Authorization is the responsibility of the Covered Entity
The HIPAA Privacy Rule is centered on the responsibilities and duties of the Covered Entity. Researchers working in Covered Entities are likely to have privacy duties that are broader than those solely related to their research data involvement.
E&I's Basic Policy
IRB/Privacy Board review is required for (a) review for a waiver of authorization and (b) review of authorization embedded as a part of a consent form needing IRB review. This will be the extent of involvement of the IRB as a part of the review process. E&I staff can and may comment on other aspects of our client's compliance with HIPAA. Such comment should be considered informational only; it should lead to better focusing a client's questions directed to its own HIPAA advisor.
E&I requires receipt of HIPAA information from sites.
This is an effort to assure that sites are aware of the rules. If, for instance, they are a Covered Entity and they don't know what a privacy notice is or whether authorization is required, it is evidence of a need to get them to a place where they can get practice-related information.
The IRB will not review or approve separate authorization forms unless asked.
E&I's IRB will not approve authorization forms unless specifically asked to do so. E&I staff can review to determine the presence of elements and may complete an evaluation form. If there are issues, we will inform the site/sponsor. This is advisory only. E&I has a courtesy-approved HIPAA form to assist with compliance. It is not a required form; its function is to work through the various regulatory obligations. When a separate Authorization form is used, the consent form should refer to the Authorization. Good places for this are at the end of the paragraph on privacy or at the point where the subject is promised a signed copy of the consent form.
The IRB must review HIPAA information when it is integrated into the consent form.
E&I strongly discourages including HIPAA language in the consent document.
California requires separation. If, for some reason, it must be integrated, then:
1. All authorization elements will be necessary and must be in plain language.
2. Ideally, the authorization information should be set aside graphically to distinguish it from the usual information.
For more guidance, see the HIPAA Requirements and Waivers section of the website.