Covered entities must obtain individual authorization to use protected health information for purposes other than those allowed under the proposed rule. Activities requiring authorization would include, for example, marketing and eligibility determinations for health coverage or employment. Costs would be ongoing for staffing and administrative activities related to obtaining authorization from individuals.
In establishing the requirement for covered entities to obtain patient authorization to use individually identifiable health information for purposes other than those allowed under the proposed rule, we decided to include in the proposed rule a model “request for authorization.” By following such a model, covered entities, particularly small entities, could avoid the legal and administrative expenses that would be necessary to develop an authorization form that complies with the proposed rule’s standards. The proposed rule would not prevent entities from developing their own patient authorization forms or from modifying existing forms in a manner consistent with the model.
The alternative to providing this model would be to state that an authorization would be required and allow entities to develop the authorization. We believe that providing no guidance in this area would have caused unnecessary difficulties and burdens for small entities.