306-Can researchers access existing databanks or repositories created prior to the compliance date without permission

Can researchers continue to access existing databanks or repositories that are maintained by covered entities, even if those databases were created prior to the compliance date without patient permission or without a waiver of informed consent by an Institutional Review Board (IRB)?

Answer

Yes. Under the HIPAA Privacy Rule, covered entities may use or disclose protected health information from existing databases or repositories for research purposes either with individual authorization as required at 45 CFR 164.508, or with a waiver of individual authorization as permitted at 45 CFR 164.512(i).

See our research section and frequently asked questions about the research provisions for more information about Institutional Review Boards.

Date Created: 12/20/2002
Last Updated: 03/14/2006

Content created by Office for Civil Rights (OCR)
Content last reviewed February 8, 2023

Can researchers continue to access existing databanks or repositories that are maintained by covered entities, even if those databases were created prior to the compliance date without patient permission or without a waiver of informed consent by an Institutional Review Board (IRB)?

Answer

Sign Up for Email Updates