HIPAA Privacy Regulations: Uses and Disclosures to Carry Out Treatment, Payment or Health Care Operations: Consent for Uses and Disclosures Permitted - § 164.506(b)

As Contained in the HHS HIPAA Privacy Rules

HHS Regulations as Amended August 2002
Uses and Disclosures to Carry Out Treatment, Payment or Health Care Operations: Consent for Uses and Disclosures Permitted - § 164.506(b)

A covered entity may obtain consent of the individual to use or disclose protected health information to carry out treatment, payment, or health care operations.
Consent, under paragraph (b) of this section, shall not be effective to permit a use or disclosure of protected health information when an authorization, under § 164.508, is required or when another condition must be met for such use or disclosure to be permissible under this subpart.

HHS Description of August 2002 Revisions
Uses and Disclosures to Carry Out Treatment, Payment or Health Care Operations: Consent for Uses and Disclosures Permitted

Note: The HHS Description is the same as for § 164.506(a).

December 2000 Privacy Rule. Treatment and payment for health care are core functions of the health care industry, and uses and disclosures of individually identifiable health information for such purposes are critical to the effective operation of the health care system. Health care providers and health plans must also use individually identifiable health information for certain health care operations, such as administrative, financial, and legal activities, to run their businesses and to support the essential health care functions of treatment and payment. Equally important are health care operations designed to maintain and improve the quality of health care. In developing the Privacy Rule, the Department balanced the privacy implications of uses and disclosures for treatment, payment, and health care operations and the need for these core activities to continue. The Department considered the fact that many individuals expect that their health information will be used and disclosed as necessary to treat them, bill for treatment, and, to some extent, operate the covered entity’s health care business. Given public expectations with respect to the use or disclosure of information for such activities and so as not to interfere with an individual’s access to quality health care or the efficient payment for such health care, the Department’s goal is, and has always been, to permit these activities to occur with little or no restriction.

Consistent with this goal, the Privacy Rule published in December 2000 generally provided covered entities with permission to use and disclose protected health information as necessary for treatment, payment, and health care operations. For certain health care providers that have direct treatment relationships with individuals, such as many physicians, hospitals, and pharmacies, the December 2000 Privacy Rule required such providers to obtain an individual’s written consent prior to using or disclosing protected health information for these purposes. The Department designed consent as a one-time, general permission from the individual, which the individual would have had the right to revoke. A health care provider could have conditioned treatment on the receipt of consent. Other covered entities also could have chosen to obtain consent but would have been required to follow the consent standards if they opted to do so.

The consent requirement for health care providers with direct treatment relationships was a significant change from the Department’s initial proposal published in November 1999. At that time, the Department proposed to permit all covered entities to use and disclose protected health information to carry out treatment, payment, and health care operations without any requirement that the covered entities obtain an individual’s consent for such uses and disclosures, subject to a few limited exceptions. Further, the Department proposed to prohibit covered entities from obtaining an individual’s consent for uses and disclosures of protected health information for these purposes, unless required by other applicable law.

The transition provisions of the Privacy Rule permit covered health care providers that were required to obtain consent to use and disclose protected health information they created or received prior to the compliance date of the Privacy Rule for treatment, payment, or health care operations if they had obtained consent, authorization, or other express legal permission to use or disclose such information for any of these purposes, even if such permission did not meet the consent requirements of the Privacy Rule.

March 2002 NPRM. The Department heard concerns about significant practical problems that resulted from the consent requirements in the Privacy Rule. Covered entities and others provided numerous examples of obstacles that the consent provisions would pose to timely access to health care. These examples extended to various types of providers and various settings. The most troubling, pervasive problem was that health care providers would not have been able to use or disclose protected health information for treatment, payment, or health care operations purposes prior to their initial face-to-face contact with the patient, something which is routinely done today to provide patients with timely access to quality health care. A list of some of the more significant examples and concerns are as follows:

