Compliance Program

Research and HIPAA

HIPAA-authorized pathways for using or disclosing PHI for research, including authorization, IRB waiver, limited data sets with data use agreement, and decedent research.

1 min read · Last reviewed May 23, 2026

At a glance

Category
Compliance Program
Primary sources
1
Workspace handoff
compliance binder

Where this comes up

Compliance committees and practice managers operate at this level — written policy, workforce training, sanction policy, monitoring and auditing cadence, response and corrective action. The seven elements of an effective compliance program (OIG) are the scaffolding; this term lives somewhere on that scaffold.

Full definition

What it is in practice

HHS Research Privacy catalogs the routes. Common Rule and HIPAA can interact — IRB approval does not automatically equal HIPAA authorization.

How it shows up in your practice

Document the HIPAA basis for each research disclosure. Maintain accountings of disclosures where required.

Sources

Take it into the workspace

Document research disclosures in the Compliance Binder

Open compliance binder
Authored by D3rx

D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.

Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.

This glossary entry is a research aid for billing and compliance staff. It does not provide legal, medical, or financial advice and does not replace counsel. References cited link to primary sources at HHS, OCR, CMS, eCFR, NIST, and the relevant payer or industry body.