HIPAA and Research

The privacy provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) have been in effect since April 2003. The Privacy Rule or HIPAA contains basic practices for protecting the privacy of patients' health information which are implemented across the CHOP health-care system. HIPAA also contains specific requirements for research with human subjects and their protected health information (PHI). Definitions of HIPAA terms can be found in the HIPAA Glossary.

CHOP Research Institute Policy and Resources

The CHOP Research Institute policy Use and Disclosure of Protected Health Information for Research updates and replaces all previous research policies related to HIPAA. The IRB's SOP's describe how the IRB will implement its responsibilities as outlined above.

For more information on CHOP Research Institute's HIPAA policies, consult the HIPAA and Research page maintained by the Office of Research Compliance.

The IRB's Role in HIPAA

IRB Responsibilities Under HIPAA and CHOP HIPAA SOPs:
  1. Review and approve HIPAA Written Authorizations (WA) when they are combined with an informed consent document 45CFR164.508(c)(1) and (2).
  2. Approve and document determinations regarding waiver or alteration of the requirements for written Authorization 45CFR164.512(i)(1)(i) and 45CFR164.512(ii) ;
  3. Receive HIPAA Attestation from investigators who propose to use PHI without an authorization including:
    • Work Preparatory to Research 45CFR164.512(i)(1)(ii)
    • Research Involving Decedents 45CFR164.512(i)(1)(iii)
  4. In addition to its regulatory responsibilities, the IRB will ensure that a stand-alone HIPAA Authorization Template that is HIPAA-compliant, will be available for use by researchers

HIPAA requires that either an IRB or a Privacy Board make determinations about the use of PHI in research. At CHOP, the IRB is responsible for playing this role. The IRB is well suited to review protections for PHI since it already has responsibilities under the Common Rule to protect the privacy of subjects and their confidential information. Consent documents also must provide information describing the how the subject's private information will be protected. Under HIPAA and CHOP Research Institute Policies, the IRB is required carry out the responsibilities outlined in the box on the right.

1. Review Combined Consent/Authorizations

The IRB must review combined consent/authorization documents to ensure that the language meets the requirements of HIPAA. While the IRB does not approve stand-alone HIPAA documents, it does check them for accuracy and that they contain the required elements. IRB SOP 707: Requirements For and Documentation of HIPAA Authorization in Research.

More Information about HIPAA Authorization:
For more information about HIPAA Authorizations in research download the NIH Factsheet: HIPAA Authorization for Research.

2. Approve Waivers or Alterations of Requirements of HIPAA

The IRB may waive the requirements for Waiver or Alteration of HIPAA or it can approve an alteration of the requirements of HIPAA. An alteration of the requirements could include omission of one or more required elements, or it could be a waiver of written documentation when documentation of consent has been waived (waiver of documentation).

3. Receive HIPAA Attestations from Investigators

Work Preparatory to Research:

An investigator may conduct work preparatory to research without Written Authorization, provided that they provide the IRB with an attestation. Work preparatory to research are activities required for planning or to determine the feasibility of a study before developing or submitting a protocol to the IRB. For example, an investigator may be interested in studying a rare condition but doesn't know if there are enough prospective subjects available to perform the study. They may submit a certification for Work Preparatory to Research in the eIRB system in order to determine if the project is feasible. The IRB receives the investigators certification and will check it for appropriateness; it does not issue an approval. The investigator will receive the IRB's acknowledgment of receipt.

Use of Decedent's PHI:

Research that involves the use of decedents PHI is not regulated by the Common Rule but is covered by HIPAA. Investigators may use the PHI of decedents without Written Authorization, provided that they provide the IRB with an attestation that certifies that the PHI is necessary for the research and that the PHI will not be used for any other purposes. The certification is submitted in the eIRB system. The IRB receives the investigators certification and will check it for appropriateness; it does not issue an approval. The investigator will receive the IRB's acknowledgment of receipt.

More information about preparing a HIPAA Attestations is available under the menu for Submissions for a Determination.

4. Provide Template HIPAA Forms

Stand-alone HIPAA Written Authorization:

When a Stand-Alone HIPAA Written Authorization is used, it is the investigator must ensure that the document complies with the requirements of HIPAA. As a service, the CHOP IRB provides a template for HIPAA Written Authorization that has been reviewed and approved by the CHOP Privacy Office. The investigator must upload the stand-alone HIPAA Written Authorization form into the eIRB application so that all research forms are stored in the same place. The IRB will review the form to make sure that it meets the regulatory requirements but the IRB does not issue an approval or stamp stand-alone forms. This remains the responsibility of the investigator.

Withdrawal of HIPAA Authorization:

Subjects can decide to withdraw authorization to use their PHI for research. To withdraw authorization they must document their decision in a letter to the investigator. The IRB has prepared template Withdrawal of Authorization Letter that investigators can provide to participants who decide to withdraw their authorization.

Additional Resources for Questions about HIPAA

Fact Sheets Prepared by the NIH

Resources for HIPAA Questions

  • For questions about HIPAA and research, contact the IRB Office at 215-590-2830.
  • For questions about HIPAA training for Research Staff, send an e-mail to researcheducation [at] email.chop.edu ( )
  • For questions about accounting for disclosures, send an e-mail to Disclosures [at] email.chop.edu
  • For all other HIPAA questions, send an email to privacyoffice [at] email.chop.edu

The Hospital maintains a web site that provides valuable information about HIPAA compliance.

Summary:

This page includes a glossary of definitions under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Summary:

The HIPAA Privacy Rule requires written authorization for use or disclosure of private health information (PHI) for the purposes of research. When the Authorization is combined with the consent document, the IRB must review and approve the combined document. When a stand-alone authorization is used, the responsibility falls on the investigator. The IRB's responsibilities related to HIPAA are described in more detail in the IRB's Role in HIPAA.

Summary:

The IRB may approve a waiver or alteration of HIPAA provided that the research meets the criteria outlined in 45 CFR 164.512(i)(2)(ii) (see below). The requirements overlap but are not the same as those for waiver of consent and waiver of documentation of consent. There are additional requirements for HIPAA that are more stringent than for waiver under the Common Rule (research regulations).

Summary:
  1. How does written authorization differ from informed consent?

Top