HIPAA in Research

The HIPAA Privacy Rule protects the privacy of “protected health information” (PHI) that is used in human research. The HIPAA Security Rule safeguards PHI that is in electronic form. Boston University and Boston Medical Center each have policies and procedures to comply with the HIPAA Privacy Rule and the HIPAA Security Rule.

For researchers to gain access to existing PHI that is stored at any HIPAA “covered entity” or “covered component,” they must provide written assurances that the health information will be used and protected in compliance with HIPAA policies. Researchers who collect new PHI for research directly from patients of a covered entity/component must collect, use, and protect the information in compliance with HIPAA policies. The research team members who will have access to the PHI must receive HIPAA workforce training.

The institutional review board (IRB) should be consulted for a determination of whether or not specific research use of PHI constitutes human subject research that requires IRB review.