Division of Research

HIPAA Privacy Rule Guidance

Brown provides guidance to assist the research community with understanding the relationship between research and protected health information (PHI) that is covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Guidance includes the various ways in which protected health information (PHI) may be obtained and used for research purposes and your compliance obligations related to the use of PHI in research.

Understanding HIPAA Rules

HIPAA and its regulations, including the Privacy Rule and the Security Rule, govern the way certain health information is collected, maintained, used and disclosed. The Privacy Rule establishes a set of safeguards around PHI and sets forth a national minimum level of protection. It also describes ways in which a covered entity can use or disclose PHI for research purposes.

HIPAA and Research

Brown University is not a covered entity under HIPAA for the purpose of research. The Privacy Rule does not regulate research as such; it regulates covered entities (and their business associates), and a researcher may or may not be part of one. As a Brown researcher, you may wish to receive PHI from a covered entity and therefore must understand your obligations to ensure that PHI is released to you in a manner that complies with HIPAA and that you appropriately protect those data at Brown once received.

When PHI is communicated inside of a covered entity, this is called a use of the information. When PHI is communicated to another person or organization that is not part of the covered entity, this is called a disclosure. HIPAA allows both use and disclosure of PHI for research purposes, but such uses and disclosures must adhere to HIPAA regulations and be part of a research plan that is reviewed and approved by an Institutional Review Board (IRB) or a Privacy Board.

HIPAA Definitions

What Types of Activities Are Considered Research?

The HIPAA Privacy Rule is primarily concerned with information generated in the course of providing health care services. However, HIPAA recognizes that some research creates, uses, and discloses PHI, and provides specific pathways for doing so.

The Privacy Rule also defines the means by which individuals will be informed of uses and disclosures of their PHI for research purposes, and their rights to access information about them held by covered entities. Where research is concerned, the Privacy Rule protects the privacy of individually identifiable health information, while at the same time ensuring that researchers continue to have access to medical information necessary to conduct vital research.

In order for HIPAA rules to apply to a research project, it is first necessary to determine if the activity meets the federal definition of research as defined by the Common Rule (45 CFR 46), which is a systematic investigation designed to contribute to generalizable knowledge.

Research That Is Covered by HIPAA

HIPAA affects research that uses, creates or discloses PHI. In general, there are two ways a research study would involve PHI.

  1. The study involves review of medical records as one (or the only) source of research information. Retrospective studies involve PHI in this way. Prospective studies may do this also, such as when a researcher contacts a participant's physician to obtain or verify some aspect of a person's health history.
  2. The study creates new medical records because as part of the research a health-care service is being performed at a covered entity or by a covered entity, such as testing of a new way of diagnosing a health condition or a new drug or device for treating a health condition.

Health information obtained by the researcher directly from the research subject (i.e., self-report) solely for research purposes does not require the researcher to follow the HIPAA Privacy Rule because that information is not being obtained from a covered entity. However, if researchers are not obtaining medical record information but are placing research results into the subject’s medical record at a covered entity, HIPAA compliance is required.

Use and Disclosure of PHI for Research

HIPAA permits the use or disclosure of PHI for research under the following circumstances and conditions:

  • The subject of the PHI has granted specific written permission for the use of PHI for research through an authorization.
  • The IRB has granted a waiver of the authorization requirement.
  • The PHI has been de-identified in accordance with the standards set by HIPAA (and, therefore, no longer meets the definition of PHI).
  • The information is released in the form of a limited data set, with certain identifiers removed, and with a data use agreement between the researcher’s organization (Brown) and the covered entity.

Obtaining Authorization to Use PHI

The principle of respect for persons means that, if it is feasible to get the consent of someone before using their PHI for research, then consent should be obtained.

HIPAA refers to consent for use of information as an authorization. Among other required elements (including the purpose of the use or disclosure and the participant's signature and date), an authorization to use PHI for research purposes must contain:

  • A description of the information to be used or released
  • The name of the person(s) or class of persons (e.g., project staff) who will use the information
  • The name of the persons or organizations to whom PHI will be released (e.g., central coordinating offices of multi-center trials)
  • The expiration date or event that ends authorization to use PHI (e.g., completion of the research), or a statement that the authorization does not expire
  • A statement that the research participant has the right to revoke the authorization in writing (as part of withdrawal from study procedures); revocation does not undo uses or disclosures already made in reliance on the authorization
  • A statement that if the information is disclosed to other organizations it may no longer be protected by the Privacy Rule
  • A statement that individuals may inspect or copy their records. For research that includes treatment, the authorization may state that access is suspended until the study is complete, provided the participant agrees to this when consenting.

PI Responsibility

The principal investigator (PI) of the study is responsible for identifying and complying with all HIPAA policies and procedures, as well as applicable state or federal regulations governing access to PHI. This includes the responsibility to describe to the Brown IRB all proposed access to PHI that will occur during the course of the research, i.e., access to paper and electronic medical records for the purpose of subject identification or screening, any intended addition of information into medical records, and any collection or use of human specimens with individually identifiable health information attached.

Participant Responsibility

Brown has created an Authorization to Use PHI in Research Form to be presented to the study participant for review and to provide permission for access to their PHI. When participants in a research study sign an authorization to have a copy of their PHI used for research purposes, the information transcribed into the research record is subsequently governed by the terms of their authorization and is no longer PHI subject to HIPAA. Although the HIPAA Privacy Rule no longer applies to this information as it is maintained in research records, best practices for research involving human subjects requires that the confidentiality of the information continue to be protected.

Authorization to Use PHI in Research Form [PDF]

Waiver of Authorization

The Privacy Rule permits covered entities to use and disclose PHI without authorization for certain types of research activities. For example, PHI can be used or disclosed for research if the covered entity obtains documentation that an IRB or Privacy Board has waived the requirement for authorization or allowed an alteration to authorization.

In many situations, research cannot be conducted using health information that has been de-identified and it may not be feasible to obtain a signed authorization for all PHI needed for the conduct of your research. Therefore, the Privacy Rule contains criteria for waiver, partial waiver or alterations of authorizations by an IRB or Privacy Board.

For disclosure of PHI for research purposes, an IRB or Privacy Board may approve a waiver or an alteration of the authorization requirement in whole or in part.

Complete Waiver

A complete waiver occurs when the IRB or Privacy Board determines that no authorization will be required for a covered entity to use and disclose PHI for a particular research project.

Partial Waiver

A partial waiver of authorization occurs when an IRB or Privacy Board determines that a covered entity does not need authorization for all PHI uses and disclosures for research purposes, such as disclosing PHI for research recruitment purposes. An IRB or Privacy Board may also approve a request that removes some PHI, but not all, or alters the requirements for an authorization (an “alteration”).

Documentation of Waiver

Documentation of the waiver or alteration of authorization must include a statement identifying the IRB or Privacy Board that made the approval and the date of approval. Among other things, the documentation must also include statements that the IRB or Privacy Board has determined that the waiver or alteration of authorization, in whole or in part, satisfies the following criteria:

  1. The use or disclosure of the PHI involves no more than minimal risk to the privacy of individuals based on, at least, the presence of the following elements:
    1. an adequate plan to protect health information identifiers from improper use and disclosure;
    2. an adequate plan to destroy identifiers at the earliest opportunity consistent with conduct of the research (absent a health or research justification for retaining them or a legal requirement to do so); and 
    3. adequate written assurances that the PHI will not be reused or disclosed to (shared with) any other person or entity, except as required by law, for authorized oversight of the research study, or for other research for which the use or disclosure of the PHI would be permitted under the Privacy Rule.
  2. The research could not practicably be conducted without the waiver or alteration. 
  3. The research could not practicably be conducted without access to and use of the PHI.

Multiple Covered Entities

Many research projects take place at multiple sites and/or require the use and disclosure of PHI created or maintained by more than one covered entity. The Privacy Rule does not require approval of a waiver or an alteration of authorization by more than one IRB or Privacy Board; a covered entity may rely on a waiver or an alteration of authorization approved by any IRB or Privacy Board, without regard to the location of the approver. 

In order for the Brown University IRB to consider approving a waiver of authorization, it is the PI’s responsibility to complete the Use of PHI in Research Form and submit it with your IRB application.

De-Identified Data: Research That Is Not Covered by HIPAA

Limited Data Set with a Data Use Agreement

When only certain identifiers are needed, a covered entity may provide a researcher with a limited data set. A limited data set is PHI from which 16 categories of direct identifiers have been removed (names; street address and other postal information more specific than city, state and ZIP code; telephone and fax numbers; email addresses; Social Security numbers; medical record numbers; health plan beneficiary numbers; account numbers; certificate or license numbers; vehicle identifiers; device identifiers; URLs; IP addresses; biometric identifiers; and full-face photographs). It may still include city, state and ZIP code, all elements of dates, and other numbers, characteristics or codes not listed as direct identifiers, which is why it remains PHI rather than de-identified data. These direct identifiers apply both to information about the individual and to information about the individual's relatives, employers or household members.

An authorization or documentation of a waiver or alteration of authorization is not required for Brown or a researcher to receive a limited data set when the data is accompanied by a Data Use Agreement. A Data Use Agreement is a formal, written agreement into which the covered entity enters with Brown and the researcher and establishes specific ways in which the data may be used and how it must be protected. At Brown, Data Use Agreements are formally negotiated between the providing party and Research Integrity. Questions about this process should be directed to dua@brown.edu.

Business Associate Agreements

It is rare that Brown (or an investigator) is truly acting in the capacity of a business associate in the conduct of research at Brown; researchers are not business associates solely by virtue of their own research activities (although one may become a business associate in some other capacity, e.g., if you are de-identifying PHI on behalf of a covered entity).

You may find covered entities that are inexperienced with providing PHI to research institutions insist that entering into a business associate agreement is the only way to provide PHI to Brown. This is not the case. Brown is able to appropriately protect these sensitive data without engaging in a business associate agreement. If a data provider requests a business associate agreement, you must contact Research Integrity at dua@brown.edu. Brown’s Office of General Counsel must review such requests; this review will be coordinated by Research Integrity.

HIPAA Preparatory to Research Exception

The HIPAA Privacy Rule permits a covered entity to allow access to PHI for the purpose of identifying potential research subjects under the Preparatory to Research Exception. This provision allows a researcher to review PHI on site at the covered entity, but not to remove PHI from the covered entity; and a researcher who is not a member of the covered entity's workforce may not use the PHI to contact prospective subjects directly. Note also that whenever medical records are reviewed for recruitment purposes, that activity is considered by the Office for Human Research Protections (OHRP) to be a research activity that falls under the Common Rule (45 CFR 46) and as such may require a waiver of consent to review medical records and to use information from those medical records for recruitment purposes.

Examples that are illustrative of regulatory requirements for identifying patients from medical records for recruitment are included for guidance:

Example 1 

A Brown investigator proposes to obtain and record identifiable private information from medical records for the purpose of contacting these individuals to determine if they would be interested in participating in a research study. Consistent with the Common Rule, either (1) the subjects' informed consent is sought; or (2) the Brown University IRB approves an informed consent procedure that does not include, or alters, some or all of the elements of informed consent, or waives the requirement to obtain informed consent in accordance with the provisions of the HHS regulations.

Example 2

A Brown investigator proposes to obtain and record identifiable private information from medical records to develop a database of potential research subjects for future research studies. Consistent with the Common Rule, either (1) the subjects' informed consent is sought; or (2) the Brown University IRB approves an informed consent procedure that does not include, or alters, some or all of the elements of informed consent, or waives the requirement to obtain informed consent in accordance with the provisions of the HHS regulations.

It should be noted that authorization for use or disclosure of PHI under the Privacy Rule, and legally effective informed consent for research under HHS regulations at 45 CFR 46.116 and 46.117, are not the same. Any preparatory research activities involving human subjects research that are not otherwise exempt must be reviewed and approved by an IRB and must satisfy informed consent requirements.

Decedent PHI

According to federal policy, research involving deceased individuals is not considered human subjects research and therefore does not require IRB oversight unless the research study includes both living and deceased individuals.

Per 45 CFR 46.102(f) (45 CFR 46.102(e)(1) in the 2018 revised Common Rule): A human subject is a living individual about whom an investigator conducting research obtains data through intervention or interaction with the individual, or identifiable private information.

For studies that involve both living subjects and human decedents (cadavers, tissue or medical record data, including the use of fetal tissue), the IRB is the institutional committee with jurisdiction for oversight and approval. Therefore, a research study must be submitted to the IRB for review and approval before the study can be initiated.

The HIPAA Privacy Rule applies to the individually identifiable health information of a decedent for 50 years following the date of death of the individual. The Privacy Rule explicitly excludes from the definition of PHI individually identifiable health information regarding a person who has been deceased for more than 50 years. Within that 50-year period, a covered entity may still disclose a decedent's PHI for research without an authorization or waiver if the researcher represents that the use or disclosure is solely for research on the PHI of decedents, that the PHI is necessary for the research, and, on request, provides documentation of the death.

CITI HIPAA Online Training

Brown’s Human Research Protection Program (HRPP) requires that individuals responsible for the conduct of human subjects research activities receive appropriate instruction and education. PIs and research team members who will be collecting, accessing or receiving PHI as part of their proposed research must complete the CITI HIPAA module.

Information Security

HIPAA requires that research involving PHI use physical, technical and administrative safeguards to protect confidentiality.

Physical safeguards include storing of person-identifiable data in locked file cabinets, and restriction of access only to those project staff who have a need to access the files. Paper records must not be kept in public areas where passers-by may inadvertently see their content.

Technical safeguards apply to computer systems where PHI is stored and include, for example, password-protected access; screen locks with an inactivity timeout, so that a computer locks on its own when the user walks away; and audit trails that record who has created or changed PHI in the system. Wherever feasible, the personally identifiable elements of computerized research records should be stored separately from the analytic data and, where feasible, in an encrypted format.
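The following script is an added example, not Brown's or any covered entity's tooling, showing what the limited data set definition above and the advice to store identifiers separately look like in practice: it strips the 16 direct-identifier categories from a set of constructed sample records, replaces each record with a random study code, and returns the stripped identifiers as a separate linkage table intended for a different (encrypted) store. It goes beyond the page's text in one respect: a "safe_harbor" mode also applies the Safe Harbor de-identification rules for dates, ZIP codes and ages over 89. The field names, the sample records and the three-digit ZIP list (taken from HHS de-identification guidance, which is based on 2000 Census figures) are assumptions of the example.

```python
"""Split research records into a limited data set (or a Safe Harbor
de-identified set) plus a separately stored linkage table.

Added illustrative code, not Brown's tooling. Field names and the sample
records are constructed for the example."""
import secrets
from datetime import date

# The 16 direct-identifier categories a limited data set must exclude
# (45 CFR 164.514(e)(2)), mapped to the constructed field names used here.
LDS_DIRECT_IDENTIFIERS = frozenset({
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip_address", "biometric", "photo",
})

# Three-digit ZIP prefixes with 20,000 or fewer residents, which Safe Harbor
# requires to be replaced by 000 (HHS guidance, 2000 Census figures; assumption
# of this example, refresh from current census data before relying on it).
RESTRICTED_ZIP3 = frozenset({
    "036", "059", "063", "102", "203", "556", "692", "790", "821",
    "823", "830", "831", "878", "879", "884", "890", "893",
})


def split_record(record, method="lds", as_of=date(2024, 1, 1)):
    """Return (released_fields, removed_identifiers) for one record.

    "lds": drop the 16 direct identifiers; city/state/ZIP, full dates and
    ages stay, as a limited data set may contain them.
    "safe_harbor": additionally reduce dates to the year, ZIP to its first
    three digits (000 for restricted areas) and bucket ages over 89 as "90+",
    suppressing a birth year that would reveal such an age.
    """
    if method not in ("lds", "safe_harbor"):
        raise ValueError(f"unknown method {method!r}")
    removed = {k: v for k, v in record.items() if k in LDS_DIRECT_IDENTIFIERS}
    kept = {k: v for k, v in record.items() if k not in LDS_DIRECT_IDENTIFIERS}
    if method == "safe_harbor":
        age, dob = kept.get("age"), kept.get("dob")
        if age is None and isinstance(dob, date):
            age = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
        over_89 = age is not None and age > 89
        for k, v in list(kept.items()):
            if isinstance(v, date):
                # year only; a birth year implying age > 89 is dropped entirely
                kept[k] = None if (k == "dob" and over_89) else v.year
            elif k == "zip":
                z3 = str(v)[:3]
                kept[k] = "000" if z3 in RESTRICTED_ZIP3 else z3
            elif k == "age":
                kept[k] = "90+" if over_89 else v
    return kept, removed


def build_release(records, method="lds"):
    """Return (released_records, linkage).

    Each released record carries a random study code; the linkage maps that
    code back to the stripped identifiers and belongs in a separate,
    encrypted store, not alongside the analytic data. The code is random
    rather than derived from an identifier, so it reveals nothing on its own.
    """
    released, linkage = [], {}
    for rec in records:
        kept, removed = split_record(rec, method)
        code = secrets.token_hex(8)
        released.append({"study_code": code, **kept})
        linkage[code] = removed
    return released, linkage


def direct_identifiers_present(records):
    """Release check: sorted names of direct-identifier fields still present."""
    return sorted({k for rec in records for k in rec if k in LDS_DIRECT_IDENTIFIERS})


# Constructed sample records (not real patients).
SAMPLE_RECORDS = [
    {"name": "Pat Example", "mrn": "MRN-0001", "email": "pat@example.org",
     "street_address": "1 Main St", "city": "Providence", "state": "RI",
     "zip": "02912", "dob": date(1950, 6, 15), "admit_date": date(2023, 3, 2),
     "diagnosis_code": "E11.9"},
    {"name": "Sam Sample", "mrn": "MRN-0002", "phone": "401-555-0100",
     "city": "Hartford", "state": "CT", "zip": "06101",
     "dob": date(1930, 1, 1), "age": 94, "diagnosis_code": "I10"},
]

if __name__ == "__main__":
    lds, link = build_release(SAMPLE_RECORDS, "lds")
    print("limited data set:", lds)
    print("store separately, encrypted:", link)
    print("direct identifiers leaked:", direct_identifiers_present(lds))
```

Run the release check on the exact artifact you intend to send out, not on the source extract, and keep the linkage table under the stricter data risk level: it is the part that re-identifies everything.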

Brown PIs must comply with the Data Risk Classifications set by the Office of Information Technology (OIT) that specify the levels of risk for PHI and required minimum security standards for servers housing such data. De-identified PHI and/or limited datasets are Level 2 Risk, whereas PHI that does not constitute a limited dataset is classified as Level 3 Risk. Brown recommends that Level 3 Risk PHI be stored in Brown’s Stronghold research environment for data compliance. Requests to store Level 3 Risk PHI in an environment other than Stronghold must be approved by OIT.

Record Keeping

HIPAA requires that certain records be maintained in both healthcare and research contexts. Authorizations for use of PHI must be kept in research records for at least six years.  Documentation of an approved waiver of authorization must also be kept for six years after the end of the study. 

Brown recommends that signed informed consent documents be stored together with research authorization forms.

The Brown PI may not share PHI beyond the members of the research study team without executing an outgoing Data Use Agreement.