Office of Research and Development at Wake Forest University School of Medicine


Institutional Review Board
Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and Research

HIPAA Authorization as part of the Research Informed Consent
Effective January 1, 2005, the IRB is requiring all new consent forms and those under continuing review to incorporate HIPAA Authorization language into the informed consent form. You can find the WFUHS standard HIPAA Authorization language at the link below and it can also be found on pages 8 & 9 of the Informed Consent Template.

Contents of HIPAA Authorization - Checklist
All authorizations must contain certain language as required by the regulations. This checklist will provide you with the necessary elements of authorizations if the language is included in the informed consent template provided by your sponsor.

Research on Decedent’s Information Request
Research on decedents is not subject to human subject regulations; however, it is subject to the HIPAA Privacy Rule.  In order to access PHI, such as medical records, on decedents, the researcher must provide the holder of the PHI with assurances that:

• The information being sought is solely for research on decedents
• The information being sought is necessary for research purposes

Reviews Preparatory to Research Request
The Privacy Rule allows researchers to review PHI in medical records or elsewhere to prepare a research protocol, or for similar purposes preparatory to research. This review allows the researcher to determine, for example, whether a sufficient number or type of records exists to conduct the research. The covered entity does not permit the researcher to remove any PHI from the covered entity. 

In order to conduct a review preparatory to research, the researcher must provide the covered entity that maintains the PHI with documentation that:
• The use or disclosure is sought solely to review PHI as necessary to prepare the research protocol or other similar preparatory purposes.
• No PHI will be removed from the covered entity during the review.
• The PHI the researcher seeks to use or access is necessary for the research purposes.


Limited Data Set Use Agreement
Limited Data Sets can be used for research purposes and can be either disclosed to an organization outside the covered entity or be received by Wake Forest University Health Sciences. When disclosing a Limited Use Data Set, a researcher must initiate a Data Use Agreement (DUA) between the institution and the organization receiving the data. You must retain a copy of the DUA with the study documents. When receiving a limited data set from an entity outside WFUBMC, the researcher must request a DUA.

DUA for Employees

Limited Use Data Sets can include:
• Addresses other than street name or street address or post office boxes. (Examples: zip code and geocodes, such as state, county, city, and precinct, can be used.)
• All elements of dates, such as date of birth, date of admission, date of discharge, and procedure dates.
• Unique identifiers if the code is not derived from or related to the information about the individual and could not be translated to identify the individual.

A limited data set is considered to be PHI under the Privacy Rule. The IRB Director, IRB Assistant Director or Institutional Legal Counsel must review and approve all Limited Data Use Agreements.

Waiver or Alteration of Informed Consent and Authorization
The IRB can waive informed consent and authorization if certain criteria are met. Complete this form to request such a waiver by the IRB.

Authorization for Release of Medical Records
At times, research staff may need to obtain medical records for event reporting. The following form is a HIPAA-compliant document that can be used to obtain these records.
 

Presentations and Information

GCRC Presentation by Wesley G. Byerly, Pharm.D.
General HIPAA Presentation by Wesley G. Byerly, Pharm.D.