UM Policies & Procedures - HSRO/IRB

24.2 Definitions

Approval Date

Review Responsibility: IRB Policy and Procedure Committee

Current Approval Date: August 6, 2008

24.2 Certificates of Confidentiality

Terms common to documents or discussions of privacy, security, confidentiality and HIPAA are included below. Most HIPAA-related definitions are consistent with those in the Common Rule (i.e. the human subject research regulations codified by federal agencies). In situations where there may be ambiguity or inconsistency in these definitions, the language of the applicable regulation (i.e. the Common Rule or HIPAA) shall govern.

Confidentiality: the condition in which information is shared or released in a controlled manner. Information considered confidential should be protected against theft or improper use and should not be made available or disclosed to unauthorized individuals, entities or processes without express permission from the appropriate party.

Covered Entity:  a health plan, a healthcare clearinghouse or a healthcare provider who is required to comply with HIPAA regulations regarding the use and disclosure of Protected Health Information (PHI). 

Data Use Agreement: An investigator-submitted agreement required for the disclosure of a limited data set by a covered entity to the investigator.  The agreement must specify the permitted uses of the limited data set and who may use or receive the data set.  The agreement restricts further use and disclosure and restricts re-identification of the data or contact with subjects. 

De-Identified Information:  health information is considered de-identified (and therefore, not PHI) if the following apply:

  1. it does not identify an individual
  2. the covered entity has no reasonable basis to believe that the information can be used to identify an individual
  3. the 18 HIPAA-defined standard identifiers are removed from the health information and the remaining health information could not be used, alone or in combination, to identify a subject

Note – the 18 standard identifiers that must be removed for data to be considered “de-identified” are:

  1. names
  2. geographic subdivisions smaller than a state
  3. dates including birth date, admission date, discharge date, date of death, and all ages over 89
  4. telephone numbers
  5. fax numbers
  6. electronic mail addresses
  7. Social Security numbers
  8. medical record numbers
  9. health plan beneficiary numbers
  10. account numbers
  11. certificate/license numbers
  12. vehicle identifiers and serial numbers, including license plate numbers
  13. device identifiers and serial numbers
  14. Web Universal Resource Locator (URL)
  15. biometric identifiers, including finger or voice prints
  16. full face photographic images and any comparable images
  17. Internet Protocol address numbers
  18. any other unique identifying number, characteristic or code

ePHI: electronic PHI (i.e. a subset of PHI)

HIPAA: the federal Health Insurance Portability and Accountability Act. This act regulates, among other things, the maintenance and disclosure of protected health information (“PHI”), which includes ePHI, about patients treated by “covered entities”. In addition, this act prescribes a process through which researchers may obtain or create PHI about patients who are also research participants or potential research participants.

Hybrid Entity:  a single, legal entity that uses or discloses PHI for only a part of its business operations.  The Privacy Rule applies only to the healthcare components of a hybrid entity that use or disclose PHI. 

Limited Data Set: health information that a covered entity may disclose (pursuant to a data use agreement) to an investigator for research purposes based on the fact that certain direct identifiers have been removed. The investigator receiving the limited data set must submit the data use agreement signed by an authorized UM official and obtain IRB approval before obtaining the limited data set for use in his/her study.

Note – direct identifiers that must be removed in order for data to be included in a limited data set are:

    1. names
    2. address information (other than city, state and zip code)
    3. telephone and fax numbers
    4. e-mail address  
    5. Social Security number
    6. certificate/license numbers
    7. vehicle identifiers and serial numbers
    8. URLs and IP addresses
    9. full face photos and other comparable images
    10. medical record numbers, health plan beneficiary numbers and other account numbers
    11. device identifiers and serial numbers

Note – the following are allowed in a limited data set:

    1. admission, discharge and service dates
    2. birth date
    3. date of death
    4. age (including age 90 or over)
    5. geographical subdivisions such as state, county, city, precinct and five digit zip code

Privacy: an individual’s right to be free from unauthorized or unreasonable intrusion into his/her private life and the right to control access to personal information.  The term “privacy” applies to persons whereas the term “confidentiality” refers to the treatment of personal information. 

Privacy and Security Rule: standards for Privacy of Individually Identifiable Health Information, promulgated by the U.S. Department of Health and Human Services pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and codified at part 160 and part 164, subpart C (Security Standards for the Protection of ePHI) and subpart E of Title 45 of the U.S. Code of Federal Regulations (as amended from time to time).

Protected Health Information (PHI): identifiable information about the past, present, or future physical or mental health or condition (including the provision of his/her health care, insurance, payment status etc.) of an individual obtained or managed by a covered entity. PHI may be information that is recorded electronically, on paper or orally. PHI must be protected from unauthorized use or disclosure by the Covered Entity under HIPAA regulations.

Note – PHI must be identifiable information or information that may be linked to an identifier. PHI does not include de-identified information.

Research Related Health Information (RHI): personally identifiable information used in research that is distinct from PHI by not being associated with, or derived from, the provision of health care or payment for care.

Security:  the safeguards placed upon the availability, integrity, and confidentiality of information to protect information from unauthorized access, disclosure, misuse and accidental damage.  Safeguards may be physical, electronic, or administrative and they may control access, training, computer systems, policies and procedures, physical environment, and behaviors.

Sensitive Information: private and/or health care information including information relating to an identifiable individual’s private activities or practices (e.g. sexual preferences or practices; drug or alcohol treatment history; mental health or treatment history; HIV status; diagnosis information; financial information including social security numbers or health insurance data; criminal history or background etc.).

University of Miami
Human Subjects Research Office