Comment: We received many comments in general support of requiring authorization for the use or disclosure of protected health information. Some comments suggested, however, that we should define those uses and disclosures for which authorization is required and permit covered entities to make all other uses and disclosures without authorization.
Response: We retain the requirement for covered entities to obtain authorization for all uses and disclosures of protected health information that are not otherwise permitted or required under the rule without authorization. We define exceptions to the general rule requiring authorization for the use or disclosure of protected health information, rather than defining narrow circumstances in which authorization is required.
We believe this approach is consistent with well-established privacy principles, with other law, and with industry standards and ethical guidelines. The July 1977 Report of the Privacy Protection Study Commission recommended that "each medical-care provider be considered to owe a duty of confidentiality to any individual who is the subject of a medical record it maintains, and that, therefore, no medical care provider should disclose, or be required to disclose, in individually identifiable form, any information about any such individual without the individual's explicit authorization, unless the disclosures would be" for specifically enumerated purposes such as treatment, audit or evaluation, research, public health, and law enforcement.[9] The Commission made similar recommendations with respect to insurance institutions.[10] The Privacy Act (5 U.S.C. 552a) prohibits government agencies from disclosing records except pursuant to the written request of or pursuant to a written consent of the individual to whom the record pertains, unless the disclosure is for certain specified purposes. The National Association of Insurance Commissioners' Health Information Privacy Model Act states, "A carrier shall not collect, use or disclose protected health information without a valid authorization from the subject of the protected health information, except as permitted by... this Act or as permitted or required by law or court order. Authorization for the disclosure of protected health information may be obtained for any purpose, provided that the authorization meets the requirements of this section." In its report "Best Principles for Health Privacy," the Health Privacy Working Group stated, "Personally identifiable health information should not be disclosed without patient authorization, except in limited circumstances" such as when required by law, for oversight, and for research.[11] The American Medical Association's Council on Ethical and Judicial Affairs has issued an opinion stating, "The physician should not reveal confidential communications or information without the express consent of the patient, unless required to do so by law [and] subject to certain exceptions which are ethically and legally justified because of overriding social considerations."[12] We build on these standards in this final rule.
Comment: Some comments suggested that, under the proposed rule, a covered entity could not use protected health information to solicit authorizations from individuals. For example, a covered entity could not use protected health information to generate a mailing list for sending an authorization for marketing purposes.
Response: We agree with this concern and clarify that covered entities are permitted to use protected health information in this manner without authorization as part of the management activities relating to implementation of and compliance with the requirements of this rule. See § 164.501 and the corresponding preamble regarding the definition of health care operations.
Comment: We received several comments suggesting that we not require written authorizations for disclosures to the individual or for disclosures initiated by the individual or the individual's legal representative.
Response: We agree with this concern and in the final rule we clarify that disclosures of protected health information to the individual who is the subject of the information do not require the individual's authorization. See § 164.502(a)(1). We do not intend to impose barriers between individuals and disclosures of protected health information to them.
When an individual requests that the covered entity disclose protected health information to a third party, however, the covered entity must obtain the individual's authorization, unless the third party is a personal representative of the individual with respect to such protected health information. See § 164.502(g). If under applicable law a person has authority to act on behalf of an individual in making decisions related to health care, except under limited circumstances, that person must be treated as the personal representative under this rule with respect to protected health information related to such representation. A legal representative is a personal representative under this rule if, under applicable law, such person is able to act on behalf of an individual in making decisions related to health care, with respect to the protected health information related to such decisions. For example, an attorney of an individual may or may not be a personal representative under the rule depending on the attorney's authority to act on behalf of the individual in decisions related to health care. If the attorney is the personal representative under the rule, he may obtain a copy of the protected health information relevant to such personal representation under the individual's right to access. If the attorney is not the personal representative under the rule, or if the attorney wants a copy of more protected health information than that which is relevant to his personal representation, the individual would have to authorize such disclosure.
Comment: Commenters expressed concern about whether a covered entity can rely on authorizations made by parents on behalf of their minor children once the child has reached the age of majority and recommended that covered entities be able to rely on the most recent, valid authorization, whether it was authorized by the parent or the minor.
Response: We agree. If an authorization is signed by a parent, who is the personal representative of the minor child at the time the authorization is signed, the covered entity may rely on the authorization for as long as it is a valid authorization, in accordance with § 164.508(b). A valid authorization remains valid until it expires or is revoked. This protects a covered entity's reasonable reliance on such authorization. The expiration date of the authorization may be the date the minor will reach the age of majority. In that case, the covered entity would be required to have the individual sign a new authorization form in order to use or disclose information covered in the expired authorization form.
Comment: Some commenters were concerned that covered entities working together in an integrated system would each be required to obtain authorization separately. These commenters suggested the rule should allow covered entities that are part of the same system to obtain a single authorization allowing each of the covered entities to use and disclose protected health information in accordance with that authorization.
Response: If the rule does not permit or require a covered entity to use or disclose protected health information without the individual's authorization, the covered entity must obtain the individual's authorization to make the use or disclosure. Multiple covered entities working together as an integrated delivery system or otherwise may satisfy this requirement in at least three ways. First, each covered entity may separately obtain an authorization directly from the individual who is the subject of the protected health information to be used or disclosed. Second, one covered entity may obtain a compound authorization in accordance with § 164.508(b)(3) that authorizes multiple covered entities to use and disclose protected health information. In accordance with § 164.508(c)(1)(ii), each covered entity, or class of covered entities, that is authorized to make the use or disclosure must be clearly identified. Third, if the requirements in § 164.504(d) are met, the integrated delivery system may elect to designate itself as a single affiliated covered entity. A valid authorization obtained by that single affiliated covered entity would satisfy the authorization requirements for each covered entity within the affiliated covered entity. Whichever option is used, because these authorizations are being requested by a covered entity for its own use or disclosure, the authorization must contain both the core elements in § 164.508(c) and the additional elements in § 164.508(d).