NRPM: Standards for Privacy of Individually Identifiable Health Information. 1. Requirements when the individual has initiated the authorization.

11/03/1999

We are proposing several requirements that would have to be met in the authorization process when the individual has initiated the authorization.

The authorization would have to include a description of the information to be used or disclosed with sufficient specificity to allow the covered entity to know to which information the authorization references. For example, the authorization could include a description of “laboratory results from July 1998” or “all laboratory results” or “results of MRI performed in July 1998.” The covered entity would then use or disclose that information and only that information. If the covered entity does not understand what information is covered by the authorization, the use or disclosure would not be permitted unless the covered entity were able to clarify the request.

We are proposing no limitations on the information to be disclosed. If an individual wishes to authorize a covered entity to disclose his or her entire medical record, the authorization could so specify. But in order for the covered entity to disclose the entire medical record, the authorization would have be specific enough to ensure that individuals have a clear understanding of what information is to be disclosed under the circumstances. For example, if the Social Security Administration seeks authorization for release of all health information to facilitate the processing of benefit applications, then the description would need to specify “all health information.”

We would note that our proposal does not require a covered entity to disclose information pursuant to an individual's authorization. Therefore individuals may face reluctance on the part of covered entities that receive authorizations requiring them to classify and selectively disclose information when they do not benefit from the activity. Individuals would need to consider this when specifying the information in the authorization. Covered entities may respond to requests to analyze and separate information for selective disclosure by providing the entire record to the individual, who may then redact and release the information to others.

We do not propose to require an authorization initiated by an individual to state a purpose. When the individual has initiated the authorization, the entity would not need to know why he or she wants the information disclosed. Ideally, anyone asking an individual to authorize release of individually identifiable health information would indicate the purpose and the intended uses. We are unable to impose requirements on the many entities that make such requests, and it would not be feasible to ask covered entities to make judgments about intended uses of records that are disclosed. In the absence of legal controls in this situation, the prudent individual would obtain a clear understanding of why the requester needs the information and how it would be used.

We are proposing that the authorization would be required to identify sufficiently the covered entity or covered entities that would be authorized to use or disclose the protected health information by the authorization. Additionally, the authorization would be required to identify the person or persons that would be authorized to use or receive the protected health information with sufficient specificity to reasonably permit a covered entity responding to the authorization to identify the authorized user or recipient. When an authorization permits a class of covered entities to disclose information to an authorized person, each covered entity would need to know with reasonable certainty that the individual intended for it to release protected health information under the authorization.

Often, individuals provide authorizations to third parties, who present them to one or more covered entities. For example, an authorization could be completed by an individual and provided to a government agency, authorizing the agency to receive medical information from any health care provider that has treated the individual within a defined period. Such an authorization would be permissible (subject to the other requirements of this part) if it sufficiently identifies the government entity as the recipient of the disclosures and it sufficiently identifies the health care providers who would be authorized to release the individual’s protected health information under the authorization.

We are proposing that the authorization must state a specific expiration date. We considered providing an alternative way of describing the termination of the authorization, such as “the conclusion of the clinical trial,” or “upon acceptance or denial of this application for life insurance” (an “event”), but we are concerned that covered entities could have difficulty implementing such an approach. We also considered proposing that if an expiration date were indicated on the authorization, it be no more than two or three years after the date of the signature. We are soliciting comment on whether an event can be a termination specification, and whether this proposed rule should permit covered entities to honor authorizations with “unlimited” or extremely lengthy expiration dates or limit it to a set term of years, such as two or three years.

We are proposing that the authorization include a signature or other authentication (e.g., electronic signature) and the date of the signature. If the authorization is signed by an individual other than the subject of the information to be disclosed, that individual would have to indicate his or her authority or relationship with the subject.

The authorization would also be required to include a statement that the individual understands that he or she may revoke an authorization except to the extent that action has been taken in reliance on the authorization.

When an individual authorizes disclosure of health information to other than a covered entity, the information would no longer be protected under this regulation once it leaves the covered entity. Therefore, we propose that the authorization must clearly state that the individual understands that when the information is disclosed to anyone except a covered entity, it would no longer be protected this regulation.

We understand that the requirements that we are imposing here would make it quite unlikely that an individual could actually initiate a completed authorization, because few individuals would know to include all of these elements in a request for information. We understand that in most instances, individuals accomplish authorizations for release of health records by completing a form provided by another party, either the ultimate recipient of the records (who may have a form authorizing them to request the records from the record holders) or a health care provider or health plan holding the records (who may have a form that documents a request for the release of records to a third party). For this reason, we do not believe that our proposal would create substantial new burdens on individuals or covered entities in cases when an individual is initiating an authorized release of information. We invite comment on whether we are placing new burdens on individuals or covered entities. We also invite comment on whether the approach that we have proposed provides sufficient protection to individuals who seek to have their protected health information used or disclosed.