The rule would require that covered entities have authorization from individuals before using or disclosing their protected health information for any purpose not otherwise recognized by this rule. In § 164.508, we propose rules for obtaining authorizations. Authorizations are needed in a wide array of circumstances. Entities not covered by this rule often want access to individually identifiable health information . For example, a potential employer may require health information as part of a background check for security purposes, or the patient may request a plan or provider to disclose information to obtain eligibility for disability benefits or to an attorney for use in a law suit. Covered entities may also seek such an authorization in order to use protected health information for a purpose not otherwise permitted under this rule. For example, a health plan may wish to use a person’s records for developing a marketing strategy.
The proposed authorization requirements are intended to ensure that an individual’s authorization is truly voluntary. We would prohibit covered entities from conditioning treatment or payment on the individual agreeing to disclose information for other purposes. We also would require authorizations to clearly and specifically describe the information to be disclosed. If an authorization is sought so that a covered entity may sell, barter, or otherwise exchange the information for purposes other than treatment, payment, or health care operations, the covered entity would have to disclose this fact on the authorization form. We would also require authorizations to be revocable. We do not seek to limit the purposes for which authorization of records disclosure may be sought, but rather to ensure that these authorizations are voluntary, fair, and enforceable.
While the provisions of this proposed rule are intended to make authorizations for treatment and payment purposes unnecessary, some States may continue to require them. This rule would not supersede such State requirements generally, but would impose a new requirement that such State-mandated authorizations must be physically separate from an authorization for other purposes described in this rule.