Clinical Research

Research using PnC

  • Very little data in PnC are currently in “reportable” fields. This means that currently it is impossible to run reports to extract data for research purposes. However, over the next year we hope to transform many fields to make them reportable. This would allow only those fields to be reportable prospectively.
    • If deidentified data can be pulled from PnC with all 18 HIPAA identifiers removed the data are no longer subject to HIPAA. See Policy 102 – De-identification of PHI for further information.
  • There are still ways to use clinical data for research.  Review the HIPAA information sheet on the IRB website for an overview of the ways HIPAA data can be collected.  See also Policy 113 – Use and Disclosure of PHI for Research Purposes.  Note that research access for mental health records is tightly controlled.


Ways Clinical Data can be Obtained

Activities Preparatory to Research

  • A HIPAA workforce member can access PHI to determine if needed patients / patient information is available to conduct a research study.  PHI may not be removed from the covered entity and may not be shared with non-workforce members.


HIPAA Waiver (no patient consent is obtained)

  • For retrospective chart review studies, a HIPAA Waiver can be requested.  If approved, this allows a clinician researcher to access charts to extract data for research purposes without seeking patient consent.  For more information see the IRB Standard Operating Procedure for Research with PHI and the HIPAA & FERPA section under Informed Consent on the IRB website.
  • A partial waiver can be requested for recruitment purposes (e.g., identifying individuals to contact about possible participation in research by accessing chart information). 
  • Note that a Disclosure Accounting form will need to be completed for each client for whom PHI is released outside of the SCCE workforce.
  • Full HIPAA waivers will not be granted for access to notes and records in mental health service lines.  However, partial waivers for recruitment purposes may be allowed.


HIPAA Authorization (patient consent is obtained)

  • For prospective studies using a clinical sample (and for which PnC  or other clinic storage systems would need to be accessed as part of the research), researchers should obtain a HIPAA Authorization as part of the informed consent process.  Note that as part of the authorization you need to specify whether the only way to receive an intervention is through the study (e.g., declining to sign the authorization means the individual would not receive the treatment) or whether the intervention is available in another way if the person wants the intervention but does not want to agree to research.
  • If you start a clinical intervention intending it to lead to research (e.g., wanting to publish a paper on the outcome) a HIPAA authorization should be obtained (rather than asking for a waiver after the fact).


Honest Broker

  • An honest broker is someone who can access clinical data, deidentify the data and then provide the de-identified data to the researchers. An honest broker cannot be a member of the research team. The SCCE does not employ an honest broker but has information and training for honest brokers who are identified by researchers / departments. Please see the materials in this Box folder: https://usu.box.com/s/imzwqpkivselrpx0xkv2zo5zxw7uam68 for more information on the honest broker process as well as an application to complete to receive approval to use an honest broker.


Conducting Research using Clinical Data and/or Clinic Clients

  • Talk to Gretchen – it is not required but highly encouraged to discuss research plans with Gretchen ahead of time.  This will allow problem solving ahead of an IRB submission / HIPAA authorization or waiver request.
  • Talk to the Clinic Director of the clinic(s) in which you want to collect data and/or recruit participants.  To protect clients from being inundated with research requests, Clinic Directors must approve of research occurring in the service line they oversee. Clinic Director approval will be provided within Kuali – but talk to the Director ahead of time when planning the research.
  • If you have questions about HIPAA talk to the SCCE Compliance Officer (joni.black@usu.edu) ahead of time.  Every protocol that accesses PHI must be reviewed in Kuali by the SCCE Compliance Officer.  This review is specific to HIPAA compliance matters and includes evaluation of the following: whether the data are PHI; whether the storage system referenced houses the data of interest; whether the individual pulling the data is a workforce member; is access appropriately controlled; etc.
  • Plan ahead – it is relatively easy to seek a HIPAA Authorization when starting something new.  The HIPAA Authorization cannot be blanket – it must be linked to a specific study.  As you are planning new treatment protocols, groups, etc. think about whether you would want to collect data to evaluate the outcome, process, etc. from a research point of view.  If so, submit an IRB protocol and seek a HIPAA Authorization.


Additional Resources

Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule (DHHS)

Research (DHHS special topics summary)

HIPAA Research FAQs (DHHS)

Incident Reporting
This form is for reporting any possible privacy or security HIPAA incidents to the SCCE Compliance Office. Individuals who report concerns related to HIPAA compliance in good faith may not be subject to retaliation or harassment due to raising the concern. Please complete the form, send it to joni.black@usu.edu, or bring it to SCCE 461. Please do NOT include any PHI in the report.
Incident Report Form