Understanding the Requirements on Issuing Individual Authorization for Uses and Disclosures of PHI for Research

Protected Health Information Breach Report

To help HIPAA-covered entities to streamline HIPAA authorizations for the use of protected health information (PHI) in research, as mandated by the 21st Century Cures Act of 2016, the Department of Health and Human Services’ Office for Civil Rights has issued guidance.

The HIPAA Privacy Rule does allow covered entities to utilize patients’ PHI for research with no individual authorization required in particular instances, for example, if written approval from the Institutional Review Board (IRB) or Privacy Board has been acquired – see 45 CFR § 164.512(i)(1)(i) and (ii). Nevertheless, generally, before using the PHI of patients for research, individual authorizations from patients must be obtained in writing. When patients do not provide valid authorizations to use their PHI for research, the Privacy Rule does not allow the use or disclosure of their PHI.

OCR’s new guidance details the following requirements for individual authorizations to satisfy HIPAA Rules:

  • They must be written in simple language to make sure they can be easily understood
  • They should include, in a precise and meaningful way, a description of the data that are going to be used and shared
  • They should include the names of the individuals approved to disclose and get the data
  • There must be a description of the reason for requesting the use or disclosure the information
  • The expiration date after which the authorization becomes invalid must be stated
  • The individual authorization should also explain the following rights of the patient: the right to cancel authorization in writing and any exclusions to that right; the specifics of how that right may be exercised; the ability or inability to condition treatment, payment, enrollment, or qualification for benefits on the authorization, and; the whether the information could be redisclosed by the receiver and no longer be covered by the HIPAA Privacy Rule.

It had become clear to OCR that there were misunderstandings concerning the content of individual authorizations with respect to future research, which was not known during the time that the authorization was acquired. In such circumstances, the necessity to explain ‘each purpose’ that PHI is going to be used or shared might not be possible. OCR explained that in such scenarios, specific future uses need not be defined. Rather, to adhere to 45 CFR § 164.508(c)(1)(iv), the authorization should sufficiently explain such purposes so that it is acceptable for the individual to anticipate that his or her PHI may be used or disclosed for future research.

OCR additionally makes clear that with respect to the expiration date or event, it is sufficient to simply state ‘end of the research study,’ ‘none,’ or similar terms, for example, when the PHI is going to be made part of the formation and upkeep of a research database or study archive. Additionally it is possible to just state that the authorization is valid until it is canceled by the individual.

Although patients have the right to issue a written termination of the authorization any time, there will be circumstances when that right won’t stop the use of the individual’s PHI in a specific research study. Patients must know this when providing their consent. For example, the covered entity may need to keep on using or disclosing the data to maintain the integrity of the research study.

OCR points out that it’s not required to send regular reminders to patients concerning the right to cancel authorization. Nevertheless, covered entities must apply procedures for termination of authorizations like making a standard termination form or adding existing authorizations to a patient website and enabling revocations to be posted through that website.

OCR’s Guidance on Individual Authorization of Uses and Disclosures of PHI for Research are available here.