Thank you for your commitment to always protecting patient privacy.
The Ohio State President’s Cabinet approved a new Protected Health Information (PHI) and HIPAA Policy. The policy unifies current PHI and HIPAA efforts in departments and programs across the university and the medical center, builds efficiencies, and increases compliance. If patient confidentiality is compromised, it must be promptly reported. More details about the policy, including FAQs and diagrams, can be found below.
Relevant Diagrams
FAQs
What data classification is RHI considered?
The data classification of RHI is S4 (restricted) institutional data, which requires the highest levels of protection outlined in the Information Security Control Requirements (ISCR). Protections include, but are not limited to: multifactor authentication, encryption, unique user accounts, minimum necessary access, and access auditing. Many departments using RHI will have IT support that is familiar with the requirements for the use and storage of S4 (restricted) institutional data or will be able to seek assistance from one of the security teams associated with OSU or OSUWMC. Reach out to your IT contacts for consultation to ensure you are properly protecting RHI.
I don’t know whether my research data protection plan meets S4 requirements. Who do I ask for help?
Many departments using RHI will have IT support that is familiar with the requirements that are necessary for the use and storage of S4 data or will be able to seek assistance from one of the security teams associated with OSU or OSUWMC. Reach out to your IT contacts for consultation to ensure you are properly protecting RHI.
What is the HIPAA compliance plan or guidance that health care components must follow?
Covered components use the university's Compliance and Integrity established reporting templates to document their HIPAA compliance plans and annual reports. The covered components report their compliance efforts to the Covered Health Care Component Committee (CHCC) at least annually, as well as to the covered components' business unit leadership. Annually, the CHCC reports to the University Integrity Compliance Council (UICC) on the activities of the covered components and university service units.
What do staff, students and faculty who work on behalf of the Service Units described in this policy need to do?
Faculty, staff, students, suppliers/contractors, and volunteers need to only use and/or disclose PHI as permitted or required by the health care component or as required by law. Each unit has a privacy and information security coordinator who can guide you.
Does this policy apply if a college unit is a business associate of an outside entity?
The policy does not directly apply. The terms of the business associate agreement do apply. The policy, however, follows BAA frameworks.
Where do I report an incident involving PHI?
This policy does not change your established department incident reporting structure. Many departments have designated IT, IT Security and/or Privacy Officers to whom they should continue to report potential PHI incidents. Ultimately, all PHI incidents are reported to the OSUWMC Privacy Office at 614-293-4477 or privacyoffice@osumc.edu. If you do not have an established reporting procedure, you can always report to the OSUWMC Privacy Office.
What kind of incident classifies an inappropriate disclosure of data? How do I know when I need to report an inappropriate disclosure?
If you find that data (paper or electronic) has been lost or stolen or used in a way that is inconsistent with policy (i.e., someone not authorized to access files did so), you need to report the missing data as soon as possible using the appropriate reporting structure. Some examples are a lost laptop, a lost flash drive, or missing paper documents. If patient confidentiality is compromised, it should be reported.
An inappropriate disclosure of data occurred. I am unsure of whether the data is PHI or RHI and where to properly report the disclosure. What do I do?
This policy does not change your established department contact structure. Many departments have designated IT, IT Security and/or Privacy Officers with whom you should continue to work on disclosures and data classification questions. If you are uncertain of a data classification or where to report a disclosure, contact your department contacts. Ultimately, these need to be reported to either the Privacy Office or OCIO Data Security. If you do not have an established contact and/or you're not sure where to report, reach out to the office that makes sense to you: either the medical center’s Privacy Office (614-293-4477 or PrivacyOffice@osumc.edu) or OCIO Security (614-688-HELP or Security@osu.edu). The two offices work well together and will get your potential incident to the correct response team. Incidents involving research data or incidents involving patient confidentiality also need to be reported to the IRB via an Event Report. For more information, see the Office of Responsible Research Practices' Event Reporting page.
What happens if there is an unauthorized disclosure of PHI held by a service unit or their subcontractor?
Unauthorized uses or disclosures by a service unit or their subcontractors, whether actual or suspected, need to be promptly reported to the Office of the Chief Information Officer (OCIO), Enterprise Security Operations or the medical center’s Privacy Office. (More than one reporting line exists due to how campus and the medical center have operationalized response teams). Repeated violations of university policy or HIPAA regulations can result in re-education, recommendation for disciplinary action or contract termination. Each incident is judged on the facts and circumstances.
Why would a covered health care component decline to honor a HIPAA waiver?
