IRB & Compliance

HIPAA Minimum Necessary Policy

Penn Medicine must make reasonable efforts to ensure that it uses, discloses, or requests only the minimum necessary information. To ensure that only the minimum necessary PHI is used or disclosed, Penn Medicine has defined appropriate access protocols for common employee roles to ensure that the appropriate level of information is used or disclosed for quality improvement and research requests. Each data request undergoes a full review to ensure that each requestor receives only the information they need and have permission to access.

This policy pertains to all data requests: quality improvement, operational, financial, research, etc.

What is considered Sensitive Data?

Sensitive Data includes anything that could be used to identify a patient or are considered especially personal. Access to these data elements requires EXPLICIT IRB approval.

Direct Identifiers

Names Account Numbers
Address Information Certificate/License Numbers
Telephone Numbers Social Security Numbers
Fax Numbers E-mail
Device Identifiers and Serial Numbers Medical Record Numbers
Health Plan Beneficiary Numbers Full-face photographic or comparable images.

Indirect Identifiers

Unique Characteristics or Codes Internal System Identifiers i.e. Specimen #
Dates, except year  


Restricted Data

Pediatric Patients Mental Health Diagnoses
HIV Status Substance Abuse Codes
Psychiatric Notes Data from Penn Behavioral Health
Data from Substance Abuse Clinics at Penn  


Who can access Penn PHI?

Penn PHI may be granted to Penn Medicine employees only. This “Covered Entity” is made up of UPHS and PSOM. All other UPenn entities, including the School of Nursing, Wharton, School of engineering, etc. are considered 3rd parties. Any requestor from a 3rd party may access de-identified patient populations and may still be required to sign a Data Use Agreement (DUA).  For more information regarding data sharing outside of the Covered Entity, please contact the IRB Office at 215.573.2540.

Types of Data Requests

Preparatory Research

— Focus is on study feasibility
— You may obtain aggregate counts or use data exploration tools, such as Cohort Explorer or PennSeek Preparatory to review the de-identified dataset.


—  The use of PHI for recruitment into IRB approved studies.
—  Requires an approved IRB protocol.
—  The following data elements are permitted for Recruitment:

Name Primary Care Physician or Specialty Provider
Telephone Number Address
MRN Email Address


Research Study

—  The use of PHI, often including identifiers, under an approved IRB protocol
—  Requested data elements be described within your IRB

Quality Improvement

—  I requests focus on performance enhancement within the enterprise.
—  They must have a clear and concise business case and management approval.

What to know before submitting a request

—  All requests are screened before completion. Include your IRB protocol with Research Study requests to expedite this process.
—  Patient lists should NEVER be included with initial requests.  A team member will contact you to arrange secure transmission of this data.
—  You must be listed under the “Approved Personnel” section of the applicable IRB to receive datasets including PHI

How data will be released

—  Preparatory Research – Counts will be delivered over e-mail
—  Research/QI

—  UPHS Secure Share
—  Password Protected excel files
—  Dashboards
—  Super users may gain access to views to query using SQL.


If you publish you work, we ask that you please acknowledge the Data Analytics Center within your materials.  Below is a suggested note:

“We would like to thank the Data Analytics Center for their assistance in assembling the information used in this study.”

Also, If you feel that the work  performed by a report developer warrants being a minor author on your materials, please let us know if you intend to do this and we will provide his/hers professional name and credentials.

Still have questions?

Please feel free to reach out to Yuliya Borovskiy – or setup time during our Open Office Hours.