Standards for Privacy of Individually Identifiable Health Information. Final Privacy Rule Preamble.. Section 164.506(a) - Consent Requirements

12/28/2000

We make significant changes in the final rule with respect to uses and disclosures of protected health information to carry out treatment, payment, and health care operations. We do not prohibit covered entities from seeking an individual's written permission for use or disclosure of protected health information to carry out treatment, payment, or health care operations.

Except as described below, we instead require covered health care providers to obtain the individual's consent prior to using or disclosing protected health information to carry out treatment, payment, or health care operations. If the covered provider does not obtain the individual's consent, the provider is prohibited from using or disclosing protected health information about the individual for purposes of treating the individual, obtaining payment for health care delivered to the individual, or for the provider's health care operations. See § 164.506(a)(1).

We except two types of health care providers from this consent requirement. First, covered health care providers that have an indirect treatment relationship with an individual are not required to obtain the individual's consent prior to using or disclosing protected health information about the individual to carry out treatment, payment, and health care operations. An "indirect treatment relationship" is defined in § 164.501 and described in the corresponding preamble. These providers may use and disclose protected health information as otherwise permitted under the rule and consistent with their notice of privacy practices (see § 164.520 regarding notice requirements and § 164.502(i) regarding requirements to adhere to the notice). For example, a covered provider that provides consultation services to another provider without seeing the patient would have an indirect treatment relationship with that patient and would not be required to obtain the patient's consent to use protected health information about the patient for the consultation. These covered providers are, however, permitted to obtain consent, as described below.

Second, covered health care providers that create or receive protected health information in the course of providing health care to inmates of a correctional institution are not required to obtain the inmate's consent prior to using or disclosing protected health information about the inmate to carry out treatment, payment, and health care operations. See § 164.501 and the corresponding preamble discussion regarding the definitions of "correctional institution" and "inmate." These providers may use and disclose protected health information as otherwise permitted under the rule. These providers are permitted, however, to obtain consent, as described below.

In addition, we permit covered health care providers to use and disclose protected health information, without consent, to carry out treatment, payment, and health care operations, if the protected health information was created or received in certain treatment situations. In the treatment situations described in § 164.506(a)(3) and immediately below, the covered health care provider must attempt to obtain the individual's consent. If the covered provider is unable to obtain consent, but documents the attempt and the reason consent was not obtained, the covered provider may, without consent, use and disclose the protected health information resulting from the treatment as otherwise permitted under the rule. All other protected health information about that individual that the covered health care provider creates or receives, however, is subject to the consent requirements.

This exception to the consent requirement applies to protected health information created or received in any of three treatment situations. First, the exception applies to protected health information created or received in emergency treatment situations. In these situations, covered providers must attempt to obtain the consent as soon as reasonably practicable after the delivery of the emergency treatment. Second, the exception applies to protected health information created or received in situations where the covered health care provider is required by law to treat the individual (for example, certain publicly funded providers) and the covered health care provider attempts to obtain such consent. Third, the exception applies to protected health information created or received in treatment situations where there are substantial barriers to communicating with the individual and, in the exercise of professional judgment, the covered provider clearly infers from the circumstances the individual's consent to receive treatment. For example, there may be situations in which a mentally incapacitated individual seeks treatment from a health care provider but is unable to provide informed consent to undergo such treatment and does not have a personal representative available to provide such consent on the individual's behalf. If the covered provider, in her professional judgment, believes she can legally provide treatment to that individual, we also permit the provider to use and disclose protected health information resulting from the treatment without the individual's consent. We intend covered health care providers that legally provide treatment without the individual's consent to that treatment to be able to use and disclose protected health information resulting from that treatment to carry out treatment, payment, or health care operations without obtaining the individual's consent for such use or disclosure. We do not intend to impose unreasonable barriers to individuals' ability to receive, and health care providers' ability to provide, health care.

Under § 164.506(a)(4), covered health care providers that have an indirect treatment relationship with an individual, as well as health plans and health care clearinghouses, may elect to seek consent for their own uses and disclosures to carry out treatment, payment, and health care operations. If such a covered entity seeks consent for these purposes, the consent must meet the minimum requirements described below.

If a covered health care provider with an indirect treatment relationship, a health plan, or a health care clearinghouse does not seek consent, the covered entity may use or disclose protected health information to carry out treatment, payment, and health care operations as otherwise permitted under the rule and consistent with its notice of privacy practices (see § 164.520 regarding notice requirements and § 164.502(i) regarding requirements to adhere to the notice).

If a covered health care provider with an indirect treatment relationship, a health plan, or a health care clearinghouse does ask an individual to sign a consent, and the individual does not do so, the covered entity is prohibited under § 164.502(a)(1) from using or disclosing protected health information for the purpose(s) included in the consent. A covered entity that seeks a consent must adhere to the individual's decision.

In § 164.506(a)(5), we specify that a consent obtained by one covered entity is not effective to permit another covered entity to use or disclose protected health information, unless the consent is a joint consent. See § 164.506(f) and the corresponding preamble discussion below regarding joint consents. A consent provides the individual's permission only for the covered entity that obtains the consent to use or disclose protected health information for treatment, payment, and health care operations. A consent under this section does not operate to authorize another covered entity to use or disclose protected health information, except where the other covered entity is operating as a business associate. We note that, where a covered entity is acting as a business associate of another covered entity, the business associate covered entity is acting for or on behalf of the principal covered entity, and its actions for or on behalf of the principal covered entity are authorized by the consent obtained by the principal covered entity. Thus, under this section, a health plan can obtain a consent that permits the health plan and its business associates to use and disclose protected health information that the health plan and its business associates create or receive. That consent cannot, however, permit another covered entity (that is not a business associate) to disclose protected health information to the health plan or to any other person.

If a covered entity wants to obtain the individual's permission for another covered entity to disclose protected health information to it for treatment, payment, or health care operations purposes, it must seek an authorization in accordance with § 164.508(e). For example, when a covered provider asks the individual for written permission to obtain the individual's medical record from another provider for treatment purposes, it must do so with an authorization, not a consent. Since the permission is for disclosure of protected health information by another person, a consent may not be used.