§164.512(i) Standard: Uses and disclosures for research purposes (2) Documentation of waiver approval. For a use or disclosure to be permitted based on documentation of approval of an alteration or waiver, under paragraph (i)(1)(i) of this section, the documentation must include all of the following:
(i) Identification of IRB or date of action – A statement identifying the institutional review board or privacy board and the date on which the alteration or waiver of authorization was approved;
(ii) Waiver criteria – A statement that the institutional review board or privacy board has determined that the alteration or waiver, in whole or in part, of authorization satisfies the following criteria:
(A) The use or disclosure of protected health information involves no more than a minimal risk to the privacy of individuals, based on, at least, the presence of the following elements;
(1) An adequate plan to protect the Identifiers from improper use and disclosure;
(2) An adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law; and
(3) Adequate written assurances that the protected health information will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research study, or for other research for which the use or disclosure of protected health information would be permitted by this subpart;
(B) The research could not practicably be conducted without the waiver or alteration; and
(C) The research could not practicably be conducted without access to and use of the protected health information.
(iii) Protected health information needed – A brief description of the protected health information for which use or access has been determined to be necessary by the institutional review board or privacy board, pursuant to paragraph (i)(2)(ii)(C) of this section;
(iv) Review and approval procedures – A statement that the alteration or waiver of authorization has been reviewed and approved under either normal or expedited review procedures, as follows:
(A) An institutional review board must follow the requirements of the Common Rule, including the normal review procedures or the expedited review procedures: 7 CFR 1c.108 (b), 10 CFR 745.108(b), 14 CFR 1230.108(b), 15 CFR 27.108(b), 16 CFR 1028.108(b), 21 CFR 56.108(b22 CFR 225.108(b), 24 CFR 60.108(b), 28 CFR 46.108(b), 32 CFR 219.108(b), 34 CFR 97.108(b),38 CFR 16.108(b), 40 CFR 26.108(b), 45 CFR 46.108(b), 45 CFR 690.108(b), or 49 CFR 11.108(b)) or the expedited review procedures (7 CFR 1c.110, 10 CFR 745.110, 14 CFR 1230.110, 15 CFR 27.110, 16 CFR 1028.110, 21 CFR 56.110, 22 CFR 225.110, 24 CFR 60.110, 28 CFR 46.110, 32 CFR 219.110, 34 CFR 97.110, 38 CFR 16.110, 40 CFR 26.110, 45 CFR 46.110, 45;
(B) A privacy board must review the proposed research at convened meetings at which a majority of the privacy board members are present, including at least one member who satisfies the criterion stated in paragraph (i)(1)(i)(b)(2) of this section, and the alteration or waiver of authorization must be approved by the majority of the privacy board members present at the meeting, unless the privacy board elects to use an expedited review procedures in accordance with paragraph (i)(2)(iv)(C) of this section;
(C) A privacy board may use an expedited review procedure if the research involves no more than minimal risk to the privacy of the individuals who are the subject of the protected health information for which use or disclosure is being sought. If the privacy board elects to use an expedited review procedure, the review and approval of the alteration or waiver of authorization may be carried out by the chair of the privacy board, or by one or more members of the privacy board as designated by the chair; and
(v) Required signature – The documentation of the alteration or waiver of authorization must be signed by the chair or other member, as designated by the chair, of the institutional review board or the privacy board, as applicable.

Audit Inquiry

Do policies and procedures exist to determine what documentation of approval or waiver is needed to permit a use or disclosure and to apply that determination?
Obtain and review policies and procedures against established performance criterion. Is the entity using or disclosing PHI consistent with requirements for documentation of a waiver approval? Verify that the documentation of any approval or waiver contains all the information necessary to permit a use or disclosure. Elements to consider include, but are not limited to:
-A statement identifying IRB and the date on which the alteration or waiver of authorization was approved
-Whether IRB determined that the alteration or waiver satisfied the criteria listed in the standard, including determination of no more than minimal risk to privacy, adequate plan to protect identifiers, adequate plan to destroy identifiers, etc.