Protected Health Information (PHI): A Quick Guide
What is PHI?
PHI refers to sensitive health information tied to an individual's identity. This encompasses various personal details, medical records, and identifiers that require stringent protection to preserve privacy and confidentiality.
Purpose:
This policy serves to safeguard electronic Protected Health Information (PHI) within Center for Magnetic Resonance Research (CMRR) by establishing rigorous standard operating procedures. These procedures align with the stringent mandates of regulatory bodies, including the Institutional Review Board (IRB), University Security, and Privacy office policies. The goal is to ensure utmost confidentiality and compliance in handling PHI.
Scope:
Extends its reach to encompass all researchers at CMRR engaged in studies involving PHI. This policy provides a comprehensive framework applicable to all such research endeavors.
Definition:
Refers to health information as defined by the IRB and University policies. This includes a spectrum of identifiable health data critical for research.
Researcher:
Encompasses any individual utilizing CMRR facilities for their scholarly work or research activities.
Staff:
Denotes employees working within CMRR, contributing to research operations and facility management.
Responsibility:
Those tasked with specific responsibilities outlined in the policy are expected to comply with its regulations regarding the handling of Protected Health Information (PHI). An annual review by the policy author is integral to maintaining the policy's accuracy and relevance. This routine assessment guarantees that the policy remains aligned with evolving regulations and standards.
What Does PHI Include?
Comprehensive Coverage: It includes various personal details, contact information, and unique identifiers critical for research.
Managing Paper-Based PHI
Consent Forms Handling: Consent forms and paper-based PHI are rigorously managed following the University's specific guidelines to ensure secure handling.
Electronic PHI (ePHI) Management
Strict Prohibition: PHI is not allowed in CMRR systems without clear authorization. Exceptions need documented approval via ePHI data plans, reviewed annually to maintain compliance.
PARS Application Integration
Efficient ePHI Handling: Researchers can declare and upload ePHI using the PARS application, ensuring a smooth and compliant process.
Limited Collection and Storage
Secure Handling: PHI from research volunteers is documented on paper, scanned, and securely stored for a limited period. Data entry into the UMN RedCap database is done without storing PHI on administrative PCs, following HIPAA and IRB guidelines. This policy aims to create a robust framework for PHI management at CMRR, ensuring compliance with regulations and preserving sensitive health information's confidentiality.
For further details regarding the terms and conditions of accessing and utilizing research data, including the NIMH Data Archive Data Use Certification, visit this pdf document. While not directly addressing PHI, these stringent rules underscore the importance of responsible data use, confidentiality, and privacy, which align with the principles upheld in safeguarding Protected Health Information (PHI).