Collections Access Policy

Access to Duke University Medical Center Archives Records, Including Records Containing Protected Health Information

As of April 2003, access to records containing protected health information (PHI) held by the Duke University Medical Center Archives (Archives) is regulated by the Privacy Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Privacy Rule [45 CFR Parts 160 & 164] establishes the conditions under which records containing PHI may be used or disclosed for research purposes [45 CFR §164.512 (i)].

All researchers seeking to use records that may be presumed to contain PHI must comply with the following procedures to gain access to these materials.

I. Definition

Protected health information (PHI) is individually identifiable health information created or transmitted in any form by a covered entity. A covered entity is a health care provider, health care plan, or health care clearinghouse which transmits health information. Any records which Archives staff identifies as containing PHI are subject to the provisions of the HIPAA Privacy Rule.

Types of records containing PHI may be created by hospitals, physicians, nurses or biomedical scientists. They may be casebooks, patient files, patients'or doctors' correspondence, or laboratory notebooks.

NOTE: Records containing personally identifiable health information, but not created by covered entities, are not affected by the HIPAA Privacy Rule. However, Archives will still restrict these records to protect patient privacy. Please contact departmental staff for information on access to these collections.

NOTE: All researchers, regardless of the collections they intend to use, will be required to sign a Confidentiality Agreement.

II. Collections Access Designations

In order to facilitate researchers' awareness of collections that potentially contain PHI, the Duke University Medical Center Archives (Archives) has established three designations detailing "Access Restrictions" to all of its holdings. These designations are:

1) Open Collections - Preliminary inventory has not indicated any records that potentially contain PHI. A collection initially designated as Open, may have its designation changed upon the discovery of PHI;
2) Restricted Collections - Preliminary inventory and/or research has identified a limited amount of materials which contain PHI; and
3) Closed Collections - The vast majority of the collection contains PHI.

III. Collection Access Processes

1) De-identification/Redaction - Records containing PHI are made accessible for researchers through the removal of the following 18 identifiers:
(i) Names;
(ii) All elements of a street address, city, county, precinct, zip code, & their equivalent geocodes, except for the initial three digits of a zip code for areas that contain over 20,000 people;
(iii) All elements of dates (except year) for dates directly related to the individual, (e.g., birth date, admission/discharge dates, date of death); and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
(iv) Telephone numbers;
(v) Fax numbers;
(vi) E-mail address(es);
(vii) Social security numbers;
(viii) Medical record numbers;
(ix) Health record numbers;
(x) Account numbers;
(xi) Certificate/license numbers;
(xiv) License plate numbers, vehicle identifiers, and serial numbers;
(xv) Device identifiers and serial numbers;
(xiv) URL addresses;
(xv) Internet Protocol address numbers;
(xvi) Biometric identifiers, including finger, and voice prints;
(xvii) Full face photographic images and comparable images;
(xviii) Any other unique identifying number except as created by the Institute for Human Studies (HIS) to re-identify the information.
2) Limited Data Set (LDS) - PHI that excludes the following direct identifiers of the individual or of relatives, employers, or household members of the individual. Requires "data use agreement" (see below) and needs Institutional Review Board (IRB) review:
(i) Name;
(ii) Postal address information, other than town or city, State, and zip code;
(iii) Telephone numbers;
(iv) Fax numbers;
(v) Electronic mail addresses;
(vi) Social security numbers;
(vii) Medical record numbers;
(viii) Health plan beneficiary numbers;
(ix) Account numbers;
(x) Certificate/license numbers;
(xi) Vehicle identifiers and serial numbers;
(xii) Device identifiers and serial numbers;
(xiii) Web Universal Resource Locators (URLs);
(xiv) Internet Protocol (IP) address numbers;
(xv) Biometric identifiers, including finger and voice prints; and
(xvi) Full face photographic images and any comparable images.
3) Data Use Agreement (DUA) - An agreement required by the Privacy Rule between a covered entity and a person or entity that receives a limited data set. The DUA must state that the recipient will use or disclose the information in the limited data set only for specific limited purposes. Must accompany a "limited data set" (see above) request.
Defines for what purpose the data may be used
Provides adequate assurances that data will be safeguarded and not used for unauthorized purposes
Includes recipient agreement
i. not to re-identify data or contact data subject
ii. to report improper uses and disclosures
iii. to "push down" privacy protection obligations to subcontractors
4) Waiver of Authorization - When obtaining subject/participant authorization is "impracticable," the IRB may approve a waiver of authorization for a researcher to use and disclose PHI. The purposes of the research must be described in a waiver application and the IRB must determine that the researcher has satisfied all Privacy Rule requirements for the waiver

IV. Research Access to Archives' Collections

Whenever possible, Archives staff will allow full and unfettered access to its holdings.

1) Open Collections - Collections designated "Open" are made available to researchers upon request. It is incumbent upon the research to notify Archives staff of any PHI related materials they discover in Open Collections.
2) Restricted Collections - Collections designated as "Restricted" are accessed through de-identification (or redaction), by a Waiver of Authorization, or through a LDS/DUA (see Closed Collections section below). Accordingly, access to these collections will require a delay in access. If research can be conducted on de-identified materials, the Archives staff will provide the researcher with copies of requested materials with the 18 HIPAA specified identifiers redacted. Depending on the amount of material requested, the Archives reserves the right to impose a 24 hour, or one working day, waiting period in order to prepare the redacted copies.
3) Closed Collections - Permission to access collections designated as "Closed", or to use records containing PHI for research purposes is permitted only through a Waiver of Authorization or through a LDS/DUA. Both of these requested must be applied for and be approved by the IRB of the Duke University Medical Center in accordance with the provisions of the HIPAA Privacy Rule. No access will allowed until the IRB of the Duke University Medical Center has approved the request.