HIPAA Training,HIPAA regulations

Standards for Privacy of Individually Identifiable Health Information

E. Uses and Disclosures for Which Authorization Is Required

1. Restructuring Authorization

December 2000 Privacy Rule

The Privacy Rule requires individual authorization for uses and disclosures of protected health information for purposes that are not otherwise permitted or required under the Rule. To ensure that authorizations are informed and voluntary, the Rule prohibits, with limited exceptions, covered entities from conditioning treatment, payment, or eligibility for benefits or enrollment in a health plan, on obtaining an authorization. The Rule also permits, with limited exceptions, individuals to revoke an authorization at any time. Additionally, the Rule sets out core elements that must be included in any authorization. These elements are intended to provide individuals with the information they need to make an informed decision about giving their authorization. This information includes specific details about the use or disclosure, and provides the individual fair notice about his or her rights with respect to the authorization and the potential for the information to be redisclosed. Additionally, the authorization must be written in plain language so individuals can read and understand its contents. The Privacy Rule required that authorizations provide individuals with additional information for specific circumstances under the following three sets of implementation specifications: In Sec. 164.508(d), for authorizations requested by a covered entity for its own uses and disclosures; in Sec. 164.508(e), for authorizations requested by a covered entity for another entity to disclose protected health information to the covered entity requesting the authorization to carry out treatment, payment, or health care operations; and in Sec. 164.508(f), for authorizations requested by a covered entity for research that includes treatment of the individual.

March 2002 NPRM

Various issues were raised regarding the authorization requirements. Commenters claimed the authorization provisions were too complex and confusing. They alleged that the different sets of implementation specifications were not discrete, creating the potential for the implementation specifications for specific circumstances to conflict with the required core elements. Some covered entities were confused about which authorization requirements they should implement in any given circumstance. Also, although the Department intended to permit insurers to obtain necessary protected health information during contestability periods under State law, the Rule did not provide an exception to the revocation provision when other law provides an insurer the right to contest an insurance policy.

To address these issues, the Department proposed to simplify the authorization provisions by consolidating the implementation specifications into a single set of criteria under Sec. 164.508(c), thus eliminating paragraphs (d), (e), and (f) which contained separate implementation specifications. Under the proposal, paragraph (c)(1) would require all authorizations to contain the following core elements: (1) A description of the information to be used or disclosed, (2) the identification of the persons or class of persons authorized to make the use or disclosure of the protected health information, (3) the identification of the persons or class of persons to whom the covered entity is authorized to make the use or disclosure, (4) a description of each purpose of the use or disclosure, (5) an expiration date or event, (6) the individual's signature and date, and (7) if signed by a personal representative, a description of his or her authority to act for the individual. The proposal also included new language to clarify that when individuals initiate an authorization for their own purposes, the purpose may be described as "at the request of the individual."

In the NPRM, the Department proposed that Sec. 164.508(c)(2) require authorizations to contain the following required notifications: (1) A statement that the individual may revoke the authorization in writing, and either a statement regarding the right to revoke and instructions on how to exercise such right or, to the extent this information is included in the covered entity's notice, a reference to the notice, (2) a statement that treatment, payment, enrollment, or eligibility for benefits may not be conditioned on obtaining the authorization if such conditioning is prohibited by the Privacy Rule, or, if conditioning is permitted by the Privacy Rule a statement about the consequences of refusing to sign the authorization, and (3) a statement about the potential for the protected health information to be redisclosed by the recipient.

Also under the proposal, covered entities would be required to obtain an authorization to use or disclose protected health information for marketing purposes, and to disclose in such authorizations any direct or indirect remuneration the covered entity would receive from a third party as a result of obtaining or disclosing the protected health information. The other proposed changes regarding marketing are discussed in section III.A.1. of the preamble.

The NPRM proposed a new exception to the revocation provision at Sec. 164.508(b)(5)(ii) for authorizations obtained as a condition of obtaining insurance coverage when other law gives the insurer the right to contest the policy. Additionally, the Department proposed that the exception to permit conditioning payment of a claim on obtaining an authorization be deleted, since the proposed provision to permit the sharing of protected health information for the payment activities of another covered entity or a health care provider would eliminate the need for an authorization in such situations.

