Standards for Privacy of Individually Identifiable Health Information. Final Privacy Rule Preamble.. Consent

The issue that drew the most comments overall is the question of when individuals' permission should be obtained prior to use or disclosure of their health information. We learned that individuals' views and the legal view of 'consent' for use and disclosure of health information are different and in many ways incompatible. Comments from individuals revealed a common belief that, today, people must be asked permission for each and every release of their health information. Many believe that they "own" the health records about them. However, current law and practice do not support this view.

Current privacy protection practices are determined in part by the standards and practices that the professional associations have adopted for their members. Professional codes of conduct for ethical behavior generally can be found as opinions and guidelines developed by organizations such as the American Medical Association, American Nurses' Association, the American Hospital Association, the American Psychiatric Association, and the American Dental Association. These are generally issued though an organization's governing body. The codes do not have the force of law, but providers often recognize them as binding rules.

Our review of professional codes of ethics revealed partial, but loose, support for individuals' expectations of privacy. For example, the American Medical Association's Code of Ethics recognizes both the right to privacy and the need to balance it against societal needs. It reads in part: "conflicts between a patient's right to privacy and a third party's need to know should be resolved in favor of the patient, except where that would result in serious health hazard or harm to the patient or others." AMA Policy No 140.989. See also, Mass. Med. Society, Patient Privacy and Confidentiality (1996), at 14:

Patients enter treatment with the expectation that the information they share will be used exclusively for their clinical care. Protection of our patients' confidences is an integral part of our ethical training.

These codes, however, do not apply to many who obtain information from providers. For example, the National Association of Insurance Commissioners model code, "Health Information Privacy Model Act"(1998), applies to insurers but has not been widely adopted. Codes of ethics are also often written in general terms that do not provide guidance to providers and plans confronted with specific questions about protecting health information.

State laws are a crucial means of protecting health information, and today state laws vary dramatically. Some states defer to the professional codes of conduct, others provide general guidelines for privacy protection, and others provide detailed requirements relating to the protection of information relating to specific diseases or to entire classes of information. Cf., D.C. Code Ann. §2-3305.14(16) and Haw. Rev. Stat. 323C, et seq. In general, state statutes and case law addressing consent to use of health information do not support the public's strong expectations regarding consent for use and disclosure of health information. Only about half of the states have a general law that prohibits disclosure of health information without patient authorization and some of these are limited to hospital medical records.

Even when a state has a law limiting disclosure of health information, the law typically exempts many types of disclosure from the authorization requirement. Georgetown Study, Key Findings; Lisa Dahm, "50-State Survey on Patient Health Care Record Confidentiality," American Health Lawyers Association (1999). One of the most common exemptions from a consent requirement is disclosure of health information for treatment and related purposes. See, e.g., Wis.Stat. § 164.82; Cal. Civ. Code 56:10; National Conference of Commissioners on Uniform State Laws, Uniform Health-Care Information Act, Minneapolis, MN, August 9, 1985. Some states include utilization review and similar activities in the exemption. See, e.g., Ariz. Rev. Stat. § 12-2294. Another common exemption from consent is disclosure of health information for purposes of obtaining payment. See, e.g., Fla. Stat. Ann. § 455.667; Tex. Rev. Civ. Stat. Art. 4495, § 5.08(h); 410 Ill. Comp. Stat. 50/3(d). Other common exemptions include disclosures for emergency care, and for disclosures to government authorities (such as a department of public health). See Gostin Study, at 1-2; 48-51. Some states also exempt disclosure to law enforcement officials (e.g., Massachusetts, Ch. 254 of the Acts of 2000), coroners (Wis. Stat. § 146.82), and for such purposes as business operations, oversight, research, and for directory information. Under these exceptions, providers can disclose health information without any consent or authorization from the patient. When states require specific, written authorization for disclosure of health information, the authorizations are usually only required for certain types of disclosures or certain types of information, and one authorization can suffice for multiple disclosures over time.

The states that do not have laws prohibiting disclosure of health information impose no specific requirements for consent or authorization prior to release of health information. There may, however, be other controls on release of health information. For instance, most health care professional licensure laws include general prohibitions against 'breaches of confidentiality.' In some states, patients can hold providers accountable for some unauthorized disclosures of health information about them under various tort theories, such as invasion of privacy and breach of a confidential relationship. While these controls may affect certain disclosure practices, they do not amount to a requirement that a provider obtain authorization for each and every disclosure of health information.

