Institutional Review Board Manual
HIPAA and Research
Criteria for and Requesting Waivers
Without the Written Authorization Disclosure/Use
The third condition under which a covered entity may approve the use/disclosure of data/ information is by waiver of the Authorization requirement.
Criteria for Waiver
Documentation of the waiver must include a statement that the Intstitutional Review Board (IRB) has determined that the waiver, in whole or in part, satisfies the following criteria:
- The use or disclosure of the Protected Health Information (PHI) involves no more than minimal risk to the privacy of individuals based on, at least, the presence of the following elements:
- An adequate plan to protect health information identifiers from improper use and disclosure.
- An adequate plan to destroy identifiers at the earliest opportunity consistent with conduct of the research (absent a health or research justification for retaining them or a legal requirement to do so).
- Adequate written assurances that the PHI will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research study, or for other research for which the use or disclosure of the PHI would be permitted under the Privacy Rule.
- The research could not practicably be conducted without the waiver or alteration.
- The research could not practicably be conducted without access to, and use of, the PHI.
To Request a waiver of authorization from the IRB the researcher MUST:
- Provide a brief description of the PHI to be used.
- Use the following methods to ensure minimal risk to privacy of individuals:
- Describe an adequate plan to protect the identifiers from improper use or disclosure.
- Describe an adequate plan to destroy the identifiers at the earliest opportunity consistent with the conduct of research, unless there is a health or research justification for retaining the identifiers or retentions is required by law.
- Assure the IRB in writing that the PHI will not be re-used or disclosed to any other person or entity, except as required by law, for authorized oversight of the research project, or for other research as permitted by the HIPAA regulations.
Researchers may submit the above information by completing the Request for a Waiver or an Alteration of Individual Alteration.
Activities Preparatory to Research
A covered entity may approve the use/disclosure of data/information without an Authorization or waiver as “preparatory to research,” such as to aid study recruitment. However, the provision does not permit the researcher to remove protected health information from the covered entity's site. As such, a researcher who is an employee of SCDMH could use protected health information to contact prospective research subjects. The preparatory research provision would allow such a researcher to identify prospective research participants for purposes of seeking their Authorization to use or disclose protected health information for a research study.
For recruitment purposes, the researcher cannot contact potential research subjects if they do not have a direct treatment relationship with those subjects. If the researcher does not have a direct treatment relationship with the subjects, they must approach the subjects through someone who does have a direct treatment relationship with the subjects. The outside researcher could obtain contact information through a partial waiver of individual authorization by an IRB.