x
Advarra

Community

Advarra Clinical Research Network

Onsemble Community

Diversity, Equity, & Inclusion

Participants & Advocacy

Advarra Partner Network

Community Advocacy

Sign up for the Site-Sponsor Consortium Newsletter

Reviews

Institutional Review Board (IRB)

Institutional Biosafety Committee (IBC)

Data Monitoring Committee (DMC)

Endpoint Adjudication (EAC)

Consulting

GxP Services

Research Compliance & Site Operations

Professional Services

Coverage Analysis​

Budget Negotiation​

Calendar Build 

Technology Staffing

Training

Clinical Research Site Training

Research-Ready Training

Virtual Investigator Meetings

Custom eLearning

Services for

Sponsors & CROs

Sites & Institutions

BioPharma & Medical Tech

Oncology Research

Decentralized Clinical Trials

Early Phase Research

Research Staffing

Cell and Gene Therapy

Ready to Increase Your Research Productivity?
Get a Quote
View All Services

Solutions for Need

Clinical Trial Management

Clinical Data Management

Research Administration

Study Startup

Site Support and Engagement

Secure Document Exchange

Decentralized Clinical Trials

Oncology Research

Early Phase Research

Research Site Cloud

Solutions for Sites

Enterprise Institution CTMS

Health System/Network/Site CTMS

Electronic Consenting System

eSource and Electronic Data Capture

eRegulatory Management System

Research ROI Reporting

Automated Participant Payments

Life Sciences Cloud

Solutions for Sponsors/CROs

Clinical Research Experience Technology

Center for IRB Intelligence

Insights for Feasibility

IRB Document Sharing
Not Sure Where To Start?
Start Here
View All Solutions

Resource Library

Podcast

Blog

White Papers

View All Resources

Webinars

eBooks

Case Studies

Events

Ask the Experts

Frequently Asked Questions

COVID-19 Support

News

Check out the latest episodes of Advarra in Conversations with..

About Advarra

Careers

Consulting Opportunities

Leadership Team

Our Experts

Accreditation & Compliance

Join Advarra

Learn more about our company team, careers, and values. Join Advarra’s Talented team to take on engaging work in a dynamic environment.

See Jobs

Blog
Resource Library

Why Keep HIPAA Separate from the Informed Consent Form

By Tom Closson, VP, IRB Services, Safety & Ongoing Review, and Stephanie Pyle, Director of Content and Communications
December 1, 2022

The research informed consent form (ICF) is designed to provide prospective participants with the necessary information to make an informed decision about whether to participate in a clinical trial.

Frequently included in the informed consent is an institution’s Health Insurance Portability and Accountability Act (HIPAA) statement, which informs participants of how their protected health information (PHI) may be used or disclosed by covered entities for research purposes.

HIPAA statements are typically provided to participants in one of two ways:

In this blog, we’ll explore why HIPAA is important to the informed consent process and why a standalone document is often the most beneficial approach, both for informing participants and for simplifying the institutional review board (IRB) review process.

Why HIPAA in Research?

The HIPAA Privacy Rule, or Standards for Privacy of Individually Identifiable Health Information, was issued in 1996 in response to public concern over potential abuses of the privacy of health information.

The Privacy Rule establishes a category of health information, known as protected health information (PHI). This may only be used or disclosed to others in certain circumstances or under certain conditions. PHI is a subset of what is termed “individually identifiable health information.” With certain exceptions, individually identifiable health information becomes PHI when it is created or received by a covered entity.

Covered entities include health plans, health care clearinghouses, and health care providers who transmit health information electronically in connection with certain defined HIPAA transactions, such as claims or eligibility inquiries. Organizations classified as “business associates” of covered entities may also be obligated to follow HIPAA requirements.

Clinical trial protocols often seek to access patients’ personal health information, like medical charts and test results. This helps identify potential participants, confirm whether someone meets the trial’s eligibility requirements, or establish baseline medical information for trial participants.

