Protected Health Information, HIPAA, Opt-Out
Data Access and Privacy
Legal Background and Basis
Institutional Mission, Vision and Values
Research is a core mission for Penn Medicine, and therefore it is important to have tools and policies governing research in place to support all areas of research utilizing PHI. This includes preparatory to research activities, research with a consent/full HIPAA authorization, and research with a waiver of authorization.
General Rules under HIPAA
Under HIPAA, identifiable data may be used in support of a research project either in a preparatory to research capacity or under an IRB-approved protocol, except for certain specially regulated data that include behavioral health, HIV/AIDS, and substance use disorder treatment data.
HIPAA’s preparatory to research provision permits covered entities to use or disclose PHI for purposes that are in preparation of research, such as to determine if there is a viable cohort of patients at a site or aid study recruitment. The preparatory to research provision allows such a researcher to identify prospective research participants for purposes of seeking their authorization to use or disclose their health information as part of a research study. The Penn researcher may not reach out to those patients to recruit or enroll them in a trial without IRB approval. Also, PHI used for these purposes may not be shared outside the covered entity.
The preparatory to research provision does not allow a researcher outside the covered entity to use or disclose Penn PHI to identify patients who may be study eligible. This requires a full HIPAA waiver of authorization and appropriate agreements in place.
The covered entity includes the Perelman School of Medicine (PSOM) and the University of Pennsylvania Health System (UPHS). It does not include all schools at the University of Pennsylvania or the Children’s Hospital of Philadelphia (CHOP). UPenn’s Dental School is its own legal covered entity.
Once IRB approval is in place for a research study, PHI may be accessed, used, and disclosed as follows:
- Pursuant to a participant-signed HIPAA research authorization approved by the IRB. This should be part of the research informed consent but may be separate. This is commonly seen in prospective interventional trials/clinical trials.
- Under a waiver of HIPAA authorization approved by the HIPAA privacy board (the Penn IRB) applying specific criteria.
- Using a “limited dataset” (where direct identifiers are removed), with a HIPAA data use agreement (DUA) in place with the recipient.
If you are conducting a study in which direct PHI identifiers will be shared outside of Penn under a waiver of authorization and waiver of consent, the following data needs to be tracked. We have requirements to track these disclosures as part of the broader record.
You must use this Patient PHI Disclosures Tracker to allow institutional tracking.
Special Records – Behavioral Health, Substance Use, HIV / AIDS
Identifiable health information from behavioral health visits and related to HIV/AIDS cannot be used or shared for research purposes unless there is specific patient consent. Researchers who are providers in those areas may review records of patients they are caring for, but they cannot conduct research using records without specific consent.
Substance abuse and behavioral health data, as well as some other classes of data, have additional restrictions. Please reach out to OCR for more info.
Patient Opt-Outs
Specimen research: Patients at Penn Medicine must be offered the opportunity to opt out of specimen use for research purposes. Patients are offered this option in the clinical care consent through the General Consent form. As stated in that form, patients may decide that residual tissue taken, or discarded, during a clinical procedure cannot be used for research. This does not preclude research teams from reaching out to patients who have not opted out to seek specific consent to use residual specimens for research.
Contacting and communication for research participation: For studies that involve any level of patient contact (recruitment messaging, text messaging, nudges, consent administration, questionnaires, etc.), “Research Do Not Contact” patients must be removed from any data set.
This includes studies which involve a waiver of consent and authorization for a subset of the study and have subsequent patient contact of any form. The approval for a waiver of consent and authorization by the IRB, alone, does not permit the use of Research Do Not Contact patients. If there is any contact intended, these patients need to be excluded.
Approved research that does not involve patient contact may include “Research Do Not Contact” patients in the data set. This would include secondary data analysis, longitudinal studies, biospecimen studies with no contact, etc. For some studies it may be appropriate to include Research Do Not Contact opt-outs in a primary dataset, and then they may need to be excluded from subsequent uses that involve contact in the research study.
Authorized Users, Uses, Disclosures and Risk Mitigation
Preparatory to Research: Feasibility and Cohort Identification
Penn users: Individuals in research roles may be provided access to systems for purposes of establishing feasibility and/or identifying a cohort.
To establish feasibility of a protocol, the preferred systems to utilize are PennChart SlicerDicer, or another approved cohort identification tool such as Atlas or TriNetX. Access to these datasets provides summary level data (counts) only and does not inherently provide access to record level data (names, SSNs and other direct identifiers are removed) unless an IRB number is provided or the data is retained fully in the tool, in the case of SlicerDicer.
Non-Penn users: The preparatory to research provision does not allow for any access to PHI outside the covered entity. Only counts of potentially eligible patients may be shared with external sponsors, external collaborators, and external staff or research sites.
