Research Health Information

This page is designed to help reduce the cybersecurity and compliance burden on research utilizing Research Health Information (RHI) data. On this page, you will find resources and instructions on how best to get your research project started with security and compliance integrated into your research workflow.

The Digital Security and Trust (DST) team within the Office of Technology and Digital Innovation is available to all researchers at The Ohio State University looking to securely manage their research activities. As the central unit for cybersecurity at Ohio State, our team is available to answer your questions, provide guidance, and connect you with other resources for securing your RHI data.  


What is RHI?

The Ohio State University defines RHI as information collected about research participants that pertains to their health or healthcare which either:  

  1. Is created or received in connection with research that does not involve a covered health care component, or  

  1. Has been reclassified and is no longer subject to Health Insurance Portability and Accountability Act (HIPAA) requirements due to a disclosure from a health care component or external covered entity pursuant to a valid HIPAA research disclosure, such as a valid authorization or waiver or alteration of authorization.  

In instance 1, RHI is gathered over the course of research, via a method such as surveying, and does not involve a health care component. This data is not subject to HIPAA guidelines; however, it must still be protected at an S4 (Restricted) level in line with the university’s Institutional Data Policy

In instance 2, Protected Health Information (PHI) is converted to RHI via one of the approved methods detailed above. Due to the sensitive nature of the data, it is imperative that the methods of reclassifying the data from PHI to RHI are correctly followed and the data is handled in accordance with university guidelines for S4 (Restricted) information. 

How does RHI relate to PHI and HIPAA?

A key difference between RHI and PHI is that PHI is associated with or derived from a healthcare service event (i.e., the provision of care or payment for care). PHI is subject to HIPAA regulations, while RHI is not. However, RHI is covered by other state and federal laws for privacy and confidentiality of research health information.

More information about the classification of RHI, PHI and HIPAA data can be found in the university's PHI and HIPAA Policy

HIPAA Compliance for Researchers

The university has laid out a PHI and HIPAA Policy, which outlines proper handling of HIPAA data. In particular, “Procedure”, Section IV (pg. 4) pertains to research.  

Below are a few notable references, which can be useful to have available when looking to ensure HIPAA compliance, all of which can be found on the website for the U.S. Department of Health & Human Services. HIPAA is comprised primarily of a few major rules: 

  • Privacy Rule: Establishes national standards to protect individuals' medical records and other individually identifiable health information. 
  • Security Rule: Establishes national standards to protect individuals’ electronic personal health information that is created, received, used or maintained by a covered entity. 
  • Enforcement Rule: Contains provisions relating to compliance and investigations, the imposition of civil money penalties for violations of the HIPAA Administrative Simplification Rules and procedures for hearings. 
  • Breach Notification Rule: Requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information. 

The full text of HIPAA includes the above listed rules, as well as Transactions, Code Set Standards, and Identifier Standards. 


Using RHI Data

Due to the personal and sensitive nature of RHI, researchers have a duty to protect it and make every effort to gather, store, use and dispose of this information as securely as possible. Before using RHI data, researchers and/or their unit’s IT staff should create a security plan. Data should be stored an approved university service, like Microsoft 365, Microsoft Azure or Amazon Web Services. More information can be found on the Securing Research Data page.