Health Insurance Portability and Accountability Act of 1996 (P.L. 104-191), commonly referred to as HIPAA. The main target of HIPAA was not researchers but health care providers and health insurance plans. In general, the law requires that covered providers and plans

  1. notify patients or plan members of their privacy rights and how their protected personal health information can be used without special authorization;

  2. obtain authorization from individuals, under certain circumstances, before releasing information for other purposes;

  3. secure patient records so that those who should not have access to them do not; and

  4. create policies and procedures to implement the law.

Under HIPAA, parents usually act as “personal representatives” of the child for the purposes of receiving the required notice of privacy rights, signing authorization for the release of protected information, and obtaining access to information about the child. HIPAA does not require the provision of any information to children and is generally silent on institutional responsibilities to children.

The law does not require permission from patients for health care providers, health plans, and health care clearinghouses to use information as part of their normal activities of providing health care or administering health benefits. For other purposes, including research, the law requires a specific, written authorization for covered organizations to release personal information that is protected under the law. If information is stripped of elements that would allow an individual to be identified, providers and health plans can provide it without written authorization. Some other exceptions to the authorization requirement are also permitted, for example, for certain activities related to preparations for research (e.g., identifying potential research participants by identifying individuals with relevant diagnoses or other characteristics).

Institutional review boards (IRBs) have been concerned about how the requirements under HIPAA might interact with their responsibilities for considering protections for privacy and confidentiality in research. Some questions involve the relationship between informed consent for research and HIPAA authorization for the release of personal health information. As explained in a National Institutes of Health (NIH) document describing the privacy rule, “an authorization focuses on privacy and states how, why, and to whom the [personal health information] will be used and/or disclosed for research. An informed consent … provides research subjects with a description of the study and of its anticipated risks and/or benefits,



Copyright © National Academy of Sciences. All rights reserved.