NPRM: Standards for Privacy of Individually Identifiable Health Information. 2. Requirements when the covered entity initiates the authorization.


We are proposing that when covered entities initiate the authorization by asking individuals to authorize disclosure, the authorization be required to include all of the items required above as well as several additional items. We are proposing additional requirements when covered entities initiate the request for authorization because in many cases it could be the covered entity, and not the individual, that achieves the primary benefit of the disclosure. We considered permitting covered entities to request authorizations with only the basic features proposed for authorizations initiated by the individual, for the sake of simplicity and consistency. However, we believe that additional protections would be merited when the entity that provides or pays for health care requests an authorization, to avert possible coercion.

When a covered entity asks an individual to sign an authorization, we propose to require that it provide on the authorization a statement that identifies the purposes for which the information is sought as well as the proposed uses and disclosures of that information. The required statements of purpose would provide individuals with the facts they need to make an informed decision as to whether to allow release of the information. Covered entities and their business partners would be bound by the statements provided on the authorization, and use or disclosure by the covered entity inconsistent with the statement would constitute a violation of this regulation. We recognize that the covered entities cannot know or control uses and disclosures that will be made by persons who are not business partners to whom the information is properly disclosed. As discussed above, authorizations would need to notify individuals that when the information is disclosed to anyone except a covered entity, it would no longer be protected under this regulation.

We propose to require that authorizations requested by covered entities be narrowly tailored to authorize use or disclosure of only the protected health information necessary to accomplish the purpose specified in the authorization. The request would be subject to the minimum necessary requirement as discussed in section II.C.2. We would prohibit the use of broad or blanket authorizations requesting the use or disclosure of protected health information for a wide range of purposes. Both the information that would be used or disclosed and the specific purposes for such uses or disclosures would need to be specified in the notice.

We are proposing that when covered entities ask individuals to authorize use or disclosure for purposes other than for treatment, payment, or health care operations, they be required to advise individuals that they may inspect or copy the information to be used or disclosed as provided in proposed § 164.514, that they may refuse to sign the authorization, and that treatment and payment could not be conditioned on the patient’s authorization. For example, a request for authorization to use or disclose protected health information for marketing purposes would need to clearly state that the individual’s decision would have no influence on his or her health care treatment or payment. In addition, we are proposing that when a covered entity requests an authorization, it must provide the individual with a copy of the signed authorization form.

Finally, we are proposing that when the covered entity initiates the authorization and the covered entity would be receiving financial or in-kind compensation in exchange for using or disclosing the health information, the authorization would include a statement that the disclosure would result in commercial gain to the covered entity. For example, a health plan may wish to sell or rent its enrollee mailing list. A pharmaceutical company may offer a provider a discount on its products if the provider can obtain authorization to disclose the demographic information of patients with certain diagnoses so that the company can market new drugs to them directly. A pharmaceutical company could pay a pharmacy to send marketing information to individuals on its behalf. Each such case would require a statement that the requesting entity will gain financially from the disclosure.

We considered requiring a contract between the provider and the pharmaceutical company in this type of arrangement, because such a contract could enhance protections and enforcement options against entities who violate these rules. A contract also would provide covered entities a basis to enforce any limits on further use or disclosures by authorized recipients. Although we are not proposing this approach now, we are soliciting comment on how best to protect the interests of the patient when the authorization for use or disclosure would result in commercial gain to the covered entity.