Protecting a patient’s personal health information (PHI) is integral to the success of clinical research. Although clinical researchers generally understand the need for PHI protection, experts are finding that some professionals don’t know how to incorporate PHI protection into their study design or protocol implementations.
Even experienced researchers demonstrated inappropriate, unnecessary, or complicated techniques for protecting PHI—such as collecting the date of birth and date of service to calculate the age at the date of service.1
Inadequate privacy preparation can result in lengthy reviews and delayed approvals by Institutional Review Boards (IRBs), jeopardize trust in the patient-clinical relationship, and result in costly delays to your trial timelines.
This article will aim to address common issues and gray areas related to collecting and protecting PHI, as well as proven ways to enhance compliance with HIPAA regulations.
PHI refers to any information in a patient’s medical record or designated record set that can1:
- Be used to identify an individual
- Be used or disclosed during the diagnosis or treatment of a health care service
PHI spans over 18 specific identifiers, according to HIPAA guidelines2. This includes demographic identifiers, direct identifiers, and biometric information such as facial images, fingerprints, and genetic information.
There’s a common misconception that all health information falls under HIPAA’s definition of PHI, but there are some exceptions. For example, health trackers that collect heart rate and blood pressure are considered PHI under HIPAA rules when the information was recorded by a healthcare provider or as part of a health plan.
However, if a device manufacturer or app developer has not been contracted by a HIPAA or the research is not being used for healthcare services, the data does not meet the qualification for PHI. Furthermore, self-standing health information (without identifiers), such as a dataset or vital signs, does not constitute as PHI.
The Devastating Consequences of Data Breaches
As more health records become electronic, the risk associated with storing and transferring them increases. For example, in 2020, there were more large healthcare data breaches than any other year on record, impacting millions of individuals and exposing their sensitive PHI.3 Over 642 significant data breaches were reported by healthcare providers last year—25% more than in 2019 and three times the number of breaches reported in 2010.3 These breaches can stem from several issues, including hacking, theft/loss, unauthorized access, improper disposal of sensitive data, or sharing data across unsupported systems and networks.
Whatever the reason, the problem is clear: health records are susceptible to a multitude of security issues and require a coordinated, comprehensive approach to protect them from falling into the wrong hands.
Ways to Reduce PHI Issues
Although there is no golden solution for protecting PHI, you can take steps to reduce risk and maintain a strong security posture.
1. Have a robust plan for data collection, storage, sharing, and reporting
Data management plans are necessary for clinical research, where trial operators are responsible for securely collecting, managing, and storing sensitive records and PHI.4
During the initial planning phase, research teams should create a comprehensive data management plan that accounts for:
- The research goal for data collection
- The type of data being collected and location of where it will be collected from
- All data collection methods—in clinic and remote
- Data access authorization/clear roles and responsibilities
- Secure data storage plan
- Current IRB status
- Data sharing strategy
Building out a thorough data management plan provides your research team with a complete understanding of the data requirements for a project and the preparation needed to protect it. Once the data management plan is created, setup and data collection can be checked for consistency against the patient intake and consent forms.
The data management plan should be treated as a living document. Although it is created during the project development stage, it should be regularly reviewed and updated to align with mid-study changes and protocol adjustments.
Be sure that your data management plan also carries through study close-out and post-publication, where data sharing and reporting is still critical.
2. Avoid Unnecessary Collection of PHI
The truth is that sometimes the easiest way to avoid issues collecting PHI is to avoid collecting it in the first place. Some PHI is necessary to analyze data in accordance with study objectives and outcomes. But consider the following scenarios when determining which PHI is necessary to your study’s success:
- Is the data relevant to the study’s objective?
- Investigators should evaluate their data collection endpoints with this in mind. Intake forms can be user-tested in advance to check for unnecessary PHI. And study protocol should be assessed to determine if any data collection is superfluous or missing.
- Does the data meet the minimum required level of specificity?
- For example, collecting a patient’s age in years (not PHI) rather than their full birthdate (is PHI) could fulfill the study need without collecting unnecessary PHI.
- Are free text fields necessary?
- Some intake forms allow for free text fields where respondents may inadvertently reveal PHI. When using free text fields, remind patients to avoid overly specific responses that can help maintain anonymity. When not needed, try to avoid free text fields altogether.
- Are all answers required?
- Studies have found that when respondents find required questions confusing, they may avoid answering them or provide unnecessary PHI.1 Avoid requiring answers to every question if the data isn’t necessary and try to provide options for “other” or “prefer not to answer.”
3. Limit Admin Access to PHI
Due to the number of stakeholders involved in complex clinical trials, patients’ PHI may need to be shared across several dispersed teams and sites. In addition to balancing the risk to privacy and identity of patient PHI, researchers should have a process for safeguarding who has access to this information.
Thankfully, many data management solutions have pre-built user-level access so trial operators can designate which roles have access to which level of information. Experts suggest building that framework in tandem with the following steps:
- Creation of a data use agreement (DUA)5 that is signed by all data holders and researchers.
- Only allowing access to data necessary to a specific role or function.
- Built-in encryption to support secure data sharing.
- Assigning individual passwords and restricting access to data behind password protection.
- Creating a process for handling potential new safety signals, if identified.
4. Source Infrastructure that is secure by design
Protecting patient PHI is increasingly difficult as the number of data endpoints rises and researchers falter under lakes of data. Trial operators need solutions that are secure by design and scalable to support all study phases.
Medrio supports higher data security standards that start at the core of our EDC and extend through all software in our unified ecosystem.6
Our servers are secure and encrypted using a multi-layered approach that protects data at the database file level. Any change to a data endpoint is subject to electronic audit trails and redundant monitoring to ensure your PHI is always safe.
Automatic backups of customer data and server maintenance are automatically conducted and protected by a continuously updated firewall protection.
Our user-restricted access and encrypted data sharing allow for confident collaboration between teams to further reinforce data integrity.
You may not always be able to predict or prevent harmful risks to your patient data. But Medrio’s pre-validated, fully-compliance ecosystem and best-in-class support team are here to support a better security stance.
Are you ready to protect your patient PHI?
1 Marjorie A. Bowman, Rose A. Maxwell, A beginner’s guide to avoiding Protected Health Information (PHI) issues in clinical research – With how-to’s in REDCap Data Management Software, Journal of Biomedical Informatics, Volume 85, 2018, Pages 49-55, ISSN 1532-0464, https://doi.org/10.1016/j.jbi.2018.07.008.
4 Mary Williams, Jacqueline Bagwell, Meredith Nahm Zozus, Data management plans: the missing perspective, Journal of Biomedical Informatics, Volume 71, 2017, Pages 130-142, ISSN 1532-0464, https://doi.org/10.1016/j.jbi.2017.05.004
5 Tucker K, Branson J, Dilleen M, et al. Protecting patient privacy when sharing patient-level data from clinical trials. BMC Med Res Methodol. 2016;16 Suppl 1(Suppl 1):77. Published 2016 Jul 8. doi:10.1186/s12874-016-0169-4