NCBI Bookshelf. A service of the National Library of Medicine, National Institutes of Health.

Institute of Medicine (US) Committee on Health Research and the Privacy of Health Information: The HIPAA Privacy Rule; Nass SJ, Levit LA, Gostin LO, editors. Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. Washington (DC): National Academies Press (US); 2009.

Cover of Beyond the HIPAA Privacy Rule

Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research.

Show details



Ethical health research and privacy protections both provide valuable benefits to society. Health research is vital to improving human health and health care—and protecting individuals involved in research from harm and preserving their rights is essential to the conduct of ethical research. The primary justification for protecting personal privacy is to protect the interests of individuals. In contrast, the primary justification for collecting personally identifiable health information for health research is to benefit society. But it is important to stress that privacy also has value at the societal level because it permits complex activities, including research and public health activities, to be carried out in ways that protect individuals’ dignity. It is also important to note that health research can benefit individuals, for example, when it facilitates access to new vaccines, therapies, improved diagnostics, and more effective ways to prevent illness and deliver care.

The U.S. Department of Health and Human Services (HHS) developed a set of federal standards for protecting the privacy of personal health information under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).1 The HIPAA Privacy Rule set forth detailed regulations regarding the types of uses and disclosures of individuals’ personally identifiable health information—called “protected health information”—permitted by “covered entities” (health plans, health care clearinghouses, and health care providers who transmit information in electronic form in connection with transactions for which HHS has adopted standards under HIPAA).2 A major goal of the HIPAA Privacy Rule is to ensure that individuals’ health information is properly protected while allowing the flow of information needed to promote high-quality health care. The HIPAA Privacy Rule also set out requirements for the conduct of health research.

The Institute of Medicine Committee on Health Research and the Privacy of Health Information (the committee) was charged with two principal tasks3: (1) to assess whether the HIPAA Privacy Rule is having an impact on the conduct of health research, defined broadly as “a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge”4; and (2) to propose recommendations to facilitate the efficient and effective conduct of important health research while maintaining or strengthening the privacy protections of personally identifiable health information.

The committee’s conclusion is that the HIPAA Privacy Rule does not protect privacy as well as it should, and that, as currently implemented, the HIPAA Privacy Rule impedes important health research. The committee found that the Privacy Rule (1) is not uniformly applicable to all health research, (2) overstates the ability of informed consent to protect privacy rather than incorporating comprehensive privacy protections, (3) conflicts with other federal regulations governing health research, (4) is interpreted differently across institutions, and (5) creates barriers to research and leads to biased research samples, which generate invalid conclusions. In addition, security breaches are a growing problem for health care databases. In developing its recommendations to improve this situation, the committee was guided by three overarching goals: (1) improve the privacy and data security of health information; (2) improve the effectiveness of health research; and (3) improve the application of privacy protections for health research. A summary of the committee’s recommendations is presented in Box S-1.

Box Icon


Summary of the Committee’s Recommendations. The committee’s foremost recommendation is the following: Congress should authorize HHS and other relevant federal agencies to develop a new approach to protecting privacy (more...)


The committee’s first and foremost recommendation (Recommendation I) is that Congress should authorize HHS and other relevant federal agencies to develop a new approach to protecting privacy in health research that would apply uniformly to all health research. When this new approach is implemented, HHS should exempt health research from the HIPAA Privacy Rule. The new approach should enhance privacy protections through improved data security, increased transparency of activities and policies, and greater accountability, while also allowing important health research to be undertaken with appropriate oversight. The new approach should do all of the following:

  • Apply to any person, institution, or organization conducting health research in the United States, regardless of the source of data or funding.
  • Entail clear, goal-oriented, rather than prescriptive, regulations.
  • Require researchers, institutions, and organizations that store health data to establish strong data security safeguards.
  • Make a clear distinction between the privacy considerations that apply to interventional research and research that is exclusively information based.
  • Facilitate greater use of data with direct identifiers removed in health research, and implement legal sanctions to prohibit unauthorized reidentification of information that has had direct identifiers removed.
  • Require ethical oversight of research when personally identifiable health information is used without informed consent. HHS should develop best practices for oversight that should consider:
    • Measures taken to protect the privacy, security, and confidentiality of the data;
    • Potential harms that could result from disclosure of the data; and
    • Potential public benefits of the research.
  • Certify institutions that have policies and practices in place to protect data privacy and security in order to facilitate important large-scale information-based research for clearly defined and approved purposes, without individual consent.
  • Include federal oversight and enforcement to ensure regulatory compliance.

