Final Standards for
Privacy of Individually Identifiable Health Information

§164.508 Uses and disclosures for which an authorization is required.

(a) Standard: authorizations for uses and disclosures.

1. Authorization required: general rule. Except as otherwise permitted or required by this subchapter, a covered entity may not use or disclose protected health information without an authorization that is valid under this section. When a covered entity obtains or receives a valid authorization for its use or disclosure of protected health information, such use or disclosure must be consistent with such authorization.
2. Authorization required: psychotherapy notes. Notwithstanding any other provision of this subpart, other than transition provisions provided for in § 164.532, a covered entity must obtain an authorization for any use or disclosure of psychotherapy notes, except:
   1. To carry out the following treatment, payment, or health care operations, consistent with consent requirements in § 164.506:
      1. Use by originator of the psychotherapy notes for treatment;
      2. Use or disclosure by the covered entity in training programs in which students, trainees, or practitioners in mental health learn under supervision to practice or improve their skills in group, joint, family, or individual counseling; or
      3. Use or disclosure by the covered entity to defend a legal action or other proceeding brought by the individual; and

   2. A use or disclosure that is required by § 164.502(a)(2)(ii) or permitted by § 164.512(a); § 164.512(d) with respect to the oversight of the originator of the psychotherapy notes; § 164.512(g)(1); or § 164.512(j)(1)(i).

(b) Implementation specifications: general requirements.

1. Valid authorizations.
   1. A valid authorization is a document that contains the elements listed in paragraph (c) and, as applicable, paragraph (d), (e), or (f) of this section.
   2. A valid authorization may contain elements or information in addition to the elements required by this section, provided that such additional elements or information are not be inconsistent with the elements required by this section.

2. Defective authorizations. An authorization is not valid, if the document submitted has any of the following defects:
   1. The expiration date has passed or the expiration event is known by the covered entity to have occurred;
   2. The authorization has not been filled out completely, with respect to an element described by paragraph (c), (d), (e), or (f) of this section, if applicable;
   3. The authorization is known by the covered entity to have been revoked;
   4. The authorization lacks an element required by paragraph (c), (d), (e), or (f) of this section, if applicable;
   5. The authorization violates paragraph (b)(3) of this section, if applicable;
   6. Any material information in the authorization is known by the covered entity to be false.

3. Compound authorizations. An authorization for use or disclosure of protected health information may not be combined with any other document to create a compound authorization, except as follows:
   1. An authorization for the use or disclosure of protected health information created for research that includes treatment of the individual may be combined as permitted by § 164.506(b)(4)(ii) or paragraph (f) of this section;
   2. An authorization for a use or disclosure of psychotherapy notes may only be combined with another authorization for a use or disclosure of psychotherapy notes;
   3. An authorization under this section, other than an authorization for a use or disclosure of psychotherapy notes may be combined with any other such authorization under this section, except when a covered entity has conditioned the provision of treatment, payment, enrollment in the health plan, or eligibility for benefits under paragraph (b)(4) of this section on the provision of one of the authorizations.

4. Prohibition on conditioning of authorizations. A covered entity may not condition the provision to an individual of treatment, payment, enrollment in the health plan, or eligibility for benefits on the provision of an authorization, except:
   1. A covered health care provider may condition the provision of research-related treatment on provision of an authorization under paragraph (f) of this section;
   2. A health plan may condition enrollment in the health plan or eligibility for benefits on provision of an authorization requested by the health plan prior to an individual's enrollment in the health plan, if:
      1. The authorization sought is for the health plan’s eligibility or enrollment determinations relating to the individual or for its underwriting or risk rating determinations; and
      2. The authorization is not for a use or disclosure of psychotherapy notes under paragraph (a)(2) of this section;

   3. A health plan may condition payment of a claim for specified benefits on provision of an authorization under paragraph (e) of this section, if:
      1. The disclosure is necessary to determine payment of such claim; and
      2. The authorization is not for a use or disclosure of psychotherapy notes under paragraph (a)(2) of this section; and

   4. A covered entity may condition the provision of health care that is solely for the purpose of creating protected health information for disclosure to a third party on provision of an authorization for the disclosure of the protected health information to such third party.

