In June 2018 the Department of Health and Human Services (HHS) issued guidance related to streamlining authorization under HIPAA for uses and disclosures of protected health information (PHI) for research. Under the 21st Century Cures Act of 2016, HHS is required to help simplify the research process by clarifying:
1. the authorization for use or disclosure of for future research purposes contains a sufficient description of the purpose;
2. the date or event on which the authorization will expire unless it is revoked by the patient and instruction on how to revoke it;
3. the circumstances under which it is appropriate to provide a patient with an annual notice or reminder that the patient has the right to revoke such authorization; and
4. the appropriate way to revoke an authorization for future research purposes.
The HHS Office for Civil Rights (OCR) provides the following guidance that focuses specifically on situations in which a Covered Entity (CE) obtains the patient’s HIPAA authorization for use and disclosure of PHI for research. HIPAA allows CE and business associates to use or disclose PHI, including for research purposes, only as permitted or required by the Privacy Rule or as authorized in writing by the patient (or by the patient’s personal representative). At the same time, the Privacy Rule helps researchers to access PHI needed to conduct vital research.
Authorization for use or disclosure of protected health information (PHI) for future research purposes contains a sufficient description of the purpose.
Since what constitutes a sufficient description for the patient to expect that the PHI could be used or disclosed for such research is a complicated issue, OCR is offering interim guidance while inquiries and discussions continue. The statement ‘at the request of the patient’ is a sufficient description when a patient initiates the authorization. Otherwise, OCR views a description of future research purposes as compliant if the description sufficiently describes the purposes such that it would be reasonable for the patient to expect future research.
Revoking an Authorization
OCR clarifies that an authorization for uses and disclosures of PHI for future research must contain an expiration date or event. Patients should be made aware that revocation of an authorization does not always mean that the patient’s information may no longer be used in the research study or may no longer be used or disclosed for any other purpose such as treatment, payment and healthcare operations. A CE may continue to use and disclose PHI that was obtained before the patient revoked to the extent necessary to maintain the integrity of the research.
Reminder of the Right to Revoke
The Privacy Rule does not require a CE to provide periodic reminders about a patient’s right to revoke an authorization. Instead, the Privacy Rule requires such entities to provide patients with a copy of their signed authorization to ensure the patient is aware of the ongoing potential for the uses and disclosures of PHI. The CE may provide reminders to patients of their right to revoke. A CE might choose to ask if the patient would like to receive reminders in the future about the right to revoke and then must provide periodic reminders. Additionally a CE might remind a minor participant who reaches the age of majority of their right to revoke a HIPAA authorization originally signed by either a parent or guardian. Reminders of this nature are not, however, required under the Privacy Rule.
Appropriate Methods for Revoking Authorization for Future Research
In addition to clearly stating that a patient has a right to revoke an authorization in writing at any time, the authorization must describe the process by which a patient may revoke the authorization or refer them to the NPP if it contains a clear description of the revocation process. Covered entities are encouraged to establish ways to make this process easy for the patient.
Some suggestions are:
• Provide a standard revocation form.
• Make current authorizations viewable and allow them to submit revocations through a client portal.
Once signed, a revocation is not effective until the CE that discloses the PHI receives the revocation or has “knowledge” of the revocation. The existence of a written revocation of authorization does not always mean that a CE has ‘‘knowledge’’. For example, the patient gives the signed order to revoke the authorization to the research group. The doctor who is disclosing the information about the patient to the research group would not “know” that the authorization has been revoked unless the research group or the patient told the doctor directly. Therefore the doctor would still be disclosing the PHI in good faith. Because the Privacy Rule does not require the researcher to inform all of the CEs to whom it has presented the authorization, all the disclosing providers may not “know.” At the same time, however, if the patient tells a CE that they have revoked the authorization in writing to the researcher, the CE ‘‘knows’’ of the revocation and must then consider the authorization invalid and take action to stop future disclosures.
You can read the full guidance document at: https://www.hhs.gov/sites/default/files/hipaa-future-research-authorization-guidance-06122018%20v2.pdf
More information on the HIPAA Privacy Rule and research is available on OCR’s website at https://www.hhs.gov/hipaa/for‐professionals/special‐topics/research/index.html