The Department of Health and Human Services (HHS) recently released interim guidance on sufficiency of authorizations for future uses or disclosures of protected health information (PHI) for research purposes.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) permits covered entities and business associates to use or disclose PHI only as permitted by the Privacy Rule or as authorized in writing by the information’s owner or that person’s personal representative. The 21st Century Cures Act, enacted in 2016, sought, in part, to improve accessibility to medical information for research purposes. It mandated that HHS issue guidance on how to allow for this improved access while still protecting patients’ rights under HIPAA.
Generally, an authorization must be in plain language and contain a description of the information to be used, names or some other identifying language of the individuals who will receive the information, a description of the purpose for the disclosure, and an expiration date or event for the authorization. Furthermore, the authorization must notify the individual that they have the right to revoke the authorization in writing, and of any exceptions to that right. The notice must also specify any ability or inability of the organization to make any conditions contingent on the authorization and the potential for re-disclosure of any information outside of any HIPAA protections.
Obtaining authorization for future use or disclosure can present certain challenges when preparing the description for the purpose of the use or disclosure. This most recent guidance from HHS clarifies that so long as the purpose is written in such a way as to set reasonable expectations for future use, it satisfies this requirement.
Revocation of permission is also addressed in this guidance. The authorization must contain language dictating when the permission expires. However, this guidance clarifies that language stating the authorization is valid until revoked is acceptable. Additionally, the guidance addresses how to handle the requirement under HIPAA that individuals have the opportunity to revoke. The guidance encourages, but does not mandate, covered entities to establish standard revocation forms. Additionally, the revocation does not take effect until the covered entity that would rely on that revocation has actual knowledge. This can play out two ways: If an individual revokes authorization, it does not take effect the day the individual revokes; rather, it takes effect the day the covered entity learns of the revocation. Alternatively, the Office for Civil Rights clarifies that if a covered entity has knowledge someone is revoking their authorization, the revocation takes effect at that time and not when the individual actually signs the revocation. The Privacy Rule does require revocations be in writing, but this guidance permits a covered entity to accept an oral revocation. HHS also clarifies that a covered entity has no obligation to remind individuals of their right to revoke.
When an individual does revoke their authorization, this affects not only a covered entity’s use of that PHI going forward, but also any further disclosure for research purposes of PHI collected and used under the authorization. This guidance explains that a covered entity can continue to use PHI obtained prior to the revocation if the covered entity has taken action in reliance on that authorization, to the extent necessary to maintain the integrity of the research. The guidance gives very specific examples of this kind of action, including reporting adverse events, investigating scientific misconduct and accounting for the subject’s withdrawal from the study. This list is clearly not exclusive, and the guidance also clarifies that a revocation of authorization does not prohibit a covered entity from disclosing PHI for permitted health care operations under HIPAA.
HHS recognizes that additional input from the public on this complex question would better help it provide meaningful guidance. Therefore, HHS is inviting comments from the public before issuing final rules.