New guidance from OCR regarding protected health information


Doctor typing

The U.S. Department of Health and Human Services Office of Civil Rights (OCR) has issued new guidance on HIPAA and individual authorization of uses and disclosures of protected health information (PHI) for research, as called for in the Cures Act. The new guidance provides some background on HIPAA related to provisions on authorizations for research purposes and clarifies the language of 42 CFR § 164.508, elaborating on three topics identified in the Cures Act.

(1)  The circumstances under which the authorization contains a sufficient description of the purpose of a use or disclosure for future research authorizations  

OCR couches the guidance provided on this particular section as interim guidance, stating that it is engaging in additional discussions before finalizing what constitutes a sufficient description.  The interim guidance provides that a description of purpose is considered sufficient if it reasonably puts the individual on notice to expect that the PHI could be used or disclosed in future research.

(2) The circumstances under which an entity should provide an individual with an annual reminder of that individual’s right to revoke an authorization

Noting that annual reminders of the right to revoke authorizations are not required, OCR states that it may be appropriate to send reminders when the entity gives the individual the option of receiving reminders and that individual opts in, or where the participant was a minor at the time of the original authorization, and the entity sends a reminder upon the individual turning eighteen.

(3) The appropriate means by which an individual can revoke an authorization for future research purposes

An individual has the right to revoke an authorization at any time by providing notice of such revocation in writing, the process by which is to be included on the authorization itself. Entities may institute reasonable procedures for revocation, such as by using a standard form or creating a revocation submission page on a patient’s electronic health record portal. For a revocation to be effective, the covered entity must have knowledge of it. But having knowledge of the written revocation does not require that the covered entity actually receive it.

Media Contact

Subscribe to Receive Updates
Jump to Page

Necessary Cookies

Necessary cookies enable core functionality such as security, network management, and accessibility. You may disable these by changing your browser settings, but this may affect how the website functions.

Analytical Cookies

Analytical cookies help us improve our website by collecting and reporting information on its usage. We access and process information from these cookies at an aggregate level.