NRPM: Standards for Privacy of Individually Identifiable Health Information. c. Privacy board review requirement.


In § 154.510(j), we would require covered entities that wish to use or disclose protected health information for research without individual authorization to obtain documentation that a privacy board has reviewed the research protocol and has determined that specified criteria (described below) for waiver of authorization for use or disclosure of the information have been met. The board could be an IRB constituted under the Common Rule, or an equivalent privacy board that meets the requirements in this proposed rule. We propose to apply these requirements to uses and disclosures of protected health information by all covered entities, regardless of the source of funding of the research.

We propose no requirements for the location or sponsorship of the IRB or privacy board. The covered entity could create such a board, and could rely on it to review proposals for uses and disclosure of records. An outside researcher could come to the covered entity with the necessary documentation from his or her own university IRB. A covered entity could engage the services of an outside IRB or privacy board to obtain the necessary documentation. The documentation would have to be reviewed by the covered entity prior to a use or disclosure subject to this provision.

Under our proposal, we would require that the documentation provided by the IRB or privacy board state: (1) that the waiver of authorization has been approved by the IRB or privacy board; (2) that the board either is an IRB established in accordance with the HHS regulations (45 CFR 46.107) or equivalent regulations of another federal agency, or is a privacy board whose members (i) have appropriate expertise for review of records research protocols, (ii) do not have a conflict of interest with respect to the research protocol, and (iii) include at least one person not affiliated with the institution conducting the research; (3) that the eight criteria for waiver of authorization (described below) are met by the protocol; and (4) the date of board approval of the waiver of authorization. We would also require that the documentation be signed by the chair of the IRB or privacy board.