Section 164.508(a) - Standard
We proposed to require covered entities to obtain the individual's authorization for all uses and disclosures of protected health information not otherwise permitted or required under the proposed rule. Uses and disclosures that would have been permitted without individual authorization included uses and disclosures for national priority purposes such as public health, law enforcement, and research (see proposed § 164.510) and uses and disclosures of protected health information, other than psychotherapy notes and research information unrelated to treatment, for purposes of treatment, payment, and health care operations (see proposed § 164.506). We also proposed to require covered entities to disclose protected health information to the individual for inspection and copying (see proposed § 164.514) and to the Secretary as required for enforcement of the rule (see proposed § 164.522). Individual authorization would not have been required for these uses and disclosures.
We proposed to require covered entities to obtain the individual's authorization for all other uses and disclosures of protected health information. Under proposed § 164.508(a), uses and disclosures that would have required individual authorization included, but were not limited to, the following:
• use for marketing of health and non-health items and services by the covered entity;
• disclosure by sale, rental, or barter;
• use and disclosure to non-health related divisions of the covered entity, e.g., for use in marketing life or casualty insurance or banking services;
• disclosure, prior to an individual's enrollment in a health plan, to the health plan or health care provider for making eligibility or enrollment determinations relating to the individual or for underwriting or risk rating determinations;
• disclosure to an employer for use in employment determinations; and
• use or disclosure for fundraising.
In the preamble to the proposed rule, we stated that covered entities would be bound by the terms of authorizations. Uses or disclosures by the covered entity for purposes inconsistent with the statements made in the authorization would have constituted a violation of the rule.
In the final rule, under § 164.508(a), as in the proposed rule, covered entities must have authorization from individuals before using or disclosing protected health information for any purpose not otherwise permitted or required by this rule. Specifically, except for psychotherapy notes (see below), covered entities are not required to obtain the individual's authorization to use or disclose protected health information to carry out treatment, payment, and health care operations. (Covered entities may, however, be required to obtain the individual's consent for these uses and disclosures. See the preamble regarding § 164.506 for a discussion of "consent" versus "authorization".) We also do not require covered entities to obtain the individual's authorization for uses and disclosures of protected health information permitted under §§ 164.510 or 164.512, for disclosures to the individual, or for required disclosures to the Secretary under subpart C of part 160 of this subchapter for enforcement of this rule.
In the final rule, we clarify that covered entities are bound by the statements provided on the authorization; use or disclosure by the covered entity for purposes inconsistent with the statements made in the authorization constitutes a violation of this rule.
Unlike the proposed rule, we do not include in the regulation examples of the types of uses and disclosures that require individual authorization. We eliminated two examples from the proposed list due to potential confusion as to our intent: disclosure by sale, rental, or barter and use and disclosure to non-health related divisions of the covered entity. We recognize that covered entities sometimes make these types of uses and disclosures for purposes that are permitted under the rule without authorization. For example, a covered health care provider may sell its accounts receivable to a collection agency for payment purposes and a health plan may disclose protected health information to its life insurance component for payment purposes. We do not intend to require authorization for uses and disclosures made by sale, rental, or barter or for disclosures made to non-health related divisions of the covered entity, if those uses or disclosures could otherwise be made without authorization under this rule. As with any other use or disclosure, however, uses and disclosures of protected health information for these purposes do require authorization if they are not otherwise permitted under the rule.
We also eliminated the remaining proposed examples from the final rule due to concern that these examples might be misinterpreted as an exhaustive list of all of the uses and disclosures that require individual authorization. We discuss the examples here, however, to clarify the interaction of the authorization requirements and the provisions of the rule that permit uses and disclosures without authorization and/or with consent. Uses and disclosures for which covered entities must have the individual's authorization include, but are not limited to, the following activities.
Marketing
As in the proposed rule, covered entities must obtain the individual's authorization before using or disclosing protected health information for marketing purposes. In the final rule, we add a new definition of marketing (see § 164.501). For more detail on what activities constitute marketing, see § 164.501, definition of "marketing," and § 164.514(e).
Pre-enrollment underwriting
As in the proposed rule, covered entities must obtain the individual's authorization to use or disclose protected health information for the purpose of making eligibility or enrollment determinations relating to an individual or for underwriting or risk rating determinations, prior to the individual's enrollment in a health plan (that is, for purposes of pre-enrollment underwriting). For example, if an individual applies for new coverage with a health plan in the non-group market and the health plan wants to review protected health information from the individual's covered health care providers before extending an offer of coverage, the individual first must authorize the covered providers to share the information with the health plan. If the individual applies for renewal of existing coverage, however, the health plan would not need to obtain an authorization to review its existing claims records about that individual, because this activity would come within the definition of health care operations and be permissible. We also note that under § 164.504(f), a group health plan and a health insurance issuer that provides benefits with respect to a group health plan are permitted in certain circumstances to disclose summary health information to the plan sponsor for the purpose of obtaining premium bids. Because these disclosures fall within the definition of health care operations, they do not require authorization.
