Skip to main content

3.4 Use of Protected Health Information in Research

1.0 Purpose

The purpose of this policy and procedure is to describe the Organization’s requirements for ensuring the appropriate protections for use of Protected Health Information (PHI) in research.


2.0 Policy

  • 2.1. It is the policy of the Organization that investigator access to records containing PHI will comply with: 1) HHS regulations at 45 CFR 46.111(a)(7) and 45 CFR 164.512(i) (HIPAA Privacy and Security Act); 2) 21 CFR 11 (as applicable), 3) UNMC policies #6045, 6057, 6059, 6061, 6071; and 4) UNMC Board of Regents Executive Memorandum No. 27 (HIPAA Compliance Policy).
  • 2.2. It is the policy of the Organization that all patients have a right to privacy which precludes the use of their records containing any PHI by an individual who does not have permitted access as defined in HRPP policy 3.12 (Ethical Access).
  • 2.3. It is the policy of the Organization that records containing PHI, in any form, are the property of the Organization, and that the PHI contained in the record is the property of the individual who is the subject of the record.
  • 2.4. It is the policy of the Organization that, when using or disclosing PHI or when requesting PHI from another covered entity, the investigator must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the research.
  • 2.5. It is the policy of the Organization that a compound authorization process for research will be used where the HIPAA authorization is merged within the research ICF.

3.0 Definitions

  • 3.1. Protected Health Information (PHI) is individually identifiable health information, whether oral or recorded in any medium, that:
    • 3.1.1. Is created or received by the Organization; and
    • 3.1.2. Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual (45 CFR 160.103).
  • 3.2. HIPAA Identifiers are the characteristics of health information that make such information about the individual (or of relatives, employers, or household members of the individual) identifiable. Per the HIPAA Privacy Rule (45 CFR 164.51(b)(2)(i)), identifiers include the following:
    • 3.2.1. Names
    • 3.2.2. All geographic subdivisions smaller than a state, including street address, city county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code, if, according to the current publicly available data from the Bureau of the Census:
      • 3.2.2.1. The geographic unit formed by combing all zip codes with the same three initial digits contains more than 20,000 people, and
      • 3.2.2.2. The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people are changed to 000.
    • 3.2.3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
    • 3.2.4. Telephone numbers
    • 3.2.5. Fax numbers
    • 3.2.6. Electronic mail addresses
    • 3.2.7. Social security numbers
    • 3.2.8. Medical record numbers
    • 3.2.9. Health plan beneficiary numbers
    • 3.2.10. Account numbers
    • 3.2.11. Certificate/license numbers
    • 3.2.12. Vehicle identifiers and serious numbers, including license plate numbers
    • 3.2.13. Device identifiers and serial numbers
    • 3.2.14. Web Universal Resource Locators (URLs)
    • 3.2.15. Internet Protocol (IP) address numbers
    • 3.2.16. Biometric identifiers, including finger and voice prints
    • 3.2.17. Full face photographic images and any comparable images
    • 3.2.18. Any other unique identifying number, characteristic, or code
  • 3.3. Limited Data Set means health information that excludes the direct HIPAA identifiers listed in section 3.2 above, except that it may include:
    • 3.3.1. City; state; ZIP Code; and
    • 3.3.2. Elements of date; and
    • 3.3.3. Other numbers, characteristics, or codes not listed as direct identifiers
  • 3.4. Honest Broker (as defined in UNMC Policy 6074 is a neutral intermediary (person or system), who is a workforce member and is certified to collect specified health information from the tissue or data bank, remove all patient identifiers, and provide the de-identified health information or tissue to research investigators, clinicians, or other healthcare workforce members, in such a manner that it would not be reasonably possible for any individual to identify the patients directly or indirectly.

