HIPAA Privacy Rule Information

UMass Amherst, like all institutions, must be in compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule by April 14, 2003. Regulations that have come from HIPAA affect the use of protected health information (PHI, i.e. person-identifiable information produced as a result of health-care services) by researchers. Under HIPAA, UMass Amherst is a “hybrid entity,” meaning that only part of the organization is regulated by HIPAA.

If you are not doing research that requires access to protected health information (PHI), HIPAA and the Privacy Rule will not impact your research. UMass Amherst researchers who need access to their subjects' PHI for research must request it from a covered entity. This includes requests for review of medical records, except where a waiver has been obtained. Once a covered entity discloses PHI to a researcher outside the covered entity, HIPAA and the Privacy Rule no longer cover those records. However, a researcher outside the covered entity should expect to follow the spirit of the Privacy Rule, as well as the Common Rule, and protect a subject's PHI by providing assurance to the subject in the informed consent document that the PHI will only be used for the purposes described in the informed consent document. The PHI should not be disclosed to any third parties not mentioned in the consent document without prior approval by the subject.

For additional information you can view the HIPAA rule text and get the big HIPAA picture from the Office for Civil Rights web site.

Check the HIPAA Frequently Asked Questions for more information.