Employment determinations
As in the proposed rule, covered entities must obtain the individual's authorization to use or disclose protected health information for employment determinations. For example, a covered health care provider must obtain the individual's authorization to disclose the results of a pre-employment physical to the individual's employer. The final rule provides that a covered entity may condition the provision of health care that is solely for the purpose of creating protected health information for disclosure to a third party on the provision of authorization for the disclosure of the information to the third party.
Fundraising
Under the proposed regulation, we would have required authorization before a covered entity could have used or disclosed protected health information for fundraising. In the final rule, we narrow the circumstances under which covered entities must obtain the individual's authorization to use or disclose protected health information for fundraising purposes. As provided in § 164.514(f) and described in detail in the corresponding preamble, authorization is not required when a covered entity uses or discloses demographic information and information about the dates of health care provided to an individual for the purpose of raising funds for its own benefit, nor when it discloses such information to an institutionally related foundation to raise funds for the covered entity.
Any use or disclosure for fundraising purposes that does not meet the requirements of § 164.514(f) and does not fall within the definition of health care operations (see § 164.501) requires authorization. Specifically, covered entities must obtain the individual's authorization to use or disclose protected health information to raise funds for any entity other than the covered entity. For example, a covered entity must have the individual's authorization to use protected health information about the individual to solicit funds for a non-profit organization that engages in research, education, and awareness efforts about a particular disease.
Psychotherapy Notes
In the NPRM, we proposed different rules with respect to psychotherapy notes than we proposed with respect to all other protected health information. The proposed rule would have required covered entities to obtain an authorization for any use or disclosure of psychotherapy notes to carry out treatment, payment, or health care operations, unless the use was by the person who created the psychotherapy notes. With respect to all other protected health information, we proposed to prohibit covered entities from requiring authorization for uses and disclosures for these purposes.
We significantly revise our approach to psychotherapy notes in the final rule. With a few exceptions, covered entities must obtain the individual's authorization to use or disclose psychotherapy notes to carry out treatment, payment, or health care operations. A covered entity must obtain the individual's consent, but not an authorization, for the person who created the psychotherapy notes to use the notes to carry out treatment and for the covered entity to use or disclose psychotherapy notes for conducting training programs in which students, trainees, or practitioners in mental health learn under supervision to practice or improve their skills in group, joint, family, or individual counseling. A covered entity may also use psychotherapy notes to defend a legal action or other proceeding brought by the individual pursuant to a consent, without a specific authorization. We note that, while this provision allows disclosure of these records to the covered entity's attorney to defend against the action or proceeding, disclosure to others in the course of a judicial or administrative proceeding is governed by § 164.512(e). This special provision is necessary because disclosure of protected health information for purposes of legal representatives may be made under the general consent as part of "health care operations." Because we require an authorization for disclosure of psychotherapy notes for "health care operations," an exception is needed to allow covered entities to use protected health information about an individual to defend themselves against an action threatened or brought by that individual without asking that individual for authorization to do so. Otherwise, a consent under § 164.506 is not sufficient for the use or disclosure of psychotherapy notes to carry out treatment, payment, or health care operations. Authorization is required. 
We anticipate these authorizations will rarely be necessary, since psychotherapy notes do not include information that covered entities typically need for treatment, payment, or other types of health care operations.
In the NPRM, we proposed to permit covered entities to use and disclose psychotherapy notes for all other purposes permitted or required under the rule without authorization. In the final rule, we specify a more limited set of uses and disclosures of psychotherapy notes that covered entities are permitted to make without authorization. An authorization is not required for use or disclosure of psychotherapy notes when required for enforcement purposes, in accordance with subpart C of part 160 of this subchapter; when mandated by law, in accordance with § 164.512(a); when needed for oversight of the health care provider who created the psychotherapy notes, in accordance with § 164.512(d); when needed by a coroner or medical examiner, in accordance with § 164.512(g)(1); or when needed to avert a serious and imminent threat to health or safety, in accordance with § 164.512(j)(1)(i). We also provide transition provisions in § 164.532 regarding the effect of express legal permission obtained from an individual prior to the compliance date of this rule.
Section 164.508(b) - Implementation Specifications for Authorizations
Valid and Defective Authorizations
We proposed to require a minimum set of elements for authorizations requested by the individual and an additional set of elements for authorizations requested by a covered entity. We would have permitted covered entities to use and disclose protected health information pursuant to authorizations containing the applicable required elements. We would have prohibited covered entities from acting on an authorization if the submitted document had any of the following defects:
• the expiration date had passed;
• the form had not been filled out completely;
• the covered entity knew the authorization had been revoked;
• the completed form lacked a required element; or
• the covered entity knew the information on the form was false.
