Access and Use of Patient Records for Research Purposes

Access and Use of Patient Records for Research Purposes Frequently Asked Questions

How does the HIPAA Privacy Rule pertain to research?

The HIPAA Privacy Rule (“Privacy Rule”) describes the ways in which covered entities like University Hospitals (UH) can use and disclose protected health information (PHI) for research purposes. Under the Privacy Rule, covered entities may use and disclose PHI for research purposes with individual authorization, or without individual authorization under limited circumstances.

What is PHI?
What must I do in order to use or disclose PHI for research purposes?

Prior to using or disclosing PHI for research purposes, you must obtain prior approval from the Research Privacy Board (RPB) or the Institutional Review Board (IRB). Approval is also required when using or disclosing decedents’ PHI, using limited data sets, or preparing or using de-identified health information for research purposes. See UH Policy R-3 – Uses and Disclosures of PHI for Research.

How do I know whether the project I am considering is research?
What is the difference between research and a quality improvement activity?

Quality improvement in healthcare is a method by which individuals work together to improve systems and processes affecting outcomes. It is generally limited to: (a) implementing a practice to improve the quality of patient care; and (b) collecting patient or provider data pertaining to the implementation of the practice for clinical, practical or administrative purposes. Activities that are strictly “quality improvement” do not require IRB review and approval. If at some point the purpose of a quality improvement initiative changes to include research components, then the initiative must be submitted for IRB approval. For examples of quality improvement and research, see UH IRB policy – Quality Improvement Activities.

If research participants sign an informed consent document, is this adequate to collect their PHI for research purposes?
What is de-identified data?

De-identified health information is not considered PHI. There are two ways to de-identify data. Data is de-identified when all 18 identifiers of the individual, or of the individual’s relatives, employers, or household members, are removed from the individual’s data set, and UH has no knowledge that the remaining information can identify the individual. Alternatively, data is de-identified when an expert determines that there is a very small risk that the recipient could identify the individual.

Additional guidance regarding de-identified data is available at:

Researchers must obtain approval from the UHCMC Research Privacy Board prior to creating, using or disclosing de-identified health information for research purposes. See UH Policy PH-15, De-identifying Protected Health Information (PHI).

What is a limited data set?
Do I need approval to review PHI to determine whether research is feasible?

Yes. An investigator who wishes to review PHI preparatory to research must comply with the Standard Operating Procedure (SOP) for Clinical Research “Use and Disclosure of Protected Health Information Preparatory to Research,” which includes completing the Certification Form and submitting it to the UH Director of Privacy. See Use and Disclosure of Protected Health Information for Review Preparatory to Research for more information regarding this process.

My department would like to create (or already has) a large database of patient information for research use. Is this ok?
I would like to save a copy of certain patient information, either on the UH network, on my UH or personal computer, on a USB or other flash drive, or on some other storage device. I don’t have a research need for it right now, but I would like to preserve it so that I have it for potential future research activities. Is this ok?

No. Creation of such a copy (regardless of how the data is copied, and regardless of whether the data is stored on the UH network) requires separate IRB review and approval.

Is it ok to ‘data mine’ a clinical database to collect cases for potential research without IRB approval?
What must I do in order for a study team member who is not a UH employee to assist with data extraction or data entry for my research project?

Non-UH personnel, including CWRU employees, must follow UH Research Standard Operating Procedures and complete Research Credentialing to gain access to UH patients’ PHI. Research Credentialing must be completed and approved prior to access to any UH electronic systems or PHI.

Note that CWRU personnel are not part of UH for HIPAA purposes. Therefore, before any CWRU personnel are given access to UH patient data: (1) the CWRU personnel must have been credentialed as described above; and (2) the specific research project for which the data will be used must have been approved by the IRB. CWRU personnel, including those who have been credentialed for research, are not permitted to have routine access to UH patient data outside of an IRB-approved research project.

I have a spreadsheet, protected with a password, containing all my research data. Does this adequately protect my data?
Is it ok to store my research data on a personal device, such as my personal computer or a personal thumb drive? What about my computer at CWRU?

No. Such data must be stored only on UH systems and devices. Data may be stored on a CWRU computer or device only if such storage is specifically approved by the IRB for a specific research project.

Sometimes I bring my work laptop home to complete work. Is it ok to let my spouse/significant other/children use it?
What other ways can I protect PHI related to research?

Unless separately approved by the IRB, data containing PHI must not be downloaded or stored on a USB drive, CD, DVD or portable disk, or sent via email or any other electronic transmission. If the sending of data via email is permitted by the IRB, you must always use your UH email account to send and receive the data. Use of a personal email account is never permitted, even for approved research.

What should I do if my laptop or other mobile device containing PHI is stolen or lost?
What are the consequences of failing to protect the privacy of patient health information?

UH employees who intentionally disclose or use unsecured PHI will be terminated. UH employees who allow PHI to be disclosed improperly, under circumstances in which compliance with UH policy would have prevented the disclosure, may be disciplined, up to and including termination. Additionally, the HITECH Act significantly increased the penalty amounts and provided for individual criminal liability.

What if I have questions about access to a patient record for research purposes or how to ensure the data that I have collected is appropriately protected?