Institutional Review Board

POLICY

It is the policy of the University of Utah IRB (UUIRB) to assure that the privacy and confidentiality protections are adequate for all research participants. The UIRB provides guidance to IRB members and Investigators regarding privacy and confidentiality. Such guidance is available on the UUIRB website and within the ERICA online system.

Investigators must describe provisions to protect the privacy interests of participants in the IRB application. The UUIRB determines and documents whether privacy protections are adequate.

The Investigators must describe provisions to maintain the confidentiality of data in the IRB application. Investigators are required to abide by HIPAA Privacy Rule, when applicable. For researchers to gain access to health information that is stored at any HIPAA “covered entity”, investigators must provide the covered entity with written assurances describing how the health information will be used and protected.

A covered entity may use or disclose protected health information for research, regardless of the source of funding of the research, provided that investigators’ requests for health information receive prior approval through a Privacy Board or the University of Utah Institutional Review Board. Information about designated covered entities affiliated with the UUIRB is available on the IRB website.

For studies that have been issued a Certificate of Confidentiality, investigators should follow the guidance provided in the Investigator Guidance Series: Certificates of Confidentiality available on the IRB website.

PROCEDURES

1. Procedures for Review
   1. Upon review of the investigator’s submission, the UUIRB determines whether the investigator’s proposal for protection the privacy and confidentiality of research participants is adequate. The determination is documented in the reviewer checklist.
   2. For research subject to the HIPPA Privacy Rule, investigators may request that the use of protected health information for research. The UUIRB may approve the investigator’s proposal to obtain HIPAA Authorization from individuals to use their protected health information (PHI). Generally, HIPAA Authorization is obtained in conjunction with Informed Consent but may be separate.

      If HIPAA Authorization is not obtained from individuals, the investigator must obtain approval for one of the following:

      • Alteration of (HIPAA) Authorization
      • Waiver of (HIPAA) Authorization
      • Use of a de-identified Data Set that contains no PHI
      • Use of a Limited Data Set with an effective Data Use Agreement in place, as applicable
      • Research on Decedents’ Information
   3. Investigators submit requests for any of the above by completing the applicable form in the ERICA system. The UUIRB may grant approval of HIPAA Authorization or any of the other methods for conducting HIPAA-compliant research as described in this policy. The determination of approval is documented in the Reviewer Checklist. If a waiver or alteration of HIPAA Authorization is granted, protocol-specific findings justifying the board’s determination to grant such a waiver or alteration is documented in the Reviewer Checklist. The approved study protocol in ERICA will include documentation of approved method(s) of accounting for HIPAA compliance.