Standards for Privacy of Individually Identifiable Health Information. Final Privacy Rule Preamble.. Defective Authorizations


Comment: Some commenters suggested we insert a "good-faith reliance" or "substantial compliance" standard into the authorization requirements. Commenters suggested that covered entities should be permitted to rely on an authorization as long as the individual has signed and dated the document. They stated that individuals may not fill out portions of a form that they feel are irrelevant or for which they do not have an answer. They argued that requiring covered entities to follow up with each individual to complete the form will cause unwarranted delays. In addition, commenters were concerned that large covered entities might act in good faith on a completed authorization, only to find out that a component of the entity "knew" some of the information on the form to be false or that the authorization had been revoked. These commenters did not feel that covered entities should be held in violation of the rule in such situations.

Response: We retain the provision as proposed and include one additional element: the authorization is invalid if it is combined with other documents in violation of the standards for compound authorizations. We also clarify that an authorization is invalid if material information on the form is known to be false. The elements we require to be included in the authorization are intended to ensure that individuals knowingly and willingly authorize the use or disclosure of protected health information about them. If these elements are missing or incomplete, the covered entity cannot know which protected health information to use or disclose to whom and cannot be confident that the individual intends for the use or disclosure to occur.

We have attempted to make the standards for defective authorizations as unambiguous as possible. In most cases, the covered entity will know whether the authorization is defective by looking at the form itself. Otherwise, the covered entity must know that the authorization has been revoked, that material information on the form is false, or that the expiration date or event has occurred. If the covered entity does not know these things and the authorization is otherwise satisfactory on its face, the covered entity is permitted to make the use or disclosure in compliance with this rule.

We have added two provisions to make it easier for covered entities to "know" when an authorization has been revoked. First, under § 164.508(b)(5), the revocation must be made in writing. Second, under § 164.508(c)(1)(v), authorizations must include instructions for how the individual may revoke the authorization. Written revocations submitted in the manner appropriate for the covered entity should ease covered entities' compliance burden.