Data-Tech Connect: The Ethics of Research Access to Electronic Medical Record Data


Paula Smailes, RN, MSN, CCRC, CCRP

In 2009, President Obama passed the American Recovery and Reinvestment Act, and from that came the Health Information Technology for Economic and Clinical Health (HITECH) Act. HITECH began the push for healthcare organizations to convert from paper to electronic medical records. The Centers for Medicare and Medicaid Services began to enforce HITECH by offering incentive payments to eligible hospitals, such as academic medical centers, that were meeting the criteria for “meaningful use” of electronic medical records (EMRs).

However, by 2015, the incentive program had turned into a penalty program for hospitals that failed to meet the meaningful use criteria. This has pushed healthcare organizations to convert their medical records from paper to electronic format, thereby giving authorized persons access to millions of patient records. This presents a gold mine for researchers wanting to do research on patient data; however, access to the EMRs for research purposes isn’t always easy.

At the center of this issue are concerns about patient privacy and the confidentiality of the electronic records. Researchers may not have permission to access such data, and need to be vetted in order to access the EMRs at an organization. This vetting process could take weeks, months, or even years.

It could be argued that, instead of restricting the access of many researchers to these records and potentially crippling studies that could benefit their patients, attention should instead be focused on researchers advancing science from which patients and society will benefit. However, healthcare organizations are legally required to protect patient data and patients obviously want that, as well.

With so many legal and ethical challenges tied to this issue, could efforts be made to develop a research-centric culture that complies with the law and supports patient autonomy for those who wish to participate in research?

HIPAA Privacy Rule

In 1991, the Federal Policy for the Protection of Human Subjects (the Common Rule) was published, which applies to all research involving human subjects conducted, supported, or otherwise subject to regulation by any federal department or agency.1 A few years later, the 1996 Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule was enacted to improve the efficiency of healthcare administration. It did so by setting national standards and regulations for transmitting certain health information and for protecting patient privacy. It regulates how certain healthcare organizations or businesses, called covered entities under the Rule, handle protected health information (PHI).

As HIPAA was enacted, there was a growing concern related to the increased use of EMRs. Covered entities, as designated by the HIPAA Privacy Rule, are required to protect the privacy and security of their patients’ health information. While the Privacy Rule should align with the Common Rule, there are areas of inconsistency that result in gaps in privacy protection and also create added burdens, confusion, frustration, and misunderstandings for researchers, research subjects, and institutional review boards (IRBs).2


The Covered Entity

As a covered entity, a healthcare organization may use or disclose PHI for research purposes pursuant to a HIPAA waiver of authorization by an IRB, but that doesn’t automatically mean it will. Depending on the organization, researcher access may be easy to obtain, or the researcher may be heavily scrutinized and not get the desired access.

It should be noted that research access is granted using the Minimum Necessary Standard. This is a requirement of the HIPAA Privacy Rule saying that covered entities must make reasonable efforts to limit the PHI used or disclosed to the minimum necessary amount to accomplish the intended research purpose. The decisions of covered entities lie greatly with the ethical principle of nonmaleficence—to do no harm to patients (or to their data) by accessing or sharing the data. If a breach occurs, the covered entity may face fines in excess of a million dollars, which could also impact the entity’s reputation.


Covered entities may address research in their privacy practices, including what allowing data to be used by researchers might mean to the patient’s electronic record. Even if this occurs, it may not necessarily mean a researcher is allowed to review full medical records and contact patients directly.

For the advancement of healthcare through research, the ideal situation would be to allow patients the autonomy to decide if researchers can or cannot use their PHI prior to the research need. Evidence suggests that this tactic has been followed successfully at various institutions:

  • In 1997, a 10-month survey of patients at the Mayo Clinic found that 96% of the 214,000 patients who returned surveys provided a general authorization for the use of their medical records information for research if needed.3
  • Similar findings were seen in a sample of 217 patients from four U.S. Department of Veterans Affairs healthcare facilities. Patients were questioned about the intent to use their records for research, and they unanimously wanted to share their information for research, desiring more control over whether and how their records were used for research.4
  • A Canadian study found that respondents were generally supportive of medical research, trusting of researchers, and supportive of the use of their information and biospecimens for health research.5

These studies provide proof that patients are interested in research, motivated to participate, and desire the autonomy to choose.


The ethical principles that apply to researchers are beneficence, nonmaleficence, veracity, and fidelity with respect to patient data in EMRs. With few exceptions, most researchers operate with beneficence to find cures that do the greatest good for the greatest number of people. By doing so, the usual intent is nonmaleficence, as described earlier, and to engage in clinical research with veracity (truth telling) to patients while upholding fidelity (promise keeping) to them about what engaging in the study truly entails.

Researchers, upon being hired, may be subject to background checks, drug screens, and education on human subject protections, such as HIPAA training and courses offered through the Collaborative Institutional Training Initiative (CITI). They need further approvals for access to EMRs from the appropriate IRBs, which verify waivers of HIPAA authorization. If researchers are not able to obtain timely access to patient data for conducting research, it could negatively impact study timelines, grants, career advancement, organizations’ reputations and revenues, and scientific progress.


After examining the stakeholders in this complex issue, it is easy to see that there are multiple ethical principles impacting the situation. However, this issue should also be considered in terms of the public good that research offers each of us.

It is important that covered entities not violate the established HIPAA Privacy Rule, but instead work within this rule to engage patients with the possibility of research participation. If the research enterprise is impeded, or if it is less robust in the spirit of upholding HIPAA and patient privacy, important societal interests are adversely affected.6

One solution to this ethical dilemma may be an opt-in or opt-out feature for EMRs, whereby patients indicate whether they would like to be considered for research or not. (It should be noted that some patients may not care to explain their wishes not to engage in research, or may have sensitive diagnoses that they do not want disclosed beyond their care team. The choice to opt out should be respected, whatever the line of reasoning.)

As this column shows, the complexity of the HIPAA Privacy Rule lies in its interpretation for clinical research, and we should always remember the ethics, in addition to the regulations, that shape our work.


  1. U.S. Department of Health and Human Services. 2017. The Office for Human Research Protections. Federal Policy for the Protection of Human Subjects (Common Rule).
  2. Rothstein MA. 2005. Research privacy under HIPAA and the Common Rule. J Law Med & Ethics 33(1):154–9.
  3. Melton LJ. 1997. The threat to medical records research. NEJM 337(20):1466–70.
  4. Damschroder LJ, Pritts JL, Neblo MA, Kalarickal RJ, Creswell JW, Hayward RA. 2007. Patients, privacy, and trust: patients’ willingness to allow researchers to access their medical records. Soc Sci Med 64(1):223–35.
  5. Page SM. 2016. A survey of patient perspectives on the research use of health information and biospecimens. BMC Med Ethics 17(48):1–9.
  6. Nass SJ, Levit LA, Gostin LO (eds.) 2009. Institute of Medicine (now the Health and Medicine Division of the National Academies). Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. Washington, D.C.: The National Academies Press.

Paula Smailes, RN, MSN, CCRC, CCRP, is a member of the ACRP Editorial Advisory Board, a training and optimization analyst for clinical research at The Ohio State University Wexner Medical Center, and a visiting professor with Chamberlain College of Nursing.

[DOI: 10.14524/CR-17-4017]