Revised Definition of “Protected Health Information” Effective 9/28/2020
Effective 9/28/2020, VCU Health/VCU is narrowing the definition of “Protected Health Information” (PHI).
[revised definition] Protected Health Information (PHI):
Individually identifiable health information held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral, in relation to the provision of healthcare, healthcare operations and payment for healthcare services.
[new definition] Research Health Information (RHI):
Individually identifiable health-related information that is not associated with or derived from a healthcare service event (e.g. treatment, payment, operations, medical records, etc.) and that is not entered into the medical records.
Identifiable health information is considered RHI when it is self-reported or generated through research procedures and is kept only in the researcher’s records or when secondary data is obtained from a source other than a covered entity.
Examples of research using only RHI and thus NOT subject to HIPAA include:
- use of identifiable research health information from another research study;
- diagnostic tests from which results are not entered into the medical record and are not disclosed to the subject;
- identifiable health information reported in a research survey or interview; and
- some basic genetic research can be RHI, such as the search for potential genetic markers, promoter control elements, and other exploratory genetic research. In contrast, genetic testing for a known disease, as part of diagnosis, treatment, and health care, would be considered a use of PHI and therefore subject to HIPAA regulations.
Why is the definition of “PHI” changing?
- This definition is a closer interpretation of the HIPAA regulations.
- VCU Health is working to improve oversight of how PHI is used and disclosed. HIPAA requires that VCU Health be able to account for all disclosures to researchers when patients ask who has received their PHI.
- This change helps to limit the institution’s liability if data breaches occur in a research study. HIPAA breaches have serious consequences.
Which studies does this change apply to?
This change will apply to:
- All initial studies approved on or after the RAMS-IRB patch date of 9/28/2020
  - Studies may need to be sent back to the PIs for further revision to the smartform or ICF
- Ongoing research studies with currently active participants whose RAMS-IRB smartforms indicated they were ONLY using self-reported PHI (est. up to 120 studies)
  - These studies will be individually contacted to explain how this change impacts their study
  - Investigators will be provided with a notice to send/give to all their currently active participants to inform them that their data is no longer protected under HIPAA.
  - Studies that are still enrolling will be required to submit an amendment within 1 month of receiving the amendment request to remove the HIPAA language from their consent documents or information sheets.
This change will NOT apply to the following types of studies – they will continue to be covered by HIPAA (i.e. grandfathered in):
- Ongoing research with an approved HIPAA pathway that has completed all participant interactions/interventions
- Ongoing research that used/uses a mix of secondary/existing PHI and self-reported PHI
- Ongoing research using secondary data/biospecimens that has an approved HIPAA pathway
- Closed and completed research studies that had an approved HIPAA pathway
Learn more in this Google Document