Pharmacists would not have been able to fill a prescription, search for potential drug interactions, determine eligibility, or verify coverage before the individual arrived at the pharmacy to pick up the prescription if the individual had not already provided consent under the Privacy Rule.
Hospitals would not have been able to use information from a referring physician to schedule and prepare for procedures before the individual presented at the hospital for such procedure, or the patient would have had to make a special trip to the hospital to sign the consent form.
Providers who do not provide treatment in person may have been unable to provide care because they would have had difficulty obtaining prior written consent to use protected health information at the first service delivery.
Emergency medical providers were concerned that, if a situation was urgent, they would have had to try to obtain consent to comply with the Privacy Rule, even if that would be inconsistent with appropriate practice of emergency medicine.
Emergency medical providers were also concerned that the requirement that they attempt to obtain consent as soon as reasonably practicable after an emergency would have required significant efforts and administrative burden which might have been viewed as harassing by individuals, because these providers typically do not have ongoing relationships with individuals.
Providers who did not meet one of the consent exceptions were concerned that they could have been put in the untenable position of having to decide whether to withhold treatment when an individual did not provide consent or proceed to use information to treat the individual in violation of the consent requirements.
The right to revoke a consent would have required tracking consents, which could have hampered treatment and resulted in large institutional providers deciding that it would be necessary to obtain consent at each patient encounter instead.
The transition provisions would have resulted in significant operational problems, and the inability to access health records would have had an adverse effect on quality activities, because many providers currently are not required to obtain consent for treatment, payment, or health care operations.
Providers that are required by law to treat were concerned about the mixed messages to patients and interference with the physician-patient relationship that would have resulted because they would have had to ask for consent to use or disclose protected health information for treatment, payment, or health care operations, but could have used or disclosed the information for such purposes even if the patient said “no.”

As a result of the large number of treatment-related obstacles raised by various types of health care providers that would have been required to obtain consent, the Department became concerned that individual fixes would be too complex and could possibly overlook important problems. Instead, the Department proposed an approach designed to protect privacy interests by affording patients the opportunity to engage in important discussions regarding the use and disclosure of their health information through the strengthened notice requirement, while allowing activities that are essential to quality health care to occur unimpeded (see section III.H. of the preamble for a discussion of the strengthened notice requirements).

Specifically, the Department proposed to make the obtaining of consent to use and disclose protected health information for treatment, payment, or health care operations more flexible for all covered entities, including providers with direct treatment relationships. Under this proposal, health care providers with direct treatment relationships with individuals would no longer be required to obtain an individual’s consent prior to using and disclosing information about him or her for treatment, payment, and health care operations. They, like other covered entities, would have regulatory permission for such uses and disclosures.

The NPRM included provisions to permit covered entities to obtain consent for uses and disclosures of protected health information for treatment, payment, or health care operations, if they wished to do so. These provisions would grant providers complete discretion in designing this process. These proposed changes were partnered, however, by the proposal to strengthen the notice provisions to require direct treatment providers to make good faith efforts to obtain a written acknowledgment of receipt of the notice. The intent was to preserve the opportunity to raise questions about the entity’s privacy policies that the consent requirements previously provided.

HHS Explanation of Final Modifications
Uses and Disclosures to Carry Out Treatment, Payment or Health Care Operations: Consent for Uses and Disclosures Permitted

Note: The HHS Final Modification Explanation is the same as for § 164.506(a).

The Department continues to be concerned by the multitude of comments and examples demonstrating that the consent requirements would result in unintended consequences that would impede the provision of health care in many critical circumstances. We are also concerned that other such unintended consequences may exist which have yet to be brought to our attention. The Department would not have been able to address consent issues arising after publication of this Rule until at least a year had passed from this Rule’s publication date due to statutory limitations on the timing of modifications. The Department believes in strong privacy protections for individually identifiable health information, but does not want to compromise timely access to quality health care. The Department also understands that the opportunity to discuss privacy practices and concerns is an important component of privacy, and that the confidential relationship between a patient and a health care provider includes the patient’s ability to be involved in discussions and decisions related to the use and disclosure of protected health information about him or her.

A review of the comments showed that almost all of the commenters that discussed consent acknowledged that there are unintended consequences of the consent requirement that would interfere with treatment. These comments point toward two potential approaches to fixing these problems. The Department could address these problems by adopting a single solution that would address most or all of the concerns, or could address these problems by adopting changes targeted to each specific problem that was brought to the attention of the Department. One of the goals in making changes to the Privacy Rule is to simplify, rather than add complexity to, the Rule. Another goal is to assure that the Privacy Rule does not hamper necessary treatment. For both of these reasons, the Department is concerned about adopting different changes for different issues related to consent and regulating to address specific examples that have been brought to its attention. Therefore, the options that the Department most seriously considered were those that would provide a global fix to the consent problems. Some commenters provided global options other than the proposed approach. However, none of these would have resolved the operational problems created by a mandatory consent.

