
Step 2: Obtaining an IRB Protocol and Understanding HIPAA

The Institutional Review Board

Federal regulations require an Institutional Review Board (IRB) to review research on human subjects if the research involves federal funding. The University of Chicago has determined that all research undertaken at this institution, or by persons affiliated with it, must undergo the same level of review as research that falls under federal regulations.

The Biological Sciences Division (BSD) Institutional Review Boards are administered by the Office of Clinical Research (OCR), and are responsible for all biological or medical research conducted at the University of Chicago and/or the University of Chicago Hospitals.

Applying for IRB Approval for your Research Study

To obtain IRB approval for your research study, you must submit a written protocol to the IRB. At the University of Chicago, you need to use the "AURA IRB System" online submission system. You will need either a CNetID (University employees) or a UCHAD ID (hospital employees) to log into AURA. You may use the link to the right to go to the account creation pages for CNet if needed.

The IRB has extensive documentation and guidance on its forms and guidelines, including information on submitting new protocols (for new studies) and submitting Continuing Review Submissions (for existing studies). To learn more about these topics, please use the links to the right.

HIPAA and its Application to Research

The Health Insurance Portability and Accountability Act (HIPAA), along with the follow-up HITECH Act, implemented a number of changes to the nation's health care system, including two rules that directly affect researchers: the Security Rule and the Privacy Rule. These rules regulate the use of Protected Health Information (PHI): individually identifiable health information.

The Security Rule applies to Electronic Protected Health Information (EPHI). It specifies regulations for:

  • Administrative Safeguards - preventing and handling security violations, assigning security responsibility, handling access restrictions for the workforce, authorizing access to EPHI, training for security awareness, addressing security incidents, data backup and recovery, and evaluation of security policies and procedures.
  • Physical Safeguards - limiting physical access to electronic information systems, implementing procedures for workstation use, implementing physical safeguards for workstations, and protecting hardware and media containing EPHI (including its disposal).
  • Technical Safeguards - access controls, audit controls, data integrity controls, person or entity authentication, and data transmission security.

The HIPAA Privacy Rule requires safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. A part of the Privacy Rule deals directly with research, and specifies the conditions under which patient data can be used for research.

The Privacy Rule permits a covered entity (such as the hospital) to use or disclose PHI for research under the following circumstances and conditions, among others:

  • If the subject of the PHI has granted specific written permission through an Authorization.
  • If a waiver of authorization has been granted by the Privacy Board (which at University of Chicago is the Institutional Review Board). Several criteria must be met in order for a waiver to be granted, including:

    • The research could not practicably be conducted without the requested waiver or alteration.
    • The research could not practicably be conducted without access to and use of the PHI.
    • PHI use or disclosure involves no more than minimal risk to the privacy of individuals, based on at least the presence of:

      • (1) An adequate plan presented to the IRB to protect PHI identifiers from improper use and disclosure;
      • (2) An adequate plan to destroy those identifiers at the earliest opportunity, consistent with the research, absent a health or research justification for retaining the identifiers or if retention is otherwise required by law; and
      • (3) Adequate written assurances that the PHI will not be reused or disclosed to any other person or entity except (a) as required by law, (b) for authorized oversight of the research study, or (c) for other research for which the use or disclosure of the PHI is permitted by the Privacy Rule.
  • If the information is released in the form of a limited data set, with certain identifiers removed, and with a data use agreement between the researcher and the covered entity (the hospital). Limited data sets are still PHI; they are simply partially de-identified, and therefore have a different set of restrictions. For more information on limited data sets, see pages 15-16 of "NIH - Understanding the HIPAA Privacy Rule". A link to this document is available in the "HIPAA Resources" section to the right.
  • For reviews preparatory to research if certain representations are obtained from the researcher.
  • For research solely on decedents' information if certain representations are obtained from the researcher.
  • If the PHI has been de-identified in accordance with the standards set by the Privacy Rule (in which case, the health information is no longer PHI). Requirements for this level of de-identification are quite specific and involve removal of 18 identifiers. For more information, please see pages 9-11 of "NIH - Understanding the HIPAA Privacy Rule". A link to this document is available in the "HIPAA Resources" section to the right.

HIRO and the Electronic Broker Systems: Aiding Compliance

IRB policies, HIPAA policies, University of Chicago Medical Center (UCMC) policies, and research best practices all point to reducing exposure to PHI and handling it carefully. Moreover, a goal of the UCMC is to reduce the amount of PHI that is being transferred from the hospital to the Biological Sciences Division.

Obtaining limited data sets or de-identified data through HIRO requests and the Electronic Data Broker Systems can help you comply with these best practices.

Please note: the above documentation draws extensively on documents from the NIH and others. Some items are copied verbatim, and the references are not always cited above.
