HIPAA allows IRBs, or a special privacy board (which is like an IRB that
deals only with HIPAA), to modify the authorization requirements, consistent
with the other protections on human subjects research. Decisions to waive or
modify the authorization must meet these standards:
Documentation of the waiver or alteration of Authorization must include a
statement identifying the IRB or Privacy Board that made the approval and
the date of approval. Among other things, the documentation must also
include statements that the IRB or Privacy Board has determined that the
waiver or alteration of Authorization, in whole or in part, satisfies the
following criteria:
- The use or disclosure of the PHI involves no more than minimal risk
  to the privacy of individuals based on, at least, the presence of the
  following elements:
  - An adequate plan to protect health information identifiers from
    improper use and disclosure.
  - An adequate plan to destroy identifiers at the earliest opportunity
    consistent with conduct of the research (absent a health or
    research justification for retaining them or a legal requirement to
    do so).
  - Adequate written assurances that the PHI will not be reused or
    disclosed to (shared with) any other person or entity, except as
    required by law, for authorized oversight of the research study, or
    for other research for which the use or disclosure of the PHI
    would be permitted under the Privacy Rule.
- The research could not practicably be conducted without the waiver
  or alteration.
- The research could not practicably be conducted without access to
  and use of the PHI.
The Privacy Rule does not require an IRB or Privacy Board to review the
form or content of the Authorization a researcher or covered entity intends
to use, or the proposed uses and disclosures of PHI made according to an
Authorization. Under the Privacy Rule, an IRB or Privacy Board need only
review requests to waive or alter the Authorization requirement.
[HIPAA Research at 17.]