Guidance for Investigators HIPAA Requirements for Case Reports
A single, retrospective case report is an activity intended to develop information to be shared for medical and educational purposes. Under JHM policy, a “single case report” is a retrospective analysis of one, two, or three clinical cases but is not research that must be approved by the IRB. (If more than three cases are involved in the analytical activity, the activity will constitute research.)
Although IRB approval is not required, certain HIPAA Privacy Rule requirements apply to the use and disclosure of PHI for a single case report:
- Investigators who remove HIPAA identifiers from the case report data prior to disclosure of the data (e.g., prior to submission of the case report to a journal) do not need to obtain a signed privacy authorization from the subject of the case report.
Please note that in addition to removing the 18 listed HIPAA identifiers, the investigator must determine that no photo or illustration in the case report could lead to identification of the patient, and that the case(s) described are not so unique as to be identifiable with reference to other public sources such as media accounts.
- Investigators who wish to publish a case report that is not completely de-identified to the standards of the HIPAA Privacy Rule (i.e., that contains any direct or indirect identifiers), must first obtain each patient’s signed HIPAA-compliant authorization. It is not necessary to submit this authorization form to the IRB for review.
The HIPAA authorization form used to obtain a patient’s authorization to use and disclose PHI for a single case report may be found at the JH Privacy Office website at: Use of Protected Health Information in a Case Report (A.2.1.v)