HIPAA Privacy Regulations: Uses and Disclosures For Which an Authorization is Required: Core Elements and Requirements - § 164.508(c)
As Contained in the HHS HIPAA Privacy Rules
HHS Regulations as Amended August 2002 |
(c) Implementation specifications: Core elements and requirements—(1) Core elements. A valid authorization under this section must contain at least the following elements:
(i) A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion.
(ii) The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure.
(iii) The name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the requested use or disclosure.
(iv) A description of each purpose of the requested use or disclosure. The statement “at the request of the individual” is a sufficient description of the purpose when an individual initiates the authorization and does not, or elects not to, provide a statement of the purpose.
(v) An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure. The statement “end of the research study,” “none,” or similar language is sufficient if the authorization is for a use or disclosure of protected health information for research, including for the creation and maintenance of a research database or research repository.
(vi) Signature of the individual and date. If the authorization is signed by a personal representative of the individual, a description of such representative's authority to act for the individual must also be provided.
(2) Required statements. In addition to the core elements, the authorization must contain statements adequate to place the individual on notice of all of the following:
(i) The individual's right to revoke the authorization in writing, and either:
(A) The exceptions to the right to revoke and a description of how the individual may revoke the authorization; or
(B) To the extent that the information in paragraph (c)(2)(i)(A) of this section is included in the notice required by §164.520, a reference to the covered entity's notice.
(ii) The ability or inability to condition treatment, payment, enrollment or eligibility for benefits on the authorization, by stating either:
(A) The covered entity may not condition treatment, payment, enrollment or eligibility for benefits on whether the individual signs the authorization when the prohibition on conditioning of authorizations in paragraph (b)(4) of this section applies; or
(B) The consequences to the individual of a refusal to sign the authorization when, in accordance with paragraph (b)(4) of this section, the covered entity can condition treatment, enrollment in the health plan, or eligibility for benefits on failure to obtain such authorization.
(iii) The potential for information disclosed pursuant to the authorization to be subject to redisclosure by the recipient and no longer be protected by this subpart.
(3) Plain language requirement. The authorization must be written in plain language.
(4) Copy to the individual. If a covered entity seeks an authorization from an individual for a use or disclosure of protected health information, the covered entity must provide the individual with a copy of the signed authorization.
HHS Description of August 2002 Revisions Uses and Disclosures For Which an Authorization is Required: Core Elements and Requirements - § 164.508(c) |
Note: The HHS Description is the same as for § 164.508(a).
1. Restructuring Authorization.
December 2000 Privacy Rule. The Privacy Rule requires individual authorization for uses and disclosures of protected health information for purposes that are not otherwise permitted or required under the Rule. To ensure that authorizations are informed and voluntary, the Rule prohibits, with limited exceptions, covered entities from conditioning treatment, payment, or eligibility for benefits or enrollment in a health plan, on obtaining an authorization. The Rule also permits, with limited exceptions, individuals to revoke an authorization at any time. Additionally, the Rule sets out core elements that must be included in any authorization. These elements are intended to provide individuals with the information they need to make an informed decision about giving their authorization. This information includes specific details about the use or disclosure, and provides the individual fair notice about his or her rights with respect to the authorization and the potential for the information to be redisclosed. Additionally, the authorization must be written in plain language so individuals can read and understand its contents. The Privacy Rule required that authorizations provide individuals with additional information for specific circumstances under the following three sets of implementation specifications: in § 164.508(d), for authorizations requested by a covered entity for its own uses and disclosures; in § 164.508(e), for authorizations requested by a covered entity for another entity to disclose protected health information to the covered entity requesting the authorization to carry out treatment, payment, or health care operations; and in § 164.508(f), for authorizations requested by a covered entity for research that includes treatment of the individual.
March 2002 NPRM. Various issues were raised regarding the authorization requirements. Commenters claimed the authorization provisions were too complex and confusing. They alleged that the different sets of implementation specifications were not discrete, creating the potential for the implementation specifications for specific circumstances to conflict with the required core elements. Some covered entities were confused about which authorization requirements they should implement in any given circumstance. Also, although the Department intended to permit insurers to obtain necessary protected health information during contestability periods under State law, the Rule did not provide an exception to the revocation provision when other law provides an insurer the right to contest an insurance policy.
To address these issues, the Department proposed to simplify the authorization provisions by consolidating the implementation specifications into a single set of criteria under § 164.508(c), thus eliminating paragraphs (d), (e), and (f) which contained separate implementation specifications. Under the proposal, paragraph (c)(1) would require all authorizations to contain the following core elements: (1) a description of the information to be used or disclosed, (2) the identification of the persons or class of persons authorized to make the use or disclosure of the protected health information, (3) the identification of the persons or class of persons to whom the covered entity is authorized to make the use or disclosure, (4) a description of each purpose of the use or disclosure, (5) an expiration date or event, (6) the individual’s signature and date, and (7) if signed by a personal representative, a description of his or her authority to act for the individual. The proposal also included new language to clarify that when individuals initiate an authorization for their own purposes, the purpose may be described as “at the request of the individual.”
