University Policy
Title
University of North Carolina at Chapel Hill Policy on Research Health Information
Introduction
Purpose
The University of North Carolina at Chapel Hill (UNC-Chapel Hill) is committed to conducting research in compliance with all applicable laws, regulations, and UNC-Chapel Hill policies. As part of this commitment, UNC-Chapel Hill has adopted this policy to clearly define the circumstances under which Research Health Information (RHI) may be used or disclosed in connection with research activities. Additionally, this Policy details the methods of reclassifying Protected Health Information (PHI) into RHI.
Scope
This Policy is applicable to all UNC-Chapel Hill Workforce Members, which includes faculty, staff, students, fellows, volunteers, trainees, agents, contractors, and/or other affiliates, whether paid or unpaid, who work or train in UNC-Chapel Hill departments, clinics, and programs that create, receive, maintain, or access PHI or provide support functions in connection with research activities at UNC-Chapel Hill.
Policy
A. Research Health Information
- Once PHI has been disclosed from a UNC-Chapel Hill HIPAA Covered Component or an external Covered Entity to a UNC-Chapel Hill researcher pursuant to a valid HIPAA disclosure for research purposes, including a HIPAA Authorization or Waiver of HIPAA Authorization, the data becomes RHI as long as the data is stored outside of the electronic health record (EHR).
- RHI is not subject to the HIPAA Rules; however, RHI may only be placed in information systems that are rated as High protection in accordance with UNC-Chapel Hill’s Information Security Controls Standard. RHI may be subject to other state and federal laws and University policies.
B. Reclassification of PHI to RHI
- PHI may be reclassified to RHI pursuant to one of the following authorized methods:
- HIPAA Authorization
- A HIPAA Authorization approved by an IRB.
- Partial Waiver of HIPAA Authorization
- A partial waiver approved by an IRB to waive the requirement of research participant authorizations for use, access, or retention of PHI to identify potential research participants (i.e., recruitment).
- Data collected under a partial waiver must be destroyed at the end of the recruitment period unless a HIPAA Authorization or a full Waiver of HIPAA Authorization is obtained.
- Full Waiver of HIPAA Authorization
- A full waiver approved by an IRB to waive the requirement for patient authorization for use, access, or retention of PHI for the entire research study (e.g., retrospective chart review).
- Workforce Members are required to follow the methods of reclassifying the data from PHI to RHI correctly and must protect the RHI in accordance with UNC-Chapel Hill’s Information Security Controls Standard with a High protection obligation level.
C. Preparatory to Research
- Researchers may access PHI in the records of a Covered Entity without a HIPAA Authorization or Waiver of HIPAA Authorization for the purposes of development of a research protocol or assessment of feasibility of a research protocol, provided that the researcher documents that all the following criteria are satisfied:
- The use or disclosure of PHI is solely to prepare or assess feasibility of a research protocol;
- The researcher must not record PHI or remove PHI from the records reviewed;
- The PHI sought is necessary for the purposes of the research; and
- Preparatory to research does not include patient contact or recruitment.
- Because researchers are not permitted to remove PHI from a Covered Entity for preparatory to research purposes, PHI cannot be reclassified to RHI.
- In accordance with the Office of Human Research Ethics’ Standard Operating Procedure 1801, Section 2.4, UNC-Chapel Hill researchers seeking to use PHI for preparatory to research purposes must contact the UNC Health Privacy Office in advance to ensure compliance with applicable policies and procedures.
D. De-Identified Health Information
- De–identified Health Information does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual. De-identified Health Information is neither PHI nor RHI.
- However, if de-identified data is received from internal or external sources (e.g., the Carolina Data Warehouse for Health (CDW-H)) there may be external obligations or University policies that require additional safeguards (e.g., a Data Sharing Agreement).
E. Limited Data Sets
- Limited Data Sets contain Individually Identifiable Health Information; they cannot be reclassified as RHI and therefore remain classified as PHI.
- Limited Data Sets may only be used or disclosed if there is a Data Use Agreement between the Covered Entity providing the data and the recipient of the Limited Data Set.
- If a Limited Data Set is pulled from the CDW-H, UNC-Chapel Hill is authorized to enter into a Data Use Agreement with the third-party recipient of the Limited Data Set.
F. Research Involving Decedents
- The Individually Identifiable Health Information of decedents continues to be classified as PHI for 50 years following death and cannot be reclassified as RHI. Once permission is obtained from the decedent’s personal representative in accordance with subsection II.F.2 below, researchers may use the decedent’s health information in accordance with the terms of the permission received from the personal representative.
- Researchers may use or disclose a decedent's PHI for research without a HIPAA Authorization or Waiver of HIPAA Authorization, provided that the researchers represent, either in writing or orally, that all the following criteria are satisfied:
- The use will be solely for research on the PHI of a decedent;
- The PHI sought is necessary for the purposes of the research; and
- The researcher has documentation of the death of the individual about whom information is being sought.
- Permission is required from the decedent’s personal representative. To obtain permission from the decedent's personal representative, the researcher must go through the Covered Entity or health care provider (e.g., UNC Health) that is responsible for the decedent’s PHI.
- To the extent the decedent’s health care provider is UNC Health, then, in accordance with the Office of Human Research Ethics’ Standard Operating Procedure 1801, Section 2.5, UNC-Chapel Hill researchers seeking to use decedents’ PHI for research purposes must contact the UNC Health Privacy Office to ensure compliance with applicable policies and procedures.
G. UNC-Chapel Hill Roles and Responsibilities
- UNC-Chapel Hill through its Office of Human Research Ethics will:
- Follow regulations related to permitted disclosures for research purposes, including HIPAA Authorizations from participants and full or partial Waivers of HIPAA Authorization; and
- Maintain a review process specific to disclosing information for research purposes.
- UNC-Chapel Hill HIPAA Privacy and Security Officials may:
- Use their discretion to impose additional restrictions related to the disclosure of data, including requiring a HIPAA Authorization be completed by a participant, notwithstanding an IRB’s determination;
- Modify or require additional privacy and security safeguards as conditions for disclosure of data to UNC-Chapel Hill researchers; and
- Require UNC-Chapel Hill researchers to complete and maintain UNC-Chapel Hill’s HIPAA Privacy and Security Rule Training as a prerequisite for obtaining data.
- UNC-Chapel Hill Researchers will:
- Maintain PHI and RHI in line with UNC-Chapel Hill’s Information Security Controls Standard with a High protection obligation level;
- Follow UNC-Chapel Hill policies and procedures for data privacy and security incident response management, including promptly and appropriately reporting known or suspected incidents involving such information;
- Not use any information received for research purposes from a UNC-Chapel Hill HIPAA Covered Component or external Covered Entity for marketing or fundraising purposes;
- Not use any information received for research purposes from a UNC-Chapel Hill HIPAA Covered Component or external Covered Entity for future recruitment unless explicitly authorized by the participant; and
- Receive, use, and disclose only the minimum amount of data necessary for the research.
Definitions
- Covered Entity. A health plan, health care clearinghouse, or healthcare provider who transmits any health information in electronic form in connection with a transaction covered under the HIPAA regulations.
- De-identified Health Information. Health information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual. Health information is considered de–identified:
- If stripped of all of the 18 direct identifiers (Safe Harbor Method); or
- If an expert in statistical and scientific method determines that there is a very small risk that the information could be used alone or in combination with other information to identify an individual (Expert Determination Method).
HIPAA does not apply to de–identified health information and, therefore, there are no restrictions on the use or disclosure of de-identified health information under the HIPAA Rules.
- Expert Determination Method. A de-identification method for PHI in which a person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable:
- Applying such principles and methods determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information; and
- Documents the methods and results of the analysis that justify such determination.
- HIPAA Authorization. A specific type of written permission given by the individual to use or disclose PHI about the individual that is not for treatment, payment, or health care operations or otherwise permitted or required by the HIPAA Privacy Rule. The requirements of a valid HIPAA Authorization are defined in the HIPAA regulations.
- HIPAA Hybrid Entity. A single legal entity that is a Covered Entity, whose business activities include both covered and non-covered functions, and designates components covered by the HIPAA Rules. UNC-Chapel Hill has designated itself as a HIPAA Hybrid Entity.
- HIPAA Rules. All regulatory requirements under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH), and all regulations promulgated thereunder.
- Individually Identifiable Health Information. A subset of health information, including demographic data, that is:
- Created or received by a health care provider, health plan, employer, or health care clearinghouse;
- Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
- Identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.
- Limited Data Set. PHI that excludes all direct identifiers of the individual or of relatives, employers, or household members of the individual, except geographic subdivisions larger than the postal address and elements of dates. Limited data sets may only be used for research, public health, or for health care operations; and only with a data use agreement that limits the use of the data by the recipient.
- Minimum Necessary. As stated in the HIPAA Privacy Rule, a Covered Entity must make reasonable efforts to use, disclose, and request only the minimum amount of PHI needed to accomplish the intended purpose of the use, disclosure, or request.
- Protected Health Information (PHI). PHI is defined as:
- Information (in any format whether electronic, paper or oral) that:
- is created or received by a health care provider, health plan, or health care clearinghouse; and
- relates to the past, present, or future physical or mental health or condition of any individual; or
- the provision of health care to an individual; or
- the past, present, or future payment for the provision of health care to an individual.
- AND there is a reasonable basis to believe the information can be used to identify the individual; OR
- The information includes one or more of the following eighteen (18) identifiers (of the individual or the individual's relatives, household members, or even of the individual's employer):
- Name
- Geographic subdivisions smaller than a state (i.e., county, town or city, street address, and zip code and equivalent geocode) (note: in some cases, the initial three digits of a zip code may be used)
- All elements of dates (except year) for dates directly related to an individual (including birth date, admission date, discharge date, date of death, all ages over 89, and dates indicative of age over 89) (note: ages and elements may be aggregated into a single category of age 90 or older)
- Phone numbers
- Fax numbers
- Email addresses
- Social Security Number
- Medical record number
- Health plan beneficiary number
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web Uniform Resource Locators ("URLs")
- Internet Protocol ("IP") address numbers
- Biometric identifiers (e.g., fingerprints, retinal and voice prints)
- Full face photographic and any comparable images
- Any other unique identifying number, characteristic, or code.
- Research. HIPAA defines research as "a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge." Any project involving PHI where one of the primary goals is generalizable knowledge, with or without publication or public presentation, is considered research. In contrast to research use of PHI, requests for access, use, and disclosure of PHI for purposes of treatment, payment, or healthcare operations are governed by a different set of rules.
- Research Health Information (RHI). Individually Identifiable Health Information collected about research participants that is stored, collected, or maintained outside of an electronic health record (EHR), and is either:
- Created or received in connection with research that does not involve a UNC-CH HIPAA Covered Component or an external Covered Entity; OR
- Has been reclassified and is no longer subject to HIPAA requirements due to a disclosure from a UNC-CH HIPAA Covered Component or an external Covered Entity (e.g., UNC Health) pursuant to a valid HIPAA research disclosure, such as a valid HIPAA Authorization or a full or partial Waiver of HIPAA Authorization.
- Safe Harbor Method. A de-identification method for PHI in which the 18 HIPAA identifiers of the individual or of relatives, employers, or household members of the individual, are removed and the Covered Entity does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is the subject of the information.
- UNC-Chapel Hill’s HIPAA Covered Components. All units, departments, divisions, clinics, and programs that have been designated under UNC-Chapel Hill’s HIPAA Hybrid Entity Designation to which the HIPAA Rules apply.
- Waiver of HIPAA Authorization. The documentation establishing that an Institutional Review Board (IRB) has waived or altered HIPAA’s regulatory requirement that an individual must complete a written HIPAA Authorization to use or disclose the individual's PHI for research purposes.
- Workforce Member. UNC-Chapel Hill faculty, staff, students, fellows, volunteers, trainees, agents, contractors, and/or other affiliates, whether paid or unpaid, who work or train in UNC-Chapel Hill departments, clinics, and programs that create, receive, maintain, or access PHI or provide support functions in connection with research activities at UNC-Chapel Hill.
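The Safe Harbor Method above is mechanical enough to express in code. The following is an added example, not part of the UNC-Chapel Hill policy or any UNC system: it applies the 18-identifier rules from the PHI definition to one record, keeping only the first three ZIP digits (or "000" where the three-digit area has 20,000 or fewer people, per 45 CFR 164.514(b)(2)(i)(B)), reducing dates to the year, collapsing ages over 89 into "90+" and dropping a birth year that would reveal such an age, and redacting phone numbers, e-mail addresses, SSNs, URLs, and IP addresses that leak through free text. The record layout, the field names, the sample record, and the restricted ZIP-prefix set are all constructed for the example (the ZIP set must be derived from current Census data in practice). Note what code cannot do: the Safe Harbor definition also requires that the Covered Entity have no actual knowledge that the remaining data could identify the individual, and that judgment stays with a person.

```python
"""Safe Harbor de-identification of one tabular record (added example).

Assumptions (constructed for this example): the record's field names,
the sample record below, and the RESTRICTED_ZIP3 set.
"""
import re
from datetime import date

# Fields of the assumed layout that hold direct identifiers (name, phone,
# fax, email, SSN, MRN, plan ID, account, license, vehicle, device, URL,
# IP, biometric, photo). They are dropped outright, never transformed.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "plan_id", "account",
    "license_no", "vehicle_id", "device_serial", "url", "ip", "biometric",
    "photo",
}

# Three-digit ZIP prefixes whose combined population is 20,000 or fewer
# must become "000". Placeholder set for this example; derive the real
# set from current Census data before relying on it.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790",
                   "821", "823", "830", "831", "878", "879", "884", "890", "893"}

# Identifiers that leak through free text. Deliberately broad: for
# de-identification, over-redaction is the safe failure mode.
FREE_TEXT_PATTERNS = [
    (re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"), "[SSN]"),
    (re.compile(r"(?<!\d)(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}(?!\d)"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"), "[EMAIL]"),
    (re.compile(r"\bhttps?://\S+", re.IGNORECASE), "[URL]"),
    (re.compile(r"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)"), "[IP]"),
]


def safe_harbor_zip(zip_code):
    """Keep the initial three digits unless the prefix is restricted."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 3:
        return None
    zip3 = digits[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def age_on(birth, reference):
    """Whole years elapsed between two dates."""
    years = reference.year - birth.year
    if (reference.month, reference.day) < (birth.month, birth.day):
        years -= 1
    return years


def scrub_text(text):
    """Replace identifier-shaped substrings in free text with labels."""
    for pattern, label in FREE_TEXT_PATTERNS:
        text = pattern.sub(label, text)
    return text


def deidentify(record, reference_date):
    """Return a Safe Harbor view of one record.

    Assumed keys: the direct-identifier fields above, 'zip', 'birth_date',
    other '*_date' fields, 'notes', and clinical fields that pass through.
    """
    age = age_on(record["birth_date"], reference_date)
    over_89 = age > 89
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue
        if key == "zip":
            out["zip3"] = safe_harbor_zip(value)
        elif key == "birth_date":
            # A year alone is permitted unless it indicates an age over 89.
            out["birth_year"] = None if over_89 else value.year
        elif isinstance(value, date):
            out[key.replace("_date", "_year")] = value.year
        elif key == "notes":
            out[key] = scrub_text(value)
        else:
            out[key] = value
    out["age"] = "90+" if over_89 else age
    return out


# Constructed sample record; no real patient data.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "mrn": "000123456",
    "ssn": "123-45-6789",
    "email": "jane.sample@example.org",
    "zip": "27599-1234",
    "birth_date": date(1931, 6, 15),
    "admit_date": date(2023, 3, 2),
    "diagnosis": "E11.9",
    "notes": "Daughter can be reached at (919) 555-0142 or kid@example.org; portal https://example.org/p/42",
}
REFERENCE_DATE = date(2023, 3, 2)

if __name__ == "__main__":
    for field, value in deidentify(SAMPLE_RECORD, REFERENCE_DATE).items():
        print(f"{field}: {value}")
```

Running the block prints the scrubbed view: the direct identifiers are gone, `zip3` is `275`, `admit_year` is `2023`, `age` is `90+` with `birth_year` set to `None`, and the notes read "Daughter can be reached at [PHONE] or [EMAIL]; portal [URL]". A record with a 1980 birth date keeps its birth year and a numeric age. The free-text patterns are a backstop, not a guarantee; names, device serials, and account numbers in narrative text need a dedicated clinical NLP tool or manual review, and a dataset that has passed this function still needs the "no actual knowledge" determination from the Safe Harbor definition.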
Related Requirements
External Regulations
University Policies, Standards, and Procedures
Contact Information
Primary Contact
Name: Katherine Georger
Title: Associate Vice Chancellor, Chief Privacy Officer, Chief Digital Risk Officer, and Special Counsel
Unit: Institutional Privacy Office
Email: privacy@unc.edu