In § 164.508(b)(1) of the final rule, we specify that an authorization containing the applicable required elements (as described below) is a valid authorization. We clarify that a valid authorization may contain additional, non-required elements, provided that these elements are not inconsistent with the required elements. Covered entities are not required to use or disclose protected health information pursuant to a valid authorization. Our intent is to clarify that a covered entity that uses or discloses protected health information pursuant to an authorization meeting the applicable requirements will be in compliance with this rule.
We retain the provision prohibiting covered entities from acting on an authorization if the submitted document had any of the listed defects, with a few changes. First, in § 164.508(c)(1)(iv) we specify that an authorization may expire upon a certain event or on a specific date. For example, a valid authorization may state that it expires upon acceptance or rejection of an application for insurance or upon the termination of employment (for example, in an authorization for disclosure of protected health information for fitness-for-duty purposes) or similar event. The expiration event must, however, be related to the individual or the purpose of the use or disclosure. An authorization that purported to expire on the date when the stock market reached a specified level would not be valid. Under § 164.508(b)(2)(i), if the expiration event is known by the covered entity to have occurred, the authorization is defective. Second, we clarify that certain compound authorizations, as described below, are defective. We also clarify that authorizations that are not completely filled out with respect to the required elements are defective. Finally, we clarify that an authorization with information that the covered entity knows to be false is defective only if the information is material.
As under the proposed regulation, an authorization that the covered entity knows has been revoked is not a valid authorization. We note that, although an authorization must be revoked in writing, the covered entity may not always "know" that an authorization has been revoked. The writing required for an individual to revoke an authorization may not always trigger the "knowledge" required for a covered entity to consider an authorization defective. Conversely, a copy of the written revocation is not required before a provider "knows" that an authorization has been revoked.
Many authorizations will be obtained by persons other than the covered entity. If the individual revokes an authorization by writing to that other person, and neither the individual nor the other person informs the covered entity of the revocation, the covered entity will not "know" that the authorization has been revoked. For example, a government agency may obtain an individual's authorization for "all providers who have seen the individual in the past year" to disclose protected health information to the agency for purposes of determining eligibility for benefits. The individual may revoke the authorization by writing to the government agency requesting such revocation. We cannot require the agency to inform all covered entities to whom it has presented the authorization that the authorization has been revoked. If a covered entity does not know of the revocation, the covered entity will not violate this rule by acting pursuant to the authorization. At the same time, if the individual does inform the covered entity of the revocation, even orally, the covered entity "knows" that the authorization has been revoked and can no longer treat the authorization as valid under this rule. Thus, in this example, if the individual tells a covered entity that the individual has revoked the authorization, the covered entity "knows" of the revocation and must consider the authorization defective under § 164.508(b)(2).
Compound Authorizations
Except for authorizations requested in connection with a clinical trial, we proposed to prohibit covered entities from combining an authorization for use or disclosure of protected health information for purposes other than treatment, payment, or health care operations with an authorization or consent for treatment (e.g., an informed consent to receive care) or payment (e.g., an assignment of benefits).
We clarify the prohibition on compound authorizations in the final rule. Other than as described below, § 164.508(b)(3) prohibits a covered entity from acting on an authorization required under this rule that is combined with any other document, including any other written legal permission from the individual. For example, an authorization under this rule may not be combined with a consent for use or disclosure of protected health information under § 164.506, with the notice of privacy practices under § 164.520, with any other form of written legal permission for the use or disclosure of protected health information, with an informed consent to participate in research, or with any other form of consent or authorization for treatment or payment.
There are three exceptions to this prohibition. First, under § 164.508(f) (described in more detail, below), an authorization for the use or disclosure of protected health information created for research that includes treatment of the individual may be combined with a consent for the use or disclosure of that protected health information to carry out treatment, payment, or health care operations under § 164.506 and with other documents as provided in § 164.508(f). Second, authorizations for the use or disclosure of psychotherapy notes for multiple purposes may be combined in a single document, but may not be combined with authorizations for the use or disclosure of other protected health information. Third, authorizations for the use or disclosure of protected health information other than psychotherapy notes may be combined, provided that the covered entity has not conditioned the provision of treatment, payment, enrollment, or eligibility on obtaining the authorization. If a covered entity conditions any of these services on obtaining an authorization from the individual, as permitted in § 164.508(b)(4) and described below, the covered entity must not combine the authorization with any other document.
