PHI and HIPAA Policy out for university-wide feedback

As announced in OnCampus yesterday, the Wexner Medical Center Compliance and Integrity office is proposing a new Protected Health Information and HIPAA Policy. Once in effect, “research” will be designated as a non-covered function and fall outside of HIPAA regulations, regardless of the unit employing the researchers. Procedure IV concerns the disclosure of PHI for research purposes. ORRP encourages the research community to review and comment on the proposed policy during the public comment period, which closes January 25, 2021.

Quick take: Portions of the policy relevant to research

  • Establishes that research is not a HIPAA covered function (Policy Details IV), which places breaches of research health information (defined in the policy) outside the jurisdiction of the regulator (Office for Civil Rights).
  • Creates a definition of Research Health Information (RHI):
    Information collected about research subjects that pertains to their health or healthcare which either (1) is created or received in connection with research that does not involve a covered health care component or (2) has been reclassified and is no longer subject to HIPAA requirements due to a disclosure from a health care component pursuant to a valid HIPAA research disclosure, such as a valid authorization or a full or partial waiver of HIPAA research authorization.
  • Requires researchers to protect RHI according to university data security and breach reporting policies, including Institutional Data and Information Security Incident Response Management (Procedure IV.B).

The public comment period is January 11, 2021 to January 25, 2021. Review and provide feedback at the link below.

Is this an IRB policy?

No. The proposed policy is overseen and managed by the Wexner Medical Center Compliance and Integrity office. It was developed with input from a number of stakeholders across the institution, including representatives from the Office of Responsible Research Practices.

If the policy is adopted, ORRP will partner with OSUWMC to develop guidance and educational materials for the research community.

Deeper dive

The primary purpose of these research-related changes is to limit Ohio State’s regulatory exposure and prevent civil money penalties from the Office for Civil Rights (OCR) in the event of a breach of research data, such as the $4.3 million fine imposed on MD Anderson Comprehensive Cancer Center following research data breaches in 2012 and 2013.

Since 2003, the university has designated itself a hybrid entity, which allows the university to limit its HIPAA obligations only to those health care components and units that perform HIPAA-covered functions. The current hybrid entity designation does not clearly define when research data is subject to HIPAA regulation, particularly when researchers or research teams hold appointments in both covered health care components (e.g., the Wexner Medical Center) and non-covered components (e.g., the College of Medicine).

By clarifying that research is not a covered function subject to HIPAA, the institution is both reducing regulatory risk and providing transparency for the research community.

Please note: The projected implications for research described below are based on the current version of the proposed policy, which may change due to feedback received during the public comment period.

We anticipate these changes will have minimal impact on everyday research activities at Ohio State if adopted as written.

For example:

  • In order to use PHI in research, researchers must still obtain participants’ HIPAA research authorization or a waiver of authorization from an Institutional Review Board or Privacy Board.
  • Although reclassified as RHI, such data must continue to be protected to an S4 data security standard per Ohio State’s Institutional Data Policy. Researchers who are already using HIPAA-compliant platforms to store and analyze PHI-derived research data are encouraged to continue doing so.
  • In the event of a breach of RHI:
    • Researchers must continue to report the incident to appropriate security officers (see below) and the IRB.
    • Consequences to individual researchers are unchanged: breaches of research data may result in reporting to federal agencies (e.g., NIH, FDA); loss of grant funds; an investigation of research misconduct; loss of PI privileges; civil or criminal charges; and others.

The most noticeable change will likely be where researchers will report breaches of RHI.

If adopted, such events will be reported to the university’s data incident team at security@osu.edu, rather than a HIPAA Privacy Officer. All breaches of research data should also be reported to the IRB via the Event Report form in Buck-IRB.

For questions about how to provide feedback, contact policies@osu.edu.