In the NPRM, the Department proposed that § 164.508(c)(2) require authorizations to contain the following required notifications: (1) a statement that the individual may revoke the authorization in writing, and either a statement regarding the right to revoke and instructions on how to exercise such right or, to the extent this information is included in the covered entity’s notice, a reference to the notice, (2) a statement that treatment, payment, enrollment, or eligibility for benefits may not be conditioned on obtaining the authorization if such conditioning is prohibited by the Privacy Rule, or, if conditioning is permitted by the Privacy Rule a statement about the consequences of refusing to sign the authorization, and (3) a statement about the potential for the protected health information to be redisclosed by the recipient.
Also under the proposal, covered entities would be required to obtain an authorization to use or disclose protected health information for marketing purposes, and to disclose in such authorizations any direct or indirect remuneration the covered entity would receive from a third party as a result of obtaining or disclosing the protected health information. The other proposed changes regarding marketing are discussed in section III.A.1. of the preamble.
The NPRM proposed a new exception to the revocation provision at § 164.508(b)(5)(ii) for authorizations obtained as a condition of obtaining insurance coverage when other law gives the insurer the right to contest the policy. Additionally, the Department proposed that the exception to permit conditioning payment of a claim on obtaining an authorization be deleted, since the proposed provision to permit the sharing of protected health information for the payment activities of another covered entity or a health care provider would eliminate the need for an authorization in such situations.
Finally, the Department proposed modifications at § 164.508(a)(2)(i)(A), (B), and (C), to clarify its intent that the proposed provisions for sharing protected health information for the treatment, payment, or health care operations of another entity would not apply to psychotherapy notes.
There were a number of proposed modifications concerning authorizations for research purposes. Those modifications are discussed in section III.E.2. of the preamble.
2. Research Authorizations.
December 2000 Privacy Rule. The Privacy Rule requires covered entities to obtain an individual’s voluntary and informed authorization before using or disclosing protected health information for any purpose that is not otherwise permitted or required under the Rule. Uses and disclosures of protected health information for research purposes are subject to the same authorization requirements as uses and disclosures for other purposes. However, for research that includes treatment of the individual, the December 2000 Privacy Rule prescribed special authorization requirements at § 164.508(f). The December 2000 Privacy Rule, at § 164.508(b)(5), also permitted individuals to revoke their authorization at any time, with limited exceptions. Further, the December 2000 Privacy Rule prohibited the combining of the authorization for the use or disclosure of existing protected health information with any other legal permission related to the research study.
March 2002 NPRM. Several of those who commented on the December 2000 Privacy Rule argued that certain authorization requirements in § 164.508 were unduly complex and burdensome as applied to research uses and disclosures. In particular, several commenters favored eliminating the Rule’s specific provisions at § 164.508(f) for authorizations for uses and disclosures of protected health information for research that includes treatment of the individual. The Department also heard from several provider groups who argued in favor of permitting covered entities to combine all of the research authorizations required by the Privacy Rule with the informed consent to participate in the research. Commenters also noted that the Rule’s requirement for an “expiration date or event that relates to the individual or the purpose of the use or disclosure” runs counter to the needs of research databases and repositories that are often retained indefinitely.
In response to these concerns, the Department proposed to a number of modifications to simplify the authorization requirements both generally, and in certain circumstances, as they specifically applied to uses and disclosures of protected health information for research. In particular, the Department proposed a single set of authorization requirements for all uses and disclosures, including those for research purposes. This proposal would eliminate the additional authorization requirements for the use and disclosure of protected health information created for research that includes treatment of the individual. Consistent with this proposed change, the Department further proposed to modify the requirements prohibiting the conditioning of authorizations at § 164.508(b)(4)(i) to remove the reference to § 164.508(f).
In addition, the Department proposed that the Privacy Rule permit an authorization for the use or disclosure of protected health information to be combined with any other legal permission related to the research study, including another authorization or consent to participate in the research.
Finally, the Department proposed to provide explicitly that the statement, “end of a research study,” or similar language be sufficient to meet the requirement for an expiration date in § 164.508(c)(1)(v). Additionally, the Department proposed that the statement “none” or similar language be sufficient to meet this provision if the authorization was for a covered entity to use or disclose protected health information for the creation or maintenance of a research database or repository.
HHS Explanation of Final Modifications Uses and Disclosures For Which an Authorization is Required: Core Elements and Requirements |
Note: The HHS Modification Explanation is the same as for § 164.508(a).
1. Restructuring Authorization.
In the final modifications, the Department adopts the changes proposed in the NPRM. Since the modifications to the authorization provision are comprehensive, the Department is publishing this section in its entirety so that it will be easier to use and understand. Therefore, the preamble addresses all authorization requirements, and not just those that were modified.
In § 164.508(a), covered entities are required to obtain an authorization for uses and disclosures of protected health information, unless the use or disclosure is required or otherwise permitted by the Rule. Covered entities may use only authorizations that meet the requirements of § 164.508(b), and any such use or disclosure will be lawful only to the extent it is consistent with the terms of such authorization. Thus, a voluntary consent document will not constitute a valid permission to use or disclose protected health information for a purpose that requires an authorization under the Rule.
