Privacy, Confidentiality & Access to Protected Health Information (PHI)
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. The US Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule to implement the requirements of HIPAA. The HIPAA Security Rule protects a subset of information covered by the Privacy Rule.
The Privacy Rule standards address the use and disclosure of individuals’ health information (known as “protected health information [PHI]”) by entities subject to the Privacy Rule. These individuals and organizations are called “covered entities.” The Privacy Rule also contains standards for individuals’ rights to understand and control how their health information is used. A major goal of the Privacy Rule is to ensure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high-quality health care and to protect the public’s health and well-being.
Title 45 Code of Federal Regulations Part 46 (45 CFR 46), also known as The Common Rule, requires that the Institutional Review Board (IRB) ensure that there are adequate provisions to protect the privacy of human subjects and to maintain the confidentiality of their data.
The Ohio State University Wexner Medical Center (OSUWMC), Office of University Compliance and Integrity (OUCI) Privacy has guides and policies regarding access to information for human subjects research (HSR) and other activities that include:
- General information
- Access to PHI for HSR
- Use of patient information to identify and/or contact potential human subjects
- Request for access to data on decedents
- Request for access to clinical information of human subjects enrolled in a clinical trial
- Access to health system data for retrospective data review
Use of Patient Information by Hospitals and Medical Staff applies to all departments and units and addresses access, use and security of patient information.
Protected Health Information and HIPAA applies to all university faculty, staff, students, suppliers/contractors, and volunteers. This policy describes the university’s process for complying with HIPAA laws and corresponding regulations, including research activities that use protected health information (PHI).
Patient information must be protected when sending emails to non-OSUWMC email addresses. Secure Mail is a system that securely transmits emails in a HIPAA-compliant manner. Refer to OSUWMC Guidance on Emailing Patients to learn more about how to use Secure Mail. For additional information or if you do not have an OSUWMC login and cannot access the OUCI Privacy/HIPAA website, please contact the Privacy Office at 614-293-4477.
For more information about the authorized use of PHI for research purposes, contact the Ohio State University Office of Responsible Research Practices (ORRP).
- To determine whether a case study requires approval from an Ohio State Institutional Review Board (IRB), please visit: https://orrp.osu.edu/irb/irb-faqs/#37
- For information on how to comply with Ohio State requirements in relation to case studies, read:
  - HIPAA: Use of De-identified Patient Information in Case Presentations and Published Case Studies (January 2021).
  - Familiarize Yourself: Combined Authorization Form Obtaining Patient Authorization for Use of Images for Media, Educational Purposes, and Case Studies (January 2021).
  - Ohio State Privacy Office Guidance on Case Studies
- To obtain patient authorization for case studies, use The Ohio State University Wexner Medical Center Release of Patient Information for Media, Educational Purposes, or Case Studies form.
- To publish a case study without signed patient authorization, you may request special consideration from the Chief Clinical Officer (CCO)/Chief Medical Officer (CMO) for the OSUWMC/The James or their designee.
Note that if the patient is alive and has the capacity to make their own healthcare decisions, they must provide signed authorization to publish the case study. The patient is the ultimate decision maker. If the patient declines, we must abide by their wishes (notwithstanding how compelling the case is). We cannot disregard patient rights.
For additional questions, please contact the Privacy Office at 614-293-4477.
The Ohio State University Research Data Repository (RDR) is an IRB-approved database populated with a coded-limited dataset sourced from the OSU Wexner Medical Center Electronic Health Record via the Information Warehouse. Application-level access to the RDR is implemented via the Informatics for Integrating Biology and the Bedside (i2b2) software product, which was developed at the Partners Healthcare System and has been adopted by over 80 academic medical centers across the country. The RDR provides OSU researchers the ability to perform self-service cohort discovery for research purposes in order to support hypothesis generation, feasibility analysis, and study population enrollment reports. The RDR is available for use by Ohio State biomedical research community members (faculty and staff) affiliated with the OSU Wexner Medical Center and/or one of the seven OSU health sciences colleges: Dentistry, Medicine, Nursing, Optometry, Pharmacy, Public Health, and Veterinary Medicine.
More Information about RDR and i2b2:
General RDR Questions: ctsi-informatics@osumc.edu
National i2b2 Consortium Website: https://www.i2b2.org/software
OSU RDR i2b2 Website: https://i2b2.osumc.edu/webclient/index.php
Request a project-specific RDR Consult: https://researchrecord.osu.edu
Research Data Repository (RDR) Available Data Fields (PDF)