A Road Map to Research at Jefferson:
HIPAA Privacy and Security Rules
for Researchers
Presented By: Privacy Officer/Office of Legal Counsel
October 2015
Introduction
The HIPAA Privacy Rule establishes the conditions under
which Covered Entities can provide researchers access to
and use of protected health information for research
purposes.
The HIPAA Privacy Rule does not replace or act in lieu of
other federal regulations such as HHS Protection of
Human Subjects and the FDA Protection of Human
Subjects
Research is defined under the HIPAA Privacy Rule as:
“a systematic investigation, including research
development, testing and evaluation, designed to develop
or contribute to generalized knowledge”
HIPAA Privacy Rule
• Covered Entity is a health plan, a health care provider or a
health care clearinghouse who electronically transmit any
health information in connection with transactions for which
HHS has adopted standards
• Protected Health Information (PHI):
 Relates to past, present, or future physical or mental condition
of an individual; provisions of healthcare to an individual; or for
payment of care provided to an individual.
 Is transmitted or maintained in any form (electronic, paper, or
oral representation).
 Identifies, or can be used to identify the individual.
How Can Covered Entities Use and Disclose PHI for
Research and Comply with the HIPAA Privacy Rule?
1. De-identified health information, as described in the
Privacy Rule, is not PHI, and thus not protected by the
Privacy Rule
2. PHI may be used and disclosed for research WITH an
individual’s written permission
3. PHI may be used and disclosed for research WITHOUT an
Authorization in limited circumstances: (a) under a
waiver of the Authorization requirement; (b) for
research on decedents’ information; (c) preparatory to
research; and (d) as a limited data set with a data use
agreement
Request for Information from a Covered Entity
Scenario #1: A sponsor has asked you for information to determine if
Jefferson has a sufficient number of patients with a specific
diagnosis to conduct a study at Jefferson. How do you proceed?
Why is the information needed?
What type of information is needed to make this determination?
Is PHI needed?
Is de-identified information needed?
Is an approved IRB study needed to request de-identified
information?
To whom and how is the request made?
Request for Information from a Covered Entity
Scenario #2: The PI is considering conducting a study. The PI would
like to review potential subjects’ PHI before submitting a protocol to
the IRB. How do you proceed?
Why is the information needed?
What type of information is needed?
Is PHI needed?
Is IRB approval needed before the review may be conducted?
To whom and how is the request for PHI made?
Hint: See, OHR-29 Review Preparatory to Research Request Form
Request for Information from a Covered Entity
Scenario #3: The PI is conducting a clinical trial. Patient data needs
to be obtained from the patients’ EMRs. How do you proceed?
Why is the information needed?
What type of information is needed?
Is IRB approval needed before study coordinators are permitted to
access patients’ EMRs?
Is a signed Research Informed Consent Form needed?
Are copies of relevant sections of the patients EMRs permitted to
be made?
Hint: See, Jefferson Policy No. 110.19 “Access to JUP Electronic
Records by Research Coordinators for Research Purposes”
Minimum Necessary Restriction
• With some exceptions, the HIPAA Privacy Rule
minimum necessary requirements apply
• Researchers should only secure the minimum
information necessary to achieve the research
purpose
How do we protect PHI when conducting
Research?
• Maintain the privacy and security of research documents.
• When you talk about patients/subjects as part of your
research, try to prevent others from overhearing the
conversation. Hold conversations in private areas; do not
discuss patients in public areas.
• Do not leave PHI unattended
• Remove patient/subject documents from faxes/copiers as
soon as you can.
• When you throw away documents containing PHI, properly
dispose of documents, e.g. shredding.
• Never remove the patient's official medical record from a
Covered Entity.
• Do not leave PHI where your family members or other
unauthorized individuals may see it.
How do we protect e-PHI when conducting
Research?
• Never use anyone else’s log-on, or a computer someone
else is logged-on to. Do not share passwords.
• Never download PHI on personal laptops and PDAs.
• Never leave PHI unattended.
• Never “Blog” disclosing PHI.
• Do use automatic locks on laptop computers and PDAs.
• Do log off after each time you use a computer.
• Do purge PHI from devices as soon as possible.
• Do use secure networks for e-mails with PHI and add a
confidentiality disclaimer to the footer of such e-mails.
• Do provide for confidential sending and receipt of faxes
that contain PHI and other confidential information.
Mandatory Breach Notification
• The HITECH Act applies to breaches of “unsecured protected
health information”
• Information must be encrypted or destroyed in order to be
considered “secured”
• If you suspect a breach has occurred, promptly notify your
immediate supervisor.
• If a breach has occurred, reporting requirements must be
satisfied.
• See, Jefferson Policy No. 122.37, “Mandatory Reporting,
Investigation and Notification of Breaches of Health or Personal
Information”.
HITECH-What Constitutes a Breach?
A “breach” is an impermissible acquisition, access, use
or disclosure not permitted by the HIPAA Privacy or
Security Rules.
Examples include:
• Laptop containing PHI is stolen
• Researcher who is not authorized to access PHI
looks through patient files in order to learn of a
person’s treatment
• Researcher misplaces research documents with
study subject PHI
• Researcher sends study subject information
including PHI to the wrong sponsor
• Researcher sends sponsor more PHI than stated in
Informed Consent Form
• Research office theft results in stolen PHI
Penalties for Violations
• A violation of federal regulations can result in
civil money penalties or criminal penalties.
• Penalties can be imposed for underlying HIPAA
Privacy Rule violation even if the breach is
properly handled.
Conclusion
If you have questions, please feel free to contact
Doreen Kornrumpf, Privacy Officer/Legal Counsel.