hipaa-research-privacy

Installation
SKILL.md

HIPAA Research Privacy — 45 CFR §164.512(i)

Overview

The HIPAA Privacy Rule permits covered entities to use and disclose PHI for research purposes through several pathways. The primary mechanisms are: (1) individual authorization under §164.508, (2) waiver or alteration of authorization by an IRB or Privacy Board under §164.512(i), (3) use of a limited data set with a data use agreement under §164.514(e), (4) use of de-identified data under §164.514(a)-(b), (5) preparatory to research reviews under §164.512(i)(1)(ii), and (6) research on decedent information under §164.512(i)(1)(iii). Researchers and covered entities must understand the interplay between HIPAA and the Common Rule (45 CFR Part 46) which governs human subjects research independently.

Regulatory Framework

Authorization for Research — §164.508

  • §164.508(a): A covered entity may not use or disclose PHI without an authorization that satisfies §164.508 requirements, except as otherwise permitted
  • §164.508(b)(3): Research-specific authorization elements:
    • May describe the PHI to be used or disclosed in a specific or general manner if adequate to allow the individual to understand the PHI to be used/disclosed
    • May be for use/disclosure of PHI for a specific research study, or for future unspecified research if the authorization adequately describes the purposes
    • No expiration date required if the authorization states "end of the research study" or "none" or similar language

Waiver of Authorization — §164.512(i)(1)(i)

A covered entity may use or disclose PHI for research without authorization if the covered entity obtains documentation that an IRB or Privacy Board has approved a waiver (or alteration) of authorization meeting ALL of the following criteria:

Installs
10
GitHub Stars
187
First Seen
May 26, 2026
hipaa-research-privacy — mukul975/privacy-data-protection-skills