Although the requirements regarding uses and disclosures of psychotherapy notes are not changed substantively, the Department made minor changes to the language in paragraph (a)(2) to clarify that a covered entity may not use or disclose psychotherapy notes for purposes of another covered entity’s treatment, payment, or health care operations without obtaining the individual’s authorization. However, covered entities may use and disclose psychotherapy notes, without obtaining individual authorization, to carry out its own limited treatment, payment, or health care operations as follows: (1) use by the originator of the notes for treatment, (2) use or disclosure for the covered entity’s own training programs for its mental health professionals, students, and trainees, and (3) use or disclosure by the covered entity to defend itself in a legal action or other proceeding brought by the individual.
Section 164.508(a)(3) requires covered entities to obtain an authorization to use or disclose protected health information for marketing purposes, with two exceptions. The authorization requirements for marketing and the comments received on these provisions are discussed in detail in section III.A.1. of the preamble.
If the marketing involves any direct or indirect remuneration to the covered entity from a third party, the authorization must state that fact. The comments on this requirement also are discussed in section III.A.1. of the preamble. However, a statement concerning remuneration is not a required notification for other authorizations. Such a statement was never required for all authorizations and the Department believes it would be most meaningful for consumers on authorizations for uses and disclosures of protected health information for marketing purposes. Some commenters urged the Department to require remuneration statements on research authorizations. The Department has not done so because the complexity of such arrangements would make it difficult to define what constitutes remuneration in the research context. Moreover, to require covered entities to disclose remuneration by a third party on authorizations for research would go beyond the requirements imposed in the December 2000 Rule, which did not require such a disclosure on authorizations obtained for the research of a third party. The Department believes that concerns regarding financial conflicts of interest that arise in research are not limited to privacy concerns, but also are important to the objectivity of research and to protecting human subjects from harm. Therefore, in the near future, the Department plans to issue guidance for the research community on this important topic.
Pursuant to§ 164.508(b)(1), an authorization is not valid under the Rule unless it contains all of the required core elements and notification statements, which are discussed below. Covered entities may include additional, non-required elements so long as they are not inconsistent with the required elements and statements. The language regarding defective authorizations in § 164.508(b)(2) is not changed substantively. However, some changes are made to conform this paragraph to modifications to other parts of the authorization provision, as well as other sections of the Rule. An authorization is not valid if it contains any of the following defects: (1) the expiration date has passed or the expiration event has occurred, and the covered entity is aware of the fact, (2) any of the required core elements or notification statements are omitted or incomplete, (3) the authorization violates the specifications regarding compounding or conditioning authorizations, or (4) the covered entity knows that material information in the authorization is false.
In § 164.508(b)(3) regarding compound authorizations, the requirements for authorizations for purposes other than research are not changed. That is, authorizations for use or disclosure of psychotherapy notes may be combined only with another authorization for the use or disclosure of psychotherapy notes. Other authorizations may be combined, unless a covered entity has conditioned the provision of treatment, payment, enrollment in a health plan, or eligibility for benefits on one of the authorizations. A covered entity generally may not combine an authorization with any other type of document, such as a notice of privacy practices or a written voluntary consent. However, there are exceptions for research authorizations, which are discussed in section III.E.2. of the preamble.
Section 164.508(b)(4) prohibits the conditioning of treatment, payment, enrollment in a health plan, or eligibility for benefits on obtaining an authorization, with a few exceptions. The exceptions to this requirement for research-related treatment, eligibility for benefits and enrollment in a health plan, and health care solely for creating protected health information for disclosure to a third party are not changed. Moreover, the Department eliminates the exception to the prohibition on conditioning payment of a claim on obtaining an authorization. Although some insurers urged that this conditioning authority be retained to provide them with more collection options, the Department believes this authorization is no longer necessary because we are adding a new provision in § 164.506 that permits covered entities to disclose protected health information for the payment purposes of another covered entity or health care provider. Therefore, that exception has been eliminated.
Section 164.508(b)(5) provides individuals the right to revoke an authorization at any time in writing. The two exceptions to this right are retained, but with some modification. An individual may not revoke an authorization if the covered entity has acted in reliance on the authorization, or if the authorization was obtained as a condition of obtaining insurance coverage and other law gives the insurer the right to contest the claim or the policy itself. The Department adopts the proposed modification to the latter exception so that insurers can exercise the right to contest an insurance policy under other law. Public comment was generally supportive of this proposed modification.
Section 164.508(b)(6) requires covered entities to document and retain authorizations as required under § 164.530(j). This requirement is not changed.
