HIPAA Research Issues

Authorization / Waiver of Authorization


HIPAA Privacy Standards

  • Health Insurance Portability and Accountability Act, Standards for Privacy of Individually Identifiable Health Information
  • 45 CFR 160 and 45 CFR 164
  • Final rule published 12/11/23
  • Compliance date 4/14/03

Protected Health Information

  • Maintained by covered entity
  • Recorded in any medium
  • Relates to past, present, future
    • physical or mental health or condition
    • provision of health care
    • payment for provision of health care
  • Identifies individual or could reasonably be used to identify the individual

Covered Entity

  • Health care providers who transmit health information electronically
  • Health plans
  • Health care clearinghouses
  • University of Iowa - hybrid entity

Hybrid Entity

  • Single legal entity with covered and non-covered functions
  • Limits HIPAA liability for institution
  • Typical covered components include:
    • Academic medical center, student health
  • Not covered components include:
    • College of law, history department

Covered Entity Use of PHI

  • Covered entity may use or disclose PHI for treatment, payment, or operations (TPO)
  • Privacy Notice to patients
  • Covered entity may not use or disclose PHI for any other reason except as permitted in the regulations

Research Use of PHI

  • Research is not TPO
  • Covered entity may not use or disclose PHI for research except as permitted in the regulations
  • What is “except as permitted”?
    • Signed authorization from patient
    • Waiver of authorization

Signed Authorization

  • Authorization may be combined with research Informed Consent Document
  • One signature – two purposes
    1. Authorizing covered entity to disclose PHI to the research team
    2. Documenting voluntary participation in a research study

Core Elements

  • Description of PHI to be used/disclosed
    • Meaningful info in study procedures
  • Who is authorized to disclose
    • Your health care provider
  • Who covered entity is disclosing to
    • Members of the research team
  • Purpose for the disclosure
    • This research study
  • Expiration date or event
    • Indefinitely for purposes of research
  • Signature, date, and, if signed by LAR, relationship to individual

Additional Statements

  • Consequences of refusal to sign the authorization
  • Potential for the disclosed information to be redisclosed by recipient, and no longer protected by HIPAA regs
  • Right to revoke the authorization
  • How to revoke (in writing, to whom) and exceptions

Revoking Authorization

  • May use/disclose already-obtained PHI to extent necessary to “preserve the integrity of the research study”
    • Submit SAE report to IRB
    • Send data to sponsor
  • May not collect or disclose additional data after authorization is revoked

Other Requirements

  • Authorization must be written in plain language 
  • PI must give subject copy of the signed authorization
    • Xerox what was signed
    • Sign two copies

Transition Provisions

  • If subject signed Consent prior to 4/14/03, no requirement to re-sign Consent containing HIPAA authorization
  • If study was approved with waiver of consent prior to 4/14/03, study is “grandfathered in”
  • If study includes PHI, any subject enrolled after 4/14/03 must use Consent that includes HIPAA authorization language

IRB Requirements

  • Must update Consent with HIPAA section (“Will My Health Information be Used During This Study?”) by 4/14/03 by submitting Modification/Update
  • Must include new Funding section also
  • IRB will not automatically require other updates (but may!)
  • Consider updating entire Consent to new template

What’s Next

  • New Project application form revisions
  • Specific questions for documenting “waiver of authorization”
  • Types of studies
    • Retrospective chart review
    • Retrospective specimen studies

Waiver of Authorization

  • Separate waiver from 45 CFR 46 waiver of consent regulations
  • Must be approved by IRB or privacy board
  • Minimum necessary requirement applies

Minimum Necessary Requirement

  • Research with waiver of authorization subject to minimum necessary requirement
  • Only the PHI reasonably necessary for purpose of the research may be accessed
  • IRB application form will ask PI for specifics on what information is needed

Waiver of Authorization Criteria

  • Research could not practicably be conducted without the waiver
  • Research could not practicably be conducted without access to PHI
  • Use/disclosure of PHI involves no more than minimal risk to privacy, based on:
    • PI has adequate plan to protect identifiers from improper use/disclosure
    • PI has adequate plan to destroy identifiers at earliest opportunity
    • PI gives adequate written assurance that PHI will not be disclosed to others