The individual signing the authorization must be informed that, because the authorization permits the disclosure of PHI to
a third party that is not a covered entity, like a pharmaceutical company sponsor, there will be no legal restriction (under
HIPAA) on the subsequent re-disclosure by the company of the information. The disclosing entity may impose some restrictions
on the recipient by agreement. Often, the research site or institution will attempt to include language in its agreement with
the research sponsor, in which the sponsor must agree to protect the confidentiality of PHI. Agreeing to this language may
be appropriate, but it is not required by HIPAA.
In the authorization, individuals must agree that their right to have access to their medical records may be suspended while
the clinical trial is pending. This is one of the few exceptions to the patient's right to access, but it must be stated in
the authorization to be effective.
For a facility that maintains a tissue repository or other data bank for research purposes, patients must, upon admission,
sign an authorization for the disclosure of their information to the repository. Individuals cannot, however, provide a blanket
authorization to the repository to disclose the information to any researcher who wants it in the future. That future request
must be dealt with separately.
De-identification and authorization are two methods of removing barriers that prevent the research sponsor from receiving
data containing PHI. If neither of those is available, HIPAA provides four alternative approaches:
- waiver
- limited data set
- preparatory research information
- research on decedents' information.
Waiver
A waiver is a procedure by which a specified third party can permit disclosure of PHI without the patient's authorization.
This third party can be either the Institutional Review Board (IRB) supervising the research or a Privacy Board, a new entity
authorized under HIPAA to perform some HIPAA-related functions similar to those performed by the IRB.
Waivers can be complete or partial. In a complete waiver, no authorization is required for the covered entity to use or disclose
the PHI for the research project. Partial waivers remove the authorization requirement only for certain aspects of the research
project. The IRB or Privacy Board also can alter or approve changes in the requirements for authorization.
There is no required number of members of a Privacy Board, but the members must have varying and appropriate backgrounds.
A sponsor may have representation on the Privacy Board, provided that the board includes at least one member who is not affiliated
with the covered entity or the sponsor. Members of the Privacy Board must not have any interest in the research project that
would pose a conflict of interest with their Privacy Board responsibilities. Privacy Boards can be smaller than IRBs and can be
used to keep the burden on IRBs from becoming too great. Most institutions, however, have simply used their IRBs rather than
setting up independent Privacy Boards; this avoidance of duplication is appropriate.
The waiver provision is one of the regulations most weighted toward encouraging research because it permits a few people to
wipe away all the HIPAA protections that the individual would otherwise have.
The IRB or Privacy Board must determine that the use or disclosure of PHI involves minimal risk to the individual participant's
privacy, by proving that the research protocol has an adequate plan to protect identifiers from improper use and disclosure
and to destroy them as soon as they are no longer necessary. The researchers also must promise not to re-disclose the PHI
except in connection with oversight of the research.
The researchers also must show that they cannot conduct the research without the waiver (it's too difficult to get authorizations)
and that they can't do the research without the PHI. The IRB or Privacy Board must document its determinations. From the sponsor's
perspective, including privacy protection in the research protocol may persuade an IRB to waive all other privacy requirements.
Limited data set
The limited data set is another creation of the revised regulations that assists researchers. Certain limited PHI can be
disclosed for research purposes without authorization or waiver, including certain information that technically is PHI, such
as city, state, zip code, and dates or other numbers or codes that are not direct identifiers (not social security numbers).
The covered entity and researcher must enter into a Data Use Agreement that outlines the specific permitted uses and disclosures
by the recipient, and provides assurances and agreements that will prevent further unauthorized use of the information.