Does HIPAA apply to my study and what needs to be in a HIPAA authorization?

Published on · Last Updated 2 days 12 hours ago



Requirements for Written Authorization under the HIPAA Privacy Rule

The HIPAA Privacy Rule requires written authorization for use or disclosure of private health information (PHI) for the purposes of research. If no PHI is used (e.g. obtained from the medical record), or research participants do not provide any information related to their past, present or future physical or mental health or condition, provision of health care to them or payments for the provision of health care, HIPAA may not apply to the study. When the Authorization is combined with the consent document, the IRB must review and approve the combined document. When a stand-alone authorization is used, the responsibility falls on the investigator. The IRB's responsibilities related to HIPAA are described in more detail in the IRB's Role in HIPAA.

A valid authorization must contain the six core elements and must include three required statements unless the IRB has approved a waiver or alteration of one or more of these elements. See Waiver or Alteration of HIPAA below for more detail.

The Authorization Core Elements and Required Statements that are mandated by HIPAA are enumerated in 45 CFR 164.508.

Authorization Core Elements - 45 CFR 164.508(c)(1)

  • Description of Private Health Information: (i) Description of PHI to be used or disclosed that identifies the information in a specific and meaningful manner;
  • Who May Use or Disclose PHI: (ii) The name(s) or other specific identification of person(s) or class of persons authorized to make the requested use or disclosure;
  • Person Who May Receive and Use PHI: (iii) The name(s) or other specific identification of the person(s) or class of persons who may use the PHI or to whom the covered entity may make the requested disclosure;
  • Purpose of Each Use or Disclosure: (iv) Description of each purpose of the requested use or disclosure. Researchers should note that this element must be research study specific, not for future unspecified research;
  • Expiration Date: (v) Authorization expiration date or event that relates to the individual or to the purpose of the use or disclosure. The terms "end of the research study" or "none" may be used for research, including for the creation and maintenance of a research database or repository;
  • Signature: (vi) Signature of the individual and date. If the Authorization is signed by an individual's personal representative, a description of the individual's authority to act for the individual.

Authorization Required Statements - 45 CFR 164.508(c)(2)

  • Right to Revoke Authorization: (i) The individual's right to revoke his/her Authorization in writing and either (A) the exceptions to the right to revoke and a description of how the individual may revoke his/her Authorization or (B) reference to the corresponding section(s) of the covered entity's Notice of Privacy Practices.
  • Inability to Condition Treatment: (ii) Notice of the covered entity's ability or inability to condition treatment, payment, enrollment or eligibility for benefits on the Authorization, including research-related treatment, and if applicable, consequences of refusing to sign the Authorization.
  • Potential for Redisclosure: (iii) The potential for the PHI to be re-disclosed by the recipient and no longer protected by the Privacy Rule. This statement does not require an analysis of risk for re-disclosure but may be a general statement that the Privacy Rule may no longer protect health information.

Revoking Authorization

A research subject may revoke his/her Authorization at any time. The IRB has a template HIPAA-Withdrawal of Authorization Letter available for investigators and subjects to complete.

  • The covered entity may continue to use and disclose PHI that was obtained before the individual revoked his/her Authorization.
  • This permits the covered entity and the researchers to protect the integrity of the research.
  • Withdrawal of Authorization stops the collection and use of information in the future but does not mean that the data collected to date must be disposed of.

Electronic Signatures under the HIPAA Privacy Rule

The Standards for Privacy Authorization published in the Federal Register Dec 28, 2000, permit email and electronic signatures.

From page 82518:

Seventh, the authorization must include the individual's signature and the date of the signature. Once we adopt the standards for electronic signature, another of the required administrative simplification standards we are required to adopt under HIPAA, an electronic signature that meets those standards will be sufficient under this rule. We do not require verification of the individual's identity or authentication of the individual's signature.

From page 82660:

Comment - Many commenters requested clarification that covered entities may rely on electronic authorizations, including electronic signatures.

Response - All authorizations must be in writing and signed. We intend e-mail and electronic documents to qualify as written documents. Electronic signatures are sufficient, provided they meet standards to be adopted under HIPAA. In addition, we do not intend to interfere with the application of the Electronic Signature in Global and National Commerce Act.

Electronic Signature Standards

The Electronic Signatures in Global and National Commerce Act (E-SIGN), Public Law 106-229, June 30, 2000, establishes the standards for electronic signatures.

Sec. 106 Definitions:
(5) ELECTRONIC SIGNATURE. - The term "electronic signature" means an electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record.

When HIPAA applies to the research, the subject must provide HIPAA authorization in addition to informed consent. This can be in the form of either:

  • A combined consent/HIPAA authorization, which is a single document that meets the regulatory requirements for research consent and HIPAA; or
  • A consent form and a stand-alone HIPAA authorization form.

The combined consent/HIPAA authorization has the advantage of requiring a single document and requires a subject's signature on only a single document. The disadvantage is that the consent form is longer and is harder to understand.

