Standards for Privacy of Individually Identifiable Health Information. Final Privacy Rule Preamble.. Section 164.506(e) - Resolving Conflicting Consents and Authorizations

12/28/2000

Situations may arise where a covered entity that has obtained the individual's consent for the covered entity to use or disclose protected health information to carry out treatment, payment, or health care operations is asked to disclose protected health information pursuant to another written legal permission from the individual, such as an authorization, that was obtained by another person. Under § 164.506(e), when the terms of a covered entity's consent conflict with the terms of another written legal permission from the individual to use or disclose protected health information (such as a consent obtained under state law by another covered entity or an authorization), the covered entity must adhere to the more restrictive document. By conflict, we mean that the consent and authorization contain inconsistencies. In implementing this section, we note that the consent under this section references the notice provided to the individual and the individual's right to request restrictions. In determining whether the covered entity's consent conflicts with another written legal permission provided by the individual, the covered entity must consider any limitations on its uses or disclosures resulting from the notice provided to the individual or from restrictions to which it has agreed. For example, a covered nursing home may elect to ask the patient to sign an authorization for the patient's covered primary care physician to forward the patient's medical records to the nursing home. The physician may have previously obtained the individual's consent for disclosure for treatment purposes. If the authorization obtained by the nursing home grants permission for the physician to disclose particular types of information, such as genetic information, but the consent obtained by the physician excludes such information or the physician has agreed to a restriction on that type of information, the physician may not disclose that information. The physician must adhere to the more restrictive written legal permission from the individual.

When a conflict between a consent and another written legal permission from the individual exists, as described above, the covered entity may attempt to resolve the conflict with the individual by either obtaining a new consent from the individual or by having a discussion or otherwise communicating with the individual to determine the individual's preference regarding the use or disclosure. If the individual's preference is communicated orally, the covered entity must document the individual's preference and act in accordance with that preference. In the example described above, the primary care physician could ask the patient to sign a new consent that would permit the disclosure of the genetic information. Alternatively, the physician could ask the patient whether the patient intended for the genetic information to be disclosed to the nursing home. If the patient confirms that he or she intended for the genetic information to be shared, the physician can document that fact (e.g., by making a notation in the medical record) and disclose the information to the nursing home.

We believe covered entities will rarely be faced with conflicts between consents and other written legal permission from the individual for uses and disclosures to carry out treatment, payment, and health care operations. Under § 164.506(a)(5), we specify that a consent only permits the covered entity that obtains the consent to use or disclose protected health information. A consent obtained by one covered entity is not effective to permit another different covered entity to use or disclose protected health information. Conflicting consents obtained by covered entities, therefore, are not possible. We expect authorizations that permit another covered entity to use and disclose protected health information for treatment, payment, and health care operations purposes will rarely be necessary, because we expect covered entities that maintain protected health information to obtain consents that permit them to make anticipated uses and disclosures for these purposes. Nevertheless, covered entities are permitted under § 164.508(e) to obtain authorization for another covered entity to use or disclose protected health information to carry out treatment, payment, and health care operations. We recognize these authorizations may be useful to demonstrate an individual's intent and relationship to the intended recipient of the information. For example, these authorizations may be useful in situations where a health plan wants to obtain information from one provider in order to determine payment of a claim for services provided by a different provider (e.g., information from a primary care physician that is necessary to determine payment of services provided by a specialist) or where an individual's new physician wants to obtain the individual's medical records from prior physicians. Other persons not covered by this rule may also seek authorizations and state law may require written permission for specific types of information, such as information related to HIV/AIDS or to mental health. Because an individual may sign conflicting documents over time, we clarify that the covered entity maintaining the protected health information to be used or disclosed must adhere to the more restrictive permission the individual has granted, unless the covered entity resolves the conflict with the individual.