A beginner’s guide to avoiding Protected Health Information (PHI) issues in clinical research – With how-to’s in REDCap Data Management Software

Abstract

Protecting personally identifiable information is important in clinical research. The authors, two faculty members involved in developing and implementing research infrastructure for a medical school, observed challenges novice researchers encountered in recognizing, collecting, and managing Protected Health Information (PHI) for clinical research. However, we had difficulty finding resources that provide practical strategies for novice clinical researchers for this topic. Common issues for beginners were: 1. Recognition of PHI, e.g. lack of recognition of ‘indirect’ PHI, i.e., that the combination of two or more non-PHI data types or other specific information could result in identifiable data requiring protection; 2. Collection of PHI, e.g., proposed collection of data not necessary for fulfillment of the project’s objectives or potential inadvertent collection of PHI in free text response items; and 3. Management of PHI, e.g., proposed use of coding systems that directly included PHI, or proposed data collection techniques, electronic data storage, or software with inadequate protections. From these observations, the authors provide the following in this paper: 1. A brief review of the elements of PHI, particularly ‘indirect’ PHI; 2. Sample data management plans for common project types relevant to novice clinical researchers to ensure planning for data security; 3. Basic techniques for avoiding issues related to the collection of PHI, securing and limiting access to collected PHI, and management of released PHI; and 4. Methods for implementing these techniques in the Research Electronic Data Capture (REDCap) system, a commonly used and readily available research data management software system.