As mandated by the 21st Century Cures Act of 2016 (the “Cures Act”),  in June 2018 the Office for Civil Rights (“OCR”) issued guidance clarifying how individual authorizations under the Privacy Rule of the Health Insurance Portability and Accountability Act (“HIPAA”) apply to uses and disclosures of protected health information (“PHI”) in the context of ongoing or future research.  The Guidance offers suggested best practices for obtaining authorizations for research purposes but does not modify existing authorization requirements or otherwise include legally binding requirements. Nevertheless, covered entities may find that the Guidance provides a good opportunity to reexamine current practices both for obtaining authorizations and using or disclosing PHI pursuant to such authorizations.
This Alert discusses OCR’s attempt to clarify the best way within the construct of existing regulatory requirements for institutions to ensure that PHI remains available for future research while protecting the rights of the research subjects.
The Cures Act and the Mandate
The Cures Act was signed into law on December 13, 2016, and is intended to accelerate medical product development and bring new innovations and advances to patients. As part of the focus on accelerating development and innovation, the Cures Act requires the Secretary of Health and Human Services to issue guidance to streamline HIPAA authorization requirements. The Cures Act requires such guidance to clarify:
a) The circumstances in which the authorization for the use or disclosure of PHI sufficiently describes future research purposes, and provides clarity as to the expiration or revocation of the authorization;
b) The circumstances under which it is appropriate to provide a research subject with a notice or reminder of the right to revoke such authorization; and
c) Appropriate mechanisms by which a research subject may revoke an authorization for future research purposes. 
The recently published Guidance updates OCR’s earlier recommendations regarding authorization of the use and disclosure of PHI in research, which OCR had published in December 2017. 
Dissecting the Guidance: What’s New, What’s Not
The Guidance sets forth OCR’s suggestions for best practices on whether to remind research subjects about their right to revoke their authorizations and if so, when and how these reminders should be sent.
First, OCR encourages covered entities conducting ongoing research to remind research subjects periodically about their right under the Privacy Rule to revoke their authorizations.  Currently the Privacy Rule requires only that a covered entity include a statement on its authorization form about this right to revoke and, if not already included in the covered entity’s notice of privacy practices, also an explanation of how to make the revocation if they so choose.  In the Guidance, OCR provides two suggestions on how to make these reminders: (i) automatically, or (ii) by inquiring at the time a research subject initially authorizes the use and disclosure of their PHI for research whether they would like periodic reminders regarding their revocation rights.  OCR also encourages covered entities to make the revocation process easy in order to facilitate a research subject’s ability to invoke the right. 
For covered entities conducting ongoing research, guidance encouraging the entity to remind research subjects about the right to revoke an authorization may be unwelcome. Such a revocation would preclude use or disclosure for research purposes of new data obtained subsequent to the date of the revocation although, as discussed below, previously obtained PHI may continue to be used in certain cases.  Nevertheless, covered entities that choose to remind research subjects of their right to revoke an authorization should consider developing documented policies and procedures to ensure uniformity with respect to making and honoring such reminders. The policies and procedures should specify the criteria that covered entities will use to define when an automatic reminder should be sent (e.g., annually or upon a specific event, such as reaching the age of majority for minors whose parents originally authorized the use and disclosure). Depending on these criteria, the form of authorization itself may likewise be modified to address the question of reminders and whether a research subject wants to receive them.
Moreover, if the covered entity decides to accept requests from research subjects to stop disclosing their PHI to third parties pursuant to previously granted authorizations, a policy and procedure specifying that the request be documented should also be developed. A covered entity may also find it beneficial to review its notice of privacy practices to ensure it aligns with the covered entity’s actual practices regarding authorizations, and further consider whether to include a statement regarding a research subject’s right to orally request restrictions to the covered entity’s disclosure to third parties. In this regard, OCR reminds covered entities that pursuant to a HIPAA-compliant authorization they are permitted—but not required—to disclose PHI to a third party. As a consequence, unlike with formal revocation of an authorization (which the Privacy Rule requires to be in writing), the Privacy Rule permits a covered entity to honor an oral request from the patient to not further disclose his PHI to the third party pursuant to a previously executed authorization.
Covered entities should conduct additional training of staff as to any newly developed or modified policies and procedures, as an instance of noncompliance with such policies and procedures could expose the covered entity to a complaint—either made to the covered entity or directly to OCR. In the event that OCR receives a complaint regarding a covered entity’s policies, procedures, or practices regarding the use and disclosure of PHI, a documented, uniform policy and procedure addressing the covered entity’s adoption of OCR’s suggestions would support the covered entity’s position only as long as the policies, procedures, or practices are being followed.
Reinforcing Requirements for a Compliant Authorization
The elements of a HIPAA-compliant authorization are fairly basic for situations in which there is a single authorized disclosure or a definite end point to disclosures, but when the uses and disclosures will be ongoing—as in the case of ongoing or future research—properly satisfying these elements can be challenging. OCR attempted to answer some frequently encountered questions regarding these ongoing and future uses in the Guidance.
