We proposed to require authorizations requested by individuals to contain a minimum set of elements: a description of the information to be used or disclosed; the name of the covered entity, or class of entities or persons, authorized to make the use or disclosure; the name or types of recipient(s) of the information; an expiration date; the individual's signature and date of signature; if signed by a representative, a description of the representative's authority or relationship to the individual; a statement regarding the individual's right to revoke the authorization; and a statement that the information may no longer be protected by the federal privacy law. We proposed a model authorization form that entities could have used to satisfy the authorization requirements. If the model form was not used, we proposed to require covered entities to use authorization forms written in plain language.
We modify the proposed approach, by eliminating the distinction between authorizations requested by the individuals and authorizations requested by others. Instead, we prescribe a minimum set of elements for authorizations and certain additional elements when the authorization is requested by a covered entity for its own use or disclosure of protected health information it maintains or for receipt of protected health information from another covered entity to carry out treatment, payment, or health care operations.
The core elements are required for all authorizations, not just authorizations requested by individuals. Individuals seek disclosure of protected health information about them to others in many circumstances, such as when applying for life or disability insurance, when government agencies conduct suitability investigations, and in seeking certain job assignments when health status is relevant. Another common instance is tort litigation, when an individual's attorney needs individually identifiable health information to evaluate an injury claim and asks the individual to authorize disclosure of records relating to the injury to the attorney. In each of these situations, the individual may go directly to the covered entity and ask it to send the relevant information to the intended recipient. Alternatively, the intended recipient may ask the individual to complete a form, which the recipient will submit to the covered entity on the individual's behalf, that authorizes the covered entity to disclose the information. Whether the authorization is submitted to the covered entity by the individual or by another person on the individual's behalf, the covered entity maintaining protected health information may not use or disclose it pursuant to an authorization unless the authorization meets the following requirements.
First, the authorization must include a description of the information to be used or disclosed, with sufficient specificity to allow the covered entity to know which information the authorization references. For example, the authorization may include a description of "laboratory results from July 1998" or "all laboratory results" or "results of MRI performed in July 1998." The covered entity can then use or disclose that information and only that information. If the covered entity does not understand what information is covered by the authorization, the use or disclosure is not permitted unless the covered entity clarifies the request.
There are no limitations on the information that can be authorized for disclosure. If an individual wishes to authorize a covered entity to disclose his or her entire medical record, the authorization can so specify. In order for the covered entity to disclose the entire medical record, the authorization must be specific enough to ensure that the individual has a clear understanding that the entire record will be disclosed. For example, if the Social Security Administration seeks authorization for release of all health information to facilitate the processing of benefit applications, then the description on the authorization form must specify "all health information" or the equivalent.
In some instances, a covered entity may be reluctant to undertake the effort to review the record and select portions relevant to the request (or redact portions not relevant). In such circumstances, covered entities may provide the entire record to the individual, who may then redact and release the more limited information to the requestor. This rule does not require a covered entity to disclose information pursuant to an individual's authorization.
Second, the authorization must include the name or other specific identification of the person(s) or class of persons that are authorized to use or disclose the protected health information. If an authorization permits a class of covered entities to disclose information to an authorized person, the class must be stated with sufficient specificity so that a covered entity presented with the authorization will know with reasonable certainty that the individual intended the covered entity to release protected health information. For example, a covered licensed nurse practitioner presented with an authorization for "all physicians" to disclose protected health information could not know with reasonable certainty that the individual intended for the practitioner to be included in the authorization.
Third, the authorization must include the name or other specific identification of the person(s) or class of persons to whom the covered entity is authorized to make the use or disclosure. The authorization must identify these persons with sufficient specificity to reasonably permit a covered entity responding to the authorization to identify the authorized user or recipient of the protected health information. Often, individuals provide authorizations to third parties, who present them to one or more covered entities. For example, an authorization could be completed by an individual and given to a government agency, authorizing the agency to receive medical information from any health care provider that has treated the individual within a defined period of time. Such an authorization is permissible (subject to the other requirements of this part) if it sufficiently identifies the government entity that is authorized to receive the disclosed protected health information.
Fourth, the authorization must state an expiration date or event. This expiration date or event must either be a specific date (e.g., January 1, 2001), a specific time period (e.g., one year from the date of signature), or an event directly relevant to the individual or the purpose of the use or disclosure (e.g., for the duration of the individual's enrollment with the health plan that is authorized to make the use or disclosure). We note that the expiration date or event is subject to otherwise applicable and more stringent law. For example, the National Association of Insurance Commissioners' Insurance Information and Privacy Protection Model Act, adopted in at least fifteen states, specifies that authorizations signed for the purpose of collecting information in connection with an application for a life, health, or disability insurance policy are permitted to remain valid for no longer than thirty months. In those states, the longest such an authorization may remain in effect is therefore thirty months, regardless of the expiration date or event indicated on the form.
Fifth, the authorization must state that the individual has the right to revoke an authorization in writing, except to the extent that action has been taken in reliance on the authorization or, if applicable, during a contestability period. The authorization must include instructions on how the individual may revoke the authorization. For example, the person obtaining the authorization from the individual can include an address where the individual can send a written request for revocation.
Sixth, the authorization must inform the individual that, when the information is used or disclosed pursuant to the authorization, it may be subject to re-disclosure by the recipient and may no longer be protected by this rule.
Seventh, the authorization must include the individual's signature and the date of the signature. Once we adopt the standards for electronic signature, another of the required administrative simplification standards we are required to adopt under HIPAA, an electronic signature that meets those standards will be sufficient under this rule. We do not require verification of the individual's identity or authentication of the individual's signature.
Finally, if the authorization is signed by a personal representative of the individual, the representative must indicate his or her authority to act for the individual.
As in the proposed rule, the authorization must be written in plain language. See the preamble discussion regarding notice of privacy practices (§ 164.520) for a discussion of the plain language requirement. We do not provide a model authorization in this rule. We will provide further guidance on this issue prior to the compliance date.