The following are examples of valid compound authorizations: an authorization for the disclosure of information created for clinical research combined with a consent for the use or disclosure of other protected health information to carry out treatment, payment, and health care operations, and the informed consent to participate in the clinical research; an authorization for disclosure of psychotherapy notes for both treatment and research purposes; and an authorization for the disclosure of the individual's demographic information for both marketing and fundraising purposes. Examples of invalid compound authorizations include: an authorization for the disclosure of protected health information for treatment, for research, and for determining payment of a claim for benefits, when the covered entity will refuse to pay the claim if the individual does not sign the authorization; or an authorization for the disclosure of psychotherapy notes combined with an authorization to disclose any other protected health information.
Prohibition on Conditioning Treatment, Payment, Eligibility, or Enrollment
We proposed to prohibit covered entities from conditioning treatment or payment on the provision by the individual of an authorization, except when the authorization was requested in connection with a clinical trial. In the case of authorization for use or disclosure of psychotherapy notes or research information unrelated to treatment, we proposed to prohibit covered entities from conditioning treatment, payment, or enrollment in a health plan on obtaining such an authorization.
We retain this basic approach but refine its application in the final rule. In addition to the general prohibition on conditioning treatment and payment, covered entities are also prohibited (with certain exceptions described below) from conditioning eligibility for benefits or enrollment in a health plan on obtaining an authorization. This prohibition extends to all authorizations, not just authorizations for use or disclosure of psychotherapy notes. This prohibition is intended to prevent covered entities from coercing individuals into signing an authorization for a use or disclosure that is not necessary to carry out the primary services that the covered entity provides to the individual. For example, a health care provider could not refuse to treat an individual because the individual refused to authorize a disclosure to a pharmaceutical manufacturer for the purpose of marketing a new product.
We clarify the proposed research exception to this prohibition. Covered entities seeking authorization in accordance with § 164.508(f) to use or disclose protected health information created for the purpose of research that includes treatment of the individual, including clinical trials, may condition the research-related treatment on the individual's authorization. Permitting use of protected health information is part of the decision to receive care through a clinical trial, and health care providers conducting such trials should be able to condition research-related treatment on the individual's willingness to authorize the use or disclosure of his or her protected health information for research associated with the trial.
In addition, we permit health plans to condition eligibility for benefits and enrollment in the health plan on the individual's authorization for the use or disclosure of protected health information for purposes of eligibility or enrollment determinations relating to the individual or for its underwriting or risk-rating determinations. We also permit health plans to condition payment of a claim for specified benefits on the individual's authorization for the disclosure of information maintained by another covered entity to the health plan, if the disclosure is necessary to determine payment of the claim. These exceptions do not apply, however, to authorization for the use or disclosure of psychotherapy notes. Health plans may not condition payment, eligibility, or enrollment on the receipt of an authorization for the use or disclosure of psychotherapy notes, even if the health plan intends to use the information for underwriting or payment purposes.
Finally, when a covered entity provides treatment for the sole purpose of providing information to a third party, the covered entity may condition the treatment on the receipt of an authorization to use or disclose protected health information related to that treatment. For example, a covered health care provider may have a contract with an employer to provide fitness-for-duty exams to the employer's employees. The provider may refuse to conduct the exam if an individual refuses to authorize the provider to disclose the results of the exam to the employer. Similarly, a covered health care provider may have a contract with a life insurer to provide pre-enrollment physicals to applicants for life insurance coverage. The provider may refuse to conduct the physical if an individual refuses to authorize the provider to disclose the results of the physical to the life insurer.
Revocation of Authorizations
We proposed to allow individuals to revoke an authorization at any time, except to the extent that the covered entity had taken action in reliance on the authorization.
We retain this provision, but specify that the individual must revoke the authorization in writing. When an individual revokes an authorization, a covered entity that knows of such revocation must stop making uses and disclosures pursuant to the authorization to the greatest extent practical. A covered entity may continue to use and disclose protected health information in accordance with the authorization only to the extent the covered entity has taken action in reliance on the authorization. For example, a covered entity is not required to retrieve information that it has already disclosed in accordance with the authorization. (See above for discussion of how written revocation of an authorization and knowledge of that revocation may differ.)
We also include an additional exception. Under § 164.508(b)(5), individuals do not have the right to revoke an authorization if the authorization was obtained as a condition of obtaining insurance coverage and other applicable law provides the insurer that obtained the authorization with the right to contest a claim under the policy. We intend this exception to permit insurers to obtain necessary protected health information during contestability periods under state law. For example, an individual may not revoke an authorization for the disclosure of protected health information to a life insurer for the purpose of investigating material misrepresentation if the individual's policy is still subject to the contestability period.
Documentation
In the final rule, we clarify that a covered entity must document and retain any signed authorization as required by § 164.530(j) (see below).