1. Purpose: Reasonable Expectation of Future Potential Research Uses and Disclosures
HIPAA requires an authorization to include a “description of each purpose of the requested use or disclosure.” 
Future research creates a problem because new research studies may not be envisioned when the research subject executes the authorization. OCR advises that a description is HIPAA-compliant “if the description sufficiently describes the purposes such that it would be reasonable for the individual to expect that the protected health information could be used or disclosed for such future research.”  Notably, however, OCR believes this element of the authorization requires additional input into the complex question of what constitutes a sufficient description, and as a result, OCR will be seeking further comment on the adequacy of this guidance, which it classifies as “interim guidance, while additional inquiries and discussions proceed.”  Accordingly, future changes to the “purpose” element of an authorization in situations involving future research are a possibility.
2. Expiration: An Additional Example
The Privacy Rule requires a meaningful expiration specification related to either the research subject or to the purpose for the use or disclosure of the PHI. For expiration tied to future research-related purposes, permissible language is set forth in the Privacy Rule, which indicates that the “end of research study,” “none,” or “similar language” are acceptable expiration options for ongoing or future research, including the creation and maintenance of a research database or repository.  In this Guidance, OCR provides an example for an expiration that relates specifically to the research subject (as opposed to the purpose) and which would also encompass such future research: “[T]he authorization will remain valid unless and until it is revoked by the individual.”  OCR’s suggested language, however, appears simply to reiterate other statements that are already required to be included in the authorization.
3. Right to Revoke: Little Impact on Prior Uses and Disclosures
As discussed above, an authorization must inform the research subject that he or she has the right to revoke the authorization, and the Guidance makes no change to this requirement. OCR notes that revocation may have a minimal impact on research, given that a revocation does not require a covered entity to remove the research subject’s PHI from research or studies in progress prior to the revocation. While the revocation does prevent the research subject’s PHI from being used or disclosed for research purposes subsequent to the date of the revocation, the covered entity may continue to use and disclose PHI that was obtained before the research subject revoked their authorization “to the extent that the entity has taken action in reliance on the authorization.” This exception to revocation is broad: examples OCR discusses are (i) using and disclosing the PHI to maintain the integrity of the research (e.g., to account for the subject’s withdrawal from the research study, to conduct investigations of scientific misconduct, or to report adverse events), and (ii) continuing to use PHI for other activities permitted by the Privacy Rule for which an authorization is not required (e.g., permitted health care operations such as quality assessment and improvement activities). Information that was de-identified for inclusion in data warehouses and repositories is, of course, not affected.
In this Guidance, OCR focuses on balancing the legitimate need for PHI for ongoing and future research against ensuring that research subjects understand their right to stop newly generated PHI from being used or disclosed pursuant to previously provided authorizations, all while encouraging covered entities to establish a user-friendly method of managing authorizations and revocations. The Guidance supports existing practices for obtaining authorizations related to ongoing and future research, and this alone should provide some comfort to covered entities using and disclosing PHI for these purposes. In short, OCR emphasizes the need for clarity when obtaining the authorization in the first instance and for clarity regarding when and how research subjects can subsequently exercise their revocation rights.
 Pub. L. 114-255.
 See Guidance on HIPAA and Individual Authorization of Uses and Disclosures of Protected Health Information for Research, https://www.hhs.gov/sites/default/files/hipaa-future-research-authorization-guidance-06122018%20v2.pdf (hereinafter, the “Guidance”).
 Pub. L. 114-255, section 2063(b).
 See OCR, “Research”, https://www.hhs.gov/hipaa/for-professionals/special-topics/research/index.html (Revised December 18, 2017).
 See 45 C.F.R. §164.508(b)(5).
 See id. at §164.508(c)(2)(i).
 See Guidance, at 4–5.
 See id., at 5. OCR suggests that “a covered entity could make authorizations currently in effect viewable by the individual through an electronic health record portal and allow the individual to submit revocations through the portal.”
 See 45 C.F.R. §164.508(b)(5)(i). As discussed below, it would have little impact on any PHI used or disclosed for research prior to the revocation.
 See 45 C.F.R. §164.502(a)(1)(iv).
 See id. at §154.508(b)(5)(i).
 See Guidance, at 5.
 45 C.F.R. §164.508(c)(1)(iv).
 See Guidance, at 3 (emphasis added); see also 78 Fed. Reg. 5566, 5612 (January 25, 2013).
 See id. at 2.
 See 45 C.F.R. §164.508(c)(1)(v).
 See Guidance at 3. As noted above, while the entity obtaining the authorization must obtain a written revocation, nothing prevents covered entities from accepting an oral request from individuals to discontinue disclosing their PHI to third parties.
 See id. at 3–4.
 See 45 C.F.R. §164.508(b)(5)(i).
 See Guidance at 4.