Access & Use of Patient Records for Research Purposes

How does the HIPAA Privacy Rule pertain to research?

The HIPAA Privacy Rule (“Privacy Rule”) describes the ways in which covered entities like University Hospitals (UH) can use and disclose protected health information (PHI) for research purposes. Under the Privacy Rule, covered entities may use and disclose PHI for research purposes with individual authorization, or without individual authorization under limited circumstances.

What is PHI?

The Privacy Rule defines PHI as all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. “Individually identifiable health information” is information, including demographic data, that relates to:

the individual’s past, present or future physical or mental health or condition; or
the provision of healthcare to the individual; or
the past, present, or future payment for the provision of healthcare to the individual, and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes one or more of 18 identifiers, such as name, address, birth date, Social Security Number, etc.

What must I do in order to use or disclose PHI for research purposes?

Prior to using or disclosing PHI for research purposes, you must obtain prior approval from the Research Privacy Board (RPB) or the Institutional Review Board (IRB). Approval is also required when using or disclosing decedents’ PHI, using limited data sets, or preparing or using de-identified health information for research purposes. See UH Policy R-3 – Uses and Disclosures of PHI for Research.

How do I know whether the project I am considering is research?

The Privacy Rule defines research as “a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.” To clarify whether your project is research, seek clarification from the UH Clinical Research Center (UHCRC).

What is the difference between research and a quality improvement activity?

Quality improvement in healthcare is a method by which individuals work together to improve systems and processes affecting outcomes. It is generally limited to: (a) implementing a practice to improve the quality of patient care; and (b) collecting patient or provider data pertaining to the implementation of the practice for clinical, practical or administrative purposes. Activities that are strictly “quality improvement” do not require IRB review and approval. If at some point the purpose of quality improvement initiative changes to include research components, then the initiative must be submitted for IRB approval. For examples of quality improvement and research, see UH Investigator Manual for IRB Submissions: Chapter 3 – Regulatory Classifications, Quality Improvements Activities.

If research participants sign an informed consent document, is this adequate to collect their PHI for research purposes?

No. A patient’s signed informed consent does not constitute authorization to use or disclose PHI for research purposes. An authorization differs from an informed consent in that an authorization focuses on privacy risks and states how, why and to whom the PHI will be used and/or disclosed for research. Whereas, an informed consent provides research subjects with a description of the study, its anticipated risks and/or benefits, and a description of how the confidentiality of records will be protected.

What is de-identified data?

De-identified health information is not considered PHI. There are two ways to de-identify data. Data is de-identified when all 18 identifiers of the individual, their relatives, employers, or household members are removed from the individual’s data set; and UH has no knowledge that the remaining information can identify the individual. Alternatively, data is de-identified when an expert determines there is a very small risk that the recipient could identify the individual.

Additional guidance regarding de-identified data is available at: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/De-identification/guidance.html.

Researchers must obtain approval from the UHCMC Research Privacy Board prior to creating, using or disclosing de-identified health information for research purposes. See UH Policy PH-15, De-identifying Protected Health Information (PHI).

What is a limited data set?

A limited data set is health information that excludes certain direct identifiers (such as name, social security number, medical record number, etc.) but that may include city; state; ZIP Code; elements of dates; and other numbers, characteristics, or codes not listed as direct identifiers. A limited data set is NOT considered to be “de-identified.” Researchers should use a limited data set whenever possible, particularly for work preparatory to research.

Use or disclosure of a limited data set is only permitted with a written data use agreement between UH and the limited data set recipient.

Researchers must obtain approval from the UHCMC Research Privacy Board prior to creating, using or disclosing a limited data set for research purposes. See UH Policy PH-16, Limited Data Set: Permitted Purposes for Use/Disclosure.

Do I need approval to review PHI to determine whether research is feasible?

Yes. An investigator who wishes to review PHI preparatory to research must comply with the Standard Operating Procedure (SOP) for Clinical Research “Use and Disclosure of Protected Health Information Preparatory to Research,” which includes completing the Certification Form and submitting it to the UH Director of Privacy. See Research SOP GA-102 – Use and Disclosure of Protected Health Information Preparatory to Research for more information regarding this process.