Section 164.508(c) - Core Elements and Requirements
We proposed to require authorizations requested by individuals to contain a minimum set of elements: a description of the information to be used or disclosed; the name of the covered entity, or class of entities or persons, authorized to make the use or disclosure; the name or types of recipient(s) of the information; an expiration date; the individual's signature and date of signature; if signed by a representative, a description of the representative's authority or relationship to the individual; a statement regarding the individual's right to revoke the authorization; and a statement that the information may no longer be protected by the federal privacy law. We proposed a model authorization form that entities could have used to satisfy the authorization requirements. If the model form was not used, we proposed to require covered entities to use authorization forms written in plain language.
We modify the proposed approach by eliminating the distinction between authorizations requested by individuals and authorizations requested by others. Instead, we prescribe a minimum set of elements for authorizations and certain additional elements when the authorization is requested by a covered entity for its own use or disclosure of protected health information it maintains or for receipt of protected health information from another covered entity to carry out treatment, payment, or health care operations.
The core elements are required for all authorizations, not just authorizations requested by individuals. Individuals seek disclosure of protected health information about them to others in many circumstances, such as when applying for life or disability insurance, when government agencies conduct suitability investigations, and in seeking certain job assignments when health status is relevant. Another common instance is tort litigation, when an individual's attorney needs individually identifiable health information to evaluate an injury claim and asks the individual to authorize disclosure of records relating to the injury to the attorney. In each of these situations, the individual may go directly to the covered entity and ask it to send the relevant information to the intended recipient. Alternatively, the intended recipient may ask the individual to complete a form, which the recipient will submit to the covered entity on the individual's behalf, that authorizes the covered entity to disclose the information. Whether the authorization is submitted to the covered entity by the individual or by another person on the individual's behalf, the covered entity maintaining protected health information may not use or disclose it pursuant to an authorization unless the authorization meets the following requirements.
First, the authorization must include a description of the information to be used or disclosed, with sufficient specificity to allow the covered entity to know which information the authorization references. For example, the authorization may include a description of "laboratory results from July 1998" or "all laboratory results" or "results of MRI performed in July 1998." The covered entity can then use or disclose that information and only that information. If the covered entity does not understand what information is covered by the authorization, the use or disclosure is not permitted unless the covered entity clarifies the request.
There are no limitations on the information that can be authorized for disclosure. If an individual wishes to authorize a covered entity to disclose his or her entire medical record, the authorization can so specify. In order for the covered entity to disclose the entire medical record, the authorization must be specific enough to ensure that the individual has a clear understanding that the entire record will be disclosed. For example, if the Social Security Administration seeks authorization for release of all health information to facilitate the processing of benefit applications, then the description on the authorization form must specify "all health information" or the equivalent.
In some instances, a covered entity may be reluctant to undertake the effort to review the record and select portions relevant to the request (or redact portions not relevant). In such circumstances, covered entities may provide the entire record to the individual, who may then redact and release the more limited information to the requestor. This rule does not require a covered entity to disclose information pursuant to an individual's authorization.
Second, the authorization must include the name or other specific identification of the person(s) or class of persons that are authorized to use or disclose the protected health information. If an authorization permits a class of covered entities to disclose information to an authorized person, the class must be stated with sufficient specificity so that a covered entity presented with the authorization will know with reasonable certainty that the individual intended the covered entity to release protected health information. For example, a covered licensed nurse practitioner presented with an authorization for "all physicians" to disclose protected health information could not know with reasonable certainty that the individual intended for the practitioner to be included in the authorization.
Third, the authorization must include the name or other specific identification of the person(s) or class of persons to whom the covered entity is authorized to make the use or disclosure. The authorization must identify these persons with sufficient specificity to reasonably permit a covered entity responding to the authorization to identify the authorized user or recipient of the protected health information. Often, individuals provide authorizations to third parties, who present them to one or more covered entities. For example, an authorization could be completed by an individual and given to a government agency, authorizing the agency to receive medical information from any health care provider that has treated the individual within a defined period of time. Such an authorization is permissible (subject to the other requirements of this part) if it sufficiently identifies the government entity that is authorized to receive the disclosed protected health information.
Fourth, the authorization must state an expiration date or event. This expiration date or event must either be a specific date (e.g., January 1, 2001), a specific time period (e.g., one year from the date of signature), or an event directly relevant to the individual or the purpose of the use or disclosure (e.g., for the duration of the individual's enrollment with the health plan that is authorized to make the use or disclosure). We note that the expiration date or event is subject to otherwise applicable and more stringent law. For example, the National Association of Insurance Commissioners' Insurance Information and Privacy Protection Model Act, adopted in at least fifteen states, specifies that authorizations signed for the purpose of collecting information in connection with an application for a life, health, or disability insurance policy are permitted to remain valid for no longer than thirty months. In those states, the longest such an authorization may remain in effect is therefore thirty months, regardless of the expiration date or event indicated on the form.
