Waiver or Alteration of Authorization Requirements

The second condition under which PHI may be used or disclosed is if the use or disclosure has been obtained under a waiver of authorization. In some instances, obtaining an authorization for research purposes may be difficult or unfeasible (e.g., contact information is unknown for several hundred research subjects). Under such circumstances, an IRB or a Privacy Board may approve a waiver or alteration of authorization for the use and disclosure of PHI.

As mentioned, an IRB is a body that typically reviews research protocols, informed consent documents, and related materials to ensure protection of the rights and welfare of human subjects in research. A Privacy Board is a review body that is created under the Privacy Rule. It is established to act solely on requests for a waiver or an alteration of the authorization requirement under the Privacy Rule for a particular research study. Privacy Boards are not involved in creating authorization forms and do not monitor uses and disclosures of PHI made pursuant to an authorization.

A Privacy Board must meet certain membership requirements, such as (a) members must have varying backgrounds and appropriate professional competency to review the effect of the research protocol on the individual's privacy rights and related interests; (b) there must be at least one member who is not affiliated with the covered entity, at least one member who is not affiliated with any entity conducting or sponsoring the research, and at least one member who is not related to any persons affiliated with any of such entities; and (c) the board must not have any member participating in a review of any project in which the member has a conflict of interest.27 These requirements are not necessarily the same as those for IRB membership under other relevant federal regulations.

A Privacy Board or IRB may waive or alter all or part of the authorization requirements. The waiver or alteration must meet the following criteria: (a) the use or disclosure of PHI involves no more than a minimal risk to individual privacy based on an adequate plan to protect the PHI from improper use and disclosure, there is an adequate plan to destroy the PHI at the earliest opportunity consistent with conduct of the research, and there are adequate written assurances that PHI will not be reused or disclosed to any other person or entity, except as otherwise permitted under the Privacy Rule; (b) the research could not practicably be conducted without the waiver or alteration; and (c) the research could not be conducted without access to and use of the PHI.22

A covered entity may use and disclose PHI once it receives proper documentation of waiver/alteration approval from the Privacy Board or IRB.23 Documentation must be retained by the covered entity for 6 years from the date of its creation or the date it was last in effect, whichever is later.24 When IRBs and Privacy Boards coexist, the Privacy Rule does not require approval of a waiver or an alteration of authorization by both bodies; a covered entity may rely on a waiver or an alteration of authorization approved by any appropriate IRB or Privacy Board.25

5. Limited Data Sets and Data-Use Agreement

The third condition under which PHI may be used or disclosed by a covered entity is if certain PHI has been provided through the use of a limited data set.

A limited data set is information stripped of certain direct identifiers (e.g., name, address) but may include other data not considered to be direct identifiers (e.g., city, state, elements of a date). A covered entity may use or disclose only a limited data set for research, public health, or health care operations purposes.26

In addition, a limited data set may be used or disclosed by a covered entity only if the covered entity and the recipient of the data set enter into a data-use agreement.27 A data-use agreement provides satisfactory assurances that the recipient of the limited data set will use or disclose the enclosed PHI only for the purposes mentioned in the document. Any person, including an employee or other member of a covered entity's workforce, requesting a limited data set from a covered entity must enter into a data-use agreement.28

If the covered entity providing the limited data set knows of recipient activities that violate the data-use agreement, the covered entity must take reasonable steps to correct the inappropriate activities. If the covered entity has been unsuccessful in correcting those activities, it must discontinue disclosure of PHI to the recipient and notify HHS.29 Many researchers are already familiar with data-use agreements, as such documents are required to access federal, population-based health utilization, and morbidity and mortality data.
