The U.S. Department of Health and Human Services (“DHHS”) Office for Civil Rights (“OCR”) has issued new guidance for HIPAA-covered entities to streamline HIPAA authorizations for uses of protected health information (“PHI”) for research purposes. Under this guidance, authorizations for the use or disclosure of PHI for future research (or other purposes) must include a “description of each purpose of the requested use or disclosure. The statement ‘at the request of the individual’ is a sufficient description of the purpose when an individual initiates the authorization and does not, or elects not to, provide a statement of the purpose.” 45 C.F.R. § 164.508(c)(1)(iv). OCR views a description of future research purposes as compliant with 508(c)(1)(iv) if the description sufficiently describes the purposes such that it would be reasonable for the individual to expect that the PHI could be used or disclosed for such future research.
All authorizations must contain “an expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure.” 508(c)1)(v).When the authorization is for a use or disclosure of PHI for research, “including for the creation and maintenance of a research database or research repository,” the guidance provides that “the statement ‘end of the research study,’ ‘none,’ or similar language is sufficient.” Id.
Additional guidance is also provided on the right of research subjects to revoke the authorization. For the complete guidance, go to https://www.hhs.gov/sites/default/files/hipaa-future-research-authorization-guidance-06122018%20v2.pdf.
FYI, in case you are keeping track, this blog item is the fourth in the HIPAA potpourri series that Jon announced a few weeks ago in this blog. Stay tuned, same time, same station, next week, for the next item in the potpourri. As always, thanks for reading Jon’s blog, including this one about the new DHHS OCR HIPAA guidance on authorizations for PHI for research subjects, and remember to contact us if you need HIPAA compliance help. If you need help with drafting/updating/implementing your policies on this and other issues, you can find the help you need in the book by Jonathan P. Tomes, The Complete HIPAA Policies and Procedures Guide, with its accompanying CD of sample policies that you can easily make your own, available at http://www.veteranspress.com/product/hipaa-policies-and-procedures. Jon is still out of the loop for a while longer, but you can reach Alice at iammccart@gmail.com.