WVU Health System Medical Records & Patient Information
Using WVU Health System Medical Record or Patient Information for Research
When planning to use data from the WVU Health System Electronic Medical Record (EMR) system or other clinical systems/data repositories for research, it is essential to note that the WVU Health System owns the data. Using this data for research requires reviews and approvals depending on the data, even if the researcher has access to the data as part of their clinical or educational responsibilities.
Preparing for a Research Project
If a researcher has clinical access to EMRs, this does NOT mean the EMR data can be accessed or used for research purposes without prior approvals.
As a clinician and a researcher, you wear two hats: when conducting research for WVU, you are acting on behalf of the University and must comply with University policies. West Virginia University and the WVU Health System are separate legal entities. WVU has an agreement for using WVU Health System data for research. Also note that there are differences in HIPAA compliance requirements for healthcare and research.
Research vs. Not Research
Not Research
Activities that are NOT considered research under the HHS federal definition of research and do not require WVU IRB review:
- WVU or WVU Health System Quality Improvement, Program Evaluation, or Evidence Based Practice
- Case Reviews using five or less EMRs
- A Case Authorization Form is required
- WVU Classroom Activities using EMRs
- Public Health Surveillance
- Oral Histories (non-clinical)
These activities DO NOT require a Data Protection form or an IRB protocol unless a publisher requires a Letter of Determination of Not Research/Not Human Subjects Research is required from the WVU IRB. Data protection and WVU Health System data use should follow institutional policy.
Not Human Subjects Research
Not Human Subject Research (NHSR) projects are considered research under the HHS federal definition.
- Must comply with WVU institutional policy for data compliance and data use.
- A Data Protection Form is required.
- HIPAA Waivers are not needed, as PIs should not access the EMR directly for NHSR.
WVU's agreement with the WVU Health System
- WV CTSI acts as the HIPAA Honest Broker and must review each request to access the EMR (via the Data Protection Process or through WVCTSI iLAB for Prep-to-Research and EMR datasets).
- All data derived from the EMR (identifiable, coded, or de-identified) that is to be shared or transferred to external parties during research or in results format MUST be approved by OSP, WV CTSI, and WVU Health System. This process is initiated during the Data Protection Process.
- All data derived from the EMR that is to be de-identified before sharing or transferring with external parties MUST be de-identified by WV CTSI, or WV CTSI must be consulted to ensure compliant de-identification. Contact WV CTSI.
- Other WVU Health System clinical systems or data repositories targeted for research MUST be approved for research during the Data Protection Process or the New Data Repository Form. The University does not own clinical systems; therefore, the data is an asset of the WVU Health System and subject to data use restrictions.
Other Compliance Considerations for EMR Use
WVU considers coded Data and Limited Datasets to be high-risk data when the source is WVU Health System clinical information. When using EMRs from an external source, HIPAA does not apply as WVU is not the covered entity in this case. However the data must be protected in compliance with data agreements from the source. If protection requirements are not specified by the source, WVU defaults to high-risk data protection requirements.