Medical Record Review

The use of medical records or protected health information (PHI) usually requires IRB review (see Preparatory to Research and Review of Decedent Information below for exceptions). Studies which involve only chart/medical record review sometimes pose significant risk to subjects. The most common risk is a breach of confidentiality with the exposure of potentially embarrassing information without the knowledge or consent of the subject. Such studies may also lead to recruitment of subjects into future non-therapeutic studies in a manner which may provoke the subject to ask how his/her record was revealed to someone not part of his/her therapeutic team.

The HIPAA Privacy Rule requires covered entities to obtain each subject's authorization, or an IRB waiver of such authorization, before a researcher (including the subject's treating physician) may access the subject's records or other protected health information for research purposes. 
To access charts or medical records for research purposes, the researcher must submit an application to the IRB for approval. 
To obtain IRB approval to review medical records at UVa, go to IRB Online and proceed with a new application. This approval is required regardless of where these medical records are located (e.g., Health Information Services (HIS), formerly Medical Records; shadow records in your department; departmental databases; electronic medical record; etc.).
In addition, if you need to have charts pulled from HIS, complete a Request for Medical Records Form. Attach a copy of your IRB Approval Form to the Request for Medical Records Form in order to have the charts pulled. 


Preparatory to Research 

The IRB for Health Sciences Research (IRB-HSR) serves as both the HIPAA Privacy Board and the IRB at UVa.  

It is critical to keep in mind that even though some activities might be allowed without a HIPAA Privacy Board approval, they may not be allowed without an IRB approval under DHHS regulations.

Preparatory to Research and Researchers Will NOT Record HIPAA Identifiers (see list below)
If the researcher wishes to review charts to design a research study or to assess the feasibility of conducting a study, IRB approval is NOT required if no HIPAA identifiers will be collected. The researcher must, however, complete a Request for Medical Records Form and submit this to the UVa Health System Department of Health Information Services (HIS).
In this form the researcher will represent that the use or disclosure of the protected health information is solely to review protected health information, as necessary, to prepare a research protocol or for similar purposes preparatory to research, and that this information is necessary for research purposes. 

Preparatory to Research and Researchers WILL Record HIPAA Identifiers
If you need to collect information to design a research study or to assess the feasibility of conducting a study and you also need to record any HIPAA identifiers, IRB approval IS required. Submit a new protocol application to the IRB using the IRB-HSR program called Protocol Builder. The IRB will provide you with an Approval/Assurance Form which may be submitted to Health Information Services to obtain the charts you need.


HIPAA Identifiers


1. Name 

2. All geographic subdivisions smaller than a state, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of the zip code if, according to the current publicly available data from the Bureau of the Census: (1) the geographic unit formed by combining all zip codes with the same 3 initial digits contains more than 20,000 people, and (2) the initial 3 digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.

3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older.
[This means you may record the year but not record the month or day of any date related to the subject if the subject is under the age of 89. In addition, if the subject is over the age of 89 you may not record their age and you may not record the month, day or year of any date related to the subject.]

4. Telephone numbers

5. Fax numbers

6. Electronic mail addresses

7. Social Security number

8. Medical Record number

9. Health plan beneficiary numbers

10. Account numbers

11. Certificate/license numbers

12. Vehicle identifiers and serial numbers, including license plate numbers

13. Device identifiers and serial numbers

14. Web Universal Resource Locators (URLs)

15. Internet Protocol (IP) address numbers

16. Biometric identifiers, including finger and voice prints

17. Full face photographic images and any comparable images 

18. Any other unique identifying number, characteristic, or code that is derived from or related to information about the individual (e.g., initials, last 4 digits of Social Security #, mother’s maiden name, first 3 letters of last name).

19. Any other information that could be used alone or in combination with other information to identify an individual (e.g., rare disease, study team or company has access to the health information and a HIPAA identifier or the key to the code).

Review of Decedent Information

The protections of the Common Rule (45 CFR 46) apply only to living human beings; by contrast, the Privacy Rule also protects the identifiable health information of deceased persons (“decedents”).

The Privacy Rule contains an exception to the authorization requirement for research that involves the protected health information of decedents. 
If the researcher wishes to review charts of decedents, IRB approval is not required; however, the researcher must complete a Request for Medical Records Form and submit this to the UVa Health System Department of Health Information Services (HIS).
In this form the researcher will affirm the following: 

  • The requested access to a decedent’s protected health information is solely for research, and that the information requested is necessary for research purposes. 
  • The researcher will provide documentation of the deaths of such individuals at the request of Health Information Services. 

Epidemiologic Studies

Epidemiologic studies present several unique problems because they often use sensitive private documents, such as medical records, and link them with other data, such as employment, insurance or police records. The primary ethical concerns presented by epidemiologic studies are protection of subjects' privacy and the confidentiality of data. Access to those records without prior consent of the subject raises concerns about the violation of the ethical principle of respect for persons (sometimes referred to as autonomy). 
The IRB's review is to ensure that epidemiologists take adequate steps to preserve the confidentiality of the data they collect, and that they specify:

  • who will have access to the data, 
  • how and at what point in the research personal information will be separated from other data, 
  • whether the data will be retained at the conclusion of the study, and 
  • any possible disclosure of the data. 

The IRB also requires a thorough description of interview instruments and questionnaires. 
When a study involves reviews of records which can be linked to the identity of the subject, the IRB must ensure that subject's privacy interests will be adequately protected and that any uses or disclosures of protected health information for the research comply with any applicable Privacy Rule requirements. 
Where the Principal Investigator will have personal contact with subjects, a potential for harm exists since they are identified as potential subjects because they either have or are at risk of developing a disease or condition. Simple contact with subjects may present a risk of harm, either because of sensitivity to discussing a disease or condition they know they have, or because they may not be aware of their condition. Once potential subjects are identified, the Principal Investigator should obtain their consent to participate in the study. 
Disclosure of information such as that usually collected in epidemiologic studies also presents an ethical concern. All information collected as part of a study is confidential. Data must be stored in a secure manner and must not be shared inappropriately. The Principal Investigator's protocol should detail how data will be kept and how confidentiality of data will be maintained. Principal Investigators should note, however, that, unlike medical records, research data is not privileged under law unless a Certificate of Confidentiality is obtained and is current.