HIPAA (Health Insurance Portability and Accountability Act) Privacy Rule

UMass Amherst, like all institutions, must be in compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule by April 14, 2003. Regulations that have come from HIPAA affect the use of protected health information (PHI, i.e., person-identifiable information produced as a result of health-care services) by researchers. Under HIPAA, UMass Amherst is a “hybrid entity,” meaning that only part of the organization is regulated by HIPAA.

If you are not conducting research that requires access to protected health information (PHI), HIPAA and the Privacy Rule will not impact your research. UMass Amherst researchers who need access to their subjects' PHI for research must request it from a covered entity. This includes requests for review of medical records, except where a waiver has been obtained. Once a covered entity discloses PHI to a researcher outside the covered entity, HIPAA and the Privacy Rule no longer cover those records. However, a researcher outside the covered entity should expect to follow the spirit of the Privacy Rule, as well as the Common Rule, and protect a subject's PHI by providing assurance to the subject in the informed consent document that the PHI will only be used for the purposes described in the informed consent document. The PHI should not be disclosed to any third parties not mentioned in the consent document without prior approval by the subject.

For additional information you can view the HIPAA rule text and get the big HIPAA picture from the Office for Civil Rights web site.

Baystate Medical Center

The Privacy Rule and HIPAA regulations will impact some of the collaborative research projects between the University of Massachusetts and Baystate Medical Center (BMC). If you are working with a BMC collaborator and need access to your subjects' protected health information (PHI) stored at BMC, you will need to obtain Authorization from the subject to disclose their PHI. Your Authorization form will need to be reviewed by the Privacy Office at BMC, and they request that you use the BMC HIPAA Authorization forms for collaborative projects with BMC. Please contact the BMC IRB for further information about how to obtain BMC's Authorization template.

Check HIPAA Frequently Asked Questions for more information.