The 21st Century Cures Act of 2016 (Cures Act) mandated the Department of Health and Human Services (HHS) to simplify the authorization process for individuals who want to release Protected Health Information (PHI) for research purposes. Individual authorization is necessary if the information will be utilized or shared in any format other than aggregate (without patient identifiers, details specific to individual patient).
In June 2018, The HHS Office of Civil Rights (OCR) published the following guidance.
- Purpose of the Use and/or Disclosure for Future Research Authorizations
Purpose must be documented in a manner in which it is understood the individual is consenting to release PHI for “future” research (even if “future” studies not determined at the time of authorization).
- Expiration of Authorizations
Do not need to provide a specific date. It is sufficient to document “none”, “when research ends” or “when I revoke”.
- Right to Revoke Authorization
Authorization forms to release information for research purposes must contain
documentation pertinent to individual’s “right to revoke” and descriptions of how to invoke the “right to revoke”. Covered entities must provide individuals with a copy of the signed authorization for future reference pertinent to revocation authorization. (Some covered entities also notify individuals of this right on a consistent basis for the reason stated below).
It is imperative that the “revocation” be received by all parties who may receive/release the research information to avoid improper disclosure. For example, an individual may send notice of revocation to researcher. Researcher obtains PHI from hospital. Hospital will continue to release PHI unless researcher shares the revocation. The researcher is not obligated to notify the hospital of the revocation and/or may think the same revocation was submitted to the hospital.
See the full law here: Cures Act (Public Law No:114-255(12/13/2016)
For more information on the Cures Act, please contact Linda at 781-272-8001.