Research in family caregiving recently has become more challenging because of the strict protection of privacy mandated in the Health Insurance Portability and Accountability Act (HIPAA) of 1996. We ask when should Institutional Review Boards (IRBs) follow HIPAA rules to the letter and when might they use the waiver option? What is the appropriate balance between the goals of protecting the privacy of patients' personal health information and facilitating family-caregiver research that may benefit them and others? More particularly, should patients be gatekeepers for caregiver participation in minimal-risk research? We describe one approach that successfully met HIPAA criteria and also allowed high-quality research. In developing protocols and applying for IRB approval, researchers must be as familiar with HIPAA regulations as they are with IRB standards. Finally, we recommend changes in the review process that may facilitate research efforts with family caregivers while protecting important privacy interests.