Informative examples for such an approach include Ontario’s Personal Health Information Protection Act (PHIPA)5 and a similar model recently proposed in the United Kingdom.6 Ontario’s PHIPA shares a number of similarities with the HIPAA Privacy Rule. In general, both rules require the holder of personally identifiable health data to get informed consent (referred to as authorization in the Privacy Rule) before using those data for a purpose other than providing services directly related to the health care of the patient. If a researcher wishes to use personally identifiable health data without getting informed consent, both rules require the researcher to obtain a waiver of informed consent approved by an independent ethics board before the study begins.

However, the HIPAA Privacy Rule and PHIPA do have some key differences. One major difference is that unlike the HIPAA Privacy Rule, which applies privacy obligations unevenly across the health care sector, PHIPA applies to health information custodians (HICs; e.g., providers, hospitals, and pharmacies) that collect, use, and disclose personally identifiable health information, as well as to non-HICs that receive personally identifiable health information from a HIC. Thus, the privacy protections follow the data.

Another important difference is that PHIPA permits HICs to disclose personally identifiable health information without consent to “prescribed persons or entities” that have in place privacy practices, policies, and procedures approved by Ontario’s Information and Privacy Commissioner. The prescribed persons or entities may then disclose information to researchers either in deidentified form, or in identifiable form with approval of a Research Ethics Board (Canadian equivalent of an Institutional Review Board [IRB] or Privacy Board). Consistent with the principle of transparency, a prescribed entity must also make public a description of its functions and a summary of its practices, policies, and procedures. A similar approach was recommended in a report commissioned by the United Kingdom’s Prime Minister on secondary uses of personal information. This report suggested the creation of “safe harbors,” which have three defining characteristics: (1) they provide a secure environment for processing personally identifiable health data, (2) they are restricted to “approved researchers” who meet relevant criteria, and (3) they implement penalties and allow for criminal sanctions against researchers who abuse their access to personally identifiable data. The committee believes that such an approach, combined with strong security measures, offers adequate privacy protections for personally identifiable health information in information-based health research, while greatly expanding research opportunities.

The committee’s new framework entails a two-part practical approach to protecting health information privacy because there are fundamental differences between information-based research (e.g., using medical records or stored biological samples) and direct, interventional human subjects research. Applying the same human subjects protections in these two different scenarios is neither appropriate nor justifiable. Promoting individual autonomy is essential when a person’s health care or participation in clinical research is considered. The purpose of informed consent in this type of research is mainly to protect research participants from physical harm by providing a description of the potential risks and benefits of the study. In contrast, in information-based research that relies solely on medical records and stored biospecimens, the research participant faces no risk of direct physical harm. In this context, informed consent (authorization) is intended to ensure that individuals are able to exercise control over their personal information that is held by third parties, and to give individuals the right to determine whether their personal information can be used in a particular research project (or a series of such projects, if consent for future research is permitted). Because of these fundamental differences between information-based research and direct, interventional human subjects research, the committee makes a clear distinction between the privacy considerations that apply to interventional research and research that is exclusively information based.

First, the committee recommends that all interventional research, regardless of funding source and support, should be required to comply with the Common Rule,7 and all researchers who gain access to personally identifiable health information as part of the interventional research should be required to protect that information with strong security measures. Research participants should be allowed to provide consent for future research uses of data and biological materials collected as part of the interventional study as long as an IRB reviews and approves the future uses, ensuring that the new study is not incompatible with the original consent.

