There are a few things every study needs in order to be credible: funding, participants, an unbiased researcher, and accurate data. What happens when you don’t have access to one of these basic components? You get unreliable — and potentially misleading — results. Consider what happened to a recent study published in The Lancet, a respected medical journal.
Researchers used a medical database as their source for data on how a controversial treatment impacted patients with COVID-19. Readers quickly raised concerns about the quality of this report after they discovered multiple issues with the study’s data. Ultimately, the authors of the study requested a retraction because independent auditors could not access all of the information the authors used.
Using questionable data ruined the study’s credibility. That’s why some researchers and covered entities prefer to gather their own data from records or patient trials. However, using a patient’s protected health information (PHI) for research or non-treatment purposes requires authorization. How can you get permission to use someone’s PHI?
Use HIPAA waivers for your research
A HIPAA waiver authorizes researchers, doctors, and other covered entities to use PHI for non-healthcare purposes, such as studies or marketing. While these waivers enable you to use patient data, they don’t give you unlimited access to a person’s health information. That’s because a HIPAA waiver gives patients the right to control the use of their data.
For a HIPAA waiver to be legally valid, it must allow patients to set limitations on how someone uses their PHI. HIPAA waivers typically include the following limitations:
- What PHI you can use
- What you can use the PHI for
- Who can disclose and use the PHI
- Who you are permitted to disclose the PHI to
- How long you can use the PHI
Adding these restrictions to your waivers and having research participants sign them will ensure you stay HIPAA compliant. But do you always need to have a HIPAA waiver?
Getting a HIPAA waiver authorization is only necessary if the participant lives in the United States. If they don’t, then you don’t need a HIPAA waiver because HIPAA doesn’t apply. Foreign participants aren’t the only exception to HIPAA. Let’s consider other situations that allow you to conduct research without worrying about HIPAA authorization.
Some medical records can provide legally accessible health information. HIPAA waivers aren’t required if you’re using open public records or existing research records, or if you aren’t using PHI held by a covered entity or business associate. Researchers find these records useful for studies when they can’t obtain patient authorization. Unfortunately, these records don’t always have the right data for your research. If that’s the case, there’s one more option you can leverage: an institutional review board (IRB).
If it isn’t possible to have patients sign a waiver, you can ask an IRB or a privacy board to review your proposed study. If the board decides that your study meets the qualifications necessary to protect PHI, they may grant a waiver of authorization for the whole study. An IRB’s waiver of authorization is a valuable tool for keeping your medical research legally compliant, even when you can’t get patient approval.
Whatever method you employ to use PHI, it’s important to comply with the requirements and limitations set out in the waiver. Let’s discuss how to stay legally compliant when using HIPAA waivers.
How do you use HIPAA waivers correctly?
Every study has different parameters and requirements, which means each waiver is different. Depending on how a patient fills out the form or what type of waiver an IRB issues, you’ll have to follow specific directions. Here are some basic guidelines for using HIPAA waivers:
- If you can’t get a waiver of authorization from an IRB, have every participant in the study sign a waiver. Do this before you start your research.
- Understand what the waiver allows you to do. If a patient places limits on how you can use their data, respect these restrictions.
- If you cannot use patient-signed waivers, contact an IRB or privacy board with your request for a waiver of authorization. The board may require you to follow certain procedures or issue limits on how you can use this data.
- Have protections in place. You must put reasonable safeguards in place to protect the PHI in your care, such as having security features on devices that store PHI and restricting access to personal information.
- Report any data breaches immediately. You should also take steps to mitigate or correct the breach.
Whether it’s for research or a different purpose, you may need to use personal health data to do your job. By getting the proper authorization, you can perform your research ethically while staying legally compliant.
You’re authorized to use this information
While accessing PHI for research purposes is challenging, it’s not impossible. Using the right waivers and following HIPAA’s guidelines on PHI enables you to conduct studies with accurate data while respecting patient privacy.
At Jotform, we provide the tools and templates you need to build a HIPAA waiver form. Our secure online forms can help you get the patient consent needed for vital research. Check out our HIPAA-compliant online forms today.