Institutional Review Boards

Is an IRB required to review HIPAA authorization forms for their compliance with the Privacy Rule?

No.  The Privacy Rule requires that all HIPAA authorizations, including those used for research purposes, comply with the requirements established in 45 CFR §164.508, regardless of whether they are created by the covered entity itself or by a third party.  While the covered entity is ultimately responsible for ensuring all authorization forms are valid, the Rule does not specifically require that IRBs review and approve each form.  

Covered entities should be aware, however, that the Common Rule does require IRB review and approval of HIPAA authorizations, in the event the authorization language is integrated in the informed consent document for human subjects research.  See 45 C.F.R. 46.117(a).

The International Council on Harmonization (ICH) guidance allegedly contained provisions that led several IRBs to conclude they were required to review all written materials or information provided to subjects, including HIPAA authorizations.  The IRBs were concerned that such a mandate would create a backlog of thousands of requests for review, which might impede clinical research trials by halting studies and depriving subjects of access to those studies.  This misinterpretation led some IRBs to refuse to allow continued enrollment of subjects in ongoing studies without first reviewing and approving standalone HIPAA authorizations.

Relevant Excerpt from OCR response:

The Privacy Rule does not require IRBs to review HIPAA authorizations for compliance with the Rule's requirements. From the point of view of Privacy Rule compliance and enforcement, all that is required is that HIPAA authorizations used for research or other disclosures comply with the requirements of the Rule, whether the HIPAA authorization form is created by the covered entity itself or by a third party.  Under the Privacy Rule, a covered entity may disclose protected health information for research purposes with an authorization that is valid under the Rule, whether or not an IRB has approved the form.

The Food and Drug Administration (FDA) does not recognize the ICH guidance as legal requirements subject to enforcement under U.S. authorities, including the FDA…[E]ven where an IRB's written procedures may present an obstacle, the FDA has advised that it intends to consider exercising enforcement discretion with respect to the requirements of 21 C.F.R. 56.108(a) to the extent that may be necessary, and expects to address the matter in guidance as expeditiously as possible.

The HHS regulations 45 CFR Part 46 do not require that stand-alone HIPAA authorizations be reviewed or approved by the IRB.  Under the HHS regulations at 45 CFR 46.117(a), IRB review and approval of HIPAA authorizations is only required if the authorization language is integrated in the informed consent document for human subjects research.  The Office for Human Research Protections advises it would not undertake any compliance action with respect to activities, including review of stand-alone HIPAA authorizations, that are not required by the regulations at 45 CFR Part 46.

…Thus, the Privacy Rule, FDA guidance, and the HHS Protections of Human Subject Regulations, all provide significant and broad flexibility for obtaining authorizations that comply with HIPAA.



Content created by Office for Civil Rights (OCR)
Content last reviewed June 16, 2017