IRB Notes: Alternatives to Signed HIPAA Research Authorization

From the Chair’s Desk

Under HIPAA, using or disclosing Protected Health Information (PHI) for research purposes generally requires a signed authorization from the subject. There are, however, a number of exceptions to this rule. When you will not be obtaining signed authorization from subjects for a research project that is eligible for an exception, you need to complete the appropriate form or agreement to document that you have met the HIPAA requirements for the exception. Below is a brief summary of the various types of HIPAA forms and agreements you may need.

Waiver of Authorization (WoA)

Allows researchers to use or disclose PHI for a research project without obtaining authorization from the subject, or without certain required elements of a full authorization (such as a signature).

  • Use this when: It is not practicable to obtain full, signed authorization from each subject and when conducting the research without such authorization will not adversely affect the rights and welfare of subjects. Common examples include retrospective chart reviews (full waiver, no authorization) and phone surveys (authorization obtained, but without signature).
  • How to submit: Upload a completed Waiver or Alteration of HIPAA Authorization form to your study in eIRB.

Prep to Research Form

Allows researchers to access PHI without authorization for activities preparatory to research.

  • Use this when: You need to access PHI to determine whether your project is feasible, to compile a recruitment list, or for other similar purposes, and you will not need to disclose PHI outside OHSU.
  • How to submit: If you haven’t developed your study yet, submit the completed Prep to Research form via a Request for Determination in the eIRB. If you are accessing PHI for recruiting purposes, upload the form to your eIRB study.

Decedents Form

Allows researchers to access PHI for activities involving only the PHI of decedents.

  • Use this when: Some or all of the subjects in your research study are deceased.
  • How to submit: Submit the completed Representation Form for Research Involving Only Decedents’ Information as part of your IRB application. Since decedents are not considered human subjects, if all the subjects are deceased, your study does not require IRB oversight, so you can submit the Decedents form with a Request for Determination.

Data Use Agreement (DUA)

Allows researchers to disclose a Limited Data Set (stripped of direct identifiers such as name and address, but possibly including some indirect identifiers, such as dates) without authorization to another institution for research purposes. Must be signed by authorized officials at both institutions; investigators do not sign these agreements.

  • Use this when: You need to share a Limited Data Set with a collaborator for a research project. A key benefit of a DUA is that, unlike with a WoA, you do not need to maintain an Accounting of Disclosures.
  • How to submit: If OHSU is disclosing the PHI, use OHSU’s template DUA and provide it to the recipient institution for signature first. Then upload it to your eIRB study, where it will be routed for signature by OHSU officials. If OHSU is receiving the PHI, upload the other institution’s DUA to your eIRB study for review and signature. Changes to OHSU’s template and the use of other institutions’ agreements may require negotiation with the other institution and/or review by the Legal department, which can add some time to your approval. If you expect that negotiation will be needed, contact Andrea Johnson, IRB Regulatory Specialist, to start the process early.

Business Associate Agreement

Allows researchers to disclose PHI without authorization to another institution for the purpose of performing a service. Must be signed by authorized officials at both institutions; investigators do not sign these agreements.

  • Use this when: Another institution (the Business Associate) is performing a service associated with your research project, such as recruitment services, data manipulation, analysis or aggregation, and is not otherwise a collaborator on the project. Generally, there will be some other type of contract in place with the Business Associate that describes the service agreement.
  • How to submit: Most of the time, the IRB does not review and sign BAAs, but will need to know that you have one. Contact the office that handled the original contract with the Business Associate in order to execute the BAA. When you submit to the IRB, put a note in the project log, a memo, or somewhere else in your submission that lets us know you have a BAA in place.

Keep in mind that this is a very brief overview. There may be other factors that influence whether a particular mechanism is appropriate for your study. See our HIPAA Research Guidelines website for much more information on HIPAA authorizations and their alternatives. The Information Privacy and Security Office website also contains helpful information about HIPAA. As always, feel free to contact us if you have questions about how HIPAA applies to your research project.