Privacy in Research
Research Compliance Tip Sheet
  General Considerations:
• Patients entrust BSWH with their health information, and we all have a responsibility to protect it.
• As a covered entity, regulations restrict how BSWH permits the use and/or disclosure of protected
health information (PHI) for research purposes.
• Every component of a research project that involves PHI must be covered by one of the permitted scenarios described below.
• If something is unclear or confusing, the Research Compliance Office is available to answer questions and provide guidance. Find staff contact information on the final page of this tip sheet.
 (“HIPAA”) Privacy Rule
 The Department of Health and Human Services issued the Privacy Rule to carry out the mandate under the Health Insurance Portability and Accountability Act to safeguard the privacy of individually identifiable health information. The Privacy Rule regulates the way certain health care providers, health plans, and health care clearinghouses, called Covered Entities, use this information known as protected health information (PHI). Covered entities may permit researchers access to and use of PHI for research purposes only when certain conditions are met. The 18 protected identifiers enumerated in the Privacy Rule and the permitted conditions under which PHI may be used in research are detailed below.
18 Elements of PHI
   Name
     Social Security Number
     Medical record number
    Health plan beneficiary number
  Any other unique identifying number, characteristic, or code (e.g., subject ID)
   Vehicle identifiers and serial numbers, including license plate number
    All elements of dates (except year) for dates directly related to an individual, including:
• Birth date
• Admission date
• Date of death
• All ages over 89 and all elements of dates
(including year) indicative of age 89, except that such ages and elements may be aggregated into a single category of age 90 or older
     All geographic subdivisions smaller than a State, including:
• Street address
• City
• County
• Precinct
• Zip code, and their equivalent geocodes*
      Certificate/license number
  Full face photographic images and any comparable images
    Telephone number
     Device identifiers and serial numbers
    Fax number
 Biometric identifiers, including finger and voice prints
    Electronic mail address
     Web Universal Resource Locator (URL)
    Account number
   Internet Protocol (IP) address number
    *The initial three digits of a zip code may be used if, according to the current publicly available data from the Bureau of the Census: (1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; AND (2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
Page 1 of 3 12/10/18