When can PHI be used for research purposes?
HIPAA does allow PHI to be used for research purposes under the following circumstances:
- Review preparatory to research
- For the purpose of study design and protocol development
- Review must be essential for conduct of research
- No PHI may be removed from the covered entity providing the data
- Patient (Participant) authorization
- Similar to current informed consent requirement
- Includes additional elements and statements pertaining specifically to data privacy
- Can be combined with informed consent form/process
- ORP will provide a template for use in designing a valid authorization
- For current research, if participant consent is obtained prior to April 14, 2003, research on PHI may continue without authorization.
- Waiver of authorization by IRB/Privacy Board
- Waivers may be approved when research cannot feasibly be conducted on de-identified data or authorization cannot practically be obtained from research participants
- Must demonstrate that disclosure of PHI will involve no more than minimal risk to the privacy of the individuals
Must demonstrate adequate plans to protect the data from improper use and disclosure
- De-identification is the removal of personally identifying information in order to protect an individual’s privacy. Data that excludes all eighteen HIPAA identifiers. (See “What is de-identified data?”) De-identified data is not the same as “anonymous data” under the Common Rule.
- Limited data set and data use agreement (See “What is a limited data set?”)
- Requires fewer identifiers be removed than de-identified data
- Allows use of dates and ages, diagnoses, and other unique identifiers not mentioned above, except those that could easily be used to identify the individual
- Must be used in conjunction with a Data Use Agreement, a document intended to assure the data provider that the data will only be used or disclosed for limited purposes as specified in the research protocol
- Data use agreements may be obtained by contacting the Research Compliance Office at 317-278-7189.
- Research on decedents’ information is allowed by the Privacy Rule under certain circumstances. The Research must represent:
- Uses or disclosure are solely for research on decedents
- PHI is necessary for research or the research could not practicably be done without PHI
- Individuals are deceased (the researcher may have to provide documentation)
« Return to previous FAQs page