OCR Releases New Guidance on Uses and Disclosures of PHI for Research

PUBLISHED: Jul 10, 2018
Relevant to: All Healthcare Organizations

The 21st Century Cures Act of 2016 (Cures Act) mandates that the Secretary of the Department of Health and Human Services (HHS) issue “Guidance Related to Streamlining Authorization” under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) for uses and disclosures of protected health information (PHI) for research. The HHS Office for Civil Rights (OCR) has now released this guidance.

Requirements for General Authorization and Expiration of Authorizations:

HIPAA-compliant authorizations must be in plain language and contain specific language regarding:

  • A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion
  • The names or other specific identification of the persons authorized to disclose and receive the information
  • A description of each purpose of the requested use or disclosure
  • An expiration date or expiration event that relates to the individual or the purpose of the use or disclosure

HIPAA-compliant authorizations must also include statements adequate to ensure that the individual agreeing to the authorization is aware of all of the following:

  • The individual’s right to revoke the authorization in writing; any exceptions to the right to revoke the authorization and a description of how the individual may revoke the authorization or, if such information is included in the notice required by 45 CFR § 164.520, a reference to the covered entity’s notice
  • The ability or inability to condition treatment, payment, enrollment, or eligibility for benefits on the authorization
  • The potential for information disclosed pursuant to the authorization to be subject to redisclosure by the recipient and no longer be protected by the HIPAA Privacy Rule

OCR is also offering interim guidance on the circumstances in which an authorization for uses and disclosures of PHI for future research contains a sufficient description of the purpose of the use or disclosure being authorized.

  • Authorizations for the use or disclosure of PHI for future research (or other purposes) must include a “description of each purpose of the requested use or disclosure. The statement ‘at the request of the individual’ is a sufficient description of the purpose when an individual initiates the authorization and does not, or elects not to, provide a statement of the purpose.”
  • According to OCR, the requirement to describe “each purpose” means that such authorizations do not need to specify each specific future study if the particular studies to be conducted are not yet determined; rather, the authorization “must adequately describe such purposes such that it would be reasonable for the individual to expect that his or her protected health information could be used or disclosed for such future research.”
  • OCR will consider a description of future research purposes as compliant with 45 CFR § 164.508(c)(1)(iv) if the description sufficiently describes the purposes in a manner so that it would be reasonable for the individual to expect that the protected health information could be used or disclosed for such future research.

Included with today’s notice is an example policy related to uses and disclosures of PHI for research purposes.
