HIPAA Waiver of Authorization
What it is
A HIPAA waiver of authorization is an approval that allows a covered entity (for example, a healthcare provider, insurer, or clearinghouse) to use or disclose an individual’s protected health information (PHI) for purposes—commonly research—without obtaining the individual’s written authorization. PHI is any health-related information that can be linked to a specific person and is protected under the Health Insurance Portability and Accountability Act (HIPAA).
Key takeaways
- A waiver permits use or disclosure of PHI without the patient’s signed authorization when HIPAA criteria are met.
- PHI includes identifiable health information held by covered entities; HIPAA defines specific identifiers that create PHI when linked to health data.
- For research, investigators must show minimal privacy risk, demonstrate the research cannot proceed without the PHI, and prove it is impracticable to conduct the research without the waiver.
- Additional safeguards—such as de-identification procedures and coded data—are required to reduce re-identification risk.
Why it matters
A waiver balances the need to protect patient privacy with the practical needs of research and certain care activities. It enables important studies that rely on existing records or that create PHI during study procedures, while requiring strict privacy protections to limit misuse or re-identification of data.
Common research scenarios using PHI
- Retrospective chart reviews and studies that abstract data from existing medical records.
- Prospective studies that generate new medical information (for example, diagnostic assessments or trials involving investigational drugs or devices) which become part of the medical record.
- Large-scale observational or epidemiologic research that requires access to identifiable data to link records or validate outcomes.
Privacy protections and technical safeguards
- De-identification or limited data sets are preferred when feasible.
- If identifiers are replaced with codes, the code must not be derived from or related to information about the individual, and the coding method or master key must not be disclosed to anyone outside the key holder.
- Access controls, data-use agreements, and secure storage/transmission reduce risks of unauthorized disclosure.
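The coding rule above (random codes, master key held separately, no identifier values left in the released data) is easy to get wrong in practice, so here is an added worked example that is not part of the original page or of any HHS guidance. It pseudonymizes a handful of constructed sample records into a limited-data-set style output, keeps the code-to-identifier mapping in a separate master key, and runs a defensive check that no identifier value survives in the released rows. The list of identifier fields and the sample records are assumptions made for illustration and do not reproduce the full HIPAA Safe Harbor identifier list.

```python
import secrets
from typing import Dict, List, Tuple

# Fields treated as direct identifiers in this example (assumption for
# illustration; HIPAA's Safe Harbor list has 18 categories, not all shown here).
DIRECT_IDENTIFIERS = ("name", "mrn", "ssn", "phone", "email", "street_address")

# Constructed sample records; these are not real patients.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"name": "Ada Example", "mrn": "MRN-0001", "ssn": "000-00-0001",
     "dob": "1951-03-12", "zip": "02139", "diagnosis": "I10",
     "visit_date": "2023-06-01"},
    {"name": "Ben Sample", "mrn": "MRN-0002", "ssn": "000-00-0002",
     "dob": "1988-11-30", "zip": "10001", "diagnosis": "E11",
     "visit_date": "2023-06-02"},
]


def new_study_code() -> str:
    """Generate a random study code.

    The code is drawn from a CSPRNG, so it is not derived from any identifier
    (it is not a hash of the MRN or SSN) and cannot be recomputed by someone
    who merely knows the patient's identifiers.
    """
    return "S-" + secrets.token_hex(6)


def pseudonymize(records: List[Dict[str, str]],
                 identifiers=DIRECT_IDENTIFIERS
                 ) -> Tuple[List[Dict[str, str]], Dict[str, Dict[str, str]]]:
    """Return (coded_dataset, master_key).

    The coded dataset keeps dates and ZIP, as a limited data set may, but
    strips every direct identifier. The master key maps each study code back
    to the stripped identifiers and must be stored separately from the
    research dataset, under the key holder's control only.
    """
    master_key: Dict[str, Dict[str, str]] = {}
    coded: List[Dict[str, str]] = []
    for record in records:
        code = new_study_code()
        while code in master_key:  # guard against an (extremely unlikely) collision
            code = new_study_code()
        master_key[code] = {k: v for k, v in record.items() if k in identifiers}
        stripped = {k: v for k, v in record.items() if k not in identifiers}
        stripped["study_code"] = code
        coded.append(stripped)
    return coded, master_key


def leaked_identifiers(coded: List[Dict[str, str]],
                       master_key: Dict[str, Dict[str, str]]) -> List[str]:
    """Defensive check: identifier values that still appear in the coded data.

    Run this before release; an empty list means no identifier value from the
    master key is present as a substring of any released field (including the
    study code itself).
    """
    leaks: List[str] = []
    for identifiers in master_key.values():
        for value in identifiers.values():
            for row in coded:
                if any(value in str(field) for field in row.values()):
                    leaks.append(value)
    return leaks


def reidentify(code: str, master_key: Dict[str, Dict[str, str]]):
    """Look up the identifiers behind a study code.

    Only the key holder can perform this step; researchers holding just the
    coded dataset have no way to do it.
    """
    return master_key.get(code)


if __name__ == "__main__":
    dataset, key = pseudonymize(SAMPLE_RECORDS)
    for row in dataset:
        print(row)
    print("leaks:", leaked_identifiers(dataset, key))
```

Design note: a tempting shortcut is to use a hash of the MRN as the study code. That would make the code derived from information about the individual, which the rule above forbids, and because MRNs and SSNs have small value spaces anyone with the hashing method could recover them by brute force. Random codes plus a separately stored master key avoid that entirely.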
Criteria for approving a waiver (research)
A waiver may be granted only if all three of the following are satisfied:
1. Use or disclosure involves no more than minimal risk to individuals’ privacy.
2. The research could not practicably be conducted without access to and use of the PHI.
3. The research could not practicably be conducted without the waiver (i.e., obtaining individual authorizations is infeasible).
Family members and personal representatives
A designated personal representative (for example, under a medical power of attorney) can access a patient’s PHI only when the patient has expressly authorized that representative to receive protected information or when state law permits such access. A power-of-attorney or other advance directive should explicitly waive HIPAA protections if the patient intends that a named representative have access to otherwise private health information.
Conclusion
HIPAA waivers of authorization enable necessary uses of PHI—particularly for research—while imposing strict conditions and safeguards to protect patient privacy. Researchers and covered entities must document that waiver criteria are met and implement appropriate technical and administrative protections to minimize re-identification and unauthorized disclosure risks.
Source: U.S. Department of Health and Human Services — Health Information Privacy: Research.