Under the HIPAA regulations, disclosures of PHI for research purposes are permissive, not mandatory. Data will be disclosed based on the minimum amount of information that is needed for the intended purpose. The primary reason OSU-covered components would not disclose PHI pursuant to a valid HIPAA research disclosure, such as a valid authorization or a waiver or alteration of authorization, is concern that the investigator's information security plan is insufficient. Covered components will work with investigators and the colleges' IT teams to confirm the sufficiency of the investigator's information security plan.
What are partial and full waivers of HIPAA authorization? How do they relate to the data that can be disclosed for research purposes?
Under the Privacy Rule, HIPAA research authorization is an individual's signed permission to allow a covered entity to use or disclose the individual's PHI that is described in the authorization for the purpose(s) and to the recipient(s) stated in the authorization:
- Information to be accessed, used, or disclosed
- Identification of those authorized to use/disclose
- Potential for re-disclosure; right to revoke
The requirement for an authorization may be waived (full or partial) or altered.
Partial Waiver of Authorization: Allows PHI access/retention for the purposes of identifying potential subjects. Information collected under partial waiver must be destroyed after recruitment is complete unless authorization or additional waiver/alteration is obtained.
Full Waiver of HIPAA Authorization: Allows PHI access/retention without authorization for the entire research study (collection and data analysis).
- The fact that the research is retrospective, or that the data to be used will be created regardless of the research, is not a sufficient justification for granting a full waiver under the regulations.
- In general, research studies involving prospective access/collection of PHI should include a plan to obtain authorization.
De-Identified data sets do not require HIPAA waivers. Investigators are encouraged to use de-identified data.
What is the role of the Privacy Board?
A Privacy Board is a committee established to review requests for a waiver or alteration of the authorization requirement for uses and disclosures of PHI in a particular research study. A Privacy Board may waive or alter all or part of the authorization requirements. Under the Privacy Rule, an IRB may serve as a Privacy Board. At The Ohio State University, the Privacy Board reviews requests for waivers or alterations of authorization in exempt research. ORRP facilitates the review process; no additional action by the investigator is necessary. The Institutional Review Board (IRB) serves as the Privacy Board for non-exempt research.
What is the role of the IRB?
All non-exempt research activities involving human subjects must be reviewed and approved by an Institutional Review Board (IRB). See https://orrp.osu.edu/irb/irb-faqs/. The IRB reviews non-exempt human subjects research proposals to ensure risks have been minimized and assessed against the potential for benefit before human subjects participate in the research. The IRB also ensures, when required, that human subjects only volunteer to participate in research after providing legally effective informed consent. For more information about Ohio State's IRBs, see http://orrp.osu.edu/irb.
As an Ohio State investigator, how do I obtain patient data for research purposes? Does it matter if I am affiliated with an Ohio State health sciences college?
Yes, you can obtain patient data under certain circumstances. There must be an OSU credentialed faculty member on the study team (PI), and HIPAA authorization or a waiver of authorization from an IRB/privacy board is required.
For example, at the medical center, certified Honest Brokers may provide the OSU research community with access to OSU Health System data for secondary research purposes. The PI and individuals on the study team are responsible for creating and maintaining a data security plan to safeguard the RHI to S4 security protection standards. When possible, de-identified patient data should be used and does not require IRB review.
Does this policy change the way researchers can identify and recruit patients from Ohio State’s covered components?
No. Recruitment of participants from these sources is governed by the IRB policy on recruitment and the OSUWMC HIPAA research policy, both of which require partial waivers of HIPAA authorization. Both IRB policy and OSUWMC policy prohibit cold calling of potential research participants. OSUWMC HIPAA research policy requires investigators to coordinate with a treating clinician before contacting the potential subject(s). Recruitment scripts (e.g., phone, email, and letter scripts) must contain a link between the treating clinician and the investigator.
Why would a covered component require a university researcher to receive HIPAA training if the data they are receiving is RHI?
There are two reasons why a covered component may require a university researcher to complete HIPAA training prior to disclosing patient data for research:
- To ensure the researcher understands that the health information they receive is derived from a person whose information must be safeguarded and honored as private regardless of its classification as PHI or RHI.
- To provide additional assurance to the covered component, as steward of patient data, that privacy and confidentiality will be protected after disclosure to the researcher.
Who can de-identify patient data?
The HIPAA Privacy Rule allows uses and disclosures of de-identified PHI. In order to protect patient information, two methods of de-identification have been developed.