If an outside collaborator, for example a CHOP employee, would like to recruit Penn patients, they must collaborate with a Penn Medicine faculty member who is accountable for appropriate access or with a central office, such as OCR, or work with the Data Analytics Center (DAC) to serve in an honest broker capacity.
Research Recruitment and Research Under HIPAA Authorization
HIPAA authorization describes PHI that will be collected during a research study, who it will be collected by, and with whom it will be shared within the covered entity and outside the covered entity. It specifies the need for the PHI, how it will be stored and protected, and how the participant may revoke access to the PHI.
(1) The use or disclosure of PHI involves no more than a minimal risk to the privacy of individuals, based on, at least, the presence of the following elements: an adequate plan to protect the identifiers from improper use and disclosure; an adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law; and adequate written assurances that the PHI will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research project, or for other research for which the use or disclosure of PHI would be permitted; (2) the research could not practicably be conducted without the waiver or alteration; and (3) the research could not practicably be conducted without access to and use of the PHI but that the minimum amount of identifiable PHI is being used.
Penn users: Once IRB approval has been obtained, patients may be contacted to participate in a research study and, if they agree, will be asked to sign a consent form and authorization. This will detail with whom and how data may be shared.
Individual patient level research data that qualifies as “source” (the first place that a research datapoint is recorded) must be stored securely either in PennChart, Penn’s Clinical Research Management Systems (PennCRMS), Penn+Box, or in other HIPAA-compliant systems, as well as on secured shared drives or on paper. For more details, refer to the Information Handling Standard.
For all studies that involve hospital services, PennChart will contain, at a minimum, a record of the study, subjects enrolled on the study, research encounter information and, if applicable, information about the investigational medication being provided.
Clinical trial data in aggregate or Case Report Form data must be stored in a HIPAA-compliant database such as the PennCRMS, Veeva EDC, or REDCap, or a third-party sponsor system (external organizations such as pharmaceutical companies).
Such data management systems should negate the need for any emailing of spreadsheets of data.
Non-Penn users/collaborators: When collaborating with external users on a clinical research trial, only PHI outlined in the authorization or contract should be shared. This can be shared via secure electronic data capture systems or via secure methods for external sharing such as Citrix or use of an FTP server. The latter is more efficient for a large share of data and the former more appropriate for ongoing study activities. Further, if using third parties, a HIPAA business associate agreement (BAA) may be required. Please consult the Privacy Office for guidance.
Special note regarding texting potential subjects and subjects: If research recruitment or research under a HIPAA authorization involves texting potential subjects or subjects, specific texting consent may be required, as well as certain disclaimers and an operational opt-out system. Consult this messaging guidance before requesting IRB approval.
Special note regarding blinded and highly sensitive studies: With such studies, additional steps should be taken in PennChart to protect the sharing of results and certain other research data with patients and internal and external providers. See Guidance for Blinded Studies and MyPennMedicine.
Research on Identifiable Data sets under a waiver of HIPAA authorization
In addition to the safeguards and tools described above in the context of a HIPAA authorization, note the following distinct rules that apply in the context of a waiver of HIPAA authorization. First, the research must involve only the minimum PHI necessary. Second, under the new Common Rule provisions, the research must be supported by documented reasoning as to why these studies cannot be conducted without the requisite PHI. Further, if using third parties, a HIPAA business associate agreement (BAA) may be required. Please consult the Privacy Office and the Data Access Center for guidance.
Research Using a Limited Data Set
A limited data set includes only indirect identifiers, and it can include any date information (for example date of birth, date of service, date of discharge) as well as limited address information excluding street address (for example town, county, state, zip code).
Penn users: Limited data sets may be used for research with IRB approval by Penn researchers, provided the research application includes a commitment that the research team will abide by HIPAA DUA terms. Penn researchers not committing to such terms in the research application must agree to them via a separate agreement.
Non-Penn users/collaborators: To share a limited data set externally, a signed Data Use Agreement (DUA) must be in place. This is a written agreement that establishes how a limited data set will be transferred from a covered entity to an intended recipient and establishes how that data will be protected. A DUA can be put in place by the Office of Research Services.
In all these cases, PennDNA is a resource to assist in data extraction. See the PennDNA website.
Security/ Storage of Data
Security is of the utmost importance in addressing privacy risks to research data. Key components are secure storage, transmission and a plan for destruction where feasible. Regarding storage, all PHI must be maintained on secure devices, secure systems and approved services. PHI may be maintained, for example, as described above, on Penn’s CRMS, the Veeva electronic data capture (EDC) systems, REDCap or Penn Box.
Transmission of PHI: Citrix FileShare, Penn Secure Share, and secure FTPs may be used.
Destruction of PHI: Researchers should consider whether and when they can securely destroy PHI without compromise to research integrity or obligations to the sponsor or others.