The University of Michigan News Services
The University Record Online
Updated 3:00 PM May 2, 2005




Researchers—Do new HIPAA rules apply to your data?

Researchers throughout the University may think that HIPAA (Health Insurance Portability and Accountability Act)—the federal regulation requiring medical information privacy and security—is relevant only to those who provide patient care. Not so. If you are responsible for a database, registry or spreadsheet of information about patients or human subjects, the HIPAA Security Rule—which took effect April 21—may apply to you.

So far, most HIPAA-related publicity has been about the HIPAA Privacy Rule, which took effect April 14, 2003. This rule requires health care organizations to take measures to protect the privacy of identifiable information about patients (termed protected health information, or PHI). It also established additional rights for patients with regard to their information.

The new HIPAA Security Rule focuses on protecting the confidentiality, integrity and availability of PHI in electronic form. It covers many databases or applications that provide access to identifiable information about the health of patients or human subjects. Unlike the Privacy Rule, this rule's implementation is mostly technical—but it does have implications for non-technical staff, and specifically for researchers.

If you or a member of your research staff is responsible for any electronic collections of patient or human subject data, or programs that access such information, the Security Rule may apply. This can be true even if your specific unit is not part of a health care organization.

To find out if the new rule applies to you, please e-mail the Health System's Compliance Office at The e-mail should include the facility location, its organizational affiliation with U-M, what data its collections contain, and who are the subjects of the data. Also, please include the name of the person responsible for managing the database or registry. Please note that the Health System Compliance Office is able to help all University researchers, even those outside the Medical School and Hospitals & Health Centers, in this matter.

If you have any questions, feel free to e-mail the Compliance Office at the above address, or call (734) 615-4759. You also can learn more about HIPAA security at the Compliance Web site:
