Data Access and Privacy

General Rules under HIPAA

Under HIPAA, identifiable data may be used in support of a research project either in a preparatory to research capacity or under an IRB-approved protocol, except for certain specially-regulated data that include behavioral health, HIV/AIDS, and substance use disorder treatment data. 

HIPAA’s preparatory to research provision permits covered entities to use or disclose PHI for purposes that are in preparation of research, such as to determine whether there is a viable cohort of patients at a site or to aid study recruitment. The preparatory to research provision allows such a researcher to identify prospective research participants for purposes of seeking their authorization to use or disclose their health information as part of a research study. A Penn researcher may not reach out to those patients to recruit or enroll them in a trial without IRB approval. Also, PHI used for these purposes may not be shared outside the covered entity.

The preparatory to research provision does not allow a researcher outside the covered entity to use or disclose Penn PHI to identify patients who may be study eligible. This requires a full HIPAA waiver of authorization and appropriate agreements in place.

Once IRB approval is in place for a research study, PHI may be accessed, used, and disclosed as follows: 

  1. Pursuant to a participant-signed HIPAA research authorization approved by the IRB [1]. This is typically part of the research informed consent but may be separate, and is commonly seen in prospective interventional/clinical trials.

  2. Under a waiver of HIPAA authorization approved by the HIPAA privacy board (the Penn IRB) applying specific criteria [2].

  3. Regarding a “limited data set” (from which direct identifiers are removed), with a HIPAA data use agreement (DUA) in place with the recipient.

Special Records – Behavioral Health, Substance Use, HIV/AIDS

Substance abuse and behavioral health data, as well as some other classes of data, have additional restrictions. Please reach out to OACP or OCR for more information.

Patient Opt Outs 

Patients at Penn Medicine must be offered the opportunity to opt out of specimen use for research purposes. Patients are offered this option in the clinical care consent through the General Consent form. As stated in that form, patients may decide that residual tissue taken, or discarded, during a clinical procedure cannot be used for research. This does not preclude research teams from reaching out to patients who have not opted out to seek specific consent to use residual specimens for research.

Furthermore, patients at Penn Medicine are offered the opportunity to opt out from research contact. This can be done via MyPennMedicine (MPM) or by speaking to a patient service representative.

Institutional Mission, Vision and Values

Research is a core mission for Penn Medicine, and therefore it is important to have tools and policies in place governing research that uses PHI. This includes preparatory to research activities, research with a consent/full HIPAA authorization, and research with a waiver of authorization.

Preparatory to Research: Feasibility and Cohort Identification 

Internally: Individuals in research roles may be provided access to systems for purposes of establishing feasibility and/or identifying a cohort.

To establish feasibility of a protocol, the preferred systems to use are PennChart SlicerDicer or another approved cohort identification tool such as Atlas or TriNetX. Access to these datasets provides summary-level data (counts) only and does not inherently provide access to record-level data (names, SSNs and other direct identifiers are removed) unless an IRB number is provided or, in the case of SlicerDicer, the data is retained fully within the tool.

Externally: The preparatory to research provision does not allow for any access to PHI outside the covered entity. Only counts of potentially eligible patients may be shared with external sponsors, external collaborators, and external staff or research sites.

If an outside collaborator, for example a CHOP employee, would like to recruit Penn patients, they must collaborate with a Penn Medicine faculty member who is accountable for appropriate access or with a central office, such as OCR, or work with the Data Analytics Center (DAC) to serve in an honest broker capacity. 

Research Recruitment and Research Under HIPAA Authorization: 

Internally: Once IRB approval has been obtained, patients may be contacted to participate in a research study and, if they agree, will be asked to sign a consent form and authorization. This will detail with whom and how data may be shared.

Individual patient-level research data that qualifies as “source” (the first place that a research datapoint is recorded) must be stored securely in PennChart, Penn’s Clinical Research Management System (PennCRMS), Penn+Box, or another HIPAA-compliant system, or on secured shared drives or on paper. For more details, refer to the Information Handling Standard.

