Privacy, Confidentiality and Access to Protected Health Information (PHI)
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. The US Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule to implement the requirements of HIPAA. The HIPAA Security Rule protects a subset of information covered by the Privacy Rule.
The Privacy Rule standards address the use and disclosure of individuals’ health information (known as “protected health information [PHI]”) by entities subject to the Privacy Rule. These individuals and organizations are called “covered entities.” The Privacy Rule also contains standards for individuals’ rights to understand and control how their health information is used. A major goal of the Privacy Rule is to ensure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public’s health and well-being.
Title 45 Code of Federal Regulations Part 46 (45 CFR 46), also known as The Common Rule, requires that the Institutional Review Board (IRB) ensure that there are adequate provisions to protect the privacy of human subjects and to maintain the confidentiality of their data.
The Ohio State University Wexner Medical Center (OSUWMC), Office of University Compliance and Integrity (OUCI) Privacy has guides and policies regarding access to information for human subjects research (HSR) and other activities that include:
- General information
- Access to PHI for HSR
- Use of patient information to identify and/or contact potential human subjects
- Request for access to data on decedents
- Request for access to clinical information of human subjects enrolled in a clinical trial
- Access to health system data for retrospective data review
Use of Patient Information by Hospitals and Medical Staff applies to all departments and units and addresses access, use and security of patient information.
Protected Health Information and HIPAA applies to all university faculty, staff, students, suppliers/contractors, and volunteers. This policy describes the university’s process for complying with HIPAA laws and corresponding regulations, including research activities that use protected health information (PHI).
Patient Information must be protected when sending emails to non-OSUWMC email addresses. Secure Mail is a system that securely transmits emails in a HIPAA-compliant manner. Refer to OSUWMC Guidance on Emailing Patients to learn more about how to use Secure Mail. For additional information or if you do not have an OSUWMC login and cannot access the OUCI Privacy/HIPAA website, please contact the Privacy Office at 614-293-4477.
For more information about the authorized use of PHI for research purposes, contact the Ohio State University Office of Responsible Research Practices (ORRP).
- To determine whether a case study requires approval from an Ohio State Institutional Review Board (IRB), please visit: https://orrp.osu.edu/irb/irb-faqs/#37
- For information on how to comply with Ohio State requirements in relation to case studies, read:
- HIPAA: Use of De-identified Patient Information in Case Presentations and Published Case Studies (January 2021).
- Familiarize Yourself: Combined Authorization Form Obtaining Patient Authorization for Use of Images for Media, Educational Purposes, and Case Studies (January 2021).
- Ohio State Privacy Office Guidance on Case Studies
- To obtain patient authorization for case studies, use The Ohio State University Wexner Medical Center Release of Patient Information for Media, Educational Purposes, or Case Studies form.
- To publish a case study without signed patient authorization, you may request special consideration from the Chief Clinical Officer (CCO)/Chief Medical Officer (CMO) for the OSUWMC/The James or their designee.
Note that if the patient is alive and has the capacity to make their own healthcare decisions, they must provide signed authorization to publish the case study. The patient is the ultimate decision maker. If the patient declines, we must abide by their wishes (notwithstanding how compelling the case is). We cannot disregard patient rights.
For additional questions, please contact the Privacy Office at 614-293-4477.
The Ohio State University Research Data Repository (RDR) is an IRB-approved database populated with a coded-limited dataset sourced from the OSU Wexner Medical Center Electronic Health Record via the Information Warehouse. Application-level access to the RDR is implemented via the Informatics for Integrating Biology and the Bedside (i2b2) software product developed at the Partners Healthcare System, which has been adopted by over 80 academic medical centers across the country. The RDR provides OSU researchers the ability to perform self-service cohort discovery for research purposes in order to support hypothesis generation, feasibility analysis, and study population enrollment reports. The RDR is available for use by Ohio State biomedical research community members (faculty and staff) affiliated with the OSU Wexner Medical Center and/or one of the seven OSU health sciences colleges: Dentistry, Medicine, Nursing, Optometry, Pharmacy, Public Health, and Veterinary Medicine.
More Information about RDR and i2b2:
General RDR Questions: ctsi-informatics@osumc.edu
National i2b2 Consortium Website: https://www.i2b2.org/software
OSU RDR i2b2 Website: https://i2b2.osumc.edu/webclient/index.php
Request a project-specific RDR Consult: https://researchrecord.osu.edu
Research Data Repository (RDR) Available Data Fields (PDF)
Obtaining IHIS access for research
The College of Medicine Department of Research Information Technology (COMRIT), in collaboration with The Ohio State University Health System, has established a formal, standardized process for granting research access to the electronic health record, IHIS (Integrated Healthcare Information System). This process ensures consistent evaluation and approval of access to protected health information (PHI), while maintaining compliance with applicable regulations and institutional policies.
The Health Information System Access Review Committee (HISARC) is responsible for reviewing and approving requests for IHIS access for research purposes for individuals who do not obtain access through medical center employment. HISARC determines and authorizes the minimum level of access necessary for researchers to fulfill their job responsibilities.
Requirements for access to IHIS for research
- OSU Wexner Medical Center (OSUWMC) Credentials
- Active OSUWMC MedCenter credentials (name#) are required.
- Individuals without an OSUWMC user ID and password must obtain an OSUWMC Guest Account via the OSU Identity Management portal.
- Guest account requests must be submitted by an OSUWMC employee.
- Fingerprint Background Check (FBI/BCI) must be done through OSUWMC.
- Contact departmental HR representative to schedule with ID Processing.
- Drug Screening
- Contact departmental HR representative to schedule appointment with University Health Services.
- Requests must come from a supervisor.
- Employee health will not accept self-requests for drug screenings.
- A cost may be associated with certain roles/titles.
- Annual HIPAA and Institutional Data Compliance eLearning Completion
- Listed as Key Personnel on IRB Approved Protocol (some job title/role exemptions)
- Vaccination (for individuals who will have face-to-face contact with patients)
- Contact departmental HR representative to schedule appointment with University Health Services.
- (Access-specific) IHIS training is required before access is granted.
- IHIS access request can be submitted prior to IHIS training completion.
Additional requirements for students, visiting scholars, unpaid research contributors
- Researcher Confidentiality Education Form (internal access)
- Personal Attestation for Research Electronic Health Record Access (internal access)
- Estimated end date for access. HISARC will approve up to one year at a time with the option to renew.
Clinicians and Ohio State University medical students
These individuals already have clinical access by nature of their role and may use their clinical access for research once they meet the following requirements:
- Register in the IHIS Researcher Registry
- Listed as key personnel on the IRB approved protocol
- Annual HIPAA and Institutional Data Compliance eLearning Completion
- Complete appropriate IHIS research training if at least 50% of effort is on research
Overview of approval process
Once an eServices ticket to request IHIS for research is submitted by an OSUWMC employee (see submission instructions below), the approval process proceeds as follows:
- Verification by COMRIT: The College of Medicine Research IT (COMRIT) verifies the new user’s employment status, HIPAA training, background check, drug screening, IRB, and access needs prior to the next Health Information System Access Review Committee (HISARC) meeting, held on the second and fourth Thursdays of each month.
- HISARC review: HISARC reviews the request, determines the minimum necessary access level, and approves the request in eServices (typically within 2-4 business days). The ticket is then assigned to the IHIS Training Team.
- Training verification by IHIS training team: The IHIS Training Team verifies whether the user has completed all required training. If training is complete, the eServices ticket is approved and assigned to the IHIS Accounts Team (1-3 business days). If training is incomplete, the user is notified; tickets unresolved after 60 days are closed as incomplete.
- Account creation by IHIS accounts team: The IHIS Accounts Team creates the user account and provisions the approved access level within 1-5 business days. If filtering for In-basket plus SlicerDicer access is required, the ticket is assigned to the IT Team; otherwise, the ticket is marked as closed/complete.
- Configuration of SlicerDicer by IT team: The IT Team configures SlicerDicer access based on the user-provided list of MRNs, providers, or department codes. This process typically takes 5-10 business days for MRN filters and 3-7 business days for department or provider filters.
This process ensures that all requirements have been fulfilled before granting access to IHIS for research purposes.
