What is RHI?

The Ohio State University defines Research Health Information (RHI) as information collected about research participants that pertains to their health or healthcare which either:  

  1. Is created or received in connection with research that does not involve a covered health care component, or  

  2. Has been reclassified and is no longer subject to Health Insurance Portability and Accountability Act (HIPAA) requirements due to a disclosure from a health care component or external covered entity pursuant to a valid HIPAA research disclosure, such as a valid authorization or waiver or alteration of authorization.  

In instance 1, RHI is gathered over the course of research, via a method such as surveying, and does not involve a health care component. This data is not subject to HIPAA guidelines; however, it must still be protected at an S4 (Restricted) level in line with the university’s Institutional Data Policy.

In instance 2, Protected Health Information (PHI) is converted to RHI via one of the approved methods detailed above. Due to the sensitive nature of the data, it is imperative that the methods of reclassifying the data from PHI to RHI are correctly followed and the data is handled in accordance with university guidelines for S4 (Restricted) information. 

How does RHI relate to PHI and HIPAA?

A key difference between RHI and PHI is that PHI is associated with or derived from a healthcare service event (i.e., the provision of care or payment for care). PHI is subject to HIPAA regulations, while RHI is not. However, RHI is covered by other state and federal laws for privacy and confidentiality of research health information.

More information about the classification of RHI, PHI and HIPAA data can be found in the university's PHI and HIPAA Policy.

HIPAA Compliance for Researchers  

The university has laid out a PHI and HIPAA Policy, which outlines proper handling of HIPAA data. In particular, “Procedure”, Section IV (pg. 4) pertains to research.  

Below are a few notable references that are useful to have available when looking to ensure HIPAA compliance; all of them can be found on the website for the U.S. Department of Health & Human Services. HIPAA consists primarily of a few major rules:

  • Privacy Rule: Establishes national standards to protect individuals' medical records and other individually identifiable health information. 
  • Security Rule: Establishes national standards to protect individuals’ electronic personal health information that is created, received, used or maintained by a covered entity. 
  • Enforcement Rule: Contains provisions relating to compliance and investigations, the imposition of civil money penalties for violations of the HIPAA Administrative Simplification Rules and procedures for hearings. 
  • Breach Notification Rule: Requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information. 

The full text of HIPAA includes the above listed rules, as well as Transactions, Code Set Standards, and Identifier Standards.