As an institution of higher education conducting health care research, KHSC-KansasCOM utilizes a Privacy Board in conjunction with its IRB process. The Privacy Board helps ensure that any KHSC-KansasCOM researchers access, receive, and use individually identifiable health information in Research in accordance with applicable privacy laws and regulations.


Federal privacy regulations (the “Privacy Rule”) are set forth under the Health Insurance Portability and Accountability Act, as amended by the Health Information Technology for Economic and Clinical Health Act (collectively, “HIPAA”). The Privacy Rule applies to covered entities, which include health care providers that engage in certain standard administrative and financial HIPAA transactions electronically (e.g., submitting a claim for payment to a health plan). The Privacy Rule articulates the conditions under which researchers may access and utilize Protected Health Information (“PHI”) in order to carry out Research activities.


KHSC-KansasCOM researchers are not subject to the Privacy Rule. However, other health care providers and institutions from whom KHSC-KansasCOM may receive individually identifiable health information may be subject to the Privacy Rule. As a result, KHSC-KansasCOM researchers will need to make sure that any request for, access to, or receipt of, individually identifiable health information from third parties is consistent with the Privacy Rule.


As part the IRB review process the IRB analyst/research officer will evaluate your materials and forward appropriate materials to the Privacy Board for review, prior to review by the IRB.


Tips for Ensuring a Smooth Privacy Board Review 

If any Research study or activity involves access to, receipt of, or request for, PHI from a Covered Entity, the researcher must include a copy of the research protocol and specify whether the researcher is relying on a HIPAA Authorization or seeking a waiver or alteration of the HIPAA Authorization requirement from the Privacy Board.


  • If relying on a HIPAA Authorization for access to or receipt of PHI, the researcher should include a copy of the HIPAA Authorization form to be used.  
  • If requesting a waiver or alteration of the HIPAA Authorization requirement, the researcher should provide information regarding the following: 
    • How the researcher plans to protect the PHI from improper use or disclosure; 
    • How and when the researcher plans to destroy the identifiers; 
    • Written assurances that the PHI will not be reused or disclosed to any other person or entity, except where required by law or for other approved Research;  
    • Whether the research could be conducted without the waiver or alteration and, if not, why not; 
    • Whether the research could be conducted without access to and use of PHI and, if not, why not;  
    • A description of the PHI for which use or access is sought; and 
    • If an alteration of the Authorization requirement is sought, the type of alteration requested and the reason why such is necessary. 
    • Research Activities that involve only information that has been fully de-identified in accordance with HIPAA do not require Privacy Board review. Where the researcher will be de-identifying the PHI (rather than just accessing or receiving de-identified information), Privacy Board review and approval is required. 
  • Research activities that involve only a Limited Data Set do not require Privacy Board review where a HIPAA-compliant Data Use Agreement is in place. 
  • If the researcher will access PHI on-site or remotely at the Covered Entity for purposes of reviews preparatory to Research (e.g., to identify potential Research participants, to prepare a Research protocol), but will not copy, download, or remove any PHI from the Covered Entity, no Privacy Board review is required. If PHI will be copied, downloaded, or removed from the Covered Entity in connection with a review preparatory to Research or for Research recruitment purposes, Privacy Board approval and a HIPAA Authorization or a Privacy Board waiver of Authorization is required. 

Questions 

For any questions regarding your proposed research, please contact Dr. David Shubert, IRB Chair or Dr. Duane Brandau​, Director of Research and Scholarly Activity.