Standards for Privacy of Individually Identifiable Health Information. Final Privacy Rule Preamble.. Valid Authorizations


Comment: In proposed § 164.508(b)(1), we specified that an authorization containing the applicable required elements "must be accepted by the covered entity." A few comments requested clarification of this requirement.

Response: We agree with the commenters that the proposed provision was ambiguous and we remove it from the final rule. We note that nothing in the rule requires covered entities to act on authorizations that they receive, even if those authorizations are valid. A covered entity presented with an authorization is permitted to make the disclosure authorized, but is not required to do so.

We want to be clear, however, that covered entities will be in compliance with this rule if they use or disclose protected health information pursuant to an authorization that meets the requirements of § 164.508. We have made changes in § 164.508(b)(1) to clarify this point. First, we specify that an authorization containing the applicable required elements is a valid authorization. A covered entity may not reject as invalid an authorization containing such elements. Second, we clarify that a valid authorization may contain elements or information in addition to the required elements, as long as the additional elements are not inconsistent with the required elements.

Comment: A few comments requested that we provide a model authorization or examples of wording meeting the "plain language" requirement. One commenter requested changes to the language in the model authorization to avoid confusion when used in conjunction with an insurer's authorization form for application for life or disability income insurance. Many other comments, however, found fault with the proposed model authorization form.

Response: Because of the myriad of types of forms that could meet these requirements and the desire to encourage covered entities to develop forms that meet their specific needs, we do not include a model authorization form in the final rule. We intend to issue additional guidance about authorization forms prior to the compliance date. We also encourage standard-setting organizations to develop model forms meeting the requirements of this rule.