A subject in a clinical trial signed the informed consent document but did not sign the HIPAA authorization. Does this failure to obtain the subject’s signature need to be reported to the IRB or can the missing signature just be documented in a Note to File?
- Project Manager, Device Company
Under the HIPAA Privacy Rule, an individual’s signed authorization allows the use or disclosure of the subject’s protected health information collected during the clinical trial. HIPAA authorizations for research can be either embedded within the research consent form or be separate from the research consent form. When they are separate, an IRB may review the HIPAA authorization but does not have to do so.
If the authorization has been reviewed and approved by the IRB, whether embedded or separate, then the failure to have the authorization signed should be reported to the IRB as noncompliance. However, if the IRB did not review the authorization, then the failure to have the authorization signed should be reported to the privacy officer or other institutional office of the covered entity.