OCR has issued new guidance on the HIPAA Privacy Rule that explains certain requirements for an authorization to use or disclose PHI for research and clarifies aspects of the individual’s right to revoke an authorization.
The guidance implements a mandate in the 21st Century Cures Act of 2016 to streamline authorization under HIPAA for PHI use and disclosure for research. The act is designed to speed up the drug approval process and improve medical research.
In a previous guidance update regarding the 21st Century Cures Act, OCR launched two webpages focused on mental and behavioral health information, including how information on mental health and substance use disorder treatment can be shared in compliance with HIPAA.
In its latest guidance, issued June 14, OCR addressed three areas of the act: description of the purpose of future research that the authorization pertains to, circumstances under which a covered entity should provide reminders to the individual concerning his or her right of revocation, and the appropriate mechanisms for revocation.
The first part of the guidance discussed the purpose of PHI use or disclosure for future research in the authorization. The statement “at the request of the individual” without any further explanation is a sufficient description of the purpose when the individual initiates the authorization, explained OCR.
OCR judged that a future research purpose description is compliant with HIPAA “if the description sufficiently describes the purposes such that it would be reasonable for the individual to expect that the protected health information could be used or disclosed for such future research.”
In addition, an authorization of PHI use and disclosure for future research must contain an expiration date or an expiration “event,” which could be described in the statements “until the end of the research study” or “valid unless and until it is revoked by the individual.”
OCR explained that the HIPAA Privacy Rule confirms the individual’s right to revoke authorization of PHI use and disclosure for research in writing at any time.
“To be valid, an authorization must inform the individual of the right to revoke the authorization in writing, and either: (1) the exceptions to the right to revoke and a description of how the individual may revoke authorization, or (2) reference to the corresponding section(s) of the covered entity's Notice of Privacy Practices,” the OCR guidance stated.
If an individual revokes authorization, a covered entity is limited in its continued use of the PHI in the original research or future research projects, OCR explained.
However, the covered entity could continue to use and disclose the PHI to maintain the integrity of the research—e.g., to account for the individual’s withdrawal, to conduct a probe into scientific misconduct, or to report adverse events. In addition, a covered entity could disclose the individual’s PHI to conduct permitted healthcare operations, such as quality assessments and improvements.
For example, if an individual receives a written explanation on how her health data could be used in a research study, she could be told about her right to have her information withdrawn in the future. The patient's health data might be included in a study, but perhaps she chooses later on to revoke her authorization. The covered entity will no longer use the data in future studies, but that individual’s information could still potentially be used should any follow-up or clarifications need to be undertaken in that particular study.
OCR determined that the Privacy Rule does not require the covered entity to provide reminders about the individual’s right to revoke authorization, but a covered entity can provide reminders if it so chooses.
“For example, a covered entity might choose to ask, while obtaining an individual’s authorization, whether the individual would like to receive reminder(s) in the future about the right to revoke the authorization and, in accordance with such request, provide periodic reminders of such right to revoke.”
The office said that the authorization must state the individual’s right to revoke and the process for revocation.
“Covered entities are encouraged to establish processes that facilitate an individual’s exercising the right to revoke an authorization,” the agency stated. “For example, a covered entity could make authorizations currently in effect viewable by the individual through an electronic health record portal and allow the individual to submit revocations through the portal.”
The revocation would not be effective until the covered entity receives a signed copy.
“The existence of a written revocation of authorization does not always mean that a covered entity has ‘knowledge’ of the revocation that would make the authorization defective. Conversely, obtaining a copy of the written revocation is not required before a provider ‘knows’ that an authorization has been revoked,” OCR explained.
The guidance noted that a covered entity is not required to use or disclose PHI subject to an authorization.
While the Privacy Rule requires that an authorization revocation be in writing, a covered entity may choose to cease using and disclosing PHI based on an individual’s oral request, the guidance related.