HIPAA Security for Institutional Review Boards (IRBs): Requirements, Safeguards, and a Practical Checklist

HIPAA Security Rule Overview

The HIPAA Security Rule sets standards to protect the confidentiality, integrity, and availability of electronic protected health information (ePHI). It applies to covered entities and their business associates that create, receive, maintain, or transmit ePHI. IRBs often interact with ePHI during protocol review and oversight, whether they are part of a covered entity or collaborating with one.

While the HIPAA Privacy Rule governs when and how PHI may be used or disclosed for research, the Security Rule focuses on how ePHI is safeguarded. IRBs must align oversight with both: ensure appropriate authorizations or waivers and verify that any ePHI entering review systems is protected throughout its lifecycle.

• Administrative safeguards: policies, workforce measures, risk management, and training.
• Physical safeguards: facility access controls, workstation security, and device/media protections.
• Technical safeguards: access control, audit controls, integrity protections, authentication, and transmission security.

The Rule’s “flexibility of approach” allows right-sized controls based on risk, size, and complexity. Required and addressable specifications must be implemented or formally justified, documented, and reviewed. As a best practice, IRBs should also enforce minimum necessary data in submissions to reduce exposure.

Administrative Safeguards for IRBs

Security management process

Establish a documented security program that includes a periodic risk assessment, risk management plan, sanction policies, and processes to prevent, detect, contain, and correct security violations. Integrate security review into IRB workflows for protocol intake, reviewer assignment, and continuing review.

Workforce security and training

Define who may access ePHI and for what purpose. Onboard and offboard staff and IRB members promptly. Provide role-based security and privacy training that covers secure handling of ePHI, phishing awareness, remote work expectations, and incident reporting obligations.

Information access management

Grant least-privilege, time-bounded access to IRB systems. Use role-based access controls for staff, chairs, members, and external reviewers. Validate access at regular intervals and after role changes to prevent privilege creep.

Security incident procedures

Maintain a clear process to identify, triage, document, and escalate incidents involving ePHI. Coordinate with the covered entity’s privacy and security teams on investigation, containment, and notifications. Capture lessons learned to strengthen controls.

Contingency planning

Implement and test data backup, disaster recovery, and emergency operations procedures for IRB platforms, reviewer portals, and shared repositories. Ensure critical records, decisions, and determinations remain available during outages.

Documentation, agreements, and oversight

Maintain current policies, procedures, risk decisions, and training records. Where research uses a limited data set, ensure data use agreements are executed to define permitted uses, safeguards, and prohibitions on re-identification. Confirm business associate agreements where vendors handle ePHI for the IRB or the covered entity.

Physical Safeguards for Research Data

Facility access controls

Protect areas where IRB systems or records are stored using badge or key controls, visitor logs, and escort procedures. Define contingency access during emergencies and routinely review who has physical access.

Workstation and meeting security

Configure automatic screen locks, privacy filters for shared spaces, and clean-desk expectations. For convened meetings and remote sessions, restrict attendance, verify identities, and prohibit recording unless explicitly authorized and secured.

Device and media controls

Encrypt laptops and removable media, track custody, and use secure transfer methods. Sanitize or destroy devices and media containing ePHI using approved methods, with documented chain-of-custody and disposal logs.

Technical Safeguards Implementation

Access control

Issue unique user IDs, require strong authentication (preferably MFA), and apply session timeouts and automatic logoff. Use role-based access and emergency access procedures to preserve availability without expanding routine privileges.

Audit controls

Enable detailed logging for IRB applications, reviewer portals, file repositories, and email systems handling ePHI. Monitor access, creation, modification, and download events; retain logs per policy; and review alerts for anomalous activity.

Integrity and authentication

Protect against improper alteration with checksums, version control, and write-once repositories for finalized minutes and determinations. Verify user identity before granting ePHI access, and require re-authentication for privileged actions.

Transmission security

Encrypt ePHI in transit with modern TLS, secure file transfer, or VPN. Prohibit unencrypted email or personal cloud storage for reviewer materials. Apply data loss prevention rules to reduce inadvertent disclosures.

Encryption at rest and key management

Use full-disk and server-side encryption for endpoints, servers, and backups storing ePHI. Protect encryption keys with separation of duties, rotation schedules, and secure vaulting.

