Skip to main content

New PHI and HIPAA policy in effect

On Wednesday, June 2, Ohio State’s new Protected Health Information (PHI) & HIPAA Policy went into effect to establish a comprehensive policy to address PHI and HIPAA compliance across the university and the medical center.

Policy Overview

The purpose of this policy is to set forth the mechanisms to complying with HIPAA laws and corresponding regulations. This policy continues to establish and uphold the university’s commitment to complying with the HIPAA privacy, security and breach regulations. The well-established HIPAA processes established by covered components and service units are unified by the university policy.

The policy:

  1. Establishes that research is not a HIPAA covered function.
  2. Protected Health Information derived from covered entities, used for research, may be subject to HIPAA requirements.
  3. Introduces the definition of Research Health Information (RHI)
  4. Explains the mechanism of data reclassification from PHI to RHI

The policy reduces Ohio State’s regulatory exposure under HIPAA, due to RHI being outside the jurisdiction of the Office of Civil Rights of Health and Human Services. Both PHI and RHI must be safeguarded in accordance within the Ohio State information security framework.

Additional Resources

Decision Tree for Researchers - Use the decision tree to determine if your research data set is Protected Health Information (PHI) or Research Health Information (RHI) based on the regulatory mechanism under which the data were obtained.

Information Session - Thursday, June 17, from 10 to 11 a.m. via CarmenZoom

FAQ’s, diagrams and more