Generally, HIPAA regulations require a covered entity that uses or discloses an individual’s Protected Health Information (“PHI”), including for research purposes, to obtain an authorization from that individual[1]. The Office of Civil Rights (“OCR”), the entity that enforces HIPAA compliance, recently issued guidance for situations when an entity obtains an authorization from an individual for use and disclosure of PHI for research[2], focusing on the following topics:
Sufficient Description – HIPAA regulations require that the authorization, in plain language, provide “a description of each purpose of the requested use or disclosure.”