What patient data can a hospital keep in research records after a HIPAA authorization is revoked?
When a patient signs a HIPAA authorization to participate in research, they generally keep the right to revoke it. But revocation is not retroactive. Under HIPAA, a revocation stops future uses and disclosures going forward; it does not erase data the hospital or researchers already collected and relied on while the authorization was valid.
What the hospital may keep
A covered entity may retain and continue to use protected health information (PHI) already obtained under the authorization to the extent the research team has acted in reliance on it. In practice this commonly includes:
- Data already gathered or recorded before the revocation took effect.
- Information needed to preserve the integrity of the study — for example, accounting for a participant’s withdrawal so the research results remain valid and complete.
- Records required to support safety reporting, adverse-event tracking, or regulatory submissions tied to the research.
This “reliance” exception exists so that revoking authorization does not invalidate work already done or undermine the scientific and regulatory record.
What changes after revocation
Going forward, the hospital generally should not collect new PHI from that individual for the study, nor make new disclosures, unless another lawful basis applies. The boundary is timing: pre-revocation data tied to reliance may stay; post-revocation collection usually stops.
Other laws and overlapping requirements can also keep data in place. Research records may be subject to FDA recordkeeping rules, institutional review board (IRB) requirements, grant conditions, or retention schedules that operate independently of HIPAA. A revocation does not override a separate legal retention obligation.
Records management takeaways
- Document the revocation — capture the date received and what it covers, so the reliance boundary is defensible.
- Distinguish data sets — separate pre-revocation (retainable) information from anything that must not be reused.
- Apply purpose and use limits — restrict retained PHI to the study integrity and compliance purposes that justify keeping it, consistent with data-minimization and privacy-by-design principles.
- Honor the full retention picture — align disposition with the longest applicable requirement, then dispose securely.
For broader guidance on handling sensitive personal data, see the privacy and PII topic hub.
Always confirm specifics with your privacy officer, IRB, and counsel, since exact obligations depend on the study, the authorization language, and applicable law.
Sources & further reading
Authoritative government and non-profit references.
- NIST Privacy Framework — NIST
- ISO 15489-1 Records management — ISO
How to cite this page
APA
RM University Editorial. (2026). What patient data can a hospital keep in research records after a HIPAA authorization is revoked?. Records Management University. https://www.recordsmgmt.org/questions/what-patient-data-hospital-keep-after-hipaa-authorization-revoked/
MLA
RM University Editorial. "What patient data can a hospital keep in research records after a HIPAA authorization is revoked?." Records Management University, 16 June 2026, www.recordsmgmt.org/questions/what-patient-data-hospital-keep-after-hipaa-authorization-revoked/.
Related questions
- Can a multinational use ISO 15489 to build one global records policy, or does it still need separate schedules per country?
- Can blockchain or immutable storage be used for records when privacy laws require you to delete personal data on request?
- Can I keep customer data longer than my retention schedule says if I might need it later?
- Can I keep customer personal data indefinitely if they agreed to my privacy policy when they signed up?
- Can you be fined for failing to honor a data subject's deletion request if you can't find their records?