The U.S. department of health and human Services (HHS) Office for civil rights (OCR) recently published new guidance on use of authorizations to use or disclose PHI for research and explains aspects of the individual’s right to revoke an authorization under the HIPAA Privacy Rule.
The guidance implemented a mandate in the 21st Century Cures Act of 2016, which is intended to accelerate the drug approval process and enhance medicinal research and streamline authorization under HIPAA for PHI utilization and disclosure for research.
OCR has addressed three areas of the act in its guidance:
- Description of the purpose of future research that the authorization relates to.
- Circumstances under which a covered entity should provide reminders to the individual concerning his or her right of revocation.
- And the appropriate systems for revocation.
OCR clarified that the HIPAA Privacy Rule affirms the person’s entitlement to revoke authorization of PHI use and disclosure for research in writing at any time.
The OCR guidance states, “To be valid, an authorization must inform the individual of the right to revoke the authorization in writing, and either: (1) the exceptions to the right to revoke and a description of how the individual may revoke authorization, or (2) reference to the corresponding section(s) of the covered entity’s Notice of Privacy Practices”. If an individual revokes authorization, a covered entity is limited in its continued use of the PHI in the original research or future research projects.
HIPAA compliance can be a long and complex process that is crucial to the successful operation of any successful business in the healthcare field. Telegenisys has been a trusted partner for over a decade supporting projects involving confidential patient data. We provide the systems, manpower and management to ensure that our client objectives are met with full compliance to HIPAA and all other regulations. know more..