Health Information Privacy & Security

Take home message: If you have any interface with protected health information (PHI) – which may include patient data you see or use in your research, even if you are not yourself a part of the UMHS workforce – then you must make sure you understand the privacy and security laws that apply to the protection and use of such information.

U-M Policy and helpful links

  • HIPAA, or the Health Insurance Portability and Accountability Act and its regulations impose requirements on the use and disclosure of protected health information by U-M as a health provider (a “covered entity” under the Act), as well as imposing security requirements that must be in place to protect any electronic health information (such as limiting access, and using encryption). For further background information, see the Department of Health and Human Services Office for Civil Rights site on health information privacy.
  • The UMHS Compliance Office oversees U-M’s compliance with HIPAA and other health information privacy & security requirements. For an overview of HIPAA and U-M’s approach to meeting its requirements (including UMHS Policies), see the HIPAA page on the UMHS Compliance site (viewable on U-M networks only). For an overview of the security requirements, see the iSecure awareness page.
  • Protected Health Information (or PHI) includes any information that concerns health status, provision of health care, or payment for health care that can be linked to an individual; this includes a patient’s medical records and clinical billing records.
  • UMHS is required to give patients a Notice of Privacy Practices telling how their PHI is protected. If a practitioner wants to do research involving a patient or their records, the patient must specifically consent to that use of their information.
  • Circumstances where PHI can be lawfully disclosed under HIPAA include: to a patient requesting their own records; when disclosure is required to facilitate treatment, payment, or health care operations; when disclosure is required by law (such as reporting suspected child abuse to state child welfare agencies); and in response to an emergency or disaster situation, where disclosure would lessen a serious and imminent threat to the health and safety of a person or the public. Any other kind of disclosure must be authorized in writing by the patient. See the UMHS Compliance HIPAA page for more information (viewable on U-M networks only), and in particular the Guidelines on releasing information on the condition of patients to the media and others (which include scenarios where limited information can be given to outsiders who ask about a patient by name).
  • HIPAA training is mandatory for the whole UMHS workforce and for anyone who could potentially have access to PHI in the course of their work. This includes those outside the UMHS, such as researchers or students from other U-M Departments who are performing work in connection with the UMHS, and those who work in other parts of the University that form part of the HIPAA “Covered Entity” (such as certain offices that advise or support the Health System). See the UMHS Compliance page on HIPAA training to find the training that is most relevant to you – or, if you are viewing this site from outside the U-M network, go to the off-campus HIPAA training site.
  • If you are in a Department outside the UMHS, doing research that is related in any way to patient care or health care systems, and are unsure whether HIPAA might be relevant to your research, contact the Institutional Review Board to talk through your scenario.

Things to remember

  • Protecting the privacy of patient information includes securing that information at all times. Storing patient information on unsecured, portable devices such as thumb drives or smart phones (even temporarily) is a violation of the law and could result in serious consequences – up to and including jail! See the UMHS Compliance Office page on Information Security (iSecure) awareness for helpful hints on securing sensitive information; see also the separate IT Security compliance page.
  • If you are a U-M researcher from outside the Health System who is doing any work in collaboration or connection with the Health System, you must make sure you understand the laws (including HIPAA) that apply to patient data and information. Even if you are using de-identified data, or focusing on some aspect other than patient care (such as hospital administration or processes), make sure you double-check what the privacy and security requirements are and how they may apply to your work. See the training materials on the UMHS Compliance pages on HIPAA training and on Information Security (iSecure) awareness, or contact the UMHS Compliance Office or the Institutional Review Board for guidance.
  • If a clinical practitioner wants to do research involving a patient or their records, that research must first be approved by the Institutional Review Board (IRB). Either the patient must expressly authorize the use of their data for research, or the IRB needs to waive the requirement for patient authorization. See the UMHS Compliance page on privacy and security in research, and the FAQs on research for guidance; and see also the Human Subjects Research compliance page for information about the IRB process.
  • Remember that protected health information (PHI) may not be the only information U-M holds about a patient that is subject to privacy requirements: depending on their other connections to U-M, we may hold information such as student records, employee records, credit card or SSN information. Each of these types of information is subject to different requirements: see the Privacy & Confidentiality compliance page for more information.

People to talk to

For questions relating to HIPAA, or to request HIPAA training, contact the UMHS Compliance Office [if you are outside the U-M network, go to their external page] by calling (734) 615-4400 or emailing them.

For questions relating to human subjects research, and the use of patient records, contact the Institutional Review Board most relevant to your research (Medical, Behavioral & Health Sciences, U-M Flint or U-M Dearborn).

For legal assistance or advice relating to clinical billing, contact the Health System Legal Office (security issues) or Kara Morgenstern (privacy issues) in the Health System Legal Office (a part of the Office of the General Counsel).

Established 3/4/11, last updated 3/7/17 – Contact us if you believe any information is incorrect or outdated