45 CFR 164.502(a): Authorizations for use and disclosures —
(1) Authorization required: General rule. Except as otherwise permitted or required by [regulation], a covered entity may not use or disclose protected health information without an authorization that is valid under this section. When a covered entity obtains or receives a valid authorization for its use or disclosure of protected health information, such use or disclosure must be consistent with such authorization.
The Health Insurance Portability and Accountability Act (HIPAA) provides that a covered entity may not use or disclose protected health information (PHI), as defined by HIPAA, without a valid authorization, except as otherwise permitted or required by law. Any use or disclosure of PHI through an authorization must be consistent with the authorization.
Individuals engaged in human subject research are responsible for complying with all requirements regarding use or disclosure of PHI, including those set forth in HIPAA and implemented by the covered entity(ies). The covered entity is also responsible for the proper use or disclosure of protected health information for research purposes.
Under 45 CFR 164.502(a)(1)(iv), a covered entity is permitted to use or disclose PHI with a valid authorization. The Michigan State University Compliance office is assigned to projects that may involve PHI being disclosed through the use of an authorization.
If the PHI will be obtained from a clinic that is part of the MSU covered entity, use of the template “MSU Health Team Research Authorization Form” is required. The Compliance office will review the authorization form and provide feedback on use of the appropriate form for the MSU covered entity or on whether the authorization is valid for non-MSU covered entities. However, it is the responsibility of the researcher and the covered entity to ensure that the requirements for use or disclosure of PHI through an authorization are met prior to the use or disclosure of the PHI.
If PHI will be obtained from MSU, the Compliance office will also provide notice to the MSU Health Team and copy the Principal Investigator (PI). The MSU Health Team then follows its procedures (e.g. interacts with the researcher(s) to ensure that appropriate requirements are met for valid authorization and appropriate access). If the PHI will be obtained from a non-MSU covered entity, the Compliance office will provide notice to the PI that they must contact that particular covered entity for its requirements.
HIPAA Requirements for Valid Authorizations
To be considered valid, an authorization for research must contain both:
Core Elements
Required Statements
An authorization may contain elements or information in addition to the elements required by HIPAA, provided that the additional elements or information are not inconsistent with the core elements and required statements.
HIPAA also requires additional statements if the authorization involves marketing or sale of protected health information.
Core Elements
A valid authorization under must contain at least the following elements:
(i) A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion.
(ii) The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure.
(iii) The name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the requested use or disclosure.
(iv) A description of each purpose of the requested use or disclosure. The statement “at the request of the individual” is a sufficient description of the purpose when an individual initiates the authorization and does not, or elects not to, provide a statement of the purpose.
(v) An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure. The statement “end of the research study,” “none,” or similar language is sufficient if the authorization is for a use or disclosure of protected health information for research, including for the creation and maintenance of a research database or research repository.
(vi) Signature of the individual and date. If the authorization is signed by a personal representative of the individual, a description of such representative's authority to act for the individual must also be provided. 45 CFR 164.508(1)(c)
Authorizations for use at MSU cannot include language indicating that the authorization does not expire (e.g. “none”).
Required Statements
In addition to the core elements, the authorization must contain statements adequate to place the individual on notice of all of the following:
(i) The individual's right to revoke the authorization in writing, and either:
(A) The exceptions to the right to revoke and a description of how the individual may revoke the authorization; or
(B) To the extent that the information in paragraph (i)(A) is included in the Notice of Privacy Practices, a reference to the covered entity's Notice.
(ii) The ability or inability to condition treatment, payment, enrollment or eligibility for benefits on the authorization, by stating either:
(A) The covered entity may not condition treatment, payment, enrollment or eligibility for benefits on whether the individual signs the authorization when the prohibition on conditioning of authorizations in paragraph (b)(4) of this section applies; or
(B) The consequences to the individual of a refusal to sign the authorization when, in accordance with paragraph (b)(4) of this section, the covered entity can condition treatment, enrollment in the health plan, or eligibility for benefits on failure to obtain such authorization.
(iii) The potential for information disclosed pursuant to the authorization to be subject to redisclosure by the recipient and no longer be protected by this subpart. 45 CFR 164.508(2)
HIPAA Requirement for Plain Language
The authorization form must be written in plain language.
Defective HIPAA Authorizations
An authorization for research is considered defective under HIPAA if:
Expiration date has passed
Expiration event is known by the covered entity to have occurred
Authorization has not been filled out completely with respect to an element required for a valid authorization
Authorization is known by the covered entity to have been revoked
Authorization violates requirements for compound authorizations and the prohibition on conditioning of authorizations, if applicable
Any material information in the authorization is known by the covered entity to be false
Conditioning of Authorizations Related to Research
The general requirement under HIPAA is that a covered entity may not condition the provision to an individual of treatment, payment, enrollment in the health plan, or eligibility for benefits on the provision of an authorization.
However, there are several exceptions, one of which is research related: A covered health care provider may condition the provision of research-related treatment on provision of an authorization for the use or disclosure of protected health information for such research.
Compound Authorizations
The general requirement under HIPAA is that an authorization for use or disclosure of protected health information may not be combined with any other document to create what is known as a “compound authorization.” However, there are several exceptions, one of which is research related:
An authorization for the use or disclosure of protected health information for a research study may be combined with any other type of written permission for the same or another research study.
This includes combining an authorization for the use or disclosure of protected health information for a research study with:
However, HRPP Manual Section 6-4 does not permit combining an authorization for the use or disclosure of protected health information for a research study with a consent document to participate in research.
If a covered health care provider has conditioned the provision of research-related treatment on the provision of one of the authorizations, any compound authorization must
clearly differentiate between the conditioned component and the unconditioned component
provide the individual with an opportunity to opt in to the research activities described in the unconditioned authorization
Copy of Signed Authorization
HIPAA requires that if a covered entity seeks an authorization from an individual for use or disclosure of PHI, the covered entity must provide the individual with a copy of the signed authorization. An MSU researcher who obtains an individual authorization from a research subject must provide a copy of the signed authorization to the individual.
Documentation of Signed Authorizations
The covered entity must document and retain any signed authorizations for, whichever is later:
six years from the date of its creation or
the date when it last was in effect
Therefore, a copy of the signed authorization must be provided to the covered entity, prior to accessing PHI, following the covered entity’s requirements.
In addition to any recordkeeping requirements as part of the covered entity, the MSU PI is responsible for maintaining a signed copy of the HIPAA authorization form in compliance with the IRB record related requirements in HRPP Manual Section 4-7, Recordkeeping.
Revocation
The general requirement under HIPAA is that an individual may revoke an authorization at any time, provided that the revocation is in writing, except to the extent that the covered entity has taken action in reliance thereon. When MSU is the covered entity, revocation should be directed to the MSU Health Team Privacy Officer.
Additional Requirements
There are additional requirements or limitations if the authorization is related to psychotherapy notes, marketing, or sale of protected health information.
This policy and procedure supersedes those previously drafted.