Among the many mandates of the 21st Century Cures Act,1 Congress required the Secretary of the U.S. Department of Health and Human Services (HHS) to issue guidance to clarify certain research-related issues on accessing, sharing and using health data subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

In response to this mandate, HHS’ Office for Civil Rights (OCR) recently issued guidance on:

  1. Permitting remote access for reviews preparatory to research.
  2. Authorizations permitting the use or disclosure of protected health information (PHI) for future research purposes.

Remote Access for Reviews Preparatory to Research

Generally, a covered entity may use and disclose PHI for activities preparatory to research (e.g., protocol development, study recruitment), so long as the covered entity obtains the following oral or written representations from the researcher:

  • That use or disclosure of PHI is necessary to prepare a research protocol or to otherwise prepare for research.
  • That no PHI will be removed from the covered entity by the researcher while the review is being conducted.
  • That the PHI is necessary for the research purposes.2

In December 2017, OCR issued guidance to clarify that remote access to PHI by researchers in connection with preparatory-to-research activities should not, in and of itself, constitute “removal” of PHI from the covered entity. Specifically, OCR concluded that “remote access” is not itself the removal of PHI. However, activities such as printing, downloading, copying, saving, or otherwise controlling and retaining PHI would be considered the removal of PHI from a covered entity, and thus are not permitted under the preparatory-to-research exception. OCR also explained that the grant of remote access to PHI to a researcher for preparatory-to-research activities requires a covered entity to comply with all relevant Privacy Rule and Security Rule standards. This means that, in addition to obtaining the above representations from the researcher, the covered entity must have appropriate safeguards in place to limit and control the remote access (e.g., access, integrity, authentication, encryption controls).

OCR further explained that a covered entity may rely on a researcher’s representations that he or she will not remove PHI from the covered entity through remote access, but only if the covered entity first determines that it would be reasonable to rely on such representations under the circumstances. For example, relying on an employed researcher’s representations may be reasonable because the access would be managed through the covered entity’s privacy and security policies and the covered entity retains employer–employee oversight. Something more may be required, however, for a covered entity to grant remote access to an independent researcher without a prior relationship, such as view-only access to PHI that prevents copying, printing, saving, data scraping, faxing or otherwise downloading.

Ultimately, a covered entity must conduct a risk analysis when selecting an appropriate remote-access solution to permit access to its patients’ electronic PHI. For example, if the covered entity’s remote access software automatically downloads files containing PHI onto a researcher’s computer for temporary storage, the covered entity must implement safeguards to ensure that the downloaded files are not retained. Depending on the circumstances, it may be reasonable for the covered entity to rely on the researcher’s representations that downloaded files are encrypted and purged as soon as their preparatory-to-research need is complete. In other instances, the covered entity should implement more robust safeguards, such as purging temporarily stored data when the remote connection is terminated.

Authorization of Uses and Disclosures of PHI for Research

In separate guidance, OCR (a) stated its intention to provide future guidance on circumstances in which an authorization contains sufficient description to allow for future research uses and disclosures, and (b) clarified how and when an individual must be informed of the right to revoke authorization for research uses and disclosures of PHI.

HIPAA Authorizations for Future Research and the Description of the Purpose of the Use or Disclosure Being Authorized

In the preamble to the 2013 HIPAA Omnibus Final Rule, OCR modified its prior position on authorizations for research by stating that authorizations may permit future research so long as the purpose of the future research is described with sufficient clarity that it would be reasonable for a research subject to expect that his or her PHI would be used for the described future research.

The generality of this standard has caused some confusion as to what constitutes sufficient detail to allow future research. In its recent statement, OCR agreed to convene a working group to analyze how PHI is used for research purposes. This working group may address what constitutes a sufficient description of future research and may issue a report on this topic. Until then, the limited preamble guidance to the HIPAA Omnibus Final Rule remains. In the guidance, OCR emphasized that an authorization for uses and disclosures of PHI for future research must contain a statement that the authorization will expire either on a particular date or as the result of an expiration event that is related to the research subject or to the purpose of the use or disclosure. OCR allowed flexibility on what this statement could be by providing the following examples: “end of the research study,” “none” and “unless and until revoked by the individual.”

The Right of an Individual to Revoke Authorization

An authorization to use and disclose PHI for research purposes must inform the research subject of his or her right to revoke authorization in writing and must contain either (i) the exceptions to the right to revoke and a description of how the individual may revoke authorization, or (ii) a reference to the relevant covered entity’s Notice of Privacy Practices.6

In its guidance, OCR reminded readers that revoking an authorization does not necessarily mean that research subjects’ PHI already obtained for research may not continue to be used for that research purpose. If the researcher is a covered entity, the researcher may continue to use PHI that was obtained pursuant to a research authorization to the extent that the researcher has already relied on the authorization and needs to continue to use the PHI to maintain the integrity of the research data or similar purpose. Similarly, revocation of an authorization would not prevent the continued use or disclosure of the PHI by a non-covered entity that received it pursuant to a valid authorization.

OCR clarified that a covered entity is not required to remind research subjects of their right to revoke authorization. Circumstances may arise in which a reminder may be appropriate, such as when a subject expresses a desire to be reminded, or when a minor subject whose authorization was granted by a parent or guardian reaches the age of majority. However, even in these circumstances, the covered entity does not have an affirmative obligation to remind subjects of their right to revoke a research authorization.

OCR also explained that a valid authorization must describe the process by which a research subject can revoke the authorization. A covered entity may establish reasonable procedures, such as requiring use of a standard revocation form, so long as the process is not unduly burdensome and would not create a delay in allowing the subject to exercise his or her revocation right. A covered entity cannot require research subjects to use a particular method, such as an online portal, unless the method is reasonably available to all subjects.

Finally, OCR pointed out that a revocation is effective only when the covered entity receives the revocation or has knowledge that the authorization has been revoked. For example, a written revocation provided by a research subject to the third party that obtained the authorization would not be effective until the third party informed the covered entity that authorization had been revoked. Conversely, if a research subject orally tells a covered entity that the subject has revoked his or her authorization in writing, the covered entity will be deemed to “know” that the authorization has been revoked and can no longer rely on it as valid. If a research subject merely tells the covered entity that he or she is revoking authorization but fails to also revoke authority by written means, the covered entity may choose to honor such request, but the HIPAA Privacy Rule imposes no obligation to do so.