Health Insurance Portability and Accountability Act (HIPAA)
What is HIPAA?
Health Insurance Portability and Accountability Act (HIPAA) is a complex regulation that affects many researchers at the University of Massachusetts Medical School. The HIPAA regulation was designed to protect the use and disclosure of Protected Health Information (PHI).
Is my Research Covered by HIPAA?
HIPAA is applicable if your research study uses or will use Protected Health Information belonging to UMass Memorial Medical Center (UMMMC) or another HIPAA covered entity.
HIPAA Forms to be Used (for research purposes only)
- UMMS HIPAA Research Policy - Patient information being used for research purposes
- HIPAA Authorization Form
- Waiver of Authorization
- Preparatory to Research
- De-Identified Research
- Accounting for Use/Disclosures
- Accounting of Research Disclosures-Summary Form
Research Subjects’ Rights Under HIPAA
What information can be disclosed without my consent?
Do I have access to any of the information in my research record?
How do I know if my record has been accessed?
Who do I call if I have questions?
- For questions about your general privacy rights, contact the Privacy Officer of your health care provider. At UMass Memorial Healthcare, Inc., please call 508-334-5551 (privacy line).
- For questions about use and handling of data in a particular study you are enrolled in, or considering enrolling in, contact the Principal Investigator or a member of the study team.
Researchers may only create, access or use individually identifiable data for research purposes under certain circumstances, and with certain permissions.
The HIPAA Privacy Rule applies to individually identifiable private information held by covered entities and researchers may access/use this information with appropriate permissions (i.e. an Authorization or a waiver of Authorization) and must only use the information in accordance with the applicable permission. The HIPAA Privacy Rule creates special exceptions for:
- Limited Data Sets obtained through a Data Use Agreement
- Decedent Data
- Activities Preparatory to Research
The HIPAA Privacy Rule does not apply to:
- De-identified data (as defined by the Privacy Rule)
Researchers must ensure that the data is appropriately used and protected through appropriate physical, technical and administrative means. These protections include:
- Ensuring that all data is stored appropriately and securely
- Ensuring that all devices and networks storing data are secure and free from viruses, malware or other harmful software
- Limiting access to identifiable data to appropriate individuals
- Protecting against inappropriate re-use
- Promptly reporting any breach (electronic, loss of paper files or other compromise to data or identifiable information) to appropriate parties including Information Technology: http://www.umassmed.edu/it/security/report-a-problem/ and the IRB as a Reportable New Information
How Do I?
Get appropriate approvals related to research?