HIPAA Authorization

The IRB requires that written HIPAA authorization be sought from each subject or the subject’s authorized representative prior to participation in any research activity that involves the use of the subject’s protected health information (i.e., identifiable medical record information) maintained by a covered entity (i.e., health care provider, health care plan, health care clearinghouse). See sample HIPAA authorization, found on the IRB website. HIPAA authorization must also be obtained for the placement of research data into the subject’s medical record information maintained by the covered entity.

When protected health information (PHI) will be accessed, used and/or disclosed for research purposes, the research consent may include all the necessary elements under HIPAA thereby alleviating the need for a separate HIPAA Authorization.

Regulatory Requirements

The necessary HIPAA elements include the following:

  • A specific description of PHI that will be collected for research and the purpose of collecting this information;
  • A specific description of any research-derived information that will be placed in the individual’s medical record;
  • The person or class of persons who may use or disclose the PHI collected for research;
  • The person or class of persons to whom PHI collected for research may be re-disclosed and the purpose of such re-disclosure;
  • The expiration date of the authorization;
  • Consequences to the individual of a refusal to sign the authorization;
  • The individual’s right to revoke authorization and consequences of such revocation.