Institutional Review Board Manual
HIPAA and Research
Obtaining Authorization from Subjects
The first condition under which Protected Health Information (PHI) may be used and disclosed in research is by obtaining the subject's written permission.
The Written Authorization: A valid Privacy Rule Authorization is an individual's signed permission that allows a covered entity (SCDMH) to use or disclose the individual's PHI for the purposes stated in the Authorization and to the recipient or recipients as stated in the Authorization.
The Privacy Rule requires that an Authorization pertain only to a specific research study, not to nonspecific research or to future, unspecified projects. The Privacy Rule considers the creation and maintenance of a research repository or database as a specific research activity, but the subsequent use or disclosure by a covered entity of information from the database for a specific research study will require separate Authorization unless a waiver is granted. If an Authorization for research is obtained, the actual uses and disclosures made must be consistent with what is stated in the Authorization. In SCDMH, Authorizations are usually managed in the individual patient’s Community Mental Health Center or inpatient facility.
An Authorization can be combined with an informed consent document. Whether combined with an informed consent or separate, an Authorization must contain the specific core elements and required statements stipulated in the Rule. These elements may be reviewed at: http://privacyruleandresearch.nih.gov/authorization.asp
Authorization Core Elements
- A description of the PHI to be used or disclosed, identifying the information in a specific and meaningful manner.
- The names or other specific identification of the person or persons (or class of persons) authorized to make the requested use or disclosure.
- The names or other specific identification of the person or persons (or class of persons) to whom the covered entity may make the requested use or disclosure.
- A description of each purpose of the requested use or disclosure.
- Authorization expiration date or expiration event that relates to the individual or to the purpose of the use or disclosure. An Authorization for research uses and disclosures need not have a fixed expiration date or state a specific expiration event. "End of the research study" or "none" is permissible for research, including for the creation and maintenance of a research database or repository.
- Signature of the individual and date. If the individual's legally authorized representative signs the Authorization, a description of the representative's authority to act for the individual must also be provided.
Authorization Required Statements
- A statement of the individual's right to revoke his/her Authorization and how to do so, and, if applicable, the exceptions to the right to revoke his/her Authorization or reference to the corresponding section of the covered entity's notice of privacy practices.
- Whether treatment, payment, enrollment, or eligibility of benefits can be conditioned on Authorization, including research-related treatment and consequences of refusing to sign the Authorization, if applicable.
- A statement of the potential risk that PHI will be re-disclosed by the recipient. This may be a general statement that the Privacy Rule may no longer protect health information disclosed to the recipient.