HIPAA Policies for Institutional Review Boards: IRB Guide to Research Compliance


Kevin Henry

HIPAA

January 01, 2026


HIPAA Authorization Requirements

Under the HIPAA Privacy Rule, covered entities may use or disclose Protected Health Information (PHI) for research only with an individual’s written authorization or under a permitted alternative. To keep protocols moving, you should structure authorizations so they are complete, readable, and easy to verify.

Core elements of a valid authorization

  • Specific description of the PHI to be used or disclosed, written in clear, meaningful terms.
  • Who may use/disclose the PHI and to whom the disclosure may be made (named persons or defined classes).
  • Each purpose for the use/disclosure (e.g., a named study or research repository).
  • Expiration date or event; for research, “end of the research” or “none” is acceptable for databases/repositories.
  • Signature and date of the individual (or personal representative with a description of authority).

Required statements you must include

  • The individual’s right to revoke authorization in writing and how to exercise that right.
  • Whether treatment, payment, enrollment, or eligibility for benefits is conditioned on the authorization (or that it is not).
  • A notice that information disclosed may be re-disclosed by recipients and may no longer be protected by HIPAA.

Special cases for research

  • Future research: Broad research authorizations are permitted if you describe the scope so a reasonable person understands potential future uses.
  • Compound forms: You may combine the HIPAA authorization with informed consent; conditioned and unconditioned elements must be clearly distinguishable, with opt-in where needed.
  • Psychotherapy Notes Protection: Psychotherapy notes require a specific, stand-alone authorization; they are not eligible for a waiver for research purposes.
  • Minimum Necessary Standard: Does not apply to disclosures made pursuant to the individual’s authorization.

IRB Review of HIPAA Authorizations

Many institutions integrate HIPAA checks into the IRB Approval Process to streamline compliance. While HIPAA does not require IRB “approval” of an authorization, IRBs commonly verify that your forms and data flows satisfy the Privacy Rule.

What the IRB checks

  • All core and required authorization elements are present and unambiguous.
  • The description of PHI matches the protocol’s data plan and aligns with the Minimum Necessary Standard where a waiver or alternative pathway is used.
  • Plans for data security, access controls, and retention are appropriate for the sensitivity of PHI.
  • Whether psychotherapy notes are involved and, if so, that a specific authorization is used.
  • Whether disclosures require accounting (for example, when operating under a waiver) and how you will meet that duty.

Informed consent addresses ethical participation and risks; a HIPAA authorization permits the use/disclosure of PHI under the Privacy Rule. Your IRB may allow combined documents, but each function must remain clear so participants understand both agreements.

Documentation and workflow

  • Use institution-approved templates and plain language.
  • Ensure signatures and dates are captured before any PHI use/disclosure for research.
  • Retain executed authorizations and related records for the required period (often at least six years from the date last in effect).

Waiver of HIPAA Authorization

An IRB or a duly constituted Privacy Board may approve a full waiver, partial waiver, or alteration of authorization when use or disclosure of PHI is justified for the research and privacy protections are robust. These Privacy Board Determinations must be documented before PHI is accessed.

Authorization Waiver Criteria

  • Minimal risk to privacy, demonstrated by:
    • A plan to protect identifiers from improper use and disclosure,
    • A plan to destroy identifiers at the earliest opportunity consistent with research needs, and
    • Written assurances against improper re-disclosure.
  • The research could not practicably be conducted without the waiver or alteration.
  • The research could not practicably be conducted without access to and use of the PHI.

Partial waivers and recruitment

IRBs frequently grant partial waivers to permit activities such as screening medical records and contacting prospective participants. Your request should limit PHI to what is necessary for eligibility assessment or outreach.

Documentation, scope, and accounting

  • Document the board’s findings, date of approval, and scope of PHI permitted.
  • Apply the Minimum Necessary Standard to all uses/disclosures under the waiver.
  • Maintain an accounting of disclosures when required; aggregate accounting is permitted for large protocols.

