The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required Congress to enact a health information privacy law (the “Privacy Rule”). The Privacy Rule, which became effective on April 14, 2003, is intended to protect the privacy of an individual’s health care information.
The Privacy Rule establishes a category of health information, called protected health information (PHI), which a HIPAA covered entity may only use or disclose to others in certain circumstances and under certain conditions. Yale is a hybrid entity, meaning that certain departments (“covered entities”) must follow the HIPAA regulations. Any research taking place at a covered entity within the University and involving PHI must comply with the Privacy Rule.
HIPAA requires a Privacy Board to make determinations about the use of PHI in research. The Yale IRB fulfills the functions of the Privacy Board for Yale and YNHHS studies. When Yale cedes IRB review to an external IRB, Yale and the external institution will mutually decide which institution’s IRB will serve as the Privacy Board. Similarly, if Yale’s IRB reviews research for another institution, the reliance agreement will specify which IRB serves as the Privacy Board. In its role as the Privacy Board, the Yale IRB may seek guidance from the Privacy Office to ensure compliance with the HIPAA Privacy Rule.
Research participants must provide authorization for use and/or disclosure of their PHI for research purposes unless the IRB (in its role as the Privacy Board) waives the requirement. The HIPAA Authorization is distinct from the participant’s consent to participate in the research. In many cases, a single form combining the HIPAA Authorization and consent may be used. The “Compound Authorization and Consent” template is available in the IRES IRB Library.
When research consent is not required by regulation or law or the requirement for research consent has been waived by the IRB, the requirements for a HIPAA Authorization apply unless the Privacy Board determines that the criteria for a waiver or alteration of HIPAA Authorization have also been met. HIPAA waivers and alterations are distinct from consent waivers and alterations. The study approval letter will specify whether a HIPAA waiver and/or alteration has been approved.