What are the HIPAA Obligations of a Covered Entity With Respect to Research?

Modified on Tue, 19 Nov at 3:27 PM

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.

This article goes over when patients must provide written authorization before a covered entity may use or disclose PHI for research.

When is Authorization Required?
The HIPAA Privacy Rule generally requires that patients give written authorization before a covered entity may use or disclose patients’ protected health information for research. The HIPAA Security Rule requires that covered entities implement administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of research ePHI.

Are there Exceptions to this General Rule?
Under the Privacy Rule, covered entities are permitted to use and disclose protected health information for research with individual authorization, or without individual authorization under limited circumstances outlined in the Privacy Rule. 

Several of these limited circumstances involve Institutional Review Boards (IRBs) and Privacy Boards. HHS guidance explains what Institutional Review Boards are. 

Institutional Review Boards, or IRBs, review research studies to ensure that they comply with applicable regulations, meet commonly accepted ethical standards, follow institutional policies, and adequately protect research participants.

Some people may also call IRBs Independent Review Boards or refer to them as Ethics Review Committees.
IRB reviews help to ensure that research participants are protected from research-related risks and treated ethically, a necessary prerequisite for maintaining the public’s trust in the research enterprise and allowing science to advance for the common good.

Most IRBs are based at universities, according to Department of Health and Human Services (HHS) data.

When are Research Covered Entities Allowed to Use or Disclose Patient PHI Without Patient Authorization?

To use or disclose protected health information without authorization by the research participant, a covered entity must obtain one of the following: 

  • Documented Institutional Review Board (IRB) or Privacy Board Approval. Documentation that an alteration or waiver of research participants’ authorization for use/disclosure of information about them for research purposes has been approved by an IRB or a Privacy Board. This provision of the Privacy Rule (45 CFR 164.512(i)(1)(i)) might be used, for example, to conduct records research, when researchers are unable to use de-identified information, and the research could not practicably be conducted if research participants’ authorization were required.

    A covered entity may use or disclose protected health information for research purposes under a waiver of authorization by an IRB or Privacy Board, provided it has obtained documentation of all of the following:
    • Identification of the IRB or Privacy Board and the date on which the alteration or waiver of authorization was approved; 
    • A statement that the IRB or Privacy Board has determined that the alteration or waiver of authorization, in whole or in part, satisfies the three criteria in the Rule; 
    • A brief description of the protected health information for which use or access has been determined to be necessary by the IRB or Privacy Board;
    • A statement that the alteration or waiver of authorization has been reviewed and approved under either normal or expedited review procedures; and 
    • The signature of the chair or other member, as designated by the chair, of the IRB or the Privacy Board, as applicable. 
The following three criteria must be satisfied for an IRB or Privacy Board to approve a waiver of authorization under the Privacy Rule: 

  1. The use or disclosure of protected health information involves no more than minimal risk to the privacy of individuals, based on, at least, the presence of the following elements:
    • An adequate plan to protect the identifiers from improper use and disclosure; 
    • An adequate plan to destroy the identifiers at the earliest opportunity consistent with the conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law; and 
    • Adequate written assurances that the protected health information will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research project, or for other research for which the use or disclosure of protected health information would be permitted by this subpart; 
  2. The research could not practicably be conducted without the waiver or alteration; and 
  3. The research could not practicably be conducted without access to and use of the protected health information. 
There are other circumstances under which a covered entity may use or disclose PHI without authorization by the research participant.

These circumstances include:

  • When the Use or Disclosure of the PHI is Solely to Prepare a Research Protocol, or for Other Similar Purposes Preparatory to Research. For this exception to this authorization rule to apply, the following are required:

    1. Representations from the researcher, either in writing or orally, that the use or disclosure of the protected health information is solely to prepare a research protocol or for similar purposes preparatory to research.
    2. Representations from the researcher, either in writing or orally, that the researcher will not remove any protected health information from the covered entity.
    3. Representations from the researcher that the PHI for which access is sought is necessary for the research purpose.

    This provision might be used, for example, to design a research study or to assess the feasibility of conducting a study. The Privacy Rule does not prohibit a covered entity’s granting remote access to PHI to a researcher for activities that qualify as reviews preparatory to research, provided reasonable and appropriate safeguards are in place, as described in OCR’s guidance, Remote Access to PHI for Activities Preparatory to Research.
  • When the covered entity obtains from the researcher:
    1. A representation that the use or disclosure sought is solely for research on the PHI of decedents (deceased people);
    2. Documentation, at the request of the covered entity, of the death of such individuals; and
    3. A representation that the PHI for which use or disclosure is sought is necessary for the research purpose.
