HIPAA: Overview

The HIPAA Privacy Rule (the Privacy Rule) is a new set of federal regulations providing protections for the confidentiality of health information used in clinical practice, research, and the operations of health care facilities. The intended purpose of the Privacy Rule is to ensure that health information confidentiality risks are minimized. The Privacy Rule gives patients new federal rights, and protects those rights by requiring new procedures of health care providers and human subjects researchers.

In addition, the Privacy Rule requires the training of employees, including researchers, in the protection of confidential health information.

The Privacy Rule protects “individually identifiable health information,” referred to as protected health information or PHI. The Privacy Rule defines PHI to include information that:

  • is created or received by a covered entity, which includes a health care provider, and
  • relates to the past, present, or future physical or mental health, or condition of the individual, or
  • relates to payment for the individual’s health care, or
  • relates to the provision of health care in the past, present, or future, and
  • identifies an individual or could be used for identifying an individual.

The Privacy Rule applies to the use or disclosure of PHI for research purposes and will require one or more of the following new actions and new documentation:

  1. A written authorization specifically for the use and disclosure of PHI for research purposes involving human subjects.
  2. A waiver of authorization approved by an IRB.
  3. Use of de-identified information or limited datasets.
  4. Preparatory to research certifications.
  5. Database registration.

Research has the same definition in the Privacy Rule as it does in the Common Rule. The Privacy Rule supplements and expands Common Rule regulation of human subjects research.


Last updated: June 24, 2003