HIPAA Authorization to Use and Disclose PHI in Clinical Research
Summary
This authorization template under the Health Insurance and Portability Accountability Act (HIPAA) is used when a clinician or researcher anticipates disclosing an individual's protected health information (PHI) in the course of conducting research or as a result of collecting such data during clinical research. This template provides practical guidance and drafting notes. The HIPAA Privacy Rule (45 C.F.R. § 164.500-534) governs such authorizations and is intended to protect the privacy of individuals while allowing health data to seamlessly move between authorized entities for certain types of health activities. There is an important distinction between consent and authorization under HIPAA. The Privacy Rule permits but does not require a covered entity to voluntarily obtain consent from the patient when the use or disclosure of PHI is for treatment, payment, and healthcare operations. See 45 C.F.R. § 164.506. A covered entity is required to obtain an authorization for uses and disclosures of PHI not otherwise allowed by the Privacy Rule. This template may be used under these circumstances. Authorization is required where voluntary consent is not sufficient to allow a use or disclosure of PHI, and this authorization must be for a specified purpose. The specified purpose should be something other than a use or disclosure for treatment, payment, or healthcare operations. The timing to obtain the authorization is important. It must generally be done before the individual's PHI is disclosed. For example, it should be obtained prior to: • The disclosure of PHI to a third party other than for treatment, payment, or healthcare operations • PHI being used for marketing or fundraising reasons • PHI being provided to a research organization • Psychotherapy notes being released –or– • The sale of PHI or sharing that involves remuneration An authorization must specify a number of elements including: • A description of the PHI to be used and disclosed • The person authorized to make the use of disclosure • The person to whom the covered entity may make the disclosure • An expiration date • In certain circumstances, a covered entity may also need to provide the purpose for which the PHI may be used or disclosed • Statements that alert the individual of their right to revoke the authorization • Any exceptions to the individual's right to revoke the authorization • The process to revoke the authorization –and– • The potential for the PHI to be disclosed by the recipient under the terms of the authorization that may negate the protections of the PHI under HIPAA Covered entities may not condition treatment or coverage on the individual providing an authorization except in limited circumstances, and the individual should receive a signed copy of the authorization. For a full listing of key content covering HIPAA considerations, see HIPAA Resource Kit. For more information about health information privacy and security, see Health Information Privacy and Security Resource Kit. For a full listing of related content about clinical trials, see Clinical Trials Resource Kit. For more information on privacy in clinical research, see Privacy and Confidentiality in Clinical Research. And, for more on healthcare generally, see Healthcare Fundamentals Resource Kit.