Working with Human Subjects - HIPAA

Last updated on November 28, 2016

HIPAA is a federal privacy law that protects Protected Health Information (PHI). PHI is individually identifiable health information created or received by a Covered Entity/Component.

Why it Matters

How research data is classified matters in the following ways:

  • Safeguarding Data: The classification of the data under BU’s Data Classification Guide tells you what safeguards you need to make sure are in place at all times during your research. Restricted Use data is the most sensitive form of data, and it applies to both PHI and any identifiable health information—even if it is not HIPAA covered. You can find BU’s standards for protecting Restricted Use data here. PHI under HIPAA is subject to additional safeguards by IT such as audits and other security measures; there is nothing you need to do about that.
  • Reporting a Potential Breach: If your research data is lost, disclosed in an unauthorized manner, or used in an unauthorized manner, you must tell the IRB. If it is an electronic information security matter (such as hacking, a lost unencrypted laptop, or another information security incident), you must also immediately alert . If it is PHI, you must also inform the HIPAA privacy and security officers at
  • Consequences of HIPAA Breach: If the data is subject to HIPAA and is breached, the BU HIPAA Privacy Officer and Security Officer will need to notify the patients whose data was breached and the federal Department of Health and Human Services, and, if over 500 persons are affected, the media.
  • Access to PHI: If you wish to access PHI from a HIPAA covered entity, see the section below on Access.

Researcher Obligations Under HIPAA and BU Policy to Secure Human Subjects Data

Whether human subjects research data is PHI covered by HIPAA or not, if it is possible to identify any subject, then it will be considered Restricted Use Data under BU’s Data Classification Policy. Researchers must follow all IT policies related to Restricted Use Data in either event. See

Protected Health Information (PHI)

Access to PHI in Research

The use and/or disclosure of PHI in research must have the appropriate authorizations. Generally, a Covered Entity/Component may disclose PHI to a researcher when the researcher obtains either:

  • An individual written patient Authorization, or
  • Waiver or Alteration of Patient Authorization, which may be in one of three forms: Waiver Preparatory to Research; Partial Waiver; Full Waiver.
    • Activities preparatory to research
    • Conducting clinical research
    • Conducting retrospective studies
    • Creating Data Repositories
    • Recruiting research subjects
    • Using information from a Data Repository

Pathways to access at each stage of research

When the researcher has ruled out using de-identified data, a limited data set, or decedents’ data, the researcher must obtain Authorizations or Waivers, as described below:
If you have any question on how the rules apply to your research, please contact the HIPAA Privacy Officer or HIPAA Security Officer.

Other policies you must follow to protect PHI are found here:

Reporting Potential Breaches

Everyone involved in Research, and everyone at BU with access to PHI, is obligated to report any potential breach to the HIPAA Privacy Officer.

How to Report

Report Potential Breach

Please report to the HIPAA Privacy Officer directly via phone at 617-348-3124 or email at

If the incident involves PHI in electronic form, please also report to

BU will not retaliate against any employee who, in good faith, reports possible violations of law or of BU HIPAA policies.

Additional Resources & Contacts

BU Medical Campus HIPAA-covered component or Boston Medical Center

For access to records, contact the BU Medical Campus IRB for guidance and the records administrator for assistance.

Charles River Campus HIPAA-covered component

For access to records, contact the HIPAA-covered component’s records administrator (who may consult with the BU Privacy Officer or the BU Office of the General Counsel).

Covered Entities external to BU

For access to records, contact the covered entity’s records administrator or Privacy Officer.

HIPAA Policies & Resources

Additional HIPAA policies the researcher should be aware of and follow:

  • HIPAA Privacy Policies
  • HIPAA Security Policies
  • Data Protection Standards
  • BU Data Protection – Release of Electronic Protected Health Information
  • If you are using PHI from an entity external to BU, be sure to become familiar with that entity’s policies.
