IRB-HIPAA

The IRB is responsible for evaluating compliance with regulations set forth by the Health Insurance Portability and Accountability Act (HIPAA) in research involving human subjects. HIPAA establishes the guidelines for protecting individuals’ health data during research by creating, obtaining, using, or disclosing the information. The primary focus is on safeguarding identifiable information related to an individual’s medical history, current condition, future healthcare payments and any other information that relates to an individual’s healthcare. HIPAA encourages individuals to contact the organization’s authorities or federal/state agencies if they have complaints or questions about protection efforts.

HIPAA defines research as a systematic investigation that involves developing, testing, and evaluating data to contribute to generalizable knowledge. However, certain investigative activities that involve patient data, such as investigations for quality assessment or improvement of guidelines and protocols, do not qualify as research under this definition. In this case, different HIPAA rules would apply.

If the dataset falls within the definition of research, HIPAA requires explicit authorization (consent) from the subject for the use of the data. Just like all consent, the subject can revoke it at any time, and they must provide written notice of withdrawal of consent. In some cases, HIPAA does allow for research related access to data without consent. A researcher does not need consent from individual data subjects in the following cases: when the research poses minimal risk, is solely for research activities, only uses information from deceased individuals, or has been grandfathered in from before legal permissions were in place. Also, when all direct identifiers related to the data are removed, meaning data is fully de-identified, researcher does not require consent.

In addition to protecting individual health information privacy, researchers are also responsible for ensuring the security of individual health information. The security rule requires researchers to inform each subject about the specific security measures implemented to protect their data.