HIPAA Privacy Rule: WHAT?
Conducting research involving Protected Health Information (PHI)

The Privacy Rule affects the use of PHI in research protocols. In order to use PHI in a research protocol, you should:

  1. Obtain a signed and valid research authorization from each subject/participant, or
  2. Obtain a waiver of authorization from the IRB, or
  3. Use one of the following altered forms of PHI, as permitted by the Privacy Rule:
    1. Obtain a limited data set (LDS) by signing a data use agreement (DUA) with the data custodian.
    2. Use de-identified information, to which the Privacy Rule does not apply.

ACTION NEEDED:

For all protocols, a researcher should continue to follow all applicable Common Rule requirements.

  1. For protocols approved prior to April 14, 2003 that will not enroll new subjects on or after April 14, 2003, no additional action is necessary for compliance with the Privacy Rule.

    For protocols approved prior to April 14, 2003 that will enroll new subjects on or after April 14, 2003, the researcher should:

    Begin using a Research Authorization form [see the Instructions for Research Authorization Form] and submit a copy of this form to the IRB at the time of continuing review.

  2. For all protocols approved on or after April 14, 2003, a researcher should either:

    Submit the Research Authorization form together with the application for review of the protocol to the IRB [see the Instructions for Research Authorization Form]; or

    Submit an application for a waiver of authorization [see FAQ about waivers of authorization].


Last updated: August 26, 2003