Fifth, the authorization must state that the individual has the right to revoke an authorization in writing, except to the extent that action has been taken in reliance on the authorization or, if applicable, during a contestability period. The authorization must include instructions on how the individual may revoke the authorization. For example, the person obtaining the authorization from the individual can include an address where the individual can send a written request for revocation.
Sixth, the authorization must inform the individual that, when the information is used or disclosed pursuant to the authorization, it may be subject to re-disclosure by the recipient and may no longer be protected by this rule.
Seventh, the authorization must include the individual's signature and the date of the signature. Once we adopt the standards for electronic signature, another of the required administrative simplification standards we are required to adopt under HIPAA, an electronic signature that meets those standards will be sufficient under this rule. We do not require verification of the individual's identity or authentication of the individual's signature.
Finally, if the authorization is signed by a personal representative of the individual, the representative must indicate his or her authority to act for the individual.
As in the proposed rule, the authorization must be written in plain language. See the preamble discussion regarding notice of privacy practices (§ 164.520) for a discussion of the plain language requirement. We do not provide a model authorization in this rule. We will provide further guidance on this issue prior to the compliance date.
-
-
Section 164.508(d) - Authorizations Requested by a Covered Entity for Its Own Uses and Disclosures
-
We proposed to require covered entities to include additional elements in authorizations initiated by the covered entity. Before a covered entity could use or disclose protected health information of an individual pursuant to a request the covered entity made, we proposed to require the entity to obtain an authorization containing the minimum elements described above and the following additional elements: except for authorizations requested for clinical trials, a statement that the entity will not condition treatment or payment on the individual's authorization; a description of the purpose of the requested use or disclosure; a statement that the individual may inspect or copy the information to be used or disclosed and may refuse to sign the authorization; and, if the use or disclosure of the requested information will result in financial gain to the entity, a statement that such gain will result.
We additionally proposed to require covered entities, when requesting an individual's authorization, to request only the minimum amount of information necessary to accomplish the purpose for which the request was made. We also proposed to require covered entities to provide the individual with a copy of the executed authorization.
We retain the proposed approach, but apply these additional requirements when the covered entity requests the individual's authorization for the entity's own use or disclosure of protected health information maintained by the covered entity itself. For example, a health plan may ask individuals to authorize the plan to disclose protected health information to a subsidiary to market life insurance to the individual. A pharmaceutical company may also ask a covered provider to recruit patients for drug research; if the covered provider asks patients to sign an authorization for the provider to disclose protected health information to the pharmaceutical company for this research, this is also an authorization requested by a covered entity for disclosure of protected health information maintained by the covered entity. When covered entities initiate the authorization by asking individuals to authorize the entity to use or disclose protected health information that the entity maintains, the authorization must include all of the elements required above as well as several additional elements.
Authorizations requested by covered entities for the covered entity's own use or disclosure of protected health information must state, as applicable under § 164.508(b)(4), that the covered entity will not condition treatment, payment, enrollment, or eligibility on the individual's authorization for the use or disclosure. For example, if a health plan asks an individual to sign an authorization for the health plan to disclose protected health information to a non-profit advocacy group for the advocacy group's fundraising purposes, the authorization must contain a statement that the health plan will not condition treatment, payment, enrollment in the health plan, or eligibility for benefits on the individual providing the authorization.
Authorizations requested by covered entities for their own uses and disclosures of protected health information must also identify each purpose for which the information is to be used or disclosed. The required statement of purpose(s) must provide individuals with the facts they need to make an informed decision whether to allow release of the information. We prohibit the use of broad or blanket authorizations requesting the use or disclosure of protected health information for a wide range of unspecified purposes. Both the information that is to be used or disclosed and the specific purpose(s) for such uses or disclosures must be stated in the authorization.
Authorizations requested by covered entities for their own uses and disclosures must also advise individuals of certain rights available to them under this rule. The authorization must state that the individual may inspect or copy the information to be used or disclosed as provided in § 164.524 regarding access for inspection and copying and that the individual may refuse to sign the authorization.
We alter the proposed requirements with respect to authorizations for which the covered entity will receive financial gain. When the covered entity initiates the authorization and the covered entity will receive direct or indirect remuneration from a third party (rather than financial gain, as proposed) in exchange for using or disclosing the protected health information, the authorization must include a statement that such remuneration will result. For example, a health plan may wish to sell or rent its enrollee mailing list, or a pharmaceutical company may offer a covered provider a discount on its products if the provider obtains authorization to disclose the demographic information of patients with certain diagnoses so that the company can market new drugs to them directly. In each case, the covered entity must obtain the individual's authorization, and the authorization must include a statement that the covered entity will receive remuneration.
In § 164.508(d)(2), we continue to require a covered entity that requests an authorization for its own use or disclosure of protected health information to provide the individual with a copy of the signed authorization. While we eliminate from this section the provision requiring covered entities to obtain authorization for use or disclosure of the minimum necessary protected health information, § 164.514(d)(4) requires covered entities to request only the minimum necessary protected health information to accomplish the purpose for which the request is made. This requirement applies to these authorizations, as well as other requests.
