NPRM: Standards for Privacy of Individually Identifiable Health Information. D. Uses and disclosures with individual authorization. (§ 164.508)


This section addresses the requirements that we are proposing when protected health information is disclosed pursuant to the individual's explicit authorization. The regulation would require that covered entities have authorization from individuals before using or disclosing their protected health information for any purpose not otherwise recognized by this regulation. Circumstances where an individual’s protected health information may be used or disclosed without authorization are discussed in connection with proposed §§ 164.510 and 164.522 below.

This section proposes different conditions governing such authorizations in two situations in which individuals commonly authorize covered entities to disclose information:

  • where the individual initiates the authorization because he or she wants a covered entity to disclose his or her record, and
  • where a covered entity asks an individual to authorize it to disclose or use information for purposes other than treatment, payment or health care operations.

In addition, this section proposes conditions where a covered entity or the individual initiates an authorization for use or disclosure of psychotherapy notes or research information unrelated to treatment. See discussion above in section II.C.1.c.

Individually identifiable health information is used for a vast array of purposes not directly related to providing or paying for an individual’s health care. Examples of such uses include targeted marketing of new products and assessing the eligibility of an individual for certain public benefits or for commercial products based on their health status. Under these rules, these types of uses and disclosures could only be made by a covered entity with the specific authorization of the subject of the information. The requirements proposed in this section are not intended to interfere with normal uses and disclosures of information in the health care delivery or payment process, but only to permit control of uses extraneous to health care. The restrictions on disclosure that the regulation would apply to covered entities may mean that some existing uses and disclosures of information could take place only if the individual explicitly authorized them under this section.

Authorization would be required for these uses and disclosures because individuals probably do not envision that the information they provide when getting health care would be disclosed for such unrelated purposes. Further, once a patient’s protected health information is disclosed outside of the treatment and payment arena, it could be very difficult for the individual to determine what additional entities have seen, used and further disclosed the information. Requiring an authorization from the patient for such uses and disclosures would enhance individuals’ control over their protected health information.

We considered requiring a uniform set of requirements for all authorizations, but concluded that it would be appropriate to treat authorizations initiated by the individual differently from authorizations sought by covered entities. There are fundamental differences in the uses of information and in the relationships and understandings among the parties in these two situations. When individuals initiate authorizations, they are more likely to understand the purpose of the release and to benefit themselves from the use or disclosure. When a covered entity asks the individual to authorize disclosure, we believe the entity should make clear what the information will be used for, what the individual's rights are, and how the covered entity would benefit from the requested disclosure.

Individuals seek disclosure of their health information to others in many circumstances, such as when applying for life or disability insurance, when government agencies conduct suitability investigations, and in seeking certain job assignments where health is relevant. Another common instance is tort litigation, where an individual's attorney needs individually identifiable health information to evaluate an injury claim and asks the individual to authorize disclosure of records relating to the injury to the attorney.

There could also be circumstances where the covered entity asks an individual to authorize use or disclosure of information, for example to disclose it to a subsidiary to market life insurance to the individual. Similarly, the covered entity might ask that the individual authorize it to send information to a person outside that covered entity – possibly another covered entity or class of covered entity – for purposes outside of treatment, payment, or health care operations. See proposed § 164.508(a)(2)(ii).