Standards and Procedures

OPRS SOP 802: Privacy And Confidentiality

Approved Date

Revised Date

Full Details


It is the policy of the University of Illinois Urbana-Champaign IRB (UIUC IRB) to assure that the privacy and confidentiality protections are adequate for all research participants. The UIUC IRB provides guidance to IRB members and Investigators regarding privacy and confidentiality. Such guidance is available on the OPRS website and as part of the submission applications.

Investigators must describe provisions to protect the privacy interests of participants in the IRB application. The UIUC IRB determines and documents whether privacy protections are adequate.

The Investigators must describe provisions to maintain the confidentiality of data in the IRB application. Investigators are required to abide by HIPAA Privacy Rule, when applicable. For researchers to gain access to health information that is stored at any HIPAA “covered entity”, investigators must provide the covered entity with written assurances describing how the health information will be used and protected.

A covered entity may use or disclose protected health information for research, regardless of the source of funding of the research, provided that investigators’ requests for health information receive prior approval through a Privacy Board or the University of Illinois Urbana-Champaign Institutional Review Board. Information about designated covered entities affiliated with the UIUC IRB is available on the OPRS website.

For studies that have been issued a Certificate of Confidentiality, investigators should follow the guidance provided in the Research Guidance Document: Certificates of Confidentiality available on the OPRS website.


1. Procedures for Review

1.1. Upon review of the investigator’s submission, the UIUC IRB determines whether the investigator’s proposal for protection the privacy and confidentiality of research participants is adequate. The determination is documented in the reviewer checklist.

1.2. For research subject to the HIPPA Privacy Rule, investigators may request that the use of protected health information for research. The UIUC IRB may approve the investigator’s proposal to obtain HIPAA Authorization from individuals to use their protected health information (PHI). Generally, HIPAA Authorization is obtained in conjunction with Informed Consent but may be separate.

If HIPAA Authorization is not obtained from individuals, the investigator must obtain approval for one of the following:

  • Alteration of (HIPAA) Authorization
  • Waiver of (HIPAA) Authorization
  • Use of a de-identified Data Set that contains no PHI
  • Use of a Limited Data Set with an effective Data Use Agreement in place, as applicable
  • Research on Decedents’ Information

Investigators submit requests for any of the above by completing the applicable form. The UIUC IRB may grant approval of HIPAA Authorization or any of the other methods for conducting HIPAA-compliant research as described in this policy. The determination of approval is documented in the Reviewer Checklist. If a waiver or alteration of HIPAA Authorization is granted, protocol-specific findings justifying the board’s determination to grant such a waiver or alteration is documented in the Reviewer Checklist. The approved study protocol will include documentation of approved method(s) of accounting for HIPAA compliance.