The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule governs the use and release of a patient's personal health information, also known as Protected Health Information (PHI), by a covered entity.
To use and/or disclose PHI for research purposes generally requires either a signed authorization from the individual or a waiver of authorization by the IRBMED or Michigan Medicine Privacy Board. The Privacy Rule also allows, without individual authorization, use/disclosure under a selected few additional circumstances:
For studies subject to IRBMED review and approval, the Full Convened Board or Expedited Reviewer(s) makes applicable determinations regarding HIPAA compliance along with determinations required by other federal regulations.
HIPAA Privacy Rule protections apply to research use/disclosure of PHI, independent of other federal regulations on human subjects research. For instance, “Exempt human subjects research” making use of PHI to identify eligible subjects, or to create a research dataset, may require a waiver of HIPAA authorization. “Activities not regulated as human subjects research” that involve use/disclosure of PHI are also regulated under HIPAA. Depending on the type of activity, HIPAA requirements may be satisfied by individual authorization, waiver, or one of the other provisions. Michigan Medicine Privacy Board makes determinations regarding HIPAA compliance for “Exempt human subjects research” and for “Activities not regulated as human subjects research.”
Research involving PHI may also require a data use agreement (DUA), even when Michigan Medicine staff/faculty use Michigan Medicine data. Standard Data Use Agreement (aka Data Sharing Agreement) templates for Michigan Medicine data are available from the UMMS Data Office for Clinical and Translational Research and Michigan Medicine Compliance Office. These offices, as well as ORSP Data Sharing Resource Center, are available to assist with DUAs. External DUAs (sending data to, or obtaining from, outside the University) should be processed through the Unfunded Agreement (UFA) form in eResearch Proposal Management (eRPM).