Generally, when using or disclosing an individual’s Protected Health Information (“PHI”), HIPAA regulations require the covered entity to obtain an authorization from an individual, including for research purposes. The Office of Civil Rights (“OCR”), the entity that enforces HIPAA compliance, recently issued guidance for situations when an entity obtains an authorization from an individual for use and disclosure of PHI for research, focusing on the following topics:
- Sufficient Description – HIPAA regulations require that the authorization, in plain language, provide “a description of each purpose of the requested use or disclosure.” OCR guidance stated that the authorization does not need to state/list each future study, if they have not been determined; however, the authorization should describe the purposes so that the individual can reasonably anticipate that their PHI may be used or disclosed in future research studies.
- Expiration of Authorization for Future Research – The Privacy Rules require that an authorization contain “an expiration date or an expiration event that relates to the individual or the purposes of the use or disclosure.” OCR guidance explains that the authorization can provide that the authorization will expire at the “end of the research study,” “none,” or “similar language”. Additionally, the authorization can state that it will remain valid unless it is revoked by the individual.
- Right to Revoke Authorization – The Privacy Rules allow an individual to revoke their authorization, in writing, unless “the covered entity has taken action in [its] reliance.” OCR guidance explains that the authorization must provide for exceptions to the ability to revoke, such as if the entity has relied on the PHI, and the authorization must also explain the process by which an individual can revoke their authorization. If the revocation process is set forth in the Notice of Privacy, then the authorization can refer to the process in the Notice of Privacy for the entity. Additionally, the guidance explains that a revocation is effective only if the covered entity has knowledge of it. Finally, although the regulations require the revocation to be in writing, the covered entity may choose to cease using and disclosing PHI in response to an individual’s oral request.
The OCR guidance clarifies that the Privacy Rules do not require the entity to remind the individuals about their authorization or their right to revoke. However, the entity may wish to adopt such a protocol if they choose.