In addition to a detailed memo, the researcher must also submit a request to CPHS via the iRIS system that states:

• The use or disclosure of PHI is solely to prepare a research protocol or for similar purposes preparatory to research

• That the researcher will not remove any PHI from the covered entity, and

• The PHI for which access is sought is necessary for the research purpose

In most instances, this type of research will still be reviewed under the guidelines for expedited review.

What is a Covered Entity?

HIPAA defines a Covered Entity as a:

• Health Plan
• Health Care Provider - specifically a provider who conducts certain financial and administrative transactions electronically (e.g., billing, funds transfer, insurance claims)
• Health Care Clearing House - an organization that processes or facilitates the processing of health information in non-standard format to standard format or vice versa (e.g., a physician's billing service).