NPRM: Standards for Privacy of Individually Identifiable Health Information. 8. Uses and disclosures with individual authorization. (§ 164.508)


Covered entities would be required to obtain individual authorization to use individually identifiable health information for purposes other than those allowed under the rule. Activities requiring authorization include, for example, marketing. Costs will be ongoing for staffing and administrative activities related to obtaining authorization from individuals.

Our proposal is based on the precept that a combination of strict limits on how covered entities can use and disclose protected health information, adequate notice to individuals about how their information will be used, and guarantees of individuals’ rights to inspect, copy and amend their health records will provide patients with better privacy protection and more effective control over their information than alternative approaches to privacy protection.

This section addresses the requirements that we are proposing when protected health information is disclosed pursuant to the individual's explicit authorization. The regulation would require that covered entities have authorization from individuals before using or disclosing their protected health information for any purpose not otherwise recognized by this regulation. Circumstances where an individual’s protected health information could be used or disclosed without authorization are discussed in connection with proposed §§ 164.510 and 164.522 below.

This section proposes different conditions governing such authorizations in two situations in which individuals commonly authorize covered entities to disclose information:

  • where the individual initiates the authorization because he or she wants a covered entity to disclose his or her record, and
  • where a covered entity asks an individual to authorize it to disclose or use information for purposes other than treatment, payment or health care operations.

The requirements proposed in this section are not intended to interfere with normal uses and disclosures of information in the health care delivery or payment process, but only to allow control of uses extraneous to health care. The restrictions on disclosure that the regulation would apply to covered entities may mean that some existing uses and disclosures of information could take place only if the individual explicitly authorized them under this section.

We considered requiring a uniform set of requirements for all authorizations, but concluded that it would be appropriate to treat authorizations initiated by the individual differently from authorizations sought by covered entities. There are fundamental differences, in the uses of information and in the relationships and understandings among the parties, in these two situations. When individuals initiate authorizations, they are more likely to understand the purpose of the release and to benefit themselves from the use or disclosure. When a covered entity asks the individual to authorize disclosure, we believe the entity should make clear what the information will be used for, what the individual's rights are, and how the covered entity would benefit from the requested disclosure.

We are proposing several requirements that would have to be met in the authorization process when the individual has initiated the authorization. We understand that the requirements that we are imposing here would make it quite unlikely that an individual could actually initiate a completed authorization, because few individuals would know to include all of these elements in a request for information. In most instances, individuals authorize a use or disclosure by completing a form provided by a third party, either the ultimate recipient of the information (who may have a form authorizing them to obtain the records from the record holders) or a health care provider or health plan holding the records (who may have a form that documents a request for the release of records to a third party). For this reason, we do not believe that our proposal would create substantial new burdens on individuals or covered entities in cases when an individual is initiating an authorized release of information. We invite comment on whether we are placing new burdens on individuals or covered entities. We also invite comment on whether the approach that we have proposed provides sufficient protection to individuals who seek to have their protected health information used or disclosed.

We are proposing that when covered entities initiate the authorization by asking individuals to authorize disclosure, the authorization be required to include all of the items required above as well as several additional items. We are proposing additional requirements when covered entities initiate the request for authorization, because in many cases it could be the covered entity, and not the individual, that achieves the primary benefit of the disclosure. We considered permitting covered entities to request authorizations with only the basic features proposed for authorizations initiated by the individual, for the sake of simplicity and consistency. However, we believe that additional protections are merited, in order to avert possible coercion, when the entity that provides or pays for health care is the one requesting the authorization.

We also acknowledge that there will be costs related to moving away from a blanket authorization system. These costs will be discussed more explicitly in the sections on allowable disclosures (both with and without authorization).

Covered entities and third parties that wish to have information disclosed to them will prepare forms for individuals to use to authorize use or disclosure. A model authorization form is displayed in Appendix A to this proposed rule. We considered presenting separate model forms for the two different types of authorizations (initiated by the individual and not initiated by the individual). However, this approach could be subject to misuse and be confusing to covered entities and individuals, who may be unclear as to which form is appropriate in specific situations. The model in the appendix accordingly is a unitary model, which includes all of the requirements for both types of authorization. By following such a model, covered entities, particularly small entities, could avoid the legal and administrative expenses that would be necessary to develop an authorization form that complies with the rule’s requirements. The proposed rule does not prevent entities from developing or modifying their own authorization forms. The alternative to providing this model was to simply state that an authorization would be required and allow entities to develop the authorization independently. While we would specify some information required in the authorization in this alternative, we would not give an actual form. This was considered to be an unnecessary burden for entities.

Finally, we are proposing that an individual be permitted to revoke an authorization at any time except to the extent that action has been taken in reliance on the authorization. See proposed § 164.508(e).