Research Responsibilities and Compliance

Research Using Protected Health Information

What is PHI?

Protected health information (PHI) is health information that is individually identifiable and created or held by a covered entity or a covered component of a hybrid entity including:

  • a patient’s past, present, or future physical or mental health information;
  • the provision of health care to a patient until fifty (50) years following the patient's death;
  • or payment for that care.

Health information is individually identifiable when it identifies an individual or there is a reasonable basis to believe the information can be used to identify an individual.

HIPAA Identifiers

The following are considered individually identifiable information.

  1. name
  2. all geographic subdivisions smaller than a state (street address, city, county, precinct). Note: the zip code or its equivalent must be removed, but the first 3 digits may be retained if the geographic unit to which those digits apply contains more than 20,000 people
  3. for dates directly related to the individual, all elements of dates, except year (date of birth, admission date, discharge date, date of death)
  4. all ages over 89 or dates indicating such an age
  5. telephone number
  6. fax number
  7. email address
  8. social security number
  9. medical record number
  10. health plan number
  11. account numbers
  12. certificate or license numbers
  13. vehicle identification/serial numbers, including license plate numbers
  14. device identification/serial numbers
  15. universal resource locators (URLs)
  16. internet protocol (IP) addresses
  17. biometric identifiers, including finger and voice prints
  18. full face photographs and comparable images
  19. any other unique identifying number, characteristic, or code (known as the “catch-all” provision, intended to cover items not otherwise listed that could still make a data set identifiable)

Covered Entity

The Privacy Rule applies only to covered entities, including:

  • health insurers
  • health care clearinghouses
  • health care providers who electronically transmit information for certain types of transactions such as billing and eligibility verification

The Privacy Rule allows covered entities to designate themselves as “hybrid entities” with selected parts subject to the requirements of the Privacy Rule. The Ohio State University is a hybrid entity. The “covered components” of the university include the health system and other university areas performing HIPAA-covered functions as illustrated in the HIPAA hybrid entity diagram.

Limited Data Sets

A limited data set is a special category of PHI that has all of the following identifiers removed:

  1. name
  2. postal address information other than town/city, state, and five-digit zip code
  3. telephone number
  4. fax number
  5. email address
  6. social security number
  7. medical record number
  8. health plan number
  9. account numbers
  10. certificate or license numbers
  11. vehicle identification/serial numbers, including license plate numbers
  12. device identification/serial numbers
  13. universal resource locators (URLs)
  14. internet protocol (IP) addresses
  15. biometric identifiers, including finger and voice prints
  16. full face photographs and comparable images

Under the Privacy Rule, use or disclosure of limited data sets for research purposes requires a data use agreement unless researchers obtain HIPAA research authorization from participants or a waiver of authorization from an Institutional Review Board or Privacy Board.

De-identified Data

De-identified data are not subject to the requirements of the Privacy Rule because they are not individually identifiable. There are two ways to de-identify data:

  1. use of the Safe Harbor Method, which involves removing from the dataset all HIPAA identifiers that could be used to identify the individual or the individual's relatives, employers, or household members, or
  2. use of the Statistical Method, which requires the use of a qualified expert.
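The two data categories above differ only in which identifiers are removed and what is generalised, so the difference is easy to show in code. The following is an added example, not code from this page or from Ohio State: it applies the limited data set rule and the Safe Harbor rule from the identifier lists above to a constructed patient record, and finishes with a catch-all check for identifier-shaped strings left in free-text fields. The field names, the sample record, the reference date and the set of low-population ZIP prefixes are all constructed assumptions; the real list of 3-digit ZIP areas with 20,000 people or fewer comes from census data, not from this page.

```python
from __future__ import annotations

import re
from datetime import date
from typing import Any

# Fields that both lists on the page require removed (constructed schema names).
DIRECT_IDENTIFIERS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "vin", "device_serial", "url",
    "ip_address", "biometric", "photo",
}
# Address detail below town/city, state and ZIP; a limited data set drops it.
STREET_LEVEL_ADDRESS = {"street", "county", "precinct"}
# Dates directly related to the individual (kept whole in a limited data set).
DATE_FIELDS = ("dob", "admission_date", "discharge_date", "date_of_death")

# ASSUMPTION (constructed): 3-digit ZIP prefixes whose area holds 20,000
# people or fewer. Under Safe Harbor these become 000.
SMALL_POPULATION_ZIP3 = {"036", "059", "102"}

# Identifier shapes that can survive inside free text (the catch-all item).
LEAK_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}

AS_OF = date(2024, 1, 1)  # constructed reference date for computing ages

SAMPLE = {  # constructed sample record, not real patient data
    "name": "A. Example",
    "dob": date(1930, 5, 2),
    "admission_date": date(2023, 2, 14),
    "street": "1 Main St",
    "city": "Columbus",
    "state": "OH",
    "zip": "43210",
    "phone": "614-555-0100",
    "mrn": "MRN-000123",
    "diagnosis": "hypertension",
    "notes": "Follow-up by email to a.example@example.org",
}
SAMPLE_YOUNG = dict(SAMPLE, dob=date(1990, 6, 30))  # same record, younger patient


def to_limited_data_set(record: dict[str, Any]) -> dict[str, Any]:
    """Limited data set: direct identifiers and street-level address go;
    town/city, state, five-digit ZIP and full dates stay. Still PHI, so a
    data use agreement (or authorization / waiver) is required to share it."""
    return {k: v for k, v in record.items()
            if k not in DIRECT_IDENTIFIERS and k not in STREET_LEVEL_ADDRESS}


def safe_harbor_zip(zip_code: str) -> str:
    """Keep only the first three digits, or 000 for a low-population area."""
    zip3 = zip_code.strip()[:3]
    return "000" if zip3 in SMALL_POPULATION_ZIP3 else zip3


def _age_on(dob: date, as_of: date) -> int:
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))


def safe_harbor_deidentify(record: dict[str, Any], as_of: date = AS_OF) -> dict[str, Any]:
    """Safe Harbor: start from the limited data set, then also drop geography
    below the state (except ZIP3), reduce dates to the year, and collapse any
    age over 89 to "90+" (removing the birth date, which would reveal it)."""
    out = to_limited_data_set(record)
    out.pop("city", None)
    if "zip" in out:
        out["zip3"] = safe_harbor_zip(out.pop("zip"))
    # Age from the birth date if present, else from an explicit integer field.
    age = _age_on(out["dob"], as_of) if "dob" in out else out.get("age")
    for field in DATE_FIELDS:
        if field in out:
            out[field] = out[field].year  # all date elements except year removed
    if age is not None:
        if age > 89:
            out.pop("dob", None)
            out["age"] = "90+"
        else:
            out["age"] = age
    return out


def find_leaks(record: dict[str, Any]) -> list[tuple[str, str]]:
    """Catch-all check: report (field, kind) for identifier-shaped strings
    that survive in free-text fields after structured fields were stripped."""
    hits = []
    for field, value in record.items():
        if isinstance(value, str):
            for kind, pattern in LEAK_PATTERNS.items():
                if pattern.search(value):
                    hits.append((field, kind))
    return hits


if __name__ == "__main__":
    cleaned = safe_harbor_deidentify(SAMPLE)
    print(cleaned)
    print("leaks:", find_leaks(cleaned))
```

Running the script shows the point of the catch-all check: every structured identifier is gone from the Safe Harbor output, yet the notes field still carries an e-mail address, so the record is not de-identified until free text is reviewed as well.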

Research Authorization

Although similar to informed consent, authorization focuses on addressing privacy risks and outlining the specifics of how, why, and to whom PHI will be used or disclosed for research purposes. An authorization is not required to have an expiration date; whether one is needed should be determined in accordance with state and local regulations. Nevertheless, it is essential to recognize that a research participant retains the right to withdraw their authorization in writing at any point. The research team must provide the participant or their authorized representative with a signed copy of the authorization, and the research team must also retain a signed copy of the authorization for a period of six years.

Translated Authorization Forms

Authorization to use or disclose PHI for research must be obtained in a language understandable to the participant. Investigators must complete all sections and are responsible for the accuracy of the forms. The translated authorization forms were provided courtesy of Ohio State's Comprehensive Cancer Center.

Waiver or Partial Waiver of Research Authorization

The requirement to obtain authorization may be waived if all the following criteria are met:

  • use or disclosure of PHI involves no more than minimal risk to the privacy of individuals, based on:
    • an adequate plan to protect the identifiers from improper use and disclosure
    • an adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research (unless a health or research justification for retaining the identifiers exists or retention is required by law)
    • adequate written assurances that the PHI will not be reused or disclosed to any other person or entity (except as required by law for authorized oversight of the research) or for other research for which use/disclosure of PHI would be permitted
  • waiver will not adversely affect the privacy rights and the welfare of the individuals
  • the research could not practicably be conducted without the waiver
  • the research could not practicably be conducted without access to and use of the PHI

Authorization may be waived for all, or only some uses of PHI for a particular study. At Ohio State, a partial waiver permits the use of PHI for recruitment purposes only, to allow identification and, as appropriate, contact of potential participants to determine their interest in study participation.

The Privacy Board reviews requests for waivers or alterations of authorization in exempt research. The Institutional Review Boards serve as the Privacy Board for non-exempt research.

Alteration of Research Authorization

The requirement to obtain authorization for use of PHI may also be altered for a specific study. An alteration allows a change in certain authorization requirements, while still requiring authorization for the use of PHI. Examples include making an exception to the required language in an authorization or to the requirement to obtain a signed authorization. To be granted, an alteration must meet the same criteria as a waiver or partial waiver.

Activities that are Preparatory to Research

The Privacy Rule also permits certain activities involving use or disclosure of PHI without authorization. The “preparatory to research” provision permits researchers to use PHI for limited purposes, such as a feasibility assessment (e.g., whether a sufficient population exists to conduct research). However, the Privacy Rule does not permit the researcher to remove PHI. To comply with both the Privacy Rule and human subjects protection regulations, Ohio State researchers are permitted to review PHI, but identifiers may not be recorded, and researchers may not use the preparatory to research provision to identify or recruit specific individuals for a study.

To conduct a review preparatory to research, a researcher must provide all of the following representations:

  • the use or disclosure is requested solely to review PHI as necessary to develop a research protocol or for similar purposes preparatory to research
  • PHI will not be removed in the course of review
  • the PHI for which use or access is requested is necessary for the research

PHI Involving Decedents

The Privacy Rule provides protection to living and deceased individuals. To use decedents’ PHI for research purposes, a researcher must provide all of the following:

  • representation that the use or disclosure is solely for research involving the PHI of decedents (i.e., not also the living relatives of decedents)
  • representation that the PHI is necessary for the research
  • documentation (at the request of the covered entity holding the PHI) of the death of the individuals whose PHI is sought

Note: If the participant population contains both living and deceased individuals, the requirements for authorization (or waiver or alteration) apply.