Standards for Privacy of Individually
Identifiable Health Information
Guidance issued July 6, 2001
Consent
[45 CFR § 164.506]
Background
The Privacy Rule establishes a federal requirement
that most doctors, hospitals, or other health care providers
obtain a patient's written consent before using or disclosing
the patient's personal health information to carry out
treatment, payment, or health care operations (TPO).
Today, many health care providers, for professional
or ethical reasons, routinely obtain a patient's consent
for disclosure of information to insurance companies
or for other purposes. The Privacy Rule builds on these
practices by establishing a uniform standard for certain
health care providers to obtain their patients' consent
for uses and disclosures of health information about
the patient to carry out TPO.
General Provisions
- Patient consent is required before a covered health
care provider that has a direct treatment relationship
with the patient may use or disclose protected health
information (PHI) for purposes of TPO. Exceptions
to this standard are shown in the next bullet.
- Uses and disclosures for TPO may be permitted without
prior consent in an emergency, when a provider is
required by law to treat the individual, or when there
are substantial communication barriers.
- Health care providers that have indirect treatment
relationships with patients (such as laboratories
that only interact with physicians and not patients),
health plans, and health care clearinghouses may use
and disclose PHI for purposes of TPO without obtaining
a patient's consent. The rule permits such entities
to obtain consent, if they choose.
- If a patient refuses to consent to the use or disclosure
of their PHI to carry out TPO, the health care provider
may refuse to treat the patient.
- A patient's written consent need only be obtained
by a provider one time.
- The consent document may be brief and may be written
in general terms. It must be written in plain language,
inform the individual that information may be used
and disclosed for TPO, state the patient's rights
to review the provider's privacy notice, to request
restrictions and to revoke consent, and be dated and
signed by the individual (or his or her representative).
Individual Rights
- An individual may revoke consent in writing, except
to the extent that the covered entity has taken action
in reliance on the consent.
- An individual may request restrictions on uses
or disclosures of health information for TPO. The
covered entity need not agree to the restriction requested,
but is bound by any restriction to which it agrees.
- An individual must be given a notice of the covered
entity's privacy practices and may review that notice
prior to signing a consent.
Administrative Issues
- A covered entity must retain the signed consent
for 6 years from the date it was last in effect. The
Privacy Rule does not dictate the form in which these
consents are to be retained by the covered entity.
- Certain integrated covered entities may obtain
one joint consent for multiple entities.
- If a covered entity obtains consent and also receives
an authorization to disclose PHI for TPO, the covered
entity may disclose information only in accordance
with the more restrictive document, unless the covered
entity resolves the conflict with the individual.
- Transition provisions allow providers to rely on
consents received prior to April 14, 2003 (the compliance
date of the Privacy Rule for most covered entities),
for uses and disclosures of health information obtained
prior to that date.
|
