Yes, under the Privacy Rule, covered entities are permitted to use and disclose PHI for research either:
I. With individual authorization; or
II. Without individual authorization under limited circumstances:
A. The data requestor/recipient provides documentation that an alteration or a waiver of the requirement for participants’ authorization has been approved by an IRB or Privacy Board (PB). In addition to a statement that the alteration/waiver has been approved by an IRB or PB that was constituted as stipulated in the Rule, the documentation should include other specific information:
1. Identity of the IRB/PB;
2. Date the alteration/waiver was approved;
3. Statement that the alteration/waiver satisfies the following 3 criteria:
a. The use/disclosure of PHI involves no more than minimal risk to the privacy of individuals, based on at least the following elements:
i. An adequate plan has been proposed to protect the identifiers from improper use and disclosure;
ii. An adequate plan has been proposed to destroy identifiers at the earliest possible opportunity, unless there is a health or research justification for retaining them, or retention is required by law; and,
iii. There is adequate written assurance that the PHI will not be reused or disclosed;
b. The research could not practicably be conducted without the alteration/waiver; and
c. The research could not practicably be conducted without access to and use of the PHI.
B. Limited Data Sets — Covered entities may use or disclose a limited data set, i.e., a data set that excludes direct identifiers (16 specific identifiers, including name, street address, tel./FAX numbers, VIN, SSN, e-mail address, full face photographs, etc.), after obtaining from the recipient a data use agreement that specifies permitted uses and disclosures of the PHI, limits who can use or receive the data, and requires the recipient to agree not to re-identify the data or contact the individuals.
When a covered entity discloses PHI in a limited data set to a researcher who has entered into an appropriate data use agreement, then documentation of IRB/PB approval of waiver of individual authorization is not required.