Institutional Review Board (IRB) HIPAA Compliance Checklist
This Institutional Review Board (IRB) HIPAA Compliance Checklist helps you translate privacy and security requirements into clear, review-ready actions. Use it to confirm how Protected Health Information (PHI) will be accessed, protected, and documented throughout the research lifecycle.
Institutional Review Board Role
The IRB evaluates whether a study’s use of PHI is ethically justified, legally permissible, and operationally safeguarded. You assess privacy risks, confirm the legal pathway for PHI access, and document determinations that anchor compliance throughout the project.
- Determine whether HIPAA applies by mapping data sources, covered entities, and data flows.
- Verify the legal basis for PHI use: participant authorization, HIPAA Authorization Waiver or alteration, preparatory-to-research representations, limited data set with a data use agreement, or Data De-identification.
- Review the Minimum Necessary Standard, ensuring protocols limit PHI collection, access, and sharing to what is required.
- Confirm safeguards, including Access Controls, audit logging, and breach handling steps.
- Document IRB decisions and conditions of approval; require continuing review when PHI risk or scope changes.
HIPAA Compliance in Research
HIPAA applies when research uses PHI from a covered entity or its business associates. Your plan must specify what PHI is needed, who will access it, how it will be secured, and how identifiers will be limited or removed when possible.
- Participant authorization: individuals permit specified PHI uses for a defined purpose and timeframe.
- Waiver or alteration: the IRB may approve access without authorization when strict criteria are met, with documented privacy protections.
- Preparatory to research: review PHI to assess study feasibility, recording no identifiers beyond what is allowed.
- Limited data set: share restricted identifiers under a data use agreement that sets permitted uses and safeguards.
- De-identified data: remove or transform identifiers to a standard that reasonably prevents reidentification.
IRB HIPAA Compliance Checklist Items
- Define PHI scope: list data elements, sources, and whether electronic PHI is involved.
- Identify the legal pathway: authorization, HIPAA Authorization Waiver/alteration, preparatory-to-research, limited data set, or Data De-identification.
- Authorization elements: purpose, the specific PHI involved, who may disclose and who may receive it, an expiration date or event, participant rights (including revocation), and signatures.
- Minimum Necessary Standard: role-based access, data minimization, and masked views for nonessential fields.
- Access Controls: unique user IDs, least-privilege roles, multi-factor authentication for remote or high-risk access.
- Auditability: system logs for access, queries, exports, and administrative overrides; routine review procedures.
- Security safeguards: encryption in transit and at rest, secure key management, hardened endpoints, and vetted storage locations.
- Data sharing: data use agreements for limited data sets; verify vendor protections and agreements where applicable.
- Data De-identification plan: method, reidentification risk assessment, and separate storage of linkage keys.
- Retention and destruction: schedules aligned to protocol, with verifiable disposal of PHI and media.
- Breach Notification Procedures: incident intake, risk assessment, timely notifications, and corrective actions.
- Contingency planning: backups, disaster recovery, and continuity testing for systems storing PHI.
- Training and oversight: Privacy Training Documentation for all staff with PHI access; designate data stewards.
- Ongoing compliance: change-control for amendments, periodic reviews, and documented monitoring results.
PHI Protection Requirements
Protected Health Information (PHI) requires layered administrative, technical, and physical safeguards proportionate to risk. Your protocol should explain how each safeguard is implemented and monitored.
- Administrative: policies for the Minimum Necessary Standard, role approvals, incident response, vendor oversight, and periodic risk assessment.
- Technical: Access Controls, encryption, endpoint protection, network segmentation, and audit controls with alerting.
- Physical: secure work areas, locked storage, device inventories, and clean-desk/media protections.
- Data De-identification: apply de-identification or pseudonymization when possible; store linkage files separately with restricted access.
- Data integrity: hash-based verification for transfers, checksums on archives, and documented quality checks.
Participant Consent and Authorization
Informed consent and HIPAA authorization serve different purposes. Consent addresses research participation; authorization addresses PHI use and disclosure. You may combine them when allowed, provided each required element is explicit and understandable.
If obtaining authorization is impracticable, the IRB may approve a HIPAA Authorization Waiver or alteration when criteria are met, including minimal privacy risk and strong plans to protect identifiers. Partial waivers can support recruitment or screening using PHI.
- Use plain language that specifies what PHI is involved, who will use it, why, and for how long.
- Explain rights: refusal without penalty, revocation process, and any limits on downstream revocation.
- Provide contacts for privacy questions and concerns, separate from study staff when feasible.
Data Handling and Management
Describe your full data lifecycle: collection, storage, analysis, sharing, retention, and destruction. Align each step with the Minimum Necessary Standard to prevent unnecessary PHI exposure.
- Collection: capture only essential fields; segregate identifiers at intake; validate data at the source.
- Storage: approved repositories with encryption, Access Controls, and environment hardening; document backup and restoration tests.
- Use and analysis: masked datasets, privacy-preserving methods, and reproducible pipelines with controlled exports.
- Sharing: limited data sets under data use agreements; secure transfer channels; watermarking and data release logs.
- Retention: justify durations; automate archival and destruction; record destruction certificates.
- Vendors and tools: vet platforms handling PHI, restrict admin access, and monitor with continuous logging.
Training and Documentation
Ensure all personnel with PHI access complete role-specific privacy and security training before work begins. Maintain Privacy Training Documentation, including dates, curricula, attestations, and retraining intervals.
- Keep IRB determinations, authorizations, waivers, data flow diagrams, and risk assessments in the study file.
- Record Access Controls (roles, approvals), audit review results, incident reports, and corrective actions.
- Version-control SOPs, forms, and code used to handle PHI; archive de-identification and linkage procedures.
By documenting decisions, limiting PHI to the minimum necessary, and enforcing strong safeguards with continuous monitoring, you create a defensible, participant-centered compliance posture that supports ethical, high-quality research.
FAQs
What is the role of the IRB in HIPAA compliance?
The IRB determines whether HIPAA applies, confirms the lawful basis for PHI use, assesses privacy risks, and documents conditions of approval. You also verify safeguards, require training, and ensure continuing review when PHI scope or risk changes.
How does the IRB verify HIPAA authorization?
You review authorization language for required elements, clarity, and scope; confirm the Minimum Necessary Standard; and ensure processes exist to capture, store, and honor revocations. For impracticable scenarios, you evaluate and document criteria for a HIPAA Authorization Waiver or alteration.
What are PHI protection requirements in research?
Implement administrative, technical, and physical safeguards proportionate to risk. Core controls include Access Controls, encryption, audit logging, personnel training, and Data De-identification or minimization wherever feasible, all documented and monitored.
How should data breaches be handled under HIPAA?
Activate Breach Notification Procedures: contain the incident, assess risk, preserve evidence, notify your privacy/compliance contacts, provide required notices without undue delay, and implement corrective actions. Document each step and update safeguards to prevent recurrence.