Compliance Overview

Waiver of Authorization

¡Disclosure poses no more than minimal risk to the privacy of individuals

lPlan to protect identifiers from improper disclosure

lPlan to destroy identifiers at earliest opportunity

lWritten assurance that PHI will not be reused or disclosed

¡Research could not practicably be done without the waiver

¡Research could not practicably be done without access to the PHI

¡Privacy risks are reasonable in relation to expected benefits


	Waiver approved by a Privacy Board or IRB

	As rule of thumb, many IRBs are using the minimal risk criteria from Common Rule. Others in health care organizations are being guided by use and disclosure. Use = within organization = usually minimal risk. Disclosure outside is held to a higher standard = likely to be considered more than minimal

	A CE is permitted to disclose PHI for research purposes without authorization if an IRB or Privacy Board has either waived authorization or approved a modified authorization. CE may use its own IRB or Privacy Board or accept the review of some other IRB/PB.

	Privacy Board functions much like an IRB with regard to the review of requests for waivers of authorization. Role is to assure that there is legitimate and compelling reason for allowing access to health information without patients consent

	Make up of PB is prescribed in regulation – similar to that of IRB

	IRB granting waiver must follow Common Rule plus added privacy criteria using either full or expedited review.
	Waiver of authorization criteria similar to that already used by IRB to waive informed consent

	Some university IRBs have already expressed an unwillingness to take on the dual role and responsibilities of a privacy board. Not yet decided at USC, but initial inclination is to serve dual role.