The different sets of implementation criteria are consolidated into one set of criteria under § 164.508(c), thus eliminating the confusion and uncertainty associated with different requirements for specific circumstances. Covered entities may use one authorization form for all purposes. The Department adopts in paragraph (c)(1), the following core elements for a valid authorization: (1) a description of the information to be used or disclosed, (2) the identification of the persons or class of persons authorized to make the use or disclosure of the protected health information, (3) the identification of the persons or class of persons to whom the covered entity is authorized to make the use or disclosure, (4) a description of each purpose of the use or disclosure, (5) an expiration date or event, (6) the individual’s signature and date, and (7) if signed by a personal representative, a description of his or her authority to act for the individual. An authorization that does not contain all of the core elements does not meet the requirements for a valid authorization. The Department intends for the authorization process to provide individuals with the opportunity to know and understand the circumstances surrounding a requested authorization.
To further protect the privacy interests of individuals, when individuals initiate an authorization for their own purposes, the purpose may be stated as “at the request of the individual.” Other changes to the core elements pertain to authorizations for research, and are discussed in section III.E.2. of the preamble.
Also, under § 164.508(c)(2), an authorization is not valid unless it contains all of the following: (1) a statement that the individual may revoke the authorization in writing, and either a statement regarding the right to revoke, and instructions on how to exercise such right or, to the extent this information is included in the covered entity’s notice, a reference to the notice, (2) a statement that treatment, payment, enrollment, or eligibility for benefits may not be conditioned on obtaining the authorization if such conditioning is prohibited by the Privacy Rule or, if conditioning is permitted, a statement about the consequences of refusing to sign the authorization, and (3) a statement about the potential for the protected health information to be redisclosed by the recipient. Although the notification statements are not included in the paragraph on core elements an authorization is not valid unless it contains both the required core elements, and all of the required statements. This is the minimum information the Department believes is needed to ensure individuals are fully informed of their rights with respect to an authorization and to understand the consequences of authorizing the use or disclosure. The required statements must be written in a manner that is adequate to place the individual on notice of the substance of the statements.
In response to comments, the Department clarifies that the statement regarding the potential for redisclosure does not require an analysis of the risk for redisclosure, but may be a general statement that the health information may no longer be protected by the Privacy Rule once it is disclosed by the covered entity. Others objected to this statement because individuals might be hesitant to sign an authorization if they new their protected health information could be redisclosed and no longer protected by the Rule. In response, the Department believes that individuals need to know about the consequences of authorizing the disclosure of their protected health information. As the commenter recognized, the potential for redisclosure may, indeed, be an important factor in an individual’s decision to give or deny a requested authorization.
Others suggested that the statement regarding redisclosure should be omitted when an authorization is obtained only for a use, since such a statement would be confusing and inappropriate when the covered entity maintains the information. Similarly, some commenters were concerned that the statement may be misleading where the recipient of the information, although not a covered entity, will keep the information confidential. In response, the Department clarifies that, while a general statement would suffice, a covered entity has the discretion to provide a more definitive statement where appropriate. Thus, the covered entity requesting an authorization for its own use of protected health information may provide assurances that the information will remain subject to the Privacy Rule. Similarly, if a third party, such as a researcher, is seeking an authorization for research, the statement may refer to the privacy protections that the researcher will provide for the data.
Under § 164.508(c)(3), authorizations must be written in plain language so that individuals can understand the information contained in the form, and thus be able to make an informed decision about whether to give the authorization. A few commenters urged the Department to keep the plain language requirement as a core element of a valid authorization. Under the December 2000 Rule, the plain language requirement was not a requisite for a valid authorization. Nevertheless, under both the December 2000 Rule and the final modifications, authorizations must be written in plain language. The fact that the plain language requirement is not a core element does not diminish its importance or effect, and the failure to meet this requirement is a violation of the Rule.
Finally, under § 164.508(c)(4), covered entities who seek an authorization are required to provide the individual with a copy of the signed authorization form.
2. Research Authorizations.
The Department agrees with the commenters that supported the NPRM’s proposed simplification of authorizations for research uses and disclosures of protected health information and, therefore, adopts the modifications to these provisions as proposed in the NPRM. The final Rule requires a single set of authorization requirements for all uses and disclosures, including those for research purposes, and permits an authorization for the use or disclosure of protected health information to be combined with any other legal permission related to the research study, including another authorization or consent to participate in the research.
In addition, in response to commenters’ concerns that the Rule would prohibit important uses and disclosures of protected health information after the termination of a research project, the final Rule eliminates the requirement for an expiration date for all uses and disclosures of protected health information for research purposes, not only for the creation and maintenance of a research database or repository. The Department agrees that the line between research repositories and databases in particular, and research data collection in general, is sometimes arbitrary and unclear. If the authorization for research uses and disclosures of protected health information does not have an expiration date, the final Rule at § 164.508(c)(1)(v), requires that this fact be stated on the authorization form. Patients continue to control whether protected health information about them may be used or disclosed for research, since the authorization must include an expiration date or event, or a statement that the authorization will have no expiration date. In addition, patients will be permitted to revoke their authorization at any time during the research project, except as specified under § 164.508(b)(5). However, the Department notes that researchers may choose to include, and covered entities may choose to require, an expiration date when appropriate.
