Federal regulations require an Institutional Review Board (IRB) to review research on human subjects if the research involves federal funding. The University of Chicago has determined that all research undertaken at this institution, or by those persons affiliated with this institution, must undergo an equal level of review as research that falls under federal regulations.
The Biological Sciences Division (BSD) Institutional Review Boards are administered by the Office of Clinical Research (OCR), and are responsible for all biological or medical research conducted at the University of Chicago and/or the University of Chicago Hospitals.
To obtain IRB approval for your research study, you must submit a written protocol to the IRB. At the University of Chicago, you need to use the "AURA IRB System" online submission system. You will need either a CNetID (University employees) or a UCHAD ID (hospital employees) to log into AURA. You may use the link to the right to go to the account creation pages for CNet if needed.
The IRB has extensive documentation and guidance on its forms and guidelines, including information on submitting new protocols (for new studies) and submitting Continuing Review Submissions (for existing studies). To learn more about these topics, please use the links to the right.
The Health Insurance Portability and Accountability Act (HIPAA), along with the follow-up HITECH Act, implemented a number of changes to the nation's health care system, including two rules that directly affect researchers: the Security Rule and the Privacy Rule. These rules regulate the use of Protected Health Information (PHI): individually identifiable health information.
The Security Rule applies to Electronic Protected Health Information. The Security Rule specifies regulations for:
Technical Safeguards - access controls, audit controls, data integrity controls, person or entity authentication, and data transmission security.
The HIPAA Privacy Rule requires safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. A part of the Privacy Rule deals directly with research, and specifies the conditions under which patient data can be used for research.
The Privacy Rule permits a covered entity (such as the hospital) to use or disclose PHI for research under the following circumstances and conditions, among others:
If a waiver of authorization has been granted by the Privacy Board (which at University of Chicago is the Institutional Review Board). Several criteria must be met in order for a waiver to be granted, including:
PHI use or disclosure involves no more than minimal risk to the privacy of individuals, based on at least the presence of:
IRB policies, HIPAA policies, University of Chicago Medical Center (UCMC) policies, and research best practices all point to reducing exposure to PHI and handling it carefully. Moreover, a goal of the UCMC is to reduce the amount of PHI that is being transferred from the hospital to the Biological Sciences Division.
Obtaining limited data sets or de-identified data through HIRO requests and the Electronic Data Broker Systems can help you comply with these best practices.