June 17, 2018
The Division of Health and Human Services’ Office for Civil Rights has released new guidance for HIPAA-covered units to simplify HIPAA approvals for uses of PHI for research purposes, as needed by the 21st Century Cures Law of 2016.
Disclosure and Uses of PHI for Research
The HIPAA Secrecy Rule does permit protected units to use patients’ PHI for research without obtaining separate approvals under certain situations, such as if documented Institutional Review Board (IRB) or Privacy Board Consent has been taken – see 45 CFR § 164.512(i)(1)(i) and (ii). Nevertheless, in most instances, before using patients’ PHI for research, separate approvals should be obtained from patients in writing. Without a legal approval from a patient, their PHI can only be disclosed or used for purposes allowed by the Secrecy Law.
The new advice describes the content that should be included in individual approvals to meet HIPAA requirements.
OCR clarifies that individual approvals should:
• Be written in plain language to make sure they can be easily understood;
• Include, in a particular and meaningful fashion, an explanation of the information that will be used and disclosed;
• Include the names of the people allowed to disclose and get the information;
• An explanation of the purpose of the requested use or exposure, and;
• An ending date or ending event after which the approval will be illegal.
In addition, the separate approval should make clear the following rights of the person:
• The right to cancel approval in writing and any exclusions to that right;
• Details of how that right can be used;
• The ability or inability to condition payment, treatment, enrollment, or eligibility for benefits on the approval, and;
• The possibility for information exposed in accordance with the approval to be redisclosed by the receiver and no longer be safeguarded by the HIPAA Secrecy Law.
There has been some misunderstanding about the matter of separate approvals with respect to upcoming research, which might not have been decided at the time that the approval is obtained. In such conditions, the requirement to explain ‘each purpose’ that PHI will be used or exposed might not be possible.
OCR has explained that in such conditions, particular future uses don’t need to be described. Instead, to abide by 45 CFR § 164.508(c)(1)(iv) “the approval should sufficiently explain such purposes such that it would be reasonable for the person to expect that his or her PHI might be used or exposed for such future research.”
OCR also explains the requirement to include “an ending date or an ending happening that relates to the person or the aim of the disclosure or use,” and clarifies it’s enough “to state ‘conclusion of the research study,’ ‘none,’ or similar language,” such as when the PHI will be included in the formation and maintenance of a research databank or study repository. It is also allowed to state, “the approval will remain legal unless and until it is canceled by the person.”