What rules and regulations govern use of patient data for research?

HIPAA is the primary legislative framework that currently governs the use of patient data for research, although other laws and regulations also play a role. HIPAA provides specific guidance both for patients seeking to understand how their data is used for research and for researchers seeking to use patient data safely in research studies.

How can patients understand if their data is used for research?

Most patients have two important rights under the HIPAA Privacy Rule that help them see how their data is being used for research: the Right of Access, which allows them to see what data is in their PHI, and the Right to an Accounting of Disclosures, which lists the instances in which their PHI has been disclosed for research purposes. The current governance framework seeks to balance patient privacy against the need for appropriate access to health data.

  • The Right of Access: This rule ensures that patients may access their PHI from covered entities at any time. The Right of Access specifically states that a patient has the right to inspect or obtain a copy of their PHI in a designated record set. A designated record set is a group of health records that includes the medical and billing records about a patient; the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; and any set of records used to make decisions about a patient. The Right of Access is critical to patient advocacy groups and healthcare companies, who rely on it to ensure effective treatment plans for patients and members of health plans.
  • The Right to an Accounting of Disclosures: Under this section of HIPAA, patients are entitled to request information about when and why their healthcare records were disclosed, for a limited set of permitted disclosures. While covered entities are allowed to release data for routine reasons such as treatment, payment, and healthcare operations, they must receive written consent from patients for other uses of their data, such as marketing communications and research.
Additionally, in many instances HIPAA aims to ensure that research subjects grant informed consent for the use of their data and are aware of how their health data will be used. Programs like the HHS All of Us Research Program and the Million Veteran Program of the Department of Veterans Affairs are precision medicine initiatives that rely heavily on a patient's willingness to provide their data for research purposes. The All of Us Research Program employs a dynamic consent model that allows patients to adjust their opt-in and opt-out preferences as the study is carried out.
What can researchers expect when seeking to access patient data for research?

Researchers should seek guidance from the HIPAA Privacy Rule, which includes important information about the acceptable uses of individually identifiable health information. In the course of conducting research, researchers may obtain, create, use, and/or disclose individually identifiable health information when doing so is essential to carrying out the research. Under the Privacy Rule, covered entities are permitted to use and disclose protected health information for research with official authorization from the patient, or under a limited set of circumstances, including the following:

  • Documented Institutional Review Board (IRB) or Privacy Board Approval: An IRB or Privacy Board can grant researchers a waiver of research participants' authorization to access PHI if the researcher can meet three key criteria: the use or disclosure of protected health information must pose no more than minimal risk to the privacy of individuals, the research cannot be conducted without the waiver or alteration, and the research cannot be conducted without access to PHI.
  • Preparatory Research for a Prospective Study: A researcher may use or disclose PHI to prepare a specific research protocol or research project that will be submitted as a proposal. This provision may be used to conduct a feasibility study before carrying out the full research study.
  • Research on Protected Health Information of Decedents: A researcher may use the PHI of a person who is deceased if that PHI is necessary for the research.
  • Limited Data Sets with a Data Use Agreement: A researcher may enter into a data use agreement with the covered entity that holds the PHI, which may then release a limited data set to the researcher for research, public health, or health care operations. The data use agreement must establish the permitted uses and disclosures of the data, limit who may receive it, and require the recipient to apply appropriate safeguards when working with it.
  • Individual Authorization for Research and Disclosure: The Privacy Rule permits any covered entity to use or disclose protected health information for research purposes when a research participant authorizes the use or disclosure of information about themselves. A research participant's authorization is usually requested for a variety of clinical trials and for some records research. IRB or Privacy Board approval is not needed in these instances.

For more information about how the HIPAA Privacy Rule regulates patient data for research, visit HHS.