HIPAA in Research Guidance

The Health Insurance Portability and Accountability Act (HIPAA) is Federal legislation that applies to covered entities, such as Northwell Health. HIPAA went into effect on April 14, 2003. It was designed to allow a person to go from one health insurance plan to another with continuity of care and without being denied coverage for a “pre-existing condition” (portability); it details government oversight to protect against fraud; and it adds protections for protected health information (PHI) that is collected (accountability). The U.S. Department of Health and Human Services (HHS) issued a Final Rule in 2013, which strengthened privacy and security protections of health information.

The Health Information Technology for Economic and Clinical Health (HITECH) Act is part of the American Recovery and Reinvestment Act (ARRA) of 2009. The HITECH Act also widens the scope of privacy and security protections available under HIPAA; it increases the potential legal liability for non-compliance; and it provides for more enforcement.

Click Here for HIPAA FAQs

If you have any questions or concerns related to HIPAA in research, you can contact us below:


Research Privacy Board

The Privacy Rule requires an individual to provide signed Authorization before a covered entity can use or disclose the individual’s PHI for research purposes; however, a covered entity can use or disclose PHI for research without an Authorization by obtaining proper documentation of a waiver of the Authorization requirement by a Privacy Board.

The Reviewing IRB acts as the Research Privacy Board that reviews and approves requests for disclosure of PHI and waivers of HIPAA authorization for research purposes.

For questions contact:
The reviewing IRB or the Northwell Human Research Protection Program
Phone: (516) 321-2100
Email: irb@northwell.edu

Research Compliance & Privacy Officer

Handles privacy complaints and issues related to research, including investigation of potential HIPAA breaches.

For questions contact:
Emmelyn Kim
AVP, Research Compliance & Privacy Officer
Office of Research Compliance
Phone: (516) 266-5038
Email: ekim@northwell.edu

How does HIPAA affect researchers?

HIPAA covers use and/or disclosure of PHI for research purposes pursuant to an authorization or waiver of authorization. Researchers will need to take certain steps to use, access or disclose the PHI of research subjects. Researchers also have responsibilities regarding the protection of PHI. See Northwell Health Research Policy GR094 Access Use and Disclosure of Protected Health Information for Research for more information (link accessible through a Northwell network connection only).

The following are ways in which PHI can be used or disclosed for research purposes:

HIPAA Category | Example of Research Activity
Reviews Preparatory to Research, no waivers or authorizations needed | Feasibility reviews
Partial waiver of HIPAA authorization issued by the IRB | Recruitment purposes
Waiver of HIPAA authorization issued by the IRB | Chart reviews
HIPAA authorization obtained from subjects | Observational and interventional research studies

Useful HIPAA Research Tools and Resources

Click here for the tools and resources listed below:

  • Guidance for Tracking and Accounting for Research Disclosures of PHI
  • Tracking Form for an Individual Disclosure of PHI in Research
  • Data Mining Research Guidance
  • Chart Review Guidance
  • Business Associate Agreement Guidance
  • HIPAA & electronic PHI Security Guidance
  • Public Research Education Program (PREP) Courses on HIPAA

Northwell Health HIPAA Policies are available on the Intranet*

*link accessible through a Northwell network connection only.