National Institutes of Health HIPAA Privacy Rule - Information for Researchers
This website is currently in the process of being updated. For guidance on the HIPAA Privacy Rule in research, please see: https://www.hhs.gov/hipaa/for-professionals/special-topics/research/index.html
HIPAA Authorization for Research

Information For Covered Entities And Researchers On Authorizations For Research Uses Or Disclosures Of Protected Health Information

Overview

A Privacy Rule Authorization is an individual's signed permission to allow a covered entity to use or disclose the individual's protected health information (PHI) that is described in the Authorization for the purpose(s) and to the recipient(s) stated in the Authorization. In contrast, an informed consent document is an individual's agreement to participate in the research study and includes a description of the study, anticipated risks and/or benefits, and how the confidentiality of records will be protected, among other things. An Authorization can be combined with an informed consent document or other permission to participate in research. If a covered entity obtains or receives a valid Authorization for its use or disclosure of PHI for research, it may use or disclose the PHI for the research, but the use or disclosure must be consistent with the Authorization.

The Authorization must be written in plain language. A copy of the signed Authorization must be provided to the individual signing it if the covered entity itself is seeking the Authorization. The Privacy Rule does not specify who must draft the Authorization, so a researcher could draft one. The Privacy Rule specifies core elements and required statements that must be included in an Authorization. An Authorization is not valid unless it contains all of the required elements and statements. An Authorization form may also, but is not required to, include additional, optional elements so long as they are not inconsistent with the required elements and statements and are not otherwise contrary to the Authorization requirements of the Privacy Rule. An Authorization, whether prepared by a covered entity or by a person requesting PHI from a covered entity, must include the following core elements and required statements:

Authorization Core Elements (see Privacy Rule, 45 C.F.R. §164.508(c)(1))

  • Description of PHI to be used or disclosed (identifying the information in a specific and meaningful manner).
  • The name(s) or other specific identification of person(s) or class of persons authorized to make the requested use or disclosure.
  • The name(s) or other specific identification of the person(s) or class of persons who may use the PHI or to whom the covered entity may make the requested disclosure.
  • Description of each purpose of the requested use or disclosure. Researchers should note that this element must be research study specific, not for future unspecified research.
  • Authorization expiration date or event that relates to the individual or to the purpose of the use or disclosure (the terms "end of the research study" or "none" may be used for research, including for the creation and maintenance of a research database or repository).
  • Signature of the individual and date. If the Authorization is signed by an individual's personal representative, a description of the representative's authority to act for the individual.

Authorization Required Statements (see Privacy Rule, 45 C.F.R. §164.508(c)(2))

  • The individual's right to revoke his/her Authorization in writing and either (1) the exceptions to the right to revoke and a description of how the individual may revoke Authorization or (2) reference to the corresponding section(s) of the covered entity's Notice of Privacy Practices.
  • Notice of the covered entity's ability or inability to condition treatment, payment, enrollment, or eligibility for benefits on the Authorization, including research-related treatment, and, if applicable, consequences of refusing to sign the Authorization.
  • The potential for the PHI to be re-disclosed by the recipient and no longer protected by the Privacy Rule. This statement does not require an analysis of risk for re-disclosure but may be a general statement that the Privacy Rule may no longer protect health information.*

A research subject may revoke his/her Authorization at any time. However, a covered entity may continue to use and disclose PHI that was obtained before the individual revoked Authorization to the extent that the entity has taken action in reliance on the Authorization. In cases where the research is conducted by the covered entity, this would permit the covered entity to continue using or disclosing the PHI as necessary to maintain the integrity of the research, as, for example, to account for a subject's withdrawal from the research study, to conduct investigations of scientific misconduct, or to report adverse events.

The next section of this document provides sample language and issues to consider in developing a research Authorization. The sample language addressing the required elements is listed first, followed by a set of optional elements that may be useful in specific research situations.


* If an Authorization permits disclosure of PHI to a person or organization that is not a covered entity (such as a sponsor or funding source of the research), the Privacy Rule does not continue to protect the PHI disclosed to the noncovered entity. However, other applicable Federal and State laws as well as agreements between the disclosing covered entity and the PHI recipient may establish continuing protections for the disclosed information.


