Third Parties and PHI Standard Operating Procedure

The ability to use protected health information (PHI) in research supports clinical and translational research. The use of PHI carries special obligations for management of access in order to protect the rights and welfare of patients as delineated by the Health Insurance Portability and Accountability Act (“HIPAA”). UMass Memorial Health Care (“clinical system”) and the University of Massachusetts Medical School (“medical school”) have entered into a business associates agreement (BAA) that delineates the conditions under which the clinical system shares PHI with the medical school. Based on the agreement, while the medical school is not a Covered Entity, the medical school is a Business Associate and as such is required to protect clinical data in compliance with the HIPAA Security and Privacy rules.

The clinical system will allow the medical school to enable access to PHI in order to further the mission of research as long as standard operating procedures are established and followed to ensure appropriate protection of the data. Additionally, no third party, unless they are part of the UMMS Data Lake development project and have an established contract for UMMS Data Lake development work with the medical school, will have direct access to UMMS Data Lake or associated systems that store data.

Third-Party Process Steps

I. The PI of the study must have a current faculty appointment at the medical school.

II. The following documents must be sent to the assigned contact at the medical school Research Informatics Core.

a. A Statement of Work (SOW) that includes the following:

1.  Description of the project
2.  Duration of engagement
3.  Payment terms
4.  Data Type (aggregate/identified/de-identified) requested
5.  List of data categories requested
6.  Proposed technological infrastructure
7.  Process workflows
8.  Access requirements
9.  Data encryption and transmission protocols proposed by the vendor
10. Data handling mechanisms

b. In addition, to be included in the SOW or associated documentation:

1. Data releases and data retention policies by the vendor
2. Description of all third party hosting and access platforms, including specific geographical locations
3. Third-party information security and privacy review (SSAE16, HITRUST certification, HIPAA review, etc.)

III. The Research Informatics Core will provide these documents to the UMMS IT Security and Compliance Office for security review. These documents must also be provided to and reviewed by the school’s Office of General Counsel for a contractual review and by the Privacy Officer for a privacy review.
Upon successful completion of contractual and privacy and security reviews, the school’s Office of General Counsel will establish a contractual agreement with the vendor, which may involve a BAA and data use agreement as deemed necessary.

IV. Prior to the release of PHI, the medical school’s Institutional Review Board (IRB) approval must be obtained and the protocol must outline details regarding categories of data requested, data handling mechanisms, and data retention policies by the vendor. The previous steps within this SOP will be completed before submission to the IRB. The PI should submit documentation associated with this SOP as part of their IRB submission.

V. Once the above conditions are met, go to the Research Informatics Website and complete the data request form.

VI. Required data will be extracted either manually by the Research Informatics Core staff or by automated processing. The Research Informatics Core staff will send the data to the vendor systems through secure and medical school-approved mechanisms. Identifiable information will be sent in adherence to security guidelines set forth by the UMMS IT Security and Compliance Office.

VII. The Research Informatics Core will maintain a log of data releases and ensure that a Confidentiality Agreement is complete before access is provided.