In the July issue of this journal, Altschuler and Murtha discussed the impact of the Health Insurance Portability and Accountability Act of 1996 (HIPPA) on pediatric gastrointestinal practice in the United States (J Pediatr Gastroenterol Nutr 2003;37:1). We wish to add some thoughts to theirs focusing on the impact of the HIPPA legislation on the conduct of research. Consternation resonated throughout the research community in the United States when it became clear that the HIPAA would affect not only clinical care, but also human subjects' research. Civil and criminal penalties attached to HIPAA violations were enough to make law-abiding investigators throw in their data sheets. Thankfully, common sense prevailed, aided in part by publication of the Office for Civil Rights in the Department of Health and Human Service's helpful guideline “Protecting Personnel Health Information in Research: Understanding the HIPAA Privacy Rule” (http://privacyruleandresearch.nih.gov/pr_02.asp) In reality, researchers are already relatively sophisticated in protection of privacy. The Common Rule that governs all human subjects' research activities has been in existence since 1991. This federal regulation states that institutional review boards (IRB) may approve research only if “there are adequate provisions to protect the privacy of subjects and to maintain the confidentiality of data” [45 CFR 46.111(a)(7); 21 CFR 56.111(a)(7)]. One of the eight basic elements of informed consent required by the Common Rule is an explanation of how confidentiality will be maintained. Thus, for many years, IRBs have evaluated an investigator's plan for protecting the privacy of subjects and their data. Our IRB at Columbus Children's Hospital regularly evaluates exactly what data will be collected, who will view it, how it will be stored to protect confidentiality, and what will happen to it once the study is completed. Columbus Children's Hospital held information and training sessions in anticipation of HIPAA implementation on April 14, 2003. Separate training sessions were held for researchers and research staff. Information about the impact of the HIPAA Privacy Rule on research was placed on the IRB web site. Now that HIPAA regulations have been implemented, an additional layer of privacy protection exists for human research subjects. Investigators must now specifically delineate for the IRB or privacy board how privacy will be protected during the course of a research study. At Columbus Children's Hospital, HIPAA forms can be downloaded from the IRB web site, and the IRB must review an investigator's plan to protect privacy. The following options are available to use “protected health information” (PHI) during the course of research. The Privacy Rule specifically defines each option. The most commonly used approach is to obtain a Privacy Rule authorization. An authorization is a subject's or parent's permission to collect, use, and disclose PHI, specific examples of which are provided in the publication referenced above. The authorization can be incorporated into an informed consent document or provided separately. The centerpiece of the authorization is a “specific and meaningful” description of the PHI to be used or disclosed during research, but other core elements also are required by HIPAA. Sample authorization language is available at http://privacyruleandresearch.nih.gov/authorization.asp. Under certain circumstances, the IRB may issue a waiver of authorization. A waiver determines that the risk to privacy incurred in a research study is so minimal that the PHI can be used without the subject's permission. De-identified data, defined in great detail by the Privacy Rule, is stripped of all identifiers and is not subject to the Privacy Rule. The category activities preparatory to research allows a researcher to conduct a preliminary review of charts and records with the understanding that no data will leave the institution. Research on decedents allows a researcher to conduct research on the deceased without obtaining authorization from the next of kin. Participation in disease registries may occur without an authorization or waiver if the data conform to the Privacy Rules definition of a limited data set and a signed Data Use Agreement is executed. The HIPAA Privacy Rule has caused researchers to take stock of their data-collection practices. Because of the longstanding practice of protecting privacy and confidentiality in human subjects' research, implementation of the Privacy Rule has not onerously affected research practices at Columbus Children's Hospital. So, despite all the initial consternation regarding HIPAA and research, it seems that research continues, albeit a little more carefully.