This blog post is a writing assignment for HIMT 1200: Legal Aspects of Healthcare, part of the Health Information Management Technology (HI13) Associate of Applied Science Degree program at Georgia Northwestern Technical College.


The HIPAA Privacy Rule sets rules for how protected health information (PHI) may be shared or used for medical research. HIPAA protects identifiable PHI while allowing medical researchers to access the information required to facilitate their research. An entity can share or use de-identified health information for medical research (, 2002). However, it generally cannot share identifiable health information without authorization (Hammaker, 2020, p. 383). HIPAA considers de-identified data safe to share, so the patient’s consent is mainly irrelevant except in the event of a security breach or identification.

The care providers control the EHR and the health information it contains. Generally, the health care practitioner owns the medical record, and the patient has ownership of his personal data within the record. The doctor creates a patient’s record and needs complete control of that record to provide safe and adequate care. This fact limits the power the patient has despite owning his information. He cannot remove any information he wants to be removed because removing it could endanger him (Royal, n.d.).

Some individuals say they do not want their information used in research at all. In one study, thirty-one percent of respondents thought researchers should have access to their data without authorization. However, the number increased to 86 percent when they thought the database would be set up for anonymous research (Kass, 2003). If the data is de-identified, and the individuals do not need to provide authorization, then they definitely have no involvement in how their information is used in the research. They can choose not to permit their PHI to be used in research, but attempting to control their data or withdrawing it entirely from the research could skew the results, and researchers need access to complete their work.

Patients usually have the opportunity to withhold their information from research by not giving consent. However, they do not always have control. Their de-identified data can be disclosed. The HIPAA Privacy Rule also allows an entity to share or use PHI for medical research without the individual giving authorization in some situations. The entity can do this by obtaining a waiver of the requirement for approval by an Institutional Review Board (IRB) (NIH, 2003). When applicable, patients can withhold their information or choose to walk away from research, but they do not have other alternatives. Negotiating terms, purposes, and conditions of the medical research that uses the individual’s health information is not the same as walking away.



Hammaker, D. K. (2020). Health Records and the Law. (5th ed.). Burlington, MA: Jones & Bartlett Learning.

(2002, Dec. 3). Research.

Kass, N. E., Natowicz, M. R., Hull, S. C., Faden, R. R., Plantinga, L., Gostin, L. O., and Slutsman, J. (2003). The Use of Medical Records in Research: What Do Patients Want? NCBI.

NIH. (2003, Aug. 15). Institutional Review Boards and the HIPAA Privacy Rule.

Royal, K. (n.d.). Who Owns Patient Medical Records? JUCM.


Assignment 14.1 - Amy Haisten

