NPRM: Standards for Privacy of Individually Identifiable Health Information. 3. Use and disclosure for treatment, payment, and health care operations. (§ 164.506(a))


We are proposing that, subject to limited exceptions for psychotherapy notes and research information unrelated to treatment discussed below, a covered entity be permitted to use or disclose protected health information without individual authorization for treatment, payment or health care operations.

We are not proposing to require individual authorizations of uses and disclosures for health care and related purposes, although such authorizations are routinely gathered today as a condition of obtaining health care or enrolling in a health plan. Although many current disclosures of health information are made pursuant to individual authorizations, these authorizations provide individuals with little actual control over their health information. When an individual is required to sign a blanket authorization at the point of receiving care or enrolling for coverage, that consent is often not voluntary because the individual must sign the form as a condition of treatment or payment for treatment. Individuals are also often asked to sign broad authorizations but are provided little or no information about how their health information would be or will in fact be used. Individuals cannot make a truly informed decision without knowing all the possible uses, disclosures and re-disclosures to which their information will be subject. In addition, since the authorization usually precedes creation of the record, the individual cannot predict all the information the record could contain and therefore cannot make an informed decision as to what would be released.

Our proposal is intended to make the exchange of protected health information relatively easy for health care purposes and more difficult for purposes other than health care. For individuals, health care treatment and payment are the core functions of the health care system. This is what they expect their health information will be used for when they seek medical care and present their proof of insurance to the provider. Consistent with this expectation, we considered requiring a separate individual authorization for every use or disclosure of information but rejected such an approach because it would not be realistic in an increasingly integrated health care system. For example, a requirement for separate patient authorization for each routine referral could impair care, by delaying consultation and referral as well as payment.

We therefore propose that covered entities be permitted to use and disclose protected health information without individual authorization for treatment and payment purposes, and for related purposes that we have defined as health care operations. For example, providers could maintain and refer to a medical record, disclose information to other providers or persons as necessary for consultation about diagnosis or treatment, and disclose information as part of referrals to other providers. Providers also could use a patient’s protected health information for payment purposes such as submitting a claim to a payer. In addition, providers could use a patient’s protected health information for health care operations, such as use for an internal quality oversight review. We would note that, in the case of an individual where the provider has agreed to restrictions on use or disclosure of the patient’s protected health information, the provider would be bound by such restrictions as provided in § 164.506(c).

We also propose to prohibit covered entities from seeking individual authorization for uses and disclosures for treatment, payment and health care operations unless required by State or other applicable law. As discussed above in section II.C, such authorizations could not provide meaningful privacy protections or individual control and could in fact cultivate in individuals erroneous understandings of their rights and protections.

The general approach that we are proposing is not new. Some existing State health confidentiality laws permit disclosures without individual authorization to other health care providers treating the individual, and the Uniform Health-Care Information Act permits disclosure “to a person who is providing health-care to the patient” (9 Part I, U.L.A. 475, 2-104 (1988 and Supp. 1998)). We believe that this approach would be the most realistic way to protect individual confidentiality in an increasingly data-driven, electronic and integrated health care system. We recognize, however, that, particularly given the limited scope of the authority that we have under this proposed rule to reach some significant actors in the health care system, other approaches could be of interest. We invite comments on whether other approaches to protecting individuals’ health information would be more effective.