Under HIPAA, "retrospective research" on collections of PHI generally requires:

Under HIPAA, "retrospective research" on collections of Protected Health Information (PHI) typically requires either authorization from the individuals whose data will be used or meeting specific criteria for a waiver of authorization. This is because retrospective research often involves accessing and analyzing individuals' health information that is collected previously for other purposes, and HIPAA emphasizes the need to protect patient privacy and confidentiality.

Obtaining patient authorization ensures that individuals have voluntarily consented to the use of their PHI for research purposes, affirming their control over personal health information. Alternatively, researchers may apply for a waiver of authorization if they can demonstrate that the research meets certain criteria established by Institutional Review Boards (IRBs) or ethical boards, such as that the study involves minimal risk to participants and that the rights and welfare of the individuals are protected.

In contrast, other choices suggest either a lack of authorization requirements or insufficiently stringent processes for accessing sensitive health information. Verbal consent may not fully comply with HIPAA's requirements for more structured and documented consent, and relying solely on public records would not pertain to PHI in private records governed by HIPAA. Thus, the requirement for authorization or a waiver emphasizes the need for safeguarding individual privacy in retrospective research initiatives.