Risk Analysis and Management Procedures

Conducting the risk assessment

Inventory systems, data stores, and vendors that touch IRB-related ePHI. Map data flows from source systems to reviewer distribution and archival. Identify threats, vulnerabilities, and existing controls; rate likelihood and impact to prioritize remediation.

Risk treatment and tracking

Develop a risk management plan with owners, timelines, and acceptance criteria. Address high-risk items first—such as weak access controls or unencrypted storage—and validate fixes through testing and metrics. Maintain a living risk register.

Ongoing evaluation

Reassess risks after system changes, new partnerships, or security incidents. Schedule periodic evaluations to test controls’ effectiveness and confirm that risk decisions remain appropriate as research activities evolve.

Role and Responsibilities of Institutional Review Boards

HIPAA-aware protocol review

Ensure protocols describe the ePHI needed, why it is necessary, and how it will be secured. Verify that authorization forms or alternative HIPAA pathways are correct, readable, and aligned with minimum necessary principles.

Waiver of authorization

When criteria are met, IRBs may approve a waiver of authorization for research. Typical criteria include minimal risk to privacy with adequate safeguards, plans to destroy identifiers when no longer needed, assurances against improper reuse or disclosure, and a showing that the research could not practicably be conducted without the waiver and without access to ePHI. Document the determination and scope precisely.

Limited data sets and data use agreements

For limited data sets, require data use agreements that specify permitted uses, who may receive the data, safeguards, breach reporting, and prohibitions on re-identification or contact. Confirm that the controls in the DUA align with the Security Rule’s expectations for protecting ePHI.

Continuing oversight and accountability

During continuing review, confirm that data protections match what was approved, audit controls are active, and any incidents were reported and resolved. Train IRB members annually on secure handling of reviewer materials and confidentiality obligations.

Compliance Checklist for HIPAA Security

• Determine whether your IRB operates within a covered entity or independently and identify all touchpoints with ePHI.
• Designate a security official responsible for IRB systems and workflows.
• Complete a documented risk assessment and update it at defined intervals.
• Implement written policies for administrative, physical, and technical safeguards.
• Apply least-privilege, role-based access with MFA and periodic access reviews.
• Enable audit controls and log retention for all platforms handling reviewer materials.
• Secure facilities with facility access controls and protect workstations with screen locks and privacy measures.
• Encrypt ePHI at rest and in transit; avoid personal storage and unencrypted email.
• Establish incident response procedures and coordinate with the covered entity on investigation and notifications.
• Back up critical IRB records and test disaster recovery and emergency access procedures.
• Train staff and IRB members on security, confidentiality, and secure remote review practices.
• Use data use agreements for limited data sets and ensure appropriate business associate agreements with vendors.
• Define secure processes for distributing, collecting, and archiving reviewer packets and meeting materials.
• Document all determinations, including any waiver of authorization and associated safeguards.
• Schedule periodic evaluations to verify control effectiveness and update risk decisions.

Conclusion

Embedding HIPAA Security Rule requirements into IRB governance protects participants, preserves research integrity, and reduces organizational risk. By aligning administrative, physical, and technical safeguards with a disciplined risk management process, you create a defensible, efficient review environment for ePHI.

FAQs

What are the key administrative safeguards IRBs must implement?

Core measures include a documented risk assessment and risk management plan, designated security leadership, workforce training and sanctions, least-privilege access provisioning, incident response procedures, contingency planning, and ongoing evaluations. These policies should be embedded in IRB workflows from protocol intake to continuing review.

How do IRBs manage physical protections of ePHI?

IRBs manage physical safeguards through facility access controls (badging, visitor logs), secure meeting practices, workstation protections (screen locks, privacy filters), and device/media controls such as encryption, custody tracking, and certified destruction. Remote and hybrid activities must apply equivalent protections.

When can IRBs waive authorization for the use of ePHI in research?

An IRB may approve a waiver of authorization when privacy risks are minimal with adequate safeguards, identifiers will be destroyed when no longer needed, assurances prevent improper reuse or disclosure, and the research would not be practicable without the waiver and the corresponding access to ePHI. The decision and scope must be precisely documented.

What is the role of data use agreements in HIPAA compliance for IRBs?

Data use agreements govern limited data sets by defining permitted uses, authorized recipients, required safeguards, breach reporting, and prohibitions on re-identification or contact. IRBs ensure these terms align with the protocol and that the Security Rule’s protections are reflected in how the data are handled across systems and partners.