Skip Navigation

Can researchers continue to access existing databanks or repositories that are maintained by covered entities, even if those databases were created prior to the compliance date without patient permission or without a waiver of informed consent by an Institutional Review Board (IRB)?


Yes. Under the HIPAA Privacy Rule, covered entities may use or disclose protected health information from existing databases or repositories for research purposes either with individual authorization as required at 45 CFR 164.508, or with a waiver of individual authorization as permitted at 45 CFR 164.512(i). 

See the fact sheet and frequently asked questions about the research provisions on this web site for more information about Institutional Review Boards.


Date Created: 12/20/2002
Last Updated: 03/14/2006