Standards for Privacy of Individually Identifiable Health Information. Final Privacy Rule Preamble.. Revocation of Authorizations


Comment: Many commenters supported the right to revoke an authorization. Some comments, however, suggested that we require authorizations to remain valid for a minimum period of time, such as one year or the duration of the individual's enrollment in a health plan.

Response: We retain the right for individuals to revoke an authorization at any time, with certain exceptions. We believe this right is essential to ensuring that the authorization is voluntary. If an individual determines that an authorized use or disclosure is no longer in her best interest, she should be able to withdraw the authorization and prevent any further uses or disclosures.

Comment: Several commenters suggested that we not permit individuals to revoke an authorization if the revocation would prevent an investigation of material misrepresentation or fraud. Other commenters similarly suggested that we not permit individuals to revoke an authorization prior to a claim for benefits if the insurance was issued in reliance on the authorization.

Response: To address this concern, we include an additional exception to the right to revoke an authorization. Individuals do not have the right to revoke an authorization that was obtained as a condition of insurance coverage during any contestability period under other law. For example, if a life insurer obtains the individual's authorization for the use or disclosure of protected health information to determine eligibility or premiums under the policy, the individual does not have the right to revoke the authorization during any period of time in which the life insurer can contest a claim for benefits under the policy in accordance with state law. If an individual were able to revoke the authorization after enrollment but prior to making a claim, the insurer would be forced to pay claims without having the necessary information to determine whether the benefit is due. We believe the existing exception for covered entities that have acted in reliance on the authorization is insufficient to address this concern because it is another person, not the covered entity, that has acted in reliance on the authorization. In the life insurance example, it is the life insurer that has taken action (i.e., issued the policy) in reliance on the authorization. The life insurer is not a covered entity, therefore the covered entity exception is inapplicable.

Comment: Some comments suggested that a covered entity that had compiled, but not yet disclosed, protected health information would have already taken action in reliance on the authorization and could therefore disclose the information even if the individual revoked the authorization.

Response: We intend for covered entities to refrain from further using or disclosing protected health information to the maximum extent possible once an authorization is revoked. The exception exists only to the extent the covered entity has taken action in reliance on the authorization. If the covered entity has not yet used or disclosed the protected health information, it must refrain from doing so, pursuant to the revocation. If, however, the covered entity has already disclosed the information, it is not required to retrieve the information.

Comment: One comment suggested that the rule allow protected health information to be only rented, not sold, because there can be no right to revoke authorization for disclosure of protected health information that has been sold.

Response: We believe this limitation would be an unwarranted abrogation of covered entities' business practices and outside the scope of our authority. We believe individuals should have the right to authorize any uses or disclosures they feel are appropriate. We have attempted to create authorization requirements that make the individual's decisions as clear and voluntary as possible.

Comment: One commenter expressed concern as to whether the proposed rule's standard to protect the protected health information about a deceased individual for two years would interfere with the payment of death benefit claims. The commenter asked that the regulation permit the beneficiary or payee under a life insurance policy to authorize disclosure of protected health information pertaining to the cause of death of a decedent or policyholder. Specifically, the commenter explained that when substantiating a claim a beneficiary, such as a fiancee or friend, may be unable to obtain the authorization required to release information to the insurer, particularly if, for example, the decedent's estate does not require probate or if the beneficiary is not on good terms with the decedent's next of kin. Further, the commenter stated that particularly in cases where the policyholder dies within two years of the policy's issuance (within the policy's contestable period) and the cause of death is uncertain, the insurer's inability to access relevant protected health information would significantly interfere with claim payments and increase administrative costs.

Response: We do not believe this will be a problem under the final regulation, because we create an exception to the right to revoke an authorization if the authorization was obtained as a condition of obtaining insurance coverage and other applicable law provides the insurer that obtained the authorization with the right to contest a claim under the policy. Thus, if a policyholder dies within the two year contestability period, the authorization the insurer obtained from the policyholder prior to death could not be revoked during the contestability period.