Issues Raised by Unauthorized Access
These standards recognize that there are situations where the individual's right to control his/her PHI is overridden by society's need for the that individual's PHI for research that will benefit others. In theory, these exceptions should be as narrow as possible, and the information should be carefully protected from further disclosure. The identifiers should be destroyed as soon as they are no longer needed, absent specific reasons to retain them. There are two problems with these standards which raise troubling questions. First, there is no review of the underlying importance of the research being done. There is no balancing between the value of the research and the individual's privacy: any research can qualify for a waiver or modification of the authorization requirements, without regard to its merits. Second, the IRB or Privacy Board does not review the actual authorization that will be used. It is only required to decide whether a waiver or modification is allowable, but it is the researchers who get to decide what the form will look like. Since this provision does not prohibit IRBs or Privacy Boards from reviewing these modified forms, it is anticipated that they will get some review to assure that they really meet the representations made to the IRB or Privacy Board.