HIPAA and Research

Use and Disclosure of Patient Information for Research

The HIPAA Privacy Rule is a regulation that governs the way health information is collected, maintained, used, and disclosed. The HIPAA Privacy Rule requires covered entities to use and disclose Protected Health Information (PHI) according to specific requirements including:

  • Written authorization from the study participant and subject of the PHI
  • Special representations for reviews preparatory to research and use of decedent information
  • Approved waiver of HIPAA authorization from an IRB or Privacy Board
  • Data Use Agreements if the information is released as a limited data set

The Ohio State University Wexner Medical Center and Access to Patient Information for Research

Obtaining approval from the IRB is the first step to starting research involving PHI.  Once appropriate IRB approval has been obtained the research team will need to provide the proof of IRB approval to the Department of Medical Information Management to access PHI from patient medical records for the purposes of research.  Additional forms may need to be completed.

Access to electronic medical records for research is limited to employees of Ohio State Wexner Medical Center who can show proof of or have provided the appropriate representations to the Department of Medical Information Management.  If you access electronic records for research, you may be asked to provide confirmation of IRB approval prior to or after access.