HIPAA home page | Guidance (FAQ) | Working@Yale article

Can You Keep A Secret?
HIPAA Privacy and You

Research vs. Treatment Uses of PHI

As an academic medical center, many Yale faculty and staff function as both treating clinician and researcher. These dual roles can blur the distinction of research vs. treatment uses of PHI. It is not unusual for clinical data to be collected for treatment purposes and subsequently to be used for research analysis. While HIPAA does not restrict access to PHI for treatment purposes, it does limit research use and requires us to complete some additional steps.

I keep an Access database of my patients and their clinical status which I may periodically review to improve our patient care. Do I need to get an authorization or waiver to do so?
No. If the data is to be reviewed for Yale's own health care operations, which includes evaluations done to improve patient care, an authorization or waiver is not required. However, if the intent is to determine general conclusions related to patient care beyond the University, then this would be considered research and would require IRB review and a waiver of authorization.

Our lab stores excess tissue and other samples collected for research purposes. Since it is already collected for research, we plan on using it for other research projects as they are developed although we don't know exactly what yet.
Collection of data or tissue which will be maintained for future unspecified research constitutes “data banking.” The process of collecting and storing this information requires an IRB approved protocol and patient authorization specifically for banking the information. This protocol is in addition to review of the research project under which tissue or data was collected. Subsequent uses of information from the bank also require IRB review and a waiver of the HIPAA authorization.

Can I provide a researcher with an IDX report of patients with a certain diagnosis?
IDX or EMR information is maintained for our own treatment and payment purposes. Use of this data for research or for recruitment into a research project, however, requires that the IRB grant a waiver of authorization and that the research use be tracked in the accounting for disclosures log. The researcher should provide you with a copy of the Request for Access for PHI for Research Purposes form and a copy of the IRB approval.

Do I need a HIPAA authorization or waiver to identify which of my own patients may be appropriate for my research study?
No. HIPAA's authorization requirement is intended to ensure that patients maintain control over and are aware of who has access to their PHI whenever possible. Patients know that their clinician has access to their PHI for treatment purposes so an additional authorization or waiver is not required.

For more information on collection and use of data sets for research, visit the HIC web site at http://info.med.yale.edu/hic/hipaa/guide/impact.html#limited or the HIPAA web site at http://www.hipaa.yale.edu/ . You may also contact the Privacy Office at 436-3650, hipaa@yale.edu

 

 

Top of page.
     
Yale University.  
HIPAA at Yale Home.