Reader question: Under HIPAA, subjects do have rights to their results

By Paul W. Goebel Jr.
Vice President
Chesapeake Research Review
Columbia, MD

Question: What rights to their research-related results do patients have?

Answer: Historically, research data were regarded as the property of the researcher and not available to research subjects. Most research data are not of value to study subjects in diagnosing or treating medical conditions. There are two reasons for this: 1) the data are not verified to the extent required for making medical decisions for diagnosis or treatment; and 2) the hypothesis being tested is not sufficiently developed to allow a practical application of the research results.

There is, however, an ethical imperative to inform research subjects of any personal health information that would be of value to them. For example, the study might require a chest X-ray. Even though it is not an objective of the study, if the X-ray reveals possible lung cancer, the researcher is obliged to inform the subject of the discovery so that a confirmed diagnosis can be made and any appropriate medical care can be started in a timely manner. On the other hand, subjects may decide they do not want to know about a positive finding of a condition for which there is no effective treatment, such as Huntington’s disease.

Public Health Service (PHS) policy requires subjects of PHS-funded or conducted research and their sex partners to be informed of positive test results for HIV.[1]

The advent of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule in 2003 gave patients the power to determine who has a right to use or disclose their protected health information (PHI). Although the rule primarily addresses treatment, payment, and other routine health care operations, its purview extends to the research use and disclosure of data containing personal identifiers by covered entities.

HIPAA applies only to "covered entities," those who are involved in health care treatment, payment, or related operations. Noncovered entities are not required by law to observe the safeguards provided by the HIPAA Privacy Rule, but many see compliance with its provisions as providing insulation against any question of adequate maintenance of privacy and confidentiality.

The HIPAA Privacy Rule requires that an individual's PHI be disclosed to that individual on demand.[2] This provision includes research data when the research is combined with medical treatment. The individual’s right of access to the research data maintained by a covered entity may be suspended provided the individual agrees to such suspension at the time authorization for the conduct of the research was obtained.[3]

The PHI that is part of the study must be made available to the research subject after the conclusion of the study and study-related activities, such as analysis of the data. The PHI that is revealed includes any data that contain personal identifiers of the requester. However, the PHI of other study participants would not be revealed. Nor does this provision appear to require providing to the requester any data analysis or study conclusions that were carried out after PHI was removed from the study data.

In addition, the suspension of access involves only the PHI that is in the study records. The requester would continue to have the right of access to PHI that is maintained in nonresearch medical records. In many cases, this would be a copy of the same data that the researcher obtained from the medical records.

In addition to the practical outline presented above, there may be state and local requirements that affect the rights of study subjects to research data that contain their personal identity.


  1. OHRP Guidance at: and
  2. Privacy rule at: 45 CFR 164.524.
  3. 45 CFR 164.524(a)(2)(iii).