A covered entity may de-identify PHI itself or entrust the de-identification of PHI to a business associate. For example, a researcher may be a covered entity that performs the de-identification itself, or may be hired as a business associate to perform the de-identification. In most cases, the covered entity must have a written contract with the business associate that contains the provisions required by the Privacy Rule before making PHI available to that business associate. In addition, a covered entity that is a hybrid entity may designate parts of its operations that perform business-associate-like functions, such as de-identification.

The Privacy Rule allows three methods of accounting for research-related disclosures that are made without the person's authorization or other than as a limited data set: (1) a standard approach, (2) an approach for multiple disclosures, and (3) an alternative for disclosures involving 50 or more people. Whichever approach is chosen, the accounting is made in writing and provided to the requesting person. Accounting reports to the individual may contain results from several accounting methods.

To address these and other situations that may arise in the context of a research project or protocol, the Privacy Rule contains criteria for the waiver or modification of authorizations by an IRB or another review body called a Privacy Board. Many of these provisions are modeled on the HHS regulations for the protection of human subjects. The Privacy Rule does not change the current requirements that determine when researchers must submit protocols to the IRB for review and approval and obtain informed consent documents. The Privacy Rule only supplements these requirements when a researcher requests a waiver or a modification of the authorization.

When a covered entity has used or disclosed PHI for research under a waiver or modification of the authorization approved by an IRB or Privacy Board, the covered entity must retain the documents relating to that approval for six years from the date of its creation or the date on which it was last in effect, whichever is later.

To use or disclose a deceased person's PHI for research purposes, covered entities are not required to obtain an authorization from the decedent's personal representative or family, a waiver or modification of the authorization, or a data use agreement. However, the covered entity must obtain from the researcher seeking access to the decedents' PHI: (1) oral or written representations that the use and disclosure are sought solely for research on the PHI of decedents, (2) oral or written representations that the PHI requested is necessary for the research, and (3) at the request of the covered entity, documentation of the death of the persons whose PHI the researchers are requesting.

The "limited data set" provisions also require covered entities to take appropriate measures to remedy any breach of the data use agreement by a recipient. In other words, if Hopkins finds that the data provided to a recipient is being used in a way that is not authorized by the agreement, it must work with the recipient to resolve that issue. If these measures are not successful, Hopkins should terminate the transfer of PHI to the recipient under the data use agreement and report the situation to the Privacy Office at 410-614-9900 or hipaa@jhmi.edu.

An authorization differs from informed consent in that an authorization focuses on privacy risks and indicates how, why and to whom the PHI will be used and/or disclosed for research.
On the other hand, informed consent provides subjects with a description of the study and its expected risks and/or benefits, as well as a description of the