Does the HIPAA Privacy Rule permit the creation of a database for research purposes through an Institutional Review Board (IRB) or Privacy Board waiver of individual authorization?

Answer:

Yes. A covered entity may use or disclose protected health information without individuals’ authorizations for the creation of a research database, provided the covered entity obtains documentation that an IRB or Privacy Board has determined that the specified waiver criteria were satisfied. Protected health information maintained by a covered entity in such a research database could be used or disclosed for future research studies as permitted by the Privacy Rule – that is, for future studies in which individual authorization has been obtained or where the Rule would permit research without an authorization, such as pursuant to an IRB or Privacy Board waiver.

See our research section and frequently asked questions about the research provisions for more information about Institutional Review and Privacy Boards.

 

 

Date Created: 12/20/2002
Last Updated: 03/14/2006

Content created by Office for Civil Rights (OCR)
Content last reviewed on July 26, 2013