§164.512(i) Standard: Uses and disclosures for research purposes (1) Permitted uses and disclosures. A covered entity may use or disclose protected health information for research, regardless of the source of funding of the research, provided that:
(i) Board approval of a waiver of authorization. The covered entity obtains documentation that an alteration to or waiver, in whole or in part, of the individual authorization required by §164.508 for use or disclosure of protected health information has been approved by either:
(A) An Institutional Review Board (IRB), established in accordance with7 CFR lc.107, 10 CFR 745.107, 14 CFR 1230.107, 15 CFR 27.107, 16 CFR 1028.107, 21 CFR 56.107, 22 CFR 225.107, 24 CFR 60.107, 28 CFR 46.107, 32 CFR 219.107, 34 CFR 97.107, 38 CFR 16.107, 40 CFR 26.107, 45 CFR 46.107, 45 CFR 690.107, or 49 CFR 11.107; or
(B) A privacy board that:
(1) Has members with varying backgrounds and appropriate professional competency as necessary to review the effect of the research protocol on the individual’s privacy rights and related interests;
(2) Includes at least one member who is not affiliated with the covered entity, not affiliated with any entity conducting or sponsoring the research, and not related to any person who is affiliated with any of such entities; and
(3) Does not have any member participating in a review of any project in which the member has a conflict of interest.
(ii) Reviews preparatory to research. The covered entity obtains from the researcher representations that:
(A) Uses or disclosures is sought solely to review protected health information as necessary to prepare a research protocol or for similar purposes preparatory to research;
(B) No protected health information is to be removed from the covered entity by the researcher in the course of the review; and
(C) The protected health information for which use or access is sought is necessary for the research purposes.
(iii) Research on decedent’s information. The covered entity obtains from the researchers:
(A) Representation that the use or disclosure sought is solely for research on the protected health information or decedents;
(B) Documentation, at the request of the covered entity, of the death of such individuals; and
(C) Representation that the protected health information for which use or disclosure is sought is necessary for the research purposes.

Audit Inquiry

Does the covered entity use or disclose PHI for research purposes? Inquire of management.

For entities that conduct research using or disclosing PHI, obtain and review related policies and procedures.

Elements to consider include, but are not limited to, how the entity:
-Obtains documentation that an alteration to a required authorization, or waiver of the authorization, has been approved by an IRB or appropriately configured privacy board
-Obtains from the researchers the required representations regarding reviews preparatory to research on decedents.
Verify if the entity obtained the necessary authorization and/or waiver to conduct the research. Elements to consider include, but are not limited to:
-Board approval of a waiver of authorization
– Whether the use or disclosure is solely to review PHI as necessary to prepare a research protocol
-Representation that the use or disclosure is solely for research on the PHI of decedents.