Second, the committee recommends that HHS and other relevant federal agencies develop a new approach to uniform, goal-oriented oversight of information-based research, with a focus on best practices in privacy, security, and transparency as in PHIPA and the proposed United Kingdom model. This new approach should include a mechanism by which some programs or institutions could be certified by HHS or another accrediting body, similar to a prescribed entity as in PHIPA or a safe harbor as in the United Kingdom model. Such entities could then collect and analyze personally identifiable health information for clearly defined and approved purposes, without individual consent. Because of the administrative requirements in becoming certified, this option is most appropriate for disease registries and other very large scale research databases. Certified entities could also aggregate personally identifiable data from multiple sources, and then provide data to researchers with direct identifiers removed, under strict security requirements. This would facilitate greater use of data with direct identifiers removed in research because the aggregated datasets would be more complete and thus would lead to more accurate conclusions. To further protect privacy, unauthorized reidentification of information that has had direct identifiers removed should be prohibited by law, and violators should face legal sanctions.

In cases where researchers cannot use data with direct identifiers removed, and personally identifiable health information is needed for research, approval and oversight by an ethics oversight board should be required, partially analogous to what is now done under the HIPAA Privacy Rule and PHIPA. This board could perhaps entail a new body specifically formulated to review medical records research, rather than relying on traditional IRBs that were created to review interventional research. If researchers seek a waiver of patient consent, an ethics oversight board should consider the measures the researchers propose to take to protect the privacy and confidentiality of the data, the potential harms that could result from disclosure of the data, and the potential public benefits of the proposed research study. In order to facilitate consistent application of this option, HHS will need to develop clear guidance and best practices on how to assess the potential harm, the proposed measures to protect privacy and confidentiality, and the potential public benefits of a research study, as has been done under PHIPA.

Although expectations regarding privacy vary among different demographic groups, public opinion polls suggest that a significant portion of the American public would like to control all access to their medical records for research via an individual consent mechanism. However, obligations to implement comprehensive privacy protections—such as security, transparency, and accountability—are independent of patient consent. Moreover, the committee concluded, based on considerable testimony and other evidence, that a universal requirement for informed consent can lead to invalid results because of significant differences between patients who do or do not grant consent, and missed opportunities to advance medical science because it can be prohibitively costly and difficult to obtain consent for studies that require analysis of very large datasets. As a result, the committee’s new framework includes two alternatives to consent that can be used in certain circumstances (e.g., disclosure to a certified entity and waiver of informed consent by an ethics review board), which are intended to facilitate research that is socially beneficial and to protect privacy through increased security, transparency, and accountability.

If society seeks to derive the benefits of medical research in the form of improved health and health care, information should be shared to achieve that greater good, and governing regulations should support the use of such information, with appropriate oversight. In the committee’s proposed new framework, the greater emphasis on ensuring the security protections of personally identifiable health information (as in the committee’s Recommendation III.A), facilitating research using data with direct identifiers removed, and ensuring the scientific merits of any proposed research in the new framework should help to foster its acceptability. Nonetheless, effective communication with the public about how health research is done and the value it provides (the committee’s Recommendation III.C) will be important to address concerns and gain acceptance.


If this comprehensive new approach is not implemented (or, for the interim while the new framework is being developed), the committee proposes as an alternative that HHS revise the current HIPAA Privacy Rule and the associated guidance. These revisions would address some of the problems uncovered during the course of this study.

Recommendation II.A. The committee recommends that HHS develop guidance materials to reduce variability among IRBs and Privacy Boards in their interpretation of the HIPAA Privacy Rule as applied to research. One of the weaknesses in the current privacy protection system is that there is extreme variability in the regulatory interpretations and approval decisions among IRBs and Privacy Boards. Regulatory language often is not easily understandable and is subject to wide interpretation. Thus local IRBs and Privacy Boards interpret state and federal regulations independently, resulting in a great deal of variation in how the regulations are implemented. To address this problem, the committee developed four specific recommendations.

First, HHS should develop a dynamic, ongoing process to increase empirical knowledge about current “best practices” for privacy protection in responsible research using protected health information (PHI), and promote use of those best practices. To accomplish this, HHS should regularly convene consensus development conferences in collaboration with health research stakeholders to collect and evaluate current practices in privacy protection.

Second, HHS should encourage greater use of partially deidentified data called “limited datasets” and develop clear guidance on how to set up and comply with the associated data use agreements (DUAs) more efficiently and effectively. Currently, there is pervasive confusion regarding the conditions of DUAs and how recipients may meet those conditions. As a result, in some health care settings, the burden of establishing a DUA prevents research from going forward. At the other extreme, some covered entities sign DUAs as a matter of course, providing little meaningful privacy protection to the patient.

