HIPAA Compliance for Clinical Research: Using PHI in Studies

Research is the one corner of HIPAA where a covered entity has several different legal routes to use the same protected health information, and where a second federal framework — the Common Rule — runs alongside the Privacy Rule. Knowing which pathway you are on, and not confusing HIPAA authorization with research informed consent, is what separates a compliant study from a reportable disclosure.

The pathways for using PHI in research

The Privacy Rule’s research provisions at 45 CFR § 164.512(i) lay out the options. A signed HIPAA Authorization from each participant is the most direct route and is usually folded into the study’s consent process, though it is legally distinct from Common Rule informed consent. Where authorization is impractical, an Institutional Review Board (IRB) or Privacy Board can grant a Waiver of Authorization if the research meets specific criteria, including no more than minimal privacy risk. For preparatory work — assessing feasibility or identifying a cohort — researchers can use “reviews preparatory to research” without removing PHI from the covered entity. Studies on decedents’ information have their own provision.

Limited data sets and de-identification

Two more routes avoid full authorization. A Limited Data Set strips direct identifiers but keeps dates and geography; it may be used for research only under a Data Use Agreement that binds the recipient (§ 164.514(e)). Going further, fully de-identified data — by Safe Harbor or Expert Determination under § 164.514(b) — is no longer PHI at all and falls outside HIPAA, which is why HIPAA de-identification methods are often the cleanest path for large datasets.

Where research programs go wrong

The recurring failures are predictable: treating a single combined consent form as covering both HIPAA and the Common Rule without the required authorization elements; sharing more than a Limited Data Set without a Data Use Agreement; and forgetting that the research database, the sponsor, the contract research organization, and any analytics vendor each sit somewhere in the compliance boundary. Many of those external parties are business associates and need agreements in place. A HIPAA compliance checklist helps keep those obligations visible.

It starts with a Security Risk Analysis

Every one of these pathways and parties should be reflected in your Security Risk Analysis — the foundational requirement at 45 CFR § 164.308(a)(1)(ii)(A) — which is where research data repositories, the systems that store identifiable study data, and the vendors that touch it get inventoried and assessed rather than treated as outside normal operations.

The proposed 2026 Security Rule update

The proposed 2026 update to the HIPAA Security Rule would raise the technical bar for protecting research data. Issued as a Notice of Proposed Rulemaking in December 2024, it is not final: it remains a proposal, with a 240-day compliance window once a final rule publishes. It points toward stronger encryption, asset-inventory, and vendor-verification expectations that apply squarely to research systems holding identifiable data.

How Medcurity helps

Medcurity’s guided Security Risk Analysis brings research data repositories, identifiable study systems, and the business associates behind them into a single assessment, so a research program is not a blind spot in your HIPAA posture. Plans start at $499/year (about $42/month); larger research organizations can request a quote.

Frequently Asked Questions

Do I always need patient authorization to use PHI in research?

No. A signed HIPAA Authorization is one route, but an IRB or Privacy Board can grant a Waiver of Authorization, and you can use a Limited Data Set under a Data Use Agreement or fully de-identified data without authorization. The right pathway depends on the study.

Is HIPAA authorization the same as informed consent?

No. HIPAA Authorization governs use and disclosure of PHI under the Privacy Rule; informed consent is a Common Rule requirement about participating in the research itself. They are often combined into one document but are legally distinct, each with its own required elements.

What is a Limited Data Set in research?

A Limited Data Set removes direct identifiers but may retain dates and some geographic detail. It can be used for research only under a Data Use Agreement that restricts how the recipient uses and protects the data, under § 164.514(e).

Are research sponsors and CROs business associates?

Often, yes. If a sponsor, contract research organization, or data vendor creates, receives, maintains, or transmits PHI on your behalf, a Business Associate Agreement is required under HIPAA.