This week, the Department of Health and Human Services Office for Civil Rights (OCR) issued guidance, mandated by the Cures Act, on the use of HIPAA-compliant authorizations for research. The guidance addresses authorizations and expiration language for future research as well as revocation of the authorization. A copy of the guidance can be obtained here.
OCR first clarifies that authorizations for future research do not need to specify each future study for which the information would be used, so long as those studies have not yet been determined. Rather, the authorization must adequately describe the research purposes so that an individual reasonably could expect that his or her protected health information (PHI) could be used or disclosed for such future research. Next, OCR explains that, if the purpose of the research is to create a research database or repository, the statements “end of the research study” or “none” are sufficient to meet the requirement that the authorization contain an expiration date or event that relates to the individual or the purpose of the use or disclosure. It also is sufficient to state that the authorization will remain in effect unless and until the individual revokes it.
With respect to revocation, OCR reminds covered entities that they must explain how an individual can exercise his or her right to revoke. The covered entity can do this in the authorization or it can refer the individual to the Notice of Privacy Practices if the process is detailed in that document. Covered entities can establish reasonable procedures for revocation such as completing a revocation form, although OCR encourages covered entities to ensure that the process does not make it difficult for the individual to exercise his or her right to revoke. Any revocation is not effective until the covered entity receives it or has knowledge of it. While the right to revoke remains in effect at all times, OCR confirms that periodic reminders of a right to revoke are not necessary; however, nothing prevents a covered entity from providing periodic reminders.
OCR notes some exceptions to an individual’s right to revoke. A covered entity is permitted to continue to use and disclose PHI it obtained prior to revocation if the covered entity acted in reliance on that authorization. A covered entity may also continue to use or disclose PHI for its research after the revocation if it is necessary to maintain the integrity of the research. OCR provides the following examples: “to account for a subject’s withdrawal from the research study, to conduct investigations of scientific misconduct, or to report adverse events.” Finally, HIPAA permits certain uses and disclosures without an authorization, such as the use of PHI for research purposes related to health care operations, including quality assessment and improvement activities.