|Anonymized Data||Previously identifiable data (indirectly or individually identifiable) that have been de-identified and for which a code or other link no longer exists. An investigator has NO means for linking anonymized data back to specific subjects.|
|Anonymous Data||Data that were collected without identifiers and that were never linked to an individual. Coded data are not anonymous. See also de-identified data.|
|Coded||Data are separated from personal identifiers through use of a code. As long as a link exists, data are considered indirectly identifiable and not anonymous, anonymized or de-identified.|
The Federal Policy for the Protection of Human Subjects or the “Common Rule” was published in 1991 and codified in separate regulations by 15 Federal departments and agencies. The Health and Human Services (HHS) regulations, 45 CFR Part 46, include four subparts:
See the HHS website for more information.
Confidentiality refers to the researcher’s plan to handle, manage and disseminate the participant’s identifiable private information. Researchers should only collect identifiable information when needed (see minimum necessary).
Investigators should ensure that information is not made available or disclosed to unauthorized individuals, entities or processes. Protection of confidentiality is an ethical standard of the health professions.
The voluntary agreement of an individual or their legally authorized representative (informed and competent) for participation in a study.
See IRB consent guidance for more information on the consent process and documentation of informed consent.
|Covered Entity||Refers to three types of entities that must comply with the HIPAA Privacy Rule: health care providers; health plans; and health care clearinghouses. For purposes of the HIPAA Privacy Rule, health care providers include hospitals, physicians, and other caregivers, as well as researchers who provide health care and receive, access or generate individually identifiable health care information.|
|Data Use Agreement||An agreement between the investigator (recipient) and the covered entity that the investigator will protect the protected health information in a Limited Data Set and use it for the agreed upon purposes.|
A record in which identifying information is removed.
Under the HIPAA Privacy Rule, data are de-identified if either:
|Directly Identifiable||Any information that includes personal identifiers. To determine what data may be considered identifiable, please see items that must be removed under the HIPAA Privacy Rule's definition of de-identified.|
|Disclosure||The release, transfer, provision of access to, or divulging in any other manner of protected health information outside the entity holding the information. Requires a specific authorization under HIPAA except if disclosure is related to the provision of health care, payment or operations of the entity responsible for the PHI or under a limited set of other circumstances, as for public health purposes.|
|Health Information||Any information, whether oral or recorded in any form or medium, that: (1) Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and (2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.|
|HIPAA||The Health Insurance Portability and Accountability Act of 1996. The HIPAA section of this site has more information.|
According to 45 CFR Part 46, a human subject means a living individual about whom an investigator (whether professional or student) conducting research obtains
|Indirectly Identifiable||Data that do not include personal identifiers, but link the identifying information to the data through use of a code. These data are still considered identifiable by the Common Rule. To determine what data may be considered identifiable, please see de-identified.|
Any information that includes personal identifiers (18 HIPAA Identifiers or any subset of health information that identifies the individual or can reasonably be used to identify the individual).
|Institutional Review Board (IRB)|
|Limited Data Set||
A set of data in which most of the protected health information has been removed. The following identifiers of the individual or of the individual’s relatives, employers or household members must be removed:
The probability and magnitude of harm or discomfort anticipated in the research are not greater in and of themselves than those ordinarily encountered in daily life or during the performance of routine physical or psychological examinations or tests.
A HIPAA Privacy Rule standard requiring that when protected health information is used or disclosed, only the information that is needed for the immediate use or disclosure should be made available by the health care provider or other covered entity.
This standard does not apply to uses and disclosures for treatment purposes (so as not to interfere with treatment) or to uses and disclosures that an individual has authorized, among other limited exceptions. Justification regarding what constitutes the minimum necessary will be required in some situations (e.g., disclosures with a waiver of authorization and non-routine disclosures).
|Need to Know||A security principle stating that a user should have access only to the data needed to perform a particular function.|
Privacy concerns people, whereas confidentiality concerns data. Privacy refers to a person’s wish to control the access of others to themselves.
The HIPAA regulations that protect the privacy of health information.
|Protected Health Information (PHI)||
Protected health information (PHI) is any information in the medical record or designated record set that can be used to identify an individual and that was created, used, or disclosed in the course of providing a health care service such as diagnosis or treatment.
See the IRB's HIPAA guidance for more information about what is PHI and what is not PHI.
|Research||A systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge.|