Paubox blog: HIPAA compliant email made easy

HIPAA authorization vs. Common Rule informed consent

Written by Kirsten Peremore | September 22, 2023

HIPAA authorization and Common Rule informed consent are two distinct but related elements in research involving protected health information (PHI). Together, they allow patients to be fully aware of how their data will be used and of the protections in place to guard it.

 

HIPAA authorizations

HIPAA authorizations are official documents that patients or health plan members use to grant specific permission for the use or disclosure of their private health information, known as PHI, in ways that go beyond the normal allowances of the HIPAA Privacy Rule. These authorizations are necessary for HIPAA compliance, as they ensure individuals have control over who accesses their health information and for what purposes. 

 

Common Rule informed consent

Informed consent under the Common Rule is a fundamental aspect of research ethics. It involves obtaining voluntary permission from potential research subjects before they participate in a study. This process ensures that individuals fully understand the research, its purpose, risks, and benefits, and can make informed decisions about their participation. Informed consent includes verbal discussions and a written consent form, which guides information sharing between researchers and participants. Recent revisions to the Common Rule aim to improve subjects' understanding by emphasizing the need for clear, concise, and understandable information in the consent form. 

See also: What is the Common Rule?

 

Required elements of consent

  • Description of the PHI to be used or disclosed in a specific and meaningful manner.
  • Identification of who can make the requested use or disclosure.
  • Identification of who may use the PHI or to whom the covered entity may disclose it.
  • A description of each purpose of the requested use or disclosure, which must be research study-specific.
  • An expiration date or event related to the individual or the purpose of the use or disclosure.
  • Signature of the individual or their personal representative, along with the date and a description of the representative's authority if applicable.

See also: The role of patient consent in research

 

The difference between HIPAA authorizations and Common Rule informed consent

Common Rule consent, governed by the Federal Policy for the Protection of Human Subjects, is primarily associated with research ethics. It involves obtaining informed and voluntary permission from individuals before they participate in a research study. This process ensures that research participants fully understand the study's purpose, procedures, risks, and benefits. Common Rule consent emphasizes transparency, participant autonomy, and the right to withdraw from the research without penalty.

On the other hand, HIPAA authorization is related to the privacy and security of an individual's PHI in the context of healthcare. HIPAA sets rules and standards to safeguard PHI. HIPAA authorization is a separate legal document that allows covered entities (like healthcare providers and insurers) and their business associates to use or disclose an individual's PHI for specific purposes that are not covered under the HIPAA Privacy Rule. Unlike Common Rule consent, HIPAA authorization is not about participating in research but rather about granting permission for the use or sharing of one's healthcare information for various purposes, such as marketing, research, or the sale of PHI.

 

Cases where both HIPAA authorizations and Common Rule informed consent are required

Research involving PHI

When a research study involves the collection, use, or disclosure of PHI, such as medical records, lab results, or health information, both HIPAA and Common Rule regulations may apply. This often occurs in clinical research settings or when researchers need access to individuals' health data.

 

HIPAA authorization

Researchers must obtain HIPAA authorization from participants to access their PHI for research purposes. HIPAA authorization ensures that participants are informed about and consent to the use of their health information beyond the scope of treatment, payment, or healthcare operations as allowed by the HIPAA Privacy Rule.

 

Common Rule informed consent

In addition to HIPAA authorization, researchers must obtain informed consent from participants following the Common Rule's regulations. Common Rule consent ensures that participants understand the research, its purpose, risks, benefits, and their rights as research subjects. It emphasizes voluntary participation and the ability to withdraw from the study at any time.

 

Alignment and integration

Researchers often align their HIPAA authorization process with the informed consent process to meet both requirements. This integration allows participants to provide a single consent that covers both the use of their PHI and their participation in the research study. Consent forms may include sections addressing both HIPAA and Common Rule requirements.

 

Protection of privacy and autonomy

The dual requirement for HIPAA authorization and Common Rule informed consent ensures that participants are well-informed about how their health information will be used in research. It safeguards their privacy, autonomy, and right to make an informed decision regarding participation while complying with healthcare privacy laws.

 

How to ensure HIPAA compliant communication during clinical trials?

  • Select a HIPAA compliant email service
  • Implement secure email encryption
  • Use secure email protocols
  • Enable message encryption
  • Secure user authentication
  • Access control and authorization
  • Secure mobile email access
  • Phishing awareness training
  • Email archiving and retention policies
  • Secure email attachments

See also: HIPAA compliant email during clinical trials