Standards for Privacy of Individually Identifiable Health Information. Final Privacy Rule Preamble.. Introduction: "Consent" versus "Authorization"

12/28/2000

In the proposed rule, we used the term "authorization" to describe the individual's written permission for a covered entity to use and disclose protected health information, regardless of the purpose of the use or disclosure. Authorization would have been required for all uses and disclosures that were not otherwise permitted or required under the NPRM.

We proposed to permit covered entities, subject to limited exceptions for psychotherapy notes and research information unrelated to treatment, to use and disclose protected health information to carry out treatment, payment, and health care operations without authorization. See proposed § 164.506(a)(1).

We also proposed to prohibit covered entities from requiring individuals to sign authorizations for uses and disclosures of protected health information for treatment, payment, and health care operations, unless required by other applicable law. See proposed § 164.508(a)(iv). We instead proposed requiring covered entities to produce a notice describing their information practices, including practices with respect to uses and disclosures to carry out treatment, payment, and health care operations.

In the final rule, we retain the requirement for covered entities to obtain the individual's written permission (an "authorization") for uses and disclosures of protected health information that are not otherwise permitted or required under the rule. However, under the final rule, we add a second type of written permission for use or disclosure of protected health information: a "consent" for uses and disclosures to carry out treatment, payment, and health care operations. In the final rule, we permit, and in some cases require, covered entities to obtain the individual's written permission for the covered entity to use or disclose protected health information other than psychotherapy notes to carry out treatment, payment, and health care operations. We refer to this written permission as a "consent."

The "consent" and the "authorization" do not overlap. The requirement to obtain a "consent" applies in different circumstances than the requirement to obtain an authorization. In content, a consent and an authorization differ substantially from one another.

As described in detail below, a "consent" allows use and disclosure of protected health information only for treatment, payment, and health care operations. It is written in general terms and refers the individual to the covered entity's notice for further information about the covered entity's privacy practices. It allows use and disclosure of protected health information by the covered entity seeking the consent, not by other persons. Most persons who obtain a consent will be health care providers; health plans and health care clearinghouses may also seek a consent. The consent requirements appear in § 164.506 and are described in this section of the preamble.

With a few exceptions, an "authorization" allows use and disclosure of protected health information for purposes other than treatment, payment, and health care operations. In order to make uses and disclosures that are not covered by the consent requirements and not otherwise permitted or required under the final rule, covered entities must obtain the individual's "authorization." An "authorization" must be written in specific terms. It may allow use and disclosure of protected health information by the covered entity seeking the authorization, or by a third party. In some instances, a covered entity may not refuse to treat or cover individuals based on the fact that they refuse to sign an authorization. See § 164.508 and the corresponding preamble discussion regarding authorization requirements.