Although the final Rule does not modify the revocation provision at § 164.508(b)(5), in response to commenters’ concerns, the Department clarifies that this provision permits covered entities to continue using and disclosing protected health information that was obtained prior to the time the individual revoked his or her authorization, as necessary to maintain the integrity of the research study. An individual may not revoke an authorization to the extent the covered entity has acted in reliance on the authorization. For research uses and disclosures, this reliance exception at § 164.508(b)(5)(i) permits the continued use and disclosure of protected health information already obtained pursuant to a valid authorization to the extent necessary to preserve the integrity of the research study. For example, the reliance exception would permit the continued use and disclosure of protected health information to account for a subject’s withdrawal from the research study, as necessary to incorporate the information as part of a marketing application submitted to the FDA, to conduct investigations of scientific misconduct, or to report adverse events. However, the reliance exception would not permit a covered entity to continue disclosing additional protected health information to a researcher or to use for its own research purposes information not already gathered at the time an individual withdraws his or her authorization. The Department believes that this clarification of the Rule will minimize the negative effects on research caused by participant withdrawal and will allow for important continued uses and disclosures to occur, while maintaining privacy protections for research subjects.
HHS Response to Comments Received - Published With the August 2002 Revisions Uses and Disclosures For Which an Authorization is Required: Core Elements and Requirements |
Note: The HHS Response to Comments is the same as for § 164.508(a).
1. Restructuring Authorization.
Overview of Public Comments. The following discussion provides an overview of the public comment received on this proposal.
There was overwhelming support for the proposed modifications. Overall, supporters were of the opinion that the consolidation and simplification would promote efficiency, simplify compliance, and reduce confusion. Many commenters claimed the changes would eliminate barriers to quality health care. Some commenters claimed the proposed modifications would make the authorization process easier for both providers and individuals, and one commenter said they would make authorizations easier to read and understand. A number of commenters stated the changes would not have adverse consequences for individuals, and one commenter noted the proposal would preserve the opportunity for individuals to give a meaningful authorization.
However, some of the proponents suggested the Department go further to ease the administrative burden of obtaining authorizations. Some urged the Department to eliminate some of the required elements which they perceived as unnecessary to protect privacy, while others suggested that covered entities should decide which elements were relevant in a given situation. Some commenters urged the Department to retain the exception to the prohibition on conditioning payment of a claim on obtaining an authorization. These commenters expressed fear that the voluntary consent process and/or the right to request restrictions on uses and disclosures for treatment, payment, or health care operations might prevent covered entities from disclosing protected health information needed for payment purposes, or providers may be reluctant to cooperate in disclosures for payment purposes based on inadequately drafted notices.
Comments were divided on the proposed requirement to disclose remuneration in marketing authorizations. Recommendations ranged from requiring the disclosure of remuneration on all authorizations, to eliminating the requirement all together.
Response to Other Public Comments.
Comment: A number of commenters specifically expressed support of the proposed authorization requirement for marketing, and urged the Department to adopt the requirement. However, one commenter claimed that requiring authorizations for marketing would reduce hospitals’ ability to market their programs and services effectively in order to compete in the marketplace, and that obtaining, storing, and maintaining marketing authorizations would be too burdensome.
Response: In light of the support in the comments, the Department has adopted the proposed requirement for an authorization before a covered entity may use or disclose protected health information for marketing. However, the commenter is mistaken that this requirement will interfere with a hospital’s ability to promote its own program and services within the community. First, such broad-based marketing is likely taking place without resort to protected health information, through dissemination of information about the hospital through community-wide mailing lists. Second, under the Privacy Rule, a communication is not marketing if a covered entity is describing its own products and services. Therefore, nothing in the Rule will inhibit a hospital from competing in the marketplace by communicating about its programs and services.
Comment: One commenter suggested that authorizations for marketing should clearly indicate that they are comprehensive and may contain sensitive protected health information.
Response: The Department treats all individually identifiable health information as sensitive and equally deserving of protections under the Privacy Rule. The Rule requires all authorizations to contain the specified core elements to ensure individuals are given the information they need to make an informed decision. One of the core elements for all authorizations is a clear description of the information that is authorized to be used or disclosed in specific and meaningful terms. The authorization process provides the individual with the opportunity to ask questions, negotiate how their information will be used and disclosed, and ultimately to control whether these uses and disclosures will be made.
Comment: Several commenters urged the Department to retain the existing structure of the implementation specifications, whereby the notification statements about the individual’s right to revoke and the potential for redisclosure are “core elements.” It was argued that this information is essential to an informed decision. One of the commenters claimed that moving them out of the core elements and only requiring a statement adequate to put the person on notice of the information would increase uncertainty, and that these two elements are too important to risk inadequate explanation.
Response: The Department agrees that the required notification statements are essential information that a person needs in order to make an informed decision about authorizing the use or disclosure of protected health information. Individuals need to know what rights they have with respect to an authorization, and how they can exercise those rights. However, separating the core elements and notification statements into two different subparagraphs does not diminish the importance or effect of the notification statements. The Department clarifies that both the core elements and the notification statements are required, and both must be included for an authorization to be valid.
