Introduction

In the final days of his presidency, Barack Obama signed the 21st Century Cures Act, a sweeping medical innovation bill intended to boost funding for medical research, simplify the approval process for pharmaceutical products and improve the exchange of health information. The bill set several deadlines for federal agencies. Notably, by December 2017, the US Department of Health and Human Services (HHS) was to issue guidance clarifying when an individual's authorisation for a Health Insurance Portability and Accountability Act (HIPAA)-covered entity or others to use or disclose their protected health information for future research purposes contains a sufficient description of the purpose for its use or disclosure.(1) Having missed this deadline and presumably feeling pressure to issue some direction, HHS issued interim guidance in early June 2018. This update briefly reviews the relevant statutory and regulatory background before identifying three key takeaways for businesses from the interim guidance.

HIPAA and its privacy rule

As an initial matter, the privacy rule promulgated under HIPAA applies to "covered entities" (eg, healthcare providers or health insurers) and their service providers (ie, their "business associates"). In addition, companies that are not covered entities or business associates may nonetheless have to comply with the privacy rule through contractual relationships with HIPAA-covered entities.

The privacy rule defines 'research' as "a systematic investigation… designed to develop or contribute to generalizable knowledge".(2) Research – medical or otherwise – is an essential tool for gaining insight into a subject. The privacy rule recognises the importance of both protecting individuals' personal health information and ensuring that entities have access to this data to conduct vital research, and contains provisions designed to balance these competing interests. For instance, it provides that – with limited exceptions – a covered entity or business associate shall not use or disclose an individual's protected health information that has not been de-identified to a third party for research purposes without a valid authorisation.(3) In other words, an entity may use or disclose an individual's protected health information for future research provided that the individual has given a valid authorisation for the use or disclosure.

A valid authorisation must be written in plain language and contain "specific core elements", including a "description of each purpose of the requested use or disclosure" and "[a]n expiration date or an expiration event" for the use or disclosure.(4) Indicating that an authorisation will expire at the "end of the research study" – or even that it will not expire at all – is sufficient to satisfy this requirement.(5) Further, an authorisation must generally state that an individual has the "right to revoke" the authorisation in writing and provide instructions as to how they may do so, or reference the relevant sections of a Notice of Privacy Practices.(6)

HHS interim guidance

Satisfying 'purpose' provisions for future research

The department's first point is a restatement of its 2013 revision of an earlier, outmoded interpretation. In 2002, when HHS adopted the privacy rule, it interpreted "each purpose" in the 'purpose' provision of the rule as requiring that an authorisation for research be "study specific".(7) Thus, if a future research project for which an individual's protected health information would be used or disclosed was not specified in the initial authorisation, an entity seeking to use or disclose the individual's protected health information for that research project would need to obtain a new authorisation.

In 2013 HHS modified this interpretation, concluding that, to satisfy the purpose provision, an authorisation for:

uses and disclosures of [protected health information] for future research purposes must adequately describe such purposes such that it would be reasonable for the individual to expect that his or her [protected health information] could be used or disclosed for such future research.(8)

HHS merely repeated this point in its interim guidance.(9) However, it also stated that it had characterised the guidance as 'interim' because it wanted to consider further what "constitutes a sufficient description such that it would be reasonable for the individual to expect that the protected health information could be used or disclosed for such research".(10)

Revocation as an 'expiration event'

The department's second point is more straightforward. HHS provided an example of language that would suffice for the requirement that an authorisation include an expiration date or event for an entity's use or disclosure of protected health information; for example, the authorisation could state that it "will remain valid unless and until it is revoked by the individual".(11) In other words, revocation by an individual constitutes an 'expiration event' under the privacy rule.

Suggestions regarding revocation

HHS's final guidance consists of several suggestions regarding revocation.

First, while acknowledging that the privacy rule does not require an entity to provide periodic reminders about an individual's right to revoke an authorisation, HHS states that an entity might nonetheless ask an individual whether they would like to receive such a reminder when obtaining an authorisation, and also remind a "minor participant who reaches the age of majority of [their] right to revoke a HIPAA authorization originally signed by [the minor's parent]".(12)

Second, HHS encourages entities to establish processes that help individuals to exercise their right of revocation.(13) It suggests, for example, that a healthcare provider could make authorisations available on electronic health record portals and allow individuals to submit a revocation online.

Finally, HHS suggests that although the privacy rule requires a written revocation, an entity may stop using or disclosing protected health information based on an oral request from an individual.(14)

This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide.

Endnotes

(1) See Pub L 114-255 Section 2063(b).

(2) 45 CFR Section 164.501.

(3) 45 CFR Section 164.508(a)(1).

(4) Id Sections 164.508(c)(1)(iv), (v).

(5) Id Section 164.508(c)(1)(v).

(6) Id Section 164.508(c)(2).

(7) 67 Fed Reg 53182, 53226 (14 August 2002).

(8) 78 Fed Reg 5566, 5612 (25 January 2013).

(9) See HHS, "Guidance on HIPAA and Individual Authorization of Uses and Disclosures of Protected Health Information for Research Interim Guidance", 1 June 2018.

(10) Id.

(11) Id.

(12) Id.

(13) Id.

(14) Id.