The DHA Privacy Board reviews research related data requests for protected health information (PHI) about individual research participants for Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule compliance. This process is described below and illustrated in the flowchart entitled DHA Privacy Board Review Process for Research Related Data Requests.
Required Representations for Research on Decedent’s Information
If researchers seek the use or disclosure of PHI solely for research on decedents, the DHA Privacy Board will provide the Principal Investigator (PI) with the Required Representations for Research on Decedent’s Information template. The PI must initial and sign this template to document compliance with the representations required by the HIPAA Privacy Rule at 45 CFR 164.512(i)(1)(iii) and DoD 6025.18-R.
Required Representations for Review Preparatory to Research
If researchers seek the use or disclosure of PHI from DHA solely for review as necessary to prepare a research protocol or for similar purposes preparatory to research and agree not to remove the PHI from DHA in the course of the review, the DHA Privacy Board will provide the PI with the Required Representations for Review Preparatory to Research template. The PI must initial and sign this template to document compliance with the representations required by the HIPAA Privacy Rule at 45 CFR 164.512(i)(1)(ii) and DoD 6025.18-R.
Projects That Must Obtain HIPAA Authorizations
Where the PI is able to obtain a written and signed HIPAA Authorization, also known as “Authorization,” from every participant in a research project, the DHA Privacy Board requires the PI to submit a Research Authorization Review template along with a copy of the Authorization(s) that will be provided to each participant for signature. The DHA Privacy Board reviews the Authorization(s) to ensure all of the required elements and core statements outlined in the HIPAA Privacy Rule at 45 CFR 164.508(c) and DoD 6025.18-R are included.
Projects That Require a Waiver of Authorization or an Altered Authorization
Where it is impossible or impracticable to obtain a written Authorization from each and every research participant, the PI must seek to obtain a waiver or alteration of the Authorization requirement from an IRB or the DHA Privacy Board.
If the PI is able to obtain HIPAA Privacy Rule review and appropriate documentation from an IRB or HIPAA Privacy Board, the PI must provide the DHA Privacy Board with a copy of the IRB or HIPAA Privacy Board approved HIPAA waiver of Authorization or an altered Authorization. The DHA Privacy Board will rely on approved waivers/alterations from an IRB or HIPAA Privacy Board, provided that the approval documentation contains all required elements, as set forth in the HIPAA Privacy Rule at 45 CFR at 164.512(i)(2) and DoD 6025.18-R. The DHA Privacy Board staff will work with the PI when the approved waiver/alteration is deficient and will give the IRB or HIPAA Privacy Board an opportunity to update its documentation to include all required elements.
If the PI is not able to obtain HIPAA Privacy Rule review and appropriate documentation from an IRB or HIPAA Privacy Board, the PI will be asked to complete the DHA Privacy Board’s Application for a Waiver of Authorization or an Altered Authorization. Once the application is complete, it will be assigned to a DHA Privacy Board member to determine which, if any, of the following are acceptable under the HIPAA Privacy Rule and DoD 6025.18-R: (1) Full Waiver; (2) Partial Waiver; or (3) Altered Authorization.
Completion of DHA Privacy Board Review
When reviewing the above-referenced templates, the DHA Privacy Board will contact the PI as necessary in order to complete its review. Once the DHA Privacy Board completes the HIPAA Privacy Rule review, the DHA Privacy Office continues processing the Data Sharing Agreement Application (DSAA) for other compliance requirements.