If you are not doing research that requires access to protected health information (PHI), HIPAA and the Privacy rule will not impact your research. UMass Amherst researchers who need access to their subject's PHI for research purposes should understand the structure of UMass Amherst as an organization under HIPAA. Under HIPAA, UMass Amherst is a hybrid entity. Researchers outside a covered entity (like most UMass Amherst PIs) must request the covered entity, via a signed authorization from the subject, to "disclose" the subject's PHI to them. This includes requests for review of medical records except where a waiver has been obtained. Once a covered entity discloses PHI to a researcher outside the covered entity, HIPAA and the Privacy rule no longer cover those records. However, a researcher outside the covered entity should expect to follow the spirit of the Privacy rule, as well as the Common Rule, and protect a subject's PHI by providing assurance to the subject in the informed consent document that the PHI will only be used for the purposes described in the informed consent document. The PHI should not be disclosed to any third parties not mentioned in the consent document without prior approval by the subject.