Informing participants about their HIPAA rights as part of the informed consent process helps ensure they understand how their information will and won’t be used to make an informed decision about participating.

A HIPAA Authorization allows a covered entity to use or disclose the patient’s PHI in a way not otherwise allowed by the HIPAA Privacy Rule. For clinical research, this may include local researchers sharing the information with a third party, or, in the case of a partial waiver of Authorization, reviewing PHI for recruitment purposes. HIPAA Authorizations must contain numerous required elements, including details about who may use the PHI and for what purposes.

HIPAA and IRB Review

For certain clinical trials, it may be beneficial for recruitment purposes for researchers to request a waiver or alteration (sometimes called a partial waiver) of research participants’ HIPAA Authorization for use/disclosure of their information. Or as NIH explains, “[f]or some types of research, it is impracticable for researchers to obtain written Authorization from research participants.”

By waiving some or all of the Authorization requirements, researchers may more easily access information necessary for activities “preparatory to research,” such as preparing a research protocol or developing a research hypothesis, or for identifying prospective participants who would meet the study’s eligibility criteria for enrollment.

The regulations at 45 CFR Part 164.512 indicate a privacy board or an IRB may waive or alter, in whole or in part, Authorization requirements for use and disclosure of PHI connected with a particular research project.

It’s important to note: “IRB” is not synonymous with “privacy board,” as each board has its own unique membership requirements. To put it another way, a privacy board meeting the Privacy Rule’s membership requirements does not necessarily satisfy the IRB membership requirements laid out in HHS and FDA regulations or other federal laws and requirements applicable to research.

Covered entities may reasonably rely upon documentation from an IRB (whose membership satisfies the requirements of HHS or FDA regulations) in order to use or disclose PHI without Authorization, as permitted by the Privacy Rule at 45 CFR 164.512(i)(1)(i). The Privacy Rule permits a covered entity to accept documentation of such an approval from any qualified IRB or privacy board – this permission does not necessarily need to come from the IRB overseeing the institution’s research.

Why Keep HIPAA Separate from the ICF?

Determining whether an organization is a HIPAA “covered entity” must be made at the individual site level. So including HIPAA in a multisite study-wide ICF doesn’t make sense – HIPAA typically includes unique choices made by the site or institution.

Also worth noting is the IRB’s role under the Privacy Rule is “limited to acting on requests for a waiver or an alteration of the Privacy Rule’s Authorization requirement. IRBs are, thus, not required to review and approve Authorizations under the Privacy Rule…[and] are not required to approve standalone Authorizations” (NIH, Institutional Review Boards and the HIPAA Privacy Rule).

However, when HIPAA language is incorporated into the ICF itself, it becomes part of the IRB’s responsibility to review the HIPAA language in the ICF for required consent elements. Covered entities may want to consider whether such review is necessary.

HIPAA can be particularly troublesome for IRBs serving as the single IRB (sIRB) for a given study. When research sites incorporate their HIPAA content into the ICF language specific to their location, it can require a lot more work for the sIRB to keep the ICF up to date.

For example, any time a study-wide amendment requires site-specific revisions, the sIRB must ensure site-specific HIPAA language is properly incorporated into the revised ICF – adding an additional administrative step to a process usually requiring very timely action. Already managing multiple site-specific ICF requirements, an sIRB may find the HIPAA aspect an additional complication potentially impacting the efficiencies inherent in sIRB oversight.

Ultimately, it is better for all stakeholders to keep HIPAA language separate from the research informed consent:

Since HIPAA considerations are unique to the individual covered entity, it’s important to consult with your Privacy Officer or another responsible official to understand your local policies and requirements.

Informed ConsentResearch Operations

Tagged in: , , , , ,

Back to Resources

Our white paper outlines six approaches to increase participant comprehension in the informed consent process.

Download the White Paper

Subscribe to our monthly email

Receive updates monthly about webinars for CEUs, white papers, podcasts, and more.

Subscribe

Advancing Clinical Research: Safer, Smarter, Faster

Copyright © 2024 Advarra. All Rights Reserved.