IRB & Compliance
HIPAA Minimum Necessary Policy
Penn Medicine must make reasonable efforts to ensure that it uses, discloses, or requests only the minimum necessary information. To ensure that only the minimum necessary PHI is used or disclosed, Penn Medicine has defined appropriate access protocols for common employee roles to ensure that the appropriate level of information is used or disclosed for quality improvement and research requests. Each data request undergoes a full review to ensure that each requestor receives only the information they need and have permission to access.
This policy pertains to all data requests: quality improvement, operational, financial, research, etc.
What is considered Sensitive Data?
Sensitive Data includes anything that could be used to identify a patient or is considered especially personal. Access to these data elements requires EXPLICIT IRB approval.
Direct Identifiers
Names | Account Numbers |
Address Information | Certificate/License Numbers |
Telephone Numbers | Social Security Numbers |
Fax Numbers | |
Device Identifiers and Serial Numbers | Medical Record Numbers |
Health Plan Beneficiary Numbers | Full-face photographic or comparable images. |
Indirect Identifiers
Unique Characteristics or Codes | Internal System Identifiers i.e. Specimen # |
Dates, except year |
Restricted Data
Pediatric Patients | Mental Health Diagnoses |
HIV Status | Substance Abuse Codes |
Psychiatric Notes | Data from Penn Behavioral Health |
Data from Substance Abuse Clinics at Penn |
Who can access Penn PHI?
Penn PHI may be granted to Penn Medicine employees only. This “Covered Entity” is made up of UPHS and PSOM. All other UPenn entities, including the School of Nursing, Wharton, School of Engineering, etc., are considered 3rd parties. Any requestor from a 3rd party may access de-identified patient populations and may still be required to sign a Data Use Agreement (DUA). For more information regarding data sharing outside of the Covered Entity, please contact the IRB Office at 215.573.2540.
Types of Data Requests
Preparatory Research
— Focus is on study feasibility
— You may obtain aggregate counts or use data exploration tools, such as Cohort Explorer or PennSeek Preparatory, to review the de-identified dataset.
Recruitment
— The use of PHI for recruitment into IRB-approved studies.
— Requires an approved IRB protocol.
— The following data elements are permitted for Recruitment:
Name | Primary Care Physician or Specialty Provider |
Telephone Number | Address |
MRN | Email Address |
Research Study
— The use of PHI, often including identifiers, under an approved IRB protocol
— Requested data elements must be described within your IRB
Quality Improvement
— QI requests focus on performance enhancement within the enterprise.
— They must have a clear and concise business case and management approval.
What to know before submitting a request
— All requests are screened before completion. Include your IRB protocol with Research Study requests to expedite this process.
— Patient lists should NEVER be included with initial requests. A team member will contact you to arrange secure transmission of this data.
— You must be listed under the “Approved Personnel” section of the applicable IRB to receive datasets including PHI.
How data will be released
— Preparatory Research – Counts will be delivered over e-mail
— Research/QI
— UPHS Secure Share
— Password-protected Excel files
— Dashboards
— Super users may gain access to views to query using SQL.
Acknowledgements
If you publish your work, we ask that you please acknowledge the Data Analytics Center within your materials. Below is a suggested note:
“We would like to thank the Data Analytics Center for their assistance in assembling the information used in this study.”
Also, if you feel that the work performed by a report developer warrants being a minor author on your materials, please let us know if you intend to do this and we will provide his/her professional name and credentials.
Still have questions?
Please submit a request via the IS Service Portal to Data Analytics Services.