Standards for Privacy of Individually Identifiable Health Information
D. Section 164.506--Uses and Disclosures for Treatment, Payment, and Health Care Operations
1. Consent
December 2000 Privacy Rule
Treatment and payment for health care are core functions of the
health care industry, and uses and disclosures of individually identifiable
health information for such purposes are critical to the effective
operation of the health care system. Health care providers and health
plans must also use individually identifiable health information
for certain health care operations, such as administrative, financial,
and legal activities, to run their businesses and to support the
essential health care functions of treatment and payment. Equally
important are health care operations designed to maintain and improve
the quality of health care. In developing the Privacy Rule, the
Department balanced the privacy implications of uses and disclosures
for treatment, payment, and health care operations and the need
for these core activities to continue. The Department considered
the fact that many individuals expect that their health information
will be used and disclosed as necessary to treat them, bill for
treatment, and, to some extent, operate the covered entity's health
care business. Given public expectations with respect to the use
or disclosure of information for such activities and so as not to
interfere with an individual's access to quality health care or
the efficient payment for such health care, the Department's goal
is, and has always been, to permit these activities to occur with
little or no restriction.
Consistent with this goal, the Privacy Rule published in December
2000 generally provided covered entities with permission to use
and disclose protected health information as necessary for treatment,
payment, and health care operations. For certain health care providers
that have direct treatment relationships with individuals, such
as many physicians, hospitals, and pharmacies, the December 2000
Privacy Rule required such providers to obtain an individual's written
consent prior to using or disclosing protected health information
for these purposes. The Department designed consent as a one-time,
general permission from the individual, which the individual would
have had the right to revoke. A health care provider could have
conditioned treatment on the receipt of consent. Other covered entities
also could have chosen to obtain consent but would have been required
to follow the consent standards if they opted to do so.
The consent requirement for health care providers with direct treatment
relationships was a significant change from the Department's initial
proposal published in November 1999. At that time, the Department
proposed to permit all covered entities to use and disclose protected
health information to carry out treatment, payment, and health care
operations without any requirement that the covered entities obtain
an individual's consent for such uses and disclosures, subject to
a few limited exceptions. Further, the Department proposed to prohibit
covered entities from obtaining an individual's consent for uses
and disclosures of protected health information for these purposes,
unless required by other applicable law.
The transition provisions of the Privacy Rule permit covered health
care providers that were required to obtain consent to use and disclose
protected health information they created or received prior to the
compliance date of the Privacy Rule for treatment, payment, or health
care operations if they had obtained consent, authorization, or
other express legal permission to use or disclose such information
for any of these purposes, even if such permission did not meet
the consent requirements of the Privacy Rule.
March 2002 NPRM
The Department heard concerns about significant practical problems
that resulted from the consent requirements in the Privacy Rule.
Covered entities and others provided numerous examples of obstacles
that the consent provisions would pose to timely access to health
care. These examples extended to various types of providers and
various settings. The most troubling, pervasive problem was that
health care providers would not have been able to use or disclose
protected health information for treatment, payment, or health care
operations purposes prior to their initial face-to-face contact
with the patient, something which is routinely done today to provide
patients with timely access to quality health care. Some of the
more significant examples and concerns are as follows:
- Pharmacists would not have been able to fill a prescription,
search for potential drug interactions, determine eligibility,
or verify coverage before the individual arrived at the pharmacy
to pick up the prescription if the individual had not already
provided consent under the Privacy Rule.
- Hospitals would not have been able to use information from
a referring physician to schedule and prepare for procedures before
the individual presented at the hospital for such procedure, or
the patient would have had to make a special trip to the hospital
to sign the consent form.
- Providers who do not provide treatment in person may have been
unable to provide care because they would have had difficulty
obtaining prior written consent to use protected health information
at the first service delivery.
- Emergency medical providers were concerned that, if a situation
was urgent, they would have had to try to obtain consent to comply
with the Privacy Rule, even if that would be inconsistent with
appropriate practice of emergency medicine.
- Emergency medical providers were also concerned that the requirement
that they attempt to obtain consent as soon as reasonably practicable
after an emergency would have required significant efforts and
administrative burden which might have been viewed as harassing
by individuals, because these providers typically do not have
ongoing relationships with individuals.
- Providers who did not meet one of the consent exceptions were
concerned that they could have been put in the untenable position
of having to decide whether to withhold treatment when an individual
did not provide consent or proceed to use information to treat
the individual in violation of the consent requirements.
