Health Insurance Portability and Accountability Act (HIPAA)
Under HIPAA regulations (45CFR Part 160 and 164), health information about an individual
to be used or disclosed in research requires authorization from the individual prior
to such use or disclosure. This authorization must be in writing, signed by the individual
and a copy of the authorization provided to the individual.
Throughout the following PHI refers to "protected health information".
Written HIPAA Authorizations must meet the following criteria: [45CFR164.508(c)(1)]
- A description of the information to be used or disclosed that identifies the information
in a specific and meaningful fashion.
- The name or other specific identification of the person(s) or class of persons authorized
to make the requested use or disclosure.
- The name or other specific identification of the person(s), or class of persons, to
whom the covered entity may make the requested use or disclosure.
- A description of each purpose of the requested use or disclosure.
- An expiration date or an expiration event that relates to the individual or the purpose
of the use or disclosure.
- Signature of the individual and date. If the authorization is signed by a personal
representative of the individual, a description of such representative's authority
to act for the individual must also be provided.
The authorization must contain these required statements: [45CFR164.508(c)(2)]
- The individual's right to revoke his/her authorization in writing and either (1) the
exceptions to the right to revoke and a description of how the individual may revoke
authorization or (2) reference to the corresponding sections(s) of the covered entity's
Notice of Privacy Practices.
- Notice of the covered entity's ability or inability to condition treatment, payment,
enrollment, or eligibility for benefits on the authorization, including research related
treatment, and if applicable, consequences of refusing to sign the authorization.
- The potential for the PHI to be re-disclosed by the recipient and no longer protected
by the Privacy Rule. This statement does not require an analysis of risk for re-disclosure,
but may be a general statement that the Privacy Rule may no longer protect health
information.
Waiver of HIPAA Authorization
The written authorization requirement may be waived under one of the following conditions:
- The researcher must have IRB Approval for the waiver of authorization. [45CFR164.512(i)(1)(i)]
— See approval criteria below .
- The collection of the PHI is solely to prepare a research protocol and that the researcher
will not remove any PHI from the health care entity and the PHI is necessary for the
research purpose. [45CFR164.512(i)(1)(ii)]
- The use or disclosure being sought is solely for research on the PHI of decedents,
that the PHI being sought is necessary for research. [45CFR164-512(i)(1)(iii)]
- The researcher has entered into a Data Use Agreement with the health care entity.
[45CFR164.514(e)]
In order for an IRB to waive the HIPAA authorization requirement, all three of the
following criteria must be satisfied:
- The use or disclosure of PHI involves no more than minimal risk to the privacy of
individuals, based on at least the presence of the following elements:
- An adequate plan to protect the identifiers from improper use and disclosure, AND
- An adequate plan to destroy the identifiers at the earliest opportunity consistent
with conduct of the research, unless there is a health or research justification for
retaining the identifiers or such retention is otherwise required by law; AND
- Adequate written assurances that the PHI will not be used or disclosed to any other
person or entity, except as required by law, for authorized oversight of the research
project, or for other research for which the use or disclosure of PHI would be permitted
- The research could not practicably be conducted without the waiver or alteration,
AND
- The research could not practicably be conducted without access to and use of the PHI.
Forms
Helpful Links
