
Procedure for Third-Party Vendors and Protected Health Information


The ability to use protected health information (PHI) in research supports clinical and translational research. The use of PHI carries special obligations for management of access in order to protect the rights and welfare of patients as delineated by the Health Insurance Portability and Accountability Act (“HIPAA”). UMass Memorial Health Care (“clinical system”) and UMass Chan Medical School have entered into a business associates agreement (BAA) that delineates the conditions under which the clinical system shares PHI with the medical school. Based on the agreement, while the medical school is not a Covered Entity, the medical school is a Business Associate and as such is required to protect clinical data in compliance with the HIPAA Security and Privacy rules. The clinical system will allow the medical school to enable access to PHI in order to further the mission of research as long as standard operating procedures are established and followed to ensure appropriate protection of the data. Additionally, no third party, unless they are part of the UMass Chan Data Lake development project and have an established contract for UMass Chan Data Lake development work with the medical school, will have direct access to UMass Chan Data Lake or associated systems that store data.


Any Medical School researcher intending to use a third-party vendor for developing analytics or decision support systems that use clinical data or integrate with UMMHC clinical systems or the medical school’s Data Lake needs to follow the guidelines below:

1. The PI of the study must have a current faculty appointment at the medical school.

2. The following documents must be sent to the medical school Data Science Core via

a. A Statement of Work ("SOW") that includes the following:

  • Description of the project
  • Duration of engagement
  • Payment terms
  • Data Type (aggregate/identified/deidentified) requested
  • List of data categories requested
  • Proposed technological infrastructure
  • Process workflows
  • Access requirements
  • Data encryption and transmission protocols proposed by the vendor
  • Data handling mechanisms

b. In addition, to be included in the SOW or associated documentation:

  • Data releases and data retention policies by the vendor
  • Description of all third party hosting and access platforms, including specific geographical locations
  • Third-party information security and privacy review (SSAE16, HITRUST certification, HIPAA review, etc.)

3. The Data Science Core will provide these documents to UMass Chan IT Security and Compliance Office for security review. These documents must also be provided to and reviewed by the school’s Office of General Counsel for a contractual review and by the Privacy Officer for a privacy review.

Upon successful completion of the contractual, privacy, and security reviews, the school’s Office of General Counsel will establish a contractual agreement with the vendor, which may involve a BAA and data use agreement as deemed necessary.

4. Prior to the release of PHI, the medical school’s Institutional Review Board (IRB) approval must be obtained and the protocol must outline details regarding categories of data requested, data handling mechanisms and data retention policies by the vendor. The previous steps within this SOP will be completed before submission to the IRB. The PI should submit documentation associated with this SOP as part of their IRB submission.

5. Once the above conditions are met, go to the Research Informatics Website and complete the data request form.

6. Required data will be extracted either manually by the Data Science Core staff or by automated processing. The Data Science Core staff will send the data to the vendor systems through secure, medical school-approved mechanisms. Identifiable information will be sent in adherence to security guidelines set forth by the UMass Chan IT Security and Compliance Office.

7. Data Science Core will maintain a log of data releases and ensure that a Confidentiality Agreement is complete before access is provided.

Information Security Procedure:

1. For all vendors providing services requiring access to protected health information and/or confidential information, UMass Chan will request the most recent SSAE16/SOC2 and/or third-party application assessment.

Data Science Core will provide the Information Security Office the following vendor information:

a. Vendor Name

b. Vendor Address/Contact Information (phone & email address)

c. Application Name

d. Any SSAE16, 3rd party application assessment and/or HIPAA risk assessment (completed by 3rd party or internally)

2. Information Security will document any findings and recommendations resulting from document review in a standard risk assessment template. Upon completion, Information Security will provide the completed assessment to the PI, Data Science Core and the IRB.

a. High risk findings are expected to be closed within 30 days of the finding being identified.

b. Moderate findings are expected to be closed within 90 days of the finding being identified.

c. Low risk findings are expected to be closed within 6 months of the finding being identified and are of an informational nature.

3. On an annual basis, Data Science Core will send a standard memo to each vendor requesting the most recent SSAE16 and/or third-party application assessment and make this report available to Information Security.