-
-
Section 164.508(e) - Authorizations Requested by a Covered Entity for Disclosures by Others
-
In the proposed rule, we would have prohibited all covered entities from requiring the individual's written legal permission (as proposed, an "authorization") for the use or disclosure of protected health information to carry out treatment, payment, or health care operations. We generally eliminate this prohibition in the final rule, except to specify that a consent obtained by one covered entity is not effective to permit another covered entity to use or disclose protected health information. See § 164.506(a)(5) and the corresponding preamble discussion.
In the final rule, if a covered entity seeks the individual's written legal permission to obtain protected health information about the individual from another covered entity for any purpose, it must obtain the individual's authorization for the covered entity that maintains the protected health information to make the disclosure. If the authorization is for the purpose of obtaining protected health information for purposes other than treatment, payment, or health care operations, the authorization need only contain the core elements required by § 164.508(c) and described above.
If the authorization, however, is for the purpose of obtaining protected health information to carry out treatment, payment, or health care operations, the authorization must meet the requirements of § 164.508(e). We expect such authorizations will rarely be necessary, because we expect covered entities that maintain protected health information to obtain consents that permit them to make anticipated uses and disclosures for these purposes. An authorization obtained by another covered entity that authorizes the covered entity maintaining the protected health information to make a disclosure for the same purpose, therefore, would be unnecessary.
We recognize, however, that these authorizations may be useful to demonstrate an individual's intent and relationship to the intended recipient of the information when the intent or relationship is not already clear. For example, a long term care insurer may need information from an individual's health care providers about the individual's ability to perform activities of daily living in order to determine payment of a long term care claim. The providers that hold the information may not be providing the long term care and may not, therefore, be aware of the individual's coverage under the policy or that the individual is receiving long term care services. An authorization obtained by the long term care insurer will help to demonstrate these facts to the providers holding the information, which will make them more confident that the individual intends for the information to be shared. Similarly, an insurer with subrogation obligations may need health information from the enrollee's providers to assess or prosecute the claim. A patient's new physician may also need medical records from the patient's prior providers in order to treat the patient. Without an authorization that demonstrates the patient's intent for the information to be shared, the covered entity that maintains the protected health information may be reluctant to provide the information, even if that covered entity's consent permits such disclosure to occur.
These authorizations may also be useful to accomplish clinical coordination and integration among covered entities that do not meet the definitions of affiliated covered entities or organized health care arrangements. For example, safety-net providers that participate in the Community Access Program (CAP) may not qualify as organized health care arrangements but may want to share protected health information with each other in order to develop and expand integrated systems of care for uninsured people. An authorization under this section would permit such providers to receive protected health information from other CAP participants to engage in such activities.
Because of such concerns, we permit a covered entity to request the individual's authorization to obtain protected health information from another covered entity to carry out treatment, payment, and health care operations. In these situations, the authorization must contain the core elements described above and must also describe each purpose of the requested disclosure.
With one exception, the authorization must also indicate that the authorization is voluntary. It must state that the individual may refuse to sign the authorization and that the covered entity requesting the authorization will not condition the provision of treatment, payment, enrollment in the health plan, or eligibility for benefits on obtaining the individual's authorization. If the authorization is for a disclosure of information that is necessary to determine payment of a claim for specified benefits, however, the health plan requesting the authorization may condition the payment of the claim on obtaining the authorization from the individual. See § 164.508(b)(4)(iii). In this case, the authorization does not have to state that the health plan will not condition payment on obtaining the authorization.
The covered entity requesting the authorization must provide the individual with a copy of the signed authorization. We note that the covered entity requesting the authorization is also subject to the requirements in § 164.514 to request only the minimum necessary information needed for the purpose of the authorization.
We additionally note that, when the covered entity that maintains the protected health information has already obtained a consent for disclosure of protected health information to carry out treatment, payment, and/or health care operations under § 164.506, and that consent conflicts with an authorization obtained by another covered entity under § 164.508(e), the covered entity maintaining the protected health information is bound by the more restrictive document. See § 164.506(e) and the corresponding preamble discussion for further explanation.
-
-
Section 164.508(f) - Authorizations for Uses and Disclosures of Protected Health Information Created for Research that Includes Treatment of Individuals
-
In the proposed rule, we would have required individual authorization for any use or disclosure of research information unrelated to treatment. In the final rule, we eliminate the special rules for this category of information and, instead, require covered entities to obtain an authorization for the use or disclosure of protected health information the covered entity creates for the purpose of research that includes treatment of individuals, except as otherwise permitted by § 164.512(i).
