IRBs have a new charge: Authorization waivers

It’s up to the researchers to justify waiver

It started out as a simple premise: protect patients’ privacy by securing their health information. But the Privacy Rule of the Health Insurance Portability and Accountability Act (HIPAA) is raising some concerns, not just among primary caregivers and treatment facilities.

There is much to be confused about if you’re involved in research. To begin with, the regulations state that the Privacy Rule is not directly aimed at research. But there is a caveat: If the research involves access to information, then the Privacy Rule may apply. At issue is information derived from covered entities — health plans, health care providers, or health care clearinghouses that transmit information electronically. Those covered entities are required to keep prying eyes from patients’ private health care info (referred to in HIPAA guidelines as protected health information or PHI), which includes diagnoses, treatment courses, and payments related to treatment.

Given that most research will involve patient information deemed private under HIPAA, researchers and IRBs must now learn to incorporate Privacy Rule requirements into their protocols.

"HIPAA adds another layer to the IRB approval process," says Lisa Sotto, JD, a privacy regulatory specialist at Hunton & Williams in New York City. "One significant concern of IRBs is how researchers will safeguard information when data is maintained in so many downloadable formats."

The Department of Health and Human Services (HHS) issued a guidance document, "Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule," to help researchers and IRBs understand just what is required under HIPAA. The guidance, available at, tries to cover everything you’d ever want to know about HIPAA, including definitions of pertinent terms you may encounter and various aspects of the rule that may impact research.

Informed consent vs. authorization

The terms are being used interchangeably but they should not be. "Informed consent provides the research subject with a description of the study and its anticipated risks and benefits," says Sotto. "A HIPAA authorization is the participant’s permission to allow the investigator to use and share information in ways that are specified in the authorization form."

Though the consent documentation and authorization agreement can be combined, the authorization form should contain specific elements, such as what information can be used, to whom it can be disclosed, whether participation is dependent on the participant’s signing the authorization, and the participant’s signature.

According to the HHS, authorization forms can be written by researchers and do not require IRB approval. Additionally, according to HHS regulations, one waiver is all that is required for multisite projects.

IRBs get involved, however, when an authorization alteration or waiver is requested. The HHS states: "A complete waiver occurs when the IRB or Privacy Board determines that no authorization will be required for a covered entity to use and disclose PHI for a particular research project."

In deciding whether to grant an authorization waiver, IRBs should be looking at how sensitive patient treatment info is. "If you’re dealing with genetics or HIV data, the IRB is going to want to see serious privacy protections in place," says Sotto.

IRB waivers should contain language that describes the following:

  • that the research poses no more than a minimal risk to the privacy of individuals;
  • that the research could not be conducted without the waiver;
  • that the research could not be conducted without access to and use of PHI.

"IRBs are charged with protecting the confidentiality of research subjects," says John Isidor, JD, CEO of Schulman Associates IRB in Cincinnati. "The waiver is designed to allow a person’s PHI to be used and/or disclosed for research purposes without the person’s authorization. The researcher must assure the IRB among other things that there is minimal risk to the person’s privacy and that the research could not be conducted without the waiver." (See form.)