NPRM: Standards for Privacy of Individually Identifiable Health Information. § 164.508 Uses and disclosures for which individual authorization is required.

11/03/1999

(a) Standard. An authorization executed in accordance with this section is required in order for the covered entity to use or disclose protected health information in the following situations:

(1) Request by individual. Where the individual requests the covered entity to use or disclose the information.

(2) Request by covered entity.

(i) Where the covered entity requests the individual to authorize the use or disclosure of the information. The covered entity must request and obtain an authorization from the individual for all uses and disclosures that are not:

(A) Except as provided in paragraph (a)(3) of this section, compatible with or directly related to treatment, payment, or health care operations;

(B) Covered by § 164.510;

(C) Covered by paragraph (a)(1) of this section; or

(D) Required by this subpart.

(ii) Uses and disclosures of protected health information for which individual authorization is required include, but are not limited to, the following:

(A) Use for marketing of health and non-health items and services by the covered entity;

(B) Disclosure by sale, rental, or barter;

(C) Use and disclosure to non-health related divisions of the covered entity, e.g., for use in marketing life or casualty insurance or banking services;

(D) Disclosure, prior to an individual’s enrollment in a health plan, to the health plan or health care provider for making eligibility or enrollment determinations relating to the individual or for underwriting or risk rating determinations;

(E) Disclosure to an employer for use in employment determinations; and

(F) Use or disclosure for fundraising purposes.

(iii) A covered entity may not condition the provision to an individual of treatment or payment on the provision by the individual of a requested authorization for use or disclosure, except where the authorization is requested in connection with a clinical trial.

(iv) Except where required by law, a covered entity may not require an individual to sign an authorization for use or disclosure of protected health information for treatment, payment, or health care operations purposes.

(3) Authorization required: special cases.

(i) Except as otherwise required by this subpart or permitted under § 164.510, a covered entity must obtain the authorization of the individual for the following uses and disclosures of protected health information about the individual:

(A) Use by a person other than the creator, or disclosure, of psychotherapy notes; and

(B) Use or disclosure of research information unrelated to treatment.

(ii) The requirements of paragraphs (b) through (e) of this section apply to such authorizations, as appropriate.

(iii) A covered entity may not condition treatment, enrollment in a health plan, or payment on a requirement that the individual authorize use or disclosure of psychotherapy notes relating to the individual.

(iv) For purposes of this section:

(A) Psychotherapy notes means notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session. For purposes of this definition, “psychotherapy notes” excludes medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis and progress to date.

(B) Research information unrelated to treatment means health information that is received or created by a covered entity in the course of conducting research, for which there is insufficient scientific and medical evidence regarding the validity or utility of the information such that it should not be used for the purpose of providing health care, and with respect to which the covered entity has not requested payment from a third party payor.

(b) General implementation specifications for authorizations.

(1) General requirements. A copy of the model form which appears in Appendix A hereto, or a document that contains the elements listed in paragraphs (c) or (d) of this section, as applicable, must be accepted by the covered entity.

(2) Defective authorizations. There is no “authorization” within the meaning of this section, if the submitted form has any of the following defects:

(i) The expiration date has passed;

(ii) The form has not been filled out completely;

(iii) The authorization is known by the covered entity to have been revoked;

(iv) The form lacks an element required by paragraph (c) or (d) of this section, as applicable;

(v) The information on the form is known by the covered entity to be false.

(3) Compound authorizations. Except where authorization is requested in connection with a clinical trial, an authorization for use or disclosure of protected health information for purposes other than treatment or payment may not be in the same document as an authorization for or consent to treatment or payment.

(c) Implementation specifications for authorizations requested by an individual.

(1) Required elements. Before a covered entity may use or disclose protected health information of an individual pursuant to a request from the individual, it must obtain a completed authorization for use or disclosure executed by the individual that contains at least the following elements:

(i) A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion;

(ii) The name of the covered entity, or class of entities or persons, authorized to make the requested use or disclosure;

(iii) The name or other specific identification of the person(s) or entity(ies), which may include the covered entity itself, to whom the covered entity may make the requested use or disclosure;

(iv) An expiration date;

(v) Signature and date;

(vi) If the authorization is executed by a legal representative or other person authorized to act for the individual, a description of his or her authority to act or relationship to the individual;

(vii) A statement in which the individual acknowledges that he or she has the right to revoke the authorization, except to the extent that information has already been released under the authorization; and

(viii) A statement in which the individual acknowledges that information used or disclosed to any entity other than a health plan or health care provider may no longer be protected by the federal privacy law.

(2) Plain language requirement. The model form at Appendix A to this subpart may be used. If the model form at Appendix A to this subpart is not used, the authorization form must be written in plain language.

(d) Implementation specifications for authorizations for uses and disclosures requested by covered entities.

(1) Required elements. Before a covered entity may use or disclose protected health information of an individual pursuant to a request that it has made, it must obtain a completed authorization for use or disclosure executed by the individual that meets the requirements of paragraph (c) of this section and contains the following additional elements:

(i) Except where the authorization is requested for a clinical trial, a statement that it will not condition treatment or payment on the individual’s providing authorization for the requested use or disclosure;

(ii) A description of the purpose(s) of the requested use or disclosure;

(iii) A statement that the individual may:

(A) Inspect or copy the protected health information to be used or disclosed as provided in § 164.514; and

(B) Refuse to sign the authorization; and

(iv) Where use or disclosure of the requested information will result in financial gain to the entity, a statement that such gain will result.

(2) Required procedures. In requesting authorization from an individual under this paragraph, a covered entity must:

(i) Have procedures designed to enable it to request only the minimum amount of protected health information necessary to accomplish the purpose for which the request is made; and

(ii) Provide the individual with a copy of the executed authorization.

(e) Revocation of authorizations. An individual may revoke an authorization to use or disclose his or her protected health information at any time, except to the extent that the covered entity has taken action in reliance thereon.