New Guidance on HIPAA and Individual Authorization of Uses and Disclosures of PHI for Research
On June 18, 2018, the Office for Civil Rights issued new guidance on HIPAA and individual authorization of uses and disclosures of protected health information (PHI) for research. The guidance explains certain requirements for an authorization to use or disclose PHI for future research and clarifies aspects of the individual's right to revoke an authorization for research uses and disclosures of PHI.
Authorization General Requirements
With few exceptions, HIPAA requires individual authorization from patients prior to using patients' PHI for research. A HIPAA-compliant authorization for use of PHI for research:
- must be in plain language
- must contain specific information regarding:
- a description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion,
- the names or other specific identification of the persons authorized to disclose and receive the information,
- a description of each purpose of the requested use or disclosure, and
- an expiration date or expiration event that relates to the individual or the purpose of the use or disclosure.
- must also include statements adequate to place the individual on notice of all of the following:
- the individual's right to revoke the authorization in writing, any exceptions to the right to revoke the authorization and a description of how the individual may revoke the authorization;
- the ability or inability to condition treatment, payment, enrollment, or eligibility for benefits on the authorization; and
- the potential for information disclosed pursuant to the authorization to be subject to redisclosure by the recipient and no longer be protected by the HIPAA Privacy Rule.
Authorizations for Future Research
Authorizations for the use or disclosure of PHI for future research must include a description of each purpose of the requested use or disclosure. "Each purpose" means that such authorizations do not need to specify each specific future study if the particular studies to be conducted are not yet determined; rather, the authorization must sufficiently describe the purposes such that it would be reasonable for the individual to expect that the protected health information could be used or disclosed for such future research.
Expiration of Authorization for Future Research
Authorizations for the use or disclosure of PHI for future research must include and expiration date or event. The statement "end of the research study," "none," "until it is revoked by the individual" or similar language is sufficient.
Right to Revoke Authorization
Individuals should be aware that revocation of an authorization does not always mean that the individual's information may no longer be used in the research study. A covered entity may continue to use and disclose PHI that was obtained before the individual revoked authorization to the extent that the entity has taken action in reliance on the authorization.