Office of Research Integrity Staff for Office of Research Integrity Research Bulletin Board Research Index research.musc.edu
 

 

Databases: IRB Approval & HIPAA Authorization

 

  1. Clinical Databases
    1. Developed for clinical purposes of tracking and monitoring care
    2. Allowed by the covered entity’s HIPAA notice of privacy practices
    3. If an individual wants to query the database for research:
      1. IRB approval is required.
      2. HIPAA de-identification certification or a HIPAA waiver* is required.
      3. Research must present minimal risk to privacy of the individuals.
  2. Clinical Databases with Possibility of Future Research
    1. Developed for clinical purposes of tracking and monitoring care but “maybe”will be used for research purposes at a later time.
    2. Allowed by the covered entity’s HIPAA notice of privacy practices.
    3. If an individual wants to query the database for research:
      1. IRB approval is required.
      2. HIPAA de-identification certification or a HIPAA waiver is required.
      3. Research must present minimal risk to privacy of the individuals.
  3. Clinical Databases for Research
    1. Developed for the express purpose of research with specific research questions not identified as of yet.
    2. Requires IRB approval before the database is initiated.
    3. Requires informed consent and HIPAA authorization from patients/subjects to be included in the research database.
    4. When an individual wants to query the database for research: 1) IRB approval is required relative to the specific protocol, and 2) a HIPAA authorization or a waiver of authorization is required. Federal guidance regarding the HIPAA regulations states, When a (research) database is maintained by the covered entity, any use of the database for a particular research purpose will require a new, protocol-specific authorization or waiver of authorization as well as a research protocol specifically describing the new study which must be approved by an IRB.

* A HIPAA waiver can only be approved if the IRB assesses the PHI to be used as presenting no more than minimal risk to the privacy of subjects. A HIPAA waiver may limit use of the available data; the IRB decides which of the available data elements may be used.
search Last Update
5/17/05