Confidentiality of Individually Identifiable Health Information. D. Disclosures Authorized by the Patient

09/11/1997

We recommend that providers and payers, and those receiving information under the provisions of the legislation without patient authorization, be permitted to disclose information pursuant to the authorization of a patient under the following conditions:

-- the authorization is in writing, is dated, and is signed or otherwise authenticated;

-- the authorization states an expiration date, or event, and is received by that date or event;

-- the authorization specifies the information to be disclosed;

-- the authorization specifies the entity or entities which are to disclose the information;

-- the authorization specifies the person or persons to receive the information;

-- the authorization states that the patient has received a statement of the intended use of the information by the recipient; and

-- the authorization is not on the same form on which a patient consents to health care, and states that treatment, coverage, and payment are not conditioned on the patient's authorization to disclose, unless the disclosure is necessary for treatment, coverage, or payment.

We recommend that a person who requests a patient to authorize disclosure of health information be required to give the patient a copy of the authorization.

We recommend that a patient be permitted to revoke an authorization to disclose information except to the extent that action has been taken in reliance on the authorization.

We recommend that entities disclosing information pursuant to an authorization be required to retain a copy of the authorization, and a record of the disclosure.

The ability to control use and disclosure of information is central to fair information practices, and we recommend requirements to ensure that the patient understands the nature of the disclosure being authorized, and to ensure that there is adequate specificity to the patient's authorization, and to ensure that authorizations do not become general permissions for unrelated disclosures.

The required signature may be an electronic authentication.

To assist in preparing these authorizations, the Federal agencies should be authorized to publish model authorization forms and model statements of intended uses (see below, IMPLEMENTATION).

2. DISCLOSURE WITH PATIENT AUTHORIZATION: EXPLANATION, AGREEMENT, AND REMEDY

We recommend that a person who requests a patient to authorize disclosure of health information be required to provide a statement for retention by the patient, not on the same form as the authorization, specifying the purposes for which the information is sought and the uses and disclosures to be made of it.

We recommend that use or disclosure of the health information inconsistent with the statement be the basis for a civil action for damages.

This recommendation is intended to provide patient control in the many situations in which patients authorize others to receive health information about themselves. It addresses information that moves beyond the direct scope of the law we recommend.

These disclosures are made for many reasons. Applicants for life or disability insurance authorize providers to disclose existing information about themselves, and are informed by the insurer how the information will be used, including, for example, for reports to the Medical Information Bureau, a clearing house of information about life and disability insurance applicants to detect fraudulent applications.

Claimants in liability situations authorize their providers to send information to liability insurers to show the extent of their injuries. In cases which move to litigation, a plaintiff will typically authorize an attorney to receive medical records and transmit them to medical consultants for review, and then to the defendant's insurer, to show the extent of the plaintiff's injury.

Patients may authorize disclosure of health information when receiving other services, such as social services. Disability determinations in the disability program under the Social Security Act are dependent on the patient's offering evidence of his or her health condition. People may authorize disclosure of their information for suitability investigations by government agencies, or for employment or assignment determinations.

Legislation cannot address all the possible uses of health information by the great variety of persons and organizations that may receive it pursuant to patient authorization. Nonetheless, patients properly expect fair treatment of this information, and should be able to enforce that expectation. This information, obtained as it is from the health care setting, retains its sensitivity, and should be protected in a legally enforceable way. Collection of damages for use inconsistent with the stated purpose is the recommended enforcement mechanism.

This recommendation provides that protection by permitting the patient to enforce the agreement the patient and the recipient make.

The recipient may choose to promise essentially no confidential treatment, or may choose to specify, in general or in particular, how the information may be used. In some instances, other law will govern how the information may be further used (as in some collections of health information by government agencies), and that law would define the recipient's promises to the patient. The patient may be able to take these promises into account in deciding whether to disclose information in a particular instance.

To assist in developing such agreements, the Federal agencies should be authorized to prepare model authorization forms and model statements of intended uses (see below, IMPLEMENTATION).

This recommendation would implement one of the Principles for Providing and Using Personal Information (discussed above in EXPLANATION OF INFORMATION PRACTICES), formulated by the Privacy Working Group of the President's Information Infrastructure Task Force:

III.C. Redress Principle
Individuals should, as appropriate, have a means of redress if harmed by an improper disclosure or use of personal information.

The President's statement on the Global Information Infrastructure, A Framework for Global Electronic Commerce (June 1997), in its discussion of privacy, reiterates this point:

Under these principles, consumers are entitled to redress if they are harmed by improper use or disclosure of personal information or if decisions are based on inaccurate, outdated, incomplete, or irrelevant personal information.

3. DISCLOSURE WITH PATIENT AUTHORIZATION: PROHIBITION ON REQUIREMENTS TO AUTHORIZE DISCLOSURE

We recommend that providers be forbidden to condition treatment on the patient's authorization to disclose health information, unless the disclosure is necessary for a health care or payment purpose.

We recommend that payers be forbidden to condition coverage or payment on the patient's authorization to disclose health information, unless the disclosure is necessary for a health care or payment purpose.

We recommend that providers and payers be required, when requesting an authorization to disclose information for purposes other than health care or payment, to advise patients that treatment, coverage, and payment are not conditioned on the patient's authorization to disclose.

We recommend this requirement so that providers and payers cannot require patients to authorize disclosure of health information as a condition of treatment, coverage, or payment unless the disclosure is actually necessary for those purposes. Such demands could nullify the legislation's controls on disclosure of information. If needed benefits or services are not available unless the patient consents to disclose information, patients could be unfairly compelled to permit disclosures beyond those permitted by the legislation.

A patient seeking care or payment should be informed that he or she can resist a request for an authorization. It is important that the authorization clearly state that the patient will receive the same treatment, coverage, or payment, whether or not the authorization is signed (DISCLOSURE WITH PATIENT AUTHORIZATION: AUTHORIZATION CONTENT, above).

This requirement should not interfere with health care or the normal operation of the payment system. Patients may properly be required to make available information necessary to treat them, or for reimbursement. Likewise, where such requests are not forbidden by other law, patients could be asked to disclose information about past health history for underwriting purposes. Patients could be asked to authorize disclosure for purposes other than health care or payment, like marketing, as long as treatment, coverage or payment is available whether or not the patient authorizes the disclosure.

This recommendation is not intended to prevent researchers from requiring subjects to agree to disclosures necessary for participation in a clinical trial. Research subjects are often asked to consent to disclosure of their past health history, as well as to permit information generated in the trial to be reviewed by sponsoring and oversight agencies. These disclosures are integral to the operation of clinical trials, and the legislation should permit such conditions.