HIPAA authorizations don’t require IRB review

FDA addresses questions, issues guidance

IRBs are not required to review stand-alone HIPAA waivers as part of their oversight of research subject protections even if their written policies and procedures indicate they will review any written documentation provided to potential study participants, the U.S. Food and Drug Administration (FDA) clarified in a recent guidance document issued Oct. 21, 2003, and published in the Nov. 7 issue of the Federal Register.

"The Privacy Rule does not require IRBs to review these authorizations," explains Catherine Lorraine, director of policy development and coordination in the FDA’s Office of the Commissioner.

The Privacy Rule section of the 1996 Health Insurance Portability and Accountability Act (HIPAA) establishes the right of individuals, including research subjects, to authorize the use and disclosure of their protected health information by signing an authorization form (also known as a waiver) for uses and disclosures not otherwise permitted under the rule.

For example, in the context of a clinical investigation, a HIPAA authorization explains the ways in which a subject’s protected health information will be used and disclosed by the clinical investigator and permits the clinical investigator to use and disclose that information as specifically described in the authorization document.

A HIPAA authorization is different from a subject’s informed consent in that a HIPAA authorization focuses on uses and disclosures of information that may be made, the FDA’s guidance notes.

Informed consent, on the other hand, apprises potential subjects of the possible risks and benefits associated with participating in the clinical.

The HIPAA Privacy Rule permits — but does not require — clinical investigators to combine a HIPAA authorization with the informed consent documents. This is known as a "compound authorization."

Internal policies complicate the issue

Following final implementation of the Privacy Rule provisions last year, the FDA and the U.S. Department of Health and Human Services’ (HHS) Office of Civil Rights (OCR) received many questions from IRBs about their obligations under the new law, Lorraine says.

On April 15, 2003, the OCR issued a guidance document clarifying that IRBs were not required to review stand-alone HIPAA authorization documents.1 Obviously, IRBs are required to review compound authorizations because they still must review the informed consent documents.

However, some lingering questions remained.

Many IRBs, in adopting the International Conference on Harmonisation Good Clinical Practice Guidelines, have developed internal policies stating that they will review any written documentation provided by investigators to potential subjects.

Federal law governing protection of research subjects requires IRBs to adhere to their own written policies and procedures.

The new FDA guidance was issued to clarify that the agency would use "ongoing enforcement discretion" with regard to IRBs that decided against reviewing stand-alone HIPAA authorizations even if they have written policies that would seem to require them to do so.

"FDA is exercising this discretion in order to encourage IRBs to permit the continued enrollment of subjects in clinical investigations without IRBs’ prior review and approval of stand-alone HIPAA authorizations," the Federal Register notice indicates. "FDA believes that enrollment in well-designed and well-conducted clinical investigations should not be interrupted for the purpose of IRB review and approval of stand-alone HIPAA authorizations even though the IRB’s written procedures would otherwise require this review and/or approval."

In writing to the FDA and OCR in April, shortly before the regulations took effect, several institutions indicated that clinical investigations might be impeded because the IRBs would be backlogged with requests to review thousands of stand-alone HIPAA authorizations and some communications further stated that some IRBs intended to halt enrollment in some trials pending IRB review of the authorizations, Lorraine says.

The guidance document was written to clarify the FDA’s position and make it easier for IRBs to focus their resources on overseeing and approving good, well-designed clinical trials, she noted.

Unless the situation under the current law changes, the FDA’s enforcement discretion will continue, she says. Any changes would be announced in a new guidance document.

Copies of the FDA guidance are available on-line at: www.fda.gov/oc/gcp/guidance.html or by submitting a written request to the Dockets Management Branch (HFA-305), Food and Drug Administration, 5630 Fishers Lane, Room 1061, Rockville, MD 20852. Requests should be identified with the docket number found in the Notice of Availability for this document published in the Federal Register (Docket No. 2003D-0204).

The HHS also has established an informational web site covering the obligations of the research community under the HIPAA Privacy Rule. The web site (http://privacyruleandresearch.nih.gov/) contains documents and lists of frequently asked questions (FAQs) covering the responsibilities of researchers and IRBs under the HIPAA regulations.


1. Department of Health and Human Services’ Office of Civil Rights. "Privacy Guidance about Authorizations for Research and Institutional Review Boards." Available on-line at: www.hhs.gov/ocr/hipaa/privguideresearch.pdf