HIPAA Authorization
HIPAA stands for the Health Insurance Portability and Accountability Act. The privacy rule within this regulation outlines the standards for privacy for individuals and confidentiality of individually identifiable health information. The specific regulations for HIPAA are in Title 45 CFR 160 and 164.
Clinical investigators need to assess if they are a covered entity as defined by the Office for Civil Rights. All PIs who are covered entities must have HIPAA Authorization language for potential participants for study-related medical records to be available for review by the sponsor, CRO, IRB, and regulatory bodies. For your studies under the approval of WCG IRB, your HIPAA authorization language must be submitted to and approved prior to its use.
WCG IRB will review research materials to determine how the privacy and confidentiality of participants’ personal health information is protected in accordance with applicable laws and regulations. The burden of HIPAA compliance rests with the covered entity.
Researchers who are covered entities and do not wish to request a waiver, may satisfy the HIPAA requirement for authorization by choosing one of the following alternative methods:
- Obtain a HIPAA compliant signed authorization from the research participant using a stand-alone document that the covered entity has created; or
- Incorporate the HIPAA language into the ICF and submit to WCG IRB for review in accordance with applicable laws and/or institutional policy. Submission of a combined document (ICF + HIPAA authorization) is optional because some institutions and sponsors/CROs prefer to use their own separate HIPAA authorization form (stated above) for research without incorporating HIPAA language into the ICF. However, if submitted, the Board will review the incorporated information. (Note: For research that may include California sites, WCG routinely appends a complete State of California HIPAA authorization form to the template ICF); or
- Provide a separate ICF addendum that contains the HIPAA language and submit to WCG IRB for review in accordance with applicable laws and/or institutional policy.
WCG IRB will review authorization language upon the request of a covered entity. If the authorization language is embedded in the research consent document, then the IRB must review it. If the authorization language is separate from the research consent document, then the covered entity may determine whether or not to submit the language for IRB review. WCG IRB will review separate authorization documents upon request.
Waiver of Authorization for Use and Disclosure of Protected Health Information
If you are a covered entity or your organization must otherwise comply with the HIPAA, and the research requires you to use or share identifiable health information, you must obtain an authorization for the use and disclosure of protected health information. If this is not practical, you need to request a waiver of authorization. If you are requesting a waiver of consent or written documentation of consent, you also need to request a waiver of authorization. The necessary information is collected via our Initial Review Submission Form, or can be provided after initial review through ClinSphere® eReview Manager or IRBNet.