Finally, the Department proposed modifications at Sec. 164.508(a)(2)(i)(A), (B), and (C), to clarify its intent that the proposed provisions for sharing protected health information for the treatment, payment, or health care operations of another entity would not apply to psychotherapy notes.

There were a number of proposed modifications concerning authorizations for research purposes. Those modifications are discussed in section III.E.2. of the preamble.

Overview of Public Comments

The following discussion provides an overview of the public comment received on this proposal. Additional comments received on this issue are discussed below in the section entitled, "Response to Other Public Comments."

There was overwhelming support for the proposed modifications. Overall, supporters were of the opinion that the consolidation and simplification would promote efficiency, simplify compliance, and reduce confusion. Many commenters claimed the changes would eliminate barriers to quality health care. Some commenters claimed the proposed modifications would make the authorization process easier for both providers and individuals, and one commenter said they would make authorizations easier to read and understand. A number of commenters stated the changes would not have adverse consequences for individuals, and one commenter noted the proposal would preserve the opportunity for individuals to give a meaningful authorization.

However, some of the proponents suggested the Department go further to ease the administrative burden of obtaining authorizations. Some urged the Department to eliminate some of the required elements which they perceived as unnecessary to protect privacy, while others suggested that covered entities should decide which elements were relevant in a given situation. Some commenters urged the Department to retain the exception to the prohibition on conditioning payment of a claim on obtaining an authorization. These commenters expressed fear that the voluntary consent process and/or the right to request restrictions on uses and disclosures for treatment, payment, or health care operations might prevent covered entities from disclosing protected health information needed for payment purposes, or providers may be reluctant to cooperate in disclosures for payment purposes based on inadequately drafted notices.

Comments were divided on the proposed requirement to disclose remuneration in marketing authorizations. Recommendations ranged from requiring the disclosure of remuneration on all authorizations, to eliminating the requirement altogether.

Final Modifications

In the final modifications, the Department adopts the changes proposed in the NPRM. Since the modifications to the authorization provision are comprehensive, the Department is publishing this section in its entirety so that it will be easier to use and understand. Therefore, the preamble addresses all authorization requirements, and not just those that were modified.

In Sec. 164.508(a), covered entities are required to obtain an authorization for uses and disclosures of protected health information, unless the use or disclosure is required or otherwise permitted by the Rule. Covered entities may use only authorizations that meet the requirements of Sec. 164.508(b), and any such use or disclosure will be lawful only to the extent it is consistent with the terms of such authorization. Thus, a voluntary consent document will not constitute a valid permission to use or disclose protected health information for a purpose that requires an authorization under the Rule.

Although the requirements regarding uses and disclosures of psychotherapy notes are not changed substantively, the Department made minor changes to the language in paragraph (a)(2) to clarify that a covered entity may not use or disclose psychotherapy notes for purposes of another covered entity's treatment, payment, or health care operations without obtaining the individual's authorization. However, a covered entity may use and disclose psychotherapy notes, without obtaining individual authorization, to carry out its own limited treatment, payment, or health care operations as follows: (1) Use by the originator of the notes for treatment, (2) use or disclosure for the covered entity's own training programs for its mental health professionals, students, and trainees, and (3) use or disclosure by the covered entity to defend itself in a legal action or other proceeding brought by the individual.

Section 164.508(a)(3) requires covered entities to obtain an authorization to use or disclose protected health information for marketing purposes, with two exceptions. The authorization requirements for marketing and the comments received on these provisions are discussed in detail in section III.A.1. of the preamble.

