|Anonymized Data||Previously identifiable data (indirectly or individually identifiable) that have been de-identified and for which a code or other link no longer exists. An investigator has NO means for linking anonymized data back to a specific subjects.|
|Anonymous Data||Data that was collected without identifiers and that were never linked to an individual. Coded data are not anonymous. See also de-identified data.|
|Clinical Trial||A research study in which one or more human subjects are prospectively assigned to one or more interventions (which may include placebo or other control) to evaluate the effects of the interventions on biomedical or behavioral health-related outcomes.|
|Coded||Data are separated from personal identifiers through use of a code. As long as a link exists, data are considered indirectly identifiable and not anonymous, anonymized or de-identified.|
The Federal Policy for the Protection of Human Subjects or the “Common Rule” was published in 1991 and codified in separate regulations by 15 Federal departments and agencies. The Health and Human Services (HHS) regulations, 45 CFR Part 46, include four subparts:
See the HHS website for more information.
Confidentiality refers to the researcher’s plan to handle, manage and disseminate the participant’s identifiable private information. Researchers should only collect identifiable information when needed (see minimum necessary).
Investigators should ensure that information is not made available or disclosed to unauthorized individuals, entities or processes. Protection of confidentiality is an ethical standard of the health professions.
The voluntary agreement of an individual or their legally authorized representative (informed and competent) for participation in a study.
See IRB consent guidance for more information on the consent process and documentation of informed consent.
|Covered Entity||Refers to three types of entities that must comply with the HIPAA Privacy Rule: health care providers; health plans; and health care clearinghouses. For purposes of the HIPAA Privacy Rule, health care providers include hospitals, physicians, and other caregivers, as well as researchers who provide health care and receive, access or generate individually identifiable health care information.|
|Top of page|
|Data Use Agreement||An agreement between the investigator (recipient) and the covered entity that the investigator will protect the protected health information in a Limited Data Set and use it for the agreed upon purposes.|
A record in which identifying information is removed.
Under the HIPAA Privacy Rule, data are de-identified if either:
|Directly Identifiable||Any information that includes personal identifiers. To determine what data may be considered identifiable, please see items that must be removed under the HIPAA Privacy Rule's definition of de-identified.|
|Department or agency head||The head of any Federal department or agency, for example, the Secretary of HHS, and any other officer or employee of any Federal department or agency to whom the authority provided by these regulations to the department or agency head has been delegated.|
|Disclosure||The release, transfer, provision of access to, or divulging in any other manner of protected health information outside the entity holding the information. Requires a specific authorization under HIPAA except if disclosure is related to the provision of health care, payment or operations of the entity responsible for the PHI or under a limited set of other circumstances, as for public health purposes.|
|Federal department or agency||Refers to a federal department or agency (the department or agency itself rather than its bureaus, offices or divisions) that takes appropriate administrative action to make this policy applicable to the research involving human subjects it conducts, supports, or otherwise regulates (e.g., the U.S. Department of Health and Human Services, the U.S. Department of Defense, or the Central Intelligence Agency.|
|Health Information||Any information, whether oral or recorded in any form or medium, that: (1) Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and (2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.|
|HIPAA||The Health Insurance Portability and Accountability Act of 1996. The HIPAA section of this site has more information.|
A human subject means a living individual about whom an investigator (whether professional or student) conducting research
|Top of page|
|Identifiable biospecimen||A biospecimen for which th eidentity of the subject is or may be established by the investigator or associated with the biospecimen.|
|Identifiable private information||Private information for which the identity of the subject is or may be established by the investigator or associated with the information.|
|Indirectly Identifiable||Data that do not include personal identifiers, but link the identifying information to the data through use of a code. These data are still considered identifiable by the Common Rule. To determine what data may be considered identifiable, please see de-identified.|
Any information that includes personal identifiers (18 HIPAA Identifiers or any subset of health information that identifies the individual or can reasonably be used to identify the individual).
|Institution||Any public or private entity, or department or agency (including federal, state, and other agencies.)|
|Institutional Review Board (IRB)|
|Limited Data Set||
A set of data in which most of the protected health information has been removed. The following identifiers of the individual or of the individual’s relatives, employers or household members must be removed:
The probability and magnitude of harm or discomfort anticipated in the research are not greater in and of themselves than those ordinarily encountered in daily life or during the performance of routine physical or psychological examinations or tests.
A HIPAA Privacy Rule standard requiring that when protected health information is used or disclosed, only the information that is needed for the immediate use or disclosure should be made available by the health care provider or other covered entity.
This standard does not apply to uses and disclosures for treatment purposes (so as not to interfere with treatment) or to uses and disclosures that an individual has authorized, among other limited exceptions. Justification regarding what constitutes the minimum necessary will be required in some situations (e.g., disclosures with a waiver of authorization and non-routine disclosures).
|Need to Know||A security principle stating that a user should have access only to the data needed to perform a particular function.|
|Top of page|
Privacy concerns people, whereas confidentiality concerns data. Privacy refers to a person’s wish to control the access of others to themselves.
The HIPAA regulations that protect the privacy of health information.
|Private Information||Information about behavior that occurs in a context in which an individual can reasonably expect that no observation or recording is taking place, and information that has been provided for specific purposes by an individual and that the individual can reasonably expect will not be made public (e.g., a medical record).|
|Protected Information Health (PHI)||
Protected health information (PHI) is any information in the medical record or designated record set that can be used to identify an individual and that was created, used, or disclosed in the course of providing a health care service such as diagnosis or treatment.
See the IRB's HIPAA guidance for more information about what is PHI and what is not PHI.
|Public health authority||An agency or authority of the United States, a state, a territory, a political subdivision of a state or territory, and Indian tribe, or a foreign government, or a person or entity acting under a grant of authority from a contract with such public agency, including the employees or agents of such public agency or its contractors or persons or entities to whom it has granted authority, that is responsible for public health matters as part of its official mandate.|
|Research||A systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge.|
|Written (or "in writing")||For purposes of the Common Rule, refers to writing on a tangible medium (e.g. paper) or in an electronic format.|