Are research institutions always considered HIPAA-covered entities?

by | Mar 8, 2023 | HIPAA News and Advice

No, research institutions are not always considered HIPAA-covered entities; whether they are subject to HIPAA regulations depends on whether they meet the criteria of a covered entity by transmitting or maintaining individually identifiable health information in connection with certain healthcare transactions. Research institutions, while often involved in the study and analysis of health-related data, are not universally classified as HIPAA-covered entities. The determination of whether a research institution falls under HIPAA depends on several factors, including the nature of its activities, the type of data it handles, and the context in which that data is used.

Factor to Consider | Explanation
HIPAA-Covered Entities Definition | Covered entities under HIPAA include healthcare providers, health plans, and healthcare clearinghouses involved in specific healthcare transactions.
Research Institutions and Health Data | Research institutions often work with health-related data, including patient records, medical histories, and biological samples.
De-Identified Data | Research institutions dealing exclusively with de-identified health information are typically not considered HIPAA-covered entities.
Protected Health Information (PHI) | PHI includes health information that can identify an individual and is related to their health status or healthcare provision.
Direct Patient Interaction | Research institutions directly interacting with patients and accessing health records are more likely to be HIPAA-covered entities.
Re-Identification Possibility | Research institutions using de-identified data and avoiding re-identification are less likely to be covered by HIPAA.
Value of Research | HIPAA accommodates research by allowing PHI use and disclosure for research under certain conditions.
Patient Authorization | Research institutions can gain patient authorization to access specific PHI while maintaining privacy.
Collaborations | Collaboration with covered entities allows research institutions to access PHI without necessarily becoming covered entities themselves.
Electronic Health Records | Advances in technology and electronic health records have prompted discussions about applying HIPAA to research activities.
Balancing Privacy and Knowledge | Striking a balance between patient privacy and medical knowledge advancement is a continual challenge.
Compliance | Understanding PHI presence, research nature, and healthcare transaction involvement is necessary for HIPAA compliance among research institutions.

Table: Factors that Determine Whether a Research Institution Is a HIPAA-Covered Entity

Covered entities under HIPAA include healthcare providers, health plans, and healthcare clearinghouses. These entities engage in specific healthcare transactions, such as submitting claims, enrolling individuals in health plans, and transmitting health information electronically. Research institutions, while not primary healthcare providers, often deal with health-related data in the course of their scientific investigations. This can include patient records, medical histories, and biological samples. Whether a research institution is a covered entity hinges on whether it meets the criteria for transmitting, receiving, or maintaining individually identifiable health information in connection with certain healthcare transactions. These transactions involve the electronic exchange of health information, which is a defining aspect of HIPAA-covered entities.

In general, research institutions that work solely with de-identified health information are not considered covered entities under HIPAA. De-identified information is data that has been stripped of specific identifiers, such as names, addresses, and Social Security numbers, so that it can no longer be linked back to individual patients. Since the core principle of HIPAA is to safeguard the privacy of individuals’ identifiable health information, data that cannot be linked to specific individuals falls outside its regulatory scope. However, research institutions might become subject to HIPAA if their activities involve the use of protected health information (PHI). PHI includes any information that could potentially identify an individual and is related to their past, present, or future health status or healthcare provision. If a research institution engages in activities that involve PHI and meets the criteria for covered entities, it would be required to comply with the HIPAA Privacy, Security, and Breach Notification Rules.

The determination of whether a research institution qualifies as a covered entity is not based solely on the presence of PHI. The nature of the institution’s interactions with PHI also plays a role. For example, if a research institution conducts studies that involve direct patient interactions and access to their health records, it is more likely to be considered a covered entity. Institutions that obtain de-identified data from external sources and conduct analyses without the possibility of re-identifying individuals are less likely to be subject to HIPAA regulations. HIPAA recognizes the value of research in advancing medical knowledge and improving patient care. To accommodate this, the law includes provisions that permit the use and disclosure of PHI for research purposes, provided certain conditions are met. One common avenue for research institutions to access PHI is obtaining individual authorization from patients. This authorization allows researchers to access specific PHI for their studies while still safeguarding patient privacy.

Research institutions might work with covered entities, such as hospitals or clinics, to access PHI for research without becoming covered entities themselves. These collaborations involve data-sharing agreements and adherence to HIPAA regulations by both parties. In recent years, healthcare services and research have evolved with the advancement of technology and the increasing integration of electronic health records. This has prompted discussions about how HIPAA should be applied to research activities. Balancing the need to protect patient privacy with the need to advance medical knowledge is an ongoing challenge.
Research institutions are not automatically considered HIPAA-covered entities. The determination of whether they fall under HIPAA regulations hinges on factors such as the presence of PHI, the nature of their research activities, and their interactions with healthcare transactions. Institutions that exclusively work with de-identified data and do not engage in covered transactions are generally not subject to HIPAA. However, if research activities involve PHI and meet the criteria for covered entities, compliance with HIPAA regulations becomes mandatory. Understanding these distinctions is necessary for research institutions to satisfy the regulatory requirements and contribute to scientific advancements while avoiding patient privacy violations.
