HIPAA Compliance

The Institute for Health Metrics serves as a "business associate" of its hospital partners, in accordance with §164.501 of HIPAA. As a business associate, we bind ourselves by contract to meet all of the federal regulatory requirements for "covered entities" under HIPAA, 45 CFR 160 and 164.

As a business associate of member hospitals, the Institute aggregates patient-level data for purposes of supporting member hospitals in the specific functions defined by HIPAA as "healthcare operations," including "quality assessment and improvement activities, outcomes evaluation, development of clinical guidelines…population-based activities relating to improving health or reducing healthcare costs and protocol development." These functions do not include any research activities as defined by HIPAA. Research activities will only be conducted with IRB review in accordance with §164.516 of the HIPAA regulations and the federal Common Rule 45 C.F.R. §46.107. Any other uses of data will only be performed on de-identified data as defined by §164.514.

The Institute maintains data in full compliance with the technical security requirements set out in 45 CFR 160, 162 and 164.

We are a trusted intermediary among hospitals who are our business associates in compliance with applicable HIPAA regulations. We are at the vanguard of technology for information security and under the guidance of a carefully chosen ethics committee to guarantee that the public interest is protected. Improving the quality and safety of healthcare is an urgent goal that requires responsible and competent data collection and analysis.
