Privacy, Confidentiality & Access to Protected Health Information (PHI)

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. The US Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule to implement the requirements of HIPAA. The HIPAA Security Rule protects a subset of information covered by the Privacy Rule.

The Privacy Rule standards address the use and disclosure of individuals’ health information (known as “protected health information [PHI]”) by entities subject to the Privacy Rule. These individuals and organizations are called “covered entities.” The Privacy Rule also contains standards for individuals’ rights to understand and control how their health information is used. A major goal of the Privacy Rule is to ensure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public’s health and well-being.

Title 45 Code of Federal Regulations Part 46 (45 CFR 46), also known as The Common Rule, requires that the Institutional Review Board (IRB) ensure that there are adequate provisions to protect the privacy of human subjects and to maintain the confidentiality of their data.

The Ohio State University Wexner Medical Center (OSUWMC), Office of University Compliance and Integrity (OUCI) Privacy has guides and policies regarding access to information for human subjects research (HSR) and other activities that include:

General information
Access to PHI for HSR
Use of patient information to identify and/or contact potential human subjects
Request for access to data on decedents
Request for access to clinical information of human subjects enrolled in a clinical trial
Access to health system data for retrospective data review

Use of Patient Information by Hospitals and Medical Staff applies to all departments and units and addresses access, use and security of patient information.

Protected Health Information and HIPAA, applies to all university faculty, staff, students, suppliers/contractors, and volunteers. This policy describes the university’s process for complying with HIPAA laws and corresponding regulations, including research activities that use protected health information (PHI).

Patient Information must be protected when sending emails to non-OSUWMC email addresses. Secure Mail is a system that securely transmits emails in a HIPAA-compliant manner. Refer to OSUWMC Guidance on Emailing Patients to learn more about how to use Secure Mail. For additional information or if you do not have an OSUWMC login and cannot access the OUCI Privacy/HIPAA website, please contact the Privacy Office at 614-293-4477.

For more information about the authorized use of PHI for research purposes, contact the Ohio State University Office of Responsible Research Practices (ORRP).

Information about case studies
A case study limited to one or two cases typically does not require IRB approval, but authorization from the patient is still needed. For case studies involving OSUWMC patients, the Release of Information (ROI) form should be used to get the patient’s authorization for their de-identified information to be used in a case study. The case study must be de-identified. The form should say that they authorize the staff writing the case study to release information to x journal/meeting for the purpose of a de-identified case study. Put the range of the specific dates that will be referenced. Under ‘Specific Reports to be Disclosed’ indicate that the case study will be de-identified. Once the form is signed, it should be kept in your record in case the case study is ever questioned. Please see below for example of how the form can be completed for obtaining permission from the patient.
- View blank release of information form
- View an example of release of information form
If a signed authorization cannot be obtained, the Chair of the HIPAA Steering Committee would need to grant an exception. Please contact the Privacy Office or the HIPAA Helpline at (614) 293-4477 for more information.
RDR i2b2 - The Ohio State Research Data Repository

The Ohio State University Research Data Repository (RDR) is an IRB-approved database populated with a coded-limited dataset sourced from OSU Wexner Medical Center Electronic Health Record via the Information Warehouse. Application level access to the RDR is implemented via the Informatics for Integrating Biology and the Bedside (i2b2) software product developed at the Partners Healthcare System which has been adopted by over 80 Academic Health Centers across the country. The RDR provides OSU researchers the ability to perform self-service cohort discovery for research purposes in order to support hypothesis generation, feasibility analysis, and study population enrollment reports. The RDR is available for use by Ohio State biomedical research community members (faculty and staff) affiliated with the OSU Wexner Medical Center and/or one of the seven OSU health sciences colleges: Dentistry, Medicine, Nursing, Optometry, Pharmacy, Public Health, and Veterinary Medicine.
Training
More information about RDR and i2b2

More Information about RDR and i2b2:

General RDR Questions: ccts-informatics@osumc.edu
National i2b2 Consortium Website: https://www.i2b2.org/software
OSU RDR i2b2 Website: https://i2b2.osumc.edu/webclient/index.php
Request a project-specific RDR Consult: https://researchrecord.osu.edu
Research Data Repository (RDR) Available Data Fields (PDF)

Research and HIPAA

Privacy, Confidentiality & Access to Protected Health Information (PHI)

Information about case studies

RDR i2b2 - The Ohio State Research Data Repository

Training

More information about RDR and i2b2

Share this page