1) Removing all of the 18 elements of PHI from a dataset and having no keys or identifiers that can link back to PHI or that are derived from PHI (Safe Harbor Method); or
2) Expert determination certifying that the statistical risk that the data could be re-identified is minuscule.
Researchers may de-identify datasets as described in 1), but the de-identification must be validated by Information Security and the process of de-identification must have IRB approval.
Researchers may not de-identify datasets as described in 2) and provide their own expert determination. Expert determination requires a qualified third party. Contact Compliance and Integrity for additional information and support.
At OSU, certified honest brokers have authorization to de-identify data.
- Researchers requesting de-identified data from the OSU health system through an honest broker do not require IRB approval, if the researcher provides the criteria to the honest broker to pull PHI data from the EHR and the honest broker de-identifies it.
- Researchers disclosing (sending) PHI they have collected to an honest broker for the purpose of de-identification do require IRB approval.
Can I store RHI in HIPAA approved systems?
Yes, you should store RHI in data systems that meet S4 requirements.
What is Research Health Information (RHI)?
Research health information (RHI) is information that: (1) is created or received in connection with research that does not involve a covered health care component or (2) has been reclassified and is no longer subject to HIPAA requirements.
Although the definition of RHI includes information that is created or received in connection with research that does not involve a covered health care component, the university HIPAA policy’s main purpose is to define the reclassification of PHI into RHI when information is disclosed from a health care component to a university researcher pursuant to a permitted research disclosure under HIPAA.
I'm conducting a therapeutic clinical trial pursuant to patient consent and the patient's HIPAA authorization. Is the information I am gathering and entering into the electronic medical record (EMR) RHI or PHI?
Patient information generated in a therapeutic clinical trial is PHI when entered into an EMR for the purposes of treatment or clinical care; the data is being used for patient care within the covered component and is therefore subject to HIPAA.
Concurrently, the signed participant HIPAA research authorization allows that data to also be used for research purposes. When data generated during a therapeutic clinical trial is extracted or maintained separately from the EMR for analysis, sponsor reporting, or other research-related activities, the patient data becomes RHI pursuant to the HIPAA research authorization. Therefore, identical data points are considered PHI in one context and RHI in another, depending upon how the data are used (treatment vs. research) and where they are stored (EMR vs. non-PHI record set).
Non-therapeutic clinical trials will typically generate only RHI, as the research activities are not intended to treat or mitigate a particular health condition or improve the health of research participants.
How is Protected Health Information (PHI) reclassified as RHI?
PHI becomes reclassified as RHI, and is therefore no longer subject to HIPAA, when it is stored outside of the EMR for research purposes pursuant to a valid written HIPAA research authorization or a waiver or alteration of authorization. This is because, as a hybrid entity, the university has designated its research function as occurring in its non-covered, academic component(s), whereas clinical activities occur within the university's covered component(s) and are therefore subject to HIPAA. Although no longer subject to HIPAA, RHI must still be protected to S4 data security standards.
Is my research data set PHI or RHI?
Does Research Health Information (RHI) include information only from a covered component, such as OSUWMC's electronic medical record (EMR)?
No. RHI is a broad term that refers to identifiable information pertaining to research participants' health or health care that either:
- had been PHI when held by a covered health care component but has been reclassified as RHI via a valid HIPAA research authorization or approved waiver/alteration of authorization from an IRB or privacy board; or
- is created or received in connection with research that does not involve a covered component (e.g., social science surveys, MRIs performed only for research purposes, etc.).
Which units are the designated health care components subject to HIPAA?
The university’s designated health care components can be found in The Hybrid Entity Designation Statement. The components are: The Ohio State University Wexner Medical Center (University Hospital, East Hospital, Brain and Spine Hospital, Richard M. Ross Heart Hospital, Harding Hospital, Dodd Rehabilitation Hospital, Ambulatory Clinics and Services); Arthur G. James Cancer Hospital and the Richard J. Solove Research Institute - Comprehensive Cancer Center; College of Dentistry; College of Optometry; Nisonger Center; OSU Health Plan; OSU Physicians Inc.; Wilce Student Health Center.
What is a service unit? Which Ohio State units are service units subject to HIPAA?
A service unit is a university unit that creates, receives, maintains or transmits PHI on behalf of a health care component. The service unit is subject to HIPAA only when it is performing functions on behalf of a covered component.
