New guidance from OCR regarding protected health information
The U.S. Department of Health and Human Services Office of Civil Rights (OCR) has issued new guidance on HIPAA and individual authorization of uses and disclosures of protected health information (PHI) for research, as called for in the Cures Act. The new guidance provides some background on HIPAA related to provisions on authorizations for research purposes and clarifies the language of 42 CFR § 164.508, elaborating on three topics identified in the Cures Act.
(1) The circumstances under which the authorization contains a sufficient description of the purpose of a use or disclosure for future research authorizations
OCR couches the guidance provided on this particular section as interim guidance, stating that it is engaging in additional discussions before finalizing what constitutes a sufficient description. The interim guidance provides that a description of purpose is considered sufficient if it reasonably puts the individual on notice to expect that the PHI could be used or disclosed in future research.
(2) The circumstances under which an entity should provide an individual with an annual reminder of that individual’s right to revoke an authorization
Noting that annual reminders of the right to revoke authorizations are not required, OCR states that it may be appropriate to send reminders when the entity gives the individual the option of receiving reminders and that individual opts in, or where the participant was a minor at the time of the original authorization, and the entity sends a reminder upon the individual turning eighteen.
(3) The appropriate means by which an individual can revoke an authorization for future research purposes
An individual has the right to revoke an authorization at any time by providing notice of such revocation in writing, the process by which is to be included on the authorization itself. Entities may institute reasonable procedures for revocation, such as by using a standard form or creating a revocation submission page on a patient’s electronic health record portal. For a revocation to be effective, the covered entity must have knowledge of it. But having knowledge of the written revocation does not require that the covered entity actually receive it.