HIPAA & Research

The HIPAA Privacy Rule establishes the conditions under which protected health information (PHI) may be used or disclosed by covered entities for research purposes. The Privacy Rule defines research as “a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge.”

The Privacy Rule also defines how individuals are to be informed of uses and disclosures of their medical information for research purposes, and their rights to access information about them held by covered entities. Where research is concerned, the Privacy Rule protects the privacy of individually identifiable health information while ensuring that researchers continue to have access to the medical information necessary to conduct vital research.

The Privacy Rule builds upon the existing Federal protections found in the Common Rule and the Food and Drug Administration's (FDA) human subjects protection regulations. More importantly, the Privacy Rule creates equal standards of privacy protection for research governed by those Federal human subjects regulations and for research that is not.

Use of PHI for research purposes

In the course of conducting research, researchers may access, use and/or disclose individually identifiable health information. Under the Privacy Rule, covered entities are permitted to use and disclose PHI for research (i) with the individual's written authorization; (ii) without individual authorization, under limited circumstances, if the researcher qualifies for and obtains a waiver of authorization from an IRB or Privacy Board; or (iii) if an exception applies.

HIPAA applies to research when:

  1. The researcher is part of an IU covered healthcare component and will use health or member information for research purposes;
  2. The researcher is conducting research at Indiana University and will use health or member information from one of IU's covered healthcare components; or
  3. The researcher is conducting research at Indiana University and will use health data from another covered entity or a covered entity's business associate. This includes identifying or recruiting research subjects who are patients of a covered entity.

Covered entities and/or business associates include, but are not limited to, IU Health, Eskenazi, VA, Larue Carter, other hospitals and clinics, the Indiana Department of Public Health, Medicare, Indiana Medicaid, Anthem, other insurance carriers and Regenstrief (INPC database).

The HIPAA Privacy Rule states that health information is not subject to HIPAA if it is de-identified in accordance with the Rule. An authorization or waiver of authorization is not required to use and disclose health information that is de-identified. Health information is considered de-identified if (1) it does not identify an individual; and (2) there is no reasonable basis to believe that it can be used to identify an individual.

The Department of Health and Human Services (HHS) published a guidance document in January 2013: Guidance for De-Identification of Protected Health Information in Accordance with the HIPAA Privacy Rule.

The guidance document mentioned above describes the two methods the Privacy Rule recognizes for de-identifying data:

  • Expert Determination Method: A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable
  1. applying such principles and methods, determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information; and
  2. documents the methods and results of the analysis that justify such determination.
  • Safe Harbor Method: Removal of all 18 identifiers listed in the HIPAA Privacy Rule, as they pertain to the individual or to the individual's relatives, employers or household members, where the covered entity also has no actual knowledge that the remaining information could be used, alone or in combination with other information, to identify the individual.

List of data elements considered to be identifiers.
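The Safe Harbor method is mechanical enough to implement. The following is an added example, not code from IU or HHS: it applies the Safe Harbor rules of 45 CFR 164.514(b)(2), which the guidance above summarizes, to a flat patient record. It drops the direct identifiers, reduces dates to the year, truncates ZIP codes to their first three digits (or "000" for sparsely populated prefixes), collapses ages over 89 into "90+", and refuses to pass through free text that still looks like an identifier. The field names, the sample record and the set of restricted ZIP prefixes are constructed for the demo and are not the real Census-derived list.

```python
"""Safe Harbor de-identification of flat patient records (added example)."""
import re
from datetime import date

# Identifier fields removed outright. Geographic units smaller than a state
# (street, city, county, precinct) are identifiers; the state itself is not.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "city", "county", "precinct", "phone", "fax",
    "email", "ssn", "mrn", "health_plan_id", "account_number",
    "license_number", "vehicle_id", "device_id", "url", "ip_address",
    "biometric", "photo", "other_unique_id",
}

# Dates directly related to the individual: only the year may be retained.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}

# Three-digit ZIP prefixes covering 20,000 or fewer people must become "000".
# The real list comes from current Census data; this set is assumed for the demo.
RESTRICTED_ZIP3 = {"036", "059", "102"}

AGE_CAP = 89  # ages above this are reported only as "90+"

# Patterns that mark a retained free-text field as still identifying.
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
}


def generalize_zip(zip_code, restricted=RESTRICTED_ZIP3):
    """Return the initial three digits of a ZIP, or "000" if restricted/invalid."""
    zip3 = str(zip_code).strip()[:3]
    if len(zip3) != 3 or not zip3.isdigit() or zip3 in restricted:
        return "000"
    return zip3


def age_on(birth, as_of):
    """Whole years of age on the date as_of."""
    birthday_passed = (as_of.month, as_of.day) >= (birth.month, birth.day)
    return as_of.year - birth.year - (0 if birthday_passed else 1)


def scan_free_text(value):
    """Names of the identifier patterns found in a retained string value."""
    return [name for name, pat in FREE_TEXT_PATTERNS.items() if pat.search(value)]


def safe_harbor(record, as_of, restricted_zip3=RESTRICTED_ZIP3):
    """Return a Safe Harbor de-identified copy of record.

    as_of is the reference date (ISO string or date) used to compute age.
    Raises ValueError if a retained free-text field still looks identifying.
    """
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    age = None
    if "birth_date" in record:
        age = age_on(date.fromisoformat(record["birth_date"]), as_of)
    elif "age" in record:
        age = int(record["age"])
    over_cap = age is not None and age > AGE_CAP

    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key == "age":
            continue  # age is re-emitted below, capped at 90+
        if key == "zip":
            out["zip3"] = generalize_zip(value, restricted_zip3)
        elif key in DATE_FIELDS:
            if key == "birth_date" and over_cap:
                continue  # a birth year alone would reveal an age over 89
            out[key.replace("_date", "_year")] = date.fromisoformat(value).year
        else:
            if isinstance(value, str) and (found := scan_free_text(value)):
                raise ValueError(f"field {key!r} still contains {found}")
            out[key] = value

    if age is not None:
        out["age"] = "90+" if over_cap else age
    return out


# Constructed sample record for a fictional person; not real patient data.
SAMPLE = {
    "name": "Jane Q. Sample", "mrn": "MRN-0012345", "ssn": "123-45-6789",
    "email": "jane@example.com", "street_address": "1 Example St",
    "city": "Bloomington", "state": "IN", "zip": "47405",
    "birth_date": "1931-03-15", "admission_date": "2022-11-02",
    "discharge_date": "2022-11-09", "diagnosis_code": "I10",
    "notes": "Follow-up in clinic",
}

if __name__ == "__main__":
    print(safe_harbor(SAMPLE, "2023-01-01"))
```

Running the block on the sample yields a record holding only the state, the ZIP prefix "474", the admission and discharge years, the diagnosis code, the note and an age of "90+"; the birth year is dropped because, for someone over 89, the year alone would reveal the age. Note that stripping the 18 fields is only half of Safe Harbor: the "no actual knowledge" condition still applies, and free-text fields are the usual place identifiers survive, which is why the example refuses to pass them through rather than silently keeping them.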

Request an Agreement

HIPAA permits the sharing of PHI for research purposes, as mentioned above. It also permits the sharing of a limited data set (PHI stripped of direct identifiers but retaining elements such as dates and ZIP codes) for research without individual authorization, provided the parties enter into a data use agreement (DUA).

Information is a university asset.  Therefore, IU and other covered entities may want additional assurances data will be protected and used only for the requested purpose.  

  • When IU shares any data derived from protected health information (PHI), some type of agreement may be required.
  • If you are requesting data derived from PHI from another covered entity, IU may be required to enter into an agreement with that organization.

To facilitate these requests, please: