Standards for Privacy of Individually Identifiable Health Information. Final Privacy Rule Preamble.. Section 164.506 - Consent for Treatment, Payment, and Health Care Operations


Comment: Many commenters supported regulatory authorization for treatment, payment, and health care operations. In particular, health plans, employers, and institutional providers supported the use of regulatory authorization for treatment, payment, and health care operations.

In contrast, a large number of commenters, particularly health care professionals, patients, and patient advocates, suggested that consent for treatment, payment, and health care operations should be required. Many commenters supported the use of consent for treatment, payment, and health care operations, considering this a requirement for maintaining the integrity of the health care system. Some commenters made a distinction between requiring and permitting providers to obtain consent.

Commenters nearly uniformly agreed that covered health care providers, health plans, and clearinghouses should not be prohibited from seeking authorization for treatment, payment, and health care operations. Some commenters stated that the prohibition against obtaining an authorization goes against professional ethics, undermines the patient-provider relationship, and is contrary to current industry practice.

Some commenters specifically noted the primacy of the doctor-patient relationship regarding consent. In general, commenters recommended that individually identifiable health information not be released by doctors without patient consent. A few commenters stated that prohibiting health care providers from obtaining consent could cause the patient to become suspicious and distrustful of the health care provider. Other commenters believed that clinicians have the responsibility for making sure that patients are fully informed about the consequences of releasing information. A few commented that the process of obtaining consent provided an opportunity for the patient and provider to negotiate the use and disclosure of patient information.

Commenters discussed how, when, and by whom consent should be sought. For example, some commenters viewed a visit between a health care provider and patient as the appropriate place for consent to be discussed and obtained. While others did not necessarily dispute the appropriateness of health care providers obtaining consent for uses and disclosures of protected health information from individuals, some said that it was appropriate for health plans to be permitted to obtain consent.

Response: In the NPRM we stated our concern that the blanket consents that individuals sign today provide these individuals with neither notice nor control over how their information is to be used. While we retain those concerns, we also understand that for many who participate in the health care system, the acts of providing and obtaining consent represent important values that these parties wish to retain. Many individuals argued that providing consent enhances their control; many advocates argued that the act of consent focuses patient attention on the transaction; and many health care providers argued that obtaining consent is part of ethical behavior.

The final rule amends our proposed approach and requires most covered health care providers to obtain a consent from their patients to use or disclose protected health information for treatment, payment, and health care operations. Providers who have an indirect treatment relationship with the patient, as defined in § 164.501, cannot be expected to have an opportunity to obtain consent and may continue to rely on regulatory authorization for their uses and disclosures for these purposes.

As described in the comments, it is the relationship between the health care provider and the patient that is the basis for many decisions about uses and disclosures of protected health information. Much of the individually identifiable health information that is the subject of this rule is created when a patient interacts with a health care provider. By requiring covered providers to obtain consent for treatment, payment, and health care operations, the individual will have appropriate opportunity to consider the appropriate uses and disclosures of his or her protected health information. We also require that the consent contain a reference to the provider's notice, which contains a more detailed description of the provider's practices relating to uses and disclosures of protected health information. This combination provides the basis for an individual to have an informed conversation with his or her provider and to request restrictions.

It is our understanding that it is common practice for providers to obtain consent for this type of information-sharing today. Many providers and provider organizations stated that they are ethically obligated to obtain the patient's consent and that it is their practice to do so. A 1998 study by Merz, et al, published in the Journal of Law, Medicine and Ethics examined hospital consent forms regarding disclosure of medical information. 8 They found that 97% of all hospitals seek consent for the release of information for payment purposes; 45% seek consent for disclosure for utilization review, peer review, quality assurance, and/or prospective review; and 50% seek consent for disclosure to providers, other health care facilities, or others for continuity of care purposes. All of these activities fall within our definitions of treatment, payment, or health care operations.

In the final rule we have not required that health plans or health care clearinghouses obtain consent for their uses and disclosures of protected health information for treatment, payment, or health care operations. The rationale underlying the consent requirements for uses and disclosures by health care providers do not pertain to health plans and health care clearinghouses. First, current practice is varied, and there is little history of health plans obtaining consent relating to their own information practices unless required to do so by some other law. This is reflected in the public comments, in which most health plans supported the regulatory authorization approach proposed in the NPRM. Further, unlike many health care providers, health plans did not maintain that they were ethically obligated to seek the consent of their patients for their use and disclosure activities. Finally, it is the unique relationship between an individual and his or her health care provider that provides the foundation for a meaningful consent process. Requiring that consent process between an individual and a health plan or clearinghouse, when no such unique relationship exists, we believe is not necessary.

Unlike their relationship with health care providers, individuals in most instances do not have a direct opportunity to engage in a discussion with a health plan or clearinghouse at the time that they enter into a relationship with those entities. Most individuals choose a health plan through their employer and often sign up through their employer without any direct contact with the health plan. We concluded that providing for a signed consent in such a circumstance would add little to the proposed approach, which would have required health plans to provide a detailed notice to their enrollees. In the final rule, we also clarify that an individual can request a restriction from a health plan or health care clearinghouse. Since individuals rarely if ever have any direct contact with clearinghouses, we concluded that requiring a signed consent would have virtually no effect beyond the provision of the notice and the opportunity to request restrictions.

We agree with the comments we received objecting to the provision prohibiting covered entities from obtaining consent from individuals. As discussed above, in the final rule we require covered health care providers with direct treatment relationships to obtain consent to use or disclose protected health information for treatment, payment, and health care operations. In addition, we have eliminated the provision prohibiting other covered entities from obtaining such consents. We note that the consents that covered entities are permitted to obtain relate to their own uses and disclosures of protected health information for treatment, payment, and health care operations and not to the practices of others. If a covered entity wants to obtain the individual's permission to receive protected health information from another covered entity, it must do so using an authorization under § 164.508.