A covered entity must comply with HIPAA, and with the HIPAA Privacy Rule’s requirements to protect the privacy and security of health information. Covered entities are defined in 45 CFR 160.103.
University researchers are generally not considered covered entities, but in the course of health research they will often interact with covered entities in order to obtain data.