Sample Policy on the Use and Disclosure of Protected Health Information for Research Purposes

I. To What Does This Policy Apply:

This policy defines the standards and parameters for the use of protected health information (PHI) in biomedical, behavioral and social science research. The components of this institution which qualify as a HIPAA covered entity will adhere to those regulations set forth in the HIPAA Privacy and Security Rules (45 CFR 160 and 164).

II. Policy Statement:

• This institution respects an individual's right to keep identifiable health information private and protected. This institution will only use or disclose protected health information (PHI) in research if such use is in accordance with the HIPAA Privacy and Security Rule requirements. In particular, PHI will only be used for research if one of the following conditions are met:
• The research project has been approved by an IRB and the patient has provided written authorization for the research use or disclosure.
• The research project has been approved by an IRB and patient authorization has been waived by an IRB or Privacy Board.
• The PHI requested is limited to that of decedents and conforms to the minimum necessary information needed to conduct the research.
• The PHI is sought for use preparatory to research and the review of PHI is necessary for the preparatory activities and no PHI will be removed from the covered entity.
• The research project has been approved by an IRB, the PHI requested constitutes a limited data set and a Data Use agreement has been signed by the investigator and institution.
• Disclosures of patient information will be limited to the terms of an investigator's patient authorization, certifications, IRB waiver, or data use agreement, as applicable.
• No investigator (other than a potential subject's direct health care provider) may use patient information to initiate contact with a patient for recruitment purposes except as approved by the IRB.
• Employees and workforce members will identify any databases containing PHI that were created or are maintained solely for research purposes (including recruitment). Investigators who maintain such databases will be required to obtain an IRB waiver of authorization (and waiver of consent, where applicable) prior to making any use or disclosure of the database information for research.
• PHI which created, maintained or transmitted electronically for research purposes will adhere to the institutions policies for the Security of electronic PHI in accordance with the HIPAA Security Rule including appropriate administrative, physical and technical safeguards to protect the integrity, availability and confidentiality of ePHI.
• The institution will track all disclosures of PHI for research purposes (including disclosures from research databases) when the PHI is disclosed under a waiver of authorization or is limited to decedent PHI and generate an accounting of such disclosures upon patient request. Disclosures of PHI in accordance with patient authorization, under the restriction of a review preparatory to research or of a limited data set do not require that the disclosure be accounted for.
• Patient authorization will be obtained in a form which has been reviewed by the IRB before the creation, collection, use, or disclosure of PHI for research (other than a review preparatory to research or to research on decedents' health information), unless the IRB has waived authorization or the PHI will be disclosed in the form of a HIPAA limited data set. Use of the research authorization template is recommended.
• PHI created or collected for research purposes may be disclosed as otherwise permitted or required under HIPAA, in accordance with institutional policies for the use and disclosure of PHI.

Word format		PDF format