- The right to revoke a consent would have required tracking
consents, which could have hampered treatment and resulted in
large institutional providers deciding that it would be necessary
to obtain consent at each patient encounter instead.
- The transition provisions would have resulted in significant
operational problems, and the inability to access health records
would have had an adverse effect on quality activities, because
many providers currently are not required to obtain consent for
treatment, payment, or health care operations.
- Providers that are required by law to treat were concerned
about the mixed messages to patients and interference with the
physician-patient relationship that would have resulted because
they would have had to ask for consent to use or disclose protected
health information for treatment, payment, or health care operations,
but could have used or disclosed the information for such purposes
even if the patient said "no."
As a result of the large number of treatment-related obstacles
raised by various types of health care providers that would have
been required to obtain consent, the Department became concerned
that individual fixes would be too complex and could possibly overlook
important problems. Instead, the Department proposed an approach
designed to protect privacy interests by affording patients the
opportunity to engage in important discussions regarding the use
and disclosure of their health information through the strengthened
notice requirement, while allowing activities that are essential
to quality health care to occur unimpeded (see section III.H. of
the preamble for a discussion of the strengthened notice requirements).
Specifically, the Department proposed to make the obtaining of
consent to use and disclose protected health information for treatment,
payment, or health care operations more flexible for all covered
entities, including providers with direct treatment relationships.
Under this proposal, health care providers with direct treatment
relationships with individuals would no longer be required to obtain
an individual's consent prior to using and disclosing information
about him or her for treatment, payment, and health care operations.
They, like other covered entities, would have regulatory permission
for such uses and disclosures.
The NPRM included provisions to permit covered entities to obtain
consent for uses and disclosures of protected health information
for treatment, payment, or health care operations, if they wished
to do so. These provisions would grant providers complete discretion
in designing this process. These proposed changes were accompanied,
however, by the proposal to strengthen the notice provisions to
require direct treatment providers to make good faith efforts to
obtain a written acknowledgment of receipt of the notice. The intent
was to preserve the opportunity to raise questions about the entity's
privacy policies that the consent requirements previously provided.
Overview of Public Comments
The following discussion provides an overview of the public comment
received on this proposal. Additional comments received on this
issue are discussed below in the section entitled, "Response
to Other Public Comments."
The vast majority of commenters addressed the consent proposal.
Most comments fell into three basic categories: (1) Many comments
supported the NPRM approach to eliminate the consent requirement;
(2) many comments urged the Department to require consent, but make
targeted fixes to address workability issues; and (3) some comments
urged the Department to strengthen the consent requirement.
The proposed approach of eliminating required consent and making
obtaining of consent permissible, at the entity's discretion, was
supported by many covered entities that asserted that it would provide
the appropriate balance among access to quality health care, administrative
burden, and patient privacy. Many argued that the appropriate privacy
protections were preserved by strengthening the notice requirement.
This approach was also supported by the NCVHS.
The comments received in response to the NPRM continued to raise
the issues and obstacles described above, and others. For example,
in addition to providing health care services to patients, hospices
often provide psychological and emotional support to family members.
These consultations often take place long distance and would likely
be considered treatment. The consent requirement would make it difficult,
or impossible in some circumstances, for hospices to provide these
important services to grieving family members on a timely basis.
Comments explained that the consent provisions in the Rule pose
significant obstacles to oncologists as well. Cancer treatment is
referral-based. Oncologists often obtain information from other
doctors, hospitals, labs, etc., speak with patients by telephone,
identify treatment options, and develop preliminary treatment plans,
all before the initial patient visit. The prior consent requirement
would prevent all of these important preliminary activities before
the first patient visit, which would delay treatment in cases in
which such delay cannot be tolerated.
Other commenters continued to strongly support a consent requirement,
consistent with their views expressed during the comment period
in March 2001. Some argued that the NPRM approach would eliminate
an important consumer protection and that such a "radical"
approach to fixing the workability issues was not required. They
recommended a targeted approach to fixing each problem, and suggested
ways to fix each unintended consequence of the consent requirement,
in lieu of removing the requirement to obtain consent.
A few commenters argued for reinstating a consent requirement,
but making it similar to the proposal for acknowledgment of notice
by permitting flexibility and including a "good faith"
standard. They also urged the Department to narrow the definition
of health care operations and require that de-identified information
be used where possible for health care operations.