5. Revocation of authorizations. An individual may revoke an authorization provided under this section at any time, provided that the revocation is in writing, except to the extent that:
   
   
   1. The covered entity has taken action in reliance thereon; or
   2. If the authorization was obtained as a condition of obtaining insurance coverage, other law provides the insurer with the right to contest a claim under the policy.

6. Documentation. A covered entity must document and retain any signed authorization under this section as required by § 164.530(j).

(c) Implementation specifications: core elements and requirements.

1. Core elements. A valid authorization under this section must contain at least the following elements:
   
   1. A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion;
   2. The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure;
   3. The name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the requested use or disclosure;
   4. An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure;
   5. A statement of the individual’s right to revoke the authorization in writing and the exceptions to the right to revoke, together with a description of how the individual may revoke the authorization;
   6. A statement that information used or disclosed pursuant to the authorization may be subject to redisclosure by the recipient and no longer be protected by this rule;
   7. Signature of the individual and date; and
   8. If the authorization is signed by a personal representative of the individual, a description of such representative’s authority to act for the individual.

2. Plain language requirement. The authorization must be written in plain language.

(d) Implementation specifications: authorizations requested by a covered entity for its own uses and disclosures. If an authorization is requested by a covered entity for its own use or disclosure of protected health information that it maintains, the covered entity must comply with the following requirements.

1. Required elements. The authorization for the uses or disclosures described in this paragraph must, in addition to meeting the requirements of paragraph (c) of this section, contain the following elements:
   
   1. For any authorization to which the prohibition on conditioning in paragraph (b)(4) of this section applies, a statement that the covered entity will not condition treatment, payment, enrollment in the health plan, or eligibility for benefits on the individual's providing authorization for the requested use or disclosure;
   2. A description of each purpose of the requested use or disclosure;
   3. A statement that the individual may:
      
      1. Inspect or copy the protected health information to be used or disclosed as provided in § 164.524; and
      2. Refuse to sign the authorization; and

   4. If use or disclosure of the requested information will result in direct or indirect remuneration to the covered entity from a third party, a statement that such remuneration will result.

2. Copy to the individual. A covered entity must provide the individual with a copy of the signed authorization.

(e) Implementation specifications: authorizations requested by a covered entity for disclosures by others. If an authorization is requested by a covered entity for another covered entity to disclose protected health information to the covered entity requesting the authorization to carry out treatment, payment, or health care operations, the covered entity requesting the authorization must comply with the following requirements.

1. Required elements. The authorization for the disclosures described in this paragraph must, in addition to meeting the requirements of paragraph (c) of this section, contain the following elements:
   
   1. A description of each purpose of the requested disclosure;
   2. Except for an authorization on which payment may be conditioned under paragraph (b)(4)(iii) of this section, a statement that the covered entity will not condition treatment, payment, enrollment in the health plan, or eligibility for benefits on the individual's providing authorization for the requested use or disclosure; and
   3. A statement that the individual may refuse to sign the authorization.

2. Copy to the individual. A covered entity must provide the individual with a copy of the signed authorization.

(f) Implementation specifications: authorizations for uses and disclosures of protected health information created for research that includes treatment of the individual.

1. Required elements. Except as otherwise permitted by § 164.512(i), a covered entity that creates protected health information for the purpose, in whole or in part, of research that includes treatment of individuals must obtain an authorization for the use or disclosure of such information. Such authorization must:
   1. For uses and disclosures not otherwise permitted or required under this subpart, meet the requirements of paragraphs (c) and (d) of this section; and
   2. Contain:
      1. A description of the extent to which such protected health information will be used or disclosed to carry out treatment, payment, or health care operations;
      2. A description of any protected health information that will not be used or disclosed for purposes permitted in accordance with §§ 164.510 and 164.512, provided that the covered entity may not include a limitation affecting its right to make a use or disclosure that is required by law or permitted by § 164.512(j)(1)(i); and
      3. If the covered entity has obtained or intends to obtain the individual’s consent under § 164.506, or has provided or intends to provide the individual with a notice under § 164.520, the authorization must refer to that consent or notice, as applicable, and state that the statements made pursuant to this section are binding.

2. Optional procedure. An authorization under this paragraph may be in the same document as:
   1. A consent to participate in the research;
   2. A consent to use or disclose protected health information to carry out treatment, payment, or health care operations under § 164.506; or
   3. A notice of privacy practices under § 164.520.