Research and HIPAA
HIPAA-authorized pathways for using or disclosing PHI for research, including authorization, IRB waiver, limited data sets with data use agreement, and decedent research.
1 min read · Last reviewed May 23, 2026
At a glance
- Category
- Compliance Program
- Primary sources
- 1
- Workspace handoff
- compliance binder →
Where this comes up
Compliance committees and practice managers operate at this level — written policy, workforce training, sanction policy, monitoring and auditing cadence, response and corrective action. The seven elements of an effective compliance program (OIG) are the scaffolding; this term lives somewhere on that scaffold.
Full definition
What it is in practice
HHS Research Privacy catalogs the routes. Common Rule and HIPAA can interact — IRB approval does not automatically equal HIPAA authorization.
How it shows up in your practice
Document the HIPAA basis for each research disclosure. Maintain accountings of disclosures where required.
Sources
- HHS — Research Provisions of the Privacy Rulehttps://privacyruleandresearch.nih.gov/
Document research disclosures in the Compliance Binder
Open compliance binder →Related terms
- HIPAA & PrivacyAuthorization for DisclosureA written authorization signed by the individual permitting a covered entity to use or disclose PHI for a purpose not otherwise permitted by the Privacy Rule.
- HIPAA & PrivacyAccounting of DisclosuresThe HIPAA right of an individual to receive a list of disclosures of their PHI made by a covered entity over the prior six years.
- HIPAA & PrivacyLimited Data SetPHI that excludes direct identifiers but may include city, state, ZIP, dates, and other quasi-identifiers; may be disclosed for research, public health, or healthcare operations under a Data Use Agreement.
- HIPAA & PrivacyDe-identificationThe process of removing identifiers from PHI such that the resulting information is not individually identifiable health information.
D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.
Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.
Related across the archive
- GlossaryLimited Data SetPHI that excludes direct identifiers but may include city, state, ZIP, dates, and other quasi-identifiers; may be disclosed for research, public health, or healthcare operations under a Data Use Agreement.
- GlossaryAccounting of DisclosuresThe HIPAA right of an individual to receive a list of disclosures of their PHI made by a covered entity over the prior six years.
- GlossaryAuthorization for DisclosureA written authorization signed by the individual permitting a covered entity to use or disclose PHI for a purpose not otherwise permitted by the Privacy Rule.
- GlossaryDe-identificationThe process of removing identifiers from PHI such that the resulting information is not individually identifiable health information.
- RegulationHIPAA Research Uses and Disclosures (45 CFR 164.512(i))Research uses of PHI without individual authorization require either IRB or Privacy Board waiver, a limited data set with data use agreement, or reviews preparatory to research and decedent research with specific safeguards.
- BillingWhat to Do When a Payer Says You're UnderbillingGot a letter saying you're underbilling? Here's what it actually means, whether you should worry, and what action to take.
- GlossaryHIPAA Omnibus RuleThe 2013 final rule that implemented the HITECH Act amendments to HIPAA, making business associates directly liable and tightening the breach notification standard.
- ComplianceAmbulatory Surgery Center Compliance: CMS + State + Infection Control42 CFR Part 416 Conditions for Coverage, CMS State Operations Manual Appendix L, the ASC Infection Control Surveyor Worksheet, and where state ASC licensure tightens the standard.
This glossary entry is a research aid for billing and compliance staff. It does not provide legal, medical, or financial advice and does not replace counsel. References cited link to primary sources at HHS, OCR, CMS, eCFR, NIST, and the relevant payer or industry body.