{"id":744,"date":"2018-05-04T08:37:44","date_gmt":"2018-05-04T08:37:44","guid":{"rendered":"https:\/\/az.research.umich.edu\/medschool\/document\/hipaa\/"},"modified":"2026-03-06T13:37:45","modified_gmt":"2026-03-06T18:37:45","slug":"hipaa","status":"publish","type":"document","link":"https:\/\/az.research.umich.edu\/medschool\/guidance\/hipaa\/","title":{"rendered":"HIPAA"},"template":"","categories":[24],"tags":[],"content-type":[41],"topic":[45],"update-type":[],"class_list":["post-744","document","type-document","status-publish","hentry","category-institutional-review-boards-irbmed","content-type-guidance","topic-hipaa-protected-health-information"],"acf":{"use_legacy_editor":true,"updated_date":"2026-03-06 13:30:00","update_notice":false,"author":"IRBMED","summary":"The\u00a0<a href=\"https:\/\/www.hhs.gov\/hipaa\/index.html\">Health Insurance Portability and Accountability Act<\/a>\u00a0(HIPAA)\u00a0<a href=\"https:\/\/www.hhs.gov\/hipaa\/for-professionals\/privacy\/index.html\">Privacy Rule<\/a>\u00a0governs the use and release of a patient's personal health information, also known as\u00a0<a href=\"\/medschool\/guidance\/protected-health-information-phi\">Protected Health Information (PHI)<\/a>, by a\u00a0<a class=\"gtip\" href=\"\/medschool\/glossary\/covered-entity\">covered entity<\/a>.\r\n\r\n<a href=\"https:\/\/www.hhs.gov\/hipaa\/for-professionals\/special-topics\/research\/index.html\">To use and\/or disclose PHI for research\u00a0purposes<\/a>\u00a0generally requires either a signed authorization from the individual or a\u00a0<a href=\"\/medschool\/guidance\/request-waiver-hipaa-authorization\">waiver of authorization<\/a>\u00a0by the IRBMED. The Privacy Rule also allows, without individual authorization, use\/disclosure under a selected few additional circumstances:\r\n<ul>\r\n \t<li>Use\/disclosure is solely for purposes\u00a0<a href=\"\/medschool\/guidance\/certification-preparatory-research\">preparatory to research,<\/a> such as assessing the feasibility of conducting a study.<\/li>\r\n \t<li>Use\/disclosure is solely for research on the\u00a0<a href=\"\/medschool\/guidance\/decedents\">protected health information of decedents<\/a>\u00a0(deceased individuals)<\/li>\r\n \t<li>Data is\u00a0<a href=\"\/medschool\/guidance\/de-identified-data-sets\">de-identified<\/a>\u00a0by the covered entity\u00a0<strong>before<\/strong>\u00a0being made available to the researcher (researcher never views PHI).<\/li>\r\n \t<li>A\u00a0<a href=\"\/medschool\/guidance\/limited-data-sets\">limited data set<\/a>\u00a0may be used\/disclosed under the terms of a written data use agreement.<\/li>\r\n<\/ul>\r\nFor studies subject to\u00a0<a href=\"https:\/\/medresearch.umich.edu\/office-research\/about-office-research\/our-units\/institutional-review-boards-irbmed\/irbmed-frequently-asked-questions-faq#review\">IRBMED\u00a0review and approval<\/a>, the Full Convened Board or\u00a0<a href=\"\/medschool\/guidance\/expedited-review\">Expedited Reviewer<\/a>(s) makes applicable determinations regarding HIPAA compliance along with determinations required by other\u00a0<a href=\"\/medschool\/guidance\/federal-regulations\">federal\u00a0regulations<\/a>.\r\n\r\nHIPAA Privacy Rule protections apply to research use\/disclosure of PHI,\u00a0<strong>independent\u00a0of<\/strong>\u00a0other\u00a0<a href=\"\/medschool\/guidance\/federal-regulations\">federal\u00a0regulations<\/a>\u00a0on <a class=\"gtip\" href=\"\/medschool\/glossary\/human-subject-0\">human subjects<\/a> research. For instance, \u201c<a href=\"\/medschool\/guidance\/exempt-human-subjects-research\/\">Exempt human subjects research<\/a>\u201d making use of PHI to identify <a class=\"gtip\" href=\"\/medschool\/glossary\/eligible\">eligible<\/a> subjects, or to create a research dataset, may require a waiver of HIPAA authorization.