HHS Office for Civil Rights Issues Updated HIPAA and Research Guidance in Response to 21st Century Cures Act Mandate
Last month, the Department of Health and Human Services Office for Civil Rights (“OCR”) issued two new HIPAA guidance documents regarding research uses and disclosures of PHI, fulfilling a mandate in the 21st Century Cures Act (Public Law 114-255) (the “Act”). Although the documents largely reaffirm prior guidance, they also contain useful new information and collect guidance previously scattered across numerous sources into a single location. The first document focuses on research authorizations and revocations:
HIPAA Authorization Expiration Date: OCR reaffirmed the existing requirement that an authorization must contain an expiration date or event, which, for research disclosures, can be a statement such as “end of the research study,” “none,” or “unless and until revoked by the individual.”
HIPAA Authorizations for Future Research: OCR restated its position in the Omnibus Rule preamble that authorizations can cover future research projects if there is a sufficient description of that research. However, OCR acknowledged that additional guidance on what constitutes a “sufficient description” would be helpful. For now, OCR made clear that the Privacy Rule gives covered entities and researchers flexibility in describing the future research and the health information to be used or disclosed, so long as the description reasonably puts the individual on notice that his or her protected health information (“PHI”) could be used or disclosed for the future research (e.g., a notice that certain sensitive information may be used in future research). OCR emphasized it is not requiring a fixed level of detail and will continue working with other federal partners to provide additional guidance in the future.
Right to Revoke Authorization: OCR reaffirmed that revoking an authorization will not necessarily prevent the continued use and disclosure of information that has already been used or disclosed in reliance on the authorization. For example, revoking an authorization does not prevent the continued use or disclosure of information by a non-covered entity that already received it pursuant to the authorization. In addition, a covered entity may continue to use and disclose PHI that was obtained before the individual revoked the authorization “to the extent that the entity has taken action in reliance on the authorization,” including to the extent necessary to maintain the integrity of the research (i.e., to account for a subject’s withdrawal from the research study, to investigate scientific misconduct or to report adverse events) and for other activities that would be permitted by the Privacy Rule without the individual’s authorization. OCR confirmed that covered entities are not required to remind individuals of their right to revoke an authorization, though OCR encouraged covered entities to establish processes that make it easy for an individual to revoke an authorization and reaffirmed the prohibition on unduly burdensome processes. Finally, OCR clarified when revocations take effect (i.e., only once the covered entity receives the revocation or has knowledge of it, whichever occurs first).
The second research-related document contains helpful guidance for covered entities to avoid HIPAA liability when granting remote PHI access to researchers. OCR affirmed that the HIPAA Privacy Rule does not prohibit a researcher from accessing PHI (without individual consent) through a remote access connection as a review preparatory to research, provided reasonable and appropriate safeguards are in place (described below). Given that the HIPAA “reviews preparatory to research” provisions prohibit “removal” of PHI from the covered entity, the most helpful part of this document is defining when such “removal” occurs.
Although remote access involves the transmission of electronic PHI, OCR confirmed that such transmissions do not constitute removals of PHI from a covered entity unless the researcher prints, downloads and saves, copies, or otherwise retains the PHI. Notably, OCR confirmed that even temporary storage of PHI on a researcher’s computer constitutes removal of PHI from the covered entity unless technical safeguards that prevent PHI retention are in place.
OCR provided several examples of the circumstances under which it is reasonable for a covered entity to rely on representations from researchers that they will not remove PHI (e.g., where the researcher is an employee or contractor of the covered entity and there are agreements in place to manage the misuse of PHI or where there are technical safeguards providing view-only access in place).