If the marketing involves any direct or indirect remuneration to the covered entity from a third party, the authorization must state that fact. The comments on this requirement also are discussed in section III.A.1. of the preamble. However, a statement concerning remuneration is not a required notification for other authorizations. Such a statement was never required for all authorizations and the Department believes it would be most meaningful for consumers on authorizations for uses and disclosures of protected health information for marketing purposes. Some commenters urged the Department to require remuneration statements on research authorizations. The Department has not done so because the complexity of such arrangements would make it difficult to define what constitutes remuneration in the research context. Moreover, to require covered entities to disclose remuneration by a third party on authorizations for research would go beyond the requirements imposed in the December 2000 Rule, which did not require such a disclosure on authorizations obtained for the research of a third party. The Department believes that concerns regarding financial conflicts of interest that arise in research are not limited to privacy concerns, but also are important to the objectivity of research and to protecting human subjects from harm. Therefore, in the near future, the Department plans to issue guidance for the research community on this important topic.

Pursuant to Sec. 164.508(b)(1), an authorization is not valid under the Rule unless it contains all of the required core elements and notification statements, which are discussed below. Covered entities may include additional, non-required elements so long as they are not inconsistent with the required elements and statements. The language regarding defective authorizations in Sec. 164.508(b)(2) is not changed substantively. However, some changes are made to conform this paragraph to modifications to other parts of the authorization provision, as well as other sections of the Rule. An authorization is not valid if it contains any of the following defects: (1) The expiration date has passed or the expiration event has occurred, and the covered entity is aware of the fact, (2) any of the required core elements or notification statements are omitted or incomplete, (3) the authorization violates the specifications regarding compounding or conditioning authorizations, or (4) the covered entity knows that material information in the authorization is false.

In Sec. 164.508(b)(3) regarding compound authorizations, the requirements for authorizations for purposes other than research are not changed. That is, authorizations for use or disclosure of psychotherapy notes may be combined only with another authorization for the use or disclosure of psychotherapy notes. Other authorizations may be combined, unless a covered entity has conditioned the provision of treatment, payment, enrollment in a health plan, or eligibility for benefits on one of the authorizations. A covered entity generally may not combine an authorization with any other type of document, such as a notice of privacy practices or a written voluntary consent. However, there are exceptions for research authorizations, which are discussed in section III.E.2. of the preamble.

Section 164.508(b)(4) prohibits the conditioning of treatment, payment, enrollment in a health plan, or eligibility for benefits on obtaining an authorization, with a few exceptions. The exceptions to this requirement for research-related treatment, eligibility for benefits and enrollment in a health plan, and health care solely for creating protected health information for disclosure to a third party are not changed. Moreover, the Department eliminates the exception to the prohibition on conditioning payment of a claim on obtaining an authorization. Although some insurers urged that this conditioning authority be retained to provide them with more collection options, the Department believes this authorization is no longer necessary because we are adding a new provision in Sec. 164.506 that permits covered entities to disclose protected health information for the payment purposes of another covered entity or health care provider. Therefore, that exception has been eliminated.

Section 164.508(b)(5) provides individuals the right to revoke an authorization at any time in writing. The two exceptions to this right are retained, but with some modification. An individual may not revoke an authorization if the covered entity has acted in reliance on the authorization, or if the authorization was obtained as a condition of obtaining insurance coverage and other law gives the insurer the right to contest the claim or the policy itself. The Department adopts the proposed modification to the latter exception so that insurers can exercise the right to contest an insurance policy under other law. Public comment was generally supportive of this proposed modification.

Section 164.508(b)(6) requires covered entities to document and retain authorizations as required under Sec. 164.530(j). This requirement is not changed.

The different sets of implementation criteria are consolidated into one set of criteria under Sec. 164.508(c), thus eliminating the confusion and uncertainty associated with different requirements for specific circumstances. Covered entities may use one authorization form for all purposes. The Department adopts, in paragraph (c)(1), the following core elements for a valid authorization: (1) A description of the information to be used or disclosed, (2) the identification of the persons or class of persons authorized to make the use or disclosure of the protected health information, (3) the identification of the persons or class of persons to whom the covered entity is authorized to make the use or disclosure, (4) a description of each purpose of the use or disclosure, (5) an expiration date or event, (6) the individual's signature and date, and (7) if signed by a personal representative, a description of his or her authority to act for the individual. An authorization that does not contain all of the core elements does not meet the requirements for a valid authorization. The Department intends for the authorization process to provide individuals with the opportunity to know and understand the circumstances surrounding a requested authorization.

