Individual Authorization of Uses and Disclosures of PHI for Research Guidance Issued by OCR

Jun 21, 2018

The Department of Health and Human Services’ Office for Civil Rights (OCR) has released new guidance for HIPAA-covered entities to streamline HIPAA authorizations for uses of protected health information (PHI) for research purposes, as required by the 21st Century Cures Act of 2016.

The HIPAA Privacy Rule does allow covered entities to use patients’ PHI for research without seeking individual authorizations under certain circumstances, such as when recorded Institutional Review Board (IRB) or Privacy Board approval has been received – see 45 CFR § 164.512(i)(1)(i) and (ii). However, in most cases, individual authorizations must be obtained from patients in writing before their PHI is used for research. Without a valid authorization from the patient in question, their PHI can only be used or released for purposes permitted by the Privacy Rule.

The new guidance outlines the content that must be included in individual authorizations to comply with HIPAA requirements.

OCR states that individual authorizations must:

  • Be stated in plain language to ensure they can be easily understood;
  • Include, in a specific and meaningful manner, a description of the data that will be used and disclosed;
  • List the names of the persons permitted to disclose and receive the research;
  • Include a description of the reason for the requested use or disclosure, and;
  • Include an expiration date or expiration time after which the authorization will no longer be valid.

In addition, the individual authorization must explicitly state the following rights of the individual:

  • The right to withdraw authorization in writing and any exceptions to that right;
  • A description of how that right can be exercised;
  • The ability, or lack of, to condition treatment, payment, enrollment, or eligibility for benefits on the authorization, and;
  • The possibility for information disclosed in line with the authorization to be redisclosed by the recipient and no longer be safeguarded by the HIPAA Privacy Rule.

There has been some confusion regarding the content of individual authorizations with respect to future research, which may not have been determined at the time that the authorization is received. In such instances, meeting the requirement to describe ‘each purpose’ for which PHI will be used or disclosed may not be possible.

OCR has explained that in such instances, specific future uses do not need to be outlined. Instead, to comply with 45 CFR § 164.508(c)(1)(iv), “the authorization must adequately describe such purposes such that it would be reasonable for the individual to expect that his or her protected health information could be used or disclosed for such future research.”

OCR also addressed the requirement to define “an expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure,” explaining that it is enough “to state ‘end of the research study,’ ‘none,’ or similar language,” such as when the PHI will be included in the creation and maintenance of a research database or study repository. It is also allowable to state, “the authorization will remain valid unless and until it is revoked by the individual.”

While patients have the right to revoke an authorization in writing at any time, there will be instances when exercising that right will not prevent the person’s PHI from being used in a particular research study. Patients should be aware of this when giving their authorization.

“A covered entity may continue to use and disclose PHI that was obtained before the individual revoked authorization to the extent that the entity has taken action in reliance on the authorization,” states OCR. “In cases where the research is conducted by the covered entity, the exception to revocation would permit the covered entity to continue using or disclosing the PHI to the extent necessary to maintain the integrity of the research —for example, to account for a subject’s withdrawal from the research study, to conduct investigations of scientific misconduct, or to report adverse events.”

OCR says that it is not necessary for periodic alerts about the right to revoke authorization to be issued to patients, as patients must be supplied with a copy of the signed authorization in which their rights will be outlined. However, covered entities are encouraged to put in place procedures for revocation of authorizations, such as devising a standard revocation form or adding current authorizations to a patient portal and permitting revocations to be filed through that portal.

Ryan Coyne

Ryan Coyne is a results-driven leader in the healthcare compliance industry, specializing in regulatory compliance, compliance training, and assisting healthcare organizations and business associates in achieving and maintaining compliance. With a deep knowledge of healthcare regulations and a keen understanding of the challenges faced by the industry, Ryan has developed a reputation as a trusted advisor and advocate for ethical and compliant practices in healthcare. Ryan has successfully advised and guided numerous healthcare organizations, business associates, and healthcare professionals on achieving and maintaining compliance with regulatory training requirements. Ryan's professional focus is using his in-depth expertise and leading a world class team of subject matter experts at ComplianceJunction in regulatory compliance to help organisations navigate the complex landscape of ensuring staff adhere to healthcare regulations.
