Biomedical Research

HIPAA in Research

The Health Insurance Portability and Accountability Act (HIPAA) established the Privacy Rule and the Security Rule for the protection of protected health information (PHI). These rules:

  • Establish appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic PHI;
  • Protect the privacy of patient records while the patient is living and for 50 years following the date of death;
  • Provide patients with access to their records and more control over how their PHI is used and disclosed; and
  • Regulate the collection and use of PHI for research purposes.
What is protected health information?

Protected health information is a combination of identifiers and health information generated and collected by a covered entity. The University of Pennsylvania has four HIPAA Covered Entities: Penn Medicine, Penn Dental, Student Health Service, and Employee benefits plans.

Using PHI in Research

Protocols that involve accessing, collecting, or disclosing protected health information are required to include data confidentiality plans that align with institutional policies and guidance.

Confidentiality Plans

The IRB & Penn Medicine Requirements regarding PHI Security and Storage provides guidance on the key elements of a confidentiality plan, guidelines for physical security (paper files/ biospecimens), and guidelines for electronic file and data security, storage, and transmission.

Data Storage/Transmission

The IRB & Penn Medicine Requirements regarding PHI Security and Storage also provides guidance on key features of IRB‐approved mechanisms for data storage/transmission when research involves the use of protected health information (PHI).

Use of Email During the Conduct of Research

The IRB & Penn Medicine Requirements regarding PHI Security and Storage also provides guidance on avoiding and minimizing PHI in email as well as communicating with research subjects via email and best practices for communications among the research team in a research study.

Use of Text Messaging During the Conduct of Research

The Office of Clinical Research (OCR) and Penn IRB have developed the below guidance to provide best practices, considerations and parameters around when texting may, or may not, be appropriate in the conduct of research.

Research that Requires Access to Penn Medicine Systems

Penn Medicine has great resources for researchers who need to access Penn medical records either in preparation for research or for retrospective data analysis. The Data Analytics Center will work with you one-on-one to ensure you can obtain the data you need and stay compliant. Working with the Data Analytics Center during protocol development is likely to shorten the amount of time it takes for the IRB to approve your project.

Levels of Identifiability

The figure below outlines the various levels of identifiability for participant data and biospecimens.

  • The data/sample was collected without knowing the identity of the subject.
  • There is no chance of re-identification because no identifiers were collected.

  • The data/sample was collected knowing the identity of the subject, but identifiers were removed.
  • There is no chance of re-identification because:
    • All identifiers were removed; OR
    • There is no link between identifiers and the data/sample.

Limited Dataset

  • The data/sample include indirect identifiers only.
  • Re-identification is improbable.

  • Coded
    • Assigned a unique random ID code that is linked to identifiers. The link must be stored separately from the data for the data to count as coded.
    • Re-identification is possible.
  • Identified
    • One or more identifiers (e.g. name, medical record number, etc.) are stored with the health information.
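The following script is an added illustration of the identifiability levels above; it is not Penn IRB or Penn Medicine code, and the record fields, the split into direct and indirect identifiers, and the sample patients are all constructed for the example. It shows the mechanics that distinguish the levels: a coded dataset carries a random code whose link table is kept apart from the data, re-identification works only while that link exists, a limited dataset keeps indirect identifiers only, and a de-identified dataset keeps neither identifiers nor a link.

```python
import secrets

# Constructed sample records for illustration only (not real patients).
IDENTIFIED_RECORDS = [
    {"name": "Alice Example", "mrn": "MRN-0001", "zip3": "191",
     "visit_date": "2023-04-02", "diagnosis": "E11.9"},
    {"name": "Bob Example", "mrn": "MRN-0002", "zip3": "190",
     "visit_date": "2023-05-17", "diagnosis": "I10"},
]

# Direct identifiers: fields that on their own point to a person
# (the page's examples are name and medical record number).
DIRECT_IDENTIFIERS = {"name", "mrn"}
# Indirect identifiers: fields that narrow a person down without naming them.
# Which fields count is an assumption made for this example.
INDIRECT_IDENTIFIERS = {"zip3", "visit_date"}


def code_records(records):
    """Coded level: replace direct identifiers with a random code.
    Returns the coded dataset and a separate link table (code -> identifiers).
    The link table must be stored apart from the coded data."""
    coded, link = [], {}
    for rec in records:
        code = secrets.token_hex(8)          # unique random ID code
        link[code] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        coded.append({"code": code,
                      **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}})
    return coded, link


def re_identify(coded_record, link):
    """Re-identification is possible only while the link table is available;
    without it the code resolves to nothing."""
    return link.get(coded_record["code"])


def limited_dataset(records):
    """Limited-dataset level: direct identifiers removed, indirect ones kept."""
    return [{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
            for rec in records]


def de_identify(records):
    """De-identified level: direct and indirect identifiers removed,
    and no code or link table retained."""
    drop = DIRECT_IDENTIFIERS | INDIRECT_IDENTIFIERS
    return [{k: v for k, v in rec.items() if k not in drop} for rec in records]


def contains_identifiers(records, fields):
    """Pre-release check: does any record still carry one of `fields`?"""
    return any(f in rec for rec in records for f in fields)


if __name__ == "__main__":
    coded, link = code_records(IDENTIFIED_RECORDS)
    print("coded:", coded)
    print("link table (store separately):", link)
    print("limited:", limited_dataset(IDENTIFIED_RECORDS))
    print("de-identified:", de_identify(IDENTIFIED_RECORDS))
```

The `contains_identifiers` check is the kind of gate a study team can run before a dataset leaves the covered environment: a coded or limited dataset must fail it for direct identifiers, and a de-identified dataset must fail it for both direct and indirect identifiers.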
