New guidance for HIPAA-covered entities to streamline HIPAA authorizations for uses of protected health information (PHI) for research purposes has been released by the Department of Health and Human Services’ Office for Civil Rights (OCR), as required by the 21st Century Cures Act of 2016.
The HIPAA Privacy Rule does allow covered entities to use patients’ PHI for research without seeking individual authorizations under certain circumstances, such as when documented Institutional Review Board (IRB) or Privacy Board approval has been received (see 45 CFR § 164.512(i)(1)(i) and (ii)). However, in most cases, individual authorizations must be obtained from patients in writing before their PHI is used for research. Without a valid authorization from the patient in question, their PHI can only be used or disclosed for purposes permitted by the Privacy Rule.
The new guidance outlines the content that must be included in individual authorizations to comply with HIPAA requirements.
OCR states that individual authorizations must:
- Be stated in plain language to ensure they can be simply understood;
- Include, in a specific and meaningful manner, a description of the data that will be used and disclosed;
- List the names of the persons permitted to disclose and receive the research;
- Include a description of the reason for the requested use or disclosure, and;
- Include an expiration date or expiration time after which the authorization will no longer be valid.
In addition, the individual authorization must explicitly state the following rights of the individual:
- The right to withdraw authorization in writing and any exceptions to that right;
- A description of how that right can be used;
- The ability, or inability, to condition treatment, payment, enrollment, or eligibility for benefits on the authorization, and;
- The possibility for information disclosed in line with the authorization to be redisclosed by the recipient and no longer be safeguarded by the HIPAA Privacy Rule.
There has been some confusion regarding the content of individual authorizations for future research, the details of which may not have been determined at the time the authorization is obtained. In such instances, it may not be possible to meet the requirement to describe ‘each purpose’ for which PHI will be used or disclosed.
OCR has explained that in such instances, specific future uses do not need to be outlined. Instead, to comply with 45 CFR § 164.508(c)(1)(iv), “the authorization must adequately describe such purposes such that it would be reasonable for the individual to expect that his or her protected health information could be used or disclosed for such future research.”
OCR also addressed the requirement to define “an expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure,” and explained that it is enough “to state ‘end of the research study,’ ‘none,’ or similar language,” such as when the PHI will be included in the creation and maintenance of a research database or study repository. It is also allowable to state, “the authorization will remain valid unless and until it is revoked by the individual.”
While patients have the right to revoke an authorization in writing at any time, there will be instances when exercising that right will not prevent the person’s PHI from being used in a particular research study. Patients should be aware of this when giving their authorization.
“A covered entity may continue to use and disclose PHI that was obtained before the individual revoked authorization to the extent that the entity has taken action in reliance on the authorization,” states OCR. “In cases where the research is conducted by the covered entity, the exception to revocation would permit the covered entity to continue using or disclosing the PHI to the extent necessary to maintain the integrity of the research—for example, to account for a subject’s withdrawal from the research study, to conduct investigations of scientific misconduct, or to report adverse events.”
OCR says that it is not necessary to issue periodic alerts to patients about the right to revoke authorization, as patients must be supplied with a copy of the signed authorization in which their rights will be outlined. However, covered entities are encouraged to put in place procedures for revocation of authorizations, such as devising a standard revocation form or adding current authorizations to a patient portal and permitting revocations to be filed through that portal.