Standards for Privacy of Individually Identifiable Health Information. Final Privacy Rule Preamble. Additional Elements and Requirements for Authorizations Requested by the Covered Entity for Its Own Uses and Disclosures

12/28/2000

Comment: Some commenters suggested that we should not require different elements in authorizations initiated by the covered entity versus authorizations initiated by the individual. The commenters argued the standards were unnecessary, confusing, and burdensome.

Response: The proposed authorization requirements are intended to ensure that an individual's authorization is truly voluntary. The additional elements required for authorizations initiated by the covered entity for its own uses and disclosures or for receipt of protected health information from other covered entities to carry out treatment, payment, or health care operations address concerns that are unique to these forms of authorization. (See above regarding requirements for research authorizations under § 164.508(f).)

First, when applicable, these authorizations must state that the covered entity will not condition treatment, payment, eligibility, or enrollment on the individual's providing authorization for the requested use or disclosure. This statement is not appropriate for authorizations initiated by the individual or another person who does not have the ability to withhold services if the individual does not authorize the use or disclosure.

Second, the authorization must state that the individual may refuse to sign the authorization. This statement is intended to signal to the individual that the authorization is voluntary and may not be accurate if the authorization is obtained by a person other than a covered entity.

Third, these authorizations must describe the purpose of the use or disclosure. We do not include this element in the core requirements because we understand there may be times when the individual does not want the covered entity maintaining the protected health information to know the purpose for the use or disclosure. For example, an individual contemplating litigation may not want the covered entity to know that litigation is the purpose of the disclosure. If the covered entity is initiating the authorization for its own use or disclosure, however, the individual and the covered entity maintaining the protected health information should have a mutual understanding of the purpose of the use or disclosure. Similarly, when a covered entity is requesting authorization for a disclosure by another covered entity that may have already obtained the individual's consent for the disclosure, the individual and covered entity that maintains the protected health information should be aware of this potential conflict.

There are two additional requirements for authorizations requested by a covered entity for its own use or disclosure of protected health information it maintains. First, we require the covered entity to describe the individual's right to inspect or copy the protected health information to be used or disclosed. Individuals may want to review the information to be used or disclosed before signing the authorization and should be reminded of their ability to do so. This requirement is not appropriate for authorizations for a covered entity to receive protected health information from another covered entity, however, because the covered entity requesting the authorization is not the covered entity that maintains the protected health information and cannot, therefore, grant or describe the individual's right to access the information.

If applicable, we also require a covered entity that requests an authorization for its own use or disclosure to state that the use or disclosure of the protected health information will result in direct or indirect remuneration to the entity. Individuals should be aware of any conflicts of interest or financial incentives on the part of the covered entity requesting the use or disclosure. These statements are not appropriate, however, in relation to uses and disclosures to carry out treatment, payment, and health care operations. Uses and disclosures for these purposes will often involve remuneration by the nature of the use or disclosure, not due to any conflict of interest on the part of either covered entity.

We note that authorizations requested by a covered entity include authorizations requested by the covered entity's business associate on the covered entity's behalf. Authorizations requested by a business associate on the covered entity's behalf and that authorize the use or disclosure of protected health information by the covered entity or the business associate must meet the requirements in § 164.508(d). Similarly, authorizations requested by a business associate on behalf of a covered entity to accomplish the disclosure of protected health information to that business associate or covered entity as described in § 164.508(e) must meet the requirements of that provision.

We disagree that these elements are unnecessary, confusing, or burdensome. We require them to ensure that the individual has a complete understanding of what he or she is agreeing to permit.

Comment: Many commenters suggested we include in the regulation text a provision stated in the preamble that entities and their business partners must limit their uses and disclosures to the purpose(s) specified by the individual in the authorization.

Response: We agree. In accordance with § 164.508(a)(1), covered entities may only use or disclose protected health information consistent with the authorization. In accordance with § 164.504(e)(2), a business associate may not make any uses or disclosures that the covered entity couldn't make.

Comment: Some comments suggested that authorizations should identify the source and amount of financial gain, if any, resulting from the proposed disclosure. Others suggested that the proposed financial gain requirements were too burdensome and would decrease trust between patients and providers. Commenters recommended that the requirement either should be eliminated or should only require covered entities, when applicable, to state that direct and foreseeable financial gain to the covered entity will result. Others requested clarification of how the requirement for covered entities to disclose financial gain relates to the criminal penalties that accrue for offenses committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm. Some commenters advocated use of the term "financial compensation" rather than "financial gain" to avoid confusion with in-kind compensation rules. Some comments additionally suggested excluding marketing uses and disclosures from the requirements regarding financial gain.

Response: We agree that clarification is warranted. In § 164.508(d)(1)(iv) of the final rule, we require a covered entity that asks an individual to sign an authorization for the covered entity's use or disclosure of protected health information and that will receive direct or indirect remuneration from a third party for the use or disclosure, to state that fact in the authorization. Remuneration from a third party includes payments such as a fixed price per disclosure, compensation for the costs of compiling and sending the information to be disclosed, and, with respect to marketing communications, a percentage of any sales generated by the marketing communication. For example, a device manufacturer may offer to pay a fixed price per name and address of individuals with a particular diagnosis, so that the device manufacturer can market its new device to people with the diagnosis. The device manufacturer may also offer the covered entity a percentage of the profits from any sales generated by the marketing materials sent. If a covered entity seeks an authorization to make such a disclosure, the authorization must state that the remuneration will occur. We believe individuals should have the opportunity to weigh the covered entity's potential conflict of interest when deciding to authorize the covered entity's use or disclosure of protected health information. We believe that the term "remuneration from a third party" clarifies our intent to describe a direct, tangible exchange, rather than the mere fact that parties intend to profit from their enterprises.

Comment: One commenter suggested we require covered entities to request authorizations in a manner that does not in itself disclose sensitive information.

Response: We agree that covered entities should make reasonable efforts to avoid unintentional disclosures. In § 164.530(c)(2), we require covered entities to have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information.

Comment: Some commenters requested clarification that covered entities are permitted to seek authorization at the time of enrollment or when individuals otherwise first interact with covered entities. Similarly, commenters requested clarification that covered entities may disclose protected health information created after the date the authorization was signed but prior to the expiration date of the authorization. These commenters were concerned that otherwise multiple authorizations would be required to accomplish a single purpose. Other comments suggested that we prohibit prospective authorizations (i.e., authorizations requested prior to the creation of the protected health information to be disclosed under the authorization) because it is not possible for individuals to make informed decisions about these authorizations.

Response: We confirm that covered entities may act on authorizations signed in advance of the creation of the protected health information to be released. We note, however, that all of the required elements must be completed, including a description of the protected health information to be used or disclosed pursuant to the authorization. This description must identify the information in a specific and meaningful fashion so that the individual can make an informed decision as to whether to sign the authorization.

Comment: Some commenters suggested that the final rule prohibit financial incentives, such as premium discounts, designed to encourage individuals to sign authorizations.

Response: We do not prohibit or require financial incentives for authorizations. We have attempted to ensure that authorizations are entered into voluntarily. If a covered entity chooses to offer a financial incentive for the individual to sign the authorization, and the individual chooses to accept it, they are free to do so.