Background: The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, intended to address potential threats to patient privacy posed by the computerization and standardization of medical records, provides a new floor level of federal protection for health information in all 50 states. In most cases, compliance with the Privacy Rule was required as of April 2003. Yet considerable confusion and concern remain about the Privacy Rule and the specific changes it requires in the way healthcare providers, health plans, and others use, maintain, and disclose health information. Researchers worry that the Privacy Rule could hinder their access to health information needed to conduct their research.
Objectives: In this article, we explain how the final version of the Privacy Rule governs disclosure of health information, assess implications of the Privacy Rule for research, and offer practical suggestions for researchers who require access to health information.
Conclusion: The Privacy Rule is fundamentally changing the way that healthcare providers, health plans, and others use, maintain, and disclose health information and the steps that researchers must take to obtain health data. The Privacy Rule requires researchers who seek access to identifiable health information to obtain written authorization from subjects, or, alternatively, to demonstrate that their research protocols meet certain Privacy Rule requirements that permit access without written authorization. To ensure continued access to data, researchers will need to work more closely than before with healthcare providers, health plans, and other institutions that generate and maintain health information.