That is where experiments conducted by the doctors get more difficult than experiments conducted by the techies; I'm not collecting any data, I just have to show I'm not taking indecent liberties with the data on servers I have root on. But I think you're getting more directly at the same point I was trying to, that HIPAA shouldn't be that much of an obstacle so long as you're respecting the patients' privacy.Had the data been anonymized by an entity capable of separating the hospital from the liability, there probably would have been a lot less drama.
A big part of the problem is PROVING that you are taking adequate security measures and the needfulness of your study. The people okaying these sorts of things are typically not super savvy in computers or medical science(Even if they are MDs). They are savvy in bureaucracy and administration.HIPAA shouldn't be that much of an obstacle so long as you're respecting the patients' privacy.