Finally, a few commenters continued to assert that consent should
be strengthened by applying it to more covered entities, requiring
it to be obtained more frequently, or prohibiting the conditioning
of treatment on the obtaining of consent.
Final Modifications
The Department continues to be concerned by the multitude of comments
and examples demonstrating that the consent requirements would result
in unintended consequences that would impede the provision of health
care in many critical circumstances. We are also concerned that
other such unintended consequences may exist which have yet to be
brought to our attention. The Department would not have been able
to address consent issues arising after publication of this Rule
until at least a year had passed from this Rule's publication date
due to statutory limitations on the timing of modifications. The
Department believes in strong privacy protections for individually
identifiable health information, but does not want to compromise
timely access to quality health care. The Department also understands
that the opportunity to discuss privacy practices and concerns is
an important component of privacy, and that the confidential relationship
between a patient and a health care provider includes the patient's
ability to be involved in discussions and decisions related to the
use and disclosure of protected health information about him or
her.
A review of the comments showed that almost all of the commenters
that discussed consent acknowledged that there are unintended consequences
of the consent requirement that would interfere with treatment.
These comments point toward two potential approaches to fixing these
problems. The Department could address these problems by adopting
a single solution that would address most or all of the concerns,
or could address these problems by adopting changes targeted to
each specific problem that was brought to the attention of the Department.
One of the goals in making changes to the Privacy Rule is to simplify,
rather than add complexity to, the Rule. Another goal is to assure
that the Privacy Rule does not hamper necessary treatment. For both
of these reasons, the Department is concerned about adopting different
changes for different issues related to consent and regulating to
address specific examples that have been brought to its attention.
Therefore, the options that the Department most seriously considered
were those that would provide a global fix to the consent problems.
Some commenters provided global options other than the proposed
approach. However, none of these would have resolved the operational
problems created by a mandatory consent.
The Department also reviewed State laws to understand how they
approached uses and disclosures of health information for treatment,
payment, or health care operations purposes. Of note was the California
Confidentiality of Medical Information Act. Cal. Civ. Code Sec.
56. This law permits health care providers and health plans to disclose
health information for treatment, payment, and certain types of
health care operations purposes without obtaining consent of the
individual. The California HealthCare Foundation conducted a medical
privacy and confidentiality survey in January 1999 that addressed
consumer views on confidentiality of medical records. The results
showed that, despite the California law that permitted disclosures
of health information without an individual's consent, consumers
in California did not have greater concerns about confidentiality
than other health care consumers. This is true with respect to trust
of providers and health plans to keep health information private
and confidential and the level of access to health information that
providers and health plans have.
The Department adopts the approach that was proposed in the NPRM,
because it is the only one that resolves the operational problems
that have been identified in a simple and uniform manner. First,
this Rule strengthens the notice requirements to preserve the opportunity
for individuals to discuss privacy practices and concerns with providers.
(See section III.H. of the preamble for the related discussion of
modifications to strengthen the notice requirements.) Second, the
final Rule makes the obtaining of consent to use and disclose protected
health information for treatment, payment, or health care operations
optional on the part of all covered entities, including providers
with direct treatment relationships. A health care provider that
has a direct treatment relationship with an individual is not required
by the Privacy Rule to obtain an individual's consent prior to using
and disclosing information about him or her for treatment, payment,
and health care operations. They, like other covered entities, have
regulatory permission for such uses and disclosures. The fact that
there is a State law that has been using a similar model for years
provides us confidence that this is a workable approach.
Other rights provided by the Rule are not affected by this modification.
Although covered entities will not be required to obtain an individual's
consent, any uses or disclosures of protected health information
for treatment, payment, or health care operations must still be
consistent with the covered entity's notice of privacy practices.
Also, the removal of the consent requirement applies only to consent
for treatment, payment, and health care operations; it does not
alter the requirement to obtain an authorization under Sec. 164.508
for uses and disclosures of protected health information not otherwise
permitted by the Privacy Rule or any other requirements for the
use or disclosure of protected health information. The Department
intends to enforce strictly the requirement for obtaining an individual's
authorization, in accordance with Sec. 164.508, for uses and disclosure
of protected health information for purposes not otherwise permitted
or required by the Privacy Rule. Furthermore, individuals retain
the right to request restrictions, in accordance with Sec. 164.522(a).
