HIPAA Authorization for Research: HHS Issues Interim Guidance on Authorization Sufficiency

In the final days of his presidency, Barack Obama signed the 21st Century Cures Act, a sweeping medical innovation bill intended to boost funding for medical research, simplify the approval process for pharmaceutical products and improve the exchange of health information. This bill set several deadlines for federal agencies. Notably, by December 2017, the US Department of Health and Human Services (“HHS” or the “Department”) was to issue guidance clarifying when an individual’s authorization for a HIPAA-covered entity or others to use or disclose his or her protected health information (“PHI”) for future research purposes contains a sufficient description of the purpose for the use or disclosure.¹ Having missed its deadline and presumably feeling pressure to issue some direction, the Department issued interim guidance in early June. Below we discuss three key takeaways for businesses from this interim guidance after briefly reviewing the relevant statutory and regulatory background.

HIPAA and Its Privacy Rule

As an initial matter, the Health Insurance Portability and Accountability Act’s (“HIPAA”) privacy regulation (the “Privacy Rule”) applies to “covered entities,” such as health care providers or health insurers, and to their service providers (i.e., their “business associates”). Moreover, many companies that are not covered entities or business associates may nonetheless have to comply with the Privacy Rule through contractual relationships with HIPAA-covered entities. 

The Privacy Rule defines “research” as “a systematic investigation . . . designed to develop or contribute to generalizable knowledge.”² Research, be it medical or nonmedical, is an essential tool to gain more insight into a subject. Recognizing the importance of both protecting individuals’ PHI and ensuring that entities have access to this data to conduct vital research, the Privacy Rule contains provisions designed to balance these competing interests. For instance, it provides that, with limited exceptions, a covered entity or business associate shall not use or disclose an individual’s non-de-identified PHI to a third party for research purposes absent a valid authorization.³ Put differently, an entity may use or disclose an individual’s PHI for future research provided that the individual consents to the use or disclosure. 

A valid authorization must be written in plain language and contain “specific core elements,” including a “description of each purpose of the requested use or disclosure” and “[a]n expiration date or an expiration event” for the use or disclosure.⁴ Indicating that an authorization will expire at the “end of the research study” or even that it won’t expire at all satisfies the expiration.⁵ Furthermore, an authorization must generally state that an individual has the “right to revoke” the authorization in writing and provide instructions as to how an individual may revoke the authorization or reference the relevant sections of a Notice of Privacy Practices.⁶

The Department’s Interim Guidance

Satisfying the “Purpose” Provisions for Future Research

The Department’s first guidance is actually a re-clarification of an outmoded interpretation. In 2002, when HHS adopted the Privacy Rule, it interpreted the “each purpose” language of the “purpose” provision in the rule to require that an authorization for research be “study specific.”⁷ Thus, if a future research project for which an individual’s PHI would be used or disclosed was not specified in the initial authorization, an entity seeking to use or disclose the individual’s PHI for that research project would need to obtain a new authorization. 

In 2013, the Department modified that interpretation, concluding that, to satisfy the purpose provision, an authorization for “uses and disclosures of [PHI] for future research purposes must adequately describe such purposes such that it would be reasonable for the individual to expect that his or her [PHI] could be used or disclosed for such future research.”⁸ The Department merely repeated this point in its interim guidance.⁹ Of note, however, HHS said that it was characterizing its guidance as “interim” because it wants to consider further what “constitutes a sufficient description such that it would be reasonable for the individual to expect that the PHI could be used or disclosed for such research.”¹⁰

Revocation Can Constitute an “Expiration Event” for Use or Disclosure

The Department’s second point is more straightforward. HHS provided an example of language that would suffice for the requirement that an authorization include an expiration date or event for an entity’s use or disclosure of PHI—e.g., the authorization could state that it “will remain valid unless and until it is revoked by the individual.”¹¹ In other words, revocation by an individual constitutes an “expiration event” under the Privacy Rule. 

Suggestions Regarding Revocation

The Department’s final guidance consists of several suggestions regarding revocation. First, while acknowledging that the Privacy Rule doesn’t require an entity to provide periodic reminders about an individual’s right to revoke an authorization, HHS says that an entity might nonetheless ask an individual whether he or she would like to receive such a reminder when obtaining an authorization and also remind a “minor participant who reaches the age of majority of [his or her] right to revoke a HIPAA authorization originally signed by [the minor’s parent].”¹² Second, the Department “encourages” entities to establish processes that help individuals exercise their right of revocation.¹³ It suggests, for example, that a health care provider could make authorization available on electronic health record portals and allow individuals to submit a revocation through the portal. Lastly, the Department suggests that, even though the Privacy Rule requires a written revocation, an entity may stop using or disclosing PHI based on an oral request from an individual.¹⁴

¹ See Pub. L. 114-255 § 2063(b).

² 45 C.F.R. § 164.501.

³ 45 C.F.R. § 164.508(a)(1).

⁴ Id. § 164.508(c)(1)(iv),(v).

⁵ Id. § 164.508(c)(1)(v).

⁶ Id. § 164.508(c)(2).

⁷ 67 Fed. Reg.53182, 53226 (Oct. 15, 2002).

⁸ 27 Fed. Reg. 5566, 5612 (Jan. 25, 2013).

⁹ See HHS, Guidance on HIPAA and Individual Authorization of Uses and Disclosures of Protected Health Information for Research Interim Guidance, available at https://www.hhs.gov/sites/default/files/hipaa-future-research-authorization-guidance-06122018 v2.pdf (June 1, 2018).

¹⁰ Id.

¹¹ Id.

¹² Id.

¹³ Id.

¹⁴ Id.