Frequently Asked Questions

What is protected health information (PHI)?
What are the 18 items that render PHI identifiable?
What is the difference between HIPAA Privacy and Security?
What is authorization?
What is the difference between “use” and “disclosure”?
What does “tracking disclosures” mean?
What is the difference between “consent” to participate in research and “authorization”?
What does the term “minimum necessary standard” mean?
Are there any circumstances under which you could use identifiable information without an authorization?
What is considered “De-identified data”?
What does “Review Preparatory to Research” mean?
What does “limited data set” under a “Data Use Agreement for Research” mean?
How will the HIPAA regulation be enforced?
What if Health Information Management (HIM) receives medical record requests for research?

What is protected health information (PHI)?

Protected health information (PHI) is individually identifiable health information, in any form (electronic, paper or oral), that a covered entity creates or receives in the course of treatment, diagnosis, payment or research and that relates to an individual's past, present or future health, the health care provided, or payment for that care.

What are the 18 items that render PHI identifiable?

  1. Names
  2. Geographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP code and their equivalent geocodes. The initial three digits of a ZIP code may be kept only if the area formed by combining all ZIP codes that share those three digits contains more than 20,000 people according to current Census Bureau data; otherwise the three-digit prefix must be changed to 000.
  3. All elements of dates (except year) directly related to an individual, including birth date, admission date, discharge date and date of death; and all ages over 89 and all elements of dates (including year) indicative of such an age, except that such ages and elements may be aggregated into a single category of age 90 or older
  4. Telephone numbers
  5. Fax numbers
  6. Electronic mail addresses
  7. Social security numbers
  8. Medical record numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers and serial numbers
  13. Device identifiers and serial numbers
  14. Web Universal Resource Locators (URLs)
  15. Internet Protocol (IP) address numbers
  16. Biometric identifiers, including finger and voice prints
  17. Full face photographic images and any comparable images
  18. Any other unique identifying number, characteristic, or code

Note that health information stripped of all eighteen identifiers (provided the covered entity has no actual knowledge that the remaining information could still identify the individual) is "de-identified" and is no longer regulated by HIPAA. PHI can be de-identified for research purposes by removing the 18 identifiers and, where a link back to the individual is needed, assigning a re-identification code that is not derived from any information about the individual (a cryptographic hash of the MRN or SSN still counts as derived) and whose key is kept separately under tightly restricted access. PHI can be used and disclosed with identifiers for treatment, payment and health care operations, but for research it cannot be used or disclosed with identifiers without the individual's authorization (or an IRB waiver of authorization, discussed below).

What is the difference between HIPAA Privacy and Security?

The HIPAA Privacy Rule and Security Rule are separate rules with complementary protections for PHI. The Privacy Rule governs how PHI in any form (paper, oral or electronic) may be used and disclosed. The Security Rule applies only to electronic PHI and requires administrative, physical and technical safeguards (access controls, audit logs, encryption where appropriate, and so on) to protect its confidentiality, integrity and availability. A research database holding identifiable electronic PHI is therefore subject to both rules.

What is authorization?

Authorization is written permission from an individual (research subject) to use and/or disclose their PHI. For research, the authorization can be included in the research consent document.

What needs to be detailed in an authorization?

  • The information that will be used or disclosed
  • The people/organizations that will use or disclose the information
  • The people/organizations who will receive the information
  • The purpose of the use or disclosure
  • An expiration date or event for the use or disclosure of the information
  • The right to refuse to sign the authorization (refusal means the individual cannot take part in the research)
  • The right to revoke the authorization, and how to do so (in writing)
  • The potential for PHI to be re-disclosed by the recipient and no longer protected by federal law


What is the difference between “use” and “disclosure”?

In general, the use of PHI means communicating that information within the covered entity. A disclosure of PHI means communicating that information to a person or entity outside the covered entity.

What does “tracking disclosures” mean?

Tracking disclosures (the "accounting of disclosures") means keeping a record of every disclosure of PHI made without the written authorization of the research subject, so that the subject can obtain an accounting of those disclosures on request. This includes studies conducted under a waiver of authorization, as well as situations where consent/authorization was obtained but the recipient of the PHI is not listed on the consent/authorization form.

What is the difference between “consent” to participate in research and “authorization”?

Consent to participate in research has always described the extent to which the confidentiality of the participant's information will be maintained. Authorization is similar, but because it is based on the HIPAA Privacy Rule it must describe in more specific terms every intended use and disclosure of PHI. When the research requires use and/or disclosure of PHI, participants must give authorization; otherwise, they may not participate in the research.

NOTE: At Northwell Health the authorization is part of the consent form for research.

What does the term “minimum necessary standard” mean?

Under the HIPAA regulations a covered entity must limit the PHI it uses, discloses or requests to the minimum necessary to accomplish the intended purpose. For example, in a medical record chart review study you may not collect more data elements than you need and than the IRB approved you to collect. Any change to your data collection plan must be submitted to the IRB before additional data are gathered.

Are there any circumstances under which you could use identifiable information without an authorization?

There are situations in which the IRB can waive the requirement that subjects sign an authorization form. In general, a Waiver of Authorization could be granted under similar circumstances that the IRB grants a Waiver of Informed Consent (e.g., for retrospective chart reviews, etc.).

Any study granted a waiver of informed consent and approved by the IRB must also have a Waiver of Authorization. A Waiver of Authorization does not mean the research is exempt from HIPAA privacy rules. It only means the investigator does not need to obtain signed authorization from each research subject.

In order to qualify for a Waiver of Authorization, an investigator must show that:

  • The use or disclosure of PHI involves no more than a minimal risk to the privacy of individuals, including an adequate plan to protect the identifiers from improper use and disclosure and to destroy them at the earliest opportunity consistent with the research
  • The research could not practicably be conducted without access to and use of the requested PHI
  • The research could not practicably be conducted without the waiver (i.e. it is not practicable to obtain signed authorization from each research subject)


What is considered “De-identified data”?

De-identified data is when all characteristics that constitute PHI are completely removed from health information and the resulting information does not identify the individual or the individual’s relatives, employers or household members. Appropriately de-identified data is no longer considered PHI and is not subject to the same requirements as PHI.

The secondary use of de-identified data can include comparative effectiveness studies, policy assessment, life science research and other uses. The two recognized methods of de-identification are the Safe Harbor method (removal of the 18 identifiers listed above) and Expert Determination (a qualified expert applies statistical or scientific principles and documents that the risk of re-identifying an individual is very small).

A few identifiers that researchers often overlook and that must be removed before data can be considered de-identified are:

  • All elements of dates (except year) directly related to an individual, such as dates of service or discharge, date of subject enrollment, dates of follow-up visits, and timestamps generated by devices used in the course of a research study.
  • Email addresses
  • Medical record numbers

A complete list of all 18 identifiers can be found in the policy or guidance document listed below.

More information on how to de-identify data can be found in Corporate Compliance policy #800.64 De-Identification of PHI or the Guidance for using De-identified data document found under the Tools and Guidance for Clinical Research page.

What does “Review Preparatory to Research” mean?

Review preparatory to research is the mechanism by which an investigator may access PHI for the purpose of designing a research study, generating a research hypothesis, or to assess the feasibility of conducting a study (e.g. to see if there are enough potential subjects, etc.). In order to review PHI preparatory to research, the PI must be able to establish that:

  • PHI is necessary for the research activity
  • PHI will not be used for any other purpose
  • PHI will not be removed from the covered entity

An investigator who is a member of the workforce of a covered entity may review medical records of subjects at that covered entity preparatory to research without any specific authorization. Northwell Health is an organized health care arrangement (OHCA).

If an investigator is NOT a member of the workforce of a covered entity and wishes to review medical records of subjects at that covered entity preparatory to research, he/she must apply for a partial waiver of authorization by submitting a request for Review Preparatory to Research (RPR). Please contact the HRPP Office at 516-321-2100.

Note: Institutional policy prohibits any contact of potential research participants without IRB approval. Therefore, a researcher may not contact individuals identified during review preparatory to research activity. If a researcher wishes to contact potential participants, s/he must submit a protocol to the IRB requesting approval, including the intent to recruit subjects through use of PHI. See Recruitment of Study Subjects.

What does “limited data set” under a “Data Use Agreement for Research” mean?

A limited data set (used in conjunction with a Data Use Agreement) is PHI from which 16 categories of direct identifiers have been removed. It may be used or disclosed for research purposes without obtaining either the individual's authorization or a waiver (or alteration) of authorization. Because dates and some geographic information remain, a limited data set is still PHI, not de-identified data.

The following identifiers must be removed from health information if the data are to qualify as a limited data set:
  1. Names
  2. Postal address information, other than town or city, state and ZIP code
  3. Telephone numbers
  4. Fax numbers
  5. Electronic mail addresses
  6. Social security numbers
  7. Medical record numbers
  8. Account numbers
  9. Certificate/license numbers
  10. Device identifiers and serial numbers
  11. Vehicle identifiers and serial numbers, including license plate numbers
  12. Web Universal Resource Locators (URLs)
  13. Internet Protocol (IP) address numbers
  14. Biometric identifiers, including fingerprints and voice prints
  15. Full-face photographic images and any comparable images
  16. Health plan beneficiary numbers

Only the following identifiers may be used in a limited data set:

  • Dates
  • Geographic information (except for street address)
  • Other unique identifying numbers, characteristics, or codes that are not expressly excluded

When a limited data set is used, there is no requirement to track disclosures. The minimum necessary standard does apply (see above). The recipient of the limited data set must sign a data use agreement before receiving it.
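The Safe Harbor rules described under the 18 identifiers (strip the identifier fields, keep only the year of dates, generalize ZIP codes to three digits, report ages over 89 as "90+") and the limited data set rules in this section are both mechanical transformations of a record, and the step researchers most often get wrong is the free-text field that still carries a phone number, a full date or an MRN after the structured identifier columns are gone. The Python below is an added example written for this page; it is not Northwell code or an official HHS tool. The field names, the sample record and the set of population-restricted ZIP prefixes are constructed for illustration (the real restricted prefixes come from current Census Bureau data), and the regular expressions are a starting point, not a complete scrubber.

```python
import re
from datetime import date

# Assumed record schema (hypothetical field names). Each listed field holds
# one of the 18 Safe Harbor identifier categories.
DIRECT_IDENTIFIER_FIELDS = frozenset({
    "name", "street", "city", "zip", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_no", "license_no", "vehicle_id",
    "device_serial", "url", "ip", "biometric", "photo",
})
DATE_FIELDS = frozenset({"dob", "admit_date", "discharge_date"})

# A limited data set drops the 16 direct identifiers but may keep dates and
# town/city, state and ZIP; only street-level address information must go.
LDS_KEPT_FIELDS = frozenset({"city", "zip"})

# Constructed placeholder for the 3-digit ZIP prefixes whose combined
# population is 20,000 or fewer; the real set comes from Census Bureau data.
RESTRICTED_ZIP3 = frozenset({"036", "059", "102", "203"})

# Identifier shapes that commonly survive inside free-text fields.
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "full_date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
    "mrn": re.compile(r"\bMRN\s*#?\s*\d{4,}\b", re.IGNORECASE),
}

AS_OF = date(2024, 1, 1)  # reference date used to compute age

SAMPLE = {  # constructed sample record, not real patient data
    "name": "Jane Q. Sample",
    "street": "1 Example Way",
    "city": "Great Neck",
    "state": "NY",
    "zip": "11021",
    "phone": "516-555-0100",
    "email": "jane@example.com",
    "ssn": "123-45-6789",
    "mrn": "00012345",
    "dob": date(1931, 3, 2),
    "admit_date": date(2023, 5, 14),
    "discharge_date": date(2023, 5, 18),
    "diagnosis": "I10",
    "note": "Pt called from 516-555-0100 on 5/19/2023; MRN 00012345 re: follow-up.",
}


def zip3(zip_code: str) -> str:
    """Generalize a ZIP code to its first three digits, or 000 if restricted."""
    prefix = str(zip_code)[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix


def safe_harbor(record: dict, as_of: date = AS_OF) -> dict:
    """Safe Harbor: drop direct identifiers (ZIP -> 3-digit prefix), keep only
    the year of dates, and report an age over 89 as "90+" with the birth year
    suppressed, because the year alone would reveal the age."""
    out = {}
    for key, value in record.items():
        if key == "zip":
            out["zip3"] = zip3(value)
        elif key in DIRECT_IDENTIFIER_FIELDS:
            continue
        elif key in DATE_FIELDS:
            out[f"{key}_year"] = value.year
        else:
            out[key] = value
    dob = record.get("dob")
    if dob is not None:
        # whole years between dob and as_of
        age = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
        if age > 89:
            out["dob_year"] = None
            out["age"] = "90+"
        else:
            out["age"] = age
    return out


def limited_data_set(record: dict) -> dict:
    """Remove the 16 direct identifiers; dates and city/ZIP stay (still PHI)."""
    return {k: v for k, v in record.items()
            if k not in DIRECT_IDENTIFIER_FIELDS or k in LDS_KEPT_FIELDS}


def scan_free_text(record: dict) -> dict:
    """Map each string field to the identifier patterns still found in it."""
    hits = {}
    for key, value in record.items():
        if isinstance(value, str):
            found = [name for name, pat in FREE_TEXT_PATTERNS.items() if pat.search(value)]
            if found:
                hits[key] = found
    return hits


if __name__ == "__main__":
    deid = safe_harbor(SAMPLE)
    print(deid)
    print("residual identifiers in free text:", scan_free_text(deid))
    print(limited_data_set(SAMPLE))
```

Run against the constructed record as of 2024-01-01, `safe_harbor` turns the 1931 birth date into an age of "90+" with no birth year, keeps `admit_date_year` 2023 and `zip3` "110", and `scan_free_text` still flags the `note` field for a phone number, a full date and an MRN, which is exactly the residual a Safe Harbor review has to scrub by hand (or hand to Expert Determination). `limited_data_set` keeps the full dates and the city and ZIP but drops the name, street and other direct identifiers, which is why its output is still PHI and needs a data use agreement rather than nothing at all.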

A data use agreement is an agreement into which the covered entity enters with the intended recipient of a limited data set that generally describes the permitted uses and disclosures of the PHI in a limited data set and how the data will be protected.

If an investigator plans to use a limited data set for research AND will not obtain a waiver of HIPAA Authorization, s/he must submit a data use agreement with his/her IRB protocol submission. Please contact the HRPP Office (516-321-2100) to obtain a copy of the agreement to use.

How will the HIPAA regulation be enforced?

The Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services enforces the HIPAA Privacy and Security Rules and may impose civil money penalties on covered entities and their workforce members for noncompliance; criminal violations are referred to the Department of Justice, which can prosecute individuals. The Office of Research Compliance conducts regular reviews of HIPAA compliance in research and should be contacted about any potential HIPAA violation or concern.

What if Health Information Management (HIM) receives medical record requests for research?

HIM should contact the HRPP Office or the Research Privacy Officer for assistance with any request for medical records from an external individual or entity pursuant to a research study. Before records are released for research purposes, HIM will require documentation of IRB approval of the study and of either the research subject's HIPAA authorization or a waiver of HIPAA authorization granted by the reviewing IRB.