To further protect the privacy interests of individuals, when individuals initiate an authorization for their own purposes, the purpose may be stated as "at the request of the individual." Other changes to the core elements pertain to authorizations for research, and are discussed in section III.E.2. of the preamble.

Also, under Sec. 164.508(c)(2), an authorization is not valid unless it contains all of the following: (1) A statement that the individual may revoke the authorization in writing, and either a statement regarding the right to revoke and instructions on how to exercise such right or, to the extent this information is included in the covered entity's notice, a reference to the notice, (2) a statement that treatment, payment, enrollment, or eligibility for benefits may not be conditioned on obtaining the authorization if such conditioning is prohibited by the Privacy Rule or, if conditioning is permitted, a statement about the consequences of refusing to sign the authorization, and (3) a statement about the potential for the protected health information to be redisclosed by the recipient. Although the notification statements are not included in the paragraph on core elements, an authorization is not valid unless it contains both the required core elements and all of the required statements. This is the minimum information the Department believes is needed to ensure individuals are fully informed of their rights with respect to an authorization and to understand the consequences of authorizing the use or disclosure. The required statements must be written in a manner that is adequate to place the individual on notice of the substance of the statements.

In response to comments, the Department clarifies that the statement regarding the potential for redisclosure does not require an analysis of the risk for redisclosure, but may be a general statement that the health information may no longer be protected by the Privacy Rule once it is disclosed by the covered entity. Other commenters objected to this statement because individuals might be hesitant to sign an authorization if they knew their protected health information could be redisclosed and no longer protected by the Rule. In response, the Department believes that individuals need to know about the consequences of authorizing the disclosure of their protected health information. As these commenters recognized, the potential for redisclosure may, indeed, be an important factor in an individual's decision to give or deny a requested authorization.

Others suggested that the statement regarding redisclosure should be omitted when an authorization is obtained only for a use, since such a statement would be confusing and inappropriate when the covered entity maintains the information. Similarly, some commenters were concerned that the statement may be misleading where the recipient of the information, although not a covered entity, will keep the information confidential. In response, the Department clarifies that, while a general statement would suffice, a covered entity has the discretion to provide a more definitive statement where appropriate. Thus, the covered entity requesting an authorization for its own use of protected health information may provide assurances that the information will remain subject to the Privacy Rule. Similarly, if a third party, such as a researcher, is seeking an authorization for research, the statement may refer to the privacy protections that the researcher will provide for the data.

Under Sec. 164.508(c)(3), authorizations must be written in plain language so that individuals can understand the information contained in the form, and thus be able to make an informed decision about whether to give the authorization. A few commenters urged the Department to keep the plain language requirement as a core element of a valid authorization. Under the December 2000 Rule, the plain language requirement was not a requisite for a valid authorization. Nevertheless, under both the December 2000 Rule and the final modifications, authorizations must be written in plain language. The fact that the plain language requirement is not a core element does not diminish its importance or effect, and the failure to meet this requirement is a violation of the Rule.

Finally, under Sec. 164.508(c)(4), covered entities who seek an authorization are required to provide the individual with a copy of the signed authorization form.

Response to Other Public Comments

Comment: A number of commenters specifically expressed support of the proposed authorization requirement for marketing, and urged the Department to adopt the requirement. However, one commenter claimed that requiring authorizations for marketing would reduce hospitals' ability to market their programs and services effectively in order to compete in the marketplace, and that obtaining, storing, and maintaining marketing authorizations would be too burdensome.

Response: In light of the support in the comments, the Department has adopted the proposed requirement for an authorization before a covered entity may use or disclose protected health information for marketing. However, the commenter is mistaken that this requirement will interfere with a hospital's ability to promote its own program and services within the community. First, such broad-based marketing is likely taking place without resort to protected health information, through dissemination of information about the hospital through community-wide mailing lists. Second, under the Privacy Rule, a communication is not marketing if a covered entity is describing its own products and services. Therefore, nothing in the Rule will inhibit a hospital from competing in the marketplace by communicating about its programs and services.

