IRB & Compliance
HIPAA Minimum Necessary Policy
Penn Medicine must make reasonable efforts to ensure that it uses, discloses, or requests only the minimum necessary information. To ensure that only the minimum necessary PHI is used or disclosed, Penn Medicine has defined appropriate access protocols for common employee roles to ensure that the appropriate level of information is used or disclosed for quality improvement and research requests. Each data request undergoes a full review to ensure that each requestor receives only the information they need and have permission to access.
This policy pertains to all data requests: quality improvement, operational, financial, research, etc.
What is considered Sensitive Data?
Sensitive Data includes anything that could be used to identify a patient or that is considered especially personal. Access to these data elements requires EXPLICIT IRB approval.
|Address Information||Certificate/License Numbers|
|Telephone Numbers||Social Security Numbers|
|Device Identifiers and Serial Numbers||Medical Record Numbers|
|Health Plan Beneficiary Numbers||Full-face photographic or comparable images.|
|Unique Characteristics or Codes||Internal System Identifiers i.e. Specimen #|
|Dates, except year|
|Pediatric Patients||Mental Health Diagnoses|
|HIV Status||Substance Abuse Codes|
|Psychiatric Notes||Data from Penn Behavioral Health|
|Data from Substance Abuse Clinics at Penn|
Who can access Penn PHI?
Access to Penn PHI may be granted to Penn Medicine employees only. This “Covered Entity” is made up of UPHS and PSOM. All other UPenn entities, including the School of Nursing, Wharton, School of Engineering, etc., are considered 3rd parties. Any requestor from a 3rd party may access de-identified patient populations and may still be required to sign a Data Use Agreement (DUA). For more information regarding data sharing outside of the Covered Entity, please contact the IRB Office at 215.573.2540.
Types of Data Requests
— The use of PHI for recruitment into IRB approved studies.
— Requires an approved IRB protocol.
— The following data elements are permitted for Recruitment:
|Name||Primary Care Physician or Specialty Provider|
— The use of PHI, often including identifiers, under an approved IRB protocol
— Requested data elements must be described within your IRB
— QI requests focus on performance enhancement within the enterprise.
— They must have a clear and concise business case and management approval.
What to know before submitting a request
— All requests are screened before completion. Include your IRB protocol with Research Study requests to expedite this process.
— Patient lists should NEVER be included with initial requests. A team member will contact you to arrange secure transmission of this data.
— You must be listed under the “Approved Personnel” section of the applicable IRB to receive datasets including PHI.
How data will be released
— Preparatory Research – Counts will be delivered over e-mail
— UPHS Secure Share
— Password-protected Excel files
— Super users may gain access to views to query using SQL.
If you publish your work, we ask that you please acknowledge the Data Analytics Center within your materials. Below is a suggested note:
“We would like to thank the Data Analytics Center for their assistance in assembling the information used in this study.”
Also, if you feel that the work performed by a report developer warrants listing them as a minor author on your materials, please let us know that you intend to do this and we will provide his/her professional name and credentials.
Still have questions?