Standards for Privacy of Individually Identifiable Health Information. Final Privacy Rule Preamble.. Consent Requirements

12/28/2000

Comment: Many commenters believed that consent might be problematic in that it could allow covered entities to refuse enrollment or services if the individual does not grant the consent. Some commenters proposed that covered entities be allowed to condition treatment, payment, or health care operations on whether or not an individual granted consent. Other commenters said that consent should be voluntary and not coerced.

Response: In the final rule (§ 164.506(b)(1)), we permit covered health care providers to condition treatment on the individual's consent to the covered provider's use or disclosure of protected health information to carry out treatment, payment, and health care operations. We recognize that it would be difficult, if not impossible, for health care providers to treat their patients and run their businesses without being able to use or disclose protected health information for these purposes. For example, a health care provider could not be reimbursed by a health plan unless the provider could share protected health information about the individual with the health plan. Under the final rule, if the individual refuses to grant consent for this disclosure, the health care provider may refuse to treat the individual. We encourage health care providers to exhaust other options, such as making alternative payment arrangements with the individual, before refusing to treat the individual on these grounds.

We also permit health plans to condition enrollment in the health plan on the individual's consent for the health plan to use and disclose protected health information to carry out treatment, payment, and health care operations (see § 164.506(b)(2)). The health plan must seek the consent in conjunction with the individual's enrollment in the plan for this provision to apply. For example, a health plan's application for enrollment may include a consent for the health plan to use or disclose protected health information to carry out treatment, payment, and/or health care operations. If the individual does not sign this consent, the health plan, under § 164.502(a)(1)(iii), is prohibited from using or disclosing protected health information about the individual for the purposes stated in the consent form. Because the health plan may not be able adequately to provide services to the individual without these uses and disclosures, we permit the health plan to refuse to enroll the individual if the consent is not signed.

Comment: Some commenters were concerned that the NPRM conflicted with state law regarding when covered entities would be required to obtain consent for uses and disclosures of protected health information.

Response: We have modified the provisions in the final rule to require certain health care providers to obtain consent for uses and disclosures for treatment, payment, and health care operations and to permit other covered entities to do so. A consent under this rule may be combined with other types of written legal permission from the individual, such as state-required consents for uses and disclosures of certain types of health information (e.g., information relating to HIV/AIDS or mental health). We also permit covered entities to seek authorization from the individual for another covered entity's use or disclosure of protected health information for these purposes, including if the covered entity is required to do so by other law. Though we do not believe any states currently require such authorizations, we wanted to avoid future conflicts. These changes should resolve the concerns raised by commenters regarding conflicts with state laws that require consent, authorization, or other types of written legal permission for uses and disclosures of protected health information.

Comment: Some commenters noted that there would be circumstances when consent is impossible or impractical. A few commenters suggested that in such situations patient information be de-identified or reviewed by an objective third party to determine if consent is necessary.

Response: Covered health care providers with direct treatment relationships are required to obtain consent to use or disclose protected health information to carry out treatment, payment, and health care operations. In certain treatment situations where the provider is permitted or required to treat an individual without the individual's written consent to receive health care, the provider may use and disclose protected health information created or obtained in the course of that treatment without the individual's consent under this rule (see § 164.506(a)(3)). In these situations, the provider must attempt to obtain the individual's consent and, if the provider is unable to obtain consent, the provider must document the attempt and the reason consent could not be obtained. Together with the uses and disclosures permitted under §§ 164.510 and 164.512, the concerns raised regarding situations in which it is impossible or impractical for covered entities to obtain the individual's permission to use or disclose protected health information about the individual have been addressed.

Comment: An agency that provides care to individuals with mental retardation and developmental disabilities expressed concern that many of their consumers lack capacity to consent to the release of their records and may not have a surrogate readily available to provide consent on their behalf.

Response: Under § 164.506(a)(3), we provide exceptions to the consent requirement for certain treatment situations in which consent is difficult to obtain. In these situations, the covered provider must attempt to obtain consent and must document the reason why consent was not obtained. If these conditions are met, the provider may use and disclose the protected health information created or obtained during the treatment for treatment, payment, or health care operations purposes, without consent.

Comment: Many commenters were concerned that covered entities working together in an integrated health care system would each separately be required to obtain consent for use and disclosure of protected health information for treatment, payment, and health care operations. These commenters recommend that the rule permit covered entities that are part of the same integrated health care system to obtain a single consent allowing each of the covered entities to use and disclose protected health information in accordance with that consent form. Some commenters said that it would be confusing to patients and administratively burdensome to require separate consents for health care systems that include multiple covered entities.

Response: We agree with commenters' concerns. In § 164.506(f) of the final rule we permit covered entities that participate in an organized health care arrangement to obtain a single consent on behalf of the arrangement. See § 164.501 and the corresponding preamble discussion regarding organized health care arrangements. To obtain a joint consent, the covered entities must have a joint notice and must refer to the joint notice in the joint consent. See § 164.520(d) and the corresponding preamble discussion regarding joint notice. The joint consent must also identify the covered entities to which it applies so that individuals will know who is permitted to use and disclose information about them.

Comment: Many commenters stated that individuals own their medical records and, therefore, should have absolute control over them, including knowing by whom and for what purpose protected health information is used, disclosed, and maintained. Some commenters asserted that, according to existing law, a patient owns the medical records of which he is the subject.

Response: We disagree. In order to assert an ownership interest in a medical record, a patient must demonstrate some legitimate claim of entitlement to it under a state law that establishes property rights or under state contract law. Historically, medical records have been the property of the health care provider or medical facility that created them, and some state statutes directly provide that medical records are the property of a health care provider or a health care facility. The final rule is consistent with current state law that provides patients access to protected health information but not ownership of medical records. Furthermore, state laws that are more stringent than the rule, that is, state laws that provide a patient with greater access to protected health information, remain in effect. See discussion of "Preemption" above.