OSU Service Units are:
- College of Medicine
- College of Nursing
- College of Pharmacy
- Office of Administration and Planning
- Office of Business and Finance
- University Risk Management
- Department of Internal Audit
- Office of Technology and Digital Innovation
- Office of Human Resources
- Office of Institutional Equity
- Office of Legal Affairs
- Office of University Compliance and Integrity
- Technology Commercialization Office
- University Office of Advancement
Example: UniPrint is only subject to HIPAA when producing documents related to a covered component's treatment, payment or operations, but not when providing services to units for non-health care purposes.
What is a Covered Entity?
A Covered Entity includes the following types of organizations if they conduct certain types of transactions in electronic form: health plans, health care clearinghouses, and health care providers. HIPAA addresses Protected Health Information (PHI) that is created, received, maintained or transmitted by a Covered Entity.
What is OSU’s designation?
The Ohio State University (University) conducts both Covered and Non-Covered Functions and elects to be a Hybrid Entity under HIPAA. As a Hybrid Entity, the University is responsible for designating the Components that are Health Care Components within the University.
What is a Hybrid Entity?
A Covered Entity that is a single legal entity and conducts both Covered and Non-Covered Functions may elect to be a Hybrid Entity. To be a Hybrid Entity, a Covered Entity must identify its components that perform Covered Functions and designate these components as Health Care Components. HIPAA compliance obligations apply only to designated Health Care Components; a Covered Entity that does not make the Hybrid Entity designation is subject to HIPAA in its entirety.
My college has agreed to be a HIPAA business associate of a non-OSU covered entity (e.g., Ohio Health). Does this policy apply to me?
Generally, the policy does not apply. You are obligated under the business associate contract terms, which will generally follow the OSU policy.
What are examples of use and disclosure under HIPAA?
Use: A hospital may use protected health information about an individual to provide health care to the individual and may consult with other health care providers about the individual's treatment.
Disclosure: A primary care provider may send a copy of an individual’s medical record to a specialist who needs the information to treat the individual.
Research-related disclosure: A covered component may disclose PHI pursuant to a HIPAA authorization or waiver for retrospective chart review.
How will this policy change your current practices/processes?
For most people, the policy does not change what you've been doing. The policy largely memorializes well established processes related to HIPAA.
How do I know if this policy applies to me?
If your role includes use of patient information, the policy applies to you.
What action, if any, must HIPAA MOU Colleges take as a result of this policy?
College of Nursing's, College of Public Health's, and College of Engineering’s MOUs with the medical center will sunset with the adoption of the policy. The policy contains the relevant language from the MOU. By placing the language regarding safeguarding of RHI in the policy, administrative burdens of maintaining the MOUs are eliminated.
Why is the university putting forth a policy now?
Since the enactment of the law (HIPAA) and related regulations, OSU has adopted numerous policies, procedures and processes consistent with the HIPAA regulations. Research hadn't been clearly designated as within or without the university's covered components. Therefore, the policy memorializes what OSU has in place, provides transparency for the OSU community and clarifies roles and responsibilities.
What do we do to protect the privacy of a patient's medical information?
We believe that every piece of a patient's medical information is private and deserves protection. Long before there were HIPAA regulations, OSU developed policies to safeguard the confidentiality of patient medical records. In 1996, HIPAA brought broader reaching guidelines that added security to handling of electronic health records. Use of medical information at OSU undergoes regular ongoing inspection (or review) by privacy and information security units to assure a patient's confidentiality is constantly maintained.
I hear that it will be easier to get information from the medical center, is that true?
No. The policy does not make it easier nor harder to obtain PHI from the medical center (or any other covered component). The policy describes how PHI can be obtained.
I am a researcher who is also a clinician. How does the policy apply to me?
In your role as a workforce member of a covered component, you are subject to existing policies and procedures of the covered component (e.g., OSUWMC, College of Dentistry, College of Optometry, etc.).
If you are performing research and conducting research activities unrelated to your clinical role, you are acting as non-covered component workforce. Generally, the PHI is contained in the electronic medical record. If the PHI is subsequently disclosed (released) from the EMR (as would occur with a request via the Honest Broker protocol), pursuant to a valid HIPAA research disclosure, such as a valid authorization or waiver or alteration of authorization, PHI would be reclassified as RHI. The Investigator has the responsibility to safeguard the RHI to S4 level of information security protections.
PHI as used for therapeutic trials (i.e., clinical treatment) is subject to all HIPAA protections including safeguarding the information to S4 level of security protections.
How does the university policy affect the policies that covered components have established?
As with all university policies, business units may have more specific policies that apply. OSU's covered components have extensive HIPAA policies.