Using a stand-alone HIPAA Authorization instead of a combined document shortens and simplifies the consent document considerably. There is another advantage to using a stand-alone HIPAA Authorization: the IRB does not review or approve stand-alone HIPAA Authorizations. The responsibility for this form falls on the investigator. There are disadvantages: subjects will need to sign twice - once for the consent form and once for the HIPAA Authorization - instead of signing just one document. In addition, the investigator will need to remember to use both forms instead of just a single form.

The IRB may approve a waiver or alteration of HIPAA provided that the research meets the criteria outlined in 45 CFR 164.512(i)(2)(ii) (see below). The requirements overlap with, but are not the same as, those for waiver of consent and waiver of documentation of consent. There are additional requirements for HIPAA that are more stringent than for waiver under the Common Rule (research regulations).

More information on HIPAA in research can be found on the IRB's HIPAA and Research page. The HIPAA Glossary contains definitions of useful terms related to HIPAA including the components of PHI.

There are three terms that must be understood to properly apply waivers of HIPAA - alteration, waiver in whole (full waiver), and waiver in part (partial waiver).


45 CFR 164.512(i) Standard: Uses and disclosures for research purposes

(1) Permitted uses and disclosures. A covered entity may use or disclose protected health information for research, regardless of the source of funding of the research, provided that:

(i) Board approval of a waiver of authorization. The covered entity obtains documentation that an alteration to or waiver, in whole or in part, of the individual authorization required by §164.508 for use or disclosure of protected health information has been approved by either: (A) An Institutional Review Board (IRB)... or (B) A privacy board...

45 CFR 164.512(i)(2)(ii): Criteria for Waiver or Alteration of HIPAA:

A statement that the IRB or privacy board has determined that the alteration or waiver, in whole or in part, of authorization satisfies the following criteria:

(A) The use or disclosure of protected health information involves no more than a minimal risk to the privacy of individuals, based on, at least, the presence of the following elements: (1) an adequate plan to protect the identifiers from improper use and disclosure; (2) an adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law; and (3) adequate written assurances that the protected health information will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research project, or for other research for which the use or disclosure of protected health information would be permitted by this subpart;

(B) The research could not practicably be conducted without the waiver or alteration; and

(C) The research could not practicably be conducted without access to and use of the protected health information.

See section "(i)" of 45 CFR 164.512(i), "Uses and disclosures for which an authorization or opportunity to agree or object is not required," for the HIPAA regulations related to waivers by the IRB or privacy board.

Alteration of HIPAA Authorization

The IRB may approve an alteration of the requirements of written HIPAA Authorization provided the research meets the criteria for waiver or alteration (see above). The most frequent alteration is for verbal HIPAA Authorization when the IRB has also waived the requirement for written consent under 45 CFR 46.117(c)(1)(ii). Another alteration to obtain verbal HIPAA Authorization is issued when consent is not required for screening procedures limited to: (a) obtaining information through oral or written communication with the prospective subject or legally authorized representative, or (b) obtaining identifiable private information or identifiable biospecimens by accessing records or stored identifiable biospecimens. Demonstrating that the "research could not practicably be conducted without the waiver or alteration" is the main obstacle to approving an alteration. If the subject is physically present, it is usually practicable to obtain written HIPAA Authorization.

Alteration of HIPAA Required Statements

Any of the statements required by HIPAA in 45 CFR 164.508 can be altered or waived by the IRB. For example, if the subject's specimens will be stored without any identifiers or code that can be linked to identifiers, then the investigator need not include information about withdrawal of permission to use a specimen since they won't know which sample to throw out.

Waiver of HIPAA Authorization

The IRB may approve a full waiver of the requirements for HIPAA Authorization to use and disclose protected health information, provided the research meets the criteria enumerated in 45 CFR 164.512(i)(2)(ii) (see info box). The most frequent situation where the IRB approves a full waiver of HIPAA is when the research also qualifies for a waiver of the requirements for consent. Both waivers must demonstrate that it would not be practicable to conduct the research without the waiver, so if the research qualifies for one waiver, it will usually qualify for the other.

Important Tips

  • Each of the 3 requirements for waiver from §164.512(i)(2)(ii) should be explained and justified. The minimal risk requirement has 3 subparts and each has to be addressed.

  • It is vital to provide a compelling argument for why the research could not be practicably carried out without the waiver. Practicable means possible; it does not mean convenient. For example, if a subject is available to provide authorization, then it is usually practicable to obtain their authorization.

