IRB Common Rule and HIPAA Waiver Approval

Overview

CMS must ensure that all research requests for protected health information meet the requirements under the Common Rule and the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. As a result, researchers must submit the following as part of the research request packet:

Common Rule

  • If subject to the Common Rule:
    • documentation of institutional review board (IRB) approval of the research AND
    • informed consent of the research subjects or IRB waiver of the requirement to obtain informed consent.
  • If exempt from the Common Rule:
    • a signed and dated statement describing the basis for exemption.

HIPAA Privacy Rule

  • Individual authorization of the use of the data for the research OR
  • Documentation that an IRB or a Privacy Board has approved a waiver of research subjects' authorization for use/disclosure of information about them for research purposes.

The IRB study title must match the CMS data request study title, otherwise, a brief explanation is required.

For more information about the specific documentation that must be submitted to CMS, please see the Common Rule and HIPAA Privacy Rule tabs below.

Common Rule

For research that is subject to the U.S. Federal Policy for the Protection of Human Subjects (also known as the Common Rule) and not otherwise exempt, the researcher must provide documentation to CMS of institutional review board (IRB) approval of the research and informed consent of the research subjects, or IRB waiver of the requirement to obtain informed consent, that meets the requirements of the Common Rule [45 CFR part 46, subpart A].

Common Rule Waiver Criteria

An IRB may approve a waiver of the informed consent requirement if an IRB finds and documents that:

  • State Program Research:
  1. The research is to be conducted by or subject to the approval of state or local government officials and is designed to study, evaluate, or otherwise examine: (i) public benefit or service programs; (ii) procedures for obtaining benefits or services under those programs; (iii) possible changes in or alternatives to those programs or procedures; or (iv) possible changes in methods or levels of payment for benefits or services under those programs; and
  2. The research could not practicably be carried out without the waiver.

[45 CFR § 46.116(c)]

OR

  • Other Research:
  1. The research involves no more than minimal risk to the subjects;
  2. The waiver will not adversely affect the rights and welfare of the subjects;
  3. The research could not be practicably carried out without the waiver; and
  4. Whenever appropriate, the subjects will be provided with additional pertinent information after participation.

[45 CFR § 46.116(d)]

Documentation of Common Rule Waiver Approval/Common Rule Exemption

For research that is subject to the Common Rule, the documentation submitted to CMS should:

      i. identify the IRB;
      ii. include the date of IRB approval;
      iii. state that the applicable waiver requirements (described above) have been met, if applicable; and
      iv. be signed by the IRB chair or his/her designee.

It is the responsibility of the researcher to maintain current IRB approval for ongoing studies, including any renewals or extensions of approval, as necessary.

If the research is exempt from the requirements of the Common Rule, the Researcher should submit a signed and dated statement (preferably from an IRB) describing the basis for exemption.

Visit the Office of Human Research Protections (OHRP) website for additional guidance on the Common Rule.

HIPAA Privacy Rule

CMS is permitted to disclose protected health information for research either with individual authorization, or without individual authorization if the requirements of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule are met. If a researcher has not obtained individual authorization, CMS must receive from the researcher documentation that an IRB or a HIPAA-compliant Privacy Board has approved a waiver of the research subjects' authorization for disclosure of information about them for research purposes. [45 CFR § 164.512(i)(1)]

HIPAA Waiver Criteria

The documentation submitted to CMS should include a statement that the IRB or Privacy Board has determined that the alteration or waiver of authorization, in whole or in part, satisfies all of the following criteria:

A. The use or disclosure of protected health information involves no more than a minimal risk to the privacy of individuals, based on, at least, the presence of the following elements;

  1. An adequate plan to protect the identifiers from improper use and disclosure;
  2. An adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law; and
  3. Adequate written assurances that the protected health information will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research study, or for other research for which the use or disclosure of protected health information would be permitted by the Privacy Rule;

B. The research could not practicably be conducted without the waiver or alteration; and C. The research could not practicably be conducted without access to and use of the protected health information.
[45 CFR § 164.512(i)(2)(ii)]

Documentation of HIPAA Waiver Approval

Under the HIPAA Privacy Rule, for CMS to disclose protected health information for research purposes pursuant to a waiver of authorization by an IRB or Privacy Board, the researcher must submit the following documentation:

  1. Identification of the IRB or Privacy Board and the date on which the alteration or waiver of authorization was approved;
  2. A statement that the IRB or Privacy Board has determined that the alteration or waiver of authorization, in whole or in part, satisfies the applicable waiver criteria in the Privacy Rule (described above);
  3. A brief description of the protected health information for which use or access has been determined to be necessary to conduct the research by the IRB or Privacy Board;
  4. A statement that the alteration or waiver of authorization has been reviewed and approved under either normal or expedited review procedures; and
  5. The signature of the chair or other member, as designated by the chair, of the IRB or Privacy Board, as applicable.

[45 CFR § 164.512(i)(2)]

This documentation can be a copy of your IRB or Privacy Board waiver of authorization if it contains all of the items listed above. If what you receive from your IRB or Privacy Board does not include the above items, you will need to include additional documentation which covers the above required items. This additional documentation can be a photocopy of information submitted to your IRB or a written summary clearly referencing the research study, the Principal Investigator, the IRB or Privacy Board to which the submission was directed to, and the date of the IRB or Privacy Board submission.

Visit the Office of Civil Rights (OCR) website for additional guidance on the Privacy Rule as it relates to research.