SAMPLE AUTHORIZATION LANGUAGE FOR RESEARCH USES AND DISCLOSURES OF INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION BY A COVERED HEALTH CARE PROVIDER

Authorization to Use or Disclose (Release) Health Information that Identifies You for a Research Study

REQUIRED ELEMENTS:
If you sign this document, you give permission to [name or other identification of specific health care provider(s) or description of classes of persons, e.g., all doctors, all health care providers] at [name of covered entity or entities] to use or disclose (release) your health information that identifies you for the research study described here:

[Provide a description of the research study, such as the title and purpose of the research.]

The health information that we may use or disclose (release) for this research includes [complete as appropriate]:

[Provide a description of information to be used or disclosed for the research project. This may include, for example, all information in a medical record, results of physical examinations, medical history, lab tests, or certain health information indicating or relating to a particular condition.]

The health information listed above may be used by and/or disclosed (released) to:

[Name or class of persons involved in the research; i.e., researchers and their staff**]

[Name of covered entity] is required by law to protect your health information. By signing this document, you authorize [name of covered entity] to use and/or disclose (release) your health information for this research. Those persons who receive your health information may not be required by Federal privacy laws (such as the Privacy Rule) to protect it and may share your information with others without your permission, if permitted by laws governing them.


** Where a covered entity conducts the research study, the Authorization must list ALL names or other identification, or ALL classes, of persons who will have access through the covered entity to the protected health information (PHI) for the research study (e.g., research collaborators, sponsors, and others who will have access to data that includes PHI). Examples may include, but are not limited to the following:

  • Data coordinating centers that will receive and process PHI;
  • Sponsors who want access to PHI or who will actually own the research data; and/or
  • Institutional Review Boards or Data Safety and Monitoring Boards.

If the research study is conducted by an entity other than the covered entity, the authorization need only list the name or other identification of the outside researcher (or class of researchers) and any other entity to whom the covered entity is expected to make the disclosure.

Please note that [include the appropriate statement]:

  • You do not have to sign this Authorization, but if you do not, you may not receive research-related treatment.
    (When the research involves treatment and is conducted by the covered entity or when the covered entity provides health care solely for the purpose of creating protected health information to disclose to a researcher)

  • [Name of covered entity] may not condition (withhold or refuse) treating you on whether you sign this Authorization.
    (When the research does not involve research-related treatment by the covered entity or when the covered entity is not providing health care solely for the purpose of creating protected health information to disclose to a researcher)

Please note that [include the appropriate statement]:

  • You may change your mind and revoke (take back) this Authorization at any time, except to the extent that [name of covered entity(ies)] has already acted based on this Authorization. To revoke this Authorization, you must write to: [name of the covered entity(ies) and contact information].
    (Where the research study is conducted by an entity other than the covered entity)

  • You may change your mind and revoke (take back) this Authorization at any time. Even if you revoke this Authorization, [name or class of persons at the covered entity involved in the research] may still use or disclose health information they already have obtained about you as necessary to maintain the integrity or reliability of the current research. To revoke this Authorization, you must write to: [name of the covered entity(ies) and contact information].
    (Where the research study is conducted by the covered entity)

This Authorization does not have an expiration date [or as appropriate, insert expiration date or event, such as "end of the research study."]

_________________________
Signature of participant or participant's personal representative
_________________________
Date
_________________________
Printed name of participant or participant's personal representative
_________________________
If applicable, a description of the personal representative's authority to sign for the participant 

OPTIONAL ELEMENTS:
Examples of optional elements that may be relevant to the recipient of the protected health information:

  • Your health information will be used or disclosed when required by law.

  • Your health information may be shared with a public health authority that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, and conducting public health surveillance, investigations or interventions.

  • No publication or public presentation about the research described above will reveal your identity without another authorization from you.

  • If all information that does or can identify you is removed from your health information, the remaining information will no longer be subject to this authorization and may be used or disclosed for other purposes.

  • When the research for which the use or disclosure is made involves treatment and is conducted by a covered entity: To maintain the integrity of this research study, you generally will not have access to your personal health information related to this research until the study is complete. At the conclusion of the research and at your request, you generally will have access to your health information that [name of the covered entity] maintains in a designated record set, which means a set of data that includes medical information or billing records used in whole or in part by your doctors or other health care providers at [name of the covered entity] to make decisions about individuals. Access to your health information in a designated record set is described in the Notice of Privacy Practices provided to you by [name of covered entity]. If it is necessary for your care, your health information will be provided to you or your physician.

  • If you revoke this Authorization, you may no longer be allowed to participate in the research described in this Authorization.

NIH Publication Number 04-5529     April 2004