4.0 Use or Disclosure of PHI for Research

The Privacy Rule permits the Organization to use or disclose PHI for research only under certain circumstances and conditions as described below:

  • 4.1. The subject of the PHI has granted specific written authorization, in accordance with 45 CFR 164.508(c).
    • 4.1.1. The Organization utilizes a compound authorization process for research in which the HIPAA authorization is merged within the research ICF
    • 4.1.2. The HIPAA Authorization must include the following Core Elements per 45 CFR 164.508(c)(1):
      • 4.1.2.1. Description of PHI to be used or disclosed (identifying the information in a specific and meaningful manner).
      • 4.1.2.2. The name(s) or other specific identification of person(s) or class of persons authorized to make the requested use or disclosure.
      • 4.1.2.3. The name(s) or other specific identification of the person(s) or class of persons who may use the PHI or to whom the covered entity may make the requested disclosure.
      • 4.1.2.4. Description of each purpose of the requested use or disclosure. This section must “adequately describe such purposes such that it would be reasonable for the individual to expect that his or her protected health information could be used or disclosed for such future research.” (78 FR 5612, 2013)
      • 4.1.2.5. Authorization expiration date or event (for example, "end of the research study" or "none")
      • 4.1.2.6. Signature of the individual and date. If the Authorization is signed by an individual's personal representative, a description of the representative's authority to act for the individual.
    • 4.1.3. The HIPAA Authorization must include the following Required Statements, per 45 CFR 164.508(c)(2):
      • 4.1.3.1. The individual's right to revoke his/her Authorization in writing and either (1) the exceptions to the right to revoke and a description of how the individual may revoke Authorization.

      • 4.1.3.2. Notice of the covered entity's ability or inability to condition treatment, payment, enrollment, or eligibility for benefits on the Authorization, including research-related treatment, and, if applicable, consequences of refusing to sign the Authorization.

      • 4.1.3.3. The potential for the PHI to be re-disclosed by the recipient and no longer protected by the Privacy Rule. This statement does not require an analysis of risk for re-disclosure but may be a general statement that the Privacy Rule may no longer protect health information.

        Note: The templates for the ICFs are designed to meet all of the regulatory requirements required under the HIPAA regulations.

    • 4.1.4. A research subject may revoke his/her Authorization at any time. However, the investigator may continue to use and disclose PHI that was obtained before the individual revoked Authorization. This would permit the investigator to continue using or disclosing the PHI as necessary to maintain the integrity of the research, as, for example, to account for a subject's withdrawal from the research study, to conduct investigations of scientific misconduct, or to report adverse events.
  • 4.2. The PHI will be used for reviews preparatory to research per 164.512(i)(1)(ii)
    • 4.2.1. Activities "preparatory to research" include, but are not limited to, (1) preparing a research protocol, (2) assisting in the development of a research hypothesis, or (3) aiding in research recruitment, such as identifying prospective research participants who would meet the eligibility criteria for enrollment into a research study.
    • 4.2.2. The investigator must have ethical access to the PHI in accordance with HRPP policy 3.12 (Ethical Access).
    • 4.2.3. PHI obtained and recorded may not be removed from the Organization during the course of the review.
    • 4.2.4. PHI obtained and recorded may not be used for research purposes other than those described above without IRB approval
    • 4.2.5. Activities “preparatory to research” may still constitute “research” under 45 CFR 46, and therefore, may require informed consent under 45 CFR 46.116, even though HIPAA requirements are met.
  • 4.3. The IRB or Privacy Board has granted a waiver of Authorization per 164.512(i) and HRPP policy 5.2 (Waiver or Alteration of Informed Consent and HIPAA Authorization).
  • 4.4. The PHI has been de-identified per 45 CFR 164.514(b) or (c) (in which case, the health information is no longer PHI)
    • 4.4.1. PHI is de-identified (and therefore becomes health information and no longer PHI) if either of the following applies:
      • 4.4.1.1. A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable (a) applying such principles and methods, determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information; and (b) documents the methods and results of the analysis that justify such determination; OR
      • 4.4.1.2. The identifiers of the individual or of relatives, employers, or household members of the individual listed in section 3.2 (HIPAA Identifiers) are removed, and the Organization does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information 45 CFR 154.512(b)(2)(ii).
    • 4.4.2. De-identification is performed by the designated “honest broker” in the Office of the Vice-Chancellor for Research, following the procedure described in UNMC Policy 6074.
  • 4.5. The PHI is released in the form of a Limited Data Set (as defined in section 3.3 above), with a data use agreement between the researcher and the Organization per 45 CFR 164.514(e)
    • 4.5.1. The Data Use Agreement (DUA): 1) establishes the permitted uses and disclosures of the information by the recipient of the Limited Data Set, and 2) establishes who is permitted use or receive the data set and (3) specifies that the recipient of the LDS will:
      • 4.5.1.1. Not use or further disclose the information other than as permitted by the DUA/DTA or as otherwise required by law.
      • 4.5.1.2. Use appropriate safeguards to prevent use or disclosure of the information other than as provided for by the DUA.
      • 4.5.1.3. Report to the Organization (the ORA and the Privacy Office) any use or disclosure of the information not provided for by its DUA of which it becomes aware.
      • 4.5.1.4. Ensure that any agents, including a subcontractor, to whom it provides the limited data set agrees to the same restrictions and conditions that apply to the recipient with respect to such information.
      • 4.5.1.5. Not attempt to identify or contact the individuals.
    • 4.5.2. The DUA will be negotiated through Sponsored Programs Administration.
    • 4.5.3. The investigator must have ethical access to the PHI in accordance with HRPP policy 3.12 (Ethical Access).
    • 4.5.4. The LDS will be prepared by the designated “honest broker” in the Office of the Vice-Chancellor for Research, following the procedure described in UNMC Policy 6074.

