FREQUENTLY ASKED QUESTIONS:

Who needs the services of The Privacy Board?

Anyone conducting research involving identifiable health information, regardless of funding source or sponsorship, is subject to the provisions of the Privacy Rule. If it will not be feasible to obtain an Authorization, or the consent, of the individuals whose health information you will be using or disclosing, you may need the services of The Privacy Board in order to have the Authorization requirement waived under HIPAA.

I have a local IRB, can I still use The Privacy Board?

Yes. However, if your institution's policies require you to use the institution's IRB or Privacy Board, then you should comply with those policies.

Will a Waiver of Authorization from The Privacy Board satisfy a Covered Entity's (CE) concern that the information requested for the research meets the criteria for "minimum necessary" for the research purposes?

Yes. According to HHS, the Privacy Rule (at 45 CFR 164.512(i)) permits a Covered Entity to rely on the representations of a Privacy Board that the information requested is the minimum necessary for the research purpose. This is true regardless of whether the documentation is obtained from an external Privacy Board or one that is associated with the Covered Entity.

Do I need to get Authorization or Request a Waiver of Authorization in order to use PHI to contact individuals to see if they are interested in participating in a clinical trial?

That depends. According to HHS, under the rule, a Covered Entity is permitted to disclose protected health information to the individual who is the subject of the information, regardless of the purpose of the disclosure. Therefore, covered health care providers and patients may continue to discuss the option of enrolling in a clinical trial without patient authorization, and without an IRB or Privacy Board Waiver of Authorization.

However, where a Covered Entity wants to disclose an individual's information to a third party for purposes of recruitment in a research study, the CE first must obtain either Authorization from the individuals or a Waiver of Authorization from an IRB or Privacy Board.

I have studies that began before April 14, 2003 and will continue afterward. Do I need to have subjects sign new consent forms that include HIPAA Authorization language or a separate Authorization?

No. According to the regulations at 164.532(b), which address the effectiveness of prior consents and authorizations, Covered Entity may continue to use or disclose protected health information pursuant to a consent, authorization, or other express legal permission obtained from an individual permitting the use or disclosure of protected health information that does not comply with 164.506 or 164.508 of this subpart consistent with paragraph (b) of this section.

In the case of a consent, authorization, or other express legal permission obtained from an individual that identifies a specific research project that includes treatment of individuals:

(i) If the consent, authorization, or other express legal permission obtained from an individual specifically permits a use or disclosure for purposes of the project, the Covered Entity may, with respect to protected health information that it created or received either before or after the applicable compliance date of this subpart and to which the consent or authorization applies, make such use or disclosure for purposes of that project, provided that the Covered Entity complies with all limitations placed by the consent, authorization, or other express legal permission obtained from an individual.

In order to ensure compliance with HIPAA regulations, investigators and IRBs should do the following now:

• Set a date after which all new projects will include HIPAA compliant consent forms or authorization.
• Have the IRB amend the consent form to include Authorization language at the time of continuing review and renewal.
  
• Establish procedures to include the authorization in the consent form or as an addendum either at the time of renewal or when there is a revision to the consent form.
• Subjects enrolled after April 14, 2003 should sign HIPAA compliant consents or authorizations.

What is the fee for using The Privacy Board?
Please contact Jim Saunders for information regarding fees.