The Department also reviewed State laws to understand how they approached uses and disclosures of health information for treatment, payment, or health care operations purposes. Of note was the California Confidentiality of Medical Information Act. Cal. Civ. Code ' 56. This law permits health care providers and health plans to disclose health information for treatment, payment, and certain types of health care operations purposes without obtaining consent of the individual. The California HealthCare Foundation conducted a medical privacy and confidentiality survey in January 1999 that addressed consumer views on confidentiality of medical records. The results showed that, despite the California law that permitted disclosures of health information without an individual’s consent, consumers in California did not have greater concerns about confidentiality than other health care consumers. This is true with respect to trust of providers and health plans to keep health information private and confidential and the level of access to health information that providers and health plans have.

The Department adopts the approach that was proposed in the NPRM, because it is the only one that resolves the operational problems that have been identified in a simple and uniform manner. First, this Rule strengthens the notice requirements to preserve the opportunity for individuals to discuss privacy practices and concerns with providers. (See section III.H. of the preamble for the related discussion of modifications to strengthen the notice requirements.) Second, the final Rule makes the obtaining of consent to use and disclose protected health information for treatment, payment, or health care operations optional on the part of all covered entities, including providers with direct treatment relationships. A health care provider that has a direct treatment relationship with an individual is not required by the Privacy Rule to obtain an individual’s consent prior to using and disclosing information about him or her for treatment, payment, and health care operations. They, like other covered entities, have regulatory permission for such uses and disclosures. The fact that there is a State law that has been using a similar model for years provides us confidence that this is a workable approach.

Other rights provided by the Rule are not affected by this modification. Although covered entities will not be required to obtain an individual’s consent, any uses or disclosures of protected health information for treatment, payment, or health care operations must still be consistent with the covered entity’s notice of privacy practices. Also, the removal of the consent requirement applies only to consent for treatment, payment, and health care operations; it does not alter the requirement to obtain an authorization under § 164.508 for uses and disclosures of protected health information not otherwise permitted by the Privacy Rule or any other requirements for the use or disclosure of protected health information. The Department intends to enforce strictly the requirement for obtaining an individual’s authorization, in accordance with § 164.508, for uses and disclosure of protected health information for purposes not otherwise permitted or required by the Privacy Rule. Furthermore, individuals retain the right to request restrictions, in accordance with § 164.522(a). This allows individuals and covered entities to enter into agreements to restrict uses and disclosures of protected health information for treatment, payment, and health care operations that are enforceable under the Privacy Rule.

Although consent for use and disclosure of protected health information for treatment, payment, and health care operations is no longer mandated, this Final Rule allows covered entities to have a consent process if they wish to do so. The Department heard from many commenters that obtaining consent was an integral part of the ethical and other practice standards for many health care professionals. It, therefore, does not prohibit covered entities from obtaining consent.

This final Rule allows covered entities that choose to have a consent process complete discretion in designing that process. Prior comments have informed the Department that one consent process and one set of principles will likely be unworkable. Covered entities that choose to obtain consent may rely on industry practices to design a voluntary consent process that works best for their practice area and consumers, but they are not required to do so.

This final Rule effectuates these changes in the same manner as proposed by the NPRM. The consent provisions in § 164.506 are replaced with a new provision at § 164.506(a) that provides regulatory permission for covered entities to use or disclose protected health information for treatment, payment, and health care operations. A new provision is added at § 164.506(b) that permits covered entities to obtain consent if they choose to, and makes clear any such consent process does not override or alter the authorization requirements in § 164.508. Section 164.506(b) includes a small change from the proposed version to make it clearer that authorizations are still required by referring directly to authorizations under § 164.508.

Additionally, this final Rule includes a number of conforming modifications, identical to those proposed in the NPRM, to accommodate the new approach. The most substantive corresponding changes are at '§ 164.502 and 164.532. Section 164.502(a)(1) provides a list of the permissible uses and disclosures of protected health information, and refers to the corresponding section of the Privacy Rule for the detailed requirements. The provisions at '§ 164.502(a)(1)(ii) and (iii) that address uses and disclosures of protected health information for treatment, payment, and health care operations are collapsed into a single provision, and the language is modified to eliminate the consent requirement.

