Uses & Disclosures of Protected Health Information (PHI)

Aug 10, 2020 2:30 pm

Protected Health Information (PHI) is individually identifiable health information held or maintained by covered entities, or by business associates acting for the covered entity. PHI is subject to HIPAA Privacy Rule protections. HIPAA Privacy Rule permits researchers to access and use PHI when necessary to conduct research, with certain restrictions.


    "Use" has a HIPAA-specific technical definition: 

    Use means, with respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within [a covered] entity that maintains such information. (45CFR160.103)

    For example:

    • clinical: desk staff at an outpatient clinic prints check-in materials for a patient
    • research - interventional: in an investigator-initiated clinical trial, lab results on the metabolism of the investigational agent are also entered into the medical record 
    • research - chart review: medical faculty obtain a dataset for analysis through the DataDirect PHI portal

    "Disclosure" has a HIPAA-specific technical definition:

    Disclosure means the release, transfer, provision of access to, or divulging in any manner of information outside the [covered] entity holding the information. (45CFR160.103)

    For example:

    • clinical: patient fills out a release of information form to request a hard copy of their Michigan Medicine medical record be sent to another location such as a hospital or doctor's office.
    • research - interventional: U-M research staff on an industry-sponsored clinical trial send medical records relating to a screened subject's eligibility to the sponsor
    • research - chart review: U-M LSA faculty, staff, or students (e.g. UROP) access PHI (usually as part of a study team mostly comprising people from Michigan Medicine)
    • research - chart review: A data coordinating center site receives "limited data sets" from all sites for a multi-institutional retrospective analysis of clinical data.

    A covered entity (CE) is a health care provider, health plan, or health care clearinghouse regulated by HIPAA. The University of Michigan is a "hybrid" covered entity because some, but not all, of its units are regulated by HIPAA. Interdisciplinary study teams at U-M may include members both 'inside' and 'outside' the CE; when such a study team accesses, obtains, or analyzes protected health information (PHI), that PHI is disclosed during the study. The Michigan Medicine Corporate Compliance Office also provides information (requires level-2 login) on the Michigan Medicine 'hybrid covered entity'. The graphic below in this section (prepared by the Compliance Office) shows that PHI crosses a "PHI Privacy Barrier" when a covered component discloses it for clinical, research, or other purposes.

    The U-M hospital, health centers, and Medical School are the main components of the Michigan Medicine CE. Additional health care center components are the School of Dentistry Provider Clinics, the Mary A. Rackham Institute (MARI) Provider Clinics, University Health Service, and the U-M Group Health Plan. Generally, faculty and staff (including research staff) in these components handle PHI as part of their jobs, and they are required annually to complete a HIPAA training module from the Corporate Compliance Office.

    Additional units at U-M provide "covered functions" for components of the covered entity, supporting the covered entity in its primary functions of treatment, payment and operations (TPO). Faculty and staff from these units who also have hospital or health center responsibilities usually have professional appointments at a U-M 'School' and at UMHS -- for instance, School of Pharmacy faculty often also have 'Clinical Pharmacist' appointments. 

    Access or exposure to PHI also arises in educational opportunities and training inside the CE for U-M Medical School students, and students at some other U-M schools (e.g. Schools of Dentistry, Nursing, Pharmacy). However, even within these schools not all roles engage with PHI held by the Michigan Medicine Covered Entity (e.g. administrative staff at Medical School Office of Research, and bench scientists).

    Graphic: Use inside covered components, and Disclosure to other U-M Units (crossing the "PHI Privacy Barrier")


    Almost all research under IRBMED oversight involves use and/or disclosure of PHI. Researchers from other parts of U-M sometimes receive disclosed PHI. HIPAA regulations prescribe several provisions under which PHI may be used and/or disclosed for research. Every use and/or disclosure must satisfy the criteria under one of these provisions: 

    A research study may utilize several of these HIPAA provisions. For instance, an interventional study may identify eligible subjects under waiver of HIPAA authorization, then obtain signed authorization as part of the enrollment process. A chart review may collect Michigan Medicine MiChart data under waiver of HIPAA authorization, and also receive from external entities "limited data sets."

    Importantly, some research activities involving PHI must take place inside a covered entity (use of PHI, not disclosure). Also, researchers are required to keep a record of some disclosures, depending on the HIPAA regulatory provision that applies.

    • Exemption 4(iii), aka HIPAA Exemption, allows for a streamlined review pathway and oversight for secondary research uses where "the research involves only information collection and analysis involving the investigator's use of identifiable health information when that use is regulated" under HIPAA (45CFR46.104(d)(4)(iii))
    • Preparatory to research activities may not include removing PHI from a CE, though an external researcher may review PHI within the covered entity.
    • Tracking of disclosures is governed by Michigan Medicine Policy 01-04-335 (requires level-2 login), and applies to research relying on HIPAA provisions for waiver of authorization, preparatory to research, and/or research on decedents. Inappropriate disclosures (see heading below) must also be tracked. The Policy linked above includes suggested tracking methods; contact Corporate Compliance Office for further guidance.

    Occasionally, unauthorized disclosures (both incidental and accidental) of PHI will occur within the research setting. Regardless of the type, extent, or volume of PHI that is disclosed, it is important that you take appropriate actions to mitigate any potential harm and that you report the occurrence.

    If you suspect or know of an unauthorized disclosure of PHI related to research, you should take any practicable steps necessary to limit potential or ongoing harmful effects. Additionally, you should notify IRBMED as soon as possible. You will also need to promptly report the concern to the Corporate Compliance Office (Main Number: 734-615-4400; HIPAA Concerns & Incidents webpage).

    You will be asked to submit an Other Reportable Information and Occurrences (ORIO) Form to the IRBMED through eResearch. Please include HIPAA-de-identified details of the event, how the event will be addressed, and what procedure(s) will be put in place so that this type of event does not happen again.

    You will also need to include the date that the study team reported the event to the Compliance Office, to whom they reported it, the response from the Compliance Office, and verification that the study team has complied or will comply with any Compliance Office request.

