Institutional Review Board

PURPOSE

The University of Utah Institutional Review Board (IRB) ensures that all research participants receive adequate privacy and confidentiality protections.

SCOPE

This policy applies to human subject research conducted at the University of Utah.

POLICY

The University of Utah IRB provides guidance to IRB members and Investigators regarding privacy and confidentiality. Such guidance is available on the University of Utah IRB website and within the University of Utah Electronic Research Integrity and Compliance Administration system (ERICA) .

Investigators must describe provisions to protect the privacy interests of participants in the IRB application. The IRB determines and documents whether privacy protections are adequate.

The Investigators must describe provisions to maintain the confidentiality of data in the IRB application. Investigators are required to abide by HIPAA Privacy Rule, when applicable. For researchers to gain access to health information that is stored at any HIPAA “covered entity”, investigators must provide the covered entity with written assurances describing how the health information will be used and protected.

The University of Utah’s covered entity may use or disclose protected health information for research, regardless of the source of funding of the research, if the investigators’ requests for health information receive prior approval through a Privacy Board or the University of Utah Institutional Review Board.

For studies that have been issued a Certificate of Confidentiality, investigators should follow the guidance provided in the Investigator Guidance Series: Certificates of Confidentiality available on the IRB website.

PROCEDURES

1. IRB Review of Privacy and Confidentiality Protections
   1. Upon review of the investigator’s submission, the University of Utah IRB determines whether the investigator’s proposal for protecting the privacy and confidentiality of research participants is adequate. This determination is documented in the reviewer checklist or IRB minutes if the study is reviewed by the convened board.
   2. For research subject to the HIPPA Privacy Rule, investigators may request that the use of protected health information for research. The University of Utah IRB may approve the investigator’s proposal to obtain HIPAA Authorization from individuals to use their protected health information (PHI). Generally, HIPAA authorization is obtained in conjunction with an informed consent document but may be separate.If HIPAA authorization is not obtained from individuals, the investigator must obtain approval for one of the following:
      • Alteration of (HIPAA) Authorization
      • Waiver of (HIPAA) Authorization
      • Use of a de-identified Data Set that contains no PHI
      • Use of a Limited Data Set with an effective Data Use Agreement in place, as applicable
      • Research on Decedents’ Information

        Investigators submit requests for any of the above by completing the applicable form in the ERICA. The IRB may grant approval of HIPAA Authorization or any of the other methods for conducting HIPAA-compliant research as described in this policy. If a waiver or alteration of HIPAA authorization is granted, protocol-specific findings justifying the board’s determination to grant such a waiver or alteration is documented in the reviewer checklist. The determination of approval is documented in the reviewer  checklist and the IRB minutes if the study is reviewed by the convened board. The approved study in ERICA includes documentation of the approved method(s) of accounting for HIPAA compliance.