Access to Protected Health Info (PHI) ≠ Self Determination of Exemption

Office of Research

Institutional Review Board

Human Research Protections (HRP)

Access to Protected Health Info (PHI) ≠ Self Determination of Exemption

Version August 12, 2024

Studies that qualify through the self-determination of exemption IRB application process must strictly avoid accessing PHI. This prohibition extends to observing clinical care encounters for the purposes of human subject research.
Doctor showing comforting a patientUnless a permitted use and disclosure under HIPAA, which could include training, Researchers must obtain a prospective HIPAA authorization from UCI patients before the observation of medical care and treatment of a patient. Moreover, when the intent is for research, prospective UCI IRB approval must be obtained, including the requisite privacy review. As a reminder, the UCI IRB serves as the privacy board for UCI (even if the IRB review is delegated to a commercial IRB). The UCI IRB may require either a signed research HIPAA authorization or, the UCI IRB may waive research HIPAA research authorization entirely. To confirm, the UCI IRB makes this decision, not the Researcher.

 

If a researcher completes a self-determination of exemption application with the UCI IRB, indicating their human research activity includes access to PHI, the application should include text that specifies the activity is not eligible for an exempt self-determination. UCI IRB review is required. Accordingly, it is imperative that Researchers please read all text within the exempt self-determination application before proceeding with any research activity. Important Note: The UCI IRB will not provide a retroactive approval. If Researchers are unsure, contact HRP Staff.

 

HRP is actively reviewing the self-determination of exemption applications, submitted in Kuali Research Protocols (KRP). If it is found that a self-determination of exemption application was submitted that includes access to PHI, and the research activity was completed, this will be considered non-compliance. A “new information report” application will need to be submitted for The words HIPPA Compliance written on a piece of paperreview by the IRB Chair. Most likely, this application will be forwarded to the convened IRB. In addition, the UCI Health Privacy and Compliance Office must be notified of a possible HIPAA breach at 714-456-3674. Possible outcomes of the UCI IRB review for non-compliance include a determination that data may not be used, published or presented. If already published, the IRB may require retraction of the data and even of the publication.

For more information on this topic, review the applicable HRP policies or
reach out to HRP Staff directly.

 

Scroll to Top