Guidance: Obtaining Patient Consent to Use PHI in ResearchNew HIPAA Guidance Was Called for Under the 21st Century Cures Act
Addressing an important privacy issue, federal regulators have issued guidance to clarify details about how patients should authorize the use or disclosure of their protected health information for future research - and their right to revoke that authorization.
On Thursday, the Department of Health and Human Services' Office for Civil Rights issued the document, "Guidance on HIPAA and Individual Authorization of Uses and Disclosures of Protected Health Information for Research."
The guidance was called for under the 21st Century Cures Act. Signed into law in 2016, the Cures Act aims to promote medical innovation and advancement of more individualized healthcare treatments.
"While the [HIPAA] Privacy Rule does permit certain uses and disclosures of PHI for research purposes without an individual's authorization, this document focuses specifically on situations in which an entity obtains the individual's HIPAA authorization for uses and disclosures of PHI for [future] research," the guidance notes.
In accordance with the Cures Act, OCR's new guidance explains what form of description of "future research" is sufficient to comply with federal regulations; clarifies expiration of authorizations for PHI to be used/disclosed for future research; and describes an individual's right to revoke consent.
The issuance of the guidance "is part of a continuing and complicated effort to 'streamline' the ability of the healthcare industry to capitalize on patient data for research purposes," says privacy attorney Kirk Nahra of the law firm Wiley Rein.
"This particular provision relates to future uses of PHI for research, a situation where OCR has been easing the rules for a while and 21st Century Cures requires even more guidance," he notes.
Changes under the HIPAA Omnibus final rule in 2013 made the process of obtaining patients' permission for use of their information in medical research projects more streamlined. Previously, healthcare organizations often needed to obtain multiple authorizations from patients to use their information for research studies and clinical trials.
OCR notes in the guidance that the HIPAA Omnibus final rule stated that, with "regard to future research authorizations, the requirement to describe 'each purpose' means that such authorizations do not need to specify each specific future study if the particular studies to be conducted are not yet determined; rather, the authorization must adequately describe such purposes such that it would be reasonable for the individual to expect that his or her protected health information could be used or disclosed for such future research."
"This will be helpful for patients who are willing to have data used in the future and covered entities that participate in research."
—Kirk Nahra, Wiley Rein
Nahra notes: "While this may seem like a weakening of the rule, it actually creates a more meaningful opportunity for individuals to permit utilization of their data in the future, even if the specific research project for the future is not yet defined. This will be helpful for patients who are willing to have data used in the future and covered entities that participate in research."
In the guidance, OCR notes that an authorization for uses and disclosures of PHI for future research must contain "an expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure."
Right to Revoke Authorization
The guidance notes that the HIPAA Privacy Rule establishes an individual's right to revoke an authorization for uses and disclosures of PHI for research, in writing, at any time, except to the extent that the covered entity has taken action in reliance on the authorization.
A HIPAA authorization can allow a covered entity to use or disclose an individual's PHI for its own research purposes or disclose PHI to another entity for that entity's research activities, the guidance explains.
"Thus, revocation of an authorization limits a covered entity's own continued use of the health information for research that was conducted based on the authorization, and prevents the covered entity from making future disclosures for research purposes based on the authorization," the guidance states.
The guidance notes that in cases where research is conducted by the covered entity, the organization could continue using or disclosing the PHI, even if the patient revokes authorization, to the extent necessary to maintain the integrity of the research. A covered entity also could continue to use the PHI it collected for research purposes for permitted healthcare operations, such as quality assessment activities.
An individual's right to revoke consent for PHI to be used in future research creates some potential complications for organizations, Nahra says.
"This guidance seems to say that the CE has to police what it does with the data if a patient revoked [consent] but also seems to say that this does not necessarily extend to others to whom the data has been disclosed," he says.
"Keep in mind that research entities also have to incorporate the Common Rule so that will be an additional restriction on some of these future projects, he notes, referring to the federal regulation related to principles in research involving human subjects.
"Covered entities generally will want to keep track of to whom they have disclosed this data, and should evaluate how far they want to go in a particular patient revocation situation," he says. "I doubt this will happen a lot, so companies probably can address each individual situation on its own."