  • CHOP's IRB will consider a request for alteration of the requirement for written HIPAA Authorization whenever the research meets the requirement for Waiver of Documentation of Consent:

    • The investigator should request a verbal authorization procedure instead of a written authorization.
    • The verbal consent/authorization must contain all of the required elements for a valid consent plus HIPAA authorization.
    • The investigator must explain how they will document that the subject gave verbal authorization for the use of PHI.
    • The investigator must make a compelling case that the research would not be practicable without the waiver. NOTE: When it is practicable to obtain written authorization (e.g. the subject is seen in person) the IRB may not be able to permit verbal authorization even though the study qualifies for a waiver of documentation of consent (verbal consent). In this situation, the investigator may choose to use verbal consent with a stand-alone HIPAA authorization.
    • Even if consent is not required for certain screening procedures, HIPAA may still apply and authorization may need to be obtained if the requirements for a waiver of HIPAA are not met. In this situation, the investigator will need to obtain HIPAA authorization with a stand-alone HIPAA authorization form. For additional information concerning screening procedures, see Recruitment vs Screening.
  • See the IRB SOP 706: Waiver of Elements of Consent and Waiver of Written Authorization for the IRB's complete policy on waiver of HIPAA authorization.

Frequently Asked Questions

  1. How does written authorization differ from informed consent?

    Informed consent is specified by required elements that ensure that the subject understands the nature of the research and its risks and potential benefits and agrees to participate in research. A subject's written Authorization is for uses and disclosures of protected health information in the course of research that are not otherwise permitted under the Privacy Rule. An authorization specifies a set of core elements, including a description of the protected health information to be used and disclosed, the person authorized to make the use or disclosure, the person to whom the covered entity may make the disclosure, an expiration date, and, in some cases, the purpose for which the information may be used or disclosed.

    There are circumstances where HIPAA authorization, but not consent, may be required. This may be the case for screening procedures. For additional information concerning screening procedures, see Recruitment vs Screening.

  2. If consent is not required for screening procedures but HIPAA authorization is, do I need to submit a HIPAA authorization form?

    The investigators should submit a stand-alone HIPAA authorization form to the IRB. While the IRB does not approve stand-alone HIPAA authorization forms, it does check them for accuracy and to ensure that they contain the required elements. The IRB's responsibilities related to HIPAA are described in more detail in the IRB's Role in HIPAA.

  3. Can I review my own office records to plan for a new study without IRB approval?

    You cannot use, access, or record PHI on human subjects without doing one of the following three things:

    1. obtaining a Written Authorization; or
    2. obtaining an IRB Waiver of Written Authorization; or
    3. submitting a certification to the IRB for Work Preparatory to Research.

    The IRB will acknowledge the certification after it is submitted but does not approve the submission.

    If the review of records does not involve use of PHI then it can proceed without IRB approval or submission of a Work Preparatory to Research certification. For example, if a database administrator runs a report to count up the number of potential subjects with a specific medical condition between the ages of 1 and 5 years, that search would not involve use of PHI by the investigator. The report would simply provide a summary of the number of potential subjects. If PHI is viewed, recorded or used in any way, the investigator must submit a Work Preparatory to Research certification before doing the work.

  4. Do I need to obtain consent and HIPAA authorization to do study recruitment?

    It depends.

    If recruitment is limited to review of existing medical records as part of an IRB-approved protocol, then HIPAA authorization and consent are not required (a waiver of HIPAA authorization and a waiver of consent [when applicable] can be granted by the IRB). The subjects will have an opportunity, at the time they are approached to participate, to provide informed consent and HIPAA authorization. The investigator is obligated to protect the PHI of prospective subjects just as they are obligated to protect the PHI of every patient cared for at CHOP.

    If the investigator intends to screen potential subjects for eligibility by asking them questions, these questions are considered part of the research. Consent and HIPAA authorization may have to be obtained for screening procedures. For additional information, see Recruitment vs Screening or IRB's Role in HIPAA.

  5. I am submitting a Work Preparatory to Research attestation so that I can review my records to identify how many potential subjects are in my clinic. What information, if any, can I retain when I'm done?

    The data collected must be limited to the minimum necessary to meet the objectives of the Work Preparatory to Research (e.g., establish feasibility, plan the study, identify potentially eligible subjects, etc.). Study data may not be collected, but the investigator may retain names and contact information to be used, after the study is approved by the IRB, for recruitment purposes.

  6. There are decedents whose records will be included amongst those in the study; do we need to file the Decedents HIPAA Attestation?

    The HIPAA attestation for the use of decedents' PHI is only for research that will be exclusively limited to decedents. The attestation provides a means for the investigator to attest to their intent to adhere to the requirements of HIPAA related to the use of decedents' PHI. The IRB receives the investigator's attestation and checks it for appropriateness; it does not issue an approval. The investigator will receive the IRB's acknowledgment of receipt. If decedents' PHI is used as part of a study that also enrolls human subjects, the investigator can request a waiver of HIPAA authorization for the use of decedents' PHI.

  7. I am doing research in Botswana. Does HIPAA apply to research performed at international sites?

    Since the research is taking place in an international setting, HIPAA authorization is not required from study participants. However, HIPAA protections apply to the use and collection of protected health information (PHI) by agents of the University of Pennsylvania and the Children's Hospital of Philadelphia as part of this research. This means that as an investigator, you are obligated to give the data the same protections as if it were collected from subjects at CHOP.