HIPAA Research Issues
Authorization / Waiver of Authorization
HIPAA Privacy Standards
- Health Insurance Portability and Accountability Act, Standards for Privacy of Individually Identifiable Health Information
- 45 CFR 160 and 45 CFR 164
- Final rule published 12/11/23
- Compliance date 4/14/03
Protected Health Information
- Maintained by covered entity
- Recorded in any medium
- Relates to past, present, future
  - physical or mental health or condition
  - provision of health care
  - payment for provision of health care
- Identifies individual or could reasonably be used to identify the individual
Covered Entity
- Health care providers who transmit health information electronically
- Health plans
- Health care clearinghouses
- University of Iowa - hybrid entity
Hybrid Entity
- Single legal entity with covered and non-covered functions
- Limits HIPAA liability for institution
- Typical covered components include:
  - Academic medical center, student health
- Not covered components include:
  - College of law, history department
Covered Entity Use of PHI
- Covered entity may use or disclose PHI for treatment, payment, or operations (TPO)
- Privacy Notice to patients
- Covered entity may not use or disclose PHI for any other reason except as permitted in the regulations
Research Use of PHI
- Research is not TPO
- Covered entity may not use or disclose PHI for research except as permitted in the regulations
- What is "except as permitted"?
  - Signed authorization from patient
  - Waiver of authorization
Signed Authorization
- Authorization may be combined with research Informed Consent Document
- One signature – two purposes
  - Authorizing covered entity to disclose PHI to the research team
  - Documenting voluntary participation in a research study
Core Elements
- Description of PHI to be used/disclosed
  - Meaningful info in study procedures
- Who is authorized to disclose
  - Your health care provider
- Who covered entity is disclosing to
  - Members of the research team
- Purpose for the disclosure
  - This research study
- Expiration date or event
  - Indefinitely for purposes of research
- Signature, date, and, if signed by LAR, relationship to individual
Additional Statements
- Consequences of refusal to sign the authorization
- Potential for the disclosed information to be redisclosed by recipient, and no longer protected by HIPAA regs
- Right to revoke the authorization
  - How to revoke (in writing, to whom) and exceptions
Revoking Authorization
- May use/disclose already-obtained PHI to extent necessary to “preserve the integrity of the research study”
  - Submit SAE report to IRB
  - Send data to sponsor
- May not collect or disclose additional data after authorization is revoked
Other Requirements
- Authorization must be written in plain language
- PI must give subject copy of the signed authorization
  - Xerox what was signed
  - Sign two copies
Transition Provisions
- If subject signed Consent prior to 4/14/03, no requirement to re-sign Consent containing HIPAA authorization
- If study was approved with waiver of consent prior to 4/14/03, study is “grandfathered in”
- If study includes PHI, any subject enrolled after 4/14/03 must use Consent that includes HIPAA authorization language
IRB Requirements
- Must update Consent with HIPAA section (“Will My Health Information be Used During This Study?”) by 4/14/03 by submitting Modification/Update
- Must include new Funding section also
- IRB will not automatically require other updates (but may!)
- Consider updating entire Consent to new template
What’s Next
- New Project application form revisions
- Specific questions for documenting “waiver of authorization”
- Types of studies
- Retrospective chart review
- Retrospective specimen studies
Waiver of Authorization
- Separate waiver from 45 CFR 46 waiver of consent regulations
- Must be approved by IRB or privacy board
- Minimum necessary requirement applies
Minimum Necessary Requirement
- Research with waiver of authorization subject to minimum necessary requirement
- Only the PHI reasonably necessary for purpose of the research may be accessed
- IRB application form will ask PI for specifics on what information is needed
Waiver of Authorization Criteria
- Research could not practicably be conducted without the waiver
- Research could not practicably be conducted without access to PHI
- Use/disclosure of PHI involves no more than minimal risk to privacy, based on:
  - PI has adequate plan to protect identifiers from improper use/disclosure
  - PI has adequate plan to destroy identifiers at earliest opportunity
  - PI gives adequate written assurance that PHI will not be disclosed to others