Requirements for institutional review board (IRB) review and HIPAA waiver documentation for RIF DUA request submissions

Requirements for institutional review board (IRB) review and HIPAA waiver documentation for RIF DUA request submissions

Current Version Date: 

CMS must ensure that all research requests for identifiable (RIF) data have IRB documentation to satisfy the requirements of the Common Rule and the Health Insurance Portability and Accountability Act (HIPAA). This article describes the requirements and presents examples of acceptable IRB documentation.

The IRB documentation must indicate that there was a review that satisfies the following two requirements:

 1.       Informed consent for human subjects participation in research or waiver of informed consent

CMS requires IRB review of each research study that proposes to use RIF data, regardless of whether the participants are actively involved (e.g. a survey or clinical trial) or if you are only using existing data (e.g. CMS data) about the subjects.

The IRB may approve your study, or it may exempt it from review. Either outcome is acceptable for the RIF DUA request.

The IRB will review the study with regard to the requirements of the Common Rule:

  • The Common Rule is a federal policy that covers the protection of human subjects in research.
  • The Common Rule requires that researchers obtain informed consent from each human subject for their participation in the research, OR
  • If certain conditions are met, the IRB may waive the Common Rule requirement to obtain informed consent. The waiver is also implied if the IRB exempts the study from review (or exempts the study from the Common Rule).

 2.       Individual authorization for release of health data or waiver of authorization (HIPAA waiver)

The IRB will also review the study with regard to the requirements of the HIPAA Privacy Rule:

  • The Privacy Rule is a part of HIPAA (Health Information Portability and Accountability Act), the federal policy that covers the protection of health information.
  • The HIPAA Privacy Rule allows CMS to release protected health information for research either with individual authorization, or

If a researcher has not obtained individual authorization, a researcher must provide documentation that an IRB has approved a waiver of the research subjects' authorization for disclosure of information about them for research purposes.

CMS requires documentation of the IRB review results and waivers.

»    There isn’t one specific form or format, but there are some basic IRB documentation requirements.

A. Name of the IRB and contact information (preferably via letterhead)
B. Date of review or approval and expiration date (some exemptions may not expire)
C. Study title: Must be the exact same study title as on your documents
D. Principal Investigator (PI) name: Must be the same as the PI name on your documents
E. Determination of IRB approval or exemption, and brief explanation
F. Name/signature of the authorized IRB representative

»    There isn’t one specific wording required, but it must include language about the waivers.

G. Waiver of informed consent, or the IRB may exempt the study from review
H. Language indicating that a HIPAA waiver is included (may indicate waiver of the Privacy Rule requirements, waiver of release of information authorization, or reference the specific statute)

»    If you are obtaining informed consent and/or individual authorization, then the IRB documentation should state that.


See the following examples.

Still have questions? Check out the FAQ for additional information.


 This picture provides a sample of an IRB approval as a short memo, annotated with the guide points given in the article.

Article Number: 
This work was performed under CMS Contract Number HHSM-500-2015-00558G
Related Data Request Processes: 
Related Data Request Materials: