Is documentation of Institutional Review Boards (IRB) and Privacy Board approval required by the HIPAA Privacy Rule before a covered entity would be permitted to disclose protected health information for research purposes without an individual's authorization?

No. The HIPAA Privacy Rule requires documentation of waiver approval by either an IRB or a Privacy Board, not both.

See our research section and frequently asked questions about the research provisions for more information about Institutional Review and Privacy Boards.

Date Created: 12/20/2002
Last Updated: 03/14/2006

Content created by Office for Civil Rights (OCR)
Content last reviewed July 26, 2013