The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule was issued to protect a person's individually identifiable health information and addresses the use and disclosure of such information. The rule balances protecting an individual's privacy against allowing their individually identifiable health information to be used to improve health care more generally, for example through medical research.

The HIPAA Privacy Rule protects the confidentiality of a person's PHI (Protected Health Information, or individually identifiable health information) obtained from or through covered entities (health care providers such as hospitals, insurance companies, clinics, mental health providers, etc.) by giving the person the right to limit who may have access to it; written authorization to use the person's PHI must be obtained from that person.

PHI includes any information related to an individual's past, present, or future 1) physical or mental health, 2) health care, or 3) payment for health care, where that information could reasonably be expected to identify the individual.

PHI includes many common identifiers when they can be associated with the health information listed above:

  1. Names (individual, employer, relatives, etc.)

  2. Address (street, city, county, precinct, zip code -- the initial 3 digits of a zip code may be retained if the geographic unit they cover contains >20,000 people -- or any other geographical codes)

  3. Telephone Numbers

  4. Fax Numbers

  5. Social Security Numbers

  6. Medical Record Numbers

  7. Dates (except for years) connected to subjects, including date(s) of birth, admission, discharge, death, ages >89, and all elements of dates indicative of such age (except that such ages and elements may be aggregated as "Age 90 or older")

  8. E-mail Addresses

  9. Health Plan Beneficiary Numbers

  10. Account Numbers

  11. Certificate/License Numbers

  12. Vehicle Identifiers and Serial Numbers (e.g., VINs, License Plate #, etc.)

  13. Device Identifiers and Serial Numbers

  14. Universal Resource Locators (URLs)

  15. Internet Protocol (IP) Address Numbers

  16. Biometric Identifiers (e.g., finger or voice prints)

  17. Full Face Photographic Images (and any comparable images)

  18. Any other unique identifying numbers, characteristics, or codes

Any health information by itself, without the 18 identifiers, is not considered PHI (nor are the identifiers by themselves, without being linked to health information); and if the health information can be de-identified, or the link between the health information and the 18 identifiers is broken, it is no longer considered PHI.

HIPAA does not prohibit investigators who have not received a subject's written authorization from using the subject's health information in their research; however, it limits what information may be used and how it may be used:


Use of Limited Data Sets and DUAs

The investigator may also enter into a Data Use Agreement (DUA) with the covered entity, which allows the investigator to use a limited data set that excludes specified direct identifiers.

Under HIPAA rules, a limited data set cannot contain any of the following information:
  • Names

  • Street addresses or postal address information with the exception of town/city, state, and zip code

  • Phone/Fax numbers

  • E-mail addresses

  • Social Security Numbers

  • Medical records numbers

  • Health plan beneficiary numbers

  • Other account numbers

  • Certificate and license numbers

  • Vehicle identifiers and serial numbers, including license plates

  • Device identifiers and serial numbers

  • URLs and IP addresses

  • Biometric identifiers such as fingerprints, retinal scans, and voice prints

  • Full face photos and comparable images
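The two field lists above (the 18 Safe Harbor identifiers and the limited data set exclusions) differ mainly in what geography and dates they keep. This added example, not code from the original page, applies both filters to a constructed sample record; the field names, the sample values and the set of small-population zip prefixes are assumptions for illustration.

```python
from datetime import date

# Direct identifiers dropped by both filters. Field names are assumptions.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vin",
    "device_serial", "url", "ip_address", "biometric", "face_photo",
}
# Sub-state geography: a limited data set may keep it, Safe Harbor may not.
SMALL_GEOGRAPHY = {"city", "county", "precinct"}
DATE_FIELDS = {"date_of_birth", "admission_date", "discharge_date"}
# ZIP3 prefixes covering <20,000 people become "000" (constructed stand-in).
SMALL_POPULATION_ZIP3 = {"036", "059", "102"}

def limited_data_set(record):
    """Remove the direct identifiers a limited data set may not contain;
    town/city, state, full zip code and dates are retained."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}

def safe_harbor(record):
    """Reduce a record to the Safe Harbor de-identified form: direct
    identifiers and sub-state geography dropped, dates reduced to the year,
    zip truncated to three digits, ages over 89 aggregated as 90+."""
    over_89 = record.get("age", 0) > 89
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key in SMALL_GEOGRAPHY:
            continue
        if key in DATE_FIELDS and isinstance(value, date):
            # Even the birth year is indicative of age for the over-89 group.
            if not (over_89 and key == "date_of_birth"):
                out[key] = value.year
        elif key == "zip":
            prefix = value[:3]
            out[key] = "000" if prefix in SMALL_POPULATION_ZIP3 else prefix
        elif key == "age":
            out[key] = "90+" if over_89 else value
        else:
            out[key] = value
    return out

SAMPLE_RECORD = {  # constructed sample, not real patient data
    "name": "Example Patient", "street_address": "1 Example St",
    "city": "Exampleville", "state": "MA", "zip": "02139",
    "phone": "555-0100", "mrn": "MRN-000001", "age": 93,
    "date_of_birth": date(1930, 5, 17), "admission_date": date(2023, 3, 2),
    "diagnosis": "hypertension",
}
```

Safe Harbor is one of the two recognised de-identification methods; a record filtered this way may still need an expert determination when other fields could be combined to re-identify a subject.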

The Data Use Agreement (DUA) must be accepted prior to the limited data set being shared and should outline the following:

  • Allowable uses and disclosures

  • Approved recipients and users of the data

  • An agreement that the data will not be used to contact individuals or re-identify them

  • A requirement that safeguards be implemented to ensure the confidentiality of the data and prevent prohibited uses and disclosures

  • A requirement that any discovery of improper uses and disclosures be reported back to the covered entity

  • A requirement that any subcontractors who need to access or use the data also enter into a DUA and agree to comply with its requirements

Requesting Waivers/Alterations of Authorization

Finally, the investigator may, under certain conditions, request a waiver/alteration of authorization from the IRB, which could allow the investigator to use PHI. The following criteria must be met before such a waiver can be granted:

  1. The use or disclosure of the PHI involves no more than minimal risk to the privacy of individuals based on, at least, the presence of the following elements:

    • An adequate plan to protect health information identifiers from improper use and disclosure

    • An adequate plan to destroy identifiers at the earliest opportunity consistent with the conduct of the research (absent a health or research justification for retaining them or a legal requirement to do so)

    • Adequate written assurances that the PHI will not be reused or disclosed to (shared with) any other person or entity, except as required by law, for authorized oversight of the research, or for other research for which the use or disclosure of the PHI would be permitted under the Privacy Rule

  2. The research could not practicably be conducted without the waiver or alteration

  3. The research could not practicably be conducted without access to and use of the PHI

Investigators who wish to request a waiver/alteration of authorization from the IRB must include a completed Application for Waiver or Modification of Authorization for Use or Disclosure of PHI form in their IRB application. 

For more information regarding research and HIPAA, see: