Q&A: Research Health Information

Last year, the Office of Responsible Research Practices partnered with several university and medical center offices to host a webinar on Ohio State’s Protected Health Information and HIPAA policy.

In this post, we answer some of the questions from attendees about the policy and research health information (RHI).

Over 230 people attended The University HIPAA Policy: What it Means for Your Research webinar, and attendees submitted a lot of questions.

Many of these questions are answered on The Ohio State University Wexner Medical Center’s FAQs about the policy, so be sure to peruse their materials and bookmark the page for future reference.


Below are answers to questions about the distinction between protected health information (PHI) and research health information (RHI) and topics pertinent to IRB submission and review. For specific questions about information security/storage and OSUWMC policies about the use of patient data in research, contact your unit’s security coordinator and the OSUWMC Compliance Integrity and Privacy Office, respectively.


General Questions

Q: Who participated in the panel discussion at the end of the webinar?

  • Holly Drake, Chief Privacy Officer, OCIO – Information and Identity Protection
  • Jennifer Elliott, Senior Privacy Officer, OCIO – Information and Identity Protection
  • Roland Kreml, Security Analyst Lead, OCIO – Governance and Risk Management
  • Jamie Nelson, IT Security Architect, OSUWMC Data Security
  • Erin Odor, QI Specialist, Office of Responsible Research Practices
  • Kathleen Ojala, Director & Privacy Officer, OSUWMC Compliance and Integrity
  • Alyson Raines, Associate Director, OSUWMC Compliance and Integrity

PHI & RHI Definitions

Q: How do I know if my data set is RHI or PHI?

A: While both RHI and PHI are individually identifiable information about a person’s health status or health history, the two are distinguished by (1) which unit holds the data and (2) how the data are used.

  • PHI is obtained, created, or held by a covered component (i.e., healthcare unit subject to HIPAA) for the purposes of treatment, payment for health services, or healthcare operations.  
  • RHI is obtained, created, or held by a non-covered component for research purposes.

Check out this diagram illustrating Ohio State’s hybrid entity designation, including which components and functions are subject to HIPAA.

This means that any health data generated in a non-covered unit, such as academic departments, for research purposes is RHI. Examples:

  • A social work researcher administers a clinically validated questionnaire for assessing depression to research participants at various timepoints throughout a study
  • A physician-researcher administers health history surveys, takes vital signs, and obtains blood for non-therapeutic research analysis to examine correlations between biometric values and self-reported history of childhood obesity; no data from medical records or clinic schedules will be accessed/used. When conducting these research-only activities, the PI is wearing their “researcher” hat and operating within the non-covered component of the university.

Of course, every research scenario is a little bit different. Use the decision tree below to determine if your research data set is PHI or RHI.

Q: I’m collaborating with a researcher at an external academic medical center, and the study involves RHI. Does the external covered entity need to sign a business associate agreement (BAA) with OSUWMC? What about other types of agreements/contracts/MOUs?

A: A business associate agreement (BAA) has a specific meaning under the HIPAA privacy rule that is not applicable to research. Simply put, a BAA allows a person or entity to receive PHI in order to support the business operations of a covered entity. Services for which a BAA is required include claims processing, billing, benefit management, IT support, quality assurance, data aggregation, legal services, and others. When a BAA is executed, the business associate accepts liability to the federal government for the PHI it receives—including the civil and criminal penalties in the event PHI is misused; in essence, the business associate becomes a covered entity to the extent that it performs HIPAA-covered functions.

Research is not a business operation under HIPAA; thus, a BAA is not an appropriate mechanism for managing shared patient data for research. This is a common misconception, and some covered entities issue BAAs whenever patient data is shared externally for any purpose. However, representatives of the Office of Civil Rights have explicitly stated that they will only recognize and uphold a BAA when it was executed for one of the recognized business associate services.

Nevertheless, some kind of data use agreement (DUA), memorandum of understanding (MOU), or contract is typically required whenever Ohio State data is shared with an external entity for research purposes. The document may look like a BAA and will likely include provisions about data access, privacy and security measures, and institutional liability—but, importantly, the document makes an external entity liable to Ohio State, not to the federal government.

DUAs and related agreements are not managed by the IRB or ORRP. Contact your covered component’s privacy officer for advice on using patient data in collaborative research and your unit’s security coordinator to ensure institutional data security requirements are in place.

Q: My study is a retrospective review of existing medical records. If I store identifiable research data outside of the electronic medical record, is it still PHI?

A: No, it is RHI—assuming you have obtained HIPAA research authorization or a waiver of HIPAA research authorization for your research.

Note: If you access patient data for research without valid HIPAA research authorization or an IRB-approved waiver, you must notify the covered component’s privacy officer and IRB immediately—this is a violation of the HIPAA privacy rule, the Common Rule, and university policy.

Q: My study collects self-reported health information directly from participants (e.g., by administering a survey, health questionnaire, or interview). Is this PHI or RHI? Do participants need to provide HIPAA authorization?

A: The data is RHI. The source of data is participants themselves, who are not covered entities bound by the HIPAA privacy and security rules. In this case, participant informed consent is sufficient to obtain and use identifiable health data provided directly to researchers.

In some cases, self-reported RHI may also warrant clinical evaluation. For example, researchers may administer a questionnaire to assess suicide ideation during a study; participants who score in a particular range may be referred for further clinical evaluation. If a copy of the completed questionnaire or results are sent to the participant’s physician or entered into the medical record, that copy sent to/recorded in a treatment record is PHI because it will be used for treatment, payment, or operations by a clinician. The copy of the questionnaire/results retained by the researcher remains RHI. (If the researcher is also the participant’s physician, she may have access to two copies—one in the research records (RHI), and one in the patient’s treatment file (PHI).)

Q: Is RHI defined the same across academic medical centers?

A: No. Most academic medical centers are hybrid entities and have designated covered components subject to HIPAA and non-covered components; however, where they draw the line between the covered and non-covered components can vary.

Some institutions have adopted the term research health information as a category of data distinct from—but similar to—protected health information to help researchers better understand when individually identifiable health data is subject to HIPAA. Even among these institutions, RHI is defined in different ways.

Ohio State’s definition of RHI and the decision to designate research as a non-covered function is modeled on the policies of Columbia University, University of Delaware, University of Miami, Vanderbilt University, and others, and was developed in consultation with internal and external legal counsel with expertise in HIPAA regulations.


IRB Questions & Ongoing Research Concerns

Q: How does the HIPAA and Protected Health Information policy impact the use of patient data in research?

A: In general, the policy memorializes and clarifies well-established Ohio State processes related to HIPAA.

Regulatory requirements for using HIPAA-protected data in research are unchanged: researchers must still obtain participants’ HIPAA research authorization or a waiver of authorization from an IRB/Privacy Board in order to obtain/collect protected health information for research purposes.

Investigators should evaluate if their study involves storage of PHI, RHI, or other types of data and ensure that the data is secured to the appropriate data classification level.

Q: How does the policy affect privacy concerns in research?

A: The policy does not change the expectation that researchers will adequately protect participant privacy. The Common Rule, FDA regulations, and foundational ethical principles governing human subjects research state that risks to subjects must be minimized and that participants’ privacy and confidentiality of data are protected. The HIPAA privacy rule requires similar protections when patient data is disclosed for research purposes.

Data security is just one aspect of privacy; at Ohio State, the Institutional Data Policy and Research Data Policy establish requirements for securing research information, including RHI.

Q: How does the policy impact community-partnered research?

A: There are no impacts specific to this type of research. Data obtained from a covered entity—Wexner Medical Center, community clinic, or local pharmacy—still requires HIPAA research authorization (or waiver approved by an IRB/Privacy Board) before it can be disclosed for research purposes, and it must continue to be protected after disclosure.

Q: My study collects information about participants’ health but was initiated prior to the effective date of the policy (June 2, 2021). Does my study have to comply with the policy?

A: Yes, all activities that use health information for research purposes are subject to the policy.

Q: If my current study involves RHI, do I have to submit an amendment to the IRB in order to comply with the policy?

A: Not necessarily.

  • Studies currently using data obtained from the OSUWMC or other HIPAA covered entity will have already obtained HIPAA research authorization or waivers of authorization to cover the disclosure of PHI for research purposes (reclassifying it as RHI). These studies should already be protecting study data to an S4 level, so there is no need to change study procedures or data storage.
  • Other studies may use, collect, or create RHI that is not derived from a HIPAA covered entity. If such research data is not currently protected to S4 (restricted) data security standards, researchers should contact their college/unit Security Coordinator for guidance on employing appropriate data protections. Although data management may be changed, an amendment is likely not necessary if your security measures are adequate. The IRB is not scrutinizing existing studies for compliance.

This data must be protected to S4 levels, and a change in data storage/management may be required in order to comply with the university’s data standards.

Q: How do IRB protocol submissions involving RHI differ from those involving PHI?

A: Studies involving RHI only will not address questions related to PHI, including HIPAA research authorization and/or waivers of authorization.

Q: Are breaches or security incidents involving RHI considered “reportable events” under IRB policy?

A: Yes. In addition to notifying Enterprise Security, researchers should report any breaches of participant confidentiality to the reviewing IRB. For studies reviewed by an Ohio State IRB, an event report application should be submitted in Buck-IRB within 10 days of learning of the event.

More information: Event Reporting | ORRP (osu.edu)

Q: Does ORRP plan to update the Buck-IRB application form to include a checkbox for RHI?

A: At this time, there are no immediate plans to revise the application form to add this checkbox; however, the application may be adapted to elicit information about the use of RHI.
