Privacy, Confidentiality & Access to Protected Health Information (PHI)

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. The US Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule to implement the requirements of HIPAA. The HIPAA Security Rule protects a subset of information covered by the Privacy Rule.

The Privacy Rule standards address the use and disclosure of individuals’ health information (known as “protected health information [PHI]”) by entities subject to the Privacy Rule. These individuals and organizations are called “covered entities.” The Privacy Rule also contains standards for individuals’ rights to understand and control how their health information is used. A major goal of the Privacy Rule is to ensure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high-quality health care and to protect the public’s health and well-being.

Title 45 Code of Federal Regulations Part 46 (45 CFR 46), also known as The Common Rule, requires that the Institutional Review Board (IRB) ensure that there are adequate provisions to protect the privacy of human subjects and to maintain the confidentiality of their data.

The Ohio State University Wexner Medical Center (OSUWMC), Office of University Compliance and Integrity (OUCI) Privacy has guides and policies regarding access to information for human subjects research (HSR) and other activities that include:

  • General information
  • Access to PHI for HSR
  • Use of patient information to identify and/or contact potential human subjects
  • Request for access to data on decedents
  • Request for access to clinical information of human subjects enrolled in a clinical trial
  • Access to health system data for retrospective data review

Use of Patient Information by Hospitals and Medical Staff applies to all departments and units and addresses access, use and security of patient information.

Protected Health Information and HIPAA applies to all university faculty, staff, students, suppliers/contractors, and volunteers. This policy describes the university’s process for complying with HIPAA laws and corresponding regulations, including research activities that use protected health information (PHI).

Patient information must be protected when emails are sent to non-OSUWMC email addresses. Secure Mail is a system that securely transmits emails in a HIPAA-compliant manner. Refer to OSUWMC Guidance on Emailing Patients to learn more about how to use Secure Mail. For additional information or if you do not have an OSUWMC login and cannot access the OUCI Privacy/HIPAA website, please contact the Privacy Office at 614-293-4477.

For more information about the authorized use of PHI for research purposes, contact the Ohio State University Office of Responsible Research Practices (ORRP).