This allows individuals and covered entities to enter into agreements
to restrict uses and disclosures of protected health information
for treatment, payment, and health care operations that are enforceable
under the Privacy Rule.
Although consent for use and disclosure of protected health information
for treatment, payment, and health care operations is no longer
mandated, this Final Rule allows covered entities to have a consent
process if they wish to do so. The Department heard from many commenters
that obtaining consent was an integral part of the ethical and other
practice standards for many health care professionals. It, therefore,
does not prohibit covered entities from obtaining consent.
This final Rule allows covered entities that choose to have a consent
process complete discretion in designing that process. Prior comments
have informed the Department that one consent process and one set
of principles will likely be unworkable. Covered entities that choose
to obtain consent may rely on industry practices to design a voluntary
consent process that works best for their practice area and consumers,
but they are not required to do so.
This final Rule effectuates these changes in the same manner as
proposed by the NPRM. The consent provisions in Sec. 164.506 are
replaced with a new provision at Sec. 164.506(a) that provides regulatory
permission for covered entities to use or disclose protected health
information for treatment, payment, and health care operations.
A new provision is added at Sec. 164.506(b) that permits covered
entities to obtain consent if they choose to, and makes clear any
such consent process does not override or alter the authorization
requirements in Sec. 164.508. Section 164.506(b) includes a small
change from the proposed version to make it clearer that authorizations
are still required by referring directly to authorizations under
Sec. 164.508.
Additionally, this final Rule includes a number of conforming modifications,
identical to those proposed in the NPRM, to accommodate the new
approach. The most substantive corresponding changes are at Secs.
164.502 and 164.532. Section 164.502(a)(1) provides a list of the
permissible uses and disclosures of protected health information,
and refers to the corresponding section of the Privacy Rule for
the detailed requirements. The provisions at Secs. 164.502(a)(1)(ii)
and (iii) that address uses and disclosures of protected health
information for treatment, payment, and health care operations are
collapsed into a single provision, and the language is modified
to eliminate the consent requirement.
The references in Sec. 164.532 to Sec. 164.506 and to consent,
authorization, or other express legal permission obtained for uses
and disclosures of protected health information for treatment, payment,
and health care operations prior to the compliance date of the Privacy
Rule are deleted. The proposal to permit a covered entity to use
or disclose protected health information for these purposes without
consent or authorization would apply to any protected health information
held by a covered entity whether created or received before or after
the compliance date. Therefore, transition provisions are not necessary.
This final Rule also includes conforming changes to the definition
of "more stringent" in Sec. 160.202; the text of Sec.
164.500(b)(1)(v), Secs. 164.508(a)(2)(i) and (b)(3)(i), and Sec.
164.520(b)(1)(ii)(B); the introductory text of Secs. 164.510 and
164.512, and the title of Sec. 164.512 to eliminate references to
required consent.
Response to Other Public Comments
Comment: There were three categories of commenters with
respect to the Rule's general approach to consent--those that supported
the changes proposed in the NPRM provisions, those that requested
targeted changes to the consent requirement, and those that requested
that the consent requirement be strengthened.
Many commenters supported the NPRM approach to consent, making
consent to use or disclose protected health information for treatment,
payment, and health care operations voluntary for all covered entities.
These commenters said that this approach provided flexibility for
covered entities to address consent in a way that is consistent
with their practices. These commenters also stated that the NPRM
approach assured that the Privacy Rule would not interfere with
or delay necessary treatment.
Those that advocated retaining a consent requirement stated that
the NPRM approach would undermine trust in the health care system
and that requiring consent before using or disclosing protected
health information shows respect for the patient's autonomy, underscores
the need to inform the patient of the risks and benefits of sharing
protected health information, and makes it possible for the patient
to make an informed decision. Many of these commenters suggested
that the consent requirement be retained and that the problems raised
by consent be addressed through targeted changes or guidance for
each issue.
Some suggestions targeted to specific problems were: (1) Fix the problems
related to filling prescriptions by treating pharmacists as providers
with indirect treatment relationships or by deeming a prescription
to serve as an implied consent; and (2) allow certain uses and disclosures
prior to first patient encounter. Some of these commenters argued
that certain issues could be addressed through guidance on other provisions
in the Rule, rather than a change in the regulation. For example,
they suggested that guidance could explain that physicians who take
phone calls for one another are part of an organized health care arrangement,
or could provide technical assistance about revocations on consent
by identifying when a covered entity has taken action in reliance
on a consent.
Other suggestions were more general. They included suggestions
that the Department: (1) Substitute a good faith effort requirement
for the current provisions; (2) provide regulatory permission for
certain uses and disclosures of protected health information prior
to first service delivery; (3) permit oral consent with documentation;
(4) retain a consent requirement for disclosures, but not uses;
(5) retain a consent requirement for payment and operations, but
not treatment uses and disclosures; (6) allow individuals to opt
out of the consent requirement; (7) allow the consent to apply to
activities of referred-to providers; and (8) retain the consent
requirement but add flexibility, not exceptions.
The third group of commenters requested that the consent requirement
be strengthened. Some requested that the Privacy Rule not permit
conditioning of treatment or enrollment on consent for multiple
uses and disclosures. Others requested that the consent requirement
be extended to covered entities other than providers with direct
treatment relationships, such as health plans. Some commenters also
asked that the consent be time-limited or be required more frequently,
such as at each service delivery.
Response: The Department recognizes that there are some
benefits to the consent requirement and has considered all options
to preserve the consent requirement while fixing the problems it
raises. After examining each of these options, we do not believe
that any would address all of the issues that were brought to the
Department's attention during the comment process or would be the
best approach for regulating this area. For example, the suggestion
to treat pharmacists as indirect treatment providers would not be
consistent with the current regulatory definition of that term and
would not have addressed other referral situations. This approach
was also rejected by some pharmacists who view themselves as providing
treatment directly to individuals. The suggestion to allow certain
uses and disclosures prior to first patient encounter would not
address concerns of tracking consents, use of historical data for
quality purposes, or the concerns of emergency treatment providers.
The Department desired a global approach to resolving the problems
raised by the prior consent requirement, so as not to add additional
complexity to the Privacy Rule or apply different standards to different
types of direct treatment providers. This approach is consistent
with the basic goal of the Rule to provide flexibility as necessary
for the standards to work for all sectors of the health care industry.
More global approaches suggested were carefully considered, but
each had some flaw or failed to address all of the treatment-related
concerns brought to our attention. For example, those who suggested
that the Rule be modified to require a good faith effort to obtain
consent at first service delivery failed to explain how that approach
would provide more protection than the approach we proposed.
The Department also decided against eliminating the consent requirement
only for uses and disclosures for treatment, or only for uses of
protected health information but not for disclosures, because these
options fall short of addressing all of the problems raised. Scheduling
appointments and surgeries, and conducting many pre-admission activities,
are health care operations activities, not treatment. Retaining
the consent requirement for payment would be problematic because,
in cases where a provider, such as a pharmacist or hospital, engages
in a payment activity prior to face-to-face contact with the individual,
it would prohibit the provider from contacting insurance companies
to obtain pre-certification or to verify coverage.
Similarly, the suggestion to limit the prior consent requirement
to disclosures and not to uses would not have addressed all of the
problems raised by the consent requirements. Many of the basic activities
that occur before the initial face-to-face meeting between a provider
and an individual involve disclosures as well as uses. Like the
previous approach, this approach also would prohibit pharmacists
and hospitals from contacting insurance companies to obtain pre-certification
or verify coverage if they did not have the individual's
prior consent to disclose the protected health information for payment.
It also would prohibit a provider from contacting another provider
to ask questions about the medical record and discuss the patient's
condition, because this would be a disclosure and would require
consent.
There was a substantial amount of support from commenters for the
approach taken in the NPRM. The Department continues to believe
that this approach makes the most sense and meets the goals of not
interfering with access to quality health care and of providing
a single standard that works for the entire health care industry.
Therefore, the Department has adopted the approach proposed in the
NPRM.
Comment: Some commenters asserted that eliminating the consent
requirement would be a departure from current medical ethical standards
that protect patient confidentiality and common law and State law
remedies for breach of confidentiality that generally require or
support patient consent prior to disclosing patient information
for any reason. Another commenter was concerned that the removal
of the consent requirement from the Privacy Rule will become the
de facto industry standard and supplant professional ethical duties
to obtain consent for the use of protected health information.
Response: The Privacy Rule provides a floor of privacy protection.
