Database review by the IRB

• If a database is developed for clinical or quality improvement purposes, the database does not need IRB review.
• If a database is developed for clinical or QI purposes and knowingly will be used for future research, the database needs IRB review.
• If a database is developed for research purposes, it needs IRB review.

Frequently asked questions

Does the HIPAA Privacy Rule permit the creation of a database for research purposes through an IRB Privacy Board waiver of individual authorization?

Yes. A covered entity may use or disclose protected health information without individuals' authorizations for the creation of a research database, provided the covered entity obtains documentation that an IRB or Privacy Board has determined that the specific waiver criteria were satisfied. Protected health information maintained by a covered entity in such a research database could be used or disclosed for future research studies as permitted by the Privacy Rule. That is, for future studies in which individual authorization has been obtained or where the Privacy Rule would permit research without an authorization, such as pursuant to an IRB or Privacy Board waiver.

Can researchers continue to access existing databanks or repositories that are maintained by covered entities, even if those databases were created prior to the compliance date without patient permission or without a waiver of informed consent by an IRB?

Yes. Under the HIPAA Privacy Rule, covered entities may use or disclosure protected health information from existing databases or repositories for research purposes, either with individual authorization as required in 45 CFR 164,508, or with a waiver of individual authorization as permitted at 45 CFR 164, 512(i).