When Protected Health Information (PHI) is used or disclosed for research purposes, you must do so in accordance with HIPAA Privacy Protections. For most projects regulated under the Common Rule, you generally may only use or disclose PHI in connection with research after the potential subject has given written authorization.
In certain situations, you may request and be granted a Waiver of HIPAA Authorization; this will allow you to use or disclose certain PHI without the written authorization of the subject. A Waiver of HIPAA Authorization may be granted by either a Full Convened Board or the Privacy Board.
The Privacy Board operates under the authority of and in accordance with HIPAA and applicable University policies and procedures. The Privacy Board is authorized to review and approve the following:
- Waivers of HIPAA Authorization for applications exempt from IRBMED oversight under OHRP or FDA regulations, but study team members will be accessing PHI.
- Waivers of HIPAA Authorization for research not subject to IRBMED oversight under OHRP or FDA regulations, but study team members will be accessing PHI; these types of projects include (but are not limited to) the following:
- Investigator certifications for reviews of PHI preparatory to research submitted in the eResearch application.
- Investigator certifications for research involving decedents’ information submitted in the eResearch application.
- In consultation with other units (e.g., the UMHS Privacy Office and DRDA), any use or disclosure of limited data sets under data use agreements.
- Case studies.
Update Approved by IRBMED Chairs and Director: October 14, 2011
Website Updated: April 18, 2011