The references in § 164.532 to § 164.506 and to consent, authorization, or other express legal permission obtained for uses and disclosures of protected health information for treatment, payment, and health care operations prior to the compliance date of the Privacy Rule are deleted. The proposal to permit a covered entity to use or disclose protected health information for these purposes without consent or authorization would apply to any protected health information held by a covered entity whether created or received before or after the compliance date. Therefore, transition provisions are not necessary.

This final Rule also includes conforming changes to the definition of “more stringent” in § 160.202; the text of § 164.500(b)(1)(v), '§ 164.508(a)(2)(i) and (b)(3)(i), and § 164.520(b)(1)(ii)(B); the introductory text of '§ 164.510 and 164.512, and the title of § 164.512 to eliminate references to required consent.

HHS Response to Comments Received - Published With the August 2002 Revisions
Uses and Disclosures to Carry Out Treatment, Payment or Health Care Operations: Consent for Uses and Disclosures Permitted

Note: The HHS Response to Comments Received is the same as for § 164.506(a).

Overview of Public Comments. The following discussion provides an overview of the public comment received on this proposal.

The vast majority of commenters addressed the consent proposal. Most comments fell into three basic categories: (1) many comments supported the NPRM approach to eliminate the consent requirement; (2) many comments urged the Department to require consent, but make targeted fixes to address workability issues; and (3) some comments urged the Department to strengthen the consent requirement.

The proposed approach of eliminating required consent and making obtaining of consent permissible, at the entity’s discretion, was supported by many covered entities that asserted that it would provide the appropriate balance among access to quality health care, administrative burden, and patient privacy. Many argued that the appropriate privacy protections were preserved by strengthening the notice requirement. This approach was also supported by the NCVHS.

The comments received in response to the NPRM continued to raise the issues and obstacles described above, and others. For example, in addition to providing health care services to patients, hospices often provide psychological and emotional support to family members. These consultations often take place long distance and would likely be considered treatment. The consent requirement would make it difficult, or impossible in some circumstances, for hospices to provide these important services to grieving family members on a timely basis. Comments explained that the consent provisions in the Rule pose significant obstacles to oncologists as well. Cancer treatment is referral-based. Oncologists often obtain information from other doctors, hospital, labs, etc., speak with patients by telephone, identify treatment options, and develop preliminary treatment plans, all before the initial patient visit. The prior consent requirement would prevent all of these important preliminary activities before the first patient visit, which would delay treatment in cases in which such delay cannot be tolerated.

Other commenters continued to strongly support a consent requirement, consistent with their views expressed during the comment period in March 2001. Some argued that the NPRM approach would eliminate an important consumer protection and that such a “radical” approach to fixing the workability issues was not required. They recommended a targeted approach to fixing each problem, and suggested ways to fix each unintended consequence of the consent requirement, in lieu of removing the requirement to obtain consent.

A few commenters argued for reinstating a consent requirement, but making it similar to the proposal for acknowledgment of notice by permitting flexibility and including a “good faith” standard. They also urged the Department to narrow the definition of health care operations and require that de-identified information be used where possible for health care operations.

Finally, a few commenters continued to assert that consent should be strengthened by applying it to more covered entities, requiring it to be obtained more frequently, or prohibiting the conditioning of treatment on the obtaining of consent.

Response to Other Public Comments.

Comment: There were three categories of commenters with respect to the Rule’s general approach to consent: those that supported the changes proposed in the NPRM provisions, those that requested targeted changes to the consent requirement, and those that requested that the consent requirement be strengthened.

Many commenters supported the NPRM approach to consent, making consent to use or disclose protected health information for treatment, payment, and health care operations voluntary for all covered entities. These commenters said that this approach provided flexibility for covered entities to address consent in a way that is consistent with their practices. These commenters also stated that the NPRM approach assured that the Privacy Rule would not interfere with or delay necessary treatment.

Those that advocated retaining a consent requirement stated that the NPRM approach would undermine trust in the health care system and that requiring consent before using or disclosing protected health information shows respect for the patient’s autonomy, underscores the need to inform the patient of the risks and benefits of sharing protected health information, and makes it possible for the patient to make an informed decision. Many of these commenters suggested that the consent requirement be retained and that the problems raised by consent be addressed through targeted changes or guidance for each issue.