Comment: Several commenters urged the Department to eliminate unnecessary authorization contents. They argued the test should be whether the person needs the information to protect his or her privacy, and cited the disclosure of remuneration by a third party as an example of unnecessary content, alleging that the disclosure of remuneration is not relevant to protecting privacy. One commenter suggested that covered entities should be given the flexibility to decide which contents are applicable in a given situation.
Response: The Department believes the core elements are all essential information. Individuals need to know this information to make an informed decision about giving the authorization to use or disclose their protected health information. Therefore, the Department believes all of the core elements are necessary content in all situations. The Department does not agree that the remuneration statement required on an authorization for uses and disclosures of an individual’s protected health information for marketing purposes is not relevant to protecting privacy. Individuals exercise control over the privacy of their protected health information by either giving or denying an authorization, and remuneration from a third party to the covered entity for obtaining an authorization for marketing is an important factor in making that choice.
Comment: One commenter suggested that covered entities should not be required to state on an authorization a person’s authority to act on an individual’s behalf, and they should be trusted to require such identification or proof of legal authority when the authorization is signed. The commenter stated that this requirement only increases administrative burden for covered entities.
Response: The Department does not agree. The authorization requirement is intended to give individuals some control over uses and disclosures of protected health information that are not otherwise permitted or required by the Rule. Therefore, the Rule requires that covered entities verify and document a person’s authority to sign an authorization on an individual’s behalf, since that person is exercising the individual’s control of the information. Furthermore, the Department understands that it is a current industry standard to verify and document a person’s authority to sign any legal permission on another person’s behalf. Thus, the requirement should not result in any undue administrative burden for covered entities.
Comment: One commenter suggested that the Department should require authorizations to include a complete list of entities that will use and share the information, and that the individual should be notified periodically of any changes to the list so that the individual can provide written authorization for the changes.
Response: It may not always be feasible or practical for covered entities to include a comprehensive list of persons authorized to use and share the information disclosed pursuant to an authorization. However, individuals may discuss this option with covered entities, and they may refuse to sign an authorization that does not meet their expectations. Also, subject to certain limitations, individuals may revoke an authorization at any time.
Comment: One commenter asked for clarification that a health plan may not condition a provider’s participation in the health plan on seeking authorization for the disclosure of psychotherapy notes, arguing that this practice would coerce providers to request, and patients to provide, an authorization to disclose psychotherapy notes.
Response: The Privacy Rule does not permit a health plan to condition enrollment, eligibility for benefits, or payment of a claim on obtaining the individual’s authorization to use or disclose psychotherapy notes. Nor may a health care provider condition treatment on an authorization for the use or disclosure of psychotherapy notes. In a situation such as the one described by the commenter, the Department would look closely at whether the health plan was attempting to accomplish indirectly that which the Rule prohibits. These prohibitions are to ensure that the individual’s permission is wholly voluntary and informed with regard to such an authorization. To meet these standards, in the circumstances set forth in the comment, the Department would expect the provider subject to such a requirement by the health plan to explain to the individual in very clear terms that, while the provider is required to ask, the individual remains free to refuse to authorize the disclosure and that such refusal will have no effect on either the provision of treatment or the individual’s coverage under, and payment of claims by, the health plan.
Comment: A few commenters suggested the Department should allow covered entities to combine an authorization with other documents, such as the notice acknowledgment, claiming it would reduce administrative burden and paperwork, as well as reduce patient confusion and waiting times, without compromising privacy protections.
Response: The Department disagrees that combining an authorization with other documents, such as the notice acknowledgment, would be less confusing for individuals. To the contrary, the Department believes that combining unrelated documents would be more confusing. However, the Rule does permit an authorization to be combined with other authorizations so long as the provision of treatment, payment, enrollment in a health plan or eligibility for benefits is not conditioned on obtaining any of the authorizations, and the authorization is not for the use or disclosure of psychotherapy notes.
Also, authorizations must contain the same information, whether it is a separate document or combined with another document; and the individual must be given the opportunity to read and discuss that information. Combining an authorization with routine paperwork diminishes individuals’ ability to make a considered and informed judgment to permit the use or disclosure of their medical information for some other purpose.
Comment: One commenter stated that the requirement for covered entities to use only authorizations that are valid under the Rule must be an unintended result of the Rule, because covered entities would have to use only valid authorizations when requesting information from non-covered entities. The commenter did not believe the Department intended this requirement to apply with respect to non-covered entities, and gave the example of dental health plans obtaining protected health information in connection with paper claims submitted by dental offices. The commenter requested clarification that health plans may continue to use authorization forms currently in use for all claims submitted by non-covered entities.
Response: The commenter misapprehends the Rule’s requirements. The requirements apply to uses and disclosure of protected health information by covered entities. In the example provided, where a health plan is requesting additional information in support of a claim for payment by a non-covered health care provider, the health plan is not required to use an authorization. The plan does not need the individual’s authorization to use protected health information for payment purposes, and the non-covered health care provider is not subject to any of the Rule’s requirements. Therefore, the exchange of information may occur as it does today. The Department notes that, based on the modifications regarding consent adopted in this rulemaking, neither a consent nor an authorization would be required in this example even if the health care provider was also a covered entity.
