When am I required to obtain a HIPAA Authorization?
If you plan to use or share Protected Health Information (PHI) when conducting your research, you must conduct your study in accordance with the Privacy Rule of the Health Insurance Portability and Accountability Act (HIPAA). Review Northwestern University’s HIPAA webpage and the guidelines below to determine your need for a valid HIPAA Authorization.
A HIPAA Authorization is an individual's signed permission to allow a covered entity to use or disclose the individual's Protected Health Information (PHI) as described in the Authorization. In contrast, an Informed Consent Document is an individual's agreement to participate in the research study. It includes, among other things, a description of the study, anticipated risks and benefits, and how the investigator will protect the confidentiality of records. A HIPAA Authorization is part of the Informed Consent Document or other permission to participate in research.
If you need to include a HIPAA Authorization, the TEMPLATE: Biomedical and Social Behavioral Consent Document Templates (HRP-592 and HRP-1721) already include all the required HIPAA Authorization elements. Therefore, you do not need to submit a separate HIPAA Authorization form for IRB review. One signature block will suffice for both informed consent and HIPAA Authorization.
You must write the Authorization in plain language and provide a copy of the signed Authorization to the individual signing it.
A research participant may revoke their Authorization at any time. However, a covered entity may continue to use and disclose PHI obtained before the participant revoked Authorization to the extent that the entity has taken action in reliance on the Authorization. This would permit the covered entity to continue using or disclosing the PHI as necessary to maintain the integrity of the research, for example, to account for a participant's withdrawal from the research study, to conduct investigations of scientific misconduct, or to report adverse events.
The Privacy Rule does not specify who must draft the Authorization, so a researcher may draft it. However, the Privacy Rule does specify core elements and required statements that an Authorization must include. An Authorization may also, but is not required to, include additional, optional elements provided the elements are not inconsistent with the required elements and statements and are not otherwise contrary to the Authorization requirements of the Privacy Rule.
An Authorization, whether prepared by a covered entity or by a person requesting PHI from a covered entity, must include the following core elements and required statements:
Authorization Core Elements (see Privacy Rule, 45 CFR §164.508(c)(1))
- Description of the PHI to be used or disclosed (identifying the information in a specific and meaningful manner).
- The name(s) or other specific identification of person(s) or class of persons authorized to make the requested use or disclosure.
- The name(s) or other specific identification of the person(s) or class of persons who may use the PHI or to whom the covered entity may make the requested disclosure.
- Description of each purpose of the requested use or disclosure. Researchers should note that this element must be research study-specific, not for future unspecified research.
- Authorization expiration date or event that relates to the individual or to the purpose of the use or disclosure (the terms "end of the research study" or "none" may be used for research, including for the creation and maintenance of a research database or repository).
- Signature of the individual and date. If an individual's personal representative signs the Authorization, a description of the representative's authority to act for the individual.
Authorization Required Statements (see Privacy Rule, 45 CFR §164.508(c)(2))
- The individual's right to revoke his/her Authorization in writing and either (1) the exceptions to the right to revoke and a description of how the individual may revoke Authorization or (2) reference to the corresponding section(s) of the covered entity's Notice of Privacy Practices.
- Notice of the covered entity's ability or inability to condition treatment, payment, enrollment, or eligibility for benefits on the Authorization, including research-related treatment, and, if applicable, consequences of refusing to sign the Authorization.
- The potential for the PHI to be re-disclosed by the recipient and no longer protected by the Privacy Rule. This statement does not require an analysis of risk for re-disclosure but may be a general statement that the Privacy Rule may no longer protect health information.
Under certain conditions, the IRB may waive the HIPAA authorization requirement or alter the authorization process. See “CHECKLIST: HIPAA Waiver of Authorization (HRP-441)” for the criteria the IRB uses to determine whether a waiver of HIPAA Authorization is acceptable. Including information in your protocol on how your research meets the criteria for a waiver or alteration of HIPAA Authorization will help the IRB decide.
You must request a waiver or alteration of HIPAA Authorization when applying for a waiver of documentation of consent. The IRB can grant the waiver if it determines your research meets the following criteria:
- An adequate plan to protect health information identifiers from improper use or disclosure,
- An adequate plan to destroy identifiers at the earliest opportunity absent a health or research justification or legal requirement to retain them, and
- Adequate written assurances that the PHI will not be used or disclosed to a third party except as required by law, for authorized oversight of the research study, or for other research uses and disclosures permitted by the Privacy Rule;
- Research could not practicably be conducted without the waiver or alteration; and
- Research could not practicably be conducted without access to and use of PHI.
If the IRB has not waived the requirement to obtain HIPAA authorization, you must obtain HIPAA authorization before accessing or using Protected Health Information.
Note: IRB approval of a HIPAA Authorization or a waiver of HIPAA Authorization does not mean that you have approval to access or use PHI held by a Covered Entity. The Covered Entity holding the PHI may have additional requirements that you must meet before accessing or using that information.