HHS Addresses Authorizations of Uses and Disclosures of PHI for Research | Practical Law

HHS Addresses Authorizations of Uses and Disclosures of PHI for Research | Practical Law

The Department of Health and Human Services (HHS) has issued interim guidance addressing authorizations for disclosing an individual's protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA) in the research context.

HHS Addresses Authorizations of Uses and Disclosures of PHI for Research

Practical Law Legal Update w-015-2812 (Approx. 5 pages)

HHS Addresses Authorizations of Uses and Disclosures of PHI for Research

by Practical Law Employee Benefits & Executive Compensation
Published on 18 Jun 2018USA (National/Federal)
The Department of Health and Human Services (HHS) has issued interim guidance addressing authorizations for disclosing an individual's protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA) in the research context.
HHS has issued interim guidance (June 14, 2018) regarding the rules for HIPAA authorizations for disclosing an individual's protected health information (PHI) in the research context (see Standard Document, HIPAA Authorization for Health Plans to Use and Disclose PHI and Practice Note, HIPAA Privacy Rule: Marketing, Sales, and Research; see also HIPAA Privacy, Security, and Breach Notification Toolkit). The guidance, which HHS was required to issue under the 21st Century Cures Act of 2016 (Cures Act), addresses the following topics:
  • Use and disclosure descriptions in an authorization so individuals can reasonably expect when their PHI may be used or disclosed for future research.
  • The situations when it may be appropriate to provide individuals an annual notice or reminder of the individual's right to revoke the authorization.
  • Methods by which an individual can revoke an existing authorization.
(21st Century Cures Act of 2016, Pub. L. No. 114-255, § 2063(b) (2016); see Practice Note, Mental Health Parity: 21st Century Cures Act and Subsequent Guidance and Legal Update, Obama Signs 21st Century Cures Act into Law.)

HIPAA Authorizations

Under HIPAA's implementing regulations, a valid authorization must be written in plain language and include:
  • A description of the information, identified specifically, to be used or disclosed.
  • The names or other specific identification of the persons authorized to disclose and receive the information.
  • A description of each purpose of the requested use or disclosure.
  • An expiration date or expiration event that relates to the individual (or the purpose of a use or disclosure).
(45 C.F.R. § 164.508(c).)

Authorization Standards and Expiration

The guidance addresses when an authorization for uses and disclosures of PHI for future research sufficiently describes the purpose of the use or disclosure being authorized. According to HHS, an authorization's description of future research purposes satisfies the HIPAA regulations if it adequately explains the purposes so that an individual may reasonably expect that the PHI could be used or disclosed for the future research.
Regarding authorization expiration dates in the research context (including the creation or maintenance of research databases or repositories), the statements "end of the research study," "none," or similar language is adequate. As another example, an authorization could state that it will remain valid unless and until it is revoked by the individual.

Revoking an Authorization

The guidance also addresses an individual's right to revoke an existing authorization. In the research context, a revocation:
  • Limits a covered entity's (CE's) continued use of the health information for research that was conducted based on the authorization.
  • Prevents the CE from making future disclosures for research purposes based on the authorization.
However, a revocation does not always mean that the individual's information may no longer be used in the research study (or may no longer be used or disclosed for any other purpose). Rather, a CE may continue to use and disclose PHI that was obtained before the individual revoked authorization if the CE has acted in reliance on the authorization. For example, a CE could continue using or disclosing the PHI as required to maintain the integrity of the research, including to:
  • Account for a subject's withdrawal from the research study.
  • Conduct investigations of scientific misconduct.
  • Report adverse events.
The PHI could also be used for other activities that would be permitted by HIPAA's Privacy Rule without the individual's authorization (for example, to conduct permitted health care operations).
Also, though not required under the HIPAA regulations, a CE may provide reminders to individuals of their right to revoke a research authorization.

Revocation Process

In general, a HIPAA authorization must:
  • Clearly state that an individual has a right to revoke the authorization in writing at any time.
  • Describe the process by which an individual may revoke the authorization, which can be done in paper form or electronically.
An authorization might also cross-reference the revocation process discussion in a CE's Notice of Privacy Practices, assuming the notice describes the process clearly and completely (see Standard Document, HIPAA Notice of Privacy Practices for Group Health Plans). CEs may also adopt reasonable revocation procedures, which could include a standard revocation form. For example, a CE might:
  • Make authorizations that are currently in effect viewable through an electronic health record portal.
  • Allow individuals to submit revocations through the portal.
The HHS guidance includes additional rules concerning the premise that a revocation is not effective until the CE that relies on the revocation either receives the revocation or otherwise knows of its existence. For example, the guidance addresses authorization revocations submitted by an individual to a person or entity other than the CE (for example, a non-HIPAA covered researcher).

Practical Impact

This HHS guidance may have limited applicability to health plan CEs, which are not known for conducting a great deal of research (see Group Health Plans Toolkit). Rather, the guidance is geared to health providers and many of its examples address researchers and other affiliates in the health care context. Nonetheless, the guidance includes a good discussion of issues in the authorization context – particularly as to revocations – and may be instructive in reflecting HHS's current standards in that regard.