State laws that are more stringent remain in force. In order not
to interfere with such laws and ethical standards, this Rule permits
covered entities to obtain consent. Nor is the Privacy Rule intended
to serve as a "best practices" standard. Thus, professional
standards that are more protective of privacy retain their vitality.
Comment: Some commenters requested that, if the Department
adopts the NPRM approach to eliminate the consent requirement for
uses and disclosures of protected health information for treatment,
payment, or health care operations, the definition of "health
care operations" should also be narrowed to protect individual
expectations of privacy.
Response: We disagree. As stated in the preamble to the
December 2000 Privacy Rule, the Department believes that narrowing
the definition of "health care operations" will place
serious burdens on covered entities and impair their ability to
conduct legitimate business and management functions.
Comment: Some commenters requested that the regulation text
state more specifically that a voluntary consent cannot substitute
for an authorization when an authorization is otherwise required
under the Privacy Rule.
Response: The Department agrees and modifies the regulation
text, at Sec. 164.506(b)(2), to make this clear. As stated in the
preamble to the NPRM, the Department intends to enforce strictly
the requirement for obtaining an individual's authorization, in
accordance with Sec. 164.508, for uses and disclosures of protected
health information for purposes not otherwise permitted or required
by the Privacy Rule. A consent obtained voluntarily would not be
sufficient to permit a use or disclosure which, under the Privacy
Rule, requires an authorization or is otherwise expressly conditioned
under the Rule. For example, a consent under Sec. 164.506 could
not be obtained in lieu of an authorization required by Sec. 164.508
or a waiver of authorization by an IRB or Privacy Board under Sec.
164.512(i) to disclose protected health information for research
purposes.
Comment: Some commenters requested that, if the Department
decides to allow consent on a voluntary basis, the Privacy Rule
include requirements for those covered entities that voluntarily
choose to obtain consents.
Response: The goal of the NPRM approach was to enhance flexibility
for covered entities by allowing them to design a consent process
that best matches their needs. The Department learned over the past
year that no single consent process works for all covered entities.
In addition, the Department wants to encourage covered entities
to adopt a consent process, and is concerned that by prescribing
particular rules, it would discourage some covered entities from
doing so.
Comment: Some commenters asserted that the consent requirement
provides individuals with control because providers may not opt
to withhold treatment if a patient refuses consent only for the
use or disclosure of protected health information for health care
operations.
Response: These commenters may not fully understand the
consent requirements in the December 2000 Rule. That requirement
did not allow separate consents for use of protected health information
for treatment, payment, and health care operations. The only way
to allow use of protected health information for treatment but not
for health care operations purposes would have been to invoke the
right to request restrictions (Sec. 164.522(a)); the provider could
agree or not agree to restrict use and disclosure of protected health
information for health care operations. That is also how the Rule
will work with these modifications. The Department is not modifying
the right to request restrictions.
Comment: Some commenters were confused about the relationship
between the proposed changes to the consent provisions and State
law. Some were concerned that the Privacy Rule would override State
consent laws which provide stronger protections for medical and
psychotherapeutic privacy.
Response: The Privacy Rule does not weaken the operation
of State laws that require consent to use or disclose health information.
The Privacy Rule permits a covered entity to obtain consent to use
or disclose health information, and, therefore, presents no barrier
to the entity's ability to comply with State law requirements.
Comment: One commenter suggested that the consent requirement
be retained to protect victims of domestic violence.
Response: The Department understands the concerns that the
Privacy Rule not endanger victims of domestic violence, but we do
not believe that eliminating the consent requirement will do so.
The Department believes that the provisions that provide real protections
to victims of domestic violence in how information is used or disclosed
for treatment, payment, and health care operations, are provisions
that allow an individual to object to disclosure of directory information
and of protected health information to family members or friends
involved in the individual's care (see Sec. 164.510), that provide
an individual the right to request restrictions (see Sec. 164.522(a)),
and that grant an individual the right to request confidential communications
(see Sec. 164.522(b)). These provisions are not affected by the
changes in this final Rule.
Comment: One commenter asserted that written consent represents
a signed agreement between the provider and patient regarding the
manner in which covered entities will use and disclose health information
in the future, and that the removal of this requirement would shift
"ownership" of records from patients to doctors and corporate
entities.
Response: The Department disagrees with this position. Our
research indicates that a signed consent form is most typically
treated as a waiver of rights by a patient and not as a binding
agreement between a provider and a patient. Further, many States
have laws assigning the ownership of records, apart from any consent
requirements. The Privacy Rule does not address, and is not intended
to affect, existing laws governing the ownership of health records.
