Health Insurance Portability and Accountability Act

Research subject to the Health Insurance Portability and Accountability Act (HIPAA) must comply with the IU HRPP Policy on Use of PHI in Research. Research is subject to HIPAA when research personnel: 

  • are part of a covered entity or receive information from a covered entity; and
  • access, use, collect, or generate protected health information (PHI) for any part of the research, including recruitment.

Covered entities include IU HIPAA-affected areas (learn more at IU HIPAA Privacy and Security Compliance), IU Health, Eskenazi, and Roudebush VAMC.

Waiver of signature requirement when obtaining authorization

As the Privacy Board, the IU IRBs may consider requests to alter the required elements of HIPAA authorization. Most often, researchers use this mechanism to obtain authorization without obtaining a physical signature or date, especially when subjects are enrolled and/or screened via phone or web. 

In order to approve the alteration, the Privacy Board must find that the following criteria are met. These are the same criteria required for a full waiver of authorization; however, the study team’s response should indicate the scope of the waiver (e.g., requesting a waiver of the signature and date requirements only).

  1. The use or disclosure of the PHI involves no more than minimal risk to the privacy of individuals based on, at least, the presence of the following elements:
    1. An adequate plan to protect health information identifiers from improper use and disclosure.
    2. An adequate plan to destroy identifiers at the earliest opportunity consistent with conduct of the research (absent a health or research justification for retaining them or a legal requirement to do so).
    3. Adequate written assurances that the PHI will not be reused or disclosed to (shared with) any other person or entity, except as required by law, for authorized oversight of the research study, or for other research for which the use or disclosure of the PHI would be permitted under the Privacy Rule.
  2. The research could not practicably be conducted without the waiver or alteration.
  3. The research could not practicably be conducted without access to and use of the PHI.

If the alteration is approved, all other required elements of HIPAA authorization must be presented to the subject verbally, and the subject should agree to the authorization verbally, but a physical signature and date will not be required.