5.0 Procedures

  • 5.1. Research Involving the Use of PHI
    • 5.1.1. The Investigator must submit the IRB application that is appropriate for the proposed research in accordance with HRPP policy 2.1 (Submission of Items for Review by the IRB).
    • 5.1.2. Applications requiring full IRB review will be reviewed in accordance with HRPP policy 2.2 (Full IRB Review).
    • 5.1.3. Applications that are eligible for review by the expedited method will be reviewed in accordance with HRPP policy 2.3 (Expedited Review of Research).
    • 5.1.4. Applications which are eligible for exemption under 45 CFR 46.101(b) (or rev 45 CFR 46.104(d)) or 21 CFR 56.104(d) will be processed and reviewed in accordance with HRPP policy 2.6 (Exempt Research).
    • 5.1.5. In all cases, the minimum amount of PHI should be recorded, and, whenever possible, data should be recorded without PHI.
    • 5.1.6. Individuals who do not have ethical access to records containing PHI (as defined in HRPP policy 3.12; Ethical Access) must obtain data from the designated “honest broker” as described in section 4.4 above, or which has only a one-way code (for which the custodian of the records has the link and the code is not any part of the 18 HIPAA identifiers).
    • 5.1.7. If the PHI will be sent to an external entity, a Data Use Agreement or sponsored agreement must be finalized by Sponsored Programs Administration prior to final IRB approval
  • 5.2. Research Utilizing Decedent PHI
    • 5.2.1. Research involving decedents does not constitute human subject research under 45 CFR 46. However, HIPAA applies to PHI of individuals deceased for 50 years or less; therefore, the IRB, in its capacity as HIPAA Privacy Board, must review the use of such PHI.
    • 5.2.2. To approve the use of PHI, the IRB, in its capacity as HIPAA Privacy Board, must obtain from the researcher who is seeking access to decedents' PHI:
      • 5.2.2.1. Oral or written assurance that the use or disclosure sought is solely for research on the PHI of decedents.
      • 5.2.2.2. Oral or written assurance that use or disclosure of the PHI is necessary for the purposes of the research.
      • 5.2.2.3. Documentation, at the request of the Organization, of the death of the individuals whose PHI is sought.
    • 5.2.3. An investigator conducting such research is not required to obtain Authorizations from the personal representative or next of kin under the Privacy Rule; however, permission may be required by State Law, and is certainly respectful of the survivors. Investigators should contact the UNMC Office of the General Counsel.
    • 5.2.4. The HIPAA Privacy Rule does not apply to identifiable health information on individuals who have been deceased for more than 50 years (45 CFR 164.512(i)(1)(iii)). Therefore, research involving health information from such individuals does not require review or approval of the Privacy Board.

DOCUMENT HISTORY:

 Written: 1/28/2016 (Approved: 1/28/2016) - original author not recorded

 Revised: 4/9/2018 - revision not documented