Series 204 Privacy Board

Utah State University Privacy Board

The Utah State University Privacy Board reviews research-related data requests to use and/or disclose Protected Health Information (PHI) that is managed at Utah State University. At Utah State University, the Privacy Board is the Institutional Review Board. Membership of the Institutional Review Board meets and exceeds membership requirements for Privacy Boards articulated at 45 C.F.R. 164.512(i)(1)(i)(B), including: (1) having at least one member who is not affiliated with the covered entity that will use or disclose PHI; (2) having at least one member who is not affiliated with the entity conducting or sponsoring research; and (3) having at least one member who is not related to any person who is affiliated with the covered entity or the entities conducting or sponsoring the research.

A Privacy Board may take action via one of two review processes: review by the Convened Privacy Board (i.e. the Convened IRB), or Expedited Review. The Privacy Board’s activities are limited to acting upon requests for waivers or alterations of the Authorization requirement under the Privacy Rule for uses and disclosures of Protected Health Information for a particular research study. No covered component of Utah State University may release PHI without an Authorization, or with an altered Authorization, without receiving proper documentation of approval of the alteration or waiver from the USU Privacy Board, which is the USU Institutional Review Board. 

Waiver or Alteration of Authorization Requirements[1]

For some types of research, it is impracticable for researchers to obtain written Authorization from research participants. A “participant” is a human subject, as defined in 45 C.F.R. 46.102(e). To address this type of situation, the HIPAA Privacy Rule contains criteria for approval of a waiver or alteration of the Authorization requirement by an IRB or a Privacy Board. Under the Privacy Rule, either board may waive or alter, in whole or in part, the Privacy Rule's Authorization requirements for the use and disclosure of PHI in connection with a particular research project.

A waiver in whole occurs when the Privacy Board determines that no Authorization will be required for a covered entity to use or disclose PHI for a particular research project because certain criteria set forth in the Privacy Rule have been met (see section 164.512(i) of the Privacy Rule). For example, if a study involved the use of PHI pertaining to numerous individuals where contact information is unknown, and it would be impracticable to conduct the research if Authorization were required, a Privacy Board could waive the Authorization requirements for research participants if the Privacy Board determined that all the Privacy Rule waiver criteria had been satisfied. If the Privacy Board approves such a waiver, the receipt of the requisite documentation of the approval permits a covered entity to use or disclose PHI in connection with a particular research project without Authorization. 

A partial waiver of the Authorization requirements of the Privacy Rule might be requested to allow a researcher to obtain PHI as necessary to recruit potential research subjects. For example, even if a Privacy Board does not waive the Authorization requirement for the entire research study, a Privacy Board may partially waive the Authorization requirement to permit a covered entity to disclose PHI to a researcher for the purposes of contacting and recruiting individuals into the study.

A Privacy Board may also approve a request that removes some, but not all, required elements of an Authorization (an alteration). For example, a Privacy Board may approve the alteration of the Authorization to remove the element that describes each purpose of the requested use or disclosure where, for example, the identification of the specific research study would affect the results of the study. Before a covered entity could use or disclose PHI pursuant to the altered Authorization, however, it would need to receive documentation that a Privacy Board determined that all the Privacy Rule waiver criteria at section 164.512(i)(2)(ii) had been satisfied. Any subsequent use or disclosure of PHI by a covered entity for a different research study would require an additional Authorization, except as permitted without Authorization under section 164.512(i) (e.g., with a waiver of Authorization) or 164.514(e) (i.e., as a limited data set with a data use agreement).

The Privacy Rule establishes the criteria to be evaluated by a Privacy Board in approving an Authorization waiver or alteration. For a covered entity to use or disclose PHI under a waiver or an alteration of the Authorization requirement, it must receive documentation of, among other things, the IRB or Privacy Board's determination that the following criteria have been met:

  1. The PHI use or disclosure involves no more than minimal risk to the privacy of individuals based on at least the presence of:
    1. an adequate plan presented to the Privacy Board to protect PHI identifiers from improper use and disclosure;
    2. an adequate plan to destroy those identifiers at the earliest opportunity, consistent with the research, absent a health or research justification for retaining the identifiers or if retention is otherwise required by law; and
    3. adequate written assurances that the PHI will not be reused or disclosed to any other person or entity except
      1. as required by law,
      2. for authorized oversight of the research study, or
      3. for other research for which the use or disclosure of the PHI is permitted by the Privacy Rule;
  2. The research could not practicably be conducted without the requested waiver or alteration; and
  3. The research could not practicably be conducted without access to and use of the PHI.

[1] Section II of this Standard Operating Procedure is a slightly modified version of the U.S. Department of Health and Human Services guidance on the HIPAA Privacy Rule (last accessed May 11, 2023).