Research Privacy (HIPAA)

HIPAA and Human Research:

The HIPAA Privacy Rule, in effect starting April 14, 2003, protects the privacy of subject’s health information which is used in human research. For researchers to gain access to health information that is stored at any HIPAA “covered entity”, investigators must provide the covered entity with written assurances covering how the health information will be used and protected. Here at Boston University Medical Center, “covered entities” include Boston Medical Center (both inpatient and outpatient), and several Boston University clinical functions (BUSDM Dental Clinic, Human Genetics Laboratory, Dental Pathology Laboratory, and BU Dental Plan).

These “covered entities” will require that investigators’ requests for health information receive prior approval through BUMC Office of the Institutional Review Board. The forms that investigators will need and the approval processes differ for different types of research. A brief description of each research type is listed below and the forms are available on the right side bar of this page.

  1. Authorization: In studies that require the subjects to sign a consent form, subjects must also sign an authorization form which gives researchers permission to use and share subjects’ protected health information for the purposes of the research study.
  2. Waiver of HIPAA Authorization: In some situations where there is minimal risk to subjects’ privacy and several other conditions are met (analogous to the conditions when the IRB can waive Informed Consent), investigators can request a waiver of HIPAA Authorization.
  3. De-identified health information: Investigators may request access to health information that has been stripped of identifiers (i.e., identifying characteristics like name, social security number, etc.). Be aware that, for HIPAA purposes, there is a lengthy list of 18 different identifiers that must be stripped.
  4. Limited data set: This refers to health information that is not completely de-identified (i.e., can include dates, zip codes and city, and some other unique identifying numbers, characteristics, or codes.) To access a limited data set, investigators must also provide the “covered entity” with a Data Use Agreement, which provides assurances how the privacy of the health information will be protected.
  5. Preparation of a Research Proposal: To review medical records and collect data for preparation of a research proposal or to identify subjects that would be eligible for a study, researchers must document what information they need, why, and how they will protect the data.
  6. Decedent Research: To do research using health information from individuals who are deceased, researchers must provide information about what information is needed, why, and how the privacy of the information will be assured.
  7. To acquire health information from BMC for research purposes, present your approved request form to: Ellen Jamieson, Grants Administration, Gambro 2 (414-5646).
    She will direct you to the source of the information you need. 


Contact|Directory|BUMC
September 8, 2008
Primary teaching affiliate
of BU School of Medicine