The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) recently issued guidance regarding the use and disclosure of individuals’ Protected Health Information (PHI) (e.g., hospital bills, medical records, lab reports, etc.) for research under the Health Insurance Portability and Accountability Act (HIPAA). This was in response to the 21st Century Cures Act of 2016, which required HHS to clarify circumstances around authorizations to use and disclose PHI for research. This post will discuss the impact of the Cures Act on HIPAA’s Privacy Rule and highlight circumstances in which covered entities can use or disclose PHI for research under HIPAA.

The Impact of the Cures Act on the HIPAA Privacy Rule

The Cures Act was signed into law on December 12, 2016, with the purpose of funding improvements to medical research, development, and medical device innovation. The Cures Act primarily focuses on improving mental health care and drug addiction treatment by expediting medical product development and research to advance clinical trials to bring treatments to market faster. As a result, the Cures Act required HHS to issue “Guidance Related to Streamlining Authorization” for uses and disclosures of PHI for research purposes under HIPAA and to provide further clarity around the requirements for disclosing PHI under the HIPAA Privacy Rule.


When Can Covered Entities Disclose PHI?

HIPAA’s Privacy Rule allows covered entities to disclose PHI to researchers, public health, and health care operations for research purposes if the individual whose PHI will be disclosed provides written authorization, and that authorization includes a description of each purpose of the requested use or disclosure.


Authorization Requirements

The Privacy Rule aims to balance the privacy rights of an individual with the ability of researchers to access the PHI needed to conduct vital research. As a result, the Privacy Rule’s provisions on authorizations to use and disclose PHI for research have been clarified to ensure that authorizations include specific requirements. A HIPAA-compliant authorization must include:

  • The name of the individual whose PHI will be used;
  • The name of the entity who will be using PHI for research;
  • A description of the purposes of use;
  • A set expiration date or event relating to the purpose and/or use of the disclosure; and
  • Instructions to the individual on how to revoke such authorization at any time.


The Right to Revoke

The Privacy Rule establishes an individual’s right to revoke his/her prior authorization, in writing, at any time.

When an individual revokes his/her authorization, a covered entity is prohibited from using or disclosing the PHI for its own purposes and from making future disclosures to other entities for research purposes.

There are, however, limitations to an individual’s right to revoke. The right does not apply to PHI that was used or disclosed prior to the individual’s request to revoke. Therefore, a covered entity may continue to use and disclose PHI obtained prior to revocation to the extent necessary to maintain the integrity of the research.


Providing Reminders of the Right to Revoke

Covered entities are not required to provide individuals with an annual reminder of their right to revoke an authorization. However, the Privacy Rule does require that covered entities provide individuals with a copy of their signed authorizations annually to ensure that they are aware that their data is still in use and to remind them of their right to revoke. In cases concerning minors, covered entities may reach out to the individual once they have turned 18 to reassess authorization (which was signed by a parent or guardian before) and allow the individual the opportunity to revoke.


Disclosing PHI without Authorization

Another major impact of the Cures Act on the Privacy Rule is that covered entities can now disclose PHI without the authorization of individuals. However, this can only be done under limited circumstances. To continue using an individual’s PHI for research purposes, the covered entity must obtain a documented waiver approved by an Institutional Review Board (IRB) or a Privacy Board. The waiver allows the covered entity to continue using the data for research. In order to obtain this waiver from the IRB or a Privacy Board, the Privacy Rule requires that:

  1. The disclosure of an individual’s PHI is limited to minimal risk (i.e., that the information will not be retained longer than necessary, and that the information will not be reused by another individual, entity, or research project);
  2. The research cannot be conducted without the approval of the waiver; and
  3. The research cannot be conducted without access to said PHI.

For many healthcare organizations, research activities used to enhance patient safety, improve health, find new cures, stop fraud and abuse, and optimize processes are paramount. With this in mind, covered entities need to balance the interests of the organization against the privacy of individuals’ PHI. The implementation of the Cures Act provides healthcare organizations with a way to conduct this critical research while simultaneously meeting the requirements of the HIPAA Privacy Rule.

Focal Point specializes in helping organizations build HIPAA compliance programs that enable covered entities to meet the requirements of this industry regulation while also implementing sound, well-designed privacy processes that keep personal data secure and manageable.


Disclaimer: Focal Point Data Risk, LLC is not a law firm and does not provide legal advice. This content is intended for informational purposes only.
