Accessing PHI for Research

Health care providers covered by HIPAA may only use or disclose PHI for treatment, payment, and health care operations purposes. When research depends on PHI, there are six primary pathways permitting access to PHI for research-related purposes. The ORP requires that all researchers working with PHI complete mandatory online training on HIPAA, which has been incorporated into the required CITI training modules.

  1. Review preparatory to research

    • For the purpose of study design and protocol development
    • Review must be essential for conduct of research
    • No PHI may be removed from the covered entity providing the data
  2. Patient (Participant) authorization

    • Similar to current informed consent requirement
    • Includes additional elements and statements pertaining specifically to data privacy
    • Can be combined with informed consent form/process
    • ORP will provide a template for use in designing a valid authorization
    • For current research, if participant consent is obtained prior to April 14, 2003, research on PHI may continue without authorization.

      • If consent is not obtained before the compliance date, authorization will be required from each participant in order to access PHI.
  3. Waiver of authorization by IRB/Privacy Board

    • Waivers may be approved when research cannot feasibly be conducted on de-identified data or authorization cannot practically be obtained from research participants
    • Must demonstrate that disclosure of PHI will involve no more than minimal risk to the privacy of the individuals

      • Must demonstrate adequate plans to protect the data from improper use and disclosure
  4. De-identification of data

    • De-identified data is not technically PHI, since it is unlikely that it could be used to identify the individual
    • 18 categories of identifiers must be removed from the data for it to be classified as de-identified. These are:

      • Names
      • Geographic subdivisions smaller than a state, except the initial 3 digits of the zip code, with certain stipulations
      • All elements of dates (except year) and all ages over 89 (and all elements of dates, including year, indicative of such age)
      • Telephone numbers
      • Fax numbers
      • Electronic mail addresses
      • Social security numbers
      • Medical record numbers
      • Health plan beneficiary numbers
      • Account numbers
      • Certificate/license numbers
      • Vehicle identifiers and serial numbers, including license plate numbers
      • Device identifiers and serial numbers
      • Web Universal Resource Locators (URLs)
      • Internet Protocol (IP) address numbers
      • Biometric identifiers, including finger and voice prints
      • Full face photographic images and any comparable images
      • Any other unique identifying number, characteristic or code
  5. Limited data set and data use agreement

    • Requires that fewer identifiers be removed than for de-identified data
    • Allows use of dates and ages, device identifiers and serial numbers, and other unique identifiers not mentioned above, except those that could easily be used to identify the individual
    • Must be used in conjunction with a Data Use Agreement, a document intended to assure the data provider that the data will only be used or disclosed for limited purposes as specified in the research protocol
    • ORP will provide a template for developing a Data Use Agreement
  6. Research on decedent's information

    • Research on the PHI of decedents is allowed under the Privacy Rule
    • Several assurances will need to be provided to the covered entity in order to access decedents' PHI