IRB HIPAA Requirements: A Practical Guide to Authorizations, Waivers, and PHI Compliance
This practical guide distills IRB HIPAA Requirements into clear steps you can apply across protocol design, review, and oversight. It explains when a HIPAA authorization is needed, how IRBs evaluate integrated forms, when waivers or alterations fit, and how to use limited data sets with a Data Use Agreement (DUA) while protecting Protected Health Information (PHI) under the HIPAA Privacy Rule.
Use these sections as a workflow: confirm authorization content, determine if a Waiver of Authorization is justified, assess limited data set pathways, document each decision, and manage revocations without compromising research integrity or participant rights.
HIPAA Authorization Requirements for Research
A HIPAA authorization permits a covered entity to use or disclose an individual’s PHI for research. It must be written in plain language, signed and dated by the individual (or personal representative), and include all core elements and required statements. Electronic signatures are acceptable if your organization’s policy allows them.
Core elements and required statements
- Specific description of the PHI to be used or disclosed.
- Who may use or disclose the PHI and who may receive it (e.g., the study team, data coordinating center).
- Purpose of each use or disclosure (e.g., “research for Protocol X”).
- Expiration date or event (e.g., “end of the research study” or “none” for future research, if allowed by policy).
- Signature and date of the individual or authorized representative, with a description of representative authority.
- Required statements that:
  - The individual may revoke the authorization in writing at any time.
  - Whether treatment, payment, enrollment, or eligibility for benefits is conditioned on signing (permitted only in limited cases); if research-related treatment is conditioned on signing, state this clearly.
  - PHI disclosed under the authorization may be re-disclosed by the recipient and may no longer be protected by HIPAA.
  - Refusal to sign may limit participation in the study if research procedures require PHI use.
Informed Consent Integration
Many institutions combine HIPAA authorization with informed consent for efficiency and clarity. Keep authorization language plainly labeled, separate optional elements (e.g., banking for future research), and ensure participants can opt in or out of unconditioned activities. Use headings, checkboxes, and concise explanations to support true understanding.
When an authorization is not required
- De-identified data are used (no identifiers remain under accepted de-identification standards).
- A limited data set is used under a DUA (see section on DUAs).
- Activities are “preparatory to research” (e.g., protocol development or feasibility reviews) with required representations and without removing PHI.
- Research solely on decedents’ information, with required representations and documentation.
The minimum necessary standard does not apply to uses or disclosures made pursuant to a valid authorization. It does apply when relying on a waiver or any other permission under the HIPAA Privacy Rule.
IRB’s Role in Reviewing Authorizations
The Institutional Review Board (IRB) verifies that authorizations meet HIPAA Privacy Rule requirements and align with ethical standards. Many IRBs also function as a Privacy Board for HIPAA decisions, ensuring consistent review of PHI protections.
What IRBs look for
- Presence of every core element and required statement listed above, written in plain language.
- Clear identification of who will use/disclose and who will receive PHI, including vendors and data coordinating centers.
- Appropriate expiration language for primary and secondary/future research, with participant choices documented.
- Transparent description of any conditions tied to signing and the consequences of refusal.
- Consistency between the authorization and the protocol, consent form, recruitment plans, and data flows.
Informed Consent Integration in practice
- Use distinct headings to separate consent information from HIPAA authorization text.
- For compound authorizations, make optional, unconditioned activities clearly distinguishable with opt-in selections.
- Align data retention, access, and sharing descriptions across the protocol, consent, and authorization.
Approving Waivers and Alterations
When obtaining an individual’s signed authorization is impracticable, an IRB or a Privacy Board may approve a Waiver of Authorization or an alteration (e.g., allowing oral authorization with later written confirmation, or omitting a signature), if criteria are met. Reviews may occur under normal or expedited procedures, depending on institutional policy.
Common scenarios
- Retrospective chart reviews using PHI from existing records across large populations.
- Feasibility assessments or identifying eligible participants where direct contact is not yet appropriate.
- Minimal-risk studies where collecting signatures is impracticable, but all HIPAA elements can be conveyed and documented.
Documentation required for waivers/alterations
- Identification of the approving IRB or Privacy Board and the approval date.
- A statement that the Board determined the criteria for waiver or alteration were satisfied.
- A brief description of the PHI for which use or disclosure is authorized under the waiver/alteration.
- Whether approval occurred under normal or expedited procedures.
- Signature of the IRB/Privacy Board chair or designee.
Criteria for Granting Waivers
- Minimal risk to privacy from the use or disclosure of PHI, demonstrated by:
  - An adequate plan to protect identifiers from improper use and disclosure.
  - A plan to destroy identifiers at the earliest opportunity consistent with the research, unless retention is required by law or justified by research necessity.
  - Written assurances that PHI will not be reused or disclosed except as required by law, for authorized oversight, or for other approved research.
- The research could not practicably be conducted without the waiver or alteration.
