When Protected Health Information (PHI) is used or disclosed for research purposes, you must do so in accordance with HIPAA Privacy Protections. For most projects regulated under the Common Rule, you generally may only use or disclose PHI in connection with research after the potential subject has given written authorization.
In certain situations, you may request and be granted a Waiver of HIPAA Authorization; this will allow you to use or disclose certain PHI without the written authorization of the subject. A Waiver of HIPAA Authorization may be granted by either an IRB or a Privacy Board.
The Privacy Board operates under the authority of and in accordance with HIPAA and applicable University policies and procedures. The Privacy Board is authorized to review and approve the following:
- Waivers of HIPAA Authorization for applications exempt from IRBMED oversight under OHRP or FDA regulations, but study team members will be accessing PHI.
- Waivers of HIPAA Authorization for research not subject to IRBMED oversight under OHRP or FDA regulations, but study team members will be accessing PHI; these types of projects include (but are not limited to) the following:
- Investigator certifications for reviews of PHI preparatory to research submitted in the eResearch application.
- Investigator certifications for research involving decedents’ information submitted in the eResearch application.
- In consultation with other units (e.g., the UMHS Privacy Office and ORSP), any use or disclosure of limited data sets under data use agreements.
- Multi-site research where U-M has ‘ceded’ IRB review but retains review responsibilities under HIPAA.
For studies subject to IRBMED review and approval under the full regulatory requirements, the Full Convened Board or Expedited Reviewer(s) makes applicable determinations regarding HIPAA compliance along with determinations required by other federal regulations.
PRIVACY BOARD APPLICATIONS
Overall process flowchart
- Waiver for studies Exempt under OHRP/FDA, but Regulated by HIPAA
- Waiver for projects Not Regulated under OHRP/FDA, but Regulated by HIPAA
- Other HIPAA provisions
- De-Identified Data Sets
- Protected Health Information
- Uses and Disclosures of Protected Health Information
- Waiver of HIPAA Authorization
REGULATIONS, GUIDANCE & POLICIES
The Privacy Board operates under the authority of and in accordance with HIPAA Privacy Rule and applicable University policies and procedures.
- IRBMED SOPs Part 3, III, C, 4, e, 7 "Studies Subject to HIPAA Regulations"
- UMHS Policy 01-04-360 Use of Protected Health Information (PHI) in Research
- UMHS Compliance Office
- Privacy Boards and the HIPAA Privacy Rule from NIH
- OCR Research and HIPAA Privacy Rule page
Chair: Alan Sugar, MD
- Robertson Davenport, MD
- William Ensminger, MD
- Michael Geisser, PhD
- Duke Morrow, DMin
- Joy Stair, MS, RN
Coordinator: Lark Speyer, BS
If you have any questions or comments regarding Privacy Board, Waivers of HIPAA Authorization, or project submission, please contact:
Updated: May 8, 2015