Full Document

FormatFile SizeNotes
PDF file 0.2 MB

Use Adobe Acrobat Reader version 10 or higher for the best experience.

Background: The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, intended to address potential threats to patient privacy posed by the computerization and standardization of medical records, provides a new floor level of federal protection for health information in all 50 states. In most cases, compliance with the Privacy Rule was required as of April 2003. Yet considerable confusion and concern remain about the Privacy Rule and the specific changes it requires in the way healthcare providers, health plans, and others use, maintain, and disclose health information. Researchers worry that the Privacy Rule could hinder their access to health information needed to conduct their research. Objectives: In this article, we explain how the final version of the Privacy Rule governs disclosure of health information, assess implications of the Privacy Rule for research, and offer practical suggestions for researchers who require access to health information. Conclusion: The Privacy Rule is fundamentally changing the way that healthcare providers, health plans, and others use, maintain, and disclose health information and the steps that researchers must take to obtain health data. The Privacy Rule requires researchers who seek access to identifiable health information to obtain written authorization from subjects, or, alternatively, to demonstrate that their research protocols meet certain Privacy Rule requirements that permit access without written authorization. To ensure continued access to data, researchers will need to work more closely than before with healthcare providers, health plans, and other institutions that generate and maintain health information.

Originally published in: Medical Care, v. 42, no. 4, April 2004, pp. 321-327.

This report is part of the RAND Corporation Reprint series. The Reprint was a product of the RAND Corporation from 1992 to 2011 that represented previously published journal articles, book chapters, and reports with the permission of the publisher. RAND reprints were formally reviewed in accordance with the publisher's editorial policy and compliant with RAND's rigorous quality assurance standards for quality and objectivity. For select current RAND journal articles, see External Publications.

Permission is given to duplicate this electronic document for personal use only, as long as it is unaltered and complete. Copies may not be duplicated for commercial purposes. Unauthorized posting of RAND PDFs to a non-RAND Web site is prohibited. RAND PDFs are protected under copyright law. For information on reprint and linking permissions, please visit the RAND Permissions page.

The RAND Corporation is a nonprofit institution that helps improve policy and decisionmaking through research and analysis. RAND's publications do not necessarily reflect the opinions of its research clients and sponsors.