Yes. Under the HIPAA Privacy Rule, covered entities may use or disclose protected health information from existing databases or repositories for research purposes either with individual authorization as required at 45 CFR 164.508, or with a waiver of individual authorization as permitted at 45 CFR 164.512(i).
See our research section and frequently asked questions about the research provisions for more information about Institutional Review Boards.
Date Created: 12/20/2002
Last Updated: 03/14/2006