According to the Health Insurance Portability and Accountability Act or HIPAA Privacy Rule (US) Authorizations to Use and/or Disclose Protected Health Information must be study specific.
The Board has provided sample template Authorization language that may be customized for a specific study by a Covered Entity. Each site must make its own decision as to whether or not it is a Covered Entity. The site should consult its legal counsel and review the decision tree “Am I a Covered Entity?” on the HIPAA website. Even if a site is not technically a “Covered Entity,” the study protocol may require compliance with the HIPAA Privacy Rule.
You need to be aware of any state laws that relate to the privacy of individually identifiable health information that are more restrictive than the HIPAA Privacy Rule. The HIPAA Privacy Rule does not replace more restrictive state privacy laws.
Upon request, Schulman will review HIPAA stand-alone authorizations. IRBs are not required to review HIPAA Authorizations that are separate from the informed consent (i.e. “stand-alone authorizations”). See FDA’s IRB Review of Stand-Alone HIPAA Authorizations Under FDA Regulations and NIH’s HIPAA Privacy Rule Information for Researchers. Schulman is required to review all HIPAA Authorizations incorporated into the informed consent document (i.e., “compound authorizations”). It is the investigator’s responsibility to comply with the HIPAA authorizations language to ensure that it meets federal and state privacy laws requirements.
In compliance with Canada’s Personal Information Protection and Electronic Documents Act or PIPEDA and Provincial Privacy Laws, Schulman will review privacy text regarding the collection, use and disclosure of identifiable health information that is incorporated into informed consents