Examples
Worked examples
- Is an instance
A clinical researcher accessing identifiable medical records obtains either a HIPAA authorisation signed by each subject or an IRB-approved waiver under §164.512(i)(2).
- Is an instance
A hospital releases a HIPAA limited dataset to an academic collaborator under a Data Use Agreement permitting research use without requiring individual authorisation.
Counter-examples
Looks similar, but isn't
- Not an instance
Wholly de-identified data meeting the safe-harbour standard is no longer PHI and may be used without HIPAA authorisation.
- Not an instance
Research conducted by an institution that is not a covered entity or business associate, using data it generates itself without obtaining PHI from a covered entity, is outside HIPAA scope (though other regulations may apply).
Editorial commentary
Under the Privacy Rule, a covered entity may use or disclose protected health information (PHI) for research only with the individual's written HIPAA authorisation, under an IRB-granted waiver of authorisation, as a limited data set with a Data Use Agreement, after de-identification, for reviews preparatory to research, or for research on decedents' information. The eighteen identifier categories defining de-identification under the safe-harbour method are enumerated in §164.514(b)(2). Research authorisations are study-specific, must contain core elements and required statements, and remain valid until revoked.
References
- HIPAA Privacy Rule 45 CFR §164.500 et seq.
- HHS Office for Civil Rights Guidance on Research and HIPAA
- HIPAA De-identification Guidance: Safe Harbor and Expert Determination methods
Also known as
HIPAA · Privacy Rule · 45 CFR 164 Subpart E
Machine-readable encodings
Use in your systems
<role vocab="credit"
vocab-identifier="https://casrai.org/dictionary/"
vocab-term="HIPAA Privacy Rule"
vocab-term-identifier="https://casrai.org/dictionary/term/hipaa-privacy-rule" />

{
"@context": "https://schema.org",
"@type": "DefinedTerm",
"name": "HIPAA Privacy Rule",
"identifier": "https://casrai.org/dictionary/term/hipaa-privacy-rule",
"description": "The US federal regulation at 45 CFR Parts 160 and 164 Subparts A and E that establishes national standards for the protection of individually identifiable health information held or transmitted by covered entities and their business associates, requiring authorisation, a waiver, or another permitted basis for any use or disclosure for research.",
"inDefinedTermSet": "https://casrai.org/dictionary/domain/compliance-and-regulatory/",
"url": "https://casrai.org/dictionary/term/hipaa-privacy-rule",
"sameAs": [
"HIPAA",
"Privacy Rule",
"45 CFR 164 Subpart E"
],
"license": "https://creativecommons.org/licenses/by/4.0/"
}







