NPRM: Standards for Privacy of Individually Identifiable Health Information. § 164.508 Standards and implementation specifications for uses and disclosures for which individual authorization would be required.


Pursuant to the conditions set forth in this section, a covered entity would need to obtain a written request from an individual before it uses or discloses protected health information of an individual. A copy of the model form which appears in the Appendix to subpart E of part 164, or a form that contains the elements listed in paragraphs (c) or (d) of this section, as applicable, would need to be accepted by the covered entity.

The burden associated with these proposed requirements is the time and effort necessary for a covered entity to obtain written authorization prior to the disclosure of identifiable information. It is estimated that it will take 890,269 entities a range of 0 to 80 hours per entity to obtain and maintain authorization documentation on an annual basis. Given that we believe the majority of the covered entities will be minimally affected by this requirement, we estimate the annual average burden per entity to be 4 hours, for a total annual burden of 3,561,076 hours. Collecting such authorization should have costs on the order of those associated with providing access to records (not on a per page basis). Since the proposed requirement does not apply to treatment and payment, an assumption of 1% of the 543 million health care encounters might be reasonable. At a cost of about $10 each, the aggregate cost would be about $54 million. Therefore, on average the cost per entity would be about $60, with many entities receiving no requests and thus having no costs.