
Office of Research Navigation and Compliance


Data & Privacy

 

1. Data Types

  • Aggregate: Counts to determine frequency for collected elements or variables (e.g., patient cases).
    • Results are most often used for study feasibility, funding applications, and regulatory submissions.
  • De-identified: All protected health information (PHI) and any possible link to individuals are removed from the data.
  • Coded-Limited: PHI will be removed except for clinical dates (e.g., service, diagnosis, procedure), city, state, zip codes, and age in years, months, days, or hours.
    • Patient cases of 90 years of age and older should be grouped into a single category (e.g., “age ≥90 = 38 patients”).
  • Identifiable (PHI included): All PHI elements reflected in the IRB-approved protocol or HIPAA waiver appendix, and any non-PHI relevant to the research can be provided.

 

2. Clinical Information Extraction/Abstraction for Research Use

OSUWMC Honest Broker Operations Committee (HBOC):

  • Available data consists of clinical information from (1) the electronic medical record (“IHIS/EPIC”), (2) the James Cancer Registry, (3) Imaging Informatics, and (4) departmental treatment databases, such as those in Radiation Oncology and Pathology.

OSUWMC Quality Committee:

  • Data requests that are procedural-based and involve internal quality or operational improvements for the James and CCC are not considered research.

 

3. Patient/Participant Privacy

Understanding the HIPAA Privacy Rule (HHS):

  • The standard protects individuals’ medical records and other PHI by regulating how covered entities – like OSUWMC and CCC – can use and share that data. It also gives individuals rights over their health information, including the ability to access, correct, and control how it is disclosed.

Research Using Protected Health Information (OSU-ERIK):

  • Review the list of HIPAA identifiers and determine the appropriate type of dataset and HIPAA Research Authorization for the research.

Methods for De-identification of PHI (HHS):

  • Guidance about the methods and approaches to achieve de-identification in accordance with the HIPAA Privacy Rule. It explains and answers questions regarding two methods that could be used to satisfy the Privacy Rule’s de-identification standard: Expert Determination and Safe Harbor.

Secure Email (OSUSecure) (OSU-IT):

  • Learn how to use Proofpoint Email Encryption when sharing patient information.