HIPAA Overview

Waiver of Authorization

lDisclosure poses no more than minimal risk to the privacy of individuals

–Plan to protect identifiers from improper disclosure

–Plan to destroy identifiers at earliest opportunity

–Written assurance that PHI will not be reused or disclosed

lResearch could not practicably be done without the waiver

lResearch could not practicably be done without access to the PHI

lPrivacy risks are reasonable in relation to expected benefits


	Waiver approved by a Privacy Board or IRB

	A CE is permitted to disclose PHI for research purposes without authorization if an IRB or Privacy Board has either waived authorization or approved a modified authorization. CE may use its own IRB or Privacy Board or accept the review of some other IRB/PB.

	Privacy Board functions much like an IRB with regard to the review of requests for waivers of authorization. Role is to assure that there is legitimate and compelling reason for allowing access to health information without patients consent

	Make up of PB is prescribed in regulation – similar to that of IRB

	IRB granting waiver must follow Common Rule plus added privacy criteria using either full or expedited review.
	Waiver of authorization criteria similar to that already used by IRB to waive informed consent

	Some university IRBs have already expressed an unwillingness to take on the dual role and responsibilities of a privacy board. Not yet decided at USC, but initial inclination is to serve dual role.