Individual Authorization of Uses and Disclosures of PHI for Research Guidance Issued by OCR

Jun 21, 2018

The Department of Health and Human Services’ Office for Civil Rights (OCR) has released new guidance for HIPAA-covered entities to streamline HIPAA authorizations for uses of protected health information (PHI) for research purposes, as required by the 21st Century Cures Act of 2016.

The HIPAA Privacy Rule allows covered entities to use patients’ PHI for research without seeking individual authorizations under certain circumstances, such as when documented Institutional Review Board (IRB) or Privacy Board approval has been received – see 45 CFR § 164.512(i)(1)(i) and (ii). However, in most cases, individual authorizations must be obtained from patients in writing before their PHI is used for research. Without a valid authorization from the patient in question, their PHI can only be used or disclosed for purposes permitted by the Privacy Rule.

The new guidance outlines the content that must be included in individual authorizations to comply with HIPAA requirements.

OCR outlines that individual authorizations must:

  • Be stated in plain language to ensure they can be easily understood;
  • Include, in a specific and meaningful manner, a description of the data that will be used and disclosed;
  • List the names of the persons permitted to disclose and receive the research;
  • Describe the reason for the requested use or disclosure, and;
  • Give an expiration date or expiration time after which the authorization will no longer be valid.

In addition, the individual authorization must explicitly state the following rights of the individual:

  • The right to withdraw authorization in writing and any exceptions to that right;
  • A description of how that right can be exercised;
  • The ability, or inability, to condition treatment, payment, enrollment, or eligibility for benefits on the authorization, and;
  • The possibility for information disclosed in line with the authorization to be redisclosed by the recipient and no longer be safeguarded by the HIPAA Privacy Rule.

There has been some confusion regarding the content of individual authorizations with respect to future research, which may not have been determined at the time the authorization is obtained. In such instances, meeting the requirement to describe ‘each purpose’ for which PHI will be used or disclosed may not be possible.

OCR has explained that in such instances, specific future uses do not need to be outlined. Instead, to comply with 45 CFR § 164.508(c)(1)(iv), “the authorization must adequately describe such purposes such that it would be reasonable for the individual to expect that his or her protected health information could be used or disclosed for such future research.”

OCR also addressed the requirement to define “an expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure,” and explains that it is enough “to state ‘end of the research study,’ ‘none,’ or similar language,” such as when the PHI will be included in the creation and maintenance of a research database or study repository. It is also allowable to state, “the authorization will remain valid unless and until it is revoked by the individual.”

While patients have the right to revoke an authorization in writing at any time, there will be instances when exercising that right will not prevent the person’s PHI from being used in a particular research study. Patients should be aware of this when giving their authorization.

“A covered entity may continue to use and disclose PHI that was obtained before the individual revoked authorization to the extent that the entity has taken action in reliance on the authorization,” states OCR. “In cases where the research is conducted by the covered entity, the exception to revocation would permit the covered entity to continue using or disclosing the PHI to the extent necessary to maintain the integrity of the research—for example, to account for a subject’s withdrawal from the research study, to conduct investigations of scientific misconduct, or to report adverse events.”

OCR says it is not necessary to issue periodic alerts to patients about the right to revoke authorization, as patients must be supplied with a copy of the signed authorization in which their rights are outlined. However, covered entities are encouraged to put procedures in place for revocation of authorizations, such as devising a standard revocation form or adding current authorizations to a patient portal and permitting revocations to be filed through that portal.


Patrick Kennedy
