While HIPAA only applies to healthcare providers, health plans or healthcare clearinghouses that are covered entities and does not apply to the research component of the University, researchers at The University of Akron should be aware of the HIPAA Privacy rule because it impacts how covered entities use or disclose protected health information. Because of this, the HIPAA Privacy Rule may affect the University's researchers because it will affect their interactions with covered entities.
The HIPAA Privacy Rule protects patient information called Protected Health Information or PHI. PHI is individually identifiable health information, including genetic information, that is created or maintained by covered entities and their business associates. However, several types of individually identifiable health information is not covered by the Privacy Rule. Non-protected health information includes individually identifiable health information that is not created or maintained by a covered entity or its business associates, education records covered by the Family Educational Right and Privacy Act (FERPA) (For more information about FERPA protections on campus, see the
University's FERPA rule.), and records held by a covered entity in its role as an employer.
| Area of Distinction |
HIPAA Privacy Rule |
HHS Protection of Human Subjects Regulations |
FDA Protection of Human Subjects Regulations |
| Applicability |
Applies to HIPAA-defined covered entities, regardless of the source of funding. |
Applies to human subjects research conducted or supported by HHS. |
Applies to research involving products regulated by FDA. Federal support is not necessary for FDA regulations to be applicable. When research subject to FDA jurisdiction is federally funded, both the HHS Protection of Human Subjects Regulations and the FDA Protection of Human Subjects Regulations apply. |
| Identifiable Information |
Defines PHI as individually identifiable health information that is transmitted or maintained in any form or medium (electronic, oral or paper) by a covered entity or its business associates, excluding certain educational and employment records. |
Private information must be individually identifiable in order for obtaining the information to constitute research involving human subjects. Individually indentifiable means the identity of the subject is or readily may be ascertained by the investigator or others associated with the information. |
Title 21 CFR Parts 50 and 56 do not define individually identifiable health information. |
| Permissions for Research |
Authorization |
Informed Consent |
Informed Consent |
| IRB/Privacy Board Responsibilities |
Requires the covered entity to obtain Authorization for research use or disclosure of PHI unless a regulatory permission applies. Because of this, the IRB or Privacy Board would only see requests to waive or alter the Authorization requirement. In exercising Privacy Rule authority, the IRB or Privacy Board does not review the Authorization form. |
The IRB must insure that informed consent will be sought from, and documented for, each prospective subject or the subject's legally authorized representative, in accordance with, and to the extent required by, HHS regulations. If specified criteria are met, the IRB may waive the requirements for either obtaining informed consent or documenting informed consent. The IRB must review and approve the Authorization form if it is combined with the consent document. Privacy Boards have no authority under the HHS Protection of Human Subjects Regulations. |
The IRB must insure that informed consent will be sought from, and documented for, each prospective subject or the subject's legally authorized representative, in accordance with, and to the extent required by, FDA regulations. If specified criteria are met, the requirements for either obtaining informed consent or documenting informed consent may be waived. The IRB must review and approve the Authorization form if it is combined with the informed consent document. Privacy Boards have no authority under the FDA Protection of Human Subjects Regulations. |
| Review of Cooperative Research |
Requests to waive or alter the Authorization requirement are reviewed and approved by an IRB or Privacy Board. The Privacy Rule permits a covered entity to reasonably rely on the determination of an IRB or Privacy Board, if the covered entity obtains appropriate documentation of such determination. |
Each institution is responsible for safeguarding the rights and welfare of human subjects and for complying with the HHS Protection of Human Subjects Regulations. With the approval of HHS, an institution participating in a cooperative project may enter into a joint review arrangement, rely upon the review of another qualified IRB, or make similar arrangements for avoiding duplication of effort. |
Cooperative research/multi-institutional studies may use joint review, reliance upon the review of another qualified IRB, or similar arrangements aimed at avoiding duplication of effort. |
| Waivers of Authorization or Informed Consent Requirements |
Allows waiver or alteration of Authorization when IRB or Privacy Board deems the following criteria are met: (1) Use or disclosure involves no more than minimal risk to the privacy of individuals because of the presence of at least the following elements: (a) An adequate plan to protect health information identifiers from improper use or disclosure, (b) an adequate plan to destroy identifiders at the earliest opportunity absent a health or research justification or legal requirement to retain them, and (c) adequate written assurances that the PHI will not be used or disclosed to a third party except as required by law, for authorized oversight of the research study, or for other research uses and disclosures permitted by the Privacy Rule; (2) research could not practicably be conducted without the waiver or alteration; and (3) research could not practicably be conducted without access to and use of PHI. |
Permits an IRB to waive some or all of the elements of informed consent, or to waive the requirement to obtain informed consent, provided the IRB finds and documents that (1) the research involves no more than minimal risk to the subjects; (2) the waiver or alteration will not adversely affect the rights and welfare of the subjects; (3)) the research could not practicably be carried out without the waiver or alteration; (4) whenever appropriate, the subjects will be provided with additional pertinent information after participation. Permits an IRB to waive the requirement for the investigator to obtain a signed consent for some or all of the subjects if it finds either (1) that the only record linking the subject and the research would be the consent document and the princial risk would be potential harm resulting from a breach of confidentiality; or (2) that the research presents no more than minimal risk or harm to subjects and involves no procedures for which written consent is normally required outside of the research constitute. |
Permits FDA to waive the IRB review requirement. Permits an IRB to approve a clinical investigation without sujects' informed consent in c ertain circumstances. These include: (1) circumstances in which immediate use of the test article is, in the investigator's opinion, required to preserve the life of the subject, and time is not sufficient to obtain informed consent; (2) circumstances when the U.S. President may waive informed consent for military personnel for administration of an investigational product to members of the armed forces; and (3) circusmstances involving emergency research. |
