HIPAA in Research
The Health Insurance Portability and Accountability Act established a Security and Privacy Rule for the protection of protected health information (PHI). These rules:
- Establish appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic PHI;
- Protect privacy of patient records while patient is living and for 50 years following the date of death;
- Provide patients with access to their records and more control over how their PHI is used and disclosed; and
- Regulate the collection and use of PHI for research purposes.
Using PHI in Research
Protocols that involve accessing, collecting, or disclosing protected health information are required to include data confidentiality plans that align with institutional policies and guidance.
The IRB & Penn Medicine Requirements regarding PHI Security and Storage provides guidance on the key elements of a confidentiality plan, guidelines for physical security (paper files/ biospecimens), and guidelines for electronic file and data security, storage, and transmission.
The IRB & Penn Medicine Requirements regarding PHI Security and Storage also provides guidance on key features of IRB‐approved mechanisms for data storage/transmission when research involves the use of protected health information (PHI).
Use of Email During the Conduct of Research
The IRB & Penn Medicine Requirements regarding PHI Security and Storage also provides guidance on avoiding and minimizing PHI in email as well as communicating with research subjects via email and best practices for communications among the research team in a research study.
Use of Text Messaging During the Conduct of Research
The Office of Clinical Research (OCR) and Penn IRB have developed the below guidance to provide best practices, considerations and parameters around when texting may, or may not, be appropriate in the conduct of research.
Research that Requires Access to Penn Medicine Systems
Penn Medicine has great resources for researchers who need to access Penn Medical records either in preparation for research or for retrospective data analysis. The Data Analytics Center will work with you one on one to ensure you can obtain the data you need and stay compliant. Working with the Data Analytics Center during protocol development is likely to shorten the amount of time it takes for the IRB to approve your project.
Levels of Identifiability
The figure below outlines the various levels of identifiability for participant data and biospecimens.
- The data/sample was collected without knowing the identity of the subject.
- There is no chance of re-dentification because no identifiers were collected
- The data/sample was collected knowing the identity of the subject, but identifiers were removed.
- There is no chance of re-identification because:
- All identifiers were removed; OR
- There is no link between identifiers and data/sample
- The data/sample include indirect identifiers only
- Re-identification is improbable
- Assigned a unique random ID code that is linked to identifiers. Link must be stored separately to be coded.
- Re-identification is possible
- 1+ identifiers (e.g. name, medical record number, etc) are stored with the health information