306-Can researchers access existing databanks or repositories created prior to the compliance date without permission

Question

Can researchers continue to access existing databanks or repositories that are maintained by covered entities, even if those databases were created prior to the compliance date without patient permission or without a waiver of informed consent by an Institutional Review Board (IRB)?

Office for Civil Rights (OCR) · Accepted Answer

AnswerYes. Under the HIPAA Privacy Rule, covered entities may use or disclose protected health information from existing databases or repositories for research purposes either with individual authorization as required at 45 CFR 164.508, or with a waiver of individual authorization as permitted at 45 CFR 164.512(i). See our research section and frequently asked questions about the research provisions for more information about Institutional Review Boards.Date Created: 12/20/2002Last Updated: 03/14/2006