Institutional Review Board Manual
HIPAA and Research
How HIPAA Affects a Researcher
The Privacy Rule of HIPAA (Health Insurance Portability and Accountability Act) regulates the way DMH (a covered entity) may use or disclose individually identifiable health information known as protected health information (PHI). In general, the Privacy Rule requires an individual to provide his/her signed permission, known as an Authorization before a covered entity can use or disclose the individual's PHI for research purposes.
HIPAA Authorizations may be included as content in an Informed Consent or they may be a separate document. In either case, the “Core Elements” that must be included in an Authorization may be found at Obtaining Authorizations from Subjects.
Under certain circumstances the Privacy Rule permits a covered entity to use or disclose PHI for research without an individual's Authorization. The documentation required for a waiver of the Authorization may be found at Criteria for Requesting Waivers.
For additional information on HIPAA and special requirements for researchers, see: