This proposed rule is no longer the most current information.
It will continue to be available for reference, but the
final rule has been published.
Proposed Standards for Privacy and Individually Identifiable Health
Information
D. Uses and disclosures with individual authorization. (§ 164.508)
This section addresses the requirements that we are proposing when
protected health information is disclosed pursuant to the individual's
explicit authorization. The regulation would require that covered
entities have authorization from individuals before using or disclosing
their protected health information for any purpose not otherwise
recognized by this regulation. Circumstances where an individual's
protected health information may be used or disclosed without authorization
are discussed in connection with proposed §§164.510 and
164.522 below.
This section proposes different conditions governing such authorizations
in two situations in which individuals commonly authorize covered
entities to disclose information:
- where the individual initiates the authorization because he
or she wants a covered entity to disclose his or her record, and
- where a covered entity asks an individual to authorize it to
disclose or use information for purposes other than treatment,
payment or health care operations.
In addition, this section proposes conditions where a covered entity
or the individual initiates an authorization for use or disclosure
of psychotherapy notes or research information unrelated to treatment.
See discussion above in section II.C.1.c.
Individually identifiable health information is used for a vast
array of purposes not directly related to providing or paying for
an individual's health care. Examples of such uses include
targeted marketing of new products and assessing the eligibility
of an individual for certain public benefits or for commercial products
based on their health status. Under these rules, these types of
uses and disclosures could only be made by a covered entity with
the specific authorization of the subject of the information. The
requirements proposed in this section are not intended to interfere
with normal uses and disclosures of information in the health care
delivery or payment process, but only to permit control of uses
extraneous to health care. The restrictions on disclosure that the
regulation would apply to covered entities may mean that some existing
uses and disclosures of information could take place only if the
individual explicitly authorized them under this section.
Authorization would be required for these uses and disclosures
because individuals probably do not envision that the information
they provide when getting health care would be disclosed for such
unrelated purposes. Further, once a patient's protected health
information is disclosed outside of the treatment and payment arena,
it could be very difficult for the individual to determine what
additional entities have seen, used and further disclosed the information.
Requiring an authorization from the patient for such uses and disclosures
would enhance individuals' control over their protected health
information.
We considered requiring a uniform set of requirements for all authorizations,
but concluded that it would be appropriate to treat authorizations
initiated by the individual differently from authorizations sought
by covered entities. There are fundamental differences in the uses
of information and in the relationships and understandings among
the parties in these two situations. When individuals initiate authorizations,
they are more likely to understand the purpose of the release and
to benefit themselves from the use or disclosure. When a covered
entity asks the individual to authorize disclosure, we believe the
entity should make clear what the information will be used for,
what the individual's rights are, and how the covered entity would
benefit from the requested disclosure.
Individuals seek disclosure of their health information to others
in many circumstances, such as when applying for life or disability
insurance, when government agencies conduct suitability investigations,
and in seeking certain job assignments where health is relevant.
Another common instance is tort litigation, where an individual's
attorney needs individually identifiable health information to evaluate
an injury claim and asks the individual to authorize disclosure
of records relating to the injury to the attorney.
There could also be circumstances where the covered entity asks
an individual to authorize use or disclosure of information, for
example to disclose it to a subsidiary to market life insurance
to the individual. Similarly, the covered entity might ask that
the individual authorize it to send information to a person outside
that covered entity, possibly another covered entity or class
of covered entity, for purposes outside of treatment, payment,
or health care operations. See proposed § 164.508(a)(2)(ii).
1. Requirements when the individual has initiated the authorization.
We are proposing several requirements that would have to be met
in the authorization process when the individual has initiated the
authorization.
The authorization would have to include a description of the information
to be used or disclosed with sufficient specificity to allow the
covered entity to know which information the authorization refers to.
For example, the authorization could include a description of "laboratory
results from July 1998" or "all laboratory results"
or "results of MRI performed in July 1998." The covered
entity would then use or disclose that information and only that
information. If the covered entity does not understand what information
is covered by the authorization, the use or disclosure would not
be permitted unless the covered entity were able to clarify the
request.
We are proposing no limitations on the information to be disclosed.
If an individual wishes to authorize a covered entity to disclose
his or her entire medical record, the authorization could so specify.
But in order for the covered entity to disclose the entire medical
record, the authorization would have to be specific enough to ensure
that individuals have a clear understanding of what information
is to be disclosed under the circumstances. For example, if the
Social Security Administration seeks authorization for release of
all health information to facilitate the processing of benefit applications,
then the description would need to specify "all health information."
We would note that our proposal does not require a covered entity
to disclose information pursuant to an individual's authorization.
Therefore individuals may face reluctance on the part of covered
entities that receive authorizations requiring them to classify
and selectively disclose information when they do not benefit from
the activity. Individuals would need to consider this when specifying
the information in the authorization. Covered entities may respond
to requests to analyze and separate information for selective disclosure
by providing the entire record to the individual, who may then redact
and release the information to others.
We do not propose to require an authorization initiated by an individual
to state a purpose. When the individual has initiated the authorization,
the entity would not need to know why he or she wants the information
disclosed. Ideally, anyone asking an individual to authorize release
of individually identifiable health information would indicate the
purpose and the intended uses. We are unable to impose requirements
on the many entities that make such requests, and it would not be
feasible to ask covered entities to make judgments about intended
uses of records that are disclosed. In the absence of legal controls
in this situation, the prudent individual would obtain a clear understanding
of why the requester needs the information and how it would be used.
We are proposing that the authorization would be required to identify
sufficiently the covered entity or covered entities that would be
authorized to use or disclose the protected health information by
the authorization. Additionally, the authorization would be required
to identify the person or persons that would be authorized to use
or receive the protected health information with sufficient specificity
to reasonably permit a covered entity responding to the authorization
to identify the authorized user or recipient. When an authorization
permits a class of covered entities to disclose information to an
authorized person, each covered entity would need to know with reasonable
certainty that the individual intended for it to release protected
health information under the authorization.
Often, individuals provide authorizations to third parties, who
present them to one or more covered entities. For example, an authorization
could be completed by an individual and provided to a government
agency, authorizing the agency to receive medical information from
any health care provider that has treated the individual within
a defined period. Such an authorization would be permissible (subject
to the other requirements of this part) if it sufficiently identifies
the government entity as the recipient of the disclosures and it
sufficiently identifies the health care providers who would be authorized
to release the individual's protected health information under
the authorization.
We are proposing that the authorization must state a specific expiration
date. We considered providing an alternative way of describing the
termination of the authorization, such as "the conclusion of
the clinical trial," or "upon acceptance or denial of
this application for life insurance" (an event),
but we are concerned that covered entities could have difficulty
implementing such an approach. We also considered proposing that
if an expiration date were indicated on the authorization, it be
no more than two or three years after the date of the signature.
We are soliciting comment on whether an event can be a termination
specification, and whether this proposed rule should permit covered
entities to honor authorizations with unlimited or extremely
lengthy expiration dates or limit it to a set term of years, such
as two or three years.
We are proposing that the authorization include a signature or
other authentication (e.g., electronic signature) and the date of
the signature. If the authorization is signed by an individual other
than the subject of the information to be disclosed, that individual
would have to indicate his or her authority or relationship with
the subject.
The authorization would also be required to include a statement
that the individual understands that he or she may revoke an authorization
except to the extent that action has been taken in reliance on the
authorization.
When an individual authorizes disclosure of health information
to other than a covered entity, the information would no longer
be protected under this regulation once it leaves the covered entity.
Therefore, we propose that the authorization must clearly state
that the individual understands that when the information is disclosed
to anyone except a covered entity, it would no longer be protected
under this regulation.
We understand that the requirements that we are imposing here would
make it quite unlikely that an individual could actually initiate
a completed authorization, because few individuals would know to
include all of these elements in a request for information. We understand
that in most instances, individuals accomplish authorizations for
release of health records by completing a form provided by another
party, either the ultimate recipient of the records (who may have
a form authorizing them to request the records from the record holders)
or a health care provider or health plan holding the records (who
may have a form that documents a request for the release of records
to a third party). For this reason, we do not believe that our proposal
would create substantial new burdens on individuals or covered entities
in cases when an individual is initiating an authorized release
of information. We invite comment on whether we are placing new
burdens on individuals or covered entities. We also invite comment
on whether the approach that we have proposed provides sufficient
protection to individuals who seek to have their protected health
information used or disclosed.
2. Requirements when the covered entity initiates the authorization.
We are proposing that when covered entities initiate the authorization
by asking individuals to authorize disclosure, the authorization
be required to include all of the items required above as well as
several additional items. We are proposing additional requirements
when covered entities initiate the request for authorization because
in many cases it could be the covered entity, and not the individual,
that achieves the primary benefit of the disclosure. We considered
permitting covered entities to request authorizations with only
the basic features proposed for authorizations initiated by the
individual, for the sake of simplicity and consistency. However,
we believe that additional protections would be merited, to avert
possible coercion, when the entity that provides or pays for health
care requests an authorization.
When a covered entity asks an individual to sign an authorization,
we propose to require that it provide on the authorization a statement
that identifies the purposes for which the information is sought
as well as the proposed uses and disclosures of that information.
The required statements of purpose would provide individuals with
the facts they need to make an informed decision as to whether to
allow release of the information. Covered entities and their business
partners would be bound by the statements provided on the authorization,
and use or disclosure by the covered entity inconsistent with the
statement would constitute a violation of this regulation. We recognize
that the covered entities cannot know or control uses and disclosures
that will be made by persons who are not business partners to whom
the information is properly disclosed. As discussed above, authorizations
would need to notify individuals that when the information is disclosed
to anyone except a covered entity, it would no longer be protected
under this regulation.
We propose to require that authorizations requested by covered
entities be narrowly tailored to authorize use or disclosure of
only the protected health information necessary to accomplish the
purpose specified in the authorization. The request would be subject
to the minimum necessary requirement as discussed in section II.C.2.
We would prohibit the use of broad or blanket authorizations requesting
the use or disclosure of protected health information for a wide
range of purposes. Both the information that would be used or disclosed
and the specific purposes for such uses or disclosures would need
to be specified in the authorization.
We are proposing that when covered entities ask individuals to
authorize use or disclosure for purposes other than for treatment,
payment, or health care operations, they be required to advise individuals
that they may inspect or copy the information to be used or disclosed
as provided in proposed § 164.514, that they may refuse to
sign the authorization, and that treatment and payment could not
be conditioned on the patient's authorization. For example,
a request for authorization to use or disclose protected health
information for marketing purposes would need to clearly state that
the individual's decision would have no influence on his or
her health care treatment or payment. In addition, we are proposing
that when a covered entity requests an authorization, it must provide
the individual with a copy of the signed authorization form.
Finally, we are proposing that when the covered entity initiates
the authorization and the covered entity would be receiving financial
or in-kind compensation in exchange for using or disclosing the
health information, the authorization would include a statement
that the disclosure would result in commercial gain to the covered
entity. For example, a health plan may wish to sell or rent its
enrollee mailing list. A pharmaceutical company may offer a provider
a discount on its products if the provider can obtain authorization
to disclose the demographic information of patients with certain
diagnoses so that the company can market new drugs to them directly.
A pharmaceutical company could pay a pharmacy to send marketing
information to individuals on its behalf. Each such case would require
a statement that the requesting entity will gain financially from
the disclosure.
We considered requiring a contract between the provider and the
pharmaceutical company in this type of arrangement, because such
a contract could enhance protections and enforcement options against
entities who violate these rules. A contract also would provide
covered entities a basis to enforce any limits on further use or
disclosures by authorized recipients. Although we are not proposing
this approach now, we are soliciting comment on how best to protect
the interests of the patient when the authorization for use or disclosure
would result in commercial gain to the covered entity.
3. Model forms.
Covered entities and third parties that wish to have information
disclosed to them would need to prepare forms for individuals to
use to authorize use or disclosure. A model authorization form is
displayed in the Appendix to this proposed rule. We considered presenting
separate model forms for the two different types of authorizations
(initiated by the individual and not initiated by the individual).
However, this approach could be subject to misuse and be confusing
to covered entities and individuals, who may be unclear as to which
form is appropriate in specific situations. The model in the appendix
accordingly is a unitary model, which includes all of the requirements
for both types of authorization.
4. Plain language requirement.
We are proposing that all authorizations must be written in plain
language. If individuals cannot understand the authorization they
may not understand the results of signing the authorization or their
right to refuse to sign. See section II.F.1 for more discussion
of the plain language requirement.
5. Prohibition on conditioning treatment or payment.
We propose that covered entities be prohibited, except in the case
of a clinical trial as described below, from conditioning treatment
or payment for health care on obtaining an authorization for purposes
other than treatment, payment or health care operations. This is
intended to prevent covered plans and providers from coercing individuals
into signing an authorization for a disclosure that is not necessary
for treatment, payment or health care operations. For example, a
provider could not refuse to treat an individual because the individual
refused to authorize a disclosure to a pharmaceutical manufacturer
for the purpose of marketing a new product.
We propose one exception to this provision: health care providers
would be permitted to condition treatment provided as part of a
clinical trial on obtaining an authorization from the individual
that his or her protected health information could be used or disclosed
for research associated with such clinical trial. Permitting use
of protected health information is part of the decision to receive
care through a clinical trial, and health care providers conducting
such trials should be able to condition participation in the trial
on the individual's willingness to authorize that his or her
protected health information be used or disclosed for research associated
with the trial. We note that the uses and disclosures would be subject
to the requirements of § 164.510(j) below.
Under the proposal, a covered entity would not be permitted to
obtain an authorization for use or disclosure of information for
treatment, payment or health care operations unless required by
applicable law. Where such an authorization is required by law,
however, it could not be combined in the same document with an individual
authorization to use or disclose protected health information
for any purpose other than treatment, payment or health care operations
(e.g., research). We would require that a separate document
be used to obtain any other individual authorizations to make it
clear to the individual that providing an authorization for such
other purpose is not a condition of receiving treatment or payment.
6. Inclusion in the accounting of disclosures.
As discussed in section II.H.6, we propose that covered entities
be required to keep a record of all disclosures for purposes other
than treatment, payment or health care operations, including those
made pursuant to authorization. In addition, we propose that when
an individual requests such an accounting or requests a copy of
a signed authorization form, the covered entity must give a copy
to the individual. See proposed § 164.515.
7. Revocation of an authorization by the individual.
We are proposing that an individual be permitted to revoke an authorization
at any time except to the extent that action has been taken in reliance
on the authorization. See proposed § 164.508(e). That is, an
individual could change her or his mind about an authorization and
cancel it, except that she or he could not thereby prevent the use
or disclosure of information if the recipient has already acted
in reliance on the authorization. For example, an individual might
cancel her or his authorization to receive future advertisements,
but the entity may be unable to prevent mailing of the advertisements
that the covered entity or third party has already prepared but
not yet mailed.
An individual would revoke the old authorization and sign a new
authorization when she or he wishes to change any of the information
in the original authorization. Upon receipt of the revocation, the
covered entity would need to stop processing the information for
use or disclosure to the greatest extent practicable.
8. Expired, deficient, or false authorization.
The model authorization form or a document that includes the elements
set out at proposed § 164.508 would meet the requirements of
this proposed rule and would have to be accepted by the covered
entity. Under § 164.508(b), there would be no authorization
within the meaning of the rules proposed below if the submitted
document has any of the following defects:
- the date has expired;
- on its face it substantially fails to conform to any of the
requirements set out in proposed § 164.508, because it lacks
an element;
- it has not been filled out completely. Covered entities may
not rely on a blank or incomplete authorization;
- the authorization is known to have been revoked; or
- the information on the form is known by the person holding
the records to be materially false.
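The element requirements in sections 1 and 2 above and the defect list in this section together describe a single acceptance check a record holder would run before honoring a submitted document. The following is an added example of that check written as code; it is not part of the proposed rule, the model form, or any HHS material. The field names, the two sample records, the date used as "today", and the optional required-by-law flag are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Purposes for which the proposal lets a covered entity act without an
# authorization; a covered entity may not request one for these unless
# applicable law requires it.
TPO_PURPOSES = {"treatment", "payment", "health care operations"}


@dataclass
class Authorization:
    """One submitted authorization document (field names are this
    example's own choices, not the rule's text)."""
    information: str                        # what PHI may be used or disclosed
    disclosing_entities: list               # covered entities that may disclose
    recipients: list                        # persons who may use or receive it
    expiration: Optional[date]
    signature: Optional[str]                # signature or other authentication
    signed_on: Optional[date]
    signer_is_subject: bool = True
    signer_authority: Optional[str] = None  # needed when signer is not the subject
    revocation_statement: bool = False      # "I may revoke, except for reliance"
    unprotected_statement: bool = False     # "no longer protected once disclosed"
    # Extra elements required when a covered entity asked for the authorization.
    initiated_by_covered_entity: bool = False
    purpose: Optional[str] = None
    required_by_law: bool = False           # assumed flag for the TPO exception
    inspect_statement: bool = False
    refuse_statement: bool = False
    no_conditioning_statement: bool = False
    compensated: bool = False
    commercial_gain_statement: bool = False
    # Facts known to the record holder, not elements of the form itself.
    revoked: bool = False
    known_materially_false: bool = False


def defects(auth: Authorization, today: date) -> list:
    """Return every reason the document is *not* an authorization.

    An empty list means the covered entity may act on it. Each check maps
    to one element requirement or one listed defect in the text above."""
    found = []
    if not auth.information.strip():
        found.append("no description of the information")
    if not auth.disclosing_entities:
        found.append("disclosing covered entity not identified")
    if not auth.recipients:
        found.append("recipient not identified")
    if auth.expiration is None:
        found.append("no expiration date")
    elif auth.expiration < today:
        found.append("expired")
    if not auth.signature or auth.signed_on is None:
        found.append("missing signature or date of signature")
    if not auth.signer_is_subject and not auth.signer_authority:
        found.append("signer is not the subject and states no authority")
    if not auth.revocation_statement:
        found.append("missing revocation statement")
    if not auth.unprotected_statement:
        found.append("missing statement that disclosed information loses protection")
    if auth.initiated_by_covered_entity:
        if not auth.purpose:
            found.append("no statement of purpose and intended uses")
        elif auth.purpose.lower() in TPO_PURPOSES and not auth.required_by_law:
            found.append("covered entity may not seek authorization for treatment, payment or operations")
        for present, name in ((auth.inspect_statement, "right to inspect or copy"),
                              (auth.refuse_statement, "right to refuse to sign"),
                              (auth.no_conditioning_statement, "no conditioning of treatment or payment")):
            if not present:
                found.append(f"missing advisory: {name}")
        if auth.compensated and not auth.commercial_gain_statement:
            found.append("compensated disclosure lacks commercial-gain statement")
    if auth.revoked:
        found.append("known to have been revoked")
    if auth.known_materially_false:
        found.append("information on the form is known to be materially false")
    return found


# Constructed sample records and date; none of this is from the rule.
TODAY = date(2000, 1, 15)

INDIVIDUAL_INITIATED = Authorization(
    information="all laboratory results from July 1998",
    disclosing_entities=["Example Clinic"],
    recipients=["Example Life Insurance Co."],
    expiration=date(2001, 1, 15),
    signature="/s/ J. Doe", signed_on=date(2000, 1, 10),
    revocation_statement=True, unprotected_statement=True,
)

MARKETING_REQUEST = Authorization(
    information="names and mailing addresses of enrollees",
    disclosing_entities=["Example Health Plan"],
    recipients=["Example Pharma Marketing"],
    expiration=date(1999, 12, 31),          # already expired as of TODAY
    signature="/s/ J. Doe", signed_on=date(1999, 6, 1),
    revocation_statement=True, unprotected_statement=True,
    initiated_by_covered_entity=True, purpose="marketing of new products",
    inspect_statement=True, refuse_statement=True,
    compensated=True,                       # plan is paid for the list
)


def check_samples() -> dict:
    """Run both samples; the first passes, the second fails three ways."""
    return {"individual": defects(INDIVIDUAL_INITIATED, TODAY),
            "marketing": defects(MARKETING_REQUEST, TODAY)}


if __name__ == "__main__":
    for name, found in check_samples().items():
        print(name, "accepted" if not found else found)
```

The routine is deliberately a "reject on any defect" gate rather than a score: the text says a facially deficient or incomplete document is no authorization at all, so a covered entity that disclosed on the strength of one would be acting without authorization. Revocation and material falsity are modeled as facts the record holder knows, since the form itself cannot carry them.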
We understand that it would be difficult for a covered entity to
confirm the identity of the person who signed the authorization.
We invite comment on reasonable steps that a covered entity could
take to be assured that the individual who requests the disclosure
is whom she or he purports to be.