
Balance patient privacy and medical research: Understand the limited data set and other options for PHI use and disclosure

HIPAA Training Advisor, January 24, 2008

The HIPAA privacy rule describes how and when covered entities can use or disclose PHI, including use and disclosure for research purposes. Generally, use and disclosure for research requires a subject's authorization. However, obtaining patient authorization can be difficult and often impossible, says Bernadette M. Broccolo, Esq., partner at McDermott Will & Emery, LLP, in Chicago, especially when researchers need to access historical data from a large number of individuals and those individuals do not need a study for their own clinical care. However, the HIPAA privacy rule permits covered entities to use and disclose PHI without authorization for certain types of research activities.

Covered entities may request a waiver of the authorization requirement from an institutional review board (IRB). However, IRBs have been unwilling to grant waivers to this point, says Broccolo, the exception being limited waivers for subject recruitment purposes.

HIPAA also has separate provisions for how PHI can be used or disclosed for activities preparatory to research. Subject recruitment falls outside the preparatory to research exception, says Broccolo. The intent of this exception is to enable researchers to determine the legitimacy of anticipated studies and whether sufficient subject pools exist.

Alternatively, researchers can use de-identified data in their studies. De-identified data are PHI that are no longer protected by the privacy rule because their personally and demographically identifying data as defined by HIPAA have been scrubbed completely. Covered entities can use and disclose de-identified health information without patient authorization; this includes allowing researchers to use the data. But however freely researchers may be able to access de-identified data, many find that the lack of demographic information renders them unusable for studies.

The limited data set solution

HIPAA provides another pathway for disclosing PHI for use in research: the limited data set. This alternative protects patient information while providing researchers with workable data. The limited data set consists of PHI from which all personally identifiable information has been scrubbed. However, this process falls short of de-identification, so many researchers can still use the data successfully in their work.

Many researchers overlook the limited data set as an option, and others haven't yet learned how to make use of this tool, says Broccolo. "I think [the limited data set] pathway is very fertile ground that hasn't been taken advantage of as much as it can be by researchers," she says, noting that increasing use of electronic health records (EHR) simplifies the creation and use of limited data sets. Researchers may not be taking full advantage of them just yet, but limited data sets may be the key to striking a balance between protecting patient privacy and facilitating medical research.

Make your use of the limited data set successful with these three tips

Broccolo offers three tips to help your facility comply with the HIPAA privacy rule while participating in meaningful research through use of a limited data set.

  • Plan ahead. Using a limited data set requires careful planning. In their excitement about their work, researchers often make significant progress with study preparations before they suddenly realize they missed an important step: they didn't start clearing a pathway toward obtaining usable data that obviates the need for HIPAA patient authorizations, says Broccolo.
  • Know your state law. Even if HIPAA doesn't require an authorization to work with data for research, state law may require it, especially if you need special categories of information or are likely to use records containing such information. "If you have specialized categories of information, such as mental health or genetic testing information, the limited data set option may not be available to you under state law," says Broccolo. Segregating mental health or other special categories of information from your record can be difficult, so ensure that you don't use a data set with this type of information unless you have patient consent if required by state law, she says.
  • Consider limited data set use when implementing an EHR. Consider your current or potential future use of a limited data set when designing or implementing an EHR system. Design and implement your system in a way that allows you to extract certain elements from records at a later time. "Consider strategies for storing data in your EHR system that will allow you to distinguish between medical record data and research data," says Broccolo.
