The Ohio State University and The Ohio State University Wexner Medical center are committed to improving people’s lives in central Ohio and across the world through innovation, research, education and patient care. Patient privacy is a key aspect of this mission. The university and the Wexner Medical Center are committed to compliance with the Health Insurance Portability and Accountability Act (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH).

On Tuesday, May 25, The Ohio State University President’s Cabinet approved the new Protected Health Information (PHI) & HIPAA Policy, which establishes a comprehensive policy to address PHI and HIPAA compliance across the university and the medical center.

The policy will go into effect on June 2.

The purpose of this policy is to set forth the mechanisms to complying with HIPAA laws and corresponding regulations. This policy continues to establish and uphold the university’s commitment to complying with the HIPAA privacy, security and breach regulations. The well-established HIPAA processes established by covered components and service units are unified by the university policy.

The policy:

  1. Establishes that research is not a HIPAA covered function.
  2. Protected Health Information derived from covered entities, used for research, may be subject to HIPAA requirements.
  3. Introduces the definition of Research Health Information (RHI)
  4. Explains the mechanism of data reclassification from PHI to RHI

The policy reduces Ohio State’s regulatory exposure under HIPAA, due to RHI being outside the jurisdiction of the Office of Civil Rights of Health and Human Services. Both PHI and RHI must be safeguarded in accordance within the Ohio State information security framework.

Benefits of the policy:

  • The new joint policy unifies current efforts, departments and programs across the university and the medical center
  • Builds efficiencies
  • Increases compliance
  • Reduces the risk of conflicting standards

What you should know about the policy:

  • The policy largely memorializes well-established Ohio State processes related to HIPAA, provides transparency for the Ohio State community and clarifies roles and responsibilities.
  • If your role includes use of patient information, the policy applies to you. If your role does not involve use of patient information, the policy does not change what you've been doing.
  • The policy defines Research Health Information, which is a broad term for information that:
    • Is created or received in connection with research that does not involve a covered health care component OR
    • Has been reclassified and is no longer subject to HIPAA requirements
  • The data classification of RHI data is classified as S4 (restricted) institutional data per the Institutional Data Policy and requires the highest levels of protections documented outlined in the Risk Management Framework and Information Security Control Requirements.
  • If patient confidentiality is compromised, it must be reported. If you find that data has been lost or stolen (paper or electronic), you must report the missing data as soon as possible using the appropriate reporting structure. (e.g., lost laptop, flash drive, paper documents, etc.)

Learn more about the umbrella policy. You can find FAQs, diagrams and more here.

Managers, please share and review this policy with your staff.

For questions, contact the Compliance Integrity and Privacy Office at 614-293-4477 or Wexner Medical Center faculty and staff can also visit MyTools for more information. Additional University policies can be found here: