[author: Jennifer Kirchner*]
The HIPAA Privacy Rule sets forth provisions related to the waiver or alteration of authorization in relation to clinical research studies for circumstances in which it would be impractical or impossible to obtain authorization from a potential participant in the study. In many cases, a waiver or alteration of HIPAA authorization is sought for secondary use research using medical records, where authorization is impossible to obtain because the data being reviewed relates to patients who would be difficult or impracticable to contact.
Under the HIPAA Privacy Rule, an institutional review board (IRB) or privacy board must approve a waiver or alteration of authorization. Specifically, the following must be documented:
-
Identification of the IRB or privacy board and the date of approval of the alteration or waiver of authorization;
-
A determination by the IRB or privacy board that the alteration or waiver of authorization, in whole or in part, satisfies the three criteria in the rule (outlined below);
-
A brief description of the protected health information (PHI) which the IRB or privacy board has approved use or access to through the waiver or alteration;
-
“A statement that the alteration or waiver of authorization has been reviewed and approved under either normal or expedited review procedures”; and
-
The signature of the chair or another member designated by the chair of the IRB or the privacy board.[1]
As noted, three criteria must be fulfilled for the IRB or privacy board to approve the waiver or alteration of authorization:
-
The use or disclosure of PHI must involve no more than minimal risk to the privacy of individuals based on:
-
“An adequate plan to protect the identifiers from improper use and disclosure;
-
“An adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law; and
-
“Adequate written assurances that the protected health information will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research study, or for other research for which the use or disclosure of protected health information would be permitted by this subpart;
-
“The research could not practicably be conducted without the waiver or alteration; and
-
“The research could not practicably be conducted without access to and use of the protected health information.”[2]
Documentation must reflect that all three criteria are fulfilled for a waiver or alteration of authorization to meet the regulatory requirements.
HIPAA also offers an exception to the authorization process where a researcher is seeking to use PHI for purposes preparatory to research.[3] The Privacy Rule provision allows covered entities to use or disclose PHI for purposes preparatory to research, such as to aid study recruitment by identifying potential participants, to assist in development of a research hypothesis, or to help with preparation of a protocol. To fulfill the exception, a researcher must make representations that:
-
“Use or disclosure is sought solely to review protected health information as necessary to prepare a research protocol or for similar purposes preparatory to research;
-
“No protected health information is to be removed from the covered entity by the researcher in the course of the review; and
-
“The protected health information for which use or access is sought is necessary for the research purposes.”[4]
In terms of the requirement that PHI not be removed from the covered entity’s site, the U.S. Department of Health and Human Services (HHS) has clarified in guidance that this does not prohibit research personnel from accessing PHI remotely. Specifically, HHS has stated in guidance issued in relation to the 21st Century Cures Act that “remote access connectivity (i.e., out-of-office computer access achieved through secure connections with access controls and authentication)” is not necessarily a removal of PHI.[5] However, HHS notes that “the printing, downloading (with a limited exception), copying, saving, data scraping, or faxing of such PHI, or any other means by which a researcher outside the covered entity might control or retain the PHI,” are prohibited because they would constitute a removal of PHI.[6] For any study relying on the preparatory to research exception, covered entities should ensure that its researchers and personnel understand the parameters within which data can be accessed and used without constituting a removal.
Waiver of authorization vs. alteration of authorization
While the Privacy Rule lumps a waiver and alteration together when discussing requirements related to each, it is important to note the distinction between them. An alteration of an authorization occurs when some elements of an authorization are removed, while a waiver eliminates an authorization. For example, National Institutes of Health (NIH) guidance states, “an IRB may alter the Authorization to remove the element that describes each purpose of the requested use or disclosure where, for example, the identification of the specific research study would affect the results of the study.”[7] An alteration may also be used instead of a waiver where the patient is able to consent to the authorization, but is not present to sign an authorization, such as through a phone screening for study recruitment.
Alterations to HIPAA authorizations must be approved by the IRB or privacy board through an evaluation of the same requirements as a waiver, as set forth at 45 C.F.R. § 164.512(i)(2)(ii). When seeking to remove some elements of an authorization, it is vital to ensure that the IRB or privacy board completes the same minimum risk analysis necessary when seeking a waiver of authorization.
Partial waiver vs. full waiver
A partial waiver may be sought where a researcher seeks to identify participants for a clinical study through a review of medical records; however, once potential participants are identified, authorization will be obtained for enrollment in the study. A full waiver is appropriate if “it would be impracticable to conduct the research if Authorization were required,” such as a study using PHI for many individuals whose contact information is unknown or where many of the involved individuals are deceased.[8]
Preparatory to research exception
If a researcher is a workforce member of the covered entity and is using PHI to identify prospective research subjects, a waiver of authorization does not need to be obtained, and the researcher may rely on the preparatory to research exception. The same researcher may also contact prospective subjects if that researcher is a member of the covered entity’s workforce, as part of the covered entity’s healthcare operations, to secure authorization from the prospective subject.[9] However, the preparatory to research exception does not permit actual patient recruitment beyond the initial contact with a potential subject. As with the waiver process, once the researcher has established contact with the potential participant, authorization from the participant must be sought before any further use or disclosure of PHI is allowed beyond contact for recruitment purposes.
It is essential to note that the preparatory to research exception does not allow researchers who are not part of the covered entity to contact prospective research subjects. Rather, the researcher would be required to seek a waiver of authorization. Alternatively, the covered entity could contract with a business associate to contact individuals on the covered entity’s behalf. Additionally, an investigator may not record or otherwise document PHI or other identifiable private information without first obtaining authorization from the research subject or a waiver of authorization from the IRB or privacy board.
Where the preparatory to research exception is relied upon, the researcher’s representations must be documented, stating that the PHI to be accessed is necessary for the research purposes and sought solely as needed to prepare a research protocol or similar purposes. Representations should also be documented, attesting that no PHI will be removed from the covered entity by the researcher during the review, including details regarding how any remote access to the data will be safeguarded through proper controls.
Waiver of authorization vs. waiver of informed consent
Although the requirements are similar, it is critical to note that a waiver of authorization differs from a waiver of informed consent. Requirements related to waivers of authorization are set forth under the HIPAA Privacy Rule; however, requirements related to waivers of informed consent are set forth under the Federal Policy for the Protection of Human Subjects (the Common Rule) and guidance issued by the Food and Drug Administration (FDA). The regulatory analysis for ensuring that a waiver of HIPAA authorization meets regulatory requirements under HIPAA must be conducted separately from the regulatory analysis for ensuring that a waiver of informed consent meets regulatory requirements under the Common Rule and/or FDA requirements.
Practical tips
Although the steps above describe circumstances under which obtaining a waiver or alteration of HIPAA authorization is appropriate, authorization should be obtained whenever practicable. If a potential participant has been contacted for recruitment into a study, the individual should be asked to complete an authorization once the individual has agreed to continue to participate. As a good rule of thumb, once contact with a potential participant is made, a waiver or alteration is no longer necessary, and the individual should be asked to sign an authorization.
Additionally, to minimize the PHI being accessed, data custodians should make efforts to de-identify information or present a limited data set to research teams where practical. Requests for a waiver or alteration of HIPAA authorization should be reserved for circumstances that align with the regulatory requirement, i.e., where the research cannot practicably be conducted without access to PHI and the waiver or alteration.
In those situations where a waiver or alteration is necessary, compliance teams can take some steps to ensure that the process is streamlined for the IRB or privacy board’s approval:
-
When determining whether a waiver is necessary, first ask whether the PHI is being used by a researcher who is a workforce member of the covered entity to review medical records for preparing a research protocol or for recruiting individuals for the study. If this is the case, the preparatory to research exception applies, and a waiver is not necessary.
-
Ensure that the IRB or privacy board is informed about what is being sought: a full waiver, partial waiver, alteration of authorization, or approval of using PHI for purposes preparatory to research.
-
Separate templates should be created outlining the necessary requirements for what the researcher is seeking. The templates can also help the research team members plan which waiver/alteration is most acceptable depending on their situation.
Conclusion
Researchers and their teams should ensure that they use the proper process when seeking to modify or waive HIPAA authorization requirements. While the regulations do not specify distinctions between partial and full waivers versus alterations to waivers, the analyses are the same. However, the researcher should be clear as to what is being sought and must fully document the request and evidence that the regulatory requirements are met for the IRB or privacy board. When recruiting individuals for a study or preparing a research protocol, researchers may rely on the preparatory to research exception when they are a workforce member of the covered entity holding the medical records. To ensure compliance with the rules and help avoid confusion, templates may be developed outlining the requirements for requests to access PHI for full waivers, partial waivers, alterations of authorization, or purposes preparatory to research.
Takeaways
-
A partial waiver is used to identify participants for a study where authorization will later be obtained.
-
A full waiver is used where authorization is impracticable or impossible for the duration of the study.
-
A waiver of authorization eliminates the need for HIPAA authorization, while an alteration involves changing an authorization form.
-
The preparatory to research exception requires documented representations by the researcher related to the use of PHI, which the institutional review board or privacy board must approve.
-
Authorization should be obtained from a participant if contact is made with the individual and the individual wants to continue participating in the study.
*Jennifer Kirchner is Senior Consultant at Strategic Management Services LLC in Alexandria, VA.
1 45 C.F.R. §164.512(i)(2)(ii).
2 45 C.F.R. §164.512(i)(2)(ii)(A).
3 45 C.F.R. §164.512(i)(2).
4 45 C.F.R. §164.512(i)(2).
5 U.S. Department of Health and Human Services, Office for Civil Rights, “21st Century Cures Act Guidance: Remote Access to PHI for Activities Preparatory to Research,” accessed November 9, 2023, https://www.hhs.gov/sites/default/files/remote-access-research-12-15-17.pdf.
6 U.S. Department of Health and Human Services, Office for Civil Rights, “21st Century Cures Act Guidance: Remote Access to PHI for Activities Preparatory to Research.”
7 National Institutes of Health, “Institutional Review Boards and the HIPAA Privacy Rule,” accessed November 9, 2023, https://privacyruleandresearch.nih.gov/irbandprivacyrule.asp.
8 National Institutes of Health, “Institutional Review Boards and the HIPAA Privacy Rule.”
9 National Institutes of Health, “Clinical Research and the HIPAA Privacy Rule,” accessed November 9, 2023. https://privacyruleandresearch.nih.gov/clin_research.asp#:~:text=Contacting%20Research%20Participants,not%20contact%2C%20potential%20study%20participants.
[View source.]
