If someone outside the HCC is receiving fully identifiable information from a covered entity, there needs to be a legal mechanism for them to obtain the data. For fully identifiable data, those legal mechanisms are:
- Authorization
  - If consent/authorization was obtained under a previous study or repository and included consent/authorization for future uses, an IRB waiver isn’t required.
- Waiver of authorization
  - The covered entity providing the PHI can, but does not have to, rely on our waiver of authorization for the sharing. To grant a waiver, there must be an adequate plan to protect the identifiers from improper use and disclosure. If the researchers are outside the HCC, this type of security review likely has not been done, so before the IRB issues a waiver of authorization in this case there should be some evidence that the researcher can properly protect the data. Researchers should confirm that they will undergo the Cybersecurity review and will not collect or store data until they have done so; IRB review and certification/approval may proceed in the meantime.
- Business Associate Agreement (BAA)
  - In rare cases, a BAA may be the appropriate mechanism for receiving fully identifiable data, such as when the researcher is analyzing data on behalf of the covered entity. Researchers should consult the HIPAA Privacy Officer as to whether a BAA is appropriate and what steps must be taken to ensure the security of the data.
For more information about requirements to access PHI by individuals outside of the HCC, see the Office of Compliance’s guidance here.