OCR Provides HIPAA Research Clarifications: Remote Access and Authorization for Future Use of Protected Health Information
Health Law Alert 07/31/18 Meghan C. O'Connor, Rachel H. Weiss, Sarah A. Erdmann
Great Scott, Marty McFly!
While not as exciting as a trip back to the future in a DeLorean, we think that Doc would have appreciated the OCR’s recent guidance on authorizations for future research (though we expect he would also have been impressed by anyone remotely accessing information).
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) recently issued guidance providing research-related clarifications regarding access to and use of health information subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The guidance—including guidance related to streamlining authorizations for uses and disclosures of protected health information (PHI) and remote access to PHI for activities preparatory to research—was released in response to mandates from the 21st Century Cures Act of 2016 (“Cures Act”).
This guidance, in conjunction with changes to the Federal Policy on the Protection of Human Subjects (Common Rule) effective July 2018, emphasizes the importance of understanding HIPAA compliance obligations in the research setting.
Authorizations for Future Research
In June, OCR issued interim guidance on individual authorizations for the use and disclosure of PHI for future research. This guidance stems from a Cures Act mandate calling for clarifications on requirements for authorizations for future research, including:
- Circumstances under which a research subject’s authorization for use or disclosure of PHI for future research purposes contains a sufficient description of the purpose of the use or disclosure;
- Circumstances under which it is appropriate to provide a research subject with an annual notice or reminder that the individual has the right to revoke such authorization; and
- Appropriate mechanisms by which a research subject may revoke an authorization for future research purposes.
Key takeaways from this guidance include:
Sufficient Description of Purpose
As a general matter, authorizations for the use or disclosure of PHI must include a description of each purpose of the requested use or disclosure. The 2013 Omnibus Final Rule preamble modified the OCR’s interpretation and clarified that, with regard to future research authorizations, the requirement to describe “each purpose” does not mean that the authorization needs to specify each specific future study but that the authorization must describe the purpose of the future research.
The OCR declined to prescribe specific statements in the Omnibus Rule, and the lack of specificity has caused some confusion as to what constitutes sufficient detail. The OCR’s June 2018 guidance provides slightly more information, clarifying that a description of purpose is viewed as sufficient if it reasonably puts the research subject on notice to expect that his or her PHI could be used or disclosed in future research. This guidance, taken in combination with the Omnibus Rule preamble discussion, is the total scope of the OCR’s guidance on this topic. We are hopeful that the OCR will add some definition as to what constitutes sufficient detail.
Expiration of Authorization
The June 2018 guidance also clarifies that an authorization for use and disclosure of PHI for future research must contain a statement that the authorization will expire on a particular date or event. Valid statements of expiration could include “at the end of the research study” or “none.” It is also sufficient for the authorization to state that it will remain valid unless and until it is revoked by the research subject.
Right to Revoke Authorization
An authorization to use and disclose PHI for research purposes must inform a research subject about the right to revoke the authorization, including any exceptions to this right or a reference to the covered entity’s Notice of Privacy Practices.
The June 2018 guidance reaffirms that covered entities may continue to use and disclose PHI obtained before the research subject revoked the authorization, to the extent the entity has taken action in reliance on the authorization (e.g., maintaining integrity of the research, quality assessment and improvement activities). Along these same lines, revocation of an authorization does not prevent continued use or disclosure of PHI by a non-covered entity that received such PHI pursuant to a valid authorization.
The guidance also clarifies that, while covered entities have the option to provide reminders regarding a research subject’s right to revoke a research authorization, such reminders are not required. Rather, a covered entity is merely required to provide a research subject with a copy of his/her signed authorization to ensure the research subject is aware of the ongoing potential for the uses and disclosures of PHI pursuant to an authorization that has not expired. The OCR does suggest that, while not an affirmative obligation, there are opportunities for covered entities to provide research subjects with reminders regarding this right to revoke; for example:
- Choosing to ask, while obtaining a research subject’s initial authorization, whether the research subject would like to receive reminder(s) in the future about the right to revoke; or
- Reminding minor participants who reach the age of majority of their right to revoke an authorization originally signed by the minor’s personal representative.
The OCR also noted that valid authorizations must describe the process by which a research subject may revoke the authorization (which may be accomplished in paper or electronic form). While covered entities may establish reasonable procedures for revocation (e.g., standard revocation form), such procedures should facilitate a research subject’s exercise of this right to revoke. In order for a revocation to be effective, the covered entity must have knowledge of the revocation. The guidance notes, however, that a covered entity may be considered to have knowledge of a revocation prior to actually receiving the revocation.
Remote Access to PHI for Activities Preparatory to Research
The OCR also issued separate Cures Act guidance regarding remote access to PHI. In general, covered entities may use and disclose PHI for activities preparatory to research (e.g., study recruitment/screening, development of protocols) as long as the entity obtains representations from the researcher that:
- Use or disclosure of PHI is necessary to prepare a research protocol or to otherwise prepare for research;
- No PHI will be removed from the covered entity by the researcher while the review is being conducted; and
- The PHI is necessary for research purposes.
This “preparatory to research” exception is not new. However, in December 2017, the OCR issued guidance discussing when a researcher’s remote access to PHI is appropriate under the preparatory-to-research exception, provided certain safeguards are in place. Specifically, the OCR clarified that remote access to PHI is not, in and of itself, removal of PHI. However, printing, downloading, copying, saving, data scraping, faxing, or otherwise giving a researcher outside the covered entity the ability to control or retain the PHI would be considered removal of PHI and would not be permitted under the preparatory-to-research exception.
Covered entities are permitted to rely on a researcher’s representation that the researcher will not remove PHI from the covered entity if the covered entity can demonstrate that such reliance is reasonable under the circumstances. However, while covered entities can rely on researcher representations, the OCR emphasized that covered entities should also implement appropriate safeguards. For example, covered entities should implement technical safeguards (e.g., view-only access settings, data integrity controls, authentication, encryption controls) rather than relying solely on researcher representations and administrative safeguards.
In the end, there are no prescribed safeguards. Instead, the OCR expects covered entities to conduct a risk analysis when selecting a remote access solution for their PHI. Covered entities may want to consider the relationship between the researcher and the institution (which can vary by researcher) as well as the type of data at issue, and implement remote access solutions that vary accordingly.
Organizations should be prepared for greater research-related attention from the OCR as HIPAA takes on a more prominent role in research. The updated Common Rule creates a new exemption category for certain secondary research activities that are regulated under HIPAA; because those activities fall outside Common Rule jurisdiction, HIPAA compliance (and therefore OCR oversight) becomes the primary regulatory lens for them. Entities should be mindful of the potential for increased OCR scrutiny of research-related HIPAA compliance activities.
With regard to this OCR guidance, organizations should confirm authorization templates are up to date to ensure that any authorization used for purposes of use and disclosure of PHI for future research contains a sufficient description of such purpose and the process by which a research subject may revoke the authorization. Be mindful that rolling out new authorization templates for ongoing and new studies can take time.
Covered entities should also review remote access practices and consider the available technical safeguards that can supplement existing policy and procedure administrative safeguards that apply to preparatory-to-research access to PHI.