Comment: One commenter suggested that authorizations for marketing should clearly indicate that they are comprehensive and may contain sensitive protected health information.

Response: The Department treats all individually identifiable health information as sensitive and equally deserving of protections under the Privacy Rule. The Rule requires all authorizations to contain the specified core elements to ensure individuals are given the information they need to make an informed decision. One of the core elements for all authorizations is a clear description of the information that is authorized to be used or disclosed in specific and meaningful terms. The authorization process provides the individual with the opportunity to ask questions, negotiate how their information will be used and disclosed, and ultimately to control whether these uses and disclosures will be made.

Comment: Several commenters urged the Department to retain the existing structure of the implementation specifications, whereby the notification statements about the individual's right to revoke and the potential for redisclosure are "core elements." It was argued that this information is essential to an informed decision. One of the commenters claimed that moving them out of the core elements and only requiring a statement adequate to put the person on notice of the information would increase uncertainty, and that these two elements are too important to risk inadequate explanation.

Response: The Department agrees that the required notification statements are essential information that a person needs in order to make an informed decision about authorizing the use or disclosure of protected health information. Individuals need to know what rights they have with respect to an authorization, and how they can exercise those rights. However, separating the core elements and notification statements into two different subparagraphs does not diminish the importance or effect of the notification statements. The Department clarifies that both the core elements and the notification statements are required, and both must be included for an authorization to be valid.

Comment: Several commenters urged the Department to eliminate unnecessary authorization contents. They argued the test should be whether the person needs the information to protect his or her privacy, and cited the disclosure of remuneration by a third party as an example of unnecessary content, alleging that the disclosure of remuneration is not relevant to protecting privacy. One commenter suggested that covered entities should be given the flexibility to decide which contents are applicable in a given situation.

Response: The Department believes the core elements are all essential information. Individuals need to know this information to make an informed decision about giving the authorization to use or disclose their protected health information. Therefore, the Department believes all of the core elements are necessary content in all situations. The Department does not agree that the remuneration statement required on an authorization for uses and disclosures of an individual's protected health information for marketing purposes is not relevant to protecting privacy. Individuals exercise control over the privacy of their protected health information by either giving or denying an authorization, and remuneration from a third party to the covered entity for obtaining an authorization for marketing is an important factor in making that choice.

Comment: One commenter suggested that covered entities should not be required to state on an authorization a person's authority to act on an individual's behalf, and they should be trusted to require such identification or proof of legal authority when the authorization is signed. The commenter stated that this requirement only increases administrative burden for covered entities.

Response: The Department does not agree. The authorization requirement is intended to give individuals some control over uses and disclosures of protected health information that are not otherwise permitted or required by the Rule. Therefore, the Rule requires that covered entities verify and document a person's authority to sign an authorization on an individual's behalf, since that person is exercising the individual's control of the information. Furthermore, the Department understands that it is a current industry standard to verify and document a person's authority to sign any legal permission on another person's behalf. Thus, the requirement should not result in any undue administrative burden for covered entities.

Comment: One commenter suggested that the Department should require authorizations to include a complete list of entities that will use and share the information, and that the individual should be notified periodically of any changes to the list so that the individual can provide written authorization for the changes.

Response: It may not always be feasible or practical for covered entities to include a comprehensive list of persons authorized to use and share the information disclosed pursuant to an authorization. However, individuals may discuss this option with covered entities, and they may refuse to sign an authorization that does not meet their expectations. Also, subject to certain limitations, individuals may revoke an authorization at any time.

Comment: One commenter asked for clarification that a health plan may not condition a provider's participation in the health plan on seeking authorization for the disclosure of psychotherapy notes, arguing that this practice would coerce providers to request, and patients to provide, an authorization to disclose psychotherapy notes.