Third, HHS should clarify the somewhat artificial distinction it has made between “research” and “practice” to ensure appropriate IRB and Privacy Board oversight of PHI disclosures for these closely related activities. This will require HHS to consult with relevant stakeholders to develop standard criteria for IRBs and Privacy Boards to use when making distinctions between health research and related endeavors, such as public health practice and quality improvement practices. These criteria should be evaluated regularly by HHS to ensure that the criteria are helpful and producing the desired outcomes.

Fourth, HHS should simplify the guidance regarding the use of PHI in activities preparatory to research and harmonize these provisions with the Common Rule. The committee recommends that all researchers (including those internal to a covered entity) be required to obtain IRB approval (as required under the Common Rule) prior to contacting potential research participants. When making a decision about whether to approve research projects, the IRB should review and consider the investigator’s plans for contacting patients, and ensure that the information will be used only for research projects approved by the IRB and will not be disclosed elsewhere.

Recommendation II.B. The committee recommends that HHS develop guidance materials to facilitate more effective use of existing data and materials for health research and public health purposes. Many institutions create and maintain databases with patient health information or repositories with biological materials collected from patients. These databases and biospecimen banks are used for many types of health research, including studies to understand diseases or to compare patient outcomes following different treatments. Current interpretations of provisions of the HIPAA Privacy Rule sometimes make it difficult to effectively use these valuable resources for health research. The committee developed four specific recommendations to facilitate important health research by maximizing the usefulness of patient data associated with biospecimen banks and in research databases, thereby allowing novel hypotheses to be tested with existing data and materials as knowledge and technology improve. The recommendations would align interpretation of the HIPAA Privacy Rule with the Common Rule on several points, simplify or clarify the relevant processes in research, and develop new tools for data aggregation.

First, the committee recommends that HHS develop guidance which clearly states that individuals can authorize use of PHI stored in databases or associated with biospecimen banks for specified future research under the HIPAA Privacy Rule with IRB oversight, as is allowed under the Common Rule. Future uses should be described in sufficient detail to allow individuals to give informed consent, and researchers should be required to have IRBs determine that the new research is not incompatible with the initial consent. Second, the committee recommends that HHS develop clear guidance for use of a single form that permits individuals to authorize use and disclosure of health information in a clinical trial and to authorize the storage of their biospecimens collected in conjunction with the clinical trial. This will simplify the authorization process for interrelated research activities by integrating all relevant information into one simple document.

Third, the committee recommends that HHS clarify the circumstances under which DNA samples or sequences are considered PHI. Genetic information does not itself identify an individual in the absence of other identifying information. However, in some circumstances, a person’s genetic code could be construed as a unique identifier in that it could be used to match a sequence in another biospecimen bank or databank that does include identifiers. The committee advocates a focus on strong security measures and the adoption of strict prohibitions and legal sanctions against the unauthorized reidentification of individuals from DNA sequences, by anyone.

Fourth, HHS should develop a mechanism for linking data from multiple sources so that more useful datasets can be made available for research in a manner that protects privacy, confidentiality, and security. One way this could be accomplished, for example, might be through data warehouses that are certified for the purpose of linking data from different sources. The organizations responsible for such linking would be required to use strong security measures and would maintain the details about how the linkage was done, should another research team need to recreate the linked dataset.

Recommendation II.C. The committee recommends that HHS revise provisions of the HIPAA Privacy Rule that currently hinder research but do not provide substantive privacy protections. First, HHS should reform the requirements for the accounting of disclosures (AOD) of PHI made for research and public health purposes. Until technology advances make automatic AOD tracking feasible, affordable, and widely available, the HIPAA Privacy Rule should permit covered entities to inform patients in advance that PHI might be used for health research with IRB/Privacy Board oversight or for public health purposes. As an alternative to AOD, to ensure transparency, institutions should maintain a list, accessible to the public, of all studies approved by an IRB/Privacy Board.

In addition, HHS should simplify the criteria that IRBs and Privacy Boards use in determining whether to waive the requirement that researchers obtain authorization from each patient whose PHI will be used in a research study. If HHS decides to retain the current waiver criteria, HHS should provide clear and reasonable definitions to the vague terms used in the waiver criteria (i.e., what constitutes “minimal risk” to the privacy of individuals and what constitutes “impracticable”), as well as providing specific case examples. This would be especially helpful for multi-institutional studies, which fall under the jurisdiction of multiple IRBs or Privacy Boards.