Comment: A few commenters claimed that the signed notice
of a provider's privacy policy is meaningless if the individual
has no right to withhold consent and the NPRM approach would reinforce
the fact that individuals have no say in how their health information
is used or disclosed.
Response: The Department disagrees. The individual's options
under the consent requirement established by the Privacy Rule published
in December 2000 and the voluntary consent and strengthened notice
provisions adopted by this Rule are the same. Under the previous
Rule, a patient who disagreed with the covered entity's information
practices as stated in the notice could withhold consent and not
receive treatment, or could sign the consent form and obtain treatment
despite concerns about the information practices. The patient could
request that the provider restrict the use and/or disclosure of
the information. Under the Rule as modified, a patient who disagrees
with the covered entity's information practices as stated in the
notice, can choose not to receive treatment from that provider,
or can obtain treatment despite concerns about the information practices.
The patient can request that the provider restrict the use and/or
disclosure of the information. The result, for the patient, is the
same.
Comment: One commenter requested clarification with respect
to the effect of a revocation of voluntary consent and whether agreed-to
restrictions must be honored.
Response: The final Rule is silent as to how a covered entity
handles the revocation of a voluntary consent under Sec. 164.506(b)(1).
The Rule provides the covered entity that chooses to adopt a consent
process discretion to design the process that works for that entity.
The change to the consent provision in the Privacy Rule does not
affect the right of an individual under Sec. 164.522(a) to request
restrictions to a use or disclosure of protected health information.
While a covered entity is not required to agree to such restrictions,
it must act in accordance with any restriction it does agree to.
Failure of a covered entity to act in accordance with an agreed-to
restriction is a violation of the Rule.
Comment: Commenters asked the Department to rename consent
to "consent for information use" to reduce confusion with
consent for treatment.
Response: In order to clear up confusion between informed
consent for treatment, which is addressed by State law, and consent
to use or disclose protected health information under the Privacy
Rule, we changed the title of Sec. 164.506(b) from "Consent
permitted" to "Consent for uses and disclosures of information
permitted." The Privacy Rule does not affect informed consent
for treatment.
Comment: A few commenters requested that the Department
modify the regulation to state that de-identified information should
be used for health care operations where possible.
Response: The Department continues to encourage covered
entities to use de-identified information wherever possible. As
the Department has made this position clear in the preambles to
both the December 2000 Privacy Rule and the March 2002 NPRM, as
well as in this preamble, we do not believe that it is necessary
to modify the regulation to include such language. Further, the
minimum necessary requirements, under Secs. 164.502(b)(2) and 164.514(d),
already require a covered entity to make reasonable efforts to limit
protected health information used for health care operations and
other purposes to the minimum necessary to accomplish the intended
purpose, which may, in some cases, be de-identified information.
Comment: One commenter requested that the Privacy Rule state
that consent is not required for provider-to-provider communications.
Response: Prior to these final modifications, the consent
requirements of the Privacy Rule would have required a provider
to obtain written consent to disclose protected health information
to another provider for treatment purposes--which could have interfered
with an individual's ability to obtain timely access to quality
care. This is one reason the Department has eliminated the consent
requirement for treatment, payment, and health care operations.
Providers will not need a patient's consent to consult with other
providers about the treatment of a patient. However, if a provider
is disclosing protected health information to another provider for
purposes other than treatment, payment, or health care operations,
an authorization may be required under Sec. 164.508 (e.g., generally,
disclosures for clinical trials would require an authorization).
Comment: One commenter asserted that, without a consent
requirement, nothing will stop a health plan from demanding a patient's
mental health records as a condition of payment for physical therapy.
Response: The Department does not agree that the former
consent requirement is the relevant standard with respect
to the activities of the health plan that concern the
commenter. Rather, the Transactions Rule and the minimum
necessary standard of the Privacy Rule prescribe and
limit the health information that may be disclosed as
part of payment transactions between health plans and
health care providers. Although a health plan may request
additional information to process a specific claim,
in addition to the required and situational elements
under the Transactions Rule, the request must comply
with the Privacy Rule's minimum necessary requirements.
In this example, the health plan can only request mental
health records if they are reasonably necessary for
the plan to process the physical therapy claim.