PennChart, at a minimum, for all studies that involve hospital services will contain a record of the study, subjects enrolled on the study, research encounter information and, if applicable, information about the investigational medication being provided. 

Clinical trial data in aggregate or Case Report Form data must be stored in a HIPAA-compliant database such as PennCTMS, Veeva EDC, REDCap, or a third-party sponsor system.

Such data management systems should negate the need for any emailing of spreadsheets of data. 

Externally: When collaborating with external users on a clinical research trial, only the PHI outlined in the authorization should be shared. This can be shared via secure electronic data capture systems or via secure methods for external sharing such as Citrix or a secure FTP server. Secure file transfer is more efficient for a large, one-time share of data, while electronic data capture systems are more appropriate for ongoing study activities. Further, if using third parties, a HIPAA business associate agreement (BAA) may be required. Please consult the Privacy Office for guidance.

Special Note regarding Texting Potential Subjects and Subjects: If research recruitment or research under a HIPAA authorization involves texting potential subjects or subjects, specific texting consent may be required, as well as certain disclaimers and an operational opt-out system. Contact the Privacy Office for additional guidance.

Special Note regarding Blinded and Highly Sensitive Studies: With such studies, additional steps in PennChart should be taken to protect the sharing of results and certain other research data with patients and with internal and external providers. See Guidance for Blinded Studies and MyPennMedicine.

Research on Identifiable Data Sets under a Waiver of HIPAA Authorization: In addition to the safeguards and tools described above in the context of a HIPAA authorization, note the following distinct rules that apply in the context of a waiver of HIPAA authorization. First, the research must involve only the minimum PHI necessary. Second, under the new Common Rule provisions, the research must be supported by documented reasoning as to why the study cannot be conducted without the requisite PHI. Further, if using third parties, a HIPAA business associate agreement (BAA) may be required. Please consult the Privacy Office and the Data Analytics Center (DAC) for guidance.

Research Using a Limited Data Set: A limited data set includes only indirect identifiers. It can include any date information (for example date of birth, date of service, date of discharge) as well as limited address information excluding street address (for example town, county, state, zip code).

Internally: Limited data sets may be used for research with IRB approval by Penn researchers, provided the research application includes a commitment that the research team will abide by HIPAA DUA terms. Penn researchers not committing to such terms in the research application must agree to them via a separate agreement.

Externally: To share a limited data set externally, a signed DUA must be in place. This is a written agreement that establishes how a limited data set will be transferred from a covered entity to an intended recipient and how that data will be protected. A DUA can be put in place by the Office of Research Services.

In all these cases, the DAC is a resource to assist in data extraction. See the Data Analytics Center website.

Security is of the utmost importance in addressing privacy risks to research data. Key components are secure storage, secure transmission, and a plan for destruction where feasible. Regarding storage, all PHI must be maintained on secure devices, secure systems, and approved services; for example, as described above, PHI may be maintained in Penn’s CTMS, the Veeva electronic data capture system, REDCap, or Penn+Box. Regarding transmission of PHI, Citrix FileShare, Penn Secure Share, and secure FTP servers may be used. As for destruction of PHI, researchers should consider whether and when they can securely destroy PHI without compromising research integrity or obligations to the sponsor or others.

[1] A HIPAA authorization describes the PHI that will be collected during a research study, who will collect it, and with whom it will be shared within and outside the covered entity. It specifies the need for the PHI, how it will be stored and protected, and how the participant may revoke access to the PHI.

[2] A waiver or alteration of HIPAA authorization requires that: (1) the use or disclosure of PHI involves no more than a minimal risk to the privacy of individuals, based on, at least, the presence of the following elements: (a) an adequate plan to protect the identifiers from improper use and disclosure; (b) an adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law; and (c) adequate written assurances that the PHI will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research project, or for other research for which the use or disclosure of PHI would be permitted; (2) the research could not practicably be conducted without the waiver or alteration; and (3) the research could not practicably be conducted without access to and use of the PHI, and the minimum amount of identifiable PHI is being used.