New Institute Of Medicine Report Advocates Eliminating HIPAA Privacy Rule For Research

Legal HIMformation
(February 2009)

In a report released in draft form on February 4, the Institute of Medicine asserts that the current version of the HIPAA Privacy Rule doesn't do enough to protect privacy and simultaneously hampers research.  The Institute accordingly recommends fundamental changes to the way that research is performed.  These changes, if implemented, would eliminate the application of the HIPAA Privacy Rule to research activities and create a separate approach that would govern privacy, security, and accountability for all health-related research.  The report, Beyond the HIPAA Privacy Rule:  Enhancing Privacy, Improving Health Through Research, can be obtained from the National Academies Press website at

This report should serve as a reminder that the HIPAA Privacy Rule does in fact impose restrictions on certain types of research activities. For example, the holder of protected health information ("PHI") must obtain an authorization (complying with 45 C.F.R. Section 164.508) before using that PHI for research purposes, unless a waiver of informed consent that is approved by either an independent ethics board or institutional review board ("IRB") is obtained before research begins. 45 C.F.R. Section 164.512(i)(1)(i). Also, activity preparatory to research is limited under the Privacy Rule and may not involve the removal of any PHI from the covered entity. 45 C.F.R. Section 164.512(i)(1)(ii). Finally, disclosures for purposes of research that do not require patient authorization (or for which a patient authorization was not obtained) must be accounted for in the covered entity's disclosure log as a disclosure without patient authorization. 45 C.F.R. Section 164.528.

We have observed throughout the course of many HIPAA engagements that covered entities without an IRB or any other formal research activities continue to mention research in their notices of privacy practice.  We strongly recommend that such references be deleted, as there is no way that such a covered entity could comply with the Privacy Rule and permit such a use or disclosure of patient PHI.
