Guidance

Waiver or Alteration of HIPAA Authorization

IRBMED
Sep 21, 2020 3:00 pm
Login to Bookmark  Share

To use and/or disclose Protected Health Information (PHI) for research purposes, the HIPAA Privacy Rule in general requires that researchers obtain signed authorization from the individual. An IRB can grant a Waiver of HIPAA Authorization to permit use and/or disclosure of PHI for research purposes, without obtaining authorization. An IRB may also approve an alteration of the requirements of written HIPAA Authorization provided the research meets the criteria for waiver or alteration (see info below).

Michigan Medicine study teams request waivers and alterations of HIPAA authorization through eResearch Regulatory Management application sections 25-1 (select the box for waiver) and 25-2 (complete the waiver request).

NOTE: If the HIPAA authorization will be obtained electronically, the electronic medium should be HIPAA compliant. For example: SignNow or Qualtrics with signature question.

  • Criteria for Waiver or Alteration

    The following three criteria must be satisfied for an IRB to approve a waiver of authorization under the Privacy Rule:

    1. The use or disclosure of protected health information involves no more than a minimal risk to the privacy of individuals, based on, at least, the presence of the following elements: 

    • an adequate plan to protect the identifiers from improper use and disclosure; 
    • an adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law; and 
    • adequate written assurances that the protected health information will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research project, or for other research for which the use or disclosure of protected health information would be permitted by this subpart;

    2. The research could not practicably be conducted without the waiver or alteration; and

    3. The research could not practicably be conducted without access to and use of the protected health information. 

  • When is this appropriate?

    Waiver

    Waiver of HIPAA Authorization is often appropriate for:

    • identifying eligible potential participants for a clinical trial through medical record review (Part of the project)
    • secondary use research on a large set of medical records (Entire project)

    Waiver for part of a project, or an entire project, can also be appropriate in other situations.

    Research activities that involve PHI should be conducted whenever practicable with patient authorization.

    Alteration

    Any of the HIPAA authorization requirements in 45 CFR 164.508 can be altered (modified or removed) by the IRB.  The most frequent HIPAA alterations accompany a waiver of documentation of informed consent under 45 CFR 46.117(c)(1):

    • Removal of the requirement that the participant signs and dates the HIPAA authorization form
    • Removal of the requirement that the participant receives a copy of the signed, dated form

  • Requesting Waivers and Alterations in eResearch

    Comparison to Informed Consent Regulations under Common Rule

    A Waiver of HIPAA Authorization is similar to waiver of informed consent under OHRP (Common Rule) or FDA regulations, but the regulatory criteria are not identical.

    Informed consent processes and HIPAA authorization processes should be compatible in any study that

    • Is subject to IRB oversight, and
    • Involves PHI

    Examples:

    Consent process

    		 HIPAA authorization How
    Waiver of informed consent for "ALL of the study" Waiver of HIPAA authorization for "Entire project" Request consent waiver in Sec 10-3
    Request HIPAA waiver in Sec 25-2
    Waiver of informed consent for "part of the study” Waiver of HIPAA authorization for specific purpose chosen in 25-2.1

    Request consent waiver in Sec 10-3

    Request HIPAA waiver in Sec 25-2
    Signed (or, Written) informed consent Signed HIPAA authorization IRBMED Informed consent templates incorporate HIPAA authorization
    Waiver of documentation of informed consent Alteration of HIPAA authorization to remove the documentation requirement

    Request Documentation waiver in Section 10-4

    Enter ”HIPAA alteration” as the type in question 25-2.1 and fill out the rest of Sec 25-2.

     

  • See Also
Units: Institutional Review Boards (IRBMED)
Topic: HIPAA & Protected Health Information
Questions?

Contact us at [email protected] or 734-763-4768 / (Fax 734-763-1234)
2800 Plymouth Road, Building 520, Room 3214, Ann Arbor, MI 48109-2800

A list of IRBMED staff is available in the Personnel Directory, or view the list of Regulatory Teams.

Edited By: [email protected]
Last Updated: September 21, 2020 3:00 pm

Related Documents

HIPAAProtected Health Information (PHI)Uses & Disclosures of Protected Health Information (PHI)Informed Consent Procedures Using Electronic Systems and Remote Use of Paper Documents