The Privacy Rule, at 45 CFR parts 160 and 164, establishes a category of health information, defined as protected health information (PHI), that a covered entity may only use or disclose to others in certain circumstances and under certain conditions. In general, the Privacy Rule requires an individual to provide signed permission, known as an Authorization under section 164.508 of the Privacy Rule, before a covered entity can use or disclose the individual’s PHI for research purposes. Under certain circumstances, however, the Privacy Rule permits a covered entity to use or disclose PHI for research without an individual’s Authorization. One way a covered entity can use or disclose PHI for research without an Authorization is by obtaining proper documentation of a waiver of the Authorization requirement by an Institutional Review Board (IRB) or a new type of review body, a Privacy Board.
This fact sheet is limited to the Privacy Rule’s requirements relating to a Privacy Board and approvals of research-related requests for Authorization waivers or alterations and how those requirements relate to the functioning of a Privacy Board. A separate fact sheet entitled Institutional Review Boards and the HIPAA Privacy Rule discusses the concurrent authority of IRBs established under the Privacy Rule to approve such waivers or alterations. Additional information about the Privacy Rule can be found in the booklet, Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule.
For guidance on the Privacy Rule, see the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) Web site at http://www.hhs.gov/ocr/hipaa/. For guidance on the interpretation of the HHS or Food and Drug Administration (FDA) Protection of Human Subjects Regulations at 45 CFR part 46 or 21 CFR parts 50 and 56, respectively, visit the Office for Human Research Protections (OHRP) Web site at http://ohrp.osophs.dhhs.gov/ or the FDA Web site at http://www.fda.gov/oc/gcp/, respectively.
Introduction to the Privacy Rule
In response to a congressional mandate in the Health Insurance Portability and Accountability Act of 1996 (HIPAA), HHS issued regulations entitled Standards for Privacy of Individually Identifiable Health Information. For most covered entities, compliance with these regulations, known as the Privacy Rule, was required by April 14, 2003.
The Privacy Rule is a response to public concern over potential abuses of the privacy of health information. The Privacy Rule establishes a category of health information, PHI, which may only be used or disclosed to others in certain circumstances or under certain conditions. PHI is a subset of what is termed individually identifiable health information and must be protected when it is created, received, maintained, or transmitted by a covered entity. Covered entities are health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with certain defined HIPAA transactions, such as claims or eligibility inquiries. Researchers are not themselves covered entities, unless they also provide health care and engage in any of the covered electronic transactions. If, however, researchers are employees or other workforce members of a covered entity (e.g., a hospital or health insurer), they may have to comply with that entity’s new HIPAA privacy policies and procedures. A researcher who is not a covered entity or is not a workforce member of a covered entity may be indirectly affected by the Privacy Rule, if the researcher wants data from a covered entity for research.
What Is a Privacy Board and What Is Its Role Under the Privacy Rule?