Proposed Standards for Privacy of Individually Identifiable Health Information. Uses and disclosures with individual authorization


  • Covered entities could use or disclose protected health information with the individual’s authorization for almost any lawful purpose.
  • We would prohibit covered entities from conditioning treatment or payment on the individual agreeing to disclose information for other purposes, and require the authorization form to state this prohibition.
  • While the provisions of this proposed rule are intended to make authorizations for treatment and payment purposes unnecessary, some States may continue to require them. Generally, this rule would not supersede such State requirements. However:
    • the rule would impose a new requirement that such State-mandated authorizations must be physically separate from an authorization for other purposes described in this rule.
    • the authorization would have to meet the rule’s requirements for the content of such authorizations (although a state law could require that an authorization contain additional provisions).
  • We would require authorizations to specify the information to be disclosed, who would get the information, and when the authorization would expire. If an authorization is sought so that a covered entity may sell or barter the information, the covered entity would have to disclose this fact on the authorization form.
  • Use or disclosure of information by the covered entity inconsistent with the authorization would be unlawful.
  • Individuals could revoke an authorization.