How an Investigator Obtains Consent and HIPAA Authorization: What to Include and How to Document It
Informed Consent Process
Prepare and plan
Begin with an IRB-approved informed consent document tailored to the study’s risks, procedures, and audience. Identify who will present consent, the setting, and any cultural or language needs. Build in research confidentiality safeguards and decide how you will assess understanding before any signatures are obtained.
Conduct the discussion
Use plain language to explain the study’s purpose, procedures, duration, foreseeable risks, potential benefits, alternatives, costs or compensation, and how privacy will be protected. Emphasize the voluntary nature of participation, the right to skip questions or withdraw, and whom to contact for questions or injuries. Allow ample time for questions without pressure or undue influence.
Assess understanding
Confirm comprehension with teach-back (“Can you describe the study in your own words?”). Provide translated materials or qualified interpreters when needed. For children, obtain assent in age-appropriate language in addition to parental permission if required.
Use of a Legally Authorized Representative
When an adult lacks decision-making capacity or a minor cannot legally consent, obtain permission from a legally authorized representative (LAR) according to local law and IRB policy. Document how capacity was assessed and the basis for using an LAR, and obtain the participant’s assent when feasible.
After the decision
Give the participant a copy of the signed form, note any study-specific instructions, and describe how new information will be shared. If the protocol changes in ways that affect participation, plan for timely re-consent.
Documentation of Consent
Required signatures and dates
Capture the participant’s signature and date, and when applicable, the LAR’s signature and relationship. The person obtaining consent should also sign and date to attest that the process occurred as described. For witness requirements (e.g., short form or verbal consent), include the witness signature and role.
IRB signature block and version control
Use the current IRB-approved version of the form and display the approval or version date on every page. Include an IRB signature block or approval stamp as required by your IRB to verify use of the authorized template. Maintain a version log to track updates and re-consent events.
Electronic consent
When using eConsent, ensure the platform captures identity, intent to sign, date/time stamps, and a secure audit trail. Provide participants with an electronic or printed copy. Store e-signatures and audit logs with the research record.
Re-consent and amendments
When new risks, procedures, or alternatives arise, obtain re-consent using the updated informed consent document. Note the reason, date, and version used, and retain the prior version in the file for traceability.
Storage and access
Keep signed documents in a secure, access-controlled location separate from study data when practical. Limit access to authorized study staff, and define retention timelines consistent with institutional policy and sponsor requirements.
Waiver of Documentation of Consent
When it applies
A waiver of documentation of consent allows you to obtain consent without a physical signature when the primary risk is a breach of confidentiality or when the research involves minimal risk and no written consent is normally required outside research. This is distinct from a waiver of consent.
IRB criteria and justification
Request the waiver from the IRB with a clear justification addressing risk level, privacy protections, and why signatures are unnecessary or potentially harmful. Describe how consent information will be conveyed (e.g., information sheet, script) and how voluntariness will be preserved.
What you must still provide
Even with a waiver of documentation of consent, you must provide the required consent elements through a script, cover letter, or online information screen. Offer a copy to participants and give them time to consider participation.
How to document the waiver in the record
Maintain evidence of the IRB’s approval of the waiver, the consent script or information sheet used, and a note-to-file indicating when and how consent was discussed. Record any questions asked and the participant’s decision.
HIPAA Authorization Requirements
Core elements to include
- Specific description of the Protected Health Information (PHI) to be used or disclosed.
- Who is authorized to use/disclose the PHI (e.g., study team, institution) and to whom it may be disclosed (e.g., sponsor, monitors).
- The purpose of the use/disclosure (e.g., conduct of the research and oversight).
- An expiration date or event (e.g., “end of the research” or a specified date).
- Participant’s signature and date, or the LAR’s signature, date, and authority.
Required statements
- Right to revoke the HIPAA authorization and how to do so, along with limits on revocation for actions already taken.
- Whether treatment, payment, enrollment, or eligibility for benefits is conditioned on signing, and the consequences of refusing.
- Potential for re-disclosure to entities not required to follow HIPAA, which may reduce privacy protections.
Clarity, readability, and alignment
Use straightforward language that aligns with the consent form. Make it clear which data elements are collected, who will see them, and how long they will be kept. Reinforce research confidentiality safeguards and data-minimization practices.
Expiration and revocation
Define a meaningful expiration event or date suitable for the study. Provide a simple revocation pathway (e.g., written request to the PI or privacy office) and describe what happens to PHI already incorporated into the study dataset.
Combining Consent and HIPAA Authorization
When to combine
Combining the consent and HIPAA authorization in a single document can reduce redundancy and participant burden. It is appropriate when the study involves creation, use, or disclosure of PHI and the same individuals are providing both consent and authorization.
Design tips
- Use clear headings to delineate the HIPAA authorization from the consent information.
- List PHI elements explicitly and match them to study procedures.
- Place signature and date lines for both sections, and indicate when an LAR must sign.
- Include version and approval details and, if required, the IRB signature block.
Common pitfalls
- Omitting required HIPAA statements or an expiration event.
- Using inconsistent terminology between sections (e.g., describing different data recipients).
- Failing to explain revocation or the limits of revocation for data already used.
Documentation of HIPAA Authorization
Signatures and recordkeeping
Obtain the participant’s (or LAR’s) signature and date on the HIPAA authorization section and provide a copy. Ensure the signer’s authority is documented when an LAR signs. Keep the authorization with the consent form but index it so it can be retrieved quickly.
Electronic authorization
For e-signatures, maintain identity verification, date/time stamps, and an immutable audit trail. Securely store signed PDFs or data exports and ensure participants can download or receive a copy.
Revocations and tracking
Log any revocation requests, who received them, and the effective date. Communicate revocations to data-holding partners and stop future PHI collection or disclosures except as permitted for integrity, safety, or required reporting.
Retention timeline
Retain HIPAA authorization documentation for at least six years from the date of creation or the date it was last in effect, whichever is later. If institutional, sponsor, or state requirements are longer, keep records for the longest applicable period.
Conclusion
Effective consent and HIPAA authorization center on clarity, voluntariness, and meticulous documentation. By planning the discussion, verifying understanding, capturing all required signatures and statements, and maintaining strong confidentiality safeguards, you create a compliant, participant-focused process that stands up to oversight.
FAQs
What must be included in an informed consent document?
An informed consent document should clearly state the study’s purpose, procedures, duration, and schedule; foreseeable risks and discomforts; potential benefits; alternatives; costs or compensation; privacy and research confidentiality safeguards; injury care or compensation if applicable; whom to contact for questions or injuries; the voluntary nature of participation and the right to withdraw; and how new information will be shared. Include signature and date lines for the participant (or LAR) and the person obtaining consent, plus version and approval details.
How is a waiver of documentation of consent applied?
You request it from the IRB with a written justification. Explain why obtaining a signature is impracticable or increases confidentiality risk, confirm that the research is minimal risk or that written consent is not normally required outside research, and provide the script or information sheet you will use. If approved, conduct the consent discussion, give participants the information sheet, and document in the research records when and how consent occurred.
What are the key elements of a HIPAA authorization?
List the PHI to be used or disclosed; identify who may use/disclose it and to whom; state the purpose; specify an expiration date or event; include the participant’s or LAR’s signature and date; explain the right to revoke and how; disclose whether signing is required for participation or care and the consequences of refusing; and warn about potential re-disclosure by recipients not bound by HIPAA.
How long must HIPAA authorizations be retained?
Keep HIPAA authorizations for at least six years from creation or the date last in effect, whichever is later. If other rules or contracts require a longer period, retain the records for the longest applicable timeframe and file them so they can be promptly retrieved during audits.