Who determines whether an authorization is required or whether the requirement for an authorization may be waived?
- The organization funding the research
- The principal investigator, using his or her best judgment about an assessment of risk and the application of HIPAA regulations
- It is up to each research subject to decide whether an authorization is necessary
- The organization's IRB, privacy board, or a designated privacy official, depending on the circumstances