Skill

hipaa-research-privacy

Provides HIPAA Privacy Rule guidance for research uses of PHI under 45 CFR §164.512(i), covering IRB/Privacy Board waivers, authorizations, limited data sets, preparatory research, and decedents.

security

npx claudepluginhub mukul975/privacy-data-protection-skills --plugin privacy-skills-complete

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Supporting Assets

assets/template.mdreferences/standards.mdreferences/workflows.mdscripts/process.py

SKILL.md

Similar Skills

github-deep-research

63.9k

Conducts multi-round deep research on GitHub repos via API and web searches, generating markdown reports with executive summaries, timelines, metrics, and Mermaid diagrams.

2 files

bytedance-deer-flow-1

surprise-me

63.9k

Dynamically discovers and combines enabled skills into cohesive, unexpected delightful experiences like interactive HTML or themed artifacts. Activates on 'surprise me', inspiration, or boredom cues.

bytedance-deer-flow-1

image-generation

63.9k

Generates images from structured JSON prompts via Python script execution. Supports reference images and aspect ratios for characters, scenes, products, visuals.

2 files

bytedance-deer-flow-1

Stats

Parent Repo Stars37

Parent Repo Forks4

Last CommitMar 16, 2026

Actions

View Source View Plugin View on GitHub View README

HIPAA Research Privacy — 45 CFR §164.512(i)

Overview

The HIPAA Privacy Rule permits covered entities to use and disclose PHI for research purposes through several pathways. The primary mechanisms are: (1) individual authorization under §164.508, (2) waiver or alteration of authorization by an IRB or Privacy Board under §164.512(i), (3) use of a limited data set with a data use agreement under §164.514(e), (4) use of de-identified data under §164.514(a)-(b), (5) preparatory to research reviews under §164.512(i)(1)(ii), and (6) research on decedent information under §164.512(i)(1)(iii). Researchers and covered entities must understand the interplay between HIPAA and the Common Rule (45 CFR Part 46) which governs human subjects research independently.

Regulatory Framework

Authorization for Research — §164.508

§164.508(a): A covered entity may not use or disclose PHI without an authorization that satisfies §164.508 requirements, except as otherwise permitted
§164.508(b)(3): Research-specific authorization elements:
- May describe the PHI to be used or disclosed in a specific or general manner if adequate to allow the individual to understand the PHI to be used/disclosed
- May be for use/disclosure of PHI for a specific research study, or for future unspecified research if the authorization adequately describes the purposes
- No expiration date required if the authorization states "end of the research study" or "none" or similar language

Waiver of Authorization — §164.512(i)(1)(i)

A covered entity may use or disclose PHI for research without authorization if the covered entity obtains documentation that an IRB or Privacy Board has approved a waiver (or alteration) of authorization meeting ALL of the following criteria:

The use or disclosure involves no more than a minimal risk to the privacy of individuals based on:
- An adequate plan to protect the identifiers from improper use and disclosure
- An adequate plan to destroy the identifiers at the earliest opportunity consistent with the research (unless there is a health or research justification for retaining them, or retention is required by law)
- Adequate written assurances that the PHI will not be reused or disclosed to any other person or entity except as required by law, for authorized oversight of the research, or for other research for which the use or disclosure would be permitted
The research could not practicably be conducted without the waiver or alteration
The research could not practicably be conducted without access to and use of the PHI

Limited Data Set — §164.514(e)

A limited data set excludes the 16 direct identifiers listed in §164.514(e)(2) but may include:

Dates (admission, discharge, birth, death, service)
City, state, five-digit ZIP code
Ages (including ages over 89 if not aggregated into a 90+ category)

A data use agreement (DUA) is required specifying:

Permitted uses and disclosures
Who may use or receive the limited data set
Prohibition on re-identification or contacting individuals
Adequate safeguards commitments
Reporting of violations

Preparatory to Research — §164.512(i)(1)(ii)

A covered entity may use or disclose PHI for reviews preparatory to research if the covered entity obtains representations that:

Use or disclosure is sought solely to review PHI as necessary to prepare a research protocol or for similar purposes preparatory to research
No PHI will be removed from the covered entity during the review
The PHI is necessary for the research purposes

Decedent Research — §164.512(i)(1)(iii)

A covered entity may use or disclose PHI of a decedent for research if:

The covered entity obtains representation that use/disclosure is solely for research on the PHI of decedents
The PHI sought is necessary for the research
Documentation of the death (upon request) is provided

HIPAA vs. Common Rule

Requirement	HIPAA Privacy Rule	Common Rule (45 CFR Part 46)
Governs	Uses/disclosures of PHI by covered entities and BAs	Protection of human research subjects
Enforced by	OCR (HHS)	OHRP (HHS) and institutional IRBs
Authorization/Consent	HIPAA authorization (§164.508)	Informed consent (§46.116)
Waiver	IRB/Privacy Board waiver of authorization (§164.512(i))	IRB waiver of informed consent (§46.116(f))
De-identification	18-identifier Safe Harbor or Expert Determination	Not a substitute for IRB review
Applies to	PHI held by covered entities and BAs	All human subjects research at institutions receiving federal funding
Overlap	Both may apply to same study — dual compliance required	Both may apply to same study — dual compliance required

Enforcement Examples

Lurie Children's Hospital (2024, $3.45M): Although primarily a cybersecurity settlement, OCR noted that research data containing PHI was among the compromised records, underscoring the obligation to secure research PHI
Memorial Sloan Kettering (NYS AG, 2023): State enforcement for insufficient research consent practices related to genetic data sharing with third parties
University of Mississippi Medical Center (2016, $2.75M): OCR found systemic failure in risk analysis and access controls affecting research data repositories

Integration Points

hipaa-privacy-rule: Research uses and disclosures are governed by the Privacy Rule
hipaa-deidentification: De-identification eliminates HIPAA restrictions on research use
hipaa-minimum-necessary: Minimum necessary applies to research disclosures under waiver (not to individual access or authorized disclosures)
hipaa-baa-management: Research collaborators may be BAs if they create, receive, maintain, or transmit PHI
hipaa-breach-notification: Research data breaches trigger the same notification obligations