January 23, 2020


HHS Office for Civil Rights Issues Updated HIPAA and Research Guidance in Response to 21st Century Cures Act Mandate

Last month, the Department of Health and Human Services Office for Civil Rights (“OCR”) issued two new HIPAA guidance documents on research uses and disclosures of PHI, fulfilling a mandate in the 21st Century Cures Act (Public Law 114-255) (the “Act”). Although the documents largely reaffirm prior guidance, they also contain helpful new information and collect guidance that was previously spread across numerous sources into a single location. The first document focuses on research authorizations and revocations:

  • HIPAA Authorization Expiration Date: OCR reaffirmed the existing requirement that an authorization must contain an expiration date or event, which, for research disclosures, can be a statement such as “end of the research study,” “none,” or “unless and until revoked by the individual.”

  • HIPAA Authorizations for Future Research: OCR restated its position in the Omnibus Rule preamble that authorizations can cover future research projects if there is a sufficient description of that research. However, OCR acknowledged that additional guidance on what constitutes a “sufficient description” would be helpful.  For now, OCR made clear that the Privacy Rule gives covered entities and researchers flexibility in describing the future research and the health information to be used or disclosed, so long as the description reasonably puts the individual on notice that his or her protected health information (“PHI”) could be used or disclosed for the future research (e.g., a notice that certain sensitive information may be used in future research). OCR emphasized it is not requiring a fixed level of detail and will continue working with other federal partners to provide additional guidance in the future.

  • Right to Revoke Authorization: OCR reaffirmed that revoking an authorization will not necessarily prevent the continued use and disclosure of information that has already been used or disclosed in reliance on the authorization. For example, revoking an authorization does not prevent the continued use or disclosure of information by a non-covered entity that already received it pursuant to the authorization. In addition, a covered entity may continue to use and disclose PHI that was obtained before the individual revoked the authorization “to the extent that the entity has taken action in reliance on the authorization,” including to the extent necessary to maintain the integrity of the research (i.e., to account for a subject’s withdrawal from the research study, to investigate scientific misconduct or to report adverse events) and for other activities that would be permitted by the Privacy Rule without the individual’s authorization. OCR confirmed that covered entities are not required to remind individuals of their right to revoke an authorization, though OCR encouraged covered entities to establish processes that make it easy for an individual to revoke an authorization and reaffirmed the prohibition on unduly burdensome processes. Finally, OCR clarified when revocations take effect (i.e., only once the covered entity receives the revocation or has knowledge of it, whichever occurs first).

The second research-related document contains helpful guidance for covered entities on avoiding HIPAA liability when granting remote PHI access to researchers. OCR affirmed that the HIPAA Privacy Rule does not prohibit a researcher from accessing PHI (without individual authorization) through a remote access connection as a review preparatory to research, provided reasonable and appropriate safeguards are in place (described below). Because the HIPAA “reviews preparatory to research” provisions prohibit “removal” of PHI from the covered entity, the most helpful part of this document is its explanation of when such “removal” occurs.

  • Although remote access involves the transmission of electronic PHI, OCR confirmed that such transmissions do not constitute removal of PHI from a covered entity unless the researcher prints, downloads and saves, copies, or otherwise retains the PHI. In particular, OCR confirmed that even temporary storage of PHI on a researcher’s computer constitutes removal of PHI from the covered entity unless technical safeguards that prevent PHI retention are in place. In practice, this means a covered entity should not rely on a researcher’s stated intention alone where the remote access method itself would leave copies on the researcher’s device; the access method must be configured so that retention is not possible.

  • OCR provided several examples of the circumstances under which it is reasonable for a covered entity to rely on representations from researchers that they will not remove PHI (e.g., where the researcher is an employee or contractor of the covered entity and there are agreements in place to manage the misuse of PHI or where there are technical safeguards providing view-only access in place).

© Copyright 2020 Squire Patton Boggs (US) LLP


About this Author

Elliot Golding, Privacy and Cybersecurity Attorney, Squire Patton Boggs

Elliot Golding is a member of Squire Patton Boggs' Data Privacy & Cybersecurity Practice and Healthcare Industry Group leadership team, where he provides business-oriented privacy and cybersecurity advice to a wide range of clients, with a particular focus on companies handling healthcare and other personal data. He was selected as an honoree in Global Data Review’s inaugural 40 Under 40 list, which recognizes those who “represent the best and the brightest of the data law bar around the world.”

Elliot partners with clients to proactively...

Anne Harrington, Energy Attorney, Denver, Squire Patton Boggs

Anne Harrington counsels clients in the energy and natural resources industries on a wide range of regulatory, administrative and public policy concerns ranging from compliance with federal and state environmental, health and safety laws, to Western public lands laws, to obtaining regulatory approvals.

Additionally, she draws from her past experience as a legal analyst and compliance deputy for an international biopharmaceutical and vaccines company and her training in bioethics to represent healthcare and health data companies. She advises clients ranging from small physician practices to state health information exchanges on federal and state regulatory issues with a focus on data privacy.

Energy and Natural Resources

In her energy and natural resources practice, Anne regularly advises national and international companies on regulatory compliance with state and federal health and safety laws, helps to manage company responses to regulatory inspections, investigations, citations, accidents and whistleblower actions, and defends companies in resulting state and federal enforcement actions (primarily MSHA and OSHA). She has substantial experience in drafting state and federal legislation, advising clients on public policy implications of legislative efforts, participating in federal notice and comment rulemaking efforts, and working with clients to devise and execute public policy strategies, including Congressional outreach, to address federal agency matters.


Anne has deep experience in developing risk management strategies, drafting privacy and security policies; negotiating complex data agreements with unique data privacy questions; and ensuring compliance with state and federal laws such as HIPAA and HITECH; 42 CFR Part 2, state laws and guidance governing privacy, security and breach notification; and the Children’s Online Privacy Protection Act.

In addition to her work as a lawyer, she has taught medical ethics at a large state university and sits on the ethics committee of a nationally-ranked children's hospital.


Energy and Natural Resources

  • Representing oil and gas, gold, silver, trona ore, potash, copper and nickel mining companies operating on BLM and USFS land in Colorado, California, Nevada, Minnesota and Arizona, on matters arising under federal land management and environmental statutes, the General Mining Laws, Mineral Leasing Acts and counterpart state laws.

  • Representing one of the world’s largest oil industry service companies in connection with development of hydraulic fracturing disclosure and methane emission regulations in Colorado. This included securing permits for a water recycling facility to serve oil and gas well drilling contractors – a first of its kind operation – under Colorado recycling regulations.

  • Successfully negotiating major settlement with Mine Safety and Health Administration to avoid a crippling “pattern violator” designation for large Western mining client.

  • Handling multiple unwarrantable failure and flagrant citations issued by MSHA and litigating multiple employment discrimination claims under Section 105(c) of the Mine Act.