The Privacy Rule affects the use of databases containing protected health information (PHI) that is used for research purposes. All research uses of PHI are subject to the Privacy Rule, even if the research is determined to be exempt under the Common Rule. The Privacy Rule regulations apply to the use of databases containing PHI just as they do to any other research using PHI.

The custodian of a database containing PHI that is used in preparatory to research activities may require a copy of a signed preparatory to research certification before permitting use of the PHI.

ACTION NEEDED:

All existing databases that contain PHI used for research purposes should be registered by the database custodian before April 14, 2003. Databases created after April 14, 2003 should be registered before research use commences. Both existing and future databases which contain information from only a single study do not need to be registered.

Use the database decision tool to determine if a particular database should be registered. To register a database, complete a database registration form and file the form with the University’s Privacy Officer. Filing instructions are on the database registration form.