• E-mail
• Print
• RSS

What actions can a privacy board take with respect to uses and disclosures of PHI for research?

HIPAA Weekly Advisor, March 13, 2003

Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!

Q: What actions can a privacy board take with respect to uses and disclosures of PHI for research?

A: Privacy boards may approve alterations or waivers of the individual authorization normally required before a covered entity can use or disclose PHI for research purposes. The board must meet the following requirements, however:

• Members have varying backgrounds and competency to review the effect of the research protocol on the individual's privacy rights and related interests
• Includes at least one member not affiliated with the covered entity, not affiliated with any entity conducting or sponsoring the research, and not related to any person who is affiliated with any of such entities
• No members review projects in which they have a conflict of interest

In order for the covered entity to use or disclose information without authorization for research, a privacy board must find the following:

• The use or disclosure of PHI involves no more than minimal risk to the privacy of individuals, based on the presence of at least the following criteria:

  (1) An adequate plan to protect the identifiers from improper use and disclosure.

  (2) An adequate plan to destroy the identifiers at the earliest opportunity, consistent with conduct of the research. (This criteria would not apply if there were a health or research justification for retaining the identifiers, or such retention were otherwise required by law.)

  (3) Adequate written assurances that the PHI will not be reused or disclosed to any other person or entity. Exceptions include uses or disclosures required by law, for authorized oversight of the research study, or for other research for which the use or disclosure of PHI is permitted under HIPAA

• The research could not practicably be conducted without the alteration or waiver
• The research could not be conducted without access to and use of the PHI.

Documentation must be signed by the chair of the privacy board, or other member as designated by the chair, and must include the following:

• A statement identifying the privacy board and the date on which the waiver (or alteration) of authorization was approved
• A statement that the privacy board has determined that the waiver (or alteration) satisfies certain required criteria
• A brief description of the PHI for which use or access has been determined to be necessary
• A statement that the waiver (or alteration) has been reviewed and approved under either normal or expedited review procedures

The regulations impose no requirements for the location or sponsorship of the privacy board convened to review research proposals for altering or waiving authorization criteria. The HHS commentary notes that accreditation is not required, because currently there are no accepted accreditation standards for privacy boards, nor is there a designated accreditation body.

Editor's note: Brought to you by attorneys Marty Baxter and Gretchen McBeath at Bricker and Eckler, LLP (http://www.bricker.com) and The Quality Management Consulting Group, Ltd. (http://www.qmcg.com). E-mail: mbaxter@bricker.com or gmcbeath@bricker.com

Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!

• E-mail to a Colleague
• Print
• RSS
• Archive