HIPAA Privacy Rule & Research

On April 14, 2003, new regulations that are part of the Health Insurance Portability and Accountability Act (HIPAA) went into effect. These regulations (Privacy Rule) govern how health care providers and health plans can use or disclosure personally identifiable health information on their patients, including for research purposes.

These regulations may impact researchers if:

  • Their current research studies involve the use of personally identifiable health information maintained by a hospital, clinic, physician, professional association, or other HIPAA-covered health care provider, or a private, state, or federal health insurance plan (e.g., Medicaid), or
  • They plan to conduct a study involving the use of personally identifiable health information obtained from the entities mentioned in the above bullet.

As research involving personally identifiable health information qualifies as human subjects research, such research conducted by UNH agents must be reviewed and approved by the UNH Institutional Review Board for the Protection of Human Subjects in Research (IRB) prior to commencing.

In addition, UNH researchers who plan to obtain personally identifiable health information from HIPAA-covered health care entities should check with those covered health care entities as early as possible to find out any requirements for review by their own IRBs. UNH researchers are strongly encouraged to contact the Privacy Officer in the covered health care entity to obtain the most accurate information on the entity’s specific HIPAA requirements.

The UNH IRB has developed the following documents to assist researchers in understanding the new requirements and complying with them when conducting research studies:

HIPAA Impacts on Research Involving Human Subjects  PDF
HIPAA Sample Research Authorization FormRTF 
HIPAA Sample Authorization Language for Consent Forms RTFPDF
HIPAA Authorization Waiver Request Form RTF 
Other HIPAA resources:
  •  OCR Guidance on HIPAA (PDF): The U.S. DHHS Office of Civil Rights revised this guidance on April 3, 2003 to explain and answer questions about key elements of the requirements of the HIPAA Privacy Rule.

For more information please contact Julie Simpson, Director, Research Integrity Services at 603-862-2003.