Guidance on Use of Protected Health Information for Research Purposes

Revision date: April 18, 2024

MIT values its collaborative relationship with its research partners and other entities providing data for research and strives always to be a proper steward of the information entrusted to it. MIT researchers assist this effort in ensuring that MIT adheres to the highest standard of care for protecting the personal, private, or confidential information provided to MIT by third parties.  

The purpose of this memorandum is to provide guidance to MIT researchers for when MIT is the recipient of third party protected health information (“PHI”) used for MIT research purposes, including guidance on how to secure PHI through the use of MIT’s Information Protection Data Classification system (“Infoprotect”). 

Legal Basis of Protection – Protected Health Information

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its regulations, including the Privacy Rule and the Security Rule, as well as the Health Information Technology for Economic and Clinical Health (HITECH) Act, (collectively referred to herein as “HIPAA”) set forth the legal requirements for how certain health information is collected, maintained, used and, most importantly for current purposes, disclosed by covered entities.[1]  While it is important to recognize that MIT, when conducting research with PHI, is not a covered entity for purposes of HIPAA,[2] MIT researchers must be mindful of the requirements of HIPAA to ensure that (1) MIT has received PHI from a covered entity only as permitted under HIPAA and (2) that MIT institutes the proper administrative and technical safeguards to protect PHI while in MIT’s care and control. 

How Researchers Obtain PHI from Covered Entities

There are four (4) recognized methods under HIPAA in which a covered entity may disclose PHI for research purposes.

  1. If the subject of the PHI has granted specific written permission for the use of PHI for research through an approved authorization for Release of Protected health Information;
  2. If the covered entity’s IRB or HIPAA Privacy Board has granted a waiver of the authorization requirement; 
  3. If the PHI has been de-identified as provided under HIPAA (i.e. all of the 18 HIPAA identifiers have been removed from the data), and, therefore, no longer qualifies as PHI; or 
  4. If the information is released in the form of a limited data set, with certain identifiers removed and through the execution of data use agreement.[3]

How PHI is Secured and Protected at MIT for Research Purposes

While MIT is not subject to the Security Rule under HIPAA (and therefore is not required to meet this technical standard), researchers must adhere to appropriate standards for protecting the privacy and the confidentiality of the information entrusted to them. To assist researchers in developing appropriate security plans for the receipt of PHI, MIT has developed Infoprotect, a three-part risk classification system designed to map the appropriate physical, technical, and administrative safeguards for certain types of information. 

For identifiable PHI, MIT provides a high risk classification which requires the implementation of fifty-six (56) technical controls to properly store, secure, use, and dispose of this regulated data.  Some of these tasks are single occurrences, while others are on-going or recurring tasks and InfoProtect provides additional guidance through Knowledge Base (KB) articles to explain how such technical controls should be implemented.    All of these tasks can be memorialized in a data security annex and appended to the applicable Data Use Agreement with the provider.

For de-identified or anonymized PHI, less technical controls are required. MIT provides a medium risk classification for this category of data which only requires the implementation of forty-one (41) technical controls.  These tasks can also be memorialized in a data security annex and appended to the applicable Data Use Agreement with the provider.  

For both medium and high risk classifications, the safeguards provided in Infoprotect include a variety of tasks organized in the following family of controls:

  • Access Control
  • Asset and Information Management
  • Awareness and Training
  • Configuration and Vulnerability Management
  • Data Minimization and Retention
  • Governance
  • Identification and Authentication
  • Physical Security
  • Protective Technology

A CSV file with these controls and links to KnowledgeBase articles can be found here.

Requesting and Processing Data Use Agreements

For all incoming data, MIT researchers should use the Hermes Portal. The Office of Strategic Alliances and Technology Transfer (OSATT) will assist in the review, negotiation and execution of the DUA.  To the extent additional technical safeguards or contractual terms are required, the COUHESOffice of the General CounselInformation Systems and Technology, and the Office of Research Computing and Data are available for additional support and guidance.

[1]  HIPAA defines a “covered entity” as including the following:  (1) health plans; (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with certain health care transactions.

[2] MIT is considered a hybrid entity under HIPAA with MIT Health and MIT’s self-insured benefit plans qualifying as covered entities.

[3] A limited data set contains PHI but includes only the following types of identifiers: admission, discharge, and service dates; birth date; date of death; age (including 90 or over) in years, months, days, or hours; and geographical subdivisions such as state, county, city, precinct and five digit zip code. HIPAA permits Covered Entities to disclose PHI in a limited data set for research purposes subject to the execution of a data use agreement, which requires the researcher receiving the limited data set to observe security safeguards.