\u00a0 \u201cActivities not regulated as human subjects research\u201d that involve use\/disclosure of PHI are also regulated under HIPAA. Depending on the type of activity, HIPAA requirements may be satisfied by individual authorization, waiver, or one of the other provisions. IRBMED\u00a0makes determinations regarding HIPAA compliance for \u201cExempt human subjects research\u201d and for \u201cActivities not regulated as human subjects research.\u201d\r\n\r\nResearch involving PHI may also require a data use agreement (DUA), even when Michigan Medicine\u00a0staff\/faculty use Michigan Medicine data. Standard Data Use Agreement (<em>aka<\/em>\u00a0Data Sharing Agreement) templates for Michigan Medicine\u00a0data are available from the\u00a0<a href=\"https:\/\/medresearch.umich.edu\/office-research\/about-office-research\/our-units\/data-office-clinical-translational-research\">UMMS Data Office for Clinical and Translational Research<\/a>\u00a0and\u00a0<a href=\"https:\/\/umhealth.sharepoint.com\/sites\/Corporate-Compliance\/SitePages\/Data-Use-and-Sharing.aspx\">Michigan Medicine Corporate Compliance Office<\/a> <em>level-2 login required<\/em>. These offices, as well as\u00a0<a href=\"http:\/\/orsp.umich.edu\/policies-procedures\/data-sharing-and-use-agreements\">ORSP Data Sharing Resource Center<\/a>, are available to assist with DUAs. External DUAs (sending data to, or obtaining from, outside the University) should be processed through the\u00a0<a href=\"http:\/\/orsp.umich.edu\/unfunded-agreement-types\">Unfunded Agreement (UFA)<\/a> form in <a href=\"https:\/\/its.umich.edu\/academics-research\/research\/eresearch\/\">eResearch<\/a>\u00a0Proposal Management (<a href=\"https:\/\/its.umich.edu\/academics-research\/research\/eresearch\/proposal-management\">eRPM<\/a>).","button_links":null,"related_content":[745,752],"legacy_path":"hipaa","legacy_node_id":284,"legacy_related_nids":"285, 293","legacy_content_section":[{"legacy_section_type":"heading","legacy_heading":"IRBMED HIPAA topics","legacy_subheading":"","legacy_section_text":"","legacy_media_position":"","legacy_media_file":"","legacy_media_url":"","legacy_glossary_term":"","legacy_glossary_nids":"","legacy_resource":"","legacy_resource_nids":"","legacy_buttons":null},{"legacy_section_type":"text_area","legacy_heading":"","legacy_subheading":"","legacy_section_text":"<ul>\r\n \t<li><a href=\"\/medschool\/guidance\/protected-health-information-phi\/\">Protected Health Information<\/a><\/li>\r\n \t<li><a href=\"\/medschool\/guidance\/uses-disclosures-protected-health-information-phi\/\">Uses and Disclosures of Protected Health Information<\/a><\/li>\r\n \t<li><a href=\"\/medschool\/guidance\/waiver-or-alteration-hipaa-authorization\/\">Waiver of HIPAA Authorization<\/a><\/li>\r\n \t<li>IRBMED\u00a0<a href=\"https:\/\/medresearch.umich.edu\/office-research\/about-office-research\/our-units\/institutional-review-boards-irbmed\/irbmed-education\">Course Offerings<\/a>\u00a0on Privacy and <a class=\"gtip\" href=\"\/medschool\/glossary\/confidentiality\">Confidentiality<\/a><\/li>\r\n \t<li><a href=\"https:\/\/hrpp.umich.edu\/u-mic\/\">U-MIC<\/a> educational presentations\r\n<ul>\r\n \t<li>Protected Health Information (PHI)<\/li>\r\n \t<li>The HIPAA Privacy Rule: Requirements and