Data Privacy and Security

Any research registry wishing to incorporate data from the electronic health record (or paper health record, if you’re going back that far!) will need to consider the substantial protections around the use of such data. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) established the need for a set of standards for the protection of individuals’ health information. Those protections are addressed in the “Standards for Privacy of Individually Identifiable Health Information,” or the “Privacy Rule” for short. We will not attempt to cover the entirety of the Privacy Rule here, but will instead summarize the portions relevant for a researcher wishing to keep research registry data safe and compliant. Those looking for more detailed information can find it at https://www.hhs.gov/sites/default/files/privacysummary.pdf

The Privacy Rule defines protected health information, or PHI, as “information, including demographic data, that relates to:

• The individual’s past, present or future physical or mental health or condition,
• The provision of health care to the individual, or
• The past, present, or future payment for the provision of health care to the individual.”¹

The purpose of the Privacy Rule is to define when it is and is not acceptable to use or disclose PHI. With proper approvals in place, research can be one of these acceptable uses.

• Identifiable Data

  HIPAA applies to identified datasets, but does not apply when a dataset is completely deidentified. A common point of confusion, however, is what it means to be deidentified by HIPAA’s standards. (Moreover, by definition, a research registry is very unlikely to be deidentified.)

  Under HIPAA, a dataset is considered deidentified only if that dataset does not contain any of the following identifiers:

  1. Name
  2. Address (all geographic subdivisions smaller than state, including street address, city, county, and zip code*)
  • *Except for the initial three digits of a zip code, if according to the current publicly available data from the Bureau of the Census: (1)The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and(2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
  3. All elements (except years) of dates related to an individual (including birthdate, admission date, discharge date, date of death, and exact age if over 89)
  4. Telephone numbers
  5. Fax number
  6. Email address
  7. Social Security Number
  8. Medical record number
  9. Health plan beneficiary number
  10. Account number
  11. Certificate or license number
  12. Vehicle identifiers and serial numbers, including license plate numbers
  13. Device identifiers and serial numbers
  14. Web URL
  15. Internet Protocol (IP) Address
  16. Finger or voice print
  17. Full face photographic images or any comparable images
  18. Any other number, code, or characteristic that could uniquely identify the individual

  The inclusion of even one of these 18 identifiers effectively makes a dataset sourced from the electronic health record identifiable and subject to HIPAA.

  HIPAA Myth: “I removed patient names and addresses, so my dataset is deidentified.”

  This might be true, but only if all other HIPAA identifiers are also removed. A common point of confusion is dates of service, such as admission date or diagnosis date. Even if there are no other identifiers in the dataset, having a date of service present in the dataset means that it cannot be considered deidentified.

• Using PHI for Research

  There are many ways to use PHI for research purposes in a compliant way. If your registry includes an informed consent process before any participant data is collected, then (depending on the language in your consent form) participants may be able to give you permission to use their medical records for research purposes. On the other hand, if your registry incorporates patients who have not given specific consent for use of their PHI, the Privacy Rule permits use of PHI for research purposes under the following circumstances:

  1. An Institutional Review Board (IRB) has approved a waiver of individual authorization for use of PHI. A waiver can be requested in your IRB application;
  2. The use of PHI is purely preparatory for research (note: this will not likely apply in the case of a research registry); or
  3. The patients in the dataset are all deceased (again, not likely for a research registry)
• When Does HIPAA Apply to Research Data?

  So much focus on HIPAA may lead one to believe that any identifiable fact about a person that relates to their health or treatment and is collected as part of a research study is PHI. However, this is not the case. Remember that HIPAA applies to covered entities (e.g. health care providers) that conduct specified transactions electronically (such as billing your insurance for your visit). PHI (data subject to HIPAA) is created in the course of providing health care services when those services involve such transactions. When a researcher is not also functioning as a health care provider and creates individually identifiable health information (IIHI) in connection with pure research activities (no patient care involved), the information is not PHI.  But, if a researcher is also a health care provider and IIHI is created in connection with the researcher’s health care provider activities, then the IIHI is PHI, and is subject to HIPAA. 

  Once you’re dealing with PHI, then it may only be used or disclosed for research purposes (including to the clinical investigator who provided the services) under a valid HIPAA permission, such as the patient’s individual authorization or an IRB waiver of HIPAA authorization. This applies to all data that is sourced from the electronic health record.

  So (for example), if the data captured in your research registry is composed solely of consented, identified participants’ answers to survey questions that you collect from the subject directly and that have nothing to do with the delivery of health care services, then your data is IIHI research data, but not PHI. With that said, any identifiable data should be treated with the utmost care, consistent with IRB requirements and University policy, whether or not it is subject to HIPAA.

Whether your registry contains protected health information governed by HIPAA or contains other types of identifiable research data, ensuring the physical security of that data is of paramount importance. Most studies no longer rely on the “locked filing cabinet” as a sole means of data security; rather, most registries now involve some kind of electronic data capture and/or storage. It’s not necessary to be an IT security guru in order to ensure compliance; however, IT security is an area where relying as much as is feasible on the infrastructure and services already provided by your institution is nearly always advisable.

By going with a managed solution like REDCap, most of the remaining IT security considerations that fall under the study team’s responsibility are appropriate access to and use of data. After all, even the best IT security setup won’t prevent a user from misusing data they can access, whether accidentally or intentionally.