The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) recently issued guidance regarding the use and disclosure of individuals’ Protected Health Information (PHI) (e.g., hospital bills, medical records, lab reports, etc.) for research under the Health Insurance Portability and Accountability Act (HIPAA). This was in response to the 21st Century Cures Act of 2016, which required HHS to clarify circumstances around authorizations to use and disclose PHI for research. This post will discuss the impact of the Cures Act on HIPAA’s Privacy Rule and highlight circumstances in which covered entities can use or disclose PHI for research under HIPAA.
HIPAA’s Privacy Rule allows covered entities to disclose PHI to researchers, public health, and health care operations for research purposes if the individual whose PHI will be disclosed provides written authorization and the authorization includes a description of each purpose of the requested use or disclosure.
The Privacy Rule aims to balance the privacy rights of an individual with the ability of researchers to access PHI needed to conduct vital research. As a result, the Privacy Rule’s provisions on authorizations to use and disclose PHI for research have been clarified to ensure that authorizations include specific requirements. A HIPAA-compliant authorization must include:
The Privacy Rule establishes an individual’s right to revoke his/her prior authorization, in writing, at any time.
When an individual revokes his/her authorization, a covered entity is prohibited from using or disclosing the PHI for its own use, and is further prohibited from making future disclosures to other entities for research purposes.
There are, however, limitations to an individual’s right to revoke. The right does not apply to PHI that was used or disclosed prior to the individual’s request to revoke. Therefore, a covered entity may continue to use and disclose PHI obtained prior to revocation to the extent necessary to maintain the integrity of the research.
Covered entities are not required to provide individuals with an annual reminder of their right to revoke an authorization. However, the Privacy Rule does require that covered entities provide individuals with a copy of their signed authorizations annually to ensure that they are aware that their data is still in use and to remind them of their right to revoke. In cases concerning minors, covered entities may reach out to the individual once they have turned 18 to reassess authorization (which was signed by a parent or guardian before) and allow the individual the opportunity to revoke.
Another major impact of the Cures Act on the Privacy Rule is that covered entities can now disclose PHI without the authorization of individuals. However, this can only be done under limited circumstances. To continue using an individual’s PHI for research purposes, the covered entity must obtain a waiver with documented Institutional Review Board (IRB) or Privacy Board approval. The waiver allows the covered entity to continue using the data for research. In order to obtain this waiver from the IRB or a Privacy Board, the Privacy Rule requires that:
For many healthcare organizations, research activities used to enhance patient safety, improve health, find new cures, stop fraud and abuse, and optimize processes are paramount. With this in mind, covered entities need to balance the interests of the organization against the privacy of individuals’ PHI. The implementation of the Cures Act provides healthcare organizations with a way to conduct this critical research while simultaneously meeting the requirements of the HIPAA Privacy Rule.
Focal Point specializes in helping organizations build HIPAA compliance programs that enable covered entities to meet the requirements of this industry regulation while also implementing sound, well-designed privacy processes that keep personal data secure and manageable.
Disclaimer: Focal Point Data Risk, LLC is not a law firm and does not provide legal advice. This content is intended for informational purposes only.