Access & Use of Patient Records for Research Purposes
The HIPAA Privacy Rule (“Privacy Rule”) describes the ways in which covered entities like University Hospitals (UH) can use and disclose protected health information (PHI) for research purposes. Under the Privacy Rule, covered entities may use and disclose PHI for research purposes with individual authorization, or without individual authorization under limited circumstances.
The Privacy Rule defines PHI as all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. “Individually identifiable health information” is information, including demographic data, that relates to:
- the individual’s past, present or future physical or mental health or condition; or
- the provision of healthcare to the individual; or
- the past, present, or future payment for the provision of healthcare to the individual;
and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes one or more of 18 identifiers, such as name, address, birth date, Social Security Number, etc.
Prior to using or disclosing PHI for research purposes, you must obtain prior approval from the Research Privacy Board (RPB) or the Institutional Review Board (IRB). Approval is also required when using or disclosing decedents’ PHI, using limited data sets, or preparing or using de-identified health information for research purposes. See UH Policy R-3 – Uses and Disclosures of PHI for Research.
The Privacy Rule defines research as “a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.” If you are unsure whether your project is research, seek clarification from the UH Clinical Research Center (UHCRC).
Quality improvement in healthcare is a method by which individuals work together to improve systems and processes affecting outcomes. It is generally limited to: (a) implementing a practice to improve the quality of patient care; and (b) collecting patient or provider data pertaining to the implementation of the practice for clinical, practical or administrative purposes. Activities that are strictly “quality improvement” do not require IRB review and approval. If at some point the purpose of a quality improvement initiative changes to include research components, then the initiative must be submitted for IRB approval. For examples of quality improvement and research, see UH Investigator Manual for IRB Submissions: Chapter 3 – Regulatory Classifications, Quality Improvement Activities.
No. A patient’s signed informed consent does not constitute authorization to use or disclose PHI for research purposes. An authorization differs from an informed consent in that an authorization focuses on privacy risks and states how, why and to whom the PHI will be used and/or disclosed for research. An informed consent, by contrast, provides research subjects with a description of the study, its anticipated risks and/or benefits, and a description of how the confidentiality of records will be protected.
De-identified health information is not considered PHI. There are two ways to de-identify data. Under the first, data is de-identified when all 18 identifiers of the individual, their relatives, employers, or household members are removed from the individual’s data set, and UH has no knowledge that the remaining information can identify the individual. Under the second, data is de-identified when an expert determines there is a very small risk that the recipient could identify the individual.
Additional guidance regarding de-identified data is available at: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/De-identification/guidance.html.
Researchers must obtain approval from the UHCMC Research Privacy Board prior to creating, using or disclosing de-identified health information for research purposes. See UH Policy PH-15, De-identifying Protected Health Information (PHI).
A limited data set is health information that excludes certain direct identifiers (such as name, social security number, medical record number, etc.) but that may include city; state; ZIP Code; elements of dates; and other numbers, characteristics, or codes not listed as direct identifiers. A limited data set is NOT considered to be “de-identified.” Researchers should use a limited data set whenever possible, particularly for work preparatory to research.
Use or disclosure of a limited data set is only permitted with a written data use agreement between UH and the limited data set recipient.
Researchers must obtain approval from the UHCMC Research Privacy Board prior to creating, using or disclosing a limited data set for research purposes. See UH Policy PH-16, Limited Data Set: Permitted Purposes for Use/Disclosure.
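As an added illustration of the distinction drawn above between a limited data set and de-identified data (example code written for this page, not UH’s or HHS’s own tooling), the following Python applies the Safe Harbor removal rules to one constructed patient record and checks that the limited data set still fails the de-identification test. The field names, the record and the sparse-ZIP set are assumptions for the example.

```python
import re

# Field names standing in for the Safe Harbor direct identifiers (names, street address,
# phone/fax, email, SSN, MRN, plan/account/licence numbers, vehicle and device serials,
# URLs, IP addresses, biometrics, face photos, any other unique code). Names are assumed.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "vehicle_id", "device_serial", "url",
    "ip_address", "biometric", "face_photo", "other_unique_code",
}
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}
# 3-digit ZIP prefixes covering 20,000 or fewer people must be reported as "000".
# Constructed set for this example; a real job loads the list from census data.
SPARSE_ZIP3 = {"036", "059"}

def to_limited_data_set(record):
    """Limited data set: drop direct identifiers, keep city/state/ZIP and full dates.
    Still PHI under the Privacy Rule; release requires a data use agreement."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}

def to_safe_harbor(record):
    """Safe Harbor de-identification: remove all 18 identifier categories."""
    out = {}
    for k, v in record.items():
        if k in DIRECT_IDENTIFIERS or k == "city":
            continue                                    # geography below state level goes
        if k == "zip":
            prefix = str(v)[:3]
            out[k] = "000" if prefix in SPARSE_ZIP3 else prefix
        elif k in DATE_FIELDS:
            out[k] = str(v)[:4]                         # year only
        elif k == "age":
            out[k] = "90+" if int(v) > 89 else int(v)   # ages over 89 are aggregated
        else:
            out[k] = v
    return out

def is_safe_harbor(record):
    """True only if no direct identifier, sub-state geography, full date or age > 89 remains."""
    for k, v in record.items():
        if k in DIRECT_IDENTIFIERS or k == "city":
            return False
        if k == "zip" and not re.fullmatch(r"\d{3}", str(v)):
            return False
        if k in DATE_FIELDS and not re.fullmatch(r"\d{4}", str(v)):
            return False
        if k == "age" and str(v) != "90+" and int(v) > 89:
            return False
    return True

# Constructed sample record (not real patient data).
PATIENT = {"name": "Jane Example", "mrn": "000123", "city": "Cleveland", "state": "OH",
           "zip": "44106", "birth_date": "1931-04-17", "admission_date": "2013-06-02",
           "age": 92, "diagnosis": "I10"}
```

Running `is_safe_harbor(to_limited_data_set(PATIENT))` returns False while `is_safe_harbor(to_safe_harbor(PATIENT))` returns True, which is the page’s point: a limited data set is not de-identified.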
Yes. An investigator who wishes to review PHI preparatory to research must comply with the Standard Operating Procedure (SOP) for Clinical Research “Use and Disclosure of Protected Health Information Preparatory to Research,” which includes completing the Certification Form and submitting it to the UH Director of Privacy. See Research SOP GA-102 – Use and Disclosure of Protected Health Information Preparatory to Research for more information regarding this process.
No. Creation of such a database requires separate IRB review and approval.
No. Creation of such a copy (regardless of how the data is copied, and regardless of whether the data is stored on the UH network) requires separate IRB review and approval.
No. Creating or maintaining a database containing patient information for research purposes (or to gather/store data in anticipation of possible future research activities) is generally not permitted without the patient’s express written authorization. Databases established for clinical purposes should not be intermingled with databases approved and established for research purposes.
Non-UH personnel, including CWRU employees, must follow UH Research Standard Operating Procedures and complete Research Credentialing to gain access to UH patients’ PHI. Research Credentialing must be completed and approved prior to access to any UH electronic systems or PHI.
Note that CWRU personnel are not part of UH for HIPAA purposes. Therefore, before any CWRU personnel are given access to UH patient data: (1) the CWRU personnel must have been credentialed as described above; and (2) the specific research project for which the data will be used must have been approved by the IRB. CWRU personnel, including those who have been credentialed for research, are not permitted to have routine access to UH patient data outside of an IRB-approved research project.
No. The creation or maintenance of an electronic file containing patient PHI is not permitted unless approved by the IRB. For approved cases, research data must be kept on a secure system that is password protected and, for portable devices, that uses whole-disk encryption. Files should be password protected and stored on the UH S:Drive. It is recommended that data be stored using REDCap, and in some cases it may be required.
No, such data must only be stored on UH systems and devices. Data may be stored on a CWRU computer or device only if such storage is specifically approved by the IRB for a specific research project.
No. UH assets should be used for work purposes only. All passwords must be kept confidential and updated on a regular basis. If you believe a password has been compromised, immediately change it and report the incident to the UH Help Desk at 216-844-3327.
Unless separately approved by the IRB, data containing PHI must not be downloaded or stored on a USB drive, CD, DVD or portable disk; or sent via email and/or other electronic transmission. If the sending of data via email is permitted by the IRB, you must always use your UH email account to send and receive data. Use of a personal email account is never permitted, even for approved research.
Employees, physicians, workforce members and those who provide services to or on behalf of UH must immediately report the loss or theft of an electronic device containing PHI or an incident of unauthorized access, use, disclosure, modification or destruction of electronic PHI to the UH Help Desk at 216-844-3327. See UH Policy PH-28 – Breach Notification.
UH employees who intentionally disclose or use unsecured PHI will be terminated. UH employees who allow PHI to be disclosed improperly under circumstances in which compliance with UH policy would have prevented disclosure may be disciplined, up to and including termination. Additionally, the HITECH Act significantly increased the penalty amounts and provided for individual criminal liability.
You may direct questions to your manager or the UHCRC. Additionally, you may contact the Compliance and Ethics Department at 216-767-8227 or email Compliance@UHhospitals.org.