The committee’s last set of recommendations do not directly relate to the HIPAA Privacy Rule, but should be adopted in order to achieve the committee’s overarching goals under both policy options described above (the new framework or revisions to the HIPAA Privacy Rule and associated guidance).

Recommendation III.A. The committee recommends that all health research institutions improve the security of personally identifiable health information. For example, institutions could: appoint a security officer responsible for assessing data protection needs and implementing solutions and staff training; make greater use of encryption and other techniques for data security; include data security experts on IRBs; implement a breach notification requirement, so that patients may take steps to protect their identity in the event of a breach; and implement layers of security protection to eliminate single points of vulnerability to security breaches. In addition, the federal government should support (1) the development and use of genuine privacy-enhancing techniques that minimize or eliminate the collection of personally identifiable data, and (2) standardized self-evaluations and security audits and certification programs to help institutions achieve the goal of safeguarding the security of personal health data.

Recommendation III.B. The committee also recommends that HHS—or, as necessary, Congress—provide reasonable protection against civil suits brought pursuant to state or federal laws for members of IRBs and Privacy Boards for decisions made within the scope of their responsibilities under the HIPAA Privacy Rule and the Common Rule. The limitation on liability should not include protection for willful and wanton misconduct in reviewing the research, but should instead be reserved for good-faith decisions, backed by minutes or other evidence. Effective oversight of health research depends on the recruitment of qualified and knowledgeable volunteers to serve on IRBs and Privacy Boards. But the increasing workload and complexity of IRB and Privacy Board service have made it difficult to recruit and retain knowledgeable IRB members and to ensure time for the ethical reflection necessary to make appropriate decisions about human research projects. Moreover, because of the growth over the past decade of lawsuits naming individual IRB members as defendants, fear of penalties and civil suits can be a significant deterrent in recruiting qualified volunteers to serve on IRBs and Privacy Boards.

Recommendation III.C. Finally, the committee recommends that HHS and researchers take steps to provide the public with more information about health research. Surveys indicate that the vast majority of Americans believe health research is important, and they are interested in the findings of research studies. Yet patients often lack information about how health research is conducted and are rarely informed about research results that may have a direct impact on their health. The committee recommends that researchers inform interested research participants (who granted authorization for a particular study) with a simplified summary of the results at the conclusion of a research study. HHS should also encourage researchers to register their trials and other studies in public databases, particularly when the research is being conducted under a waiver of authorization. In addition, HHS and the health research community should work to educate the public about how research is done, and what value it provides. These recommendations could be accomplished without any changes to HIPAA or the Privacy Rule by making them a condition of funding for research grants from HHS and other research sponsors, and by providing additional funds to cover the cost.



The HIPAA Privacy Rule (“Standards for Privacy of Individually Identifiable Health Information: Final Rule”) can be found at 45 Code of Federal Regulations (C.F.R.) parts 160 and 164. http://www​​.pdf (accessed August 2, 2008). A summary of the HIPAA Privacy Rule, prepared by the HHS Office for Civil Rights, is available at http://www​​.pdf (accessed August 2, 2008).


45 C.F.R. § 160.103 (2006).


The study was funded by the National Institutes of Health, the National Cancer Institute, the Robert Wood Johnson Foundation, the American Cancer Society, the American Heart Association/American Stroke Association, the American Society for Clinical Oncology, the Burroughs Welcome Fund, and C-Change.


45 C.F.R. § 164.510 (2006).


Personal Health Information Protection Act, Statutes of Ontario 2004, Ch. 3, Schedule A; Ontario Regulation 329/04.


In a report commissioned by the United Kingdom’s Prime Minister on secondary uses of personal information.


The “Common Rule” is the term used by 18 federal agencies who have adopted the same regulations governing the protection of human subjects of research.

Copyright © 2009, National Academy of Sciences.
Bookshelf ID: NBK9581


Recent Activity

Your browsing activity is empty.

Activity recording is turned off.

Turn recording back on

See more...