The HIPAA Privacy Rule (45 CFR 160, 164) generally requires researchers to obtain the permission of research subjects to use their protected health information (PHI) for research purposes. This permission is referred to as an authorization. A research authorization is a document signed and dated by a subject/participant that satisfies the requirements of the Privacy Rule and grants permission for the researcher to use and disclose the subject/participant’s PHI to perform a research protocol. A research authorization is the preferred method under the Privacy Rule for researchers to obtain permission to use PHI. The use of a research authorization is intended to involve a consent process.

An IRB, under certain circumstances, may allow researchers to forgo obtaining an authorization; this is called a waiver of authorization. A waiver of authorization may be full or partial:

• full waiver: an IRB waives the requirement for authorization for all uses of PHI for a particular research protocol;
• partial waiver: an IRB waives the requirement for an authorization only for some uses of PHI for a particular research protocol.

In certain cases, the IRB may require the researcher to obtain permission from subjects for use of their PHI, but may allow the researcher to omit some of the required elements of an authorization. This exception is called an altered authorization and is a type of waiver. For example, an IRB may determine that the signature of a research subject is not required on the authorization when the researcher conducts survey or questionnaire research.

WHEN?

Generally, an IRB cannot grant a waiver of authorization for the use of PHI in a research study that requires the informed consent of individual subjects, or in a study that involves more than minimal risk to subjects. Examples of studies that involve more than minimal risk are those that involve interventions, such as administration of a drug, or require the subject to perform tasks.

An IRB can waive an authorization only if it makes all of the following determinations:

1. the researcher has sufficiently justified that the risk to the subjects’ privacy is minimal by having adequate plans to protect the PHI from inappropriate use, and justification for retaining the PHI or plans to destroy the identifiers;
2. the researcher has given assurances (in the Application for Waiver of Authorization or Altered Authorization form) about not reusing or disclosing the PHI;
3. the research cannot be practicably conducted without use of the PHI;
4. the research cannot be practicably conducted without the waiver or alteration; and
5. the researcher will use only the minimum amount of PHI needed for the research.

If you are applying for a waiver, please refer to the detailed discussion of factors needed for IRB waiver determinations.

HOW?

Fill out an application for Waiver of Authorization in conjunction with an application for IRB review for initial review, an exemption, or a change of protocol. The research use of PHI cannot commence until IRB approval has been obtained for a Waiver or Altered Authorization.