Some suggestions targeted to specific problems were: (1) fix the problems related to filling prescriptions by treating pharmacists as providers with indirect treatment relationships or by deeming a prescription to serve as an implied consent; and (2) allow certain uses and disclosures prior to first patient encounter. Some of these commenters argued that certain issues could be addressed through guidance on other provisions in the Rule, rather than a change in the regulation. For example, they suggested that guidance could explain that physicians who take phone calls for one another are part of an organized health care arrangement, or could provide technical assistance about revocations on consent by identifying when a covered entity has taken action in reliance on a consent.

Other suggestions were more general. They included suggestions that the Department: (1) substitute a good faith effort requirement for the current provisions; (2) provide regulatory permission for certain uses and disclosures of protected heath information prior to first service delivery; (3) permit oral consent with documentation; (4) retain a consent requirement for disclosures, but not uses; (5) retain a consent requirement for payment and operations, but not treatment uses and disclosures; (6) allow individuals to opt out of the consent requirement; (7) allow the consent to apply to activities of referred-to providers, and (8) retain the consent requirement but add flexibility, not exceptions.

The third group of commenters requested that the consent requirement be strengthened. Some requested that the Privacy Rule not permit conditioning of treatment or enrollment on consent for multiple uses and disclosures. Others requested that the consent requirement be extended to covered entities other than providers with direct treatment relationships, such as health plans. Some commenters also asked that the consent be time-limited or be required more frequently, such as at each service delivery.

Response: The Department recognizes that there are some benefits to the consent requirement and has considered all options to preserve the consent requirement while fixing the problems it raises. After examining each of these options, we do not believe that any would address all of the issues that were brought to the Department’s attention during the comment process or would be the best approach for regulating this area. For example, the suggestion to treat pharmacists as indirect treatment providers would not be consistent with the current regulatory definition of that term and would not have addressed other referral situations. This approach was also rejected by some pharmacists who view themselves as providing treatment directly to individuals. The suggestion to allow certain uses and disclosures prior to first patient encounter would not address concerns of tracking consents, use of historical data for quality purposes, or the concerns of emergency treatment providers.

The Department desired a global approach to resolving the problems raised by the prior consent requirement, so as not to add additional complexity to the Privacy Rule or apply different standards to different types of direct treatment providers. This approach is consistent with the basic goal of the Rule to provide flexibility as necessary for the standards to work for all sectors of the health care industry.

More global approaches suggested were carefully considered, but each had some flaw or failed to address all of the treatment-related concerns brought to our attention. For example, those who suggested that the Rule be modified to require a good faith effort to obtain consent at first service delivery failed to explain how that approach would provide additional protection than the approach we proposed. The Department also decided against eliminating the consent requirement only for uses and disclosures for treatment, or only for uses of protected health information but not for disclosures, because these options fall short of addressing all of the problems raised. Scheduling appointments and surgeries, and conducting many pre-admission activities, are health care operations activities, not treatment. Retaining the consent requirement for payment would be problematic because, in cases where a provider, such as a pharmacist or hospital, engages in a payment activity prior to face-to-face contact with the individual, it would prohibit the provider from contacting insurance companies to obtain pre-certification or to verify coverage.

Similarly, the suggestion to limit the prior consent requirement to disclosures and not to uses would not have addressed all of the problems raised by the consent requirements. Many of the basic activities that occur before the initial face-to-face meeting between a provider and an individual involve disclosures as well as uses. Like the previous approach, this approach also would prohibit pharmacists and hospitals from contacting insurance companies to obtain pre-certification or verify coverage if they did not have the individual’s prior consent to disclose the protected health information for payment. It also would prohibit a provider from contacting another provider to ask questions about the medical record and discuss the patient’s condition, because this would be a disclosure and would require consent.

There was a substantial amount of support from commenters for the approach taken in the NPRM. The Department continues to believe that this approach makes the most sense and meets the goals of not interfering with access to quality health care and of providing a single standard that works for the entire health care industry. Therefore, the Department has adopted the approach proposed in the NPRM.

