OCR Issues Guidance on Individual Authorization of Uses and Disclosures of PHI for Research

The Department of Health and Human Services’ Office for Civil Rights has issued new guidance for HIPAA-covered entities to streamline HIPAA authorizations for uses of protected health information for research purposes, as required by the 21st Century Cures Act of 2016.

Uses and Disclosure of PHI for Research

The HIPAA Privacy Rule does permit covered entities to use patients’ PHI for research without obtaining individual authorizations under certain circumstances, such as if documented Institutional Review Board (IRB) or Privacy Board Approval has been obtained – see 45 CFR § 164.512(i)(1)(i) and (ii). However, in most cases, prior to using patients’ PHI for research, individual authorizations must be obtained from patients in writing. Without a valid authorization from a patient, their PHI can only be used or disclosed for purposes permitted by the Privacy Rule.

The new guidance explains the content that must be included in individual authorizations to meet HIPAA requirements.

OCR explains that individual authorizations must:

  • Be written in plain language to ensure they can be easily understood;
  • Include, in a specific and meaningful fashion, a description of the information that will be used and disclosed;
  • Include the names of the persons authorized to disclose and receive the information;
  • A description of the purpose of the requested use or disclosure, and;
  • An expiration date or expiration event after which the authorization will be invalid.

In addition, the individual authorization must make clear the following rights of the individual:

  • The right to revoke authorization in writing and any exceptions to that right;
  • Details of how that right can be exercised;
  • The ability or inability to condition treatment, payment, enrollment, or eligibility for benefits on the authorization, and;
  • The potential for information disclosed in accordance with the authorization to be redisclosed by the recipient and no longer be protected by the HIPAA Privacy Rule.

There has been some confusion about the content of individual authorizations with respect to future research, which may not have been determined at the time that the authorization is obtained. In such situations, the requirement to describe ‘each purpose’ that PHI will be used or disclosed may not be possible.

OCR has clarified that in such situations, specific future uses do not need to be described. Instead, to comply with 45 CFR § 164.508(c)(1)(iv) “the authorization must adequately describe such purposes such that it would be reasonable for the individual to expect that his or her protected health information could be used or disclosed for such future research.”

OCR also clarifies the requirement to include “an expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure,” and explains it is sufficient “to state ‘end of the research study,’ ‘none,’ or similar language,” such as when the PHI will be included in the creation and maintenance of a research database or study repository. It is also permitted to state, “the authorization will remain valid unless and until it is revoked by the individual.”

While patients are given the right to revoke an authorization in writing at any time, there will be situations when exercising that right will not stop the individual’s PHI from being used in a particular research study. Patients should be made aware of this when giving their authorization.

“A covered entity may continue to use and disclose PHI that was obtained before the individual revoked authorization to the extent that the entity has taken action in reliance on the authorization,” explains OCR. “In cases where the research is conducted by the covered entity, the exception to revocation would permit the covered entity to continue using or disclosing the PHI to the extent necessary to maintain the integrity of the research —for example, to account for a subject’s withdrawal from the research study, to conduct investigations of scientific misconduct, or to report adverse events.”

OCR explains that it is not necessary for periodic reminders about the right to revoke authorization to be sent to patients as patients must be provided with a copy of the signed authorization in which their rights will be explained. However, covered entities are encouraged to implement procedures for revocation of authorizations such as creating a standard revocation form or adding current authorizations to a patient portal and allowing revocations to be submitted through that portal.

OCR’s Guidance on Individual Authorization of Uses and Disclosures of PHI for Research can be downloaded on this link (PDF).

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.