If someone outside the HCC is receiving fully identifiable information from a covered entity, there needs to be a legal mechanism for them to obtain the data. For fully identifiable data, those legal mechanisms are:

  1. Authorization
    • If consent/authorization was obtained under a previous study or repository and included consent/authorization for future uses, then an IRB waiver isn’t required.
  2. Waiver of authorization
    • The covered entity providing the PHI can, but does not have to, rely on our waiver of authorization for the sharing. To grant a waiver, there must be an adequate plan to protect the identifiers from improper use and disclosure. If the researchers are outside the HCC, this type of security review likely has not been done. Before the IRB issues a waiver of authorization in this case, there should be some evidence that the researcher can properly protect the data, which may include having a Cybersecurity review. Researchers should confirm that they will undergo the Cybersecurity review and will not collect or store data until they have done so; IRB review and certification/approval may nevertheless proceed.