June 27, 2018
New help for HIPAA-protected organizations to streamline HIPAA approvals for uses of PHI for research purposes has been issued by the Division of Health and Human Services’ Office for Civil Rights, as needed by the 21st Century Cures Act of 2016.
The HIPAA Secrecy Law does allow protected organizations to use patients’ PHI for study without requesting individual permissions under specific situations, like if documented Institutional Review Board (IRB) or Privacy Board Authorization has been received – see 45 CFR § 164.512(i)(1)(i) and (ii). Nevertheless, in most instances, before using patients’ PHI for study, separate official authorizations should be obtained from patients in writing. Without a legal permission from a patient in question, their PHI can only be used or issued for purposes allowed by the Secrecy Law.
The new help summarizes the content that should be included in separate approvals to comply with HIPAA requirements.
OCR summarize that separate approvals should:
- Be specified in simple language to make sure they can be simply understood;
- Include, in a particular and meaningful way, an explanation of the data that will be used and disclosed;
- List the names of the people allowed to disclose and get the research;
- An explanation of the reason for the requested use or exposure, and;
- An end date or end time after which the permission will no longer be lawful.
Along with this, the separate approval should state outright the following rights of the person:
- The right to take away approval in writing and any exclusions to that right;
- An explanation of how that privilege can be used;
- The capability, or lack of, to condition treatment, payment, registration, or entitlement for benefits on the approval, and;
- The probability for information unveiled in line with the approval to be disclosed by the receiver and no longer be protected by the HIPAA Secrecy Law.
There has been some misunderstanding about the matter of separate approvals regarding research going forward, which might not have been decided at the time that the approval is received. In such cases, the requirement to ‘each purpose’ that PHI will be used or unveiled might not be possible.
OCR has described that in such cases, particular future uses don’t need to be summarized. In its place, to adhere with 45 CFR § 164.508(c)(1)(iv) “the approval should sufficiently explain such reasons such that it would be sensible for the person to expect that his or her PHI might be used or unveiled for such future research.”
OCR also specified that the requirement to describe “an end date or an expiration event that links to the individual or the purpose of the use or exposure,” and describes it is sufficient “to state ‘conclusion of the research study,’ ‘none,’ or similar language,” like when the PHI will be included in the formation and maintenance of a research database or study repository. It is also permissible to state, “the approval will remain legal unless and until it is canceled by the person.”
Although patients are given the right to cancel an approval in writing at any time, there will be cases when using that right will not affect the person’s PHI from being used in a specific research study. Patients must be aware of this when giving their approval.
“A protected unit might carry on to use and unveil PHI that was gotten prior to the person canceled approval to the extent that the unit has taken action in reliance on the approval,” states OCR. “In instances where the research is carried out by the protected unit, the exception to cancelation would allow the protected unit to carry on using or unveiling the PHI to the extent required to keep the integrity of the research —for instance, to justify a subject’s removal from the research study, to carry out examinations of scientific misconduct, or to report adverse occasions.”
OCR says that it is not essential for periodic warnings regarding the right to cancel approval to be issued to patients as patients should be supplied with a copy of the initialed approval in which their rights will be defined. Nevertheless, protected bodies are persuaded to put in place processes for the cancelation of approvals like developing a standard cancelation form or adding existing approvals to a patient portal and allowing cancelations to be filed through that portal.