Further, patients are typically not given a choice; they must sign the "consent" in order to receive care. As the Georgetown Study points out, "In effect, the authorization may function more as a waiver of consent -- the patient may not have an opportunity to object to any disclosures." Georgetown Study, Key Findings.

In the many cases where neither state law nor professional ethical standards exist, the only privacy protection individuals have is limited to the policies and procedures that the health care entity adopts. Corporate privacy policies are often proprietary. While several professional associations attached their privacy principles to their comments, health care entities did not. One study we found indicates that these policies are not adequate to provide appropriate privacy protections and alleviate public concern. The Committee on Maintaining Privacy and Security in Health Care Applications of the National Information Infrastructure made multiple findings highlighting the need for heightened privacy and security, including:

Finding 5: The greatest concerns regarding the privacy of health information derives from widespread sharing of patient information throughout the health care industry and the inadequate federal and state regulatory framework for systematic protection of health information.

For the Record: Protecting Electronic Health Information, National Academy Press, Washington DC, 1997.

In the NPRM, we expressed concern about the coercive nature of consents currently obtained by providers and plans relating to the use and disclosure of health information. We also expressed concern about the lack of information available to the patient during the process, and the fact that patients often were not even presented with a copy of the consent that they have signed. These and other concerns led us to propose that covered entities be permitted to use and disclose protected health information for treatment, payment and health care operations without the express consent of the subject individual.

In the final rule, we alter our proposed approach and require, in most instances, that health care providers who have a direct treatment relationship with their patients obtain the consent of their patients to use and disclose protected health information for treatment, payment and health care operations. While our concern about the coerced nature of these consents remains, many comments that we received from individuals, health care professionals, and organizations that represent them indicated that both patients and practitioners believe that patient consent is an important part of the current health care system and should be retained.

Providing and obtaining consent clearly has meaning for patients and practitioners. Patient advocates argued that the act of signing focuses the patient's attention on the substance of the transaction and provides an opportunity for the patient to ask questions about or seek modifications in the provider's practices. Many health care practitioners and their representatives argued that seeking a patient's consent to disclose confidential information is an ethical requirement that strengthens the physician-patient relationship. Both practitioners and patients argued that the approach proposed in the NPRM actually reduced patient protections by eliminating the opportunity for patients to agree to how their confidential information would be used and disclosed.

While we believe that the provisions in the NPRM that provided for detailed notice to the patient and the right to request restrictions would have provided an opportunity for patients and providers to discuss and negotiate over information practices, it is clear from the comments that many practitioners and patients believe the approach proposed in the NPRM is not an acceptable replacement for the patient providing consent. To encourage a more informed interaction between the patient and the provider during the consent process, the final rule requires that the consent form that is presented to the patient be accompanied by a notice that contains a detailed discussion of the provider's health information practices. The consent form must reference the notice and also must inform the patient that he or she has the right to ask the health care provider to request certain restrictions as to how the information of the patient will be used or disclosed. Our goal is to provide an opportunity for and to encourage more informed discussions between patients and providers about how protected health information will be used and disclosed within the health care system.

We considered and rejected other approaches to consent, including those that involved individuals providing a global consent to uses and disclosures when they sign up for insurance. While such approaches do require the patient to provide consent, it is not really an informed one or a voluntary one. It is also unclear how a consent obtained at the enrollment stage would be meaningfully communicated to the many providers who create the health information in the first instance. The ability to negotiate restrictions or otherwise have a meaningful discussion with the front-line provider would be independent of, and potentially in conflict with, the consent obtained at the enrollment stage. In addition, employers today are moving toward simplified enrollment forms, using check-off boxes and similar devices. The opportunity for any meaningful consideration or interaction at that point is slight. For these and other reasons, we decided that, to the extent a consent can accomplish the goal sought by individuals and providers, it must be focused on the direct interaction between an individual and provider.

The comments and fact-finding indicate that our approach will not significantly change the administrative aspect of consent as it exists today. Most direct treatment providers today obtain some type of consent for some uses and disclosures of health information. Our regulation will ensure that those consents cover the routine uses and disclosures of health information, and provide an opportunity for individuals to obtain further information and have further discussion, should they so desire.