Protected Health Information (PHI) and HIPAA Compliance (Section 3)

IMPORTANT! Any project involving access to HIPAA-regulated information must be reviewed by the HIPAA privacy officer and HIPAA security officer prior to starting. Protected Health Information (PHI) must be reviewed and approved in advance of submission to KSU by the covered entity’s Privacy Board.

3.1 What is Protected Health Information?

  • PHI is individually identifiable health information held or transmitted by a covered entity or its business associates, in any form or media, whether electronic, paper or oral. More information can be found on the Health and Human Services website.

3.2 What is the Health Insurance Portability and Accountability Act (HIPAA)?

  • National standards that protect an individual's medical records and other personal health information; they apply to health plans, healthcare clearinghouses and those healthcare providers that conduct certain healthcare transactions electronically. The Rule requires appropriate safeguards to protect the privacy of PHI and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including the right to examine and obtain a copy of their health records and to request corrections.
  • HIPAA has three components, all of which are enforced by the federal Office for Civil Rights:
    • HIPAA Privacy Rule: protects the privacy of individually identifiable health information.
    • HIPAA Breach Notification Rule: requires covered entities and business associates to provide notification following a breach of unsecured PHI.
    • HIPAA Security Rule: sets standards for the security of electronic PHI.

3.3 How do I know if I am affected by the HIPAA privacy rule?

3.4 What should I do if my research involves access to PHI?

  • All research involving HIPAA-regulated information is reviewed by the University Privacy and Security Officers in addition to the IRB. IRB approval is withheld until the Officers have approved the project.
  • Review typically occurs on the third Thursday of each month.
  • You should review the relevant KSU policies on PHI/HIPAA protected information. 
  • Work with the privacy and security officers in advance of submitting your IRB application. 
  • IRB Policy
  • University Policy 
  • NIH Resource

3.5 What is a limited data set?

3.6 What forms are required by the IRB?

  • Your IRB application must clearly describe the use of PHI, and you must append a copy of Appendix N.
    • Research projects involving use of/access to PHI are reviewed on the third Thursday of each month.
  • You must obtain HIPAA authorization unless authorization can be waived; see Appendix N.
  • Additional information:
    • HIPAA Authorization Template — A sample HIPAA Compliance Authorization document; to be used as a template for the investigator, when needed to document HIPAA Compliance Authorization in a study.
    • Requirements for a HIPAA Compliance Authorization Form — A document explaining when a HIPAA Compliance Authorization Form may be required.
    • Data Use Agreement for Limited Data Set — This is to be used if you plan to send or receive protected health information. Contact Connie Hawke for more information.
    • Any PHI must be securely accessed and transmitted. Contact Bob Eckman for more information.

3.7 Is there a specific method of data sharing I must follow?

  • Data must be handled securely and you need to make sure your plans are acceptable to the data owner. There is no prescribed handling plan, but helpful information on safe harbor is listed below.
  • We agree to de-identify Protected Health Information (PHI) for this research project in accordance with Section 164.514(a) of the HIPAA Privacy Rule, which provides the standard for de-identification of protected health information. Under this standard, health information is not individually identifiable if it does not identify an individual and if the covered entity has no reasonable basis to believe it can be used to identify an individual.
    The following technical control plan identifies the steps that we will take according to the “Safe Harbor” standards identified in the HIPAA Security Rule for the Safe Harbor de-identification of PHI.
    1. All PHI will be stored and manipulated within the hosting organization’s environment, i.e. identifiable PHI will not be transferred to Kent State University at any time.
    2. The data will be de-identified within the hosting environment as follows:
       a. All 18 HIPAA identifiers are to be excluded, redacted or deleted from the data set (spreadsheet or Word document). See 18 Identifiers: HIPAA Security Rule - Safe Harbor.
       b. Once de-identified, the data set is to be copied to a fresh, new workbook or document (do not include any identifiers in this copy and paste).
       c. The new workbook/document is to be saved; it can then be shared outside of the hosting environment for analysis or reporting.
    3. Reporting to KSU:
       a. The de-identified data is to be encrypted and emailed via Outlook.
       b. This file will be password encrypted in O365, then sent via encrypted email to Kent State.
       c. The password for the file will be provided verbally to Kent State researchers.
       d. Kent State is to maintain this file as a password-encrypted document.
       e. At no time will data be transmitted using any sort of portable device or drive, such as a USB memory stick or external hard drive, without full disk encryption (BitLocker) enabled.
       f. For more information on using Teams or OneDrive to share data with KSU, please consult the KSU Security Officer.
    We agree that should there be a need to share PHI with Kent State, or if there is an impermissible release of PHI, no further work will be performed until this Technical and Data Control Plan is updated and approved by KSU’s IRB. NOTE: Unauthorized release of PHI should follow the HIPAA impermissible release guidance provided by the hosting organization, with immediate notification to the KSU HIPAA Security and Privacy Officers.
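As an added illustration of steps 2a and 2b (example code, not part of the KSU plan or any KSU tool), the following Python de-identifier applies the Safe Harbor rules the plan refers to: direct identifiers are dropped, ZIP codes are cut to three digits with low-population prefixes suppressed, dates are reduced to the year, ages over 89 are aggregated, and a final check scans free-text columns for identifiers that survived the copy. Column names, the restricted ZIP prefix set, the reference date and the sample rows are constructed assumptions for this example.

```python
import re
from datetime import date

# Column names below are assumptions for this example; map your schema onto them.
DIRECT_IDENTIFIERS = {"name", "street", "city", "phone", "fax", "email", "ssn",
                      "mrn", "account_no", "ip", "url", "device_serial", "plate"}
# ZIP3 prefixes covering <= 20,000 people become "000" (placeholder set; use Census data).
RESTRICTED_ZIP3 = {"036", "059", "063"}
# Patterns for checking free-text columns for identifiers that slipped through.
LEAK_PATTERNS = {"ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
                 "phone": re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),
                 "email": re.compile(r"[\w.+-]+@[\w-]+\.\w+")}

def age_on(dob, ref):
    return ref.year - dob.year - ((ref.month, ref.day) < (dob.month, dob.day))

def deidentify(record, ref):
    """Safe Harbor copy of one row; ref is the date ages are measured on."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue  # direct identifiers are dropped outright
        if key == "zip":
            zip3 = value[:3]
            out["zip3"] = "000" if zip3 in RESTRICTED_ZIP3 else zip3
        elif key == "dob":
            age = age_on(value, ref)
            # Ages over 89, and any date element revealing them, collapse to 90+.
            out["age"] = "90+" if age > 89 else str(age)
            if age <= 89:
                out["birth_year"] = value.year
        elif isinstance(value, date):
            out[key + "_year"] = value.year  # other dates keep only the year
        else:
            out[key] = value
    return out

def residual_identifiers(record):
    """Leak pattern names found in any remaining text field; empty means clean."""
    found = set()
    for value in record.values():
        if isinstance(value, str):
            found.update(n for n, p in LEAK_PATTERNS.items() if p.search(value))
    return found

REFERENCE_DATE = date(2024, 1, 1)  # constructed "as of" date for computing ages
SAMPLE = [  # constructed rows, not real patients
    {"name": "A. Example", "ssn": "123-45-6789", "zip": "44242", "dob": date(1950, 6, 1),
     "admit": date(2023, 3, 14), "diagnosis": "I10", "notes": "follow-up in 6 weeks"},
    {"name": "B. Example", "zip": "03601", "dob": date(1930, 1, 2), "admit": date(2023, 5, 9),
     "diagnosis": "E11", "notes": "call 330-555-0100 first"}]
```

A non-empty result from residual_identifiers means the row is not ready to leave the hosting environment; notes columns are the usual place identifiers survive a copy.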

3.8 What are activities preparatory to research?