Waivers<\/li>\r\n<\/ul>\r\n<\/li>\r\n<\/ul>","legacy_media_position":"","legacy_media_file":"","legacy_media_url":"","legacy_glossary_term":"","legacy_glossary_nids":"","legacy_resource":"","legacy_resource_nids":"","legacy_buttons":null},{"legacy_section_type":"heading","legacy_heading":"HIPAA Authorization documents","legacy_subheading":"","legacy_section_text":"","legacy_media_position":"","legacy_media_file":"","legacy_media_url":"","legacy_glossary_term":"","legacy_glossary_nids":"","legacy_resource":"","legacy_resource_nids":"","legacy_buttons":null},{"legacy_section_type":"text_area","legacy_heading":"","legacy_subheading":"","legacy_section_text":"<a href=\"https:\/\/medresearch.umich.edu\/office-research\/about-office-research\/our-units\/institutional-review-boards-irbmed\/informed-consent-assent-templates\">IRBMED Informed Consent Templates<\/a> include HIPAA Authorization section for research","legacy_media_position":"","legacy_media_file":"","legacy_media_url":"","legacy_glossary_term":"","legacy_glossary_nids":"","legacy_resource":"","legacy_resource_nids":"","legacy_buttons":null},{"legacy_section_type":"heading","legacy_heading":"Regulations, Guidance, and Policies","legacy_subheading":"","legacy_section_text":"","legacy_media_position":"","legacy_media_file":"","legacy_media_url":"","legacy_glossary_term":"","legacy_glossary_nids":"","legacy_resource":"","legacy_resource_nids":"","legacy_buttons":null},{"legacy_section_type":"text_area_with_subheading","legacy_heading":"","legacy_subheading":"Federal Regulations &amp; Guidance on HIPAA","legacy_section_text":"<ul>\r\n \t<li style=\"list-style-type: none\">\r\n<ul>\r\n \t<li><a href=\"https:\/\/www.ecfr.gov\/current\/title-45\/subtitle-A\/subchapter-C\/part-164\">45 CFR 164<\/a>.501, .508, .512(i)<\/li>\r\n \t<li><a href=\"https:\/\/www.hhs.gov\/hipaa\/for-professionals\/privacy\/index.html\">Office for Civil Rights<\/a>\u00a0main HIPAA site\r\n<ul>\r\n \t<li><a href=\"https:\/\/www.hhs.gov\/hipaa\/for-professionals\/privacy\/guidance\/research\/index.html\">Research<\/a> and HIPAA Privacy Rule page<\/li>\r\n<\/ul>\r\n<\/li>\r\n<\/ul>\r\n<\/li>\r\n<\/ul>","legacy_media_position":"","legacy_media_file":"","legacy_media_url":"","legacy_glossary_term":"","legacy_glossary_nids":"","legacy_resource":"","legacy_resource_nids":"","legacy_buttons":null},{"legacy_section_type":"text_area_with_subheading","legacy_heading":"","legacy_subheading":"Michigan Medicine Guidance on HIPAA","legacy_section_text":"<em>(requires level-2 login)<\/em>\r\n<ul>\r\n \t<li><a href=\"https:\/\/umhealth.sharepoint.com\/sites\/Corporate-Compliance\/SitePages\/HIPAA.aspx\">Michigan Medicine HIPAA Information<\/a><\/li>\r\n \t<li><a href=\"https:\/\/umhealth.sharepoint.com\/sites\/Corporate-Compliance\/SitePages\/HIPAA-Training.aspx\">HIPAA &amp; Research Education Module<\/a><\/li>\r\n \t<li><a href=\"https:\/\/umhealth.sharepoint.com\/sites\/Corporate-Compliance\/SitePages\/The-University-of-Michigan-HIPAA-Hybrid-Covered-Entity.aspx\">UM HIPAA Hybrid Covered Entity<\/a><\/li>\r\n<\/ul>","legacy_media_position":"","legacy_media_file":"","legacy_media_url":"","legacy_glossary_term":"","legacy_glossary_nids":"","legacy_resource":"","legacy_resource_nids":"","legacy_buttons":null},{"legacy_section_type":"text_area_with_subheading","legacy_heading":"","legacy_subheading":"Michigan Medicine Policies on HIPAA, Security, and Privacy","legacy_section_text":"<em>(requires level-2 login)<\/em>\r\n<ul>\r\n \t<li><a href=\"https:\/\/michmed-administration.policystat.com\/policy\/6450709\/latest\/\">01-04-300<\/a> Introduction