What Kinds of Activities are Considered Research?
The HIPAA Privacy Rule is primarily concerned with information generated in the course of providing health care services, and is not primarily concerned with research. However, HIPAA does recognize and endorse the fact that some research may create, use and disclose Protected Health Information (PHI).
In order to understand whether HIPAA rules apply to a research project, it is first necessary to determine whether the activity would be considered research. For this, HIPAA uses the same definition as the federal Common Rule (45 CFR 46), which is a systematic investigation designed to contribute to generalizable knowledge.

In practice, the most common test of whether an activity is research is whether the results will be published. A quality improvement project that analyzes the medical records of patients who were treated with a particular procedure would not be research if the analysis is used for internal purposes only. But it is important to anticipate whether future publication is a possibility, because retroactive approval to do research with person-identifiable records cannot be given.

Research that is covered by HIPAA
HIPAA affects only that research which uses, creates, or discloses Protected Health Information (PHI). In general, there are two ways a research study would involve PHI:

  • The study involves review of medical records as one (or the only) source of research information. Retrospective studies involve PHI in this way. Prospective studies may do this also, such as when a researcher contacts a participant’s physician to obtain or verify some aspect of a person’s health history.
  • The study creates new medical records because as part of the research a health care service is being performed, such as testing of a new way of diagnosing a health condition or a new drug or device for treating a health condition.

Most sponsored clinical trials that submit data to the US Food and Drug Administration (FDA) will involve PHI because study monitors have an obligation to compare research records such as Case Report Forms (CRF) to the medical records of the persons participating in the study, in order to verify that the information transcribed onto the CRFs is accurate.

 

PHI or Not?

The broad definition of individually identifiable information has led some to conclude that any individually-identifiable fact about a person arising out of their participation in a research study would be PHI if it had immediate or potential relevance to normal or abnormal functioning (ie., health and disease) at a molecular, physiologic, or functional level.
However, life sciences research includes activities that record person-identifiable information as part of the study and in many cases it is simply not known whether the research results will be significant, correct, and relevant to healthcare services or to the health and well being of a particular individual. A large fraction of the biomedical research involving human subjects that is sponsored by NIH and other federal and not-for-profit entities is done to characterize and better understand disease processes without an associated intervention designed to correct them.

The University of California HIPAA Task Force has defined the term Research-related Health Information (RHI) for information which shares some characteristics of HIPAA PHI, but would be governed by a different set of principles and best practices. These practices respect the rights of individuals while at the same time catalyzing progress in biomedical and behavioral sciences.

The key distinction between RHI and PHI is that PHI is associated with or derived from a healthcare service event. Thus, research studies that use medical records as a source of person-identifiable research data are using PHI, and interventional clinical studies where treatments are being compared for safety and effectiveness would create PHI. In contrast, a research study that does not include a diagnostic or therapeutic intervention, and does not acquire health-related facts about a person by copying them from a medical record, would create information that if individually identifiable would be considered RHI. A white paper on the differences between PHI and RHI is available here.