- The research could not practicably be conducted without access to and use of the PHI.
When relying on a waiver, apply the minimum necessary standard to each use, disclosure, and data set shared with collaborators or vendors.
Use of Limited Data Sets and Data Use Agreements
A limited data set (LDS) is PHI that excludes direct identifiers such as names, street addresses, and full contact details but may include elements like dates, city, state, ZIP code, and some unique codes. An LDS may be used or disclosed for research without individual authorization if a Data Use Agreement (DUA) is in place.
Required elements of a DUA
- Permitted uses and disclosures by the recipient limited to research, public health, or health care operations.
- Identification of who may receive and use the LDS.
- Agreement not to use or disclose the LDS beyond the DUA’s terms.
- Appropriate safeguards to prevent unauthorized use or disclosure.
- Obligation to report any improper use or disclosure to the covered entity.
- Flow-down requirements ensuring agents and subcontractors agree to the same restrictions.
- No re-identification of individuals or contact with them.
IRB and Privacy Office coordination
- The IRB verifies that the data elements qualify as an LDS and that risks are minimized within the protocol.
- The Privacy Office or authorized official executes the DUA and confirms safeguards and recipient responsibilities.
- Researchers share only the minimum necessary LDS elements consistent with study aims.
LDS versus de-identified data
- De-identified data are not PHI and require no DUA under HIPAA, but may still need data sharing agreements by policy.
- An LDS remains PHI, requires a DUA, and carries obligations for safeguards and limited use.
Documentation and Recordkeeping
Strong documentation underpins compliance. Covered entities and IRBs/Privacy Boards must maintain HIPAA-related records for defined retention periods, commonly at least six years from creation or last effective date, and ensure consistency with institutional and regulatory requirements.
What to retain
- Signed authorizations (including electronic versions) and any revocations.
- IRB/Privacy Board determinations, including waivers/alterations with required documentation and minutes or review notes.
- Executed Data Use Agreements and any amendments or terminations.
- Representations for preparatory-to-research and decedent-only research, when used.
- Accounting-of-disclosures logs for research disclosures made without authorization (note: disclosures of an LDS are generally excluded from the accounting requirement).
Operational good practices
- Use standardized templates for authorizations, waivers, and DUAs aligned with current policy.
- Maintain version control and archive superseded forms to support audits.
- Train study teams on minimum necessary, secure transmission, and breach reporting.
Revocation of HIPAA Authorization
Individuals may revoke a HIPAA authorization at any time by submitting a written request. After revocation, you may not make new uses or disclosures for research under that authorization. Uses or disclosures already made in reliance on the authorization may generally be retained, and limited continued use may be permitted as necessary to preserve research integrity, meet safety reporting duties, or satisfy oversight requirements.
Handling revocations in practice
- Route revocations to the Privacy Officer or designated contact and acknowledge receipt promptly.
- Update study trackers, halt new PHI collection for that participant, and adjust workflows for labs, imaging, and registries.
- Notify data recipients, repositories, and vendors to prevent further disclosures based on the revoked authorization.
- Document what PHI was already used or disclosed and the rationale for any limited ongoing retention or reporting.
Conclusion
IRB HIPAA Requirements center on matching the data pathway to the correct permission: a valid authorization, a properly justified waiver or alteration, or an LDS under a robust DUA. Anchor each decision in the HIPAA Privacy Rule, limit PHI to the minimum necessary when a waiver is used, document thoroughly, and respond promptly to revocations. With clear forms, coordinated review, and disciplined recordkeeping, you can protect participants’ privacy while enabling high‑quality research.
FAQs
What are the criteria for an IRB to approve a waiver of HIPAA authorization?
The IRB (or Privacy Board) must determine that: (1) the PHI use/disclosure poses no more than minimal privacy risk, supported by plans to protect and, when appropriate, destroy identifiers and by assurances against improper re‑use; (2) the research could not practicably be conducted without the waiver or alteration; and (3) it could not practicably be conducted without access to and use of the PHI.
How does an IRB review HIPAA authorization integrated into informed consent?
The IRB checks that authorization language is plainly labeled and complete, includes all core elements and required statements, and aligns with the protocol’s data flows. For compound authorizations, the IRB ensures optional, unconditioned activities (such as specimen banking) are clearly separated with participant choices, maintaining true informed consent integration.
When can a verbal HIPAA authorization be used?
HIPAA generally requires written, signed authorization. A purely verbal authorization is permissible for research only if an IRB or Privacy Board approves an alteration that waives the signature or modifies specific elements, and the process is documented. Electronic signatures are acceptable where policy permits and count as “in writing.”
What protections are required when using limited data sets without individual authorization?
You must execute a Data Use Agreement that limits permitted uses to research (or other allowed purposes), identifies recipients, prohibits re‑identification and contact, requires safeguards and breach reporting, and flows restrictions down to agents. Share only the minimum necessary elements of the limited data set consistent with your protocol.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.