HIPAA Omnibus & Research

When the HIPAA Omnibus Rule went into effect in 2013, it brought some interesting changes involving liability where covered entities and their business associates were concerned. The Omnibus Rule also brought some changes to the requirements for using PHI in medical research. Here is an overview of HIPAA Omnibus and what it means for researchers.

HIPAA Omnibus Research

The Changes

  • Compound Authorization: There are two types of authorization, conditioned and unconditioned. Previously, researchers needed separate forms for each type. Under Omnibus, authorizations can be combined on one form, provided the two types are clearly differentiated. Additionally, the unconditioned authorization must be written in an opt-in format, such as a check box or a separate line for initials. This allows a patient to sign the conditioned authorization without signing the unconditioned authorization if they choose. It should be noted that compound authorization remains unacceptable for the use of psychotherapy notes.
  • Future Research: Previously, HIPAA patient authorization for using PHI in research was study-specific. Omnibus allows for researchers to obtain a single authorization for use in future studies. However, a detailed description of the types of studies a patient's PHI might be used in must be provided. In other words, the future studies should be ones that patients would reasonably expect their information to be used in.
  • Rights of the Deceased: Originally, using the PHI of a deceased individual for research always required authorization from that individual's personal representative. Omnibus grants researchers permission to use the PHI of a deceased individual without authorization as long as the individual has been dead for at least 50 years.

The American Health Information Management Association (AHIMA) provides more detail on authorizations concerning the use of PHI here.


The above changes brought about by Omnibus simplify the process of using PHI for research. Compound authorization and the ability to include future studies with the initial authorization results in fewer forms for patients and companies to deal with. Easier access to the PHI of deceased individuals provides further data for studies. Ultimately, the new process is more efficient, allowing researchers to focus on finding new cures and treatments for the diseases the world is facing. For more information about how HIPAA and research are related, Johns Hopkins University has a helpful FAQ page.

Moving Forward

These changes to HIPAA regarding research may just be the beginning. A bill moving through Congress includes some elements that would require further revisions to HIPAA. The 21st Century Cures Act passed in the House of Representatives but the Senate decided not to take up the bill.  However, according to a recent Bloomberg Government article, the "Senate Health, Education, Labor and Pensions Committee recently approved 19 bills as part of a package that will be assembled into a companion to the 21st Century Cures Act passed by the House last year."  For more on the act, Marianne Kolbasuk McGee of InfoRisk Today summarizes some of the research implications of the act here, while David Richardson of Managed Health gives a broader summary of it here.

The HHS guidelines for research remind companies that only PHI that has not been De-identified in compliance with HIPAA standards is subject to the rules. HIPAA is quite expansive in its coverage of the healthcare industry, and it is good that Omnibus provided some changes for multiple areas, including research. Hopefully, any new regulations will continue to balance patient privacy with the medical community's efforts to combat and cure all illness.