» Chapman University Fact sheet on Health Insurance Portability and Accountability Act (HIPAA) and Protected Health Information (PHI)

In the course of conducting research and/or seeing patients/clients within the University's programs, Chapman personnel may create or obtain medical information. Please note the following regarding handling of protected health information at Chapman:

  • Medical information, along with other personally identifying information, may only be collected and stored in accordance with applicable laws. If you work with or expect to begin working with this kind of data, please contact the Information Security Office to establish a data security plan that will satisfy the university's legal obligations. Once a data security plan is implemented, it is important to make sure that you and all of your colleagues working with the data comply with the plan.
  • Although the university has numerous legal obligations it must meet in terms of protecting medical information, and even though this data may be referred to as "PHI" (protected health information), a defined term in the Health Insurance Portability and Accountability Act (HIPAA), Chapman is not subject to HIPAA and does not have the systems in place to comply with HIPAA's requirements.
  • Occasionally, researchers may be interested in obtaining patient data from healthcare providers for use in research. Healthcare providers are generally subject to the requirements of HIPAA, which restricts them from disclosing the PHI except under certain limited circumstances.
  • Healthcare providers will often ask a researcher to enter into a Business Associates Agreement ("BAA") before providing the data. However, because the University does not have the systems in place to be HIPAA-compliant, the University and all personnel are prohibited from entering into a BAA. Any personnel who are asked to enter into a BAA should immediately contact the Office of Legal Affairs.
  • Researchers who wish to use HIPAA-protected PHI from a third party in their research should first consult with the Office of Research.  That office will consult with Legal Affairs and the Information Security Office to establish appropriate parameters regarding the types of data that the University can properly accept responsibility for and what written agreements can be entered into governing use and safekeeping of the data. For non-research requests, personnel should consult with the Information Security Office to ensure that this information is stored securely in accordance with an information security plan that complies with applicable laws. The information security plan must be put in place before the data is received.