Comment: Some commenters asserted that eliminating the consent requirement would be a departure from current medical ethical standards that protect patient confidentiality and common law and State law remedies for breach of confidentiality that generally require or support patient consent prior to disclosing patient information for any reason. Another commenter was concerned that the removal of the consent requirement from the Privacy Rule will become the de facto industry standard and supplant professional ethical duties to obtain consent for the use of protected health information.

Response: The Privacy Rule provides a floor of privacy protection. State laws that are more stringent remain in force. In order not to interfere with such laws and ethical standards, this Rule permits covered entities to obtain consent. Nor is the Privacy Rule intended to serve as a “best practices” standard. Thus, professional standards that are more protective of privacy retain their vitality.

Comment: Some commenters requested that, if the Department adopts the NPRM approach to eliminate the consent requirement for uses and disclosures of protected health information for treatment, payment, or health care operations, the definition of “health care operations” should also be narrowed to protect individual expectations of privacy.

Response: We disagree. As stated in the preamble to the December 2000 Privacy Rule, the Department believes that narrowing the definition of “health care operations” will place serious burdens on covered entities and impair their ability to conduct legitimate business and management functions.

Comment: Some commenters requested that the regulation text state more specifically that a voluntary consent cannot substitute for an authorization when an authorization is otherwise required under the Privacy Rule.

Response: The Department agrees and modifies the regulation text, at § 164.506(b)(2), to make this clear. As stated in the preamble to the NPRM, the Department intends to enforce strictly the requirement for obtaining an individual’s authorization, in accordance with § 164.508, for uses and disclosures of protected health information for purposes not otherwise permitted or required by the Privacy Rule. A consent obtained voluntarily would not be sufficient to permit a use or disclosure which, under the Privacy Rule, requires an authorization or is otherwise expressly conditioned under the Rule. For example, a consent under § 164.506 could not be obtained in lieu of an authorization required by § 164.508 or a waiver of authorization by an IRB or Privacy Board under § 164.512(i) to disclose protected health information for research purposes.

Comment: Some commenters requested that, if the Department decides to allow consent on a voluntary basis, the Privacy Rule include requirements for those covered entities that voluntarily choose to obtain consents.

Response: The goal of the NPRM approach was to enhance flexibility for covered entities by allowing them to design a consent process that best matches their needs. The Department learned over the past year that no single consent process works for all covered entities. In addition, the Department wants to encourage covered entities to adopt a consent process, and is concerned that by prescribing particular rules, it would discourage some covered entities from doing so.

Comment: Some commenters asserted that the consent requirement provides individuals with control because providers may not opt to withhold treatment if a patient refuses consent only for the use or disclosure of protected health information for health care operations.

Response: These commenters may not fully understand the consent requirements in the December 2000 Rule. That requirement did not allow separate consents for use of protected health information for treatment, payment, and health care operations. The only way to allow use of protected health information for treatment but not for health care operations purposes would have been to invoke the right to request restrictions (§ 164.522(a)); the provider could agree or not agree to restrict use and disclosure of protected health information for health care operations. That is also how the Rule will work with these modifications. The Department is not modifying the right to request restrictions.

Comment: Some commenters were confused about the relationship between the proposed changes to the consent provisions and State law. Some were concerned that the Privacy Rule would override State consent laws which provide stronger protections for medical and psychotherapeutic privacy.

Response: The Privacy Rule does not weaken the operation of State laws that require consent to use or disclose health information. The Privacy Rule permits a covered entity to obtain consent to use or disclose health information, and, therefore, presents no barrier to the entity’s ability to comply with State law requirements.

Comment: One commenter suggested that the consent requirement be retained to protect victims of domestic violence.

Response: The Department understands the concerns that the Privacy Rule not endanger victims of domestic violence, but we do not believe that eliminating the consent requirement will do so. The Department believes that the provisions that provide real protections to victims of domestic violence in how information is used or disclosed for treatment, payment, and health care operations, are provisions that allow an individual to object to disclosure of directory information and of protected health information to family members or friends involved in the individual’s care (see § 164.510), that provide an individual the right to request restrictions (see § 164.522(a)), and that grant an individual the right to request confidential communications (see § 164.522(b)). These provisions are not affected by the changes in this final Rule.

Comment: One commenter asserted that written consent represents a signed agreement between the provider and patient regarding the manner in which covered entities will use and disclose health information in the future, and that the removal of this requirement would shift “ownership” of records from patients to doctors and corporate entities.

