HIPAA provides for an entity called a Privacy Board, the primary task of which is to review authorization waiver requests for research.

Such a board could also have a general mandate to address institutional privacy issues, in addition to the responsibilities given to the privacy officer, though this function is not addressed in the HIPAA regulations.

The specifications for Privacy Board membership closely match those for Institutional Review Boards (IRB) under the federal Common Rule. A Privacy Board must:

• have members with varying backgrounds and appropriate professional competency as necessary to review the effect of the research protocol on the individual’s privacy rights and related interests;

• include at least one member who is not affiliated with the covered entity, not affiliated with any entity conducting or sponsoring the research, and not related to any person who is affiliated with any of such entities; and

• not have any member participating in a review of any project in which the member has a conflict of interest.
  

See also:

• 45 CFR 164.512(i)

Last modified: 14-May-2005 [RC]