[Federal Register: December 28, 2000 (Volume 65, Number 250)] [Rules and Regulations] [Page 82511-82560]
From the Federal Register Online via GPO Access [wais.access.gpo.gov] [DOCID:fr28de00-30] [[pp. 82511-82560]]

Standards for Privacy of Individually Identifiable Health Information

[[Continued from page 82510]] [[Page 82511]]

prohibited under Sec. 164.502(a)(1) from using or disclosing protected health information for the purpose(s) included in the consent. A covered entity that seeks a consent must adhere to the individual's decision.

In Sec. 164.506(a)(5), we specify that a consent obtained by one covered entity is not effective to permit another covered entity to use or disclose protected health information, unless the consent is a joint consent. See Sec. 164.506(f) and the corresponding preamble discussion below regarding joint consents. A consent provides the individual's permission only for the covered entity that obtains the consent to use or disclose protected health information for treatment, payment, and health care operations. A consent under this section does not operate to authorize another covered entity to use or disclose protected health information, except where the other covered entity is operating as a business associate. We note that, where a covered entity is acting as a business associate of another covered entity, the business associate covered entity is acting for or on behalf of the principal covered entity, and its actions for or on behalf of the principal covered entity are authorized by the consent obtained by the principal covered entity. Thus, under this section, a health plan can obtain a consent that permits the health plan and its business associates to use and disclose protected health information that the health plan and its business associates create or receive.
That consent cannot, however, permit another covered entity (that is not a business associate) to disclose protected health information to the health plan or to any other person. If a covered entity wants to obtain the individual's permission for another covered entity to disclose protected health information to it for treatment, payment, or health care operations purposes, it must seek an authorization in accordance with Sec. 164.508(e). For example, when a covered provider asks the individual for written permission to obtain the individual's medical record from another provider for treatment purposes, it must do so with an authorization, not a consent. Since the permission is for disclosure of protected health information by another person, a consent may not be used.

Section 164.506(b)--Consent General Requirements

In the final rule, we permit a covered health care provider to condition the provision of treatment on the receipt of the individual's consent for the covered provider to use and disclose protected health information to carry out treatment, payment, and health care operations. Covered providers may refuse to treat individuals who do not consent to uses and disclosures for these purposes. See Sec. 164.506(b)(1). We note that there are exceptions to the consent requirements for covered health care providers that are required by law to treat individuals. See Sec. 164.506(a)(3), described above.

Similarly, in the final rule, we permit health plans to condition an individual's enrollment in the health plan on the receipt of the individual's consent for the health plan to use and disclose protected health information to carry out treatment, payment, and health care operations, if the consent is sought in conjunction with the enrollment process. If the health plan seeks the individual's consent outside of the enrollment process, the health plan may not condition any services on obtaining such consent.

Under Sec. 164.520, covered entities must produce a notice of privacy practices. A consent may not be combined in a single document with the notice of privacy practices. See Sec. 164.506(b)(3).

Under Sec. 164.506(b)(4), consents for uses and disclosures of protected health information to carry out treatment, payment, and health care operations may be combined in a single document covering all three types of activities and may be combined with other types of legal permission from the individual. For example, a consent to use or disclose protected health information under this rule may be combined with an informed consent to receive treatment, a consent to assign payment of benefits to a provider, or narrowly tailored consents required under state law for the use or disclosure of specific types of protected health information (e.g., state laws requiring specific consent for any sharing of information related to HIV/AIDS). Within a single consent document, the consent for use and disclosure of protected health information required or permitted under this rule must be visually and organizationally separate from the other consents or authorizations and must be separately signed by the individual and dated.

Where research includes treatment of the individual, a consent under this rule may be combined with the authorization for the use or disclosure of protected health information created for the research, in accordance with Sec. 164.508(f). (This is the only case in which an authorization under Sec. 164.508 of this rule may be combined with a consent under Sec. 164.506 of this rule. See Sec. 164.508(b)(3).) The covered entity that is creating protected health information for the research may elect to combine the consent required under this section with the research-related authorization required under Sec. 164.508(f).
For example, a covered health care provider that provides health care to an individual for research purposes and for non-research purposes must obtain a consent under this section for all of the protected health information it maintains. In addition, it must obtain an authorization in accordance with Sec. 164.508(f) which describes how it will use and disclose the protected health information it creates for the research for purposes of treatment, payment, and health care operations. Section 164.506(b)(4) permits the covered entity to satisfy these two requirements with a single document. See Sec. 164.508(f) and the corresponding preamble discussion for a more detailed description of research authorization requirements.

Under Sec. 164.506(b)(5), individuals may revoke a consent in writing at any time, except to the extent that the covered entity has taken action in reliance on the consent. Upon receipt of the written revocation, the covered entity must stop processing the information for use or disclosure, except to the extent that it has taken action in reliance on the consent. A covered health care provider may refuse, under this rule, to continue to treat an individual that revokes his or her consent. A health plan may disenroll an individual that revokes a consent that was sought in conjunction with the individual's enrollment in the health plan. Covered entities must document and retain any signed consent as required by Sec. 164.530(j).

Section 164.506(c)--Consent Content Requirements

Under Sec. 164.506(c), the consent must be written in plain language. See the preamble discussion regarding notice of privacy practices for a description of plain language requirements. We do not provide a model consent in this rule. We will provide further guidance on drafting consent documents prior to the compliance date.

Under Sec. 164.506(c)(1), the consent must inform the individual that protected health information may be used and disclosed by the covered entity to carry out treatment, payment, or health care operations. The covered entity must determine which of these elements (use and/or disclosure; treatment, payment, and/or health care operations) to include in the consent document, as appropriate for the covered entity's practices. For covered health care providers that are required to obtain consent, the requirement applies only to the extent the covered provider uses or discloses protected health information. For example, if all of a covered provider's health care operations are conducted by members of the covered provider's own workforce, the covered provider may choose to obtain consent only for uses, not disclosures, of protected health information to carry out health care operations. If an individual pays out of pocket for all services received from the covered provider and the provider will not disclose any information about the patient to a third party payor, the provider may choose not to obtain the individual's consent to disclose information for payment purposes. In order for a covered provider to be able to use and disclose information for all three purposes, however, all three purposes must be included in the consent.

Under Secs. 164.506(c)(2) and (3), the consent must refer the individual to the covered entity's notice for additional information about the uses and disclosures of information described in the consent. The consent must also indicate that the individual has the right to review the notice prior to signing the consent. If the covered entity has reserved the right to change its privacy practices in accordance with Sec. 164.520(b)(1)(v)(C), the consent must indicate that the terms of the notice may change and must describe how the individual may obtain a revised notice. See Sec. 164.520 and the corresponding preamble discussion regarding notice requirements.

Under Sec. 164.506(c)(4), the consent must inform individuals that they have the right to request restrictions on uses and disclosures of protected health information for treatment, payment, and health care operations purposes. It must also state that the covered entity is not required to agree to an individual's request, but that if the covered entity does agree to the request, the restriction is binding on the covered entity. See Sec. 164.522(a) regarding the right to request restrictions.

Under Sec. 164.506(c)(5), the consent must indicate that the individual has the right to revoke the consent in writing, except to the extent that the covered entity has taken action in reliance on the consent.

Under Sec. 164.506(c)(6), the consent must include the individual's signature and the date of signature. Once we adopt the standards for electronic signature, another of the required administrative simplification standards we are required to adopt under HIPAA, an electronic signature that meets those standards will be sufficient under this rule. We do not require any verification of the individual's identity or authentication of the individual's signature. We expect covered health care providers that are required to obtain consent to employ the same level of scrutiny to these signatures as they do to the signature obtained on a document regarding the individual's consent to undergo treatment by the provider.

Section 164.506(d)--Defective Consents

Under Sec. 164.506(d), there is no ``consent'' within the meaning of the rule if the completed document lacks a required element or if the individual has revoked the consent in accordance with Sec. 164.506(b)(5).
Section 164.506(e)--Resolving Conflicting Consents and Authorizations

Situations may arise where a covered entity that has obtained the individual's consent for the covered entity to use or disclose protected health information to carry out treatment, payment, or health care operations is asked to disclose protected health information pursuant to another written legal permission from the individual, such as an authorization, that was obtained by another person. Under Sec. 164.506(e), when the terms of a covered entity's consent conflict with the terms of another written legal permission from the individual to use or disclose protected health information (such as a consent obtained under state law by another covered entity or an authorization), the covered entity must adhere to the more restrictive document. By conflict, we mean that the consent and authorization contain inconsistencies.

In implementing this section, we note that the consent under this section references the notice provided to the individual and the individual's right to request restrictions. In determining whether the covered entity's consent conflicts with another written legal permission provided by the individual, the covered entity must consider any limitations on its uses or disclosures resulting from the notice provided to the individual or from restrictions to which it has agreed. For example, a covered nursing home may elect to ask the patient to sign an authorization for the patient's covered primary care physician to forward the patient's medical records to the nursing home. The physician may have previously obtained the individual's consent for disclosure for treatment purposes.
If the authorization obtained by the nursing home grants permission for the physician to disclose particular types of information, such as genetic information, but the consent obtained by the physician excludes such information or the physician has agreed to a restriction on that type of information, the physician may not disclose that information. The physician must adhere to the more restrictive written legal permission from the individual.

When a conflict between a consent and another written legal permission from the individual exists, as described above, the covered entity may attempt to resolve the conflict with the individual by either obtaining a new consent from the individual or by having a discussion or otherwise communicating with the individual to determine the individual's preference regarding the use or disclosure. If the individual's preference is communicated orally, the covered entity must document the individual's preference and act in accordance with that preference. In the example described above, the primary care physician could ask the patient to sign a new consent that would permit the disclosure of the genetic information. Alternatively, the physician could ask the patient whether the patient intended for the genetic information to be disclosed to the nursing home. If the patient confirms that he or she intended for the genetic information to be shared, the physician can document that fact (e.g., by making a notation in the medical record) and disclose the information to the nursing home.

We believe covered entities will rarely be faced with conflicts between consents and other written legal permission from the individual for uses and disclosures to carry out treatment, payment, and health care operations. Under Sec. 164.506(a)(5), we specify that a consent only permits the covered entity that obtains the consent to use or disclose protected health information.
A consent obtained by one covered entity is not effective to permit another different covered entity to use or disclose protected health information. Conflicting consents obtained by covered entities, therefore, are not possible.

We expect authorizations that permit another covered entity to use and disclose protected health information for treatment, payment, and health care operations purposes will rarely be necessary, because we expect covered entities that maintain protected health information to obtain consents that permit them to make anticipated uses and disclosures for these purposes. Nevertheless, covered entities are permitted under Sec. 164.508(e) to obtain authorization for another covered entity to use or disclose protected health information to carry out treatment, payment, and health care operations. We recognize these authorizations may be useful to demonstrate an individual's intent and relationship to the intended recipient of the information. For example, these authorizations may be useful in situations where a health plan wants to obtain information from one provider in order to determine payment of a claim for services provided by a different provider (e.g., information from a primary care physician that is necessary to determine payment of services provided by a specialist) or where an individual's new physician wants to obtain the individual's medical records from prior physicians. Other persons not covered by this rule may also seek authorizations and state law may require written permission for specific types of information, such as information related to HIV/AIDS or to mental health. Because an individual may sign conflicting documents over time, we clarify that the covered entity maintaining the protected health information to be used or disclosed must adhere to the more restrictive permission the individual has granted, unless the covered entity resolves the conflict with the individual.
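The "more restrictive document wins" rule of Sec. 164.506(e), together with the rule that another entity's consent is never effective for this entity (Sec. 164.506(a)(5)), is in effect an access-control decision made by the entity that holds the information. The following Python model is an added illustration, not part of the regulation or of any agency guidance: it walks through the nursing-home example above. The information categories ("genetic", "medications", "diagnoses"), the document fields, and the entity names are constructed assumptions; the rule itself does not define categories of this kind.

```python
"""Illustrative model of Sec. 164.506(e) conflict resolution for a covered
entity that holds protected health information. Category names, document
fields and entity names are constructed assumptions, not terms of the rule."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional

# Assumption: constructed information categories; the rule does not enumerate these.
GENETIC, MEDS, DIAGNOSES = "genetic", "medications", "diagnoses"
ALL = frozenset({GENETIC, MEDS, DIAGNOSES})


@dataclass(frozen=True)
class Permission:
    """A written legal permission from the individual (consent or authorization)."""
    kind: str                 # "consent" or "authorization"
    holder: str               # entity that obtained the document
    discloser: str            # entity whose use/disclosure the document permits
    categories: FrozenSet[str]


@dataclass
class CoveredEntity:
    name: str
    consent: Optional[Permission] = None
    # Categories the entity agreed not to disclose (a Sec. 164.522(a) restriction).
    agreed_restrictions: FrozenSet[str] = frozenset()
    # Category -> True once the individual's orally stated preference to disclose
    # has been documented (e.g., a notation in the medical record).
    documented_preferences: Dict[str, bool] = field(default_factory=dict)

    def effective_consent_scope(self) -> FrozenSet[str]:
        """What this entity's own consent allows, net of restrictions it agreed to."""
        if self.consent is None or self.consent.discloser != self.name:
            return frozenset()   # a consent obtained for another entity is not effective here
        return self.consent.categories - self.agreed_restrictions

    def conflicts(self, other: Permission) -> FrozenSet[str]:
        """Categories the other document permits but this entity's consent does not."""
        return other.categories - self.effective_consent_scope()

    def disclosable(self, other: Permission) -> FrozenSet[str]:
        """Categories this entity may disclose when presented with the other document."""
        if other.discloser != self.name:
            return frozenset()   # the document does not permit disclosure by this entity
        if other.kind == "consent" and other.holder != self.name:
            return frozenset()   # Sec. 164.506(a)(5): another entity's consent is not effective
        # More restrictive document wins: only what both documents permit.
        permitted = self.effective_consent_scope() & other.categories
        # Conflicts resolved with the individual and documented are restored.
        resolved = {c for c, wants in self.documented_preferences.items()
                    if wants and c in other.categories}
        return frozenset(permitted | resolved)

    def record_oral_preference(self, category: str, wants_disclosure: bool) -> None:
        """Document an orally communicated preference (the rule requires documentation)."""
        self.documented_preferences[category] = wants_disclosure

    def replace_consent(self, new_consent: Permission) -> None:
        """Alternative resolution: a new consent signed by the individual."""
        self.consent = new_consent


def nursing_home_example() -> Dict[str, FrozenSet[str]]:
    """The preamble's physician/nursing-home scenario, with constructed data."""
    physician = CoveredEntity(
        name="primary_care_physician",
        consent=Permission("consent", "primary_care_physician", "primary_care_physician", ALL),
        agreed_restrictions=frozenset({GENETIC}),   # physician agreed not to share genetic data
    )
    # Authorization obtained by the nursing home, naming the physician as discloser.
    nursing_home_auth = Permission("authorization", "nursing_home", "primary_care_physician", ALL)
    steps = {"conflict": physician.conflicts(nursing_home_auth),
             "before_resolution": physician.disclosable(nursing_home_auth)}
    # Physician asks the patient, who confirms the intent; the fact is documented.
    physician.record_oral_preference(GENETIC, True)
    steps["after_oral_resolution"] = physician.disclosable(nursing_home_auth)
    # A consent obtained by the nursing home is not effective for the physician at all.
    other_consent = Permission("consent", "nursing_home", "primary_care_physician", ALL)
    steps["other_entitys_consent"] = physician.disclosable(other_consent)
    return steps


if __name__ == "__main__":
    for step, categories in nursing_home_example().items():
        print(f"{step}: {sorted(categories)}")
```

The decision is computed as a set intersection, so adding a new category to either document can only narrow what is disclosable unless the individual resolves the conflict; the documented preference is the only path that widens it, and it is recorded per category rather than as a blanket override.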
Section 164.506(f)--Joint Consents

Covered entities that participate in an organized health care arrangement and that develop a joint notice under Sec. 164.520(d) may develop a joint consent in which the individual consents to the uses and disclosures of protected health information by each of the covered entities in the arrangement to carry out treatment, payment, and/or health care operations. The joint consent must identify with reasonable specificity the covered entities, or class of covered entities, to which the joint consent applies and must otherwise meet the consent requirements. If an individual revokes a joint consent, the covered entity that receives the revocation must inform the other entities covered by the joint consent of the revocation as soon as practicable.

If any one of the covered entities included in the joint consent obtains the individual's consent, as required above, the consent requirement is met for all of the other covered entities to which the consent applies. For example, a covered hospital and the clinical laboratory and emergency departments with which it participates in an organized health care arrangement may produce a joint notice and obtain a joint consent. If the covered hospital obtains the individual's joint consent upon admission, and some time later the individual is readmitted through the associated emergency department, the emergency department's consent requirement will already have been met. These joint consents are the only type of consent by which one covered entity can obtain the individual's permission for another covered entity to use or disclose protected health information to carry out treatment, payment, or health care operations.

Effect of Consent

These consents, as well as the authorizations described in Sec. 164.508, should not be construed to waive, directly or indirectly, any privilege granted under federal, state, or local law or procedure.
Consents obtained under this regulation are not appropriate for the disposition of more technical and legal proceedings and may not comport with procedures and standards of federal, state, or local judicial practice. For example, state courts and other decision-making bodies may choose to examine more closely the circumstances and propriety of such consent and may adopt more protective standards for application in their proceedings. In the judicial setting, as in the legislative and executive settings, states may provide for greater protection of privacy. Additionally, both the Congress and the Secretary have established a general approach to protecting from explicit preemption state laws that are more protective of privacy than the protections set forth in this regulation.

Section 164.508--Uses and Disclosures for Which an Authorization Is Required

Section 164.508(a)--Standard

We proposed to require covered entities to obtain the individual's authorization for all uses and disclosures of protected health information not otherwise permitted or required under the proposed rule. Uses and disclosures that would have been permitted without individual authorization included uses and disclosures for national priority purposes such as public health, law enforcement, and research (see proposed Sec. 164.510) and uses and disclosures of protected health information, other than psychotherapy notes and research information unrelated to treatment, for purposes of treatment, payment, and health care operations (see proposed Sec. 164.506). We also proposed to require covered entities to disclose protected health information to the individual for inspection and copying (see proposed Sec. 164.514) and to the Secretary as required for enforcement of the rule (see proposed Sec. 164.522). Individual authorization would not have been required for these uses and disclosures.
We proposed to require covered entities to obtain the individual's authorization for all other uses and disclosures of protected health information. Under proposed Sec. 164.508(a), uses and disclosures that would have required individual authorization included, but were not limited to, the following:

    Use for marketing of health and non-health items and services by the covered entity;
    Disclosure by sale, rental, or barter;
    Use and disclosure to non-health related divisions of the covered entity, e.g., for use in marketing life or casualty insurance or banking services;
    Disclosure, prior to an individual's enrollment in a health plan, to the health plan or health care provider for making eligibility or enrollment determinations relating to the individual or for underwriting or risk rating determinations;
    Disclosure to an employer for use in employment determinations; and
    Use or disclosure for fundraising.

In the preamble to the proposed rule, we stated that covered entities would be bound by the terms of authorizations. Uses or disclosures by the covered entity for purposes inconsistent with the statements made in the authorization would have constituted a violation of the rule.

In the final rule, under Sec. 164.508(a), as in the proposed rule, covered entities must have authorization from individuals before using or disclosing protected health information for any purpose not otherwise permitted or required by this rule. Specifically, except for psychotherapy notes (see below), covered entities are not required to obtain the individual's authorization to use or disclose protected health information to carry out treatment, payment, and health care operations. (Covered entities may, however, be required to obtain the individual's consent for these uses and disclosures. See the preamble regarding Sec. 164.506 for a discussion of ``consent'' versus ``authorization''.)
We also do not require covered entities to obtain the individual's authorization for uses and disclosures of protected health information permitted under Secs. 164.510 or 164.512, for disclosures to the individual, or for required disclosures to the Secretary under subpart C of part 160 of this subchapter for enforcement of this rule. In the final rule, we clarify that covered entities are bound by the statements provided on the authorization; use or disclosure by the covered entity for purposes inconsistent with the statements made in the authorization constitutes a violation of this rule.

Unlike the proposed rule, we do not include in the regulation examples of the types of uses and disclosures that require individual authorization. We eliminated two examples from the proposed list due to potential confusion as to our intent: disclosure by sale, rental, or barter and use and disclosure to non-health related divisions of the covered entity. We recognize that covered entities sometimes make these types of uses and disclosures for purposes that are permitted under the rule without authorization. For example, a covered health care provider may sell its accounts receivable to a collection agency for payment purposes and a health plan may disclose protected health information to its life insurance component for payment purposes. We do not intend to require authorization for uses and disclosures made by sale, rental, or barter or for disclosures made to non-health related divisions of the covered entity, if those uses or disclosures could otherwise be made without authorization under this rule. As with any other use or disclosure, however, uses and disclosures of protected health information for these purposes do require authorization if they are not otherwise permitted under the rule.
We also eliminated the remaining proposed examples from the final rule due to concern that these examples might be misinterpreted as an exhaustive list of all of the uses and disclosures that require individual authorization. We discuss the examples here, however, to clarify the interaction of the authorization requirements and the provisions of the rule that permit uses and disclosures without authorization and/or with consent. Uses and disclosures for which covered entities must have the individual's authorization include, but are not limited to, the following activities.

Marketing

As in the proposed rule, covered entities must obtain the individual's authorization before using or disclosing protected health information for marketing purposes. In the final rule, we add a new definition of marketing (see Sec. 164.501). For more detail on what activities constitute marketing, see Sec. 164.501, definition of ``marketing,'' and Sec. 164.514(e).

Pre-Enrollment Underwriting

As in the proposed rule, covered entities must obtain the individual's authorization to use or disclose protected health information for the purpose of making eligibility or enrollment determinations relating to an individual or for underwriting or risk rating determinations, prior to the individual's enrollment in a health plan (that is, for purposes of pre-enrollment underwriting). For example, if an individual applies for new coverage with a health plan in the non-group market and the health plan wants to review protected health information from the individual's covered health care providers before extending an offer of coverage, the individual first must authorize the covered providers to share the information with the health plan.
If the individual applies for renewal of existing coverage, however, the health plan would not need to obtain an authorization to review its existing claims records about that individual, because this activity would come within the definition of health care operations and be permissible. We also note that under Sec. 164.504(f), a group health plan and a health insurance issuer that provides benefits with respect to a group health plan are permitted in certain circumstances to disclose summary health information to the plan sponsor for the purpose of obtaining premium bids. Because these disclosures fall within the definition of health care operations, they do not require authorization.

Employment Determinations

As in the proposed rule, covered entities must obtain the individual's authorization to use or disclose protected health information for employment determinations. For example, a covered health care provider must obtain the individual's authorization to disclose the results of a pre-employment physical to the individual's employer. The final rule provides that a covered entity may condition the provision of health care that is solely for the purpose of creating protected health information for disclosure to a third party on the provision of authorization for the disclosure of the information to the third party.

Fundraising

Under the proposed regulation, we would have required authorization before a covered entity could have used or disclosed protected health information for fundraising. In the final rule, we narrow the circumstances under which covered entities must obtain the individual's authorization to use or disclose protected health information for fundraising purposes. As provided in Sec. 164.514(f) and described in detail in the corresponding preamble, authorization is not required when a covered entity uses or discloses demographic information and information about the dates of health care provided to an individual for the purpose of raising funds for its own benefit, nor when it discloses such information to an institutionally related foundation to raise funds for the covered entity. Any use or disclosure for fundraising purposes that does not meet the requirements of Sec. 164.514(f) and does not fall within the definition of health care operations (see Sec. 164.501), requires authorization. Specifically, covered entities must obtain the individual's authorization to use or disclose protected health information to raise funds for any entity other than the covered entity. For example, a covered entity must have the individual's authorization to use protected health information about the individual to solicit funds for a non-profit organization that engages in research, education, and awareness efforts about a particular disease.

Psychotherapy Notes

In the NPRM, we proposed different rules with respect to psychotherapy notes than we proposed with respect to all other protected health information. The proposed rule would have required covered entities to obtain an authorization for any use or disclosure of psychotherapy notes to carry out treatment, payment, or health care operations, unless the use was by the person who created the psychotherapy notes. With respect to all other protected health information, we proposed to prohibit covered entities from requiring authorization for uses and disclosures for these purposes.

We significantly revise our approach to psychotherapy notes in the final rule. With a few exceptions, covered entities must obtain the individual's authorization to use or disclose psychotherapy notes to carry out treatment, payment, or health care operations.
A covered entity must obtain the individual's consent, but not an authorization, for the person who created the psychotherapy notes to use the notes to carry out treatment and for the covered entity to use or disclose psychotherapy notes for conducting training programs in which students, trainees, or practitioners in mental health learn under supervision to practice or improve their skills in group, joint, family, or individual counseling. A covered entity may also use psychotherapy notes to defend a legal action or other proceeding brought by the individual pursuant to a consent, without a specific authorization. We note that, while this provision allows disclosure of these records to the covered entity's attorney to defend against the action or proceeding, disclosure to others in the course of a judicial or administrative proceeding is governed by Sec. 164.512(e). This special provision is necessary because disclosure of protected health information for purposes of legal representatives may be made under the general consent as part of ``health care operations.'' Because we require an authorization for disclosure of psychotherapy notes for ``health care operations,'' an exception is needed to allow covered entities to use protected health information about an individual to defend themselves against an action threatened or brought by that individual without asking that individual for authorization to do so.

Otherwise, a consent under Sec. 164.506 is not sufficient for the use or disclosure of psychotherapy notes to carry out treatment, payment, or health care operations. Authorization is required. We anticipate these authorizations will rarely be necessary, since psychotherapy notes do not include information that covered entities typically need for treatment, payment, or other types of health care operations.
In the NPRM, we proposed to permit covered entities to use and disclose psychotherapy notes for all other purposes permitted or required under the rule without authorization. In the final rule, we specify a more limited set of uses and disclosures of psychotherapy notes that covered entities are permitted to make without authorization. An authorization is not required for use or disclosure of psychotherapy notes when required for enforcement purposes, in accordance with subpart C of part 160 of this subchapter; when mandated by law, in accordance with Sec. 164.512(a); when needed for oversight of the health care provider who created the psychotherapy notes, in accordance with Sec. 164.512(d); when needed by a coroner or medical examiner, in accordance with Sec. 164.512(g)(1); or when needed to avert a serious and imminent threat to health or safety, in accordance with Sec. 164.512(j)(1)(i). We also provide transition provisions in Sec. 164.532 regarding the effect of express legal permission obtained from an individual prior to the compliance date of this rule.

Section 164.508(b)--Implementation Specifications for Authorizations

Valid and Defective Authorizations

We proposed to require a minimum set of elements for authorizations requested by the individual and an additional set of elements for authorizations requested by a covered entity. We would have permitted covered entities to use and disclose protected health information pursuant to authorizations containing the applicable required elements. We would have prohibited covered entities from acting on an authorization if the submitted document had any of the following defects:

    The expiration date had passed;
    The form had not been filled out completely;
    The covered entity knew the authorization had been revoked;
    The completed form lacked a required element; or
    The covered entity knew the information on the form was false.

In Sec. 164.508(b)(1) of the final rule, we specify that an authorization containing the applicable required elements (as described below) is a valid authorization. We clarify that a valid authorization may contain additional, non-required elements, provided that these elements are not inconsistent with the required elements. Covered entities are not required to use or disclose protected health information pursuant to a valid authorization. Our intent is to clarify that a covered entity that uses or discloses protected health information pursuant to an authorization meeting the applicable requirements will be in compliance with this rule.

We retain the provision prohibiting covered entities from acting on an authorization if the submitted document had any of the listed defects, with a few changes. First, in Sec. 164.508(c)(1)(iv) we specify that an authorization may expire upon a certain event or on a specific date. For example, a valid authorization may state that it expires upon acceptance or rejection of an application for insurance or upon the termination of employment (for example, in an authorization for disclosure of protected health information for fitness-for-duty purposes) or similar event. The expiration event must, however, be related to the individual or the purpose of the use or disclosure. An authorization that purported to expire on the date when the stock market reached a specified level would not be valid. Under Sec. 164.508(b)(2)(i), if the expiration event is known by the covered entity to have occurred, the authorization is defective. Second, we clarify that certain compound authorizations, as described below, are defective. We also clarify that authorizations that are not completely filled out with respect to the required elements are defective. Finally, we clarify that an authorization with information that the covered entity knows to be false is defective only if the information is material.
As under the proposed regulation, an authorization that the covered entity knows has been revoked is not a valid authorization. We note that, although an authorization must be revoked in writing, the covered entity may not always ``know'' that an authorization has been revoked. The writing required for an individual to revoke an authorization may not always trigger the ``knowledge'' required for a covered entity to consider an authorization defective. Conversely, a copy of the written revocation is not required before a provider ``knows'' that an authorization has been revoked.

Many authorizations will be obtained by persons other than the covered entity. If the individual revokes an authorization by writing to that other person, and neither the individual nor the other person informs the covered entity of the revocation, the covered entity will not ``know'' that the authorization has been revoked. For example, a government agency may obtain an individual's authorization for ``all providers who have seen the individual in the past year'' to disclose protected health information to the agency for purposes of determining eligibility for benefits. The individual may revoke the authorization by writing to the government agency requesting such revocation. We cannot require the agency to inform all covered entities to whom it has presented the authorization that the authorization has been revoked. If a covered entity does not know of the revocation, the covered entity will not violate this rule by acting pursuant to the authorization. At the same time, if the individual does inform the covered entity of the revocation, even orally, the covered entity ``knows'' that the authorization has been revoked and can no longer treat the authorization as valid under this rule.
Thus, in this example, if the individual tells a covered entity that the individual has revoked the authorization, the covered entity ``knows'' of the revocation and must consider the authorization defective under Sec. 164.508(b)(2).

Compound Authorizations

Except for authorizations requested in connection with a clinical trial, we proposed to prohibit covered entities from combining an authorization for use or disclosure of protected health information for purposes other than treatment, payment, or health care operations with an authorization or consent for treatment (e.g., an informed consent to receive care) or payment (e.g., an assignment of benefits).

We clarify the prohibition on compound authorizations in the final rule. Other than as described below, Sec. 164.508(b)(3) prohibits a covered entity from acting on an authorization required under this rule that is combined with any other document, including any other written legal permission from the individual. For example, an authorization under this rule may not be combined with a consent for use or disclosure of protected health information under Sec. 164.506, with the notice of privacy practices under Sec. 164.520, with any other form of written legal permission for the use or disclosure of protected health information, with an informed consent to participate in research, or with any other form of consent or authorization for treatment or payment.

There are three exceptions to this prohibition. First, under Sec. 164.508(f) (described in more detail, below), an authorization for the use or disclosure of protected health information created for research that includes treatment of the individual may be combined with a consent for the use or disclosure of that protected health information to carry out treatment, payment, or health care operations under Sec. 164.506 and with other documents as provided in Sec. 164.508(f).
Second, authorizations for the use or disclosure of psychotherapy notes for multiple purposes may be combined in a single document, but may not be combined with authorizations for the use or disclosure of other protected health information. Third, authorizations for the use or disclosure of protected health information other than psychotherapy notes may be combined, provided that the covered entity has not conditioned the provision of treatment, payment, enrollment, or eligibility on obtaining the authorization. If a covered entity conditions any of these services on obtaining an authorization from the individual, as permitted in Sec. 164.508(b)(4) and described below, the covered entity must not combine the authorization with any other document.

The following are examples of valid compound authorizations: an authorization for the disclosure of information created for clinical research combined with a consent for the use or disclosure of other protected health information to carry out treatment, payment, and health care operations, and the informed consent to participate in the clinical research; an authorization for disclosure of psychotherapy notes for both treatment and research purposes; and an authorization for the disclosure of the individual's demographic information for both marketing and fundraising purposes.

Examples of invalid compound authorizations include: an authorization for the disclosure of protected health information for treatment, for research, and for determining payment of a claim for benefits, when the covered entity will refuse to pay the claim if the individual does not sign the authorization; or an authorization for the disclosure of psychotherapy notes combined with an authorization to disclose any other protected health information.
Prohibition on Conditioning Treatment, Payment, Eligibility, or Enrollment

We proposed to prohibit covered entities from conditioning treatment or payment on the provision by the individual of an authorization, except when the authorization was requested in connection with a clinical trial. In the case of authorization for use or disclosure of psychotherapy notes or research information unrelated to treatment, we proposed to prohibit covered entities from conditioning treatment, payment, or enrollment in a health plan on obtaining such an authorization.

We retain this basic approach but refine its application in the final rule. In addition to the general prohibition on conditioning treatment and payment, covered entities are also prohibited (with certain exceptions described below) from conditioning eligibility for benefits or enrollment in a health plan on obtaining an authorization. This prohibition extends to all authorizations, not just authorizations for use or disclosure of psychotherapy notes. This prohibition is intended to prevent covered entities from coercing individuals into signing an authorization for a use or disclosure that is not necessary to carry out the primary services that the covered entity provides to the individual. For example, a health care provider could not refuse to treat an individual because the individual refused to authorize a disclosure to a pharmaceutical manufacturer for the purpose of marketing a new product.

We clarify the proposed research exception to this prohibition. Covered entities seeking authorization in accordance with Sec. 164.508(f) to use or disclose protected health information created for the purpose of research that includes treatment of the individual, including clinical trials, may condition the research-related treatment on the individual's authorization.
Permitting use of protected health information is part of the decision to receive care through a clinical trial, and health care providers conducting such trials should be able to condition research-related treatment on the individual's willingness to authorize the use or disclosure of his or her protected health information for research associated with the trial.

In addition, we permit health plans to condition eligibility for benefits and enrollment in the health plan on the individual's authorization for the use or disclosure of protected health information for purposes of eligibility or enrollment determinations relating to the individual or for its underwriting or risk-rating determinations. We also permit health plans to condition payment of a claim for specified benefits on the individual's authorization for the disclosure of information maintained by another covered entity to the health plan, if the disclosure is necessary to determine payment of the claim. These exceptions do not apply, however, to authorization for the use or disclosure of psychotherapy notes. Health plans may not condition payment, eligibility, or enrollment on the receipt of an authorization for the use or disclosure of psychotherapy notes, even if the health plan intends to use the information for underwriting or payment purposes.

Finally, when a covered entity provides treatment for the sole purpose of providing information to a third party, the covered entity may condition the treatment on the receipt of an authorization to use or disclose protected health information related to that treatment. For example, a covered health care provider may have a contract with an employer to provide fitness-for-duty exams to the employer's employees. The provider may refuse to conduct the exam if an individual refuses to authorize the provider to disclose the results of the exam to the employer.
Similarly, a covered health care provider may have a contract with a life insurer to provide pre-enrollment physicals to applicants for life insurance coverage. The provider may refuse to conduct the physical if an individual refuses to authorize the provider to disclose the results of the physical to the life insurer.

Revocation of Authorizations

We proposed to allow individuals to revoke an authorization at any time, except to the extent that the covered entity had taken action in reliance on the authorization. We retain this provision, but specify that the individual must revoke the authorization in writing. When an individual revokes an authorization, a covered entity that knows of such revocation must stop making uses and disclosures pursuant to the authorization to the greatest extent practical. A covered entity may continue to use and disclose protected health information in accordance with the authorization only to the extent the covered entity has taken action in reliance on the authorization. For example, a covered entity is not required to retrieve information that it has already disclosed in accordance with the authorization. (See above for discussion of how written revocation of an authorization and knowledge of that revocation may differ.)

We also include an additional exception. Under Sec. 164.508(b)(5), individuals do not have the right to revoke an authorization if the authorization was obtained as a condition of obtaining insurance coverage and other applicable law provides the insurer that obtained the authorization with the right to contest a claim under the policy. We intend this exception to permit insurers to obtain necessary protected health information during contestability periods under state law.
For example, an individual may not revoke an authorization for the disclosure of protected health information to a life insurer for the purpose of investigating material misrepresentation if the individual's policy is still subject to the contestability period.

Documentation

In the final rule, we clarify that a covered entity must document and retain any signed authorization as required by Sec. 164.530(j) (see below).

Section 164.508(c)--Core Elements and Requirements

We proposed to require authorizations requested by individuals to contain a minimum set of elements: a description of the information to be used or disclosed; the name of the covered entity, or class of entities or persons, authorized to make the use or disclosure; the name or types of recipient(s) of the information; an expiration date; the individual's signature and date of signature; if signed by a representative, a description of the representative's authority or relationship to the individual; a statement regarding the individual's right to revoke the authorization; and a statement that the information may no longer be protected by the federal privacy law. We proposed a model authorization form that entities could have used to satisfy the authorization requirements. If the model form was not used, we proposed to require covered entities to use authorization forms written in plain language.

We modify the proposed approach, by eliminating the distinction between authorizations requested by the individuals and authorizations requested by others. Instead, we prescribe a minimum set of elements for authorizations and certain additional elements when the authorization is requested by a covered entity for its own use or disclosure of protected health information it maintains or for receipt of protected health information from another covered entity to carry out treatment, payment, or health care operations.
The core elements are required for all authorizations, not just authorizations requested by individuals. Individuals seek disclosure of protected health information about them to others in many circumstances, such as when applying for life or disability insurance, when government agencies conduct suitability investigations, and in seeking certain job assignments when health status is relevant. Another common instance is tort litigation, when an individual's attorney needs individually identifiable health information to evaluate an injury claim and asks the individual to authorize disclosure of records relating to the injury to the attorney. In each of these situations, the individual may go directly to the covered entity and ask it to send the relevant information to the intended recipient. Alternatively, the intended recipient may ask the individual to complete a form, which the recipient will submit to the covered entity on the individual's behalf, that authorizes the covered entity to disclose the information. Whether the authorization is submitted to the covered entity by the individual or by another person on the individual's behalf, the covered entity maintaining protected health information may not use or disclose it pursuant to an authorization unless the authorization meets the following requirements.

First, the authorization must include a description of the information to be used or disclosed, with sufficient specificity to allow the covered entity to know which information the authorization references. For example, the authorization may include a description of ``laboratory results from July 1998'' or ``all laboratory results'' or ``results of MRI performed in July 1998.'' The covered entity can then use or disclose that information and only that information. If the covered entity does not understand what information is covered by the authorization, the use or disclosure is not permitted unless the covered entity clarifies the request.
There are no limitations on the information that can be authorized for disclosure. If an individual wishes to authorize a covered entity to disclose his or her entire medical record, the authorization can so specify. In order for the covered entity to disclose the entire medical record, the authorization must be specific enough to ensure that the individual has a clear understanding that the entire record will be disclosed. For example, if the Social Security Administration seeks authorization for release of all health information to facilitate the processing of benefit applications, then the description on the authorization form must specify ``all health information'' or the equivalent. In some instances, a covered entity may be reluctant to undertake the effort to review the record and select portions relevant to the request (or redact portions not relevant). In such circumstances, covered entities may provide the entire record to the individual, who may then redact and release the more limited information to the requestor. This rule does not require a covered entity to disclose information pursuant to an individual's authorization.

Second, the authorization must include the name or other specific identification of the person(s) or class of persons that are authorized to use or disclose the protected health information. If an authorization permits a class of covered entities to disclose information to an authorized person, the class must be stated with sufficient specificity so that a covered entity presented with the authorization will know with reasonable certainty that the individual intended the covered entity to release protected health information. For example, a covered licensed nurse practitioner presented with an authorization for ``all physicians'' to disclose protected health information could not know with reasonable certainty that the individual intended for the practitioner to be included in the authorization.
Third, the authorization must include the name or other specific identification of the person(s) or class of persons to whom the covered entity is authorized to make the use or disclosure. The authorization must identify these persons with sufficient specificity to reasonably permit a covered entity responding to the authorization to identify the authorized user or recipient of the protected health information. Often, individuals provide authorizations to third parties, who present them to one or more covered entities. For example, an authorization could be completed by an individual and given to a government agency, authorizing the agency to receive medical information from any health care provider that has treated the individual within a defined period of time. Such an authorization is permissible (subject to the other requirements of this part) if it sufficiently identifies the government entity that is authorized to receive the disclosed protected health information.

Fourth, the authorization must state an expiration date or event. This expiration date or event must either be a specific date (e.g., January 1, 2001), a specific time period (e.g., one year from the date of signature), or an event directly relevant to the individual or the purpose of the use or disclosure (e.g., for the duration of the individual's enrollment with the health plan that is authorized to make the use or disclosure). We note that the expiration date or event is subject to otherwise applicable and more stringent law. For example, the National Association of Insurance Commissioners' Insurance Information and Privacy Protection Model Act, adopted in at least fifteen states, specifies that authorizations signed for the purpose of collecting information in connection with an application for a life, health, or disability insurance policy are permitted to remain valid for no longer than thirty months.
In those states, the longest such an authorization may remain in effect is therefore thirty months, regardless of the expiration date or event indicated on the form.

Fifth, the authorization must state that the individual has the right to revoke an authorization in writing, except to the extent that action has been taken in reliance on the authorization or, if applicable, during a contestability period. The authorization must include instructions on how the individual may revoke the authorization. For example, the person obtaining the authorization from the individual can include an address where the individual can send a written request for revocation.

Sixth, the authorization must inform the individual that, when the information is used or disclosed pursuant to the authorization, it may be subject to re-disclosure by the recipient and may no longer be protected by this rule.

Seventh, the authorization must include the individual's signature and the date of the signature. Once we adopt the standards for electronic signature, another of the required administrative simplification standards we are required to adopt under HIPAA, an electronic signature that meets those standards will be sufficient under this rule. We do not require verification of the individual's identity or authentication of the individual's signature.

Finally, if the authorization is signed by a personal representative of the individual, the representative must indicate his or her authority to act for the individual.

As in the proposed rule, the authorization must be written in plain language. See the preamble discussion regarding notice of privacy practices (Sec. 164.520) for a discussion of the plain language requirement. We do not provide a model authorization in this rule. We will provide further guidance on this issue prior to the compliance date.
Section 164.508(d)--Authorizations Requested by a Covered Entity for Its Own Uses and Disclosures

We proposed to require covered entities to include additional elements in authorizations initiated by the covered entity. Before a covered entity could use or disclose protected health information of an individual pursuant to a request the covered entity made, we proposed to require the entity to obtain an authorization containing the minimum elements described above and the following additional elements: except for authorizations requested for clinical trials, a statement that the entity will not condition treatment or payment on the individual's authorization; a description of the purpose of the requested use or disclosure; a statement that the individual may inspect or copy the information to be used or disclosed and may refuse to sign the authorization; and, if the use or disclosure of the requested information will result in financial gain to the entity, a statement that such gain will result. We additionally proposed to require covered entities, when requesting an individual's authorization, to request only the minimum amount of information necessary to accomplish the purpose for which the request was made. We also proposed to require covered entities to provide the individual with a copy of the executed authorization.

We retain the proposed approach, but apply these additional requirements when the covered entity requests the individual's authorization for the entity's own use or disclosure of protected health information maintained by the covered entity itself. For example, a health plan may ask individuals to authorize the plan to disclose protected health information to a subsidiary to market life insurance to the individual.
A pharmaceutical company may also ask a covered provider to recruit patients for drug research; if the covered provider asks patients to sign an authorization for the provider to disclose protected health information to the pharmaceutical company for this research, this is also an authorization requested by a covered entity for disclosure of protected health information maintained by the covered entity.

When covered entities initiate the authorization by asking individuals to authorize the entity to use or disclose protected health information that the entity maintains, the authorization must include all of the elements required above as well as several additional elements. Authorizations requested by covered entities for the covered entity's own use or disclosure of protected health information must state, as applicable under Sec. 164.508(b)(4), that the covered entity will not condition treatment, payment, enrollment, or eligibility on the individual's authorization for the use or disclosure. For example, if a health plan asks an individual to sign an authorization for the health plan to disclose protected health information to a non-profit advocacy group for the advocacy group's fundraising purposes, the authorization must contain a statement that the health plan will not condition treatment, payment, enrollment in the health plan, or eligibility for benefits on the individual providing the authorization.

Authorizations requested by covered entities for their own uses and disclosures of protected health information must also identify each purpose for which the information is to be used or disclosed. The required statement of purpose(s) must provide individuals with the facts they need to make an informed decision whether to allow release of the information. We prohibit the use of broad or blanket authorizations requesting the use or disclosure of protected health information for a wide range of unspecified purposes.
Both the information that is to be used or disclosed and the specific purpose(s) for such uses or disclosures must be stated in the authorization.

Authorizations requested by covered entities for their own uses and disclosures must also advise individuals of certain rights available to them under this rule. The authorization must state that the individual may inspect or copy the information to be used or disclosed as provided in Sec. 164.524 regarding access for inspection and copying and that the individual may refuse to sign the authorization.

We alter the proposed requirements with respect to authorizations for which the covered entity will receive financial gain. When the covered entity initiates the authorization and the covered entity will receive direct or indirect remuneration from a third party (rather than financial gain, as proposed) in exchange for using or disclosing the protected health information, the authorization must include a statement that such remuneration will result. For example, a health plan may wish to sell or rent its enrollee mailing list or a pharmaceutical company may offer a covered provider a discount on its products if the provider obtains authorization to disclose the demographic information of patients with certain diagnoses so that the company can market new drugs to them directly. In each case, the covered entity must obtain the individual's authorization, and the authorization must include a statement that the covered entity will receive remuneration.

In Sec. 164.508(d)(2), we continue to require a covered entity that requests an authorization for its own use or disclosure of protected health information to provide the individual with a copy of the signed authorization. While we eliminate from this section the provision requiring covered entities to obtain authorization for use or disclosure of the minimum necessary protected health information, Sec. 164.514(d)(4) requires covered entities to request only the minimum necessary protected health information to accomplish the purpose for which the request is made. This requirement applies to these authorizations, as well as other requests.

Section 164.508(e)--Authorizations Requested by a Covered Entity for Disclosures by Others

In the proposed rule, we would have prohibited all covered entities from requiring the individual's written legal permission (as proposed, an ``authorization'') for the use or disclosure of protected health information to carry out treatment, payment, or health care operations. We generally eliminate this prohibition in the final rule, except to specify that a consent obtained by one covered entity is not effective to permit another covered entity to use or disclose protected health information. See Sec. 164.506(a)(5) and the corresponding preamble discussion.

In the final rule, if a covered entity seeks the individual's written legal permission to obtain protected health information about the individual from another covered entity for any purpose, it must obtain the individual's authorization for the covered entity that maintains the protected health information to make the disclosure. If the authorization is for the purpose of obtaining protected health information for purposes other than treatment, payment, or health care operations, the authorization need only contain the core elements required by Sec. 164.508(c) and described above. If the authorization, however, is for the purpose of obtaining protected health information to carry out treatment, payment, or health care operations, the authorization must meet the requirements of Sec. 164.508(e). We expect such authorizations will rarely be necessary, because we expect covered entities that maintain protected health information to obtain consents that permit them to make anticipated uses and disclosures for these purposes.
An authorization obtained by another covered entity that authorizes the covered entity maintaining the protected health information to make a disclosure for the same purpose, therefore, would be unnecessary. We recognize, however, that these authorizations may be useful to demonstrate an individual's intent and relationship to the intended recipient of the information when the intent or relationship is not already clear. For example, a long term care insurer may need information from an individual's health care providers about the individual's ability to perform activities of daily living in order to determine payment of a long term care claim. The providers that hold the information may not be providing the long term care and may not, therefore, be aware of the individual's coverage under the policy or that the individual is receiving long term care services. An authorization obtained by the long term care insurer will help to demonstrate these facts to the providers holding the information, which will make them more confident that the individual intends for the information to be shared.

Similarly, an insurer with subrogation obligations may need health information from the enrollee's providers to assess or prosecute the claim. A patient's new physician may also need medical records from the patient's prior providers in order to treat the patient. Without an authorization that demonstrates the patient's intent for the information to be shared, the covered entity that maintains the protected health information may be reluctant to provide the information, even if that covered entity's consent permits such disclosure to occur. These authorizations may also be useful to accomplish clinical coordination and integration among covered entities that do not meet the definitions of affiliated covered entities or organized health care arrangements.
For example, safety-net providers that participate in the Community Access Program (CAP) may not qualify as organized health care arrangements but may want to share protected health information with each other in order to develop and expand integrated systems of care for uninsured people. An authorization under this section would permit such providers to receive protected health information from other CAP participants to engage in such activities. Because of such concerns, we permit a covered entity to request the individual's authorization to obtain protected health information from another covered entity to carry out treatment, payment, and health care operations. In these situations, the authorization must contain the core elements described above and must also describe each purpose of the requested disclosure. With one exception, the authorization must also indicate that the authorization is voluntary. It must state that the individual may refuse to sign the authorization and that the covered entity requesting the authorization will not condition the provision of treatment, payment, enrollment in the health plan, or eligibility for benefits on obtaining the individual's authorization. If the authorization is for a disclosure of information that is necessary to determine payment of a claim for specified benefits, however, the health plan requesting the authorization may condition the payment of the claim on obtaining the authorization from the individual. See Sec. 164.508(b)(4)(iii). In this case, the authorization does not have to state that the health plan will not condition payment on obtaining the authorization. The covered entity requesting the authorization must provide the individual with a copy of the signed authorization. We note that the covered entity requesting the authorization is also subject to the requirements in [[Page 82520]] Sec. 164.514 to request only the minimum necessary information needed for the purpose of the authorization. 
We additionally note that, when the covered entity that maintains the protected health information has already obtained a consent for disclosure of protected health information to carry out treatment, payment, and/or health care operations under Sec. 164.506, and that consent conflicts with an authorization obtained by another covered entity under Sec. 164.508(e), the covered entity maintaining the protected health information is bound by the more restrictive document. See Sec. 164.506(e) and the corresponding preamble discussion for further explanation.

Section 164.508(f)--Authorizations for Uses and Disclosures of Protected Health Information Created for Research that Includes Treatment of Individuals

In the proposed rule, we would have required individual authorization for any use or disclosure of research information unrelated to treatment. In the final rule, we eliminate the special rules for this category of information and, instead, require covered entities to obtain an authorization for the use or disclosure of protected health information the covered entity creates for the purpose of research that includes treatment of individuals, except as otherwise permitted by Sec. 164.512(i). The intent of this provision is to permit covered entities that conduct research involving treatment to bind themselves to a more limited scope of uses and disclosures of research information than they would otherwise be permitted to make with non-research information. Rather than creating a single definition of ``research information,'' we allow covered entities the flexibility to define that subset of protected health information they create during clinical research that is not necessary for treatment, payment, or health care operations and that the covered entity will use or disclose under more limited circumstances than it uses or discloses other protected health information.
In designing their authorizations, we expect covered entities to be mindful of the often highly sensitive nature of research information and the impact of individuals' privacy concerns on their willingness to participate in research. Covered entities seeking authorization to use or disclose protected health information they create for the purpose of research that includes treatment of individuals, including clinical trials, must include in the authorization (in addition to the applicable elements required above) a description of the extent to which some or all of the protected health information created for the research will also be used or disclosed for purposes of treatment, payment, and health care operations. For example, if the covered entity intends to seek reimbursement from the individual's health plan for the routine costs of care associated with the research protocol, it must explain in the authorization the types of information that it will provide to the health plan for this purpose. This information, and the circumstances under which disclosures will be made for treatment, payment, and health care operations, may be more limited than the information and circumstances described in the covered entity's general consent and notice of privacy practices. To the extent the covered entity limits itself to a subset of uses or disclosures that are otherwise permissible under the rule and the covered entity's consent and notice, the covered entity is bound by the statements made in the research-related authorization. In these circumstances, the authorization must indicate that the authorization, not the general consent and notice, controls. If the covered entity's primary interaction with the individual is through the research, the covered entity may combine the general consent for treatment, payment, and health care operations required under Sec. 164.506 with this research authorization and need not obtain an additional consent under Sec. 164.506.
If the entity has already obtained, or intends to obtain, a separate consent as required under Sec. 164.506, the research authorization must refer to that consent and state that the practices described in the research-related authorization are binding on the covered entity as to the information covered by the research-related authorization. The research-related authorization may also be combined in the same document as the informed consent for participation in the research. This is an exception to the general rule in Sec. 164.508(b)(3) that an authorization under this section may not be combined with any other document (see above). The covered entity must also include in the authorization a description of the extent to which it will not use or disclose the protected health information it obtains in connection with the research protocol for purposes that are permitted without individual authorization under this rule (under Secs. 164.510 and 164.512). To the extent that the entity limits itself to a subset of uses or disclosures that are otherwise permissible under the rule and the entity's notice, the entity is bound by the statements made in the research authorization. In these circumstances, the authorization must indicate that the authorization, not the notice, controls. The covered entity may not, however, purport to preclude itself from making uses or disclosures that are required by law or that are necessary to avert a serious and imminent threat to health or safety. In some instances, the covered entity may wish to make a use or disclosure of the research information that it did not include in its general consent or notice or for which authorization is required under this rule. To the extent the entity includes uses or disclosures in the research authorization that are otherwise not permissible under the rule and the entity's consent and notice of information practices, the entity must include all of the elements required by Secs. 
164.508(c) and (d) in the research-related authorization. The covered entity is bound by these statements. Research that involves the delivery of treatment to participants sometimes relies on existing health information, such as to determine eligibility for the trial. We note that under Sec. 164.508(b)(3)(iii), the covered entity may combine the research-related authorization required under Sec. 164.508(f) with any other authorization for the use or disclosure of protected health information (other than psychotherapy notes), provided that the covered entity does not condition the provision of treatment on the individual signing the authorization. For example, a covered health care provider that had a treatment relationship with an individual prior to the individual's enrollment in a clinical trial, but that is now providing research-related treatment to the individual, may elect to request a compound authorization from the individual: an authorization under Sec. 164.508(d) for the provider to use the protected health information it created prior to the initiation of the research that involves treatment, combined with an authorization under Sec. 164.508(f) regarding use and disclosure of protected health information the covered provider will create for the purpose of the clinical trial. This compound authorization would be valid, provided the covered provider did not condition the research-related treatment on obtaining the authorization required under Sec. 164.508(f), as permitted in Sec. 164.508(b)(4)(i). However, we anticipate that covered entities will almost always, if not always, condition the provision of research-related treatment on the individual signing the authorization under Sec. 164.508(f) for the covered [[Page 82521]] entity's use or disclosure of protected health information created for the research.
Therefore, we expect that the vast majority of covered providers who wish to use or disclose protected health information about an individual that will be created for research that includes treatment and wish to use existing protected health information about that individual for the research that includes treatment, will be required to obtain two authorizations from the individual: (1) an authorization for the use and disclosure of protected health information to be created for the research that involves treatment of the individual (as required under Sec. 164.508(f)), and (2) an authorization for the use of existing protected health information for the research that includes treatment of the individual (as required under Sec. 164.508(d)).

Effect of Authorization

As noted in the discussion about consents in the preamble to Sec. 164.506, authorizations under this rule should not be construed to waive, directly or indirectly, any privilege granted under federal, state, or local laws or procedures.

Section 164.510--Uses and Disclosures Requiring an Opportunity for the Individual To Agree or To Object

Introduction

Section 164.510 of the NPRM proposed the uses and disclosures of protected health information that covered entities could make for purposes other than treatment, payment, or health care operations and for which an individual authorization would not have been required. These allowable uses and disclosures were designed to permit and promote key national health care priorities, and to promote the smooth operation of the health care system. In each of these areas, the proposal permitted, but would not have required, covered entities to use or disclose protected health information. We proposed to require covered entities to obtain the individual's oral agreement before making a disclosure to a health care facility's directory or to the individual's next-of-kin or to another person involved in the individual's health care.
Because there is an expectation in these two areas that individuals will have some input into a covered entity's decision to use or disclose protected health information, we decided to place disclosures to health facility directories and to persons involved in an individual's care in a separate section. In the final rule, requirements regarding disclosure of protected health information for facility directories and to others involved in an individual's care are included in Sec. 164.510(a) and Sec. 164.510(b), respectively. In the final rule, we include in Sec. 164.510(b) provisions to address a type of disclosure not addressed in the NPRM: disclosures to entities providing relief and assistance in disasters such as floods, fires, and terrorist attacks. Requirements for most of the remaining categories of disclosures addressed in proposed Sec. 164.510 of the NPRM are included in a new Sec. 164.512 of the final rule, as discussed below. Section 164.510 of the final rule addresses situations in which the interaction between the covered entity and the individual is relatively informal and agreements are made orally, without written authorizations for use or disclosure. In general, under the final rule, to disclose or use protected health information for these purposes, covered entities must inform individuals in advance and must provide a meaningful opportunity for the individual to prevent or restrict the disclosure. In exceptional circumstances, where even this informal discussion cannot practicably take place, covered entities are permitted to make decisions regarding disclosure or use based on the exercise of professional judgment of what is in the individual's best interest. 
Section 164.510(a)--Use and Disclosure for Facility Directories

The NPRM proposed to allow covered health care providers to disclose through an inpatient facility's directory a patient's name, location in the facility, and general health condition, provided that the individual had agreed to the disclosure. The NPRM would have allowed this agreement to be oral. Pursuant to the NPRM, when making decisions about incapacitated individuals, a covered health care provider could have disclosed such information at the entity's discretion and consistent with good medical practice and any prior expressions of patient preference of which the covered entity was aware. The preamble to the NPRM listed several factors that we encouraged covered entities to take into account when making decisions about whether to include an incapacitated patient's information in the directory. These factors included: (1) Whether disclosing that an individual is in the facility could reasonably cause harm or danger to the individual (e.g., if it appeared that an unconscious patient had been abused and disclosing the information could give the attacker sufficient information to seek out the person and repeat the abuse); (2) whether disclosing a patient's location within a facility implicitly would give information about the patient's condition (e.g., whether a patient's room number revealed that he or she was in a psychiatric ward); (3) whether it was necessary or appropriate to give information about patient status to family or friends (e.g., if giving information to a family member about an unconscious patient could help a physician administer appropriate medications); and (4) whether an individual had, prior to becoming incapacitated, expressed a preference not to be included in the directory. The preamble stated that if a covered entity learned of such a preference, it would be required to act in accordance with the preference.
The preamble to the NPRM said that when individuals entered a facility in an incapacitated state and subsequently gained the ability to make their own decisions, health facilities should ask them within a reasonable time period for permission to include their information in the facility's directory. In the final rule, we change the NPRM's opt-in authorization requirement to an opt-out approach for inclusion of patient information in a health care facility's directory. The final rule allows covered health care providers--which in this case are health care facilities--to include patient information in their directory only if: (1) They inform incoming patients of their policies regarding the directory; (2) they give patients a meaningful opportunity to opt out of the directory listing or to restrict some or all of the uses and disclosures that can be included in the directory; and (3) the patient does not object to being included in the directory. A patient must be allowed, for example, to have his or her name and condition included in the directory while not having his or her religious affiliation included. The facility's notice and the individual's opt-out or restriction may be oral. Under the final rule, subject to the individual's right to object, or known prior expressed preferences, a covered health care provider may disclose the following information to persons who inquire about the individual by name: (1) The individual's general condition in terms that do not communicate specific medical information about the individual (e.g., fair, critical, stable, etc.); and (2) location in the facility. This approach represents a slight change to the NPRM, which did not require members of the general public to ask for a patient by name in order to obtain directory information and which, [[Page 82522]] in fact, would have allowed covered entities to disclose the individual's name as part of directory information.
Under the final rule, we also establish provisions for disclosure of directory information to clergy that are slightly different from those which apply for disclosure to the general public. Subject to the individual's right to object or restrict the disclosure, the final rule permits a covered entity to disclose to a member of the clergy: (1) The individual's name; (2) the individual's general condition in terms that do not communicate specific medical information about the individual; (3) the individual's location in the facility; and (4) the individual's religious affiliation. A disclosure of directory information may be made to members of the clergy even if they do not inquire about an individual by name. We note that the rule in no way requires a covered health care provider to inquire about the religious affiliation of an individual, nor must individuals supply that information to the facility. Individuals are free to determine whether they want their religious affiliation disclosed to clergy through facility directories. We believe that allowing clergy to access patient information pursuant to this section does not violate the Establishment Clause of the First Amendment, which prohibits laws ``respecting an establishment of religion.'' Courts traditionally turn to the Lemon test when evaluating laws that might raise Establishment Clause concerns. A law does not violate the Clause if it has a secular purpose, is not primarily to advance religion, and does not cause excessive government entanglement with religion. The privacy regulation passes this test because its purpose is to protect the privacy of individuals--regardless of their religious affiliation--and it does not cause excessive government entanglement. More specifically, although this section provides a special rule for members of the clergy, it does so as an accommodation to patients who seek to engage in religious conduct.
For example, restricting the disclosure of an individual's religious affiliation, room number, and health status to a priest could cause significant delay that would inhibit the ability of a Catholic patient to obtain sacraments provided during the last rites. We believe this accommodation does not violate the Establishment Clause, because it avoids a government-imposed restriction on the disclosure of information that could disproportionately affect the practice of religion. In that way, it is no different from accommodations upheld by the U.S. Supreme Court, such as exceptions to laws banning the use of alcohol in religious ceremonies. The final rule expands the circumstances under which health care facilities can disclose specified health information to the patient directory without the patient's agreement. Besides allowing such disclosures when patients are incapacitated, as the NPRM would have allowed, the final rule allows such disclosures in emergency treatment circumstances. For example, when a patient is conscious and capable of making a decision, but is so seriously injured that asking permission to include his or her information in the directory would delay treatment such that the patient's health would be jeopardized, health facilities can make decisions about including the patient's information in the directory according to the same rules that apply when the patient is incapacitated. The final rule modifies the NPRM requirements for cases in which an incapacitated patient is admitted to a health care facility. 
Whereas the NPRM would have allowed health care providers to disclose an incapacitated patient's information to the facility's directory ``at its discretion and consistent with good medical practice and any prior expressions of preference of which the covered entity [was] aware,'' the final rule states that in these situations (and in other emergency treatment circumstances), covered health care providers must make the decision on whether to include the patient's information in the facility's directory in accordance with professional judgment as to the patient's best interest. In addition, when making decisions involving incapacitated patients and patients in emergency situations, covered health care providers may decide to include some portions of the patient's information (such as name) but not other information (such as location in the facility) in order to protect patient interests. As in the preamble to the NPRM, we encourage covered health care providers to take into account the four factors listed above when making decisions about whether to include patient information in a health care facility's directory when patients are incapacitated or are in an emergency treatment circumstance. In addition, we retain the requirement stated in the preamble of the NPRM that if a covered health care provider learns of an incapacitated patient's prior expression of preference not to be included in a facility's directory, the facility must not include the patient's information in the directory. For cases involving patients admitted to a health care facility in an incapacitated or emergency treatment circumstance who during the course of their stay become capable of decisionmaking, the final rule takes an approach similar to that described in the NPRM. 
The final rule states that, when an individual who was incapacitated or in an emergency treatment circumstance upon admission to an inpatient facility stabilizes such that he or she is capable of decisionmaking, a covered health care provider must, when it becomes practicable, inform the individual about its policies regarding the facility's directory and provide the opportunity to object to the use or disclosure of protected health information about himself or herself for the directory.

Section 164.510(b)--Uses and Disclosures for Involvement in the Individual's Care and Notification Purposes

In cases involving an individual with the capacity to make health care decisions, the NPRM would have allowed covered entities to disclose protected health information about the individual to a next-of-kin, to other family members, or to close personal friends of the individual if the individual had agreed orally to such disclosure. If such agreement could not practicably or reasonably be obtained (e.g., when the individual was incapacitated), the NPRM would have allowed disclosure of protected health information that was directly relevant to the person's involvement in the individual's health care, consistent with good health professional practices and ethics. The NPRM defined next-of-kin as defined under state law. Under the final rule, we specify that covered entities may disclose to a person involved in the current health care of the individual (such as a family member, other relative, close personal friend, or any other person identified by the individual) protected health information directly related to the person's involvement in the current health care of an individual or payment related to the individual's health care. Such persons involved in care and other contact persons might include, for example: blood relatives; spouses; roommates; boyfriends and girlfriends; domestic partners; neighbors; and colleagues.
Inclusion of this list is intended to be illustrative only, and it is not intended to change current practices with respect to: (1) Involvement of other persons in individuals' treatment decisions; (2) informal information-sharing among individuals involved in a person's care; or (3) sharing of protected health [[Page 82523]] information to contact persons during a disaster. The final rule also includes new language stating that covered entities may use or disclose protected health information to notify or assist in notification of family members, personal representatives, or other persons responsible for an individual's care with respect to an individual's location, condition, or death. These provisions allow, for example, covered entities to notify a patient's adult child that his father has suffered a stroke and to tell the person that the father is in the hospital's intensive care unit. The final rule includes separate provisions for situations in which the individual is present and for when the individual is not present at the time of disclosure. When the individual is present and has the capacity to make his or her own decisions, a covered entity may disclose protected health information only if the covered entity: (1) Obtains the individual's agreement to disclose to the third parties involved in their care; (2) provides the individual with an opportunity to object to such disclosure and the individual does not express an objection; or (3) reasonably infers from the circumstances, based on the exercise of professional judgment, that the individual does not object to the disclosure. Situations in which covered providers may infer an individual's agreement to disclose protected health information pursuant to option (3) include, for example, when a patient brings a spouse into the doctor's office when treatment is being discussed, and when a colleague or friend has brought the individual to the emergency room for treatment.
We proposed that when a covered entity could not practicably obtain oral agreement to disclose protected health information to next-of-kin, relatives, or those with a close personal relationship to the individual, the covered entity could make such disclosures consistent with good health professional practice and ethics. In such instances, we proposed that covered entities could disclose only the minimum information necessary for the friend or relative to provide the assistance he or she was providing. For example, health care providers could not disclose to a friend or relative simply driving a patient home from the hospital extensive information about the patient's surgery or past medical history when the friend or relative had no need for this information. The final rule takes a similar approach. Under the final rule, when an individual is not present (for example, when a friend of a patient seeks to pick up the patient's prescription at a pharmacy) or when the opportunity to agree or object to the use or disclosure cannot practicably be provided due to the individual's incapacity or an emergency circumstance, covered entities may, in the exercise of professional judgment, determine whether the disclosure is in the individual's best interests and if so, disclose only the protected health information that is directly relevant to the person's involvement with the individual's health care. For example, this provision allows covered entities to inform relatives or others involved in a patient's care, such as the person who accompanied the individual to the emergency room, that a patient has suffered a heart attack and to provide updates on the patient's progress and prognosis when the patient is incapacitated and unable to make decisions about such disclosures. 
In addition, this section allows covered entities to disclose functional information to individuals assisting in a patient's care; for example, it allows hospital staff to give information about a person's mobility limitations to a friend driving the patient home from the hospital. It also allows covered entities to use professional judgment and experience with common practice to make reasonable inferences of the individual's best interest in allowing a person to act on an individual's behalf to pick up filled prescriptions, medical supplies, X-rays, or other similar forms of protected health information. Thus, under this provision, pharmacists may release a prescription to a patient's friend who is picking up the prescription for him or her. Section 164.510(b) is not intended to disrupt most covered entities' current practices or state law with respect to these types of disclosures. This provision is intended to allow disclosures directly related to a patient's current condition and should not be construed to allow, for example, disclosure of extensive information about the patient's medical history that is not relevant to the patient's current condition and that could prove embarrassing to the patient. In addition, if a covered entity suspects that an incapacitated patient is a victim of domestic violence and that a person seeking information about the patient may have abused the patient, covered entities should not disclose information to the suspected abuser if there is reason to believe that such a disclosure could cause the patient serious harm. In all of these situations regarding possible disclosures of protected health information about a patient who is not present or is unable to agree to such disclosures due to incapacity or other emergency circumstance, disclosures should be in accordance with the exercise of professional judgment as to the patient's best interest.
This section is not intended to provide a loophole for avoiding the rule's other requirements, and it is not intended to allow disclosures to a broad range of individuals, such as journalists who may be curious about a celebrity's health status. Rather, it should be construed narrowly, to allow disclosures to those with the closest relationships with the patient, such as family members, in circumstances when a patient is unable to agree to disclosure of his or her protected health information. Furthermore, when a covered entity cannot practicably obtain an individual's agreement before disclosing protected health information to a relative or to a person involved in the individual's care and is making decisions about such disclosures consistent with the exercise of professional judgment regarding the individual's best interest, covered entities must take into account whether such a disclosure is likely to put the individual at risk of serious harm. Like the NPRM, the final rule does not require covered entities to verify the identity of relatives or other individuals involved in the individual's care. Rather, the individual's act of involving the other persons in his or her care suffices as verification of their identity. For example, the fact that a person brings a family member into the doctor's office when treatment information will be discussed constitutes verification of the involved person's identity for purposes of this rule. Likewise, the fact that a friend arrives at a pharmacy and asks to pick up a specific prescription for an individual effectively verifies that the friend is involved in the individual's care, and the rule allows the pharmacist to give the filled prescription to the friend. 
We also clarify that the final rule does not allow covered entities to assume that an individual's agreement at one point in time to disclose protected health information to a relative or to another person assisting in the individual's care implies agreement to disclose protected health information indefinitely in the future. We encourage the exercise of professional judgment in determining the scope of the person's involvement in the individual's care and the time period for which the individual is agreeing to the other person's involvement. For example, if a friend simply picks up a patient from the hospital but has played no other role [[Page 82524]] in the individual's care, hospital staff should not call the friend to disclose lab test results a month after the initial encounter with the friend. However, if a patient routinely brings a spouse into the doctor's office when treatment is discussed, a physician can infer that the spouse is playing a long-term role in the patient's care, and the rule allows disclosure of protected health information to the spouse consistent with his or her role in the patient's care, for example, discussion of treatment options. The NPRM did not specifically address situations in which disaster relief organizations may seek to obtain protected health information from covered entities to help coordinate the individual's care, or to notify family or friends of an individual's location or general condition in a disaster situation. In the final rule, we account for disaster situations in this paragraph. 
Specifically, we allow covered entities to use or disclose protected health information without individual agreement to federal, state, or local government agencies engaged in disaster relief activities, as well as to private disaster relief or disaster assistance organizations (such as the Red Cross) authorized by law or by their charters to assist in disaster relief efforts, to allow these organizations to carry out their responsibilities in a specific disaster situation. Covered entities may make these disclosures to disaster relief organizations, for example, so that these organizations can help family members, friends, or others involved in the individual's care to locate individuals affected by a disaster and to inform them of the individual's general health condition. This provision also allows disclosure of information to disaster relief or disaster assistance organizations so that these organizations can help individuals obtain needed medical care for injuries or other health conditions caused by a disaster. We encourage disaster relief organizations to protect the privacy of individual health information to the extent practicable in a disaster situation. However, we recognize that the nature of disaster situations often makes it impossible or impracticable for disaster relief organizations and covered entities to seek individual agreement or authorization before disclosing protected health information necessary for providing disaster relief. Thus, we note that we do not intend to impede disaster relief organizations in their critical mission to save lives and reunite loved ones and friends in disaster situations. 
Section 164.512--Uses and Disclosures for Which Consent, an Authorization, or Opportunity To Agree or Object Is Not Required

Introduction

The final rule's requirements regarding disclosures for directory information and to family members or others involved in an individual's care are in a section separate from that covering disclosures allowed for other national priority purposes. In the final rule, we place most of the other disclosures for national priority purposes in a new Sec. 164.512. As in the NPRM, in Sec. 164.512 of the final rule, we allow covered entities to make these national priority uses and disclosures without individual authorization. As in the NPRM, these uses and disclosures are discretionary. Covered entities are free to decide whether or not to use or disclose protected health information for any or all of the permitted categories. However, as in the NPRM, nothing in the final rule provides authority for a covered entity to restrict or refuse to make a use or disclosure mandated by other law. The new Sec. 164.512 includes paragraphs on: Uses and disclosures required by law; uses and disclosures for public health activities; disclosures about victims of abuse, neglect, or domestic violence; uses and disclosures for health oversight activities; disclosures for judicial and administrative proceedings; disclosures for law enforcement purposes; uses and disclosures about decedents; uses and disclosures for cadaveric donation of organs, eyes, or tissues; uses and disclosures for research purposes; uses and disclosures to avert a serious threat to health or safety (which we had called ``emergency circumstances'' in the NPRM); uses and disclosures for specialized government functions (referred to as ``specialized classes'' in the NPRM); and disclosures to comply with workers' compensation laws.
Section 164.512(c) in the final rule, which addresses uses and disclosures regarding adult victims of abuse, neglect and domestic violence, is new, although it incorporates some provisions from proposed Sec. 164.510 of the NPRM. In the final rule we also eliminate proposed Sec. 164.510(g) on government health data systems and proposed Sec. 164.510(i) on banking and payment processes. These changes are discussed below.

Approach to Use of Protected Health Information

Proposed Sec. 164.510 of the NPRM included specific subparagraphs addressing uses of protected health information by covered entities that were also public health agencies, health oversight agencies, government entities conducting judicial or administrative proceedings, or government health data systems. Such covered entities could use protected health information in all instances for which they could disclose the information for these purposes. In the final rule, as discussed below, we retain this language in the paragraphs on public health activities and health oversight. However, we eliminate this clause with respect to uses of protected health information for judicial and administrative proceedings, because we no longer believe that there would be any situations in which a covered entity would also be a judicial or administrative tribunal. Proposed Sec. 164.510(e) of the NPRM, regarding disclosure of protected health information to coroners, did not include such a provision. In the final rule we have added it because we believe there are situations in which a covered entity, for example, a public hospital conducting post-mortem investigations, may need to use protected health information for the same purposes for which it would have disclosed the information to a coroner. While the right to request restrictions under Sec. 164.522 and the consents required under Sec. 164.506 do not apply to the use and disclosure of protected health information under Sec. 164.512, we do not intend to preempt any state or other restrictions, or any right to enforce such agreements or consents under other law. We note that a covered entity may use or disclose protected health information as permitted by and in accordance with one of the paragraphs of Sec. 164.512, regardless of whether that use or disclosure fails to meet the requirements for use or disclosure under a different paragraph in Sec. 164.512 or elsewhere in the rule.

Verification for Disclosures Under Sec. 164.512

In Sec. 164.510(a) of the NPRM, we proposed that covered entities verify the identity and authority of persons to whom they made disclosure under the section. In the final rule, we generally have retained the proposed requirements. Verification requirements are discussed in Sec. 164.514 of the final rule.

Section 164.512(a)--Uses and Disclosures Required by Law

In the NPRM we would have allowed covered entities to use or disclose protected health information without individual authorization where such use or disclosure was required by other law, as long as the use or disclosure met all relevant requirements of such law. However, a legally mandated use or disclosure which fell into one or more of the national priority purposes expressly identified in proposed Sec. 164.510 of the NPRM would have been subject to the terms and conditions specified by the applicable paragraph of proposed Sec. 164.510. Thus, a disclosure required by law would have been allowed only to the extent it was not otherwise prohibited or restricted by another provision in proposed Sec. 164.510. For example, mandatory reporting to law enforcement officials would not have been allowed unless such disclosures conformed to the requirements of proposed Sec. 164.510(f) of the NPRM, on uses and disclosures for law enforcement purposes.
As explained in the NPRM, this provision was not intended to obstruct access to information deemed important enough by federal, state or other government authorities to require it by law. In Sec. 164.512(a) of the final rule, we retain the proposed approach, and we permit covered entities to comply with laws requiring the use or disclosure of protected health information, provided the use or disclosure meets and is limited to the relevant requirements of such other laws. To more clearly address where the substantive and procedural requirements of other provisions in this section apply, we have deleted the general sentence from the NPRM which stated that the provision ``does not apply to uses or disclosures that are covered by paragraphs (b) through (m)'' of proposed Sec. 164.510. Instead, in Sec. 164.512(a)(2) we list the specific paragraphs that have additional requirements with which covered entities must comply. They are disclosures about victims of abuse, neglect or domestic violence (Sec. 164.512(c)), for judicial and administrative proceedings (Sec. 164.512(e)), and for law enforcement purposes (Sec. 164.512(f)). We include a new definition of ``required by law.'' See Sec. 164.501. We clarify that the requirements provided for in Sec. 164.514(h) relating to verification apply to disclosures under this paragraph. Those provisions require covered entities to verify the identity and authority of persons to whom they make disclosures. We note that the minimum necessary requirements of Sec. 164.514(d) do not apply to disclosures made under this paragraph. We note that this rule does not affect what is required by other law, nor does it compel a covered entity to make a use or disclosure of protected health information required by the legal demands or reporting requirements listed in the definition of ``required by law.'' Covered entities will not be sanctioned under this rule for responding in good faith to such legal process and reporting requirements.
However, nothing in this rule affects, either by expanding or contracting, a covered entity's right to challenge such process or reporting requirements under other laws. The only disclosures of protected health information compelled by this rule are disclosures to an individual (or the personal representative of an individual) or to the Secretary for the purposes of enforcing this rule. Uses and disclosures permitted under this paragraph must be limited to the protected health information necessary to meet the requirements of the law that compels the use or disclosure. For example, disclosures pursuant to an administrative subpoena are limited to the protected health information authorized to be disclosed on the face of the subpoena.

Section 164.512(b)--Uses and Disclosures for Public Health Activities

The NPRM would have allowed covered entities to disclose protected health information without individual authorization to: (1) A public health authority authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions; (2) a public health authority or other appropriate authority authorized by law to receive reports of child abuse or neglect; (3) a person or entity other than a governmental authority that could demonstrate or demonstrated that it was acting to comply with requirements or direction of a public health authority; or (4) a person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition and was authorized by law to be notified as necessary in the conduct of a public health intervention or investigation. In the final rule, we broaden the scope of permissible disclosures pursuant to item (1) listed above.
We narrow the scope of disclosures permissible under item (3) of this list, and we add language to clarify the scope of permissible disclosures with respect to item (4) on the list. We broaden the scope of allowable disclosures regarding item (1) by allowing covered entities to disclose protected health information not only to U.S. public health authorities but also, at the direction of a public health authority, to an official of a foreign government agency that is acting in collaboration with a public health authority. For example, we allow covered entities to disclose protected health information to a foreign government agency that is collaborating with the Centers for Disease Control and Prevention to limit the spread of infectious disease. We narrow the conditions under which covered entities may disclose protected health information to non-government entities. We allow covered entities to disclose protected health information to a person subject to the FDA's jurisdiction, for the following activities: to report adverse events (or similar reports with respect to food or dietary supplements), product defects or problems, or biological product deviations, if the disclosure is made to the person required or directed to report such information to the FDA; to track products if the disclosure is made to a person required or directed by the FDA to track the product; to enable product recalls, repairs, or replacement, including locating and notifying individuals who have received products regarding product recalls, withdrawals, or other problems; or to conduct post-marketing surveillance to comply with requirements or at the direction of the FDA. The terms included in Sec. 164.512(b)(iii) are intended to have both their commonly understood meanings, as well as any specialized meanings, pursuant to the Food, Drug, and Cosmetic Act (21 U.S.C. 321 et seq.) or the Public Health Service Act (42 U.S.C. 201 et seq.). 
For example, ``post-marketing surveillance'' is intended to mean activities related to determining the safety or effectiveness of a product after it has been approved and is in commercial distribution, as well as certain Phase IV (post-approval) commitments by pharmaceutical companies. With respect to devices, ``post-marketing surveillance'' can be construed to refer to requirements of section 522 of the Food, Drug, and Cosmetic Act regarding certain implanted, life-sustaining, or life-supporting devices. The term ``track'' includes, for example, tracking devices under section 519(e) of the Food, Drug, and Cosmetic Act, units of blood or other blood products, as well as trace-backs of contaminated food. In Sec. 164.512(b)(iii), the term ``required'' refers to requirements in statute, regulation, order, or other legally binding authority exercised by the FDA. The term ``directed,'' as used in this section, includes other official agency communications such as guidance documents. We note that under this provision, a covered entity may disclose protected health information to a non-governmental organization without individual authorization for inclusion in a private data base or registry only if the disclosure is otherwise for one of the purposes described in this provision (e.g., for tracking products pursuant to FDA direction or requirements, or for post-marketing surveillance to comply with FDA requirements or direction). To make a disclosure that is not for one of these activities, covered entities must obtain individual authorization or must meet the requirements of another provision of this rule. For example, covered entities may disclose protected health information to employers for inclusion in a workplace surveillance database only: with individual authorization; if the disclosure is required by law; if the disclosure meets the requirements of Sec.
164.512(b)(v); or if the disclosure meets the conditions of another provision of this regulation, such as Sec. 154.512(i) relating to research. Similarly, if a pharmaceutical company seeks to create a registry containing protected health information about individuals who had taken a drug that the pharmaceutical company had developed, covered entities may disclose protected health information without authorization to the pharmaceutical company pursuant to FDA requirements or direction. If the pharmaceutical company's registry is not for any of these purposes, covered entities may disclose protected health information to it only with patient authorization, if required by law, or if disclosure meets the conditions of another provision of this rule. The final rule continues to permit covered entities to disclose protected health information without individual authorization directly to public health authorities, such as the Food and Drug Administration, the Occupational Safety and Health Administration, the Centers for Disease Control and Prevention, as well as state and local public health departments, for public health purposes as specified in the NPRM. The final rule retains the NPRM provision allowing covered entities to disclose protected health information to public health authorities or other appropriate government authorities authorized by law to receive reports of child abuse or neglect. In addition, we clarify the NPRM's provision regarding disclosure of protected health information to persons who may have been exposed to a communicable disease or who may otherwise be at risk of contracting or spreading a disease or condition. Under the final rule, covered entities may disclose protected health information to such individuals when the covered entity or public health authority is authorized by law to notify these individuals as necessary in the conduct of a public health intervention or investigation. 
In addition, as in the NPRM, under the final rule, a covered entity that is acting as a public health authority--for example, a public hospital conducting infectious disease surveillance in its role as an arm of the public health department--may use protected health information in all cases for which it is allowed to disclose such information for public health activities as described above. The proposed rule did not contain a specific provision relating to disclosures by covered health care providers to employers concerning work-related injuries or illnesses or workplace medical surveillance. Under the proposed rule, a covered entity would have been permitted to disclose protected health information without individual authorization for public health purposes to a private person if the person could demonstrate that it was acting to comply with requirements or at the direction of a public health authority. As discussed above, in the final rule we narrow the scope of this paragraph as it applies to disclosures to persons other than public health authorities. To ensure that covered health care providers may make disclosures of protected health information without individual authorization to employers when appropriate under federal and state laws addressing work-related injuries and illnesses or workplace medical surveillance, we include a new provision in the final rule. The provision permits covered health care providers who provide health care as a workforce member of or at the request of an employer to disclose to that employer protected health information concerning work-related injuries or illnesses or workplace medical surveillance in situations where the employer has a duty under the Occupational Safety and Health Act, the Federal Mine Safety and Health Act, or under a similar state law, to keep records on or act on such information.
For example, OSHA regulations in 29 CFR part 1904 require employers to record work-related injuries and illnesses if medical treatment is necessary; MSHA regulations at 30 CFR part 50 require mine operators to report injuries and illnesses experienced by miners. Similarly, OSHA rules require employers to monitor employees' exposure to certain substances and to remove employees from exposure when toxic thresholds have been met. To obtain the relevant health information necessary to determine whether an injury or illness should be recorded, or whether an employee must be medically removed from exposure at work, employers must refer employees to health care providers for examination and testing. OSHA and MSHA rules do not impose duties directly upon health care providers to disclose health information pertaining to recordkeeping and medical monitoring requirements to employers. Rather, these rules operate on the presumption that health care providers who provide services at the request of an employer will be able to disclose to the employer work-related health information necessary for the employer to fulfill its compliance obligations. This new provision permits covered entities to make disclosures necessary for the effective functioning of OSHA and MSHA requirements, or those of similar state laws, by permitting a health care provider to make disclosures without the authorization of the individual concerning work-related injuries or illnesses or workplace medical surveillance in situations where the employer has a duty under OSHA and MSHA requirements, or under a similar state law, to keep records on or act on such information. We require health care providers who make disclosures to employers under this provision to provide notice to individuals that they disclose protected health information to employers relating to the medical surveillance of the workplace and work-related illnesses and injuries.
The notice required under this provision is separate from the notice required under Sec. 164.520. The notice required under this provision may be met by giving a copy of the notice to the individual at the time the provider provides the health care services, or, if the health care services are provided on the work site of the employer, by posting the notice in a prominent place at the location where the health care services are provided. This provision applies only when a covered health care provider provides health care services as a workforce member of or at the request of an employer and for the purposes discussed above. The provision does not affect the application of this rule to other health care provided to individuals or to their relationship with health care providers that they select.

Section 164.512(c)--Disclosures About Victims of Abuse, Neglect or Domestic Violence

The NPRM included two provisions related to disclosures about persons who are victims of abuse. In the NPRM, we would have allowed covered entities to report child abuse to a public health authority or other appropriate authority authorized by law to receive reports of child abuse or neglect. In addition, under proposed Sec. 164.510(f)(3) of the NPRM, we would have allowed covered entities to disclose protected health information about a victim of a crime, abuse or other harm to a law enforcement official under certain circumstances. The NPRM recognized that most, if not all, states had laws that mandated reporting of child abuse or neglect to the appropriate authorities. Moreover, HIPAA expressly carved out state laws on child abuse and neglect from preemption or any other interference. The NPRM further acknowledged that most, but not all, states had laws mandating the reporting of abuse, neglect or exploitation of the elderly or other vulnerable adults. We did not intend to impede reporting in compliance with these laws. The final rule includes a new paragraph, Sec. 164.512(c), which allows covered entities to report protected health information to specified authorities in abuse situations other than those involving child abuse and neglect. In the final rule, disclosures of protected health information related to child abuse continue to be addressed in the paragraph allowing disclosure for public health activities (Sec. 164.512(b)), as described above. Because HIPAA addresses child abuse specifically in connection with a state's public health activities, we believe it would not be appropriate to include child abuse-related disclosures in this separate paragraph on abuse. State laws continue to apply with respect to child abuse, and the final rule does not in any way interfere with a covered entity's ability to comply with these laws. In the final rule, we address disclosures about other victims of abuse, neglect and domestic violence in Sec. 164.512(c) rather than in the law enforcement paragraph. Section 164.512(c) establishes conditions for disclosure of protected health information in cases involving domestic violence other than child abuse (e.g., spousal abuse), as well as those involving abuse or neglect (e.g., abuse of nursing home residents or residents of facilities for the mentally retarded). This paragraph addresses reports to law enforcement as well as to other authorized public officials. The provisions of this paragraph supersede the provisions of Sec. 164.512(a) and Sec. 164.512(f)(1)(i) to the extent that those provisions address the subject matter of this paragraph. Under the circumstances described below, the final rule allows covered entities to disclose protected health information about an individual whom the covered entity reasonably believes to be a victim of abuse, neglect, or domestic violence. In this paragraph, references to ``individual'' should be construed to mean the individual believed to be the victim.
The rule allows such disclosure to any governmental authority authorized by law to receive reports of such abuse, neglect, or domestic violence. These entities may include, for example, adult protective or social services agencies, state survey and certification agencies, ombudsmen for the aging or those in long-term care facilities, and law enforcement or oversight. The final rule specifies three circumstances in which disclosures of protected health information are allowed in order to report abuse, neglect or domestic violence. First, this paragraph allows disclosure of protected health information related to abuse if required by law and the disclosure complies with and is limited to the relevant requirements of such law. As discussed below, the final rule requires covered entities that make such disclosures pursuant to a state's mandatory reporting law to inform the individual of the report. Second, this paragraph allows covered entities to disclose protected health information related to abuse if the individual has agreed to such disclosure. When considering the possibility of disclosing protected health information in an abuse situation pursuant to this section, we encourage covered entities to seek the individual's agreement whenever possible.
Third, this paragraph allows covered entities to disclose protected health information about an individual without the individual's agreement if the disclosure is expressly authorized by statute or regulation and either: (1) The covered entity, in the exercise of its professional judgment, believes that the disclosure is necessary to prevent serious harm to the individual or to other potential victims; or (2) if the individual is unable to agree due to incapacity, a law enforcement or other public official authorized to receive the report represents that the protected health information for which disclosure is sought is not intended to be used against the individual, and that an immediate enforcement activity that depends on the disclosure would be materially and adversely affected by waiting until the individual is able to agree to the disclosure. We emphasize that disclosure under this third part of the paragraph also may be made only if it is expressly authorized by statute or regulation. We use this formulation, rather than the broader ``required by law,'' because of the heightened privacy and safety concerns in these situations. We believe it appropriate to defer to other public determinations regarding reporting of this information only where a legislative or executive body has determined the reporting to be of sufficient importance to warrant enactment of a law or promulgation of a regulation. Laws and regulations reflect a clear decision to authorize the particular disclosure of protected health information, and reflect greater public accountability (e.g., through the required public comment process or because enacted by elected representatives). For example, a Wisconsin law (Wis. Stat. Sec. 46.90(4)) states that any person may report to a county agency or state official that he or she believes that abuse or neglect has occurred. Pursuant to Sec.
164.512(c)(1)(iii), a covered entity may make a report only if the specific type or subject matter of the report (e.g., abuse or neglect of the elderly) is included in the law authorizing the report, and such a disclosure may only be made to a public authority specifically identified in the law authorizing the report. Furthermore, we note that disclosures under this part of the paragraph are further limited to two circumstances. In the first case, a covered entity, in the exercise of professional judgment, must believe that the disclosure is necessary to prevent serious harm to the individual or to other potential victims. The second case addresses situations in which an individual who is a victim of abuse, neglect or domestic violence is unable to agree due to incapacity and a law enforcement or other public official authorized to receive the report represents that the protected health information for which disclosure is sought is not intended to be used against the individual and that an immediate law enforcement activity that depends on the disclosure would be materially and adversely affected by waiting