The intent of this provision is to permit covered entities that conduct research involving treatment to bind themselves to a more limited scope of uses and disclosures of research information than they would otherwise be permitted to make with non-research information. Rather than creating a single definition of "research information," we allow covered entities the flexibility to define that subset of protected health information they create during clinical research that is not necessary for treatment, payment, or health care operations and that the covered entity will use or disclose under more limited circumstances than it uses or discloses other protected health information. In designing their authorizations, we expect covered entities to be mindful of the often highly sensitive nature of research information and the impact of individuals' privacy concerns on their willingness to participate in research.
Covered entities seeking authorization to use or disclose protected health information they create for the purpose of research that includes treatment of individuals, including clinical trials, must include in the authorization (in addition to the applicable elements required above) a description of the extent to which some or all of the protected health information created for the research will also be used or disclosed for purposes of treatment, payment, and health care operations. For example, if the covered entity intends to seek reimbursement from the individual's health plan for the routine costs of care associated with the research protocol, it must explain in the authorization the types of information that it will provide to the health plan for this purpose. This information, and the circumstances under which disclosures will be made for treatment, payment, and health care operations, may be more limited than the information and circumstances described in the covered entity's general consent and notice of privacy practices. To the extent the covered entity limits itself to a subset of uses or disclosures that are otherwise permissible under the rule and the covered entity's consent and notice, the covered entity is bound by the statements made in the research-related authorization. In these circumstances, the authorization must indicate that the authorization, not the general consent and notice, controls.
If the covered entity's primary interaction with the individual is through the research, the covered entity may combine the general consent for treatment, payment, and health care operations required under § 164.506 with this research authorization and need not obtain an additional consent under § 164.506. If the entity has already obtained, or intends to obtain, a separate consent as required under § 164.506, the research authorization must refer to that consent and state that the practices described in the research-related authorization are binding on the covered entity as to the information covered by the research-related authorization. The research-related authorization may also be combined in the same document as the informed consent for participation in the research. This is an exception to the general rule in § 164.508(b)(3) that an authorization under this section may not be combined with any other document (see above).
The covered entity must also include in the authorization a description of the extent to which it will not use or disclose the protected health information it obtains in connection with the research protocol for purposes that are permitted without individual authorization under this rule (under §§ 164.510 and 164.512). To the extent that the entity limits itself to a subset of uses or disclosures that are otherwise permissible under the rule and the entity's notice, the entity is bound by the statements made in the research authorization. In these circumstances, the authorization must indicate that the authorization, not the notice, controls. The covered entity may not, however, purport to preclude itself from making uses or disclosures that are required by law or that are necessary to avert a serious and imminent threat to health or safety.
In some instances, the covered entity may wish to make a use or disclosure of the research information that it did not include in its general consent or notice or for which authorization is required under this rule. To the extent the entity includes uses or disclosures in the research authorization that are otherwise not permissible under the rule and the entity's consent and notice of information practices, the entity must include all of the elements required by §§ 164.508(c) and (d) in the research-related authorization. The covered entity is bound by these statements.
Research that involves the delivery of treatment to participants sometimes relies on existing health information, such as to determine eligibility for the trial. We note that under § 164.508(b)(3)(iii), the covered entity may combine the research-related authorization required under § 164.508(f) with any other authorization for the use or disclosure of protected health information (other than psychotherapy notes), provided that the covered entity does not condition the provision of treatment on the individual signing the authorization. For example, a covered health care provider that had a treatment relationship with an individual prior to the individual's enrollment in a clinical trial, but that is now providing research-related treatment to the individual, may elect to request a compound authorization from the individual: an authorization under § 164.508(d) for the provider to use the protected health information it created prior to the initiation of the research that involves treatment, combined with an authorization under § 164.508(f) regarding use and disclosure of protected health information the covered provider will create for the purpose of the clinical trial. This compound authorization would be valid, provided the covered provider did not condition the research-related treatment on obtaining the authorization required under § 164.508(f), as permitted in § 164.508(b)(4)(i).
However, we anticipate that covered entities will almost always, if not always, condition the provision of research-related treatment on the individual signing the authorization under § 164.508(f) for the covered entity's use or disclosure of protected health information created for the research. Therefore, we expect that the vast majority of covered providers who wish to use or disclose protected health information about an individual that will be created for research that includes treatment and wish to use existing protected health information about that individual for the research that includes treatment, will be required to obtain two authorizations from the individual: (1) an authorization for the use and disclosure of protected health information to be created for the research that involves treatment of the individual (as required under § 164.508(f)), and (2) an authorization for the use of existing protected health information for the research that includes treatment of the individual (as required under § 164.508(d)).
-
-
Effect of Authorization
-
As noted in the discussion about consents in the preamble to § 164.506, authorizations under this rule should not be construed to waive, directly or indirectly, any privilege granted under federal, state, or local laws or procedures.
-