Generally, Protected Health Information (PHI) may be used or disclosed only if the use or disclosure falls within one of the following four categories:
- Required uses and disclosures.
- Permitted uses and disclosures.
- Uses and disclosures with written authorization.
- Uses and disclosures with a Waiver of HIPAA Authorization.
Importantly, when PHI is used or disclosed for purposes other than one of these four categories, the use or disclosure is considered to be unauthorized. As discussed below, all unauthorized uses or disclosures need to be reported at the earliest possible time.
1. Required Uses and Disclosures
There are only two situations where Protected Health Information must be disclosed:
- When an individual, or their legally authorized representative, specifically requests access to PHI or an accounting of disclosures of his or her PHI.
- When the Department of Health and Human Services (HHS) is conducting a compliance investigation, review, or enforcement action.
2. Permitted Uses and Disclosures
PHI may be used or disclosed, without an individual’s authorization, for certain purposes or situations. These include disclosures:
- To the individual (unless required for access or accounting of disclosures as discussed above).
- For treatment, payment (including billing), and health care operations.
- With the opportunity for the individual (or legally authorized representative) to agree or object to the use or disclosure.
- For incidental uses or disclosures related to an otherwise permitted use or disclosure.
- For public interest and benefit activities.
- For Limited Data Sets for research, public health, or health care operations purposes (discussed more below).
3. Uses and Disclosures with Written Authorization
When PHI is used or disclosed for research purposes, you must do so in accordance with HIPAA Privacy Protections. For most projects regulated under the Common Rule, you generally may only use or disclose PHI in connection with research after the potential subject has given written authorization.
PHI may only be used for the purposes described in the Authorization. The Authorization should outline what PHI will be used or disclosed. Additionally, the Authorization should detail who will be using or disclosing the PHI as well as any person or entity to which the PHI will be disclosed.
4. Uses and Disclosures with a Waiver of HIPAA Authorization
In certain situations, you may request and be granted a Waiver of HIPAA Authorization; this will allow you to use or disclose certain PHI without the written authorization of the subject. A Waiver of HIPAA Authorization may be requested for the following categories:
- Regulated projects that are simultaneously seeking a Waiver of Informed Consent or a Waiver of Documentation of Informed Consent.
- Waivers of Authorization for applications exempt from IRBMED oversight under the Common Rule when accessing PHI.
- Waivers of Authorization for research not subject to the Common Rule when accessing PHI, including (but not limited to):
  - Investigator certifications for reviews of Protected Health Information (PHI) preparatory to research submitted in the eResearch application.
  - Investigator certifications for research involving decedents’ information submitted in the eResearch application.
  - In consultation with other units (e.g., the UMHS Privacy Office and DRDA), any use or disclosure of limited data sets under data use agreements.
  - Case studies.
  - Quality Improvement/Quality Assurance.
PHI may only be used for the purposes described in the Application. The Application should outline what PHI will be used or disclosed. Additionally, the Application should detail who will be using or disclosing the PHI as well as any person or entity to which the PHI will be disclosed.
Occasionally, unauthorized disclosures (both incidental and accidental) of PHI will occur within the research setting. Regardless of the type, extent, or volume of PHI that is disclosed, it is important that you take appropriate actions to mitigate any potential harm and that you report the occurrence.
If you suspect or know of an unauthorized disclosure of PHI related to research, you should take any practicable steps necessary to limit potential or ongoing harmful effects. Additionally, you should notify IRBMED as soon as possible. You will also need to promptly report the concern to the Compliance Office (Main Number: 734.615.4400).
You will be asked to submit an Other Reportable Information and Occurrences (ORIO) Form to the IRBMED through eResearch. Please include de-identified details of the event, how the event will be addressed, and what procedure(s) will be put in place so that this type of event does not happen again.
You will also need to include the date that the study team reported the event to the Compliance Office, to whom they reported it, the response from the Compliance Office, and verification that the study team has complied or will comply with any Compliance Office request.
Update Approved by IRBMED Chairs and Director: October 14, 2011
Website Updated: October 17, 2011