Comment: Several commenters urged the Department to add a transition provision to permit hospitals to use protected health information in already existing databases for marketing and outreach to the communities they serve. Commenters claimed that these databases are important assets that would take many years to rebuild, and hospitals may not have an already existing authorization or other express legal permission for such use of the information. They contended that, without a transition provision, these databases would become useless under the Rule. Commenters suggested the Department should adopt an “opt out” provision that would allow continued use of these databases to initially communicate with the persons listed in the database; at that time, they could obtain authorization for future communications, thus providing a smooth transition.
Response: Covered entities are provided a two-year period in which to come into compliance with the Privacy Rule. One of the purposes of the compliance period is to allow covered entities sufficient time to undertake actions such as those described in the comment (obtaining the legal permissions that would permit databases to continue to operate after the compliance date). An additional transition period for these activities has not been justified by the commenters. However, the Department notes that a covered entity is permitted to use the information in a database for communications that are either excepted from or that do not meet the definition of “marketing” in § 164.501, without individual authorization. For example, a hospital may use protected health information in an existing database to distribute information about the services it provides, or to distribute a newsletter with general health or wellness information that does not promote a particular product or service.
2. Research Authorizations.
Overview of Public Comments. The following discussion provides an overview of the public comment received on this proposal.
The vast majority of commenters were very supportive of the proposed revisions to the Rule’s provisions for research authorizations. However, the Department did hear from several commenters that the Privacy Rule’s requirement for an expiration date or event should be eliminated for all research uses and disclosures of protected health information, not just for uses and disclosures for the creation or maintenance of a research database or repository, as was proposed in the NPRM. These commenters were concerned that the Privacy Rule would prohibit important uses and disclosures of protected health information after the termination of a research project, such as the reporting of research results to the Food and Drug Administration (FDA) for an FDA investigational new drug application, unless the covered entity obtained another patient authorization. In addition, several of these commenters cited confusion in defining repositories and databases. Some of these commenters stated that an individual who authorizes information to be used for an indeterminate time most likely expects and intends for the information to be used and disclosed if needed well into the future, regardless of whether or not the research involves the use or disclosure of protected health information for the creation or maintenance of a database or repository.
Several commenters responded to the Department’s request for comments on how to appropriately limit uses and disclosures following revocation of an authorization, while preserving the integrity of the research. The NPRM attempted to clarify that “even though a revocation will prevent a covered entity from further disclosing protected health information for research purposes, the exception to this requirement is intended to allow for certain continued uses of information as appropriate to preserve the integrity of the research study.” However, the NPRM further stated that “if covered entities were permitted to continue using or disclosing protected health information for the research project even after an individual had revoked his or her authorization, this would undermine the primary objective of the authorization requirements to be a voluntary, informed choice of the individual.” Several commenters were concerned and confused by the NPRM’s statements. In particular, the Department received comments urging that the regulation permit covered entities to use and disclose research data already obtained, even after an individual has withdrawn his or her authorization. These commenters suggested that once a subject has authorized the use and disclosure of protected health information for research and the covered entity has relied on the authorization, the covered entity must retain the ability to use or disclose the subject’s pre-withdrawal information for purposes consistent with the overall research. One commenter argued that it would be inadequate for the reliance exception at § 164.508(b)(5) to be interpreted to permit continued uses of the individual’s information as appropriate only to account for an individual’s withdrawal from the study. In this commenter’s opinion, most research would call for the continued use of protected health information obtained prior to an individual’s revocation of their authorization to safeguard statistical validity and truly to preserve the integrity of human research.
Response to Other Public Comments.
Comment: In opposition to the March 2002 NPRM, one commenter suggested prohibiting the combining of authorization forms with an informed consent when the covered entity disclosing the protected health information is not otherwise participating in research. The commenter argued that the NPRM would allow covered entities to receive more information than necessary to fulfill a patient’s authorization request, such as information about the particular type or purpose of the study itself, and could, thereby, violate the patient’s privacy.
Response: The Department acknowledges the concern raised by these commenters; however, prohibiting the combination of authorization forms with an informed consent reduces the flexibility proposed in the March 2002 NPRM. Since the final modifications permit, but do not require, such combining of forms, the Department has decided to leave it to the discretion of researchers or the IRBs to determine whether the combining of authorization forms and consent forms for research would be appropriate for a particular research study.
Comment: Some commenters supported retaining the December 2000 Privacy Rule requirement that a description of the extent to which protected health information will be used or disclosed for treatment, payment, or health care operations be included in an authorization to use or disclose protected health information for a research study that includes treatment of individuals. These commenters argued that an individual’s ability to make informed decisions requires that he or she know how research information will and will not be used and disclosed.
Response: The Department agrees with the majority of the commenters who were in support of the March 2002 NPRM proposal to eliminate the additional authorization requirements for research that includes treatment, and has adopted these proposed modifications in the final Rule. Retaining the distinction between research that involves treatment and research that does not would require overly subjective decisions without providing commensurate privacy protections for individuals. However, the Department notes that it may sometimes be advisable for authorization forms to include a statement regarding how protected health information obtained for a research study will be used and disclosed for treatment, payment, and health care operations, if such information would assist individuals in making informed decisions about whether or not to provide their authorization for a research study.
Comment: One commenter argued that expiration dates should be included on authorizations and that extensions should be required for all research uses and disclosures made after the expiration date or event has passed.
Response: The Department disagrees. We have determined that an expiration date or event would not always be feasible or desirable for some research uses and disclosures of protected health information. By allowing for no expiration date, the final Rule permits without separate patient authorization important disclosures even after the “termination of the research project” that might otherwise be prohibited. However, the final Rule contains the requirement that the patient authorization specify if the authorization would not have an expiration date or event. Therefore, patients will have this information to make an informed decision about whether to sign the authorization.
Comment: Another commenter suggested permitting covered entities/researchers to continue using or disclosing protected health information even after a revocation of the initial authorization but only if an IRB or Privacy Board approved the continuation. This commenter argued that such review by an IRB or Privacy Board would protect privacy, while permitting continued uses and disclosures of protected health information for important purposes.
Response: As stated above, the Department agrees that it may sometimes be necessary to continue using and disclosing protected health information even after an individual has revoked his or her authorization in order to preserve the integrity of a research study. Therefore, the Department has clarified that the reliance exception at § 164.508(b)(5)(i) would permit the continued use and disclosure of protected health information already obtained pursuant to a valid authorization to the extent necessary to preserve the integrity of the research study. A requirement for documentation of IRB or Privacy Board review and approval of the continued use or disclosure of protected health information after an individual’s authorization had been revoked could protect patient privacy. However, the Department believes that the additional burden on the IRB or Privacy Board could be substantial, and is not warranted at this time.
Comment: A commenter requested clarification that the “reliance exception” does not permit covered entities as researchers to continue analyzing data once an individual has revoked his or her authorization.
Response: As discussed above, the Department disagrees with this comment. Patient privacy must be balanced against other public goods, such as research and the risk of compromising such research projects if researchers could not continue to use such data. The Department determined that permitting continued uses and disclosures of protected health information already obtained to protect the integrity of research, even after an individual’s authorization has been revoked, would pose minimal privacy risk to individuals without compromising research.
Comment: Several commenters suggested permitting the proposed authorization requirement for a “description of each purpose of the requested use or disclosure” at § 164.508 to be sufficiently broad to encompass future unspecified research. These commenters argued that this option would reduce the burden for covered entities and researchers by permitting covered entities to use or disclose protected health information for re-analysis without having to obtain an additional authorization from the individual. Some discussed the possibility that burden for patients would also be reduced because they would not have to provide additional authorizations. These commenters also argued that such a provision would more directly align the Rule with the Common Rule, which permits broad informed consent for secondary studies if the IRB deems the original informed consent to be adequate.
Response: The Department disagrees with broadening the required “description of the purpose of the use or disclosure” because of the concern that patients would lack necessary information to make an informed decision. In addition, unlike the Common Rule, the Privacy Rule does not require IRB or Privacy Board review of research uses and disclosures made with individual authorization. Therefore, instead of IRBs or Privacy Boards reviewing the adequacy of existing patient authorizations, covered entities would be left to decide whether or not the initial authorization was broad enough to cover subsequent research analyses. Furthermore, it should be noted that patient authorization would not be required for such re-analysis if, with respect to the re-analysis, the covered entity obtains IRB or Privacy Board waiver of such authorization as required by § 164.512(i). For these reasons, the Department has decided to retain the requirement that each purpose of the requested use or disclosure described in the authorization form be research study specific. However, the Department understands that, in the past, some express legal permissions and informed consents have not been study-specific and sometimes authorize the use or disclosure of information for future unspecified research. Furthermore, some IRB-approved waivers of informed consent have been for future unspecified research. Therefore, the final Rule at § 164.532 permits covered entities to rely on an express legal permission, informed consent, or IRB-approved waiver of informed consent for future unspecified research, provided the legal permission, informed consent or IRB-approved waiver was obtained prior to the compliance date.
Comment: Several commenters suggested retaining the authorization element requiring a statement regarding “the potential for information disclosed pursuant to the authorization to be subject to redisclosure by the recipient and no longer protected by this Rule” but with one addition. This addition would state that “researchers could only use or disclose the protected health information for purposes approved by the IRB or as required by law or regulation.” These commenters argued that this would be clearer to participants and would prevent the misconception that their information would not be protected by any confidentiality standards.
Response: The Department recognizes the concern of the commenters seeking to supplement the requirement, but points out that, although the final Rule will not require this addition, it is permissible to include such a statement in the authorization. In addition, since the Privacy Rule does not require IRB or Privacy Board review of research uses and disclosures made with patient authorization, the Department determined that adding the commenters’ suggestion to the final Rule would be inappropriate. Section III.E.1. above provides further discussion of this provision.