Researchers requesting either a partial or total waiver of HIPAA Authorization must demonstrate that their research meets the following requirements. A HIPAA waiver is appropriate where the following criteria are met;
- The use or disclosure involves no more than a minimal risk to the privacy of individuals based on at least the presence of
- an adequate plan presented to the IRB or Privacy Board to protect PHI identifiers from improper use and disclosure;
- an adequate plan to destroy those identifiers at the earliest opportunity, consistent with the research, absent a health or research justification for retaining the identifiers or if retention is otherwise required by law; and
- adequate written assurances that the PHI will not be reused or disclosed to any other person or entity except (a) as required by law, (b) for authorized oversight of the research study, or (c) for other research for which the use or disclosure of the PHI is permitted by the Privacy Rule;
- The research could not practicably be conducted without the requested waiver or alteration; and,
- The research could not practicably be conducted without access to and use of the PHI.
Finally, HIPAA provides for several exceptions to the Authorization/Waiver requirement for the use of protected health information, including activities “preparatory to research,” research solely on decedents, “limited data sets,” and where research permissions are “grandfathered” by the transition provisions of the Privacy Rule. Please note that specific criteria need to be met under HIPAA for these exceptions to apply. Please contact Research Compliance Services for more information.
