Page 13 - Research Compliance Welcome Package (1.4.19)
Permitted Use and Disclosure of PHI in Research
The Privacy Rule permits the use of PHI in Research in the following scenarios:
• Privacy Authorization – A research subject has given permission by signing and dating a privacy authorization that outlines specific core elements and required statements, including 1) what information may be shared, 2) who may share it, 3) who it may be shared with, 4) why it may be used, and 5) for how long.
• De-identification – This Safe Harbor method of anonymization is the process of removing the 18 elements of PHI to render the information “de-identified”. This includes removal of parts or derivatives of any of the identifiers (e.g., patient initials; last 4 digits of SSN).
• Waiver of Authorization – In some instances, such as certain retrospective projects, it may not be feasible to obtain authorization or use de-identified information. The IRB may approve a request for waiver of authorization when certain criteria are met. These criteria are similar to, but in addition to, the criteria for waiver of research consent. Furthermore, a partial waiver of authorization may be granted by the IRB for only a component of a project such as accessing PHI for subject recruitment purposes.
• Limited Data Set (LDS) – Contains PHI but excludes certain direct identifiers out of the 18 elements. City, state, ZIP code, elements of date, and other numbers, characteristics, or codes not listed as direct identifiers may be shared in a limited data set. This must be approved by the BSWRI Research Regulatory Affairs Office and an agreement, called a Data Use Agreement (DUA), must be executed between the recipient of the data and the covered entity sharing the data. The DUA must include required provisions per the Privacy Rule such as how the LDS may be used and will be protected.
• Reviews Preparatory to Research – Accessing PHI for activities when preparing for research (e.g., preparing a protocol) may be permitted by the BSWRI Research Regulatory Affairs Office when justified and the PHI is not removed from BSWH.
• Research on Decedents’ Information – When research will involve the use of PHI of the deceased, BSWRI Research Regulatory Affairs may permit this activity without meeting the requirements of the permitted uses above; however, this must be justified and will require certain representations from the researcher.
Keep In Mind
• Unlike Treatment, Payment, or Operations (activities in which PHI may be shared without the patient’s authorization), research involving PHI requires specific safeguards as mentioned above.
• Privacy authorizations are typically blended with the research consent form, but be careful to retain all of the required authorization elements when blending or editing these forms.
• Be sensitive to the information you send to sponsors (or anyone outside the institution).
• Screening or “Pre-Screening” Logs: Prior to consent and authorization, sending any element of PHI about those individuals screened for possible entry to a trial is not permitted.
• Manually encrypt emails when sending information outside the institution by typing “secure:” into the subject line. This is a best practice whether or not emails contain private or confidential information and in case internal communications get forwarded external to BSWH.
• The Privacy Rule imposes a minimum necessary restriction whereby certain uses/disclosures must be limited to the information reasonably necessary to complete the task at hand. Although there are exceptions, this is always a best practice.
Page 2 of 3 12/10/18