Waiver or Alteration of HIPAA

The IRB may approve a waiver or alteration of HIPAA provided that the research meets the criteria outlined in 45 CFR 164.512(i)(2)(ii) (see below). The requirements overlap but are not the same as those for waiver of consent and waiver of documentation of consent. There are additional requirements for HIPAA that are more stringent than for waiver under the Common Rule (research regulations).

More information on HIPAA in research can be found in the IRB's Policy on HIPAA pg.316 (PDF).

There are three terms that must be understood to properly apply waivers of HIPAA - alteration, waiver in whole (full waiver), and waiver in part (partial waiver).

45 CFR 164.512(i) Standard: Uses and disclosures for research purposes

  1. Permitted uses and disclosures. A covered entity may use or disclose protected health information for research, regardless of the source of funding of the research, provided that:

    • Board approval of a waiver of authorization. The covered entity obtains documentation that an alteration to or waiver, in whole or in part, of the individual authorization required by §164.508 for use or disclosure of protected health information has been approved by either:

      • (A) An Institutional Review Board (IRB)... or

      • (B) A privacy board...

45 CFR 164.512(i)(2)(ii): Criteria for Waiver or Alteration of HIPAA:

A statement that the IRB or privacy board has determined that the alteration or waiver, in whole or in part, of authorization satisfies the following criteria:

  1. The use or disclosure of protected health information involves no more than a minimal risk to the privacy of individuals, based on, at least, the presence of the following elements:

    • an adequate plan to protect the identifiers from improper use and disclosure;

    • an adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law; and

    • adequate written assurances that the protected health information will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research project, or for other research for which the use or disclosure of protected health information would be permitted by this subpart;

  2. The research could not practicably be conducted without the waiver or alteration; and

  3. The research could not practicably be conducted without access to and use of the protected health information.

See section "(i)" of 45 CFR 164.512(i) Uses and disclosures for which an authorization or opportunity to agree or object is not required (PDF) for the HIPAA regulations related to waivers by the IRB or privacy board.

The IRB may approve an alteration of the requirements of written HIPAA Authorization provided the research meets the criteria for waiver or alteration (see info box). The most frequent alteration is for verbal HIPAA Authorization when the IRB has also waived the requirement for written consent pg. 179 (PDF) under 45 CFR 46.117(c)(2). Demonstrating that the "research could not practicably be conducted without the waiver or alteration" is the main obstacle to approving an alteration. If the subject is physically present, it is usually practicable to obtain written HIPAA Authorization.

Alteration of HIPAA Required Statements

Any of the statements required by HIPAA in 45 CFR 164.508 can be altered or waived by the IRB. For example, if the subject's specimens will be stored without any identifiers or code that can be linked to identifiers, then the investigator need not include information about withdrawal of permission to use a specimen since they won't know which sample to throw out.

The IRB may approve a full waiver of the requirements for HIPAA Authorization to use and disclose protected health information, provided the research meets the criteria enumerated in 45 CFR 164.512.(i)(2)(ii) (PDF) (see info box). The most frequent situation where the IRB approves a full waiver of HIPAA is when the research also qualifies for a waiver of the requirements for consent pg.179 (PDF). Both waivers must demonstrate that it would not be practicable to conduct the research without the waiver, so if the research qualifies for one waiver, it will usually qualify for the other.

HIPAA authorization to use and disclose protected health information may be waived for just part of the research. The term Partial Waiver, can be confused with an Alteration of HIPAA Authorization. The The NIH Fact Sheet on Clinical Research and the HIPAA Privacy Rule (PDF) explains a partial waiver as follows:

"A partial waiver of the Authorization requirements of the Privacy Rule might be requested, for instance, to allow a researcher to obtain PHI as necessary to recruit potential research subjects. For example, even if an IRB does not waive the Authorization requirement for the entire research study, an IRB may partially waive the Authorization requirement to permit a covered entity to disclose PHI to a researcher for the purposes of contacting and recruiting individuals into the study."

Link to Emory HIPAA If the information is going to be recorded so that the prospective subject can be contacted at a later date, a partial waiver of HIPAA would be required.

Examples of situations where the IRB or privacy board could issue a partial waiver would include the following situations:

  • uses and disclosures required for recruitment purposes;
  • uses and disclosures for the use of PHI from existing data/specimens, where HIPAA authorization will subsequently be provided by the participants.

  • Each of the 3 requirements for waiver from §164.512(i)(2)(ii) should be explained and justified. The minimal risk requirement has 3 subparts and each has to be addressed.
  • It is vital to provide a compelling argument for why the research could not be practicably carried out without the waiver. Practicable means possible; it does not mean convenient. For example, if a subject is available to provide then it is usually practicable to obtain their authorization.
  • Emory's IRB will consider a request for alteration of the requirement for written HIPAA Authorization whenever the research meets the requirement for Waiver of Documentation of Consent
    • The investigator should request a verbal authorization procedure instead of a written authorization.
    • The verbal consent/authorization must contain all of the required elements for a valid consent plus HIPAA authorization.
    • The investigator must explain how they will document that the subject gave verbal authorization for the use of PHI.
    • The investigator must make a compelling case that the research would not be practicable without the waiver. NOTE: that when it is practicable to obtain written authorization - the subject is seen in person - the IRB may not be able to permit verbal authorization even though the study qualifies for a waiver of documentation of consent (verbal consent). In this situation, the investigator may choose to use verbal consent with a stand-alone HIPAA authorization.
  • See the Policy chapter covering Waiver of HIPAA authorization pg. 316 (PDF) for the IRB's complete policy on waiver of HIPAA authorization.