Important Considerations for the Institutional Review Board When Granting Health Insurance Portability and Accountability Act Authorization Waivers

Background: Privacy is recognized as a basic human right in the United States and has been identified as a core principle of ethics in clinical research. However, changes in the regulations, changes in how research is conducted, and the availability of health data stored in electronic health record systems all pose risks to individuals’ privacy. Methods: The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule addresses the use and disclosure of individuals’ health information and sets standards for privacy rights so that individuals can understand and control how their health information is used. However, despite the significant increase in the complexity of the data privacy landscape, the HIPAA Privacy Rule has been largely unchanged since its enactment in 1996. Results: Generally, healthcare entities may not use or disclose protected health information (PHI) for research without written authorization from each subject permitting that use or disclosure. However, the HIPAA Privacy Rule allows an institutional review board (IRB) to waive the need for such authorization if documentation is provided that the use or disclosure of PHI presents “no more than a minimal risk to the privacy” of the subjects. Because IRBs were one of the only bodies allowed to waive the need for authorizations in the research context, they essentially served as the gatekeepers of privacy for human subjects. However, this situation changed with the 2018 revisions to 45 CFR §46—known as the Common Rule—that added new categories of exempt research. Under the new regulations, research administrative staff may review a submitted research study and determine that it is exempt without the IRB ever being involved and with no independent review of privacy considerations. This change lessens privacy protections for research subjects. Therefore, IRBs must be mindful of the relevant HIPAA guidance and carefully consider all facts and circumstances available when granting approvals of HIPAA authorization waiver requirements, especially in the content of exempt research, so that the IRB is confident that reasonable safeguards to protect patient privacy have been maintained. Research institutions should amend their processes to ensure that the appropriate level of privacy review is given to all studies, even those that are exempt. Conclusion: Few concrete rules are applicable in the research context that ensure compliance with the HIPAA Privacy Rule. Ultimately, more definitive regulatory guidance integrating HIPAA and the revised Common Rule should be promulgated.