Common Rule and HIPAA authorizations' impact on patient email consent
Kirsten Peremore June 22, 2024
The Common Rule and HIPAA authorization apply in specific circumstances related to research and the use of patient data. This requires HIPAA compliant communication when receiving or discussing aspects of consent and authorization with patients.
Cases where both HIPAA Authorizations and Common Rule informed consent are required
The HHS provides the following differentiation between HIPAA’s Authorizations, “Under the Privacy Rule, a patient’s authorization is for the use and disclosure of protected health information for research purposes. In contrast, an individual’s informed consent, as required by the Common Rule and the Food and Drug Administration’s (FDA) human subjects regulations, is consent to participate in the research study as a whole, not simply consent for the research use or disclosure of protected health information.”
There are still areas where these intersect:
Research involving PHI
When a research study involves the collection, use, or disclosure of protected health information (PHI), such as medical records, lab results, or other health information, both HIPAA and the Common Rule may apply. This often occurs in clinical research settings or when researchers need access to individuals' health data.
HIPAA authorization
Researchers must obtain HIPAA authorization from participants to access their PHI for research purposes. HIPAA authorization ensures that participants are informed about and consent to the use of their health information beyond the scope of treatment, payment, or healthcare operations as allowed by the HIPAA Privacy Rule.
Common Rule informed consent
In addition to HIPAA authorization, researchers must obtain informed consent from participants following the Common Rule's regulations. Common Rule consent ensures that participants understand the research, its purpose, risks, benefits, and their rights as research subjects.
Alignment and integration
Researchers often align their HIPAA authorization process with the informed consent process to meet both requirements. This integration allows participants to provide a single consent that covers both the use of their PHI and their participation in the research study. Consent forms may include sections addressing both HIPAA and Common Rule requirements.
Protection of privacy and autonomy
The dual requirement for HIPAA authorization and Common Rule informed consent ensures that participants are well informed about how their health information will be used in research.
See also: HIPAA authorization vs. Common Rule informed consent
What are the requirements for patient consent?
Common Rule informed consent:
- Obtain voluntary and informed consent from research participants.
- Clearly explain the purpose, risks, benefits, and procedures of the research.
- Emphasize the right to withdraw from the study at any time without penalty.
- Provide understandable information in the consent form.
- Include the signature of the individual or their authorized representative.
- Specify the expected duration of the individual's participation in the research.
HIPAA authorization (when PHI is involved):
- Obtain specific authorization from individuals for the use or disclosure of their PHI for research purposes.
- Clearly state the purpose of the PHI use or disclosure.
- Specify who can make the requested use or disclosure.
- Identify who may access the PHI or to whom it may be disclosed.
- Include an expiration date for the authorization or specify that it has no expiration date.
- Obtain the individual's or their representative's signature.
How to make use of HIPAA compliant email in patient authorization and informed consent
Select a HIPAA compliant email service
Choose a HIPAA compliant email service provider that offers compliance features. Ensure that the provider signs a business associate agreement (BAA) with your organization, as this is required by HIPAA.
Use secure email protocols
Use secure email protocols such as Transport Layer Security (TLS) to encrypt email transmissions. TLS ensures that email data is encrypted while in transit between email servers.
Implement secure user authentication
Require strong user authentication methods to access email accounts. This may include multi-factor authentication (MFA) to ensure that only authorized individuals can access PHI.
Access control and authorization
Implement access controls to restrict access to PHI within the email system. Only authorized personnel should have access to patient authorization and informed consent forms sent via email.
Secure mobile email access
If staff members access email on mobile devices, ensure that these devices are also secured and compliant with HIPAA regulations. Mobile email apps should provide encryption and require user authentication.
Email archiving and retention policies
Establish email archiving and retention policies to ensure that patient authorization and informed consent emails are retained for the required period as per HIPAA regulations. This helps with compliance and audit trails.
Secure email attachments
When sending patient authorization and informed consent forms as email attachments, ensure that these attachments are encrypted and password protected if necessary. Provide the password to the recipient through a separate channel.
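To verify the transit-encryption step above on an actual inbound consent email, here is an added example (not from the original post or Paubox): it parses the Received: trace headers of two constructed sample messages and reports any mail hop that accepted the message without TLS. The hostnames, IDs and timestamps in the samples are invented.

```python
"""Audit a consent email's Received: trace to confirm every relay hop used TLS.
Each relaying mail server prepends a Received: header whose RFC 3848 'with'
keyword (ESMTPS, ESMTPSA, ...) records whether that hop used STARTTLS."""
import email
import re

# RFC 3848 / RFC 6531 'with' keywords that imply the hop was protected by TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "SMTPS", "UTF8SMTPS", "UTF8SMTPSA"}
HOP_RE = re.compile(r"\bby\s+(?P<by>\S+).*?\bwith\s+(?P<with>[A-Za-z0-9]+)", re.I)

# Constructed sample: both hops (sponsor relay -> clinic MX) advertise TLS.
CONSENT_OVER_TLS = """\
Received: from relay.sponsor.example (relay.sponsor.example [203.0.113.5])
    by mx.clinic.example with ESMTPS id 4Y2k1
    (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384); Fri, 21 Jun 2024 10:00:00 +0000
Received: from workstation.sponsor.example ([192.0.2.10])
    by relay.sponsor.example with ESMTPSA id 9Q1z; Fri, 21 Jun 2024 09:59:58 +0000
From: coordinator@sponsor.example
Subject: Signed HIPAA authorization - study 0042

Attached is the signed authorization form.
"""

# Constructed sample: the clinic MX accepted the same form over plain ESMTP.
CONSENT_OVER_PLAINTEXT = """\
Received: from relay.sponsor.example ([203.0.113.5])
    by mx.clinic.example with ESMTP id 77Ab; Fri, 21 Jun 2024 10:02:00 +0000
From: coordinator@sponsor.example
Subject: Signed HIPAA authorization - study 0043
"""

def received_hops(raw_message: str) -> list[tuple[str, bool]]:
    """Return (receiving_host, used_tls) per Received: hop, newest hop first."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        line = " ".join(str(value).split())  # unfold the multi-line header
        match = HOP_RE.search(line)
        if not match:
            continue  # no by/with clause: nothing to judge on this line
        proto = match.group("with").upper()
        used_tls = proto in TLS_PROTOCOLS or "version=TLS" in line
        hops.append((match.group("by"), used_tls))
    return hops

def plaintext_hops(raw_message: str) -> list[str]:
    """Hosts that accepted the message without TLS; an empty list passes."""
    return [host for host, tls in received_hops(raw_message) if not tls]
```

Received: headers below the one written by your own mail server come from third parties and can be forged, so treat only the hops your own MX recorded as authoritative; TLS also protects the message only in transit, not once it sits in a mailbox.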
See also: What is transport layer security (TLS)?
What risks do you face when you fail to use HIPAA compliant communications?
Failing to implement HIPAA compliant communication for authorization and informed consent can have serious consequences that directly impact patient care and research. First, it can lead to miscommunication or delays in obtaining necessary consent, potentially hindering patient participation in clinical trials or research studies. This can slow down medical advancements and limit treatment options.
This lack of secure communication can also result in the inadvertent exposure of patients' sensitive health information, violating their privacy rights and eroding trust in healthcare providers. When patients and research participants perceive inadequate protection of their data, they may be less willing to engage with healthcare providers or participate in research, hindering the progress of medical research and innovation.
See also: The risks of shared email inboxes in healthcare practices
FAQs
What is the Common Rule?
The Common Rule governs the ethical conduct and oversight of research involving human subjects in the United States.
How does the Common Rule differ from HIPAA?
The Common Rule focuses on protecting human subjects in research, while HIPAA primarily addresses the privacy and security of individuals' health information.
Why is email the best way to get patient consent?
Email is often considered the best way to get patient consent because it provides a written record, allows for clear communication, and is convenient for both patients and healthcare providers.