Washington State University

HRPP policies & procedures manual

1000: HIPAA waivers, authorization, decedents, and review preparatory to research

1. Purpose

To define the HIPAA requirements and the procedures necessary to conduct full-board review and expedited review of HIPAA waivers of authorization and authorizations for use and disclosure of protected health information (PHI) for research.

2. Policy

Researchers should be aware of the Privacy Rule because it establishes the conditions under which covered entities can use or disclose PHI for many purposes, including for research. Although not all researchers will have to comply with the Privacy Rule, the manner in which the Rule protects PHI could affect certain aspects of research.

Applications must include Addendum 7 when the study will be accessing PHI. In order to render PHI anonymous, all 18 identifiers must be removed. Contact the IRB coordinator for more information.

3. Specific policies

3.1 Full/partial waivers of authorization, reviews of PHI of decedents and reviews preparatory to research

Full waiver

Covered entities may use and disclose identifiable health information for research without an authorization from the individual if the researcher has a waiver issued by an Institutional Review Board (IRB) or a privacy board. Before the IRB can issue a waiver of authorization, it must determine that all of the following criteria are met:

  1. The use or disclosure of the PHI involves no more than minimal risk to the individuals, based on the following elements:
     • An adequate plan to protect identifiers from improper use and disclosure,
     • An adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research (unless there is a health or research justification for retaining the identifiers, or such retention is otherwise required by law), and
     • Adequate written assurances that the PHI will not be reused or re-disclosed to any other person or entity, except as required by law, for authorized oversight of the research project, or for other research for which the use or disclosure of PHI would be permitted by HIPAA.
  2. The research could not be practicably conducted without access to and use of the PHI; and
  3. The research could not practicably be conducted without the waiver.

Partial waiver

A partial waiver of the individual’s authorization may be used for recruitment purposes if the IRB determines that the treating physician’s direct approach to the individual or obtaining the individual’s prior authorization is impracticable. The request for waiver of authorization may include:

  • A partial waiver of authorization for treatment personnel to refer individuals to the researcher or share PHI with the researcher without first speaking to the individual about the referral.
  • A partial waiver of authorization for the researcher to look at medical records, schedules, patient lists, etc., and then contact potential subjects.

PHI of decedents

Investigators wishing to use the PHI of subjects who are deceased must certify that:

  • The PHI sought is only that of decedents,
  • Documentation of the death of each individual may be provided if asked to do so, and
  • The PHI is necessary to the research purposes.

Reviews preparatory to research

The investigator submits to the IRB/privacy board:

  1. The PHI is requested solely to review PHI as necessary to prepare a research protocol,
  2. The PHI will not be removed from the covered entity during the course of review, and
  3. The PHI sought is necessary for the research.

3.2 Review of full and partial waivers at covered entities

Full/partial waivers, PHI of decedents and review preparatory to research will be reviewed by the privacy officer of the covered entity. The privacy officer will make a recommendation that the IRB either approve or disapprove the waiver, or the request for review preparatory to research. The IRB will review the waiver or request along with the privacy officer’s recommendation and will vote on a final ruling.

3.3 Authorizations

HIPAA authorizations must be obtained by the investigator for prospective use or disclosure of PHI within a covered entity.

3.4 IRB review and approval

The IRB reviews HIPAA authorizations for all research requests and follows all policies and procedures regulating Institutional Review Boards.

There will be two types of review of HIPAA-related research requests:

  • Full-board review, where the entire IRB/privacy board reviews full/partial waiver, PHI of decedents, and review preparatory to research.
  • Expedited review, where the chairperson or designee reviews the full/partial waiver, PHI of decedents, and review preparatory to research.

3.5 Documentation and correspondence

  • IRB actions will be recorded in the meeting minutes.
  • Expedited reviews of full and partial waivers of authorization will be documented on the reviewer checklists and will be reported to the IRB.
  • Documentation of approval will be sent to the Investigator as per notification policies.

4. Applicable regulations and guidelines

45 CFR 164.512 (i)

RCW 70.02 Washington State Health Care Information Access and Disclosure

5. Forms

Addendum 7: HIPAA Authorization Form and Appendix A

RCW 70.02 Washington State Health Care Information Access and Disclosure

6. Procedures employed to implement this policy & assignment of responsibility

| Who | Task |
| --- | --- |
| IRB coordinator | Review expedited HIPAA research-related requests. Notify principal investigator of committee decision. |
| IRB members | Review HIPAA research-related requests. |