HIPAA (the Health Insurance Portability and Accountability Act of 1996) required the creation of a Privacy Rule for identifiable health information. The resultant Privacy Rule, finalized in August 2002, took effect on April 14, 2003. While the main impact of the Privacy Rule is on the provision of care (treatment, payment and operations), the Rule also affects the conduct and oversight of research.

• Overview of the HIPAA Final Privacy Regulations
• Federal Privacy Regulations -General Overview and Effects on Research
• Background on HIPAA and the Privacy Rule
• FAQs
• Glossary
• Tracking Tool
• Training via HealthStream and search 'PHE HIPAA' (PHS internal only link)

HIPAA and the Security Rule

The HIPAA Security Rule, which addresses the privacy protection of electronic protected health information (PHI), went into effect in April 2005. Similar to the Privacy Rule, the Security Rule also deals with identifiable health information as defined by the HIPAA-designated 18 identifiers. The Security Rule defines standards for protecting electronic PHI with detailed attention to how PHI is stored, accessed, transmitted, and audited.

The Security Rule affects any researcher who stores PHI electronically, including (but not limited to):
1. A single researcher who stores data in a spreadsheet, Word document, etc., on an H: drive
2. A researcher who stores data on a personal laptop, zip drive, or other portable hard drive or non-Partners PC
3. A researcher and co-investigators who access data on a shared drive maintained by their department or by Partners IS
4. Researchers who transmit data electronically as part of a multi-center study
5. Researchers who maintain small, medium, or large data repositories.

HIPAA Policies

• Access to Health Information of Decedents for Research
• Certificates of Confidentiality & the HIPAA Privacy Rule
• HIPAA Privacy Rule and Adverse Event Reporting
• HIPAA Privacy Rule and Research with De-identified Information (Section 164.514)
• Individual Rights in the Research Context
• Limited Data Sets in Research
• Partners Limited Data Set Policy (PHS internal only links)
  • Internal Data Use Agreement
  • External Data Use Agreement
• Minimum Necessary Standard: Research Activities
• Waiver and Alteration of Informed Consent and Authorization for Research

Member institutions within Partners may have institution-specific HIPAA pages. Please consult these pages for additional HIPAA guidance (PHS internal only links).

• Partners HIPAA Privacy Officers Listed by Sites
• BWH HIPAA
• MGH HIPAA
• Partners HIPAA Central

Partners HIPAA Forms

• Privacy Notice -Updated 8/2013 (PHS internal only links)
  • English Version
  • Spanish Version
• Business Associate Agreement Page (PHS internal only link)
• Acknowledgement of Receipt of Privacy Notice (English and Spanish Versions) (PHS internal only link)