HIPAA and the Privacy Rule

HIPAA (the Health Insurance Portability and Accountability Act of 1996) required the creation of a Privacy Rule for individually identifiable health information. The resulting Privacy Rule, finalized in August 2002, took effect on April 14, 2003. While the main impact of the Privacy Rule is on the provision of care (treatment, payment and health care operations), the Rule also affects the conduct and oversight of research.

HIPAA and the Security Rule

The HIPAA Security Rule, which addresses the protection of electronic protected health information (ePHI), had a compliance date of April 20, 2005 for most covered entities. Like the Privacy Rule, the Security Rule applies to individually identifiable health information (the information that carries any of the 18 HIPAA identifiers), but only when it is created, received, maintained or transmitted in electronic form. Whereas the Privacy Rule governs who may use and disclose PHI, the Security Rule requires administrative, physical and technical safeguards for the confidentiality, integrity and availability of ePHI, with detailed attention to how ePHI is stored, accessed, transmitted, and audited.

The Security Rule affects any researcher who stores PHI electronically, including (but not limited to):
1. A single researcher who stores data in a spreadsheet, Word document, etc., on an H: drive
2. A researcher who stores data on a personal laptop, Zip drive, or other portable hard drive or non-Partners PC
3. A researcher and co-investigators who access data on a shared drive maintained by their department or by Partners IS
4. Researchers who transmit data electronically as part of a multi-center study
5. Researchers who maintain small, medium, or large data repositories

HIPAA Policies

Member institutions within Partners may have institution-specific HIPAA pages. Please consult these pages for additional HIPAA guidance (links are PHS-internal only).

Partners HIPAA Forms