My department would like to create (or already has) a large database of patient information for research use, is this ok?

No. Creation of such a database requires separate IRB review and approval.

I would like to save a copy of certain patient information, either on the UH network, on my UH or personal computer, on a USB or other flash drive, or on some other storage device. I don’t have a research need for it right now, but I would like to preserve it so that I have it for potential future research activities. Is this ok?

No. Creation of such a copy (regardless of how the data is copied, and regardless of whether the data is stored on the UH network) requires separate IRB review and approval.

Is it ok to ‘data mine’ a clinical database to collect cases for potential research without IRB approval?

No. Creating or maintaining a database containing patient information for research purposes (or to gather/store data in anticipation of possible future research activities) is generally not permitted without the patient’s express written authorization. Databases established for clinical purposes should not be intermingled with databases approved and established for research purposes.

What must I do in order for a study team member who is not a UH employee to assist with data extraction or data entry for my research project?

Non-UH personnel, including CWRU employees, must follow UH Research Standard Operating Procedures and complete Research Credentialing to gain access to UH patients’ PHI. Research Credentialing must be completed and approved prior to access to any UH electronic systems or PHI.

Note that CWRU personnel are not part of UH for HIPAA purposes. Therefore, before any CWRU personnel is given access to UH patient data: (1) the CWRU personnel must have been credentialed as described above; and (2) the specific research project for which the data will be used must have been approved by the IRB. CWRU personnel, including those who have been credentialed for research, are not permitted to have routine access to UH patient data outside of an IRB-approved research project.

I have a spreadsheet, protected with a password, containing all my research data. Does this adequately protect my data?

No. The creation or maintenance of an electronic file containing patient PHI is not permitted unless approved by the IRB. For approved cases, research data must be kept on a secure system that is password protected and that contains whole disk encryption for portable devices. Files should be password protected and stored on the UH S:Drive. It is recommended that data is stored using REDCap, and in some cases it may be required.

Is it ok to store my research data on a personal device, such as my personal computer or a personal thumb drive? What about my computer at CWRU?

No, such data must only be stored on UH systems and devices. Data may be stored on a CWRU computer or device only if such storage is specifically approved by the IRB for a specific research project.

Sometimes I bring my work laptop home to complete work. Is it ok to let my spouse/significant other/children use it?

No. UH assets should be used for work purposes only. All passwords must be kept confidential and updated on a regular basis. If you believe a password has been compromised, immediately change it and report the incident to the UH Help Desk at 216-844-3327.

What other ways can I protect PHI related to research?

Unless separately approved by the IRB, data containing PHI must not be downloaded or stored on a USB drive, CD, DVD or portable disk; or sent via email and/or other electronic transmission. If the sending of data via email is permitted by the IRB, you must always use your UH email account to send and receive data. Use of a personal email account is never permitted, even for approved research.

What should I do if my laptop or other mobile device containing PHI is stolen or lost?

Employees, physicians, workforce members and those who provide services to or on behalf of UH must immediately report the loss or theft of an electronic device containing PHI or an incident of unauthorized access, use, disclosure, modification or destruction of electronic PHI to the UH Help Desk at 216-844-3327. See UH Policy PH-28 – Breach Notification.

What are the consequences of failing to protect the privacy of patient health information?

UH employees who intentionally disclose or use unsecured PHI will be terminated. UH employees who allow PHI to be disclosed improperly under circumstances in which compliance with UH policy would have prevented disclosure may be disciplined, up to and including termination. Additionally, the HITECH Act significantly increased the penalty amounts and provided for individual criminal liability.

What if I have questions about access to a patient record for research purposes or how to ensure the data that I have collected is appropriately protected?

You may direct questions to your manager or the UHCRC. Additionally, you may contact the Compliance and Ethics Department at 216-767-8227 or email Compliance@UHhospitals.org.