Under HIPAA, what is required for retrospective research on collections of PHI?

For retrospective research involving collections of Protected Health Information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA), it is indeed necessary to obtain either authorization from the individuals whose data will be used or a waiver of authorization from an Institutional Review Board (IRB) or Privacy Board. This requirement is in place to ensure that individuals' privacy and confidentiality are respected when their health information is being utilized for research purposes.

Retrospective research often involves accessing data that has already been collected, and because this data can reveal personal health information, the safeguards provided by HIPAA need to be upheld to protect patient privacy. If the research does not involve direct interaction with the individuals, the waiver process allows researchers to use PHI without needing consent if certain criteria are met, such as minimal risk to privacy and the research being conducted for a public benefit.

In contrast, the other options do not align with the regulatory framework set by HIPAA. The absence of prior authorization would not be compliant for most circumstances involving PHI. Additionally, the requirement is not limited to healthcare settings, as PHI can exist in various contexts, and the standards apply regardless of the setting. Similarly, public data analysis, which typically involves de-identified data, operates under