HIPAA Attestations

HIPAA permits investigators to use Personal Health Information (PHI) for two activities without IRB review or approval. The investigator must submit an attestation to the IRB prior to embarking on the work. After submitting the attestation, the investigator may proceed with their work. The HIPAA regulation does not specify what the IRB is to do with the attestations. At CHOP, the IRB screens the submissions to ensure that they meet the requirements of HIPAA and acknowledges receipt.

The eIRB application includes an option to fill out and complete the required HIPAA attestations and submit them to the IRB. The IRB staff will review the attestations for completeness and to ensure that they comply with the requirements of HIPAA (below). The investigator will receive an acknowledgement letter within the eIRB system.

45 CFR 164.512(i)(1)(ii): Work Preparatory to Research

(ii) Reviews preparatory to research. The covered entity obtains from the researcher representations that:

  • (A) Use or disclosure is sought solely to review protected health information as necessary to prepare a research protocol or for similar purposes preparatory to research;
  • No protected health information is to be removed from the covered entity by the researcher in the course of the review; and
  • (C) The protected health information for which use or access is sought is necessary for the research purposes.

Work preparatory to research includes activities needed to establish whether or not it is feasible to proceed with the research. The standard for how much data may be collected is that the investigator is limited to the minimum necessary PHI and other data to prepare for the research.

  • review of medical records to determine if there are sufficient number of potential subjects that might meet the entry criteria;
  • review of medical records to determine if there are sufficient number of potential subjects who are typically seen within the study time frame (e.g. children with hernia repair per year);
  • review of pathology records to determine if there are enough specimens meeting the required diagnostic criteria.
45 CFR 164.512(i)(1)(iii): Decedent Research

(iii) Research on decedent’s information. The covered entity obtains from the researcher::

  • (A) Representation that the use or disclosure sought is solely for research on the protected health information of decedents;
  • (B) Documentation, at the request of the covered entity, of the death of such individuals; and
  • C) Representation that the protected health information for which use or disclosure is sought is necessary for the research purposes.

Research with decedents data or specimens is not subject to review by the IRB. The definition a a human subject in the Common Rule is limited to living individuals. Never-the-less, HIPAA requires investigators so submit an attestation to the IRB prior to conducting research that involves the use of the decedents' PHI. The IRB receives and acknowledges receipt of these attestations.

Top