How does the SMART IRB Agreement handle any HIPAA Privacy Rule determinations that are required for a Relying Institution that is a Covered Entity to use and disclose Protected Health Information for research?
Many Participating Institutions that are conducting a research study and ceding IRB review (under the Agreement, called “Relying Institutions”) are Covered Entities under the Health Insurance Portability and Accountability Act of 1996 and its privacy regulations (“HIPAA”). Such Relying Institutions may not use or disclose Protected Health Information (“PHI”) for research purposes unless HIPAA’s requirements for individual authorization, waiver/alteration of authorization, or another pathway under HIPAA is met (e.g., disclosure of a Limited Data Set).
The Agreement presumes that in most cases, the IRB of the Participating Institution providing review (under the Agreement, called the “Reviewing IRB”) will, as part of its review of a research study, make a determination on behalf of a Relying Institution that is a Covered Entity as to whether authorization is required, whether waiver/alteration of authorization is permissible, or whether another pathway for use and disclosure of PHI is satisfied in connection with the study.
- The Reviewing IRB may determine that individual authorization is required. In these cases, the authorization language generally would be incorporated into the consent document and the Reviewing IRB would be responsible for approving a template combined consent and authorization form.
- The Reviewing IRB may grant a waiver or alteration of authorization.
- If the PHI to be used or disclosed for the research study constitutes a Limited Data Set, the Reviewing IRB may permit such use and disclosure to occur under a Data Use Agreement.
Note that the Reviewing IRB does not take on responsibility for any other HIPAA requirements applicable to the Relying Institution (such as compliance with or implementation of accounting of disclosures of PHI made by the Relying Institution pursuant to a waiver of authorization).
Article is closed for comments.