HIPAA and the IRB

HIPAA is an acronym for the Health Insurance Portability and Accountability Act of 1996. While the primary purpose of HIPAA was to enable employees and their families to transfer health care benefits from one employer to another, or to continue coverage in the case of a job loss, many aspects of the law deal specifically with data security and privacy. These regulations are commonly referred to as the Privacy Rule.

The Privacy Rule establishes a minimum standard for the protection of Protected Health Information (PHI), which is defined as individually identifiable information maintained in any medium. Human Subject Protection and U.S. Food and Drug Administration (FDA) regulations include some provisions that are similar to, but distinct from, the Privacy Rule's provisions for research. The Privacy Rule builds upon these federal regulations by expanding privacy protections, which apply regardless of the funding source.

The Privacy Rule recognizes the need for researchers to access, use, and disclose PHI for a wide range of research activities, and provides various ways in which researchers can access and use the information necessary for research. Of particular importance is the Privacy Rule’s requirement that written authorization be obtained from the subject for the use of PHI for research purposes (unless an exception applies).

For research activities involving PHI, the Institutional Review Board (IRB) acts as the institution’s Privacy Board (required by HIPAA) to review and approve the proposed access, use, and disclosure of the PHI. The IRB is responsible for determining whether research subjects are required to sign an authorization for the use and disclosure of their PHI, or if one of the exceptions to the authorization requirements applies. Examples of these exceptions include waivers of authorization and the use of de-identified data or limited data sets.

It is important for researchers to become familiar with how and under what conditions PHI can be accessed, used, and disclosed for research purposes.

For specific UT Southwestern information, please visit HIPAA Policies and Procedures (available on MyUTSW, the campus intranet).