to Privacy and Security Concepts and Definitions<\/li>\r\n \t<li><a href=\"https:\/\/michmed-administration.policystat.com\/policy\/7029333\/latest\/\">01-04-340<\/a> De-identification and Re-identification of <a class=\"gtip\" href=\"\/medschool\/guidance\/protected-health-information-phi\">Protected Health Information (PHI)<\/a><\/li>\r\n \t<li><a href=\"https:\/\/michmed-administration.policystat.com\/policy\/6450653\/latest\/\">01-04-342<\/a> Limited Data Sets<\/li>\r\n \t<li><a href=\"https:\/\/michmed-administration.policystat.com\/policy\/7304325\/latest\/\">01-04-360<\/a> Use of Protected Health Information (PHI) in Research<\/li>\r\n \t<li><a href=\"https:\/\/michmed-administration.policystat.com\/policy\/8074687\/latest\/\">01-04-001<\/a> Corporate Compliance Program (code of conduct which contains requirements for securing\r\ndata)<\/li>\r\n<\/ul>\r\n<a href=\"mailto:irbmed@umich.edu?subject=HIPPA\">Email Questions about IRBMED HIPAA documents, applications, and processes<\/a>","legacy_media_position":"","legacy_media_file":"","legacy_media_url":"","legacy_glossary_term":"","legacy_glossary_nids":"","legacy_resource":"","legacy_resource_nids":"","legacy_buttons":null}],"update_notice_type":[],"update_notice_start":"","update_notice_end":"","update_notice_text_blocks":null,"global_contact_block":false,"contact_name":"","contact_email":"","contact_additional_info":"Contact us at\u00a0<a href=\"mailto:irbmed@umich.edu\">irbmed@umich.edu<\/a>\u00a0or 734-763-4768 \/ (Fax 734-763-1234)\r\n2800 Plymouth Road, Ann Arbor, MI 48109-2800\r\n\r\n<p>A <a href=\"https:\/\/medresearch.umich.edu\/office-research\/about-office-research\/our-units\/institutional-review-boards-irbmed\/irbmed-contacts-roster#irbmed-staff\">list of IRBMED staff<\/a> is available at our website.<\/p>\r\n\r\nEdited By: <a href=\"mailto:larkspur@umich.edu\">larkspur@umich.edu<\/a>\r\nLast Updated: March 6, 2026 1:30PM","global_contact_block_select":null},"_links":{"self":[{"href":"https:\/\/az.research.umich.edu\/medschool\/wp-json\/wp\/v2\/document\/744","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/az.research.umich.edu\/medschool\/wp-json\/wp\/v2\/document"}],"about":[{"href":"https:\/\/az.research.umich.edu\/medschool\/wp-json\/wp\/v2\/types\/document"}],"version-history":[{"count":2,"href":"https:\/\/az.research.umich.edu\/medschool\/wp-json\/wp\/v2\/document\/744\/revisions"}],"predecessor-version":[{"id":1908,"href":"https:\/\/az.research.umich.edu\/medschool\/wp-json\/wp\/v2\/document\/744\/revisions\/1908"}],"acf:post":[{"embeddable":true,"href":"https:\/\/az.research.umich.edu\/medschool\/wp-json\/wp\/v2\/document\/752"},{"embeddable":true,"href":"https:\/\/az.research.umich.edu\/medschool\/wp-json\/wp\/v2\/document\/745"}],"wp:attachment":[{"href":"https:\/\/az.research.umich.edu\/medschool\/wp-json\/wp\/v2\/media?parent=744"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/az.research.umich.edu\/medschool\/wp-json\/wp\/v2\/categories?post=744"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/az.research.umich.edu\/medschool\/wp-json\/wp\/v2\/tags?post=744"},{"taxonomy":"content-type","embeddable":true,"href":"https:\/\/az.research.umich.edu\/medschool\/wp-json\/wp\/v2\/content-type?post=744"},{"taxonomy":"topic","embeddable":true,"href":"https:\/\/az.research.umich.edu\/medschool\/wp-json\/wp\/v2\/topic?post=744"},{"taxonomy":"update-type","embeddable":true,"href":"https:\/\/az.research.umich.edu\/medschool\/wp-json\/wp\/v2\/update-type?post=744"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}