On June 14, 2018, the U.S. Department of Health and Human Service’s Office for Civil Rights (OCR) issued guidance to the clinical research community about the proper content of HIPAA authorizations to use Protected Health Information (PHI) for future clinical research.
The Guidance was mandated by the federal 21st Century Cures Act (Cures Act), which among other things, encourages finding cures for disease and injury through scientific research. The Cures Act required OCR to address three points:
- What information will satisfy the “purpose” provision of a HIPAA authorization when the plan is for PHI to be used for future research that may not even be contemplated at the time the authorization is signed—e.g. when PHI will be placed in a research database or repository for use in as yet unspecified future research protocols?
- What is a sufficient expiration date or event for a HIPAA authorization for future research?
- What information must the authorization provide about the individual’s right to revoke the authorization and the mechanisms to accomplish revocation?
Purpose of Use or Disclosure:
The first question is difficult to answer when it means informing an individual about participation in research that may occur decades later, with PHI that does not yet exist, in a protocol not yet even imagined by the researcher. Acknowledging this dilemma, OCR chose to issue only interim guidance, which provides little useful assistance, while it continues to study the issue.
OCR views a description of future research purposes as compliant with 45 CFR §164.508(c)(1)(iv) if it sufficiently describes the purposes such that it would be reasonable for the individual to expect that the protected health information could be used or disclosed for such future research. This very general statement is echoed in the preamble to the 2017 revisions to the Federal Policy for the Protection of Human Subjects; 82 FR 7149 (January 19, 2017) (Common Rule). This preamble states that consents to participate in future research must include sufficient information to allow a reasonable person to expect that the broad consent would permit the types of research conducted.
Notably, IRB review will be required for some future research involving stored PHI. In these instances, the IRB will be asked to determine whether the now desired research was sufficiently within the contemplation of an individual who signed an authorization months or years prior. The IRB’s duty is to protect the ethical rights of individuals participating in research, particularly the right to give informed consent to research. Researchers may, therefore, find it beneficial to seek an informal consult from an IRB prior to drafting a HIPAA authorization for future unspecified research.
Until more detailed guidance is issued, researchers seeking an individual’s authorization for uses and disclosures of PHI in as yet unknown future research also should consider describing the categories of likely future research protocols, and highlight those categories that might give some individuals pause. For example, research involving embryonic stem cells or involving genetic modifications may be controversial, and some individuals may not want their PHI to be used in it.
Expiration Date or Event:
OCR provides definitive guidance regarding this element of a HIPAA authorization for future research. Compliant expiration dates or events can include “the end of the research,” “none,” or a statement that the authorization remains in effect unless and until the individual revokes it.
OCR’s response to this question is straightforward but offers little advice beyond the regulatory text of HIPAA. The authorization must inform the individual of the right to revoke, any exceptions to that right, and how to accomplish a revocation. OCR declines to mandate that the researcher periodically remind the individual of the right to revoke, but states that this is a permissive option for any researcher desiring to take this extra step.
OCR offers insights into what a revocation really means in the context of research but stops short of mandating that this information be provided to the individual in the authorization form. For example, a revocation would not prevent a Covered Entity researcher from continuing to use already-collected PHI “to maintain the integrity of the research—for example, to account for a subject’s withdrawal from the research study, to conduct investigations of scientific misconduct, or to report adverse events.” In addition, a Covered Entity researcher could continue to use PHI collected pursuant to the research authorization for non-research activities that are permitted without an authorization, such as quality assurance or improvement. OCR also notes that a revocation would not prevent a non-Covered Entity researcher from continuing to use PHI that it previously obtained from a Covered Entity pursuant to a valid authorization.
Finally, OCR states that the authorization must describe the process for an individual to revoke the authorization. The revocation must be in writing (paper or electronic) in order to be binding, but OCR notes that a Covered Entity may elect to honor an oral revocation. OCR encourages Covered Entities to establish user-friendly mechanisms for revocation.
Informed consent for the use and disclosure of PHI for future clinical research is challenging. OCR offers some guidance about how to satisfy HIPAA, but that guidance is of limited utility. In addition, clinical researchers also need to be aware of increasingly stringent state privacy laws (such as California’s recently enacted AB-375) as well as the European Union’s General Data Protection Regulations which can affect a host of U.S. entities. Careful drafting and a solid understanding of applicable legal requirements is required for any clinical researcher establishing a database or data repository for future clinical research.