Research Article| Volume 53, ISSUE 2, P79-87, March 2005

Download started.


Evaluating HIPAA compliance: A guide for researchers, privacy boards, and IRBs

      The purpose of this article is to describe implications of the Health Information Portability and Accountability Act of 1996 (HIPAA) for nurses engaged in human and health services research. In general, a person’s private health information (PHI) may only be disclosed for treatment, payment, and business procedures related to healthcare service delivery. Access and/or use of the same information for research purposes necessitates another layer of review and may require a separate process of authorization. A brief historical overview of regulatory requirements regarding health information privacy and security standards for the electronic transformation of data and protection of electronically kept medical records is discussed and related to the role and responsibilities of researchers and organizations where research is conducted. In addition, a generic document template adaptable for use by an individual or organization is presented that can provide a quick, systematic review of HIPAA compliance when a research proposal is being developed or is received that seeks access to PHI.
      To read this article in full you will need to make a payment

      Purchase one-time access:

      Academic & Personal: 24 hour online accessCorporate R&D Professionals: 24 hour online access
      One-time access price info
      • For academic or personal research use, select 'Academic and Personal'
      • For corporate R&D use, select 'Corporate R&D Professionals'


      Subscribe to Nursing Outlook
      Already a print subscriber? Claim online access
      Already an online subscriber? Sign in
      Institutional Access: Sign in to ScienceDirect


      1. Pub.L.No.104-191, 110 Stat. 2023 (1996), 42 U.S.C. 1320 (d)-3.

      2. Standards for Privacy of Individually Identifiable Health Information (45 CFR Parts 160 and 164). Available from: URL: Accessed February 5, 2003.

        • Annas G.J.
        HIPAA regulations - a new era of medical-record privacy.
        New England J Med. 2003; 348: 1486-1490
        • Montgomery K.L.
        Policy, Politics Nurs Practice. 2001; 2: 29-32
      3. HHS News (1998). HHS proposes security standards for electronic health data. Available from: URL: Accessed December 12, 2003.

        • Hanna K.E.
        No end in sight for final rules on medical privacy.
        Hastings Center Report. 2001; 31: 8
        • Privacy Protection Study Commission
        Personal privacy in an information society. Government Printing Office, Washington, DC1997
      4. Workgroup for electronic data interchange. Available from: URL: Accessed April 16, 2003.

        • Institute of Medicine
        Committee on the Role of Institutional Review Boards in Health Services Research Data Privacy Protection/Division of Health Care Services. Protecting data privacy in health services research. National Academy Press, Washington, DC2000 (Available at: Accessed December 10, 2003)
        • Fried B.M.
        Protecting medical privacy in a digital age. 2003 (Available at: Accessed April 2)
        • Kongstvedt P.
        The managed health care handbook. Aspen Publications, Gaithersburg, MD1996
        • Kulynch J.
        • Korn D.
        The effect of the new federal medical-privacy rule on research.
        New England J Med. 2002; 346: 201-205
        • Annas G.P.
        Medical privacy and medical research—judging the new federal regulations.
        New England Journal of Medicine. 2002; 346: 216-221
        • Baisden H.
        Medical research community registers complaints about HIPAA privacy rule.
        AHA News. 2001; 37: 8
        • Turner S.
        • Foong S.F.
        Navigating the road to implementation of the health insurance portability and accountability act.
        Am J Public Hlth. 2003; 93: 1806-1808
      5. HIPAA privacy rule & public heath: guidance from the CDC & US DHHS Biomedical Market Newsletter/April 30 2003/report originated in the epidemiology program office, Thacker, S.B. Director. Copyright Biomedical Market Newsletter, INC.

        • Setness P.A.
        When privacy and the public good collide—does the collection of heath data for research harm individual patients?2003 (Postgraduate Medicine (2003) online. Available at: Accessed December 15)
      6. Hanken MA, Kuruc J. (Speakers). (2003) The Impact of the HIPAA Privacy Rule on Clinical Research. (Audio Seminar Series 1 July 2003). American Health Information Management Association.

        • Politz K.
        • Tapay N.
        • Hadley E.
        • Specht J.
        Early experience with new federalism in health insurance regulations.
        Hlth Affairs. 2000; 19: 7-22
        • United States Department of Labor
        Employee benefits security administration fact sheet. 2004 (Available at: Accessed January 16)
        • Charters K.G.
        HIPAA’s latest privacy rule.
        Policy Politics Nurs Practice. 2003; 4: 75-78
        • United States Department of Health and Human Services / Office of the Assistant Secretary for Planning and Evaluation
        Administrative simplification in the health care industry. 2004 (Available at: Accessed January 23)
        • Gunter K.P.
        The HIPAA Privacy Rule.
        Hlthcare Financial Management. 2002; 56: 50-55
        • Office for Civil Rights
        HIPAA. 2003 (Available at: Accessed July 18)
        • Centers for Disease Control and Prevention
        HIPAA privacy rule and public health.
        MMWR. 2003; 52 (Early Release): 1-20
        • Department of Health and Human Services
        Protecting personal health information in research. 2004 (NIH Publication Number 03-5388. Available at: Accessed February 5)
        • Zeil S.E.
        Get on board with HIPAA privacy regulations.
        Nursing Management. 2002; 33: 28-31
        • Merrit R.K.
        • Dobbs M.S.
        The challenges of developing a modern cardiac research program.
        Critical Care Nursing Quarterly. 2002; 25: 105-109
        • National Institute of Health
        • Office of Human Subjects Research
        The Belmont Report. 2003 (Available at: Accessed December 18)
        • Siegler M.
        Confidentiality in medicine—a decrepit concept.
        New England J Med. 1982; 307: 1518-1521
        • Durham M.
        How research will adapt to HIPAA.
        American Journal of Law & Medicine. 2002; 28: 491-503


      Kathryn E. Artnak is an Associate Professor at Angelo State University Department of Nursing, San Angelo, TX.


      Margaret Benson is Director of Health Information Management and Privacy Officer at Shannon Medical Center, San Angelo, TX.