Response: The Privacy Rule does not permit a health plan to condition enrollment, eligibility for benefits, or payment of a claim on obtaining the individual's authorization to use or disclose psychotherapy notes. Nor may a health care provider condition treatment on an authorization for the use or disclosure of psychotherapy notes. In a situation such as the one described by the commenter, the Department would look closely at whether the health plan was attempting to accomplish indirectly that which the Rule prohibits. These prohibitions are to ensure that the individual's permission is wholly voluntary and informed with regard to such an authorization. To meet these standards, in the circumstances set forth in the comment, the Department would expect the provider subject to such a requirement by the health plan to explain to the individual in very clear terms that, while the provider is required to ask, the individual remains free to refuse to authorize the disclosure and that such refusal will have no effect on either the provision of treatment or the individual's coverage under, and payment of claims by, the health plan.

Comment: A few commenters suggested the Department should allow covered entities to combine an authorization with other documents, such as the notice acknowledgment, claiming it would reduce administrative burden and paperwork, as well as reduce patient confusion and waiting times, without compromising privacy protections.

Response: The Department disagrees that combining an authorization with other documents, such as the notice acknowledgment, would be less confusing for individuals. To the contrary, the Department believes that combining unrelated documents would be more confusing. However, the Rule does permit an authorization to be combined with other authorizations so long as the provision of treatment, payment, enrollment in a health plan or eligibility for benefits is not conditioned on obtaining any of the authorizations, and the authorization is not for the use or disclosure of psychotherapy notes.

Also, authorizations must contain the same information, whether it is a separate document or combined with another document; and the individual must be given the opportunity to read and discuss that information. Combining an authorization with routine paperwork diminishes individuals' ability to make a considered and informed judgment to permit the use or disclosure of their medical information for some other purpose.

Comment: One commenter stated that the requirement for covered entities to use only authorizations that are valid under the Rule must be an unintended result of the Rule, because covered entities would have to use only valid authorizations when requesting information from non-covered entities. The commenter did not believe the Department intended this requirement to apply with respect to non-covered entities, and gave the example of dental health plans obtaining protected health information in connection with paper claims submitted by dental offices. The commenter requested clarification that health plans may continue to use authorization forms currently in use for all claims submitted by non-covered entities.

Response: The commenter misapprehends the Rule's requirements. The requirements apply to uses and disclosures of protected health information by covered entities. In the example provided, where a health plan is requesting additional information in support of a claim for payment by a non-covered health care provider, the health plan is not required to use an authorization. The plan does not need the individual's authorization to use protected health information for payment purposes, and the non-covered health care provider is not subject to any of the Rule's requirements. Therefore, the exchange of information may occur as it does today. The Department notes that, based on the modifications regarding consent adopted in this rulemaking, neither a consent nor an authorization would be required in this example even if the health care provider were also a covered entity.

Comment: Several commenters urged the Department to add a transition provision to permit hospitals to use protected health information in already existing databases for marketing and outreach to the communities they serve. Commenters claimed that these databases are important assets that would take many years to rebuild, and hospitals may not have an already existing authorization or other express legal permission for such use of the information. They contended that, without a transition provision, these databases would become useless under the Rule. Commenters suggested the Department should adopt an "opt out" provision that would allow continued use of these databases to initially communicate with the persons listed in the database; at that time, they could obtain authorization for future communications, thus providing a smooth transition.

Response: Covered entities are provided a two-year period in which to come into compliance with the Privacy Rule. One of the purposes of the compliance period is to allow covered entities sufficient time to undertake actions such as those described in the comment (obtaining the legal permissions that would permit databases to continue to operate after the compliance date). An additional transition period for these activities has not been justified by the commenters. However, the Department notes that a covered entity is permitted to use the information in a database for communications that are either excepted from or that do not meet the definition of "marketing" in Sec. 164.501, without individual authorization. For example, a hospital may use protected health information in an existing database to distribute information about the services it provides, or to distribute a newsletter with general health or wellness information that does not promote a particular product or service.
