HIPAA and Protected Health Information (Section 3)
IMPORTANT! Any IRB regulated project involving access to HIPAA-regulated information must be reviewed by the KSU HIPAA Privacy Officer and HIPAA Security Officer and receive IRB approval prior to starting. Typically, use of Protected Health Information (PHI) must be reviewed and approved by a covered entity’s Privacy Board/IRB prior to submission to KSU IRB.
Projects involving the use of HIPAA protected information are reviewed on the Third Thursday of each month. The study PI is expected to attend the meeting.
3.1 Common Comments
- CITI IPS training is not complete.
- The HIPAA appendix describes a different process for handling data than the IRB application.
- Not all data points are disclosed (see HIPAA appendix, section 2, questions 8 and 9).
- Information is incorrectly described as deidentified (see HIPAA appendix, section 2, question 10).
- The incorrect type of authorization is selected (see HIPAA appendix, section 4).
3.2 What is Protected Health Information (PHI)?
- PHI is individually identifiable health information held or transmitted by a covered entity or its business associates, in any form or media, whether electronic, paper or oral. More information can be found on the website.
3.3 What is the Health Insurance Portability and Accountability Act (HIPAA)?
- HIPAA establishes national standards to protect an individual's medical records and other personal health information. It applies to health plans, healthcare clearinghouses and those healthcare providers that conduct certain healthcare transactions electronically. The Rule requires appropriate safeguards to protect the privacy of PHI and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records and to request corrections.
- HIPAA has three components, all of which are enforced by the federal Office for Civil Rights:
- HIPAA Privacy Rule: protects the privacy of individually identifiable health information.
- HIPAA Breach Notification Rule: requires covered entities and business associates to provide notification following a breach of unsecured PHI.
- HIPAA Security Rule: sets standards for the security of electronic PHI.
3.4 How do I know if I am affected by the HIPAA Privacy Rule?
- The HIPAA Privacy Rule affects research and researchers when:
- Research requires access to and/or use of PHI that is created or maintained by covered entities, or
- A covered entity or component of KSU performs research that creates or generates PHI.
- Review DHHS resources at
- /compliance/hipaa
3.5 What should I do if my research involves access to PHI?
- All research involving HIPAA regulated information is reviewed by the University Privacy and Security Officers in addition to the IRB. IRB approval is withheld until approved by the Officers.
- Review typically occurs on the third Thursday of each month.
- You should review the relevant KSU policies on PHI/HIPAA protected information.
- Work with the privacy and security officers in advance of submitting your IRB application.
- University Policy
3.6 What is a limited data set?
3.7 What forms are required by the IRB?
- Your IRB application must clearly describe use of PHI and you must append a copy of Appendix N.
- Research projects involving use of/access to PHI are reviewed on the third Thursday of each month.
- You must obtain HIPAA authorization unless authorization has been waived; see Appendix N.
- Additional information:
- HIPAA Authorization Template — A sample HIPAA Compliance Authorization document; to be used as a template for the investigator, when needed to document HIPAA Compliance Authorization in a study.
- Requirements for a HIPAA Compliance Authorization Form — A document explaining when a HIPAA Compliance Authorization Form may be required.
- Data Use Agreement for Limited Data Set — This is to be used if you plan to send or receive protected health information. Contact Kat Lindsey for more information.
- Any PHI must be securely accessed, transmitted, and stored. Contact Jim Raber for more information. Additionally, information is to be deidentified at the earliest time allowed by the research and you must follow the terms and conditions of any agreement.
3.8 Is there a specific method of data sharing I must follow?
- Data must be handled securely and you need to make sure your plans are acceptable to the data owner/originator. There is no prescribed handling plan, but helpful information on safe harbor is listed below.
- You must de-identify Protected Health Information (PHI) for the research project in accordance with Section 164.514(a) of the HIPAA Privacy Rule that provides the standard for de-identification of PHI. Under this standard, health information is not individually identifiable if it does not identify an individual and if the covered entity has no reasonable basis to believe it can be used to identify an individual.
The following technical control plan identifies the steps, according to the "Safe Harbor" standard identified in the HIPAA Security Rule, for the Safe Harbor de-identification of PHI.
- All PHI will be stored and manipulated within the hosting organization's environment, i.e., identifiable PHI will not be transferred to KSU at any time without all external and internal approvals.
- The data will be de-identified within the hosting environment as follows:
a. All 18 HIPAA identifiers are to be excluded, redacted or deleted from the data set (spreadsheet or Word document). See 18 Identifiers: HIPAA Security Rule - Safe Harbor.
b. Once de-identified, the data set is to be copied to a fresh, new workbook or document (do not carry any identifiers over in this copy and paste).
c. The new workbook/document is to be saved; this can then be shared outside of the hosting environment for analysis or reporting.
- Reporting to KSU:
a. The de-identified data is to be encrypted and transferred through a secure resource (typically the data owner's resource).
b. This file will be password encrypted if moved to KSU’s environment.
c. The password for the file will be provided, verbally, to KSU researchers.
d. KSU is to maintain this file as a password encrypted document.
e. At no time will data be transmitted using any sort of portable device or drive, such as a USB memory stick or external hard drive, without full disk encryption enabled (BitLocker).
f. The Microsoft M365 environment (Teams, SharePoint, OneDrive) is the only approved online collaboration space for data of this nature. Please take care to use appropriate permissions to ensure that only those who need access have access. For more information on using Teams or OneDrive to share data with KSU, please consult the KSU data standards.
- We agree that, should there be a need to share PHI with KSU, or if there is an impermissible release of PHI, no further work will be performed until this Technical and Data Control Plan is updated and approved by KSU’s IRB. NOTE: Unauthorized release of PHI should follow the HIPAA impermissible-release guidance provided by the hosting organization, with immediate notification to the KSU HIPAA Security and Privacy Officers.
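As an added example (not from this page, the KSU IRB, or its HIPAA officers), the following Python script applies the Safe Harbor steps above to a constructed tabular data set: direct-identifier columns are dropped, dates are reduced to year, ages over 89 are collapsed to "90+", ZIP codes are truncated to three digits (and zeroed for the sparsely populated prefixes listed in HHS guidance), and free-text fields are scanned for residual identifier patterns before the fresh copy is written out. The column names, sample rows and the AS_OF date are assumptions made for the example; the column classification must be checked against the real data dictionary and the HHS list of 18 identifiers.

```python
"""Safe Harbor de-identification pass over a constructed tabular data set.
Added example, not KSU's own tooling: column names, sample rows and AS_OF
are assumptions; the classification below must be checked against the real
data dictionary and the HHS 18-identifier list."""
import re
from datetime import date

# Columns holding Safe Harbor direct identifiers: dropped outright (hypothetical names).
DIRECT_IDENTIFIER_COLUMNS = {
    "name", "street_address", "city", "county", "phone", "fax", "email", "ssn",
    "mrn", "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric_id", "photo_ref",
}
# Date columns directly related to the individual: reduced to year only.
DATE_COLUMNS = {"dob", "admit_date", "discharge_date"}
# Three-digit ZIP prefixes covering 20,000 or fewer people per HHS guidance
# (based on 2000 Census data); Safe Harbor requires these to become 000.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790", "821",
                   "823", "830", "831", "878", "879", "884", "890", "893"}
# Identifier shapes that commonly leak into free-text columns.
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
}
AS_OF = date(2024, 1, 15)  # assumed "today" so derived ages are reproducible

# Constructed sample rows; no real patient data.
SAMPLE_ROWS = [
    {"name": "Constructed Patient A", "mrn": "MRN-000001", "dob": date(1975, 6, 15),
     "admit_date": date(2023, 3, 2), "zip": "30144",
     "notes": "Follow-up call to 555-123-4567 scheduled 03/09/2023."},
    {"name": "Constructed Patient B", "mrn": "MRN-000002", "dob": date(1930, 1, 1),
     "admit_date": date(2023, 5, 20), "zip": "03601", "notes": "No complaints."},
]


def generalize_zip(zip_code):
    """Keep the first three digits unless the prefix is on the restricted list."""
    digits = re.sub(r"\D", "", str(zip_code))
    zip3 = digits[:3]
    return "000" if len(zip3) < 3 or zip3 in RESTRICTED_ZIP3 else zip3


def age_on(dob, today):
    """Whole years between dob and today."""
    years = today.year - dob.year
    if (today.month, today.day) < (dob.month, dob.day):
        years -= 1
    return years


def redact_free_text(text):
    """Replace identifier-shaped substrings in free text with a labelled marker."""
    for name, pattern in RESIDUAL_PATTERNS.items():
        text = pattern.sub(f"[{name.upper()} REDACTED]", text)
    return text


def deidentify_row(row, today=AS_OF):
    """Return a new dict containing only Safe Harbor-permitted fields."""
    age = age_on(row["dob"], today) if "dob" in row else None
    over_89 = age is not None and age > 89
    out = {}
    for col, value in row.items():
        if col in DIRECT_IDENTIFIER_COLUMNS or col == "age":
            continue  # age is re-derived below so a stale input column cannot leak
        if col in DATE_COLUMNS:
            # Over 89, even the year is indicative of age, so drop it entirely.
            out[col.replace("_date", "") + "_year"] = None if over_89 else value.year
        elif col == "zip":
            out["zip3"] = generalize_zip(value)
        elif isinstance(value, str):
            out[col] = redact_free_text(value)
        else:
            out[col] = value
    if age is not None:
        out["age"] = "90+" if over_89 else age
    return out


def deidentify_rows(rows, today=AS_OF):
    """Build the fresh copy (step b above) from the source rows."""
    return [deidentify_row(row, today) for row in rows]


def audit(rows):
    """Final gate before sharing: (row index, column, pattern) for each residual hit."""
    findings = []
    for i, row in enumerate(rows):
        for col, value in row.items():
            if not isinstance(value, str):
                continue
            for name, pattern in RESIDUAL_PATTERNS.items():
                if pattern.search(value):
                    findings.append((i, col, name))
    return findings


if __name__ == "__main__":
    clean = deidentify_rows(SAMPLE_ROWS)
    for row in clean:
        print(row)
    print("residual identifiers:", audit(clean))
```

The `audit` pass is the check worth keeping even if the rest is adapted: run it on the new workbook before it leaves the hosting environment, and treat any finding as a reason not to share. Safe Harbor also requires that the covered entity has no actual knowledge the remaining data could identify someone, which no pattern scan can establish; that judgement stays with the data owner.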
3.9 What are activities preparatory to research?