Does HIPAA apply to Institutional Review Boards?

IRBs serve as a bridge between the ethical principles of research and the legal mandates of HIPAA, helping to strike a balance that benefits both research and patient privacy.

 

What are Institutional Review Boards (IRBs)?

Institutional Review Boards (IRBs) are administrative bodies tasked with safeguarding the rights, well-being, and privacy of human participants involved in research conducted within affiliated institutions. These boards are responsible for thoroughly reviewing all research protocols, whether funded or not, to ensure they meet ethical and regulatory standards. IRBs are committed to protecting the welfare of research subjects, assessing the informed consent process, and verifying the ethical conduct of research. 

Comprising members from various backgrounds, including non-affiliated individuals and non-scientists, IRBs offer diverse perspectives during their comprehensive review process. Their authority extends to approving research, requesting modifications for safety and ethics, exempting certain studies, or disapproving research that does not align with established ethical principles and regulations. Additionally, IRBs may provide education and training to researchers and maintain records of reviewed protocols while reporting adverse events or non-compliance to relevant authorities.

See also: What are the HIPAA exceptions for research purposes?

 

How does HIPAA apply to IRBs?

HIPAA (Health Insurance Portability and Accountability Act) primarily applies to healthcare providers and organizations that handle protected health information (PHI). While IRBs are not directly subject to HIPAA regulations, they play a role in ensuring that research involving PHI complies with HIPAA requirements. IRBs review research protocols to safeguard the privacy and confidentiality of research participants' health information. They do not enforce HIPAA but help researchers align their studies with HIPAA standards to protect PHI and ensure ethical research practices.

See also: Addressing HIPAA and reproductive health research

 

Does the IRB need to check if HIPAA authorization forms follow the Privacy Rule?

HIPAA authorization forms are crucial for ensuring the privacy and confidentiality of individuals' health information. They grant researchers the legal authority to access and use PHI while providing safeguards to prevent unauthorized disclosures.

The IRB is not required to check if HIPAA authorization forms comply with the Privacy Rule. While the Privacy Rule mandates that all HIPAA authorizations must adhere to its requirements, the responsibility for ensuring compliance typically rests with the covered entity, in this case, the researcher. 

 

HHS overview of IRBs

The U.S. Department of Health and Human Services (HHS) relates to IRBs through regulatory oversight and guidance. Here's how they relate:

  1. Regulatory authority: HHS is the federal department responsible for implementing and enforcing regulations related to research involving human participants. IRBs fall under the regulatory purview of HHS, particularly with respect to the HHS regulations found in 45 CFR Part 46, which govern the protection of human research subjects.
  2. Regulatory compliance: IRBs must adhere to the HHS regulations, which outline the ethical and legal standards for the protection of human subjects in research. These regulations include requirements for informed consent, ethical review, and reporting of adverse events.
  3. Guidance and support: HHS provides guidance and support to IRBs to ensure they understand and comply with the regulations. This may include issuing clarifications, updates, and educational materials to help IRBs fulfill their responsibilities.
  4. Oversight: HHS has oversight authority to ensure that institutions and IRBs are conducting research involving human participants in accordance with the regulations. HHS may investigate complaints, conduct audits, and take enforcement actions when necessary to uphold ethical standards and protect research participants.

See also: HIPAA Compliant Email: The Definitive Guide