IHIS for research request for HISARC approval flowchart:

How to request IHIS access for research purposes
To submit an eServices request, go to Service Portal - Self-Service Portal
- Supervisor/Manager's name and MedCenter Logon ID (PI or other individual involved in research)
- Cost center and fund
- Research staff external to OSU begin the process by requesting an OSU Guest Account first via my.osu.edu, then proceed with the eServices “Onboarding Form”.
- Newly hired OSUWMC staff can begin process with an Onboarding Form.
- OSUWMC staff can begin process with a “Modification to General Accounts and Access for an Established User”.
- View step-by-step instructions (internal access only)
HISARC is charged with determining the minimum access necessary to complete the research. There are several access levels that can be granted for research purposes:
- IHIS research aggregate data only: Users can use SlicerDicer to determine feasibility. This template is also required for Cosmos users.
- In-basket only: Users can only view charts that are sent to them via IHIS in-basket (similar to email). This is typically used for users who are only looking at a defined subset of patients.
- In-basket plus SlicerDicer (filtered access): In-basket functionality plus access to an identified set of MRNs/departments/studies (provided by requestor). Parameters set by IT. Best for users with a large number of identified charts to review. View Quick Start Guide
- Read/view only (all records): Users can see all charts in the system but cannot edit the chart contents. This access can be used for research recruitment under a HIPAA waiver, including viewing outpatient schedules and inpatient units, and data extraction.
- Full/documentation access (all records): Users can see all charts in the system and can document within the record. This is useful for researchers who wish to record research-related activities, such as the consent process or research notes, or pending orders to a licensed provider, such as an order for research samples.
- Research scheduling: Access allows researchers to schedule patients to their schedule or to a provider’s schedule.
- Research billing: Access used to assure research-related charges are not billed to the patient. Will reconcile patient accounts and study work queues.
- IHIS reporting power user research SlicerDicer: Restricted level that allows access to patient-level information (PHI) via SlicerDicer. Requires read only or documentation main templates. Must enter IRB protocol upon access.
- Requests can be submitted via eServices/Service Now Portal
- Tip sheet: Requesting IHIS access for research
- Cosmos requests
- In-basket plus SlicerDicer (filtered access)
- Quick start guide
- Provider-based departments (for clinic codes)
- MyTools - Physician finder (for provider codes)
- For internal transfers between research roles, IHIS access must be requested by the individual’s new supervisor through eServices. These requests are subject to the standard research access provisioning and approval process.
- IHIS research training team email: ihisresearchtraining@osumc.edu
- Approval of access modeled after another user is not guaranteed.
- Information regarding required CITI training can be found on the Office of Responsible Research Practices (ORRP) website
- Information about eCOI can be found at the Office of Research Compliance website
- IT Help Desk at 614-293-3861, option 8 for IHIS
Individuals in this category must maintain a current, formal affiliation with OSU, which includes active enrollment at OSU, participation in an approved and documented research rotation, or active employment and compensation through OSU or OSUMC.
Inclusion on an approved IRB protocol does not constitute an acceptable affiliation on its own. Access to IHIS for research purposes is not permitted for non-OSU undergraduate students or former OSU/OSUMC employees, including professors, researchers, and physicians unless they meet one of the above criteria.
Only someone associated with the medical center can submit these requests.
- An OSUWMC identity is required and may be requested through my.osu.edu. Instructions are available at https://my.osu.edu/user/medCenterGuestProcessDoc (OSU log-in required). Only someone currently associated with OSUWMC will be able to request a guest account.
- An onboarding request must be submitted through eServices to establish the user in the system. Step-by-step instructions are available below.
- Please note that guest accounts and IHIS access expire one year after creation. The guest account can be extended through my.osu.edu, and a new eServices request will need to be submitted for IHIS access.
- Approval can take 2-6 weeks, so please plan accordingly.
Research study monitors and FDA auditors
Research monitor and auditor access requests are made through CareLink rather than through eServices. Requests must be submitted by OSU/OSUMC research study staff. Monitor self-requests will be denied.
Use these internal access links for requesting access, releasing charts, and monitor/auditor guidance on understanding this system.
- Requesting Monitor or FDA Auditor Access to CareLink
- Releasing Patient Records to Research Monitors and Auditors
- CareLink User Manual for Research Monitors and Auditors
Please contact Kristin Scarpitti (kristin.page@osumc.edu) with any questions.
