
    HIPAA Privacy Regulations: Uses and Disclosures For Which an Authorization is Required: Authorizations for Uses and Disclosures - § 164.508(a)

    As Contained in the HHS HIPAA Privacy Rules


    HHS Regulations as Amended January 2013
    Uses and Disclosures For Which an Authorization is Required: Authorizations for Uses and Disclosures - § 164.508(a)


    (a) Standard: Authorizations for uses and disclosures—(1) Authorization required: General rule. Except as otherwise permitted or required by this subchapter, a covered entity may not use or disclose protected health information without an authorization that is valid under this section. When a covered entity obtains or receives a valid authorization for its use or disclosure of protected health information, such use or disclosure must be consistent with such authorization.

    (2) Authorization required: Psychotherapy notes. Notwithstanding any provision of this subpart, other than the transition provisions in §164.532, a covered entity must obtain an authorization for any use or disclosure of psychotherapy notes, except:

    (i) To carry out the following treatment, payment, or health care operations:

    (A) Use by the originator of the psychotherapy notes for treatment;

    (B) Use or disclosure by the covered entity for its own training programs in which students, trainees, or practitioners in mental health learn under supervision to practice or improve their skills in group, joint, family, or individual counseling; or

    (C) Use or disclosure by the covered entity to defend itself in a legal action or other proceeding brought by the individual; and

    (ii) A use or disclosure that is required by §164.502(a)(2)(ii) or permitted by §164.512(a); §164.512(d) with respect to the oversight of the originator of the psychotherapy notes; §164.512(g)(1); or §164.512(j)(1)(i).

    (3) Authorization required: Marketing. (i) Notwithstanding any provision of this subpart, other than the transition provisions in §164.532, a covered entity must obtain an authorization for any use or disclosure of protected health information for marketing, except if the communication is in the form of:

    (A) A face-to-face communication made by a covered entity to an individual; or

    (B) A promotional gift of nominal value provided by the covered entity.

    (ii) If the marketing involves financial remuneration, as defined in paragraph (3) of the definition of marketing at §164.501, to the covered entity from a third party, the authorization must state that such remuneration is involved.

    (4) Authorization required: Sale of protected health information.

    (i) Notwithstanding any provision of this subpart, other than the transition provisions in §164.532, a covered entity must obtain an authorization for any disclosure of protected health information which is a sale of protected health information, as defined in §164.501 of this subpart.

    (ii) Such authorization must state that the disclosure will result in remuneration to the covered entity.


    HHS Description and Commentary From the January 2013 Amendments
    Uses and Disclosures For Which an Authorization is Required: Authorizations for Uses and Disclosures - § 164.508(a)


    Sale of Protected Health Information: Proposed Rule

    Section 164.508 of the Privacy Rule permits a covered entity to use and disclose protected health information for purposes not otherwise permitted by the Rule if it has obtained a valid written authorization from the individual who is the subject of the information. This section also specifies two circumstances in which authorization from the individual must be obtained: (1) most uses and disclosures of psychotherapy notes; and (2) uses and disclosures for marketing purposes. Section 13405(d) of the HITECH Act added a third circumstance that requires authorization, specifically the sale of protected health information. Section 13405(d)(1) prohibits a covered entity or business associate from receiving direct or indirect remuneration in exchange for the disclosure of protected health information unless the covered entity has obtained an individual’s authorization pursuant to § 164.508 that states whether the protected health information can be further exchanged for remuneration by the entity receiving the information.

    Section 13405(d)(2) contains several exceptions to the authorization requirement for circumstances where the purpose of the exchange is for: (1) public health activities, as described at § 164.512(b) of the Privacy Rule; (2) research purposes as described at §§ 164.501 and 164.512(i) of the Rule, if the price charged for the information reflects the cost of preparation and transmittal of the data; (3) treatment of the individual; (4) the sale, transfer, merger or consolidation of all or part of a covered entity and for related due diligence; (5) services rendered by a business associate pursuant to a business associate agreement and at the specific request of the covered entity; (6) providing an individual with access to his or her protected health information pursuant to § 164.524; and (7) other purposes as the Secretary deems necessary and appropriate by regulation. Section 13405(d)(4) of the Act provides that the prohibition on sale of protected health information applies to disclosures occurring six months after the date of the promulgation of the final regulations implementing this section.

    To implement section 13405(d) of the HITECH Act, we proposed to add a general rule at § 164.508(a)(4) requiring a covered entity to obtain an authorization for any disclosure of protected health information in exchange for direct or indirect remuneration from or on behalf of the recipient of the information and to require that the authorization state that the disclosure will result in remuneration to the covered entity. Consistent with the HITECH Act, the NPRM proposed to exclude several disclosures of protected health information made in exchange for remuneration from this general rule. As provided in the Act, these requirements would also apply to business associates of covered entities.

    In the NPRM we did not include language at § 164.508(a)(4) to require that the authorization under § 164.508 specify whether the protected health information disclosed by the covered entity for remuneration could be further exchanged for remuneration by the entity receiving the information. The statute refers to obtaining a valid authorization that includes a remuneration statement in accordance with § 164.508. The remuneration statement required by § 164.508 is whether remuneration will be received by the covered entity with respect to the disclosures subject to