Use of PHI in Research Without Authorization

HIPAA permits several research pathways that do not require individual authorization. You must follow precise conditions and limit PHI to the minimum necessary for each activity.

Reviews preparatory to research

  • Access is solely to prepare a protocol or determine study feasibility/eligibility.
  • No PHI may be removed from the covered entity.
  • You must represent that the PHI sought is necessary for these preparatory purposes.

Research solely on decedents’ information

  • Use/disclosure applies only to decedents’ PHI.
  • Upon request, provide documentation of death.
  • Represent that the PHI is necessary for the research.

De-identified data and limited data sets

  • De-identified data (via safe harbor or expert determination) is not PHI and may be used without authorization or waiver.
  • A limited data set excludes direct identifiers but may include certain dates and geography; it requires a Data Use Agreement and adherence to the Minimum Necessary Standard.

Psychotherapy Notes Protection

Psychotherapy notes carry heightened restrictions. For research, you must obtain a specific authorization; IRB waivers and most alternative pathways do not apply to these records.

Institutional Policies on HIPAA and Research

Institutions translate the HIPAA Privacy Rule into operational controls that your study team must follow. Aligning your protocol with these requirements reduces delays and protects participant privacy.

Training and role-based access

  • Mandatory HIPAA training and refreshers for all personnel handling PHI.
  • Role-based permissions restricting PHI access to those with a study need-to-know.

Data governance and security

  • Approved systems for ePHI with administrative, physical, and technical safeguards.
  • Data classification, encryption, and secure transfer/storage requirements.

Data sharing and agreements

  • Templates for Data Use Agreements and, where applicable, Business Associate Agreements.
  • Procedures for sharing limited data sets and documenting recipients.

Accounting, retention, and oversight

  • Accounting-of-disclosures processes for waiver-based disclosures.
  • Retention schedules for authorizations, waivers, and HIPAA-related approvals (commonly six years or longer if required by research rules).
  • Audits and monitoring to verify compliance across the IRB Approval Process.

Incident response and breach notification

  • Immediate reporting channels for suspected privacy incidents.
  • Investigation, containment, and notification steps aligned with institutional policy.

Conclusion

To keep research compliant and efficient, decide early whether you will obtain individual authorization, seek a waiver, or use an alternative pathway. Anchor your plan in the Minimum Necessary Standard, respect Psychotherapy Notes Protection, and document Privacy Board Determinations. Aligning authorizations, IRB review, and institutional policies creates a defensible, participant-centered compliance posture.

FAQs

What constitutes a valid HIPAA authorization for research?

A valid authorization clearly describes the PHI, who may use/disclose it, to whom it may be disclosed, the purpose, an expiration date or event, and includes the individual’s signature/date. It also states revocation rights, any conditioning of services, and the potential for re-disclosure. For research repositories, “end of the research” or “none” is acceptable as the expiration.

When can an IRB waive the requirement for HIPAA authorization?

An IRB (or Privacy Board) may grant a full or partial waiver when privacy risks are minimal with safeguards in place, the research is impracticable without the waiver, and it is impracticable without access to PHI. Waiver-based uses must follow the Minimum Necessary Standard and be documented; some disclosures also require accounting.

How does the IRB review process incorporate HIPAA policies?

Most IRBs evaluate your authorization language, data flows, and safeguards alongside the protocol. They confirm that the HIPAA pathway (authorization, waiver, preparatory review, decedent research, or limited data set) fits the design, that required elements are present, and that responsibilities such as accounting and retention are addressed.

What institutional policies govern HIPAA compliance in research?

Institutions set requirements for HIPAA training, role-based access, approved systems for ePHI, data sharing agreements, incident response, accounting of disclosures, and record retention. These policies operationalize the HIPAA Privacy Rule so your study can lawfully collect, use, and disclose PHI throughout the IRB Approval Process.
