CPHS may grant a Waiver of Authorization for studies meeting all of the following criteria:
The use or disclosure involves no more than minimal risk to a subject’s privacy, based on at least the following principles:
A plan to protect identifiers
A plan to destroy identifiers at the earliest opportunity that is consistent with the goals of the study, unless there is a health justification for retaining the identifiers or retention is otherwise required by law
Adequate written assurances that the PHI will not be reused or disclosed to any other person or entity, except as required by the study or law enforcement agencies.
The research could not be practicably conducted without the waiver
The research could not be practicably conducted without access to and use of PHI
If a waiver is obtained, please note that the following procedures must also be in place:
- The “minimum necessary” standard (see above) – you will be asked to identify and justify what identifiable information you will need.
- Disclosures of PHI outside UTHealth must be tracked. The purpose of this tracking requirement is to provide patients, upon their request, with a list of where information about them was released for research and certain other non-treatment purposes without their knowledge. The following information must be tracked for each disclosure:
- Name of individual
- Date of disclosure
- Name of person/entity that received the information
- Brief description of PHI disclosed
- Brief statement about the purpose of the disclosure
- Disclosures must be made available to the indvidual upon request for 6 years following the disclosure
- HIPAA requires that the IRB review any changes to a waiver (for example, if you decided to add new sources of PHI).
Log into the iRIS system and fill out the authorization form to ask permission for a waiver to be granted. This will most often apply to protocols that are currently reviewed by expedited review and for which informed consent is waived under the Common Rule.
The tracking of disclosures is the responsibility of the Covered Entity disclosing the information. The entities that will be disclosing information should have their own methods in place for disclosures pursuant to a waiver. These entities will ask you for information regarding your disclosures.