Proposed Standards for Privacy of Individually Identifiable Health Information. Disclosures without authorization for health care treatment, payment, and operations


  • Covered entities could use and disclose protected health information without authorization for treatment, payment and health care operations. This would include purposes such as quality assurance, utilization review, credentialing, and other activities that are part of ensuring appropriate treatment and payment.
  • Individuals generally could ask a covered entity to restrict further use and disclosure of protected health information for treatment, payment, or health care operations, with the exception of uses or disclosures required by law. The covered entity would not be required to agree to such a request, but if the covered entity and the individual agree to a restriction, the covered entity would be bound by the agreement.