Appendix F: Administrative burden of IRB waiver of the authorization requirement for research not required to receive IRB review is unnecessary
There is an odd discontinuity in the Privacy Rule between research exempt from Common Rule requirements due to "anonymized" data and research exempt from HIPAA requirements through de-identification of data. The result of this discontinuity is that HIPAA's requirements often apply to a research study even if the research is considered "exempt" from the requirements of the Common Rule. For example, retrospective chart reviews in which data are recorded by the investigator in a form such that the subjects' identities cannot be ascertained are subject to the Privacy Rule though not to the Common Rule. In this example, the "anonymized" manner in which the data are recorded may exempt the study form the Common Rule, but such anonymization is not necessarily equivalent to removing the 18 identifiers that HIPAA requires be removed for data to be completely "de-identified." Therefore, although IRB oversight and informed consent are not required to conduct exempt research, the investigator in such an exempt study nevertheless is under an obligation either (1) to obtain a HIPAA authorization from each research subject enrolled in the exempt research or, more likely, (2) to obtain from the IRB a waiver of HIPAA's authorization requirement.
The categories of research exempt from the Common Rule are those which have been determined to involve minimal risk to the subjects involved. Although SACHRP recognizes that the definition of minimal risk under the Common Rule is not focused solely on the risk to privacy, the Common Rule minimal risk analysis does include an assessment of the impact of the research on subjects' privacy. Furthermore, these categories of research would universally be eligible for IRB/privacy board waiver of HIPAA's authorization requirement. In light of these factors, SACHRP concludes that the administrative burden of requiring investigators to seek IRB waiver of the authorization requirement for research that is not required to receive IRB review and oversight is unnecessary and does not serve meaningfully to enhance protection of subjects' PHI.
Content last reviewed on March 30, 2016