Modified HIPAA Privacy Rule Affects Research, Marketing, Security

Steven J. Fox
Rachel H. Wilson
John W. Jones Jr.

Many in health care feared that the de-identification standard under the original Health Insurance Portability and Accountability Act (HIPAA) privacy rule — which would have stripped health information of anything that could reveal a patient’s identity — would curtail important research, health care operations, and public health activities. In particular, researchers said that the impracticality of using de-identified data would increase the workload of institutional review boards, because waivers of authorization would be needed more frequently for research studies.

In response, the modified rule allows the use and disclosure of “limited data sets” of personal health information for research, health care operations, or public health activities. These sets do not include direct identifiers, such as name, address, or Social Security number. Their use is subject to the terms of a data-use agreement.

This agreement — similar to a business-associate agreement — establishes how the data set may be used. The agreement requires those who receive the data to use personal health information only as permitted under HIPAA, and prohibits them from contacting the individual subjects. It also limits who can receive or use the data, and requires that those entrusted with it prevent its uses beyond those stated in the data-use agreement.


The modified rule significantly simplifies the requirements for research authorizations and the criteria for waivers of authorizations. Authorizations for research involving treatment of patients no longer have to include provisions beyond those required for other disclosures of personal health information. Also, “none” may be used as the expiration date in any research study, not just research that would use personal health information to create or maintain a database (such as a cancer registry).

In approving a request for a waiver of authorization for research, an IRB or privacy board must now consider whether the use or disclosure of personal health information involves no more than minimal risk to one’s privacy, as well as whether the research could be conducted without either the waiver or access to personal health information. The IRB or privacy board’s “minimal privacy-risk analysis” must weigh the adequacy of the plan to protect identifying information from improper use, destroy identifiers at the earliest opportunity, and provide written assurances against re-disclosure of personal health information.

The modified rule provides other much-needed clarification of the use of personal health information in the research context. In cases where authorization is revoked, covered entities may continue to use personal health information that had been collected before the revocation if it is needed to maintain the integrity of the study. Additionally, the modified rule makes clear that recruitment of individuals for research does not constitute marketing, so solicitations for participation in a research study may be made without individual authorization or an IRB or privacy board waiver.


Certain disclosure and opt-out requirements notwithstanding, the original privacy rule permitted health plans and other covered entities to use personal health information for marketing purposes without first obtaining an authorization. The modified rule gives people more control over their personal health information.

The modifications require patient authorization before using personal health information for almost any marketing-related purpose. However, the definition of marketing excludes communications with individuals about participating providers and plans in a network, or about a patient’s treatment, case management, or care coordination — including recommendations for alternative treatments, therapies, health care providers or care settings.

The Department of Health and Human Services received numerous comments about the need for providers and health plans to communicate freely with patients and enrollees about the products, services, and benefits they offer. In response, the modified rule allows them to convey information to members about insurance products that could improve or replace their existing coverage.

Under this exemption, health plans do not engage in marketing when advising enrollees about other available coverage that could improve or substitute for existing coverage. HHS offers the example of a child about to become too old for coverage under a family’s policy. In this case, a health plan would be permitted to send the family information about continuation of coverage for the child without first obtaining authorization to use personal health information for such purposes. However, absent proper authorization, the plan would not be permitted to send information about a life insurance product offered by an affiliate.

HHS also closed a loophole that would have allowed personal health information to be sold to a third party marketing its products or services. The original privacy rule would have permitted business associates of covered entities to pay providers for a list of patients with a particular condition, then use that list to market their own drugs or other products directly to those patients. This could have been accomplished by providing personal health information to business associates under the guise of recommending an alternative treatment or therapy to an individual.

The modified rule makes it clear that business-associate transactions of that nature constitute marketing, and are permissible only if proper authorization has been obtained. However, as privacy advocates have pointed out, the same result could still be achieved. It is not considered marketing if a third party pays a HIPAA-covered entity to send a marketing-type communication to a selected group of patients (for example, patients with diabetes).


We know what you’re thinking — what about the ever-elusive security regulations? (HHS says they will be released Dec. 27 — really!) In a response to a comment published with the Aug. 14 privacy rule, HHS implicitly discouraged anyone from waiting for the final security-rule standards before implementing technical and physical safeguards. HHS stated that “there should be no potential for conflict” between the safeguards required by the privacy rule and the mandates of the final security rule, even though the latter has not yet been issued. The comment also points out a distinction between the privacy rule and the security rule that some may have overlooked: the security rule applies only to electronic health-information systems that maintain or transmit individually identifiable information. Safeguards for personal health information in oral, written, or other nonelectronic forms will be unaffected by the security rule.

Remember that the requirement for security is already in effect — it was imposed by the original 1996 HIPAA statute, which requires that those who transmit health information take “reasonable and appropriate administrative, technical, and physical safeguards” to protect it from unauthorized use. The privacy rule contains its own security requirements: “A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information.”

The bottom line: Do not defer actions on security protections simply because the final security rule has not yet been published.

Steven J. Fox is a partner and Rachel H. Wilson is an associate in the Washington office of the law firm Pepper Hamilton. John W. Jones Jr. is an associate in Pepper Hamilton’s Philadelphia office.