Can a hospital or research university hold classified records, and how do FCL and HIPAA rules interact?
Yes. A hospital or research university can legally hold classified national security records, but only as a contractor or grantee operating under a federal sponsor’s authority. They do not classify information on their own; classification authority rests with executive-branch agencies. When such an institution performs sponsored work that touches classified material, it must do so inside the framework that governs all cleared contractors.
How an institution becomes eligible
To store, generate, or access classified records, an organization must obtain a Facility Clearance (FCL) through the National Industrial Security Program. An FCL confirms that the institution is eligible to access classified information at a given level and has the security infrastructure to protect it. Individual researchers and staff who handle the material need personnel security clearances at the matching level, and they must have a documented need-to-know.
A medical center or university typically pursues an FCL when it wins a Department of Defense, intelligence community, or other federal contract or grant involving classified research. Without that sponsoring relationship and the supporting clearance, the institution simply cannot hold classified records.
Where HIPAA fits
HIPAA governs the privacy and security of protected health information (PHI) held by covered entities and their business associates. It is a separate legal regime from national security classification. The two do not override each other; they apply in parallel.
In practice:
- A single record can be both PHI and classified. A research dataset on a classified biodefense study, for example, may contain identifiable health information and a classification marking at the same time.
- The stricter control governs each requirement. Classified handling rules dictate storage, transmission, and clearance-based access. HIPAA continues to require minimum-necessary access, safeguards, and accounting for PHI.
- Some health-related information that is sensitive but not classified is instead handled as Controlled Unclassified Information (CUI), which has its own marking and handling standards.
Practical takeaways
Institutions should keep classified holdings physically and procedurally segregated, train staff on both regimes, and align retention and declassification with the sponsoring agency’s instructions rather than disposing of records on their own schedule.
For the broader lifecycle of classified material, see the declassification topic hub.
Sources & further reading
Authoritative government and non-profit references.
- Information Security Oversight Office (ISOO) — National Archives (NARA)
- Controlled Unclassified Information (CUI) — National Archives (NARA)
How to cite this page
APA
RM University Editorial. (2026). Can a hospital or research university hold classified records, and how do FCL and HIPAA rules interact?. Records Management University. https://www.recordsmgmt.org/questions/can-a-hospital-or-research-university-hold-classified-records-fcl-hipaa/
MLA
RM University Editorial. "Can a hospital or research university hold classified records, and how do FCL and HIPAA rules interact?." Records Management University, 16 June 2026, www.recordsmgmt.org/questions/can-a-hospital-or-research-university-hold-classified-records-fcl-hipaa/.
Related questions
- Can a law firm representing a government client retain classified discovery, and who declassifies it after the case?
- Can a multinational company use ISO 15489 as a single recordkeeping standard across all of its countries?
- Can a private citizen request that a specific classified record be declassified?
- Can AI and machine learning reliably assist with declassification review of classified records?
- Can an agency be penalized for over-classifying records to avoid disclosure?