IRB-HIPAA Waiver Documentation FAQs


IRB = Institutional Review Board
HIPAA = Health Information Portability and Accountability Act
RIF = Research Identifiable File

For explanations and additional information about the Common Rule, the Privacy Rule, waiver of informed consent, waiver of individual authorization (HIPAA waiver), and examples of acceptable language, please see this article: Requirements for institutional review board (IRB) review and HIPAA waiver documentation for RIF DUA request submissions.


My IRB didn’t approve my study, they exempted it from review. What does that mean?

Under the guidelines for the IRB review, a study may be exempted from review if the study has minimal risk to participants or it doesn’t qualify as human subjects research. This IRB outcome is acceptable to satisfy the CMS RIF DUA request requirements for IRB review and a waiver of informed consent; however, the IRB will still need to provide a HIPAA waiver of individual authorization. 

My IRB says that my study is exempt and that they don’t need to provide a HIPAA waiver. What now?

CMS requires that a researcher provide documentation from an IRB that waiver of informed consent for human subjects participation has been obtained AND provide a waiver of individual authorization for release of health data (HIPAA waiver) for all RIF DUA requests. You must specifically request that the IRB provide documentation to satisfy both requirements – the Common Rule and HIPAA. Examples of acceptable language can be found in this ResDAC article.

I received approval from my IRB, but the notification they sent me doesn’t mention anything about a waiver of informed consent or a HIPAA waiver. What should I do?

You will need to communicate with the IRB about the need for documentation to satisfy both the requirement of a waiver of informed consent and a HIPAA waiver of individual authorization.  CMS requires these for all RIF DUA requests. We have some examples of acceptable language. If you require further assistance, contact ResDAC.

If I am using participants, such as patients in my health system or an acquired list of patients, who are giving documented consent to participate, do I still need to have an IRB review my study?

Yes. IRB review is required. Depending on your consent contents, the IRB may acknowledge that it meets the Privacy Rule or HIPAA authorization requirements instead of providing a waiver of individual authorization (HIPAA waiver). 

The data that I’m requesting don’t include identifiers, so how could I possibly obtain consent?

Even though the standard identifiers are not included in RIF data, the data files are, by definition, identifiable.  

My IRB approval is expired or expires in a couple months. Is that OK?

No. You will need to provide an updated approval or renewal letter from your IRB. The DUA request review process takes time, so we recommend that your IRB expiration date be at least 4 months after your final, completed DUA request packet is submitted by ResDAC to CMS for review. Your ResDAC Executive Advisor will assist you with making sure the expiration date is far enough in the future, or submitting a renewal, if needed. 

My organization doesn’t have an IRB. Now what?

You may use an independent IRB to review your study, which may charge a fee. The same type of documentation is required, including documentation that satisfies the Common Rule and a HIPAA waiver. Make sure to use a registered IRB.

I’m a graduate student working on a dissertation, but my school’s IRB won’t review my study because I’m not currently enrolled in classes. What do I do?

You may use an independent IRB to review your study, which may charge a fee. The same type of documentation is required, including a waiver of consent and a HIPAA waiver. Make sure to use a registered IRB.

Can you recommend an independent IRB?

No, we are unable to provide recommendations. However, a web search should reveal many options. Verify that the IRB meets the Common Rule requirements for IRBs and will provide the necessary documentation. Details about the Common Rule requirements for IRB membership, function, and operations may be found here: The Department of Health and Human Services has a list of all registered IRBs here:

Do I have to wait for my IRB review results before I submit my draft request documents to ResDAC?

No. We can proceed with the ResDAC review while the IRB review is in process. We will accept requests if the study has been submitted to the IRB. The complete IRB documentation is required prior to submission of your request to CMS.

I received some documentation from my IRB, but I’m not sure if it meets the requirements. How can I tell?

You may submit the documentation to ResDAC and an Executive Advisor will review it and let you know if additional documentation or information is needed. You may also look at the examples to see if the documentation has the required components.

Do you have examples of IRB documentation and HIPAA waiver?

The study title on the IRB documentation is different from the study title I’m using for my DUA request. Is that a problem?

Yes.  If the study titles are different, provide us with an explanation. We can review and let you know if a revised approval from the IRB with the correct study title is needed. 

I have IRB documentation from a similar study that I am working on or completed. Can I use that for this DUA request?

No. You will need to have the IRB review the current study. Past approval does not equal current or future approval. DUAs are study-specific, so you must provide documentation that this particular study has been reviewed by the IRB.

My organization/institution will access the data through the Virtual Research Data Center (VRDC) environment. Do we need an IRB review?

Yes, researchers that receive physical data and those that access data in the VRDC must have IRB review and provide the required documentation.

Do all organizations need IRB review for each new RIF DUA request?

Yes. All organizations (academic, non-profit, for-profit, state agencies, and federal agencies) requesting a research DUA for RIF data must have IRB review and provide the required documentation.