Response: The Department disagrees with this position. Our research indicates that a signed consent form is most typically treated as a waiver of rights by a patient and not as a binding agreement between a provider and a patient. Further, many States have laws assigning the ownership of records, apart from any consent requirements. The Privacy Rule does not address, and is not intended to affect, existing laws governing the ownership of health records.

Comment: A few commenters claimed that the signed notice of a provider’s privacy policy is meaningless if the individual has no right to withhold consent and the NPRM approach would reinforce the fact that individuals have no say in how their health information is used or disclosed.

Response: The Department disagrees. The individual’s options under the consent requirement established by the Privacy Rule published in December 2000 and the voluntary consent and strengthened notice provisions adopted by this Rule are the same. Under the previous Rule, a patient who disagreed with the covered entity’s information practices as stated in the notice could withhold consent and not receive treatment, or could sign the consent form and obtain treatment despite concerns about the information practices. The patient could request that the provider restrict the use and/or disclosure of the information. Under the Rule as modified, a patient who disagrees with the covered entity’s information practices as stated in the notice, can choose not to receive treatment from that provider, or can obtain treatment despite concerns about the information practices. The patient can request that the provider restrict the use and/or disclosure of the information. The result, for the patient, is the same.

Comment: One commenter requested clarification with respect to the effect of a revocation of voluntary consent and whether agreed-to restrictions must be honored.

Response: The final Rule is silent as to how a covered entity handles the revocation of a voluntary consent under § 164.506(b)(1). The Rule provides the covered entity that chooses to adopt a consent process discretion to design the process that works for that entity.

The change to the consent provision in the Privacy Rule does not affect the right of an individual under § 164.522(a) to request restrictions to a use or disclosure of protected health information. While a covered entity is not required to agree to such restrictions, it must act in accordance with any restriction it does agree to. Failure of a covered entity to act in accordance with an agreed-to restriction is a violation of the Rule.

Comment: Commenters asked the Department to rename consent to “consent for information use” to reduce confusion with consent for treatment.

Response: In order to clear up confusion between informed consent for treatment, which is addressed by State law, and consent to use or disclose protected health information under the Privacy Rule, we changed the title of § 164.506(b) from “Consent permitted” to “Consent for uses and disclosures of information permitted.” The Privacy Rule does not affect informed consent for treatment.

Comment: A few commenters requested that the Department modify the regulation to state that de-identified information should be used for health care operations where possible.

Response: The Department continues to encourage covered entities to use de-identified information wherever possible. As the Department has made this position clear in the preambles to both the December 2000 Privacy Rule and the March 2002 NPRM, as well as in this preamble, we do not believe that it is necessary to modify the regulation to include such language. Further, the minimum necessary requirements, under '§ 164.502(b)(2) and 164.514(d), already require a covered entity to make reasonable efforts to limit protected health information used for health care operations and other purposes to the minimum necessary to accomplish the intended purpose, which may, in some cases, be de-identified information.

Comment: One commenter requested that the Privacy Rule state that consent is not required for provider-to-provider communications.

Response: Prior to these final modifications, the consent requirements of the Privacy Rule would have required a provider to obtain written consent to disclose protected health information to another provider for treatment purposes - which could have interfered with an individual’s ability to obtain timely access to quality care. This is one reason the Department has eliminated the consent requirement for treatment, payment, and health care operations. Providers will not need a patient’s consent to consult with other providers about the treatment of a patient. However, if a provider is disclosing protected health information to another provider for purposes other than treatment, payment, or health care operations, an authorization may be required under § 164.508 (e.g., generally, disclosures for clinical trials would require an authorization).

Comment: One commenter asserted that, without a consent requirement, nothing will stop a health plan from demanding a patient’s mental health records as a condition of payment for physical therapy.

Response: The Department does not agree that the former consent requirement is the relevant standard with respect to the activities of the health plan that concern the commenter. Rather, the Transactions Rule and the minimum necessary standard of the Privacy Rule prescribe and limit the health information that may be disclosed as part of payment transactions between health plans and health care providers. Although a health plan may request additional information to process a specific claim, in addition to the required and situational elements under the Transactions Rule, the request must comply with the Privacy Rule’s minimum necessary requirements. In this example, the health plan can only request mental health records if they are reasonably necessary for the plan to process the physical therapy claim.