Health Insurance Portability and Accountability Act (HIPAA)

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) is a complex regulation that affects many researchers at the University of Massachusetts Medical School. The HIPAA regulation was designed to protect the privacy of Protected Health Information (PHI) by restricting how that information may be used and disclosed.

Is my Research Covered by HIPAA?

HIPAA applies if your research study uses, or will use, Protected Health Information held by UMass Memorial Medical Center (UMMMC) or another HIPAA covered entity.

HIPAA Forms to be Used (for research purposes only)

Links to Additional Information

Research Subjects’ Rights Under HIPAA

What information can be disclosed without my consent? (coming soon...)

Do I have access to any of the information in my research record? (coming soon...)

How do I know if my record has been accessed? (coming soon...)

Who do I call if I have questions?

  • For questions about your general privacy rights, contact the Privacy Officer of your health care provider. At UMass Memorial Healthcare, Inc., please call 508-334-5551 (privacy line).
  • For questions about use and handling of data in a particular study you are enrolled in, or considering enrolling in, contact the Principal Investigator or a member of the study team.

Researcher Obligations Under HIPAA

Researchers may only create, access or use individually identifiable data for research purposes under certain circumstances, and with certain permissions.

The HIPAA Privacy Rule applies to individually identifiable health information held by covered entities. Researchers may access or use this information only with an appropriate permission (an Authorization signed by the subject, or a waiver of Authorization granted by the IRB) and may use it only in the manner that permission allows. The HIPAA Privacy Rule also creates special exceptions for:

  • Limited Data Sets obtained through a Data Use Agreement (coming soon...)
  • Decedent Data (coming soon...)
  • Activities Preparatory to Research (coming soon...)

The HIPAA Privacy Rule does not apply to:

  • De-identified data (as defined by the Privacy Rule: either the Safe Harbor method, in which the 18 listed identifiers are removed, or Expert Determination, in which a qualified expert documents that the risk of re-identification is very small)

Researchers must ensure that the data is used only as permitted and is protected through physical, technical and administrative safeguards. These protections include:

  • Storing all data appropriately and securely
  • Keeping every device and network that stores the data secure, patched and free of malware
  • Limiting access to identifiable data to the individuals who need it for the approved study
  • Protecting against inappropriate re-use of the data for purposes outside the applicable permission
  • Promptly reporting any breach (electronic compromise, loss of paper files, or any other compromise of data or identifiable information) to the appropriate parties, including Information Technology (http://www.umassmed.edu/it/security/report-a-problem/) and the IRB, as Reportable New Information

How Do I?

Get appropriate approvals related to research?

Obtain information about data use agreements for limited data sets? (coming soon...)

Obtain access to the EHR or other clinical applications for research personnel? (coming soon...)

Obtain access to PHI or data sets from the data repository? (coming soon...)

Frequently Asked Questions (coming soon...)
