Winthrop.edu Sponsored Programs and Research, SPAR

Room 149 McLaurin Building; Winthrop University, Rock Hill, SC  29733  •  803/323-2460  •  803/323-4893 (Fax)   

 
45CFR Part 160 and 164 - HIPAA
Standards of Privacy of Individually Identifiable Health Information - Office of Civil Rights
 
HIPAA Authorization Form
HIPAA Authorization Waiver
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

 

 

Winthrop University
Institutional Review Board
HIPAA: Health Insurance Portability and Accountability Act
 

Under HIPAA regulations (45CFR Part 160 and 164), health information about an individual to be used or disclosed in research requires authorization from the individual prior to such use or disclosure. This authorization must be in writing, signed by the individual and a copy of the authorization provided to the individual.

 Throughout the following PHI refers to “protected health information”.

 Written HIPAA Authorizations must meet the following criteria: [45CFR164.508(c)(1)] 

  1. A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion.
  2. The name or other specific identification of the person(s) or class of persons authorized to make the requested use or disclosure
  3. The name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the requested use or disclosure
  4. A description of each purpose of the requested use or disclosure
  5. An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure
  6. Signature of the individual and date.  If the authorization is signed by a personal representative of the individual, a description of such representative’s authority to act for the individual must also be provided.

 The authorization must contain these required statements: [45CFR164.508(c)(2)] 

  1. The individual’s right to revoke his/her authorization in writing and either (1) the exceptions to the right to revoke and a description of how the individual may revoke authorization or (2) reference to the corresponding sections(s) of the covered entity’s Notice of Privacy Practices.
  2. Notice of the covered entity’s ability or inability to condition treatment, payment, enrollment, or eligibility for benefits on the authorization, including research related treatment, and if applicable, consequences of refusing to sign the authorization.
  3. The potential for the PHI to be re-disclosed by the recipient and no longer protected by the Privacy Rule.  This statement does not require an analysis of risk for re-disclosure, but may be a general statement that the Privacy Rule may no longer protect health information.

 Waiver of HIPAA Authorization

 The written authorization requirement may be waived under one of the following conditions:  

  1. The researcher must have IRB Approval for the waiver of authorization. [45CFR164.512(i)(1)(i)] – See approval criteria below .
  2. The collection of the PHI is solely to prepare a research protocol and that the researcher will not remove any PHI from the health care entity and the PHI is necessary for the research purpose. [45CFR164.512(i)(1)(ii)]
  3. The use or disclosure being sought is solely for research on the PHI of decedents, that the PHI being sought is necessary for research. [45CFR164-512(i)(1)(iii)]
  4. The researcher has entered into a Data Use Agreement with the health care entity. [45CFR164.514(e)]

In order for an IRB to waive the HIPAA authorization requirement, all three of the following criteria must be satisfied: 

  1. The use or disclosure of PHI involves no more than minimal risk to the privacy of individuals, based on at least the presence of the following elements:
    1. An adequate plan to protect the identifiers from improper use and disclosure, AND
    2. An adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law; AND
    3. Adequate written assurances that the PHI will not be used or disclosed to any other person or entity, except as required by law , for authorized oversight of the research project, or for other research for which the use or disclosure of PHI would be permitted
  2. The research could not practicably be conducted without the waiver or alteration, AND
  3. The research could not practicably be conducted without access to and use of the PHI.

 FORMS:

  1. HIPAA Authorization Form
  2. Request for Waiver of HIPAA  Authorization Requirement

 

Source of information:
45CFR Part 164
Office of Civil Rights (OCR), US Department of Health and Human Services – “Standards for Privacy of    Individually Identifiable Health Information” http://www.hhs.gov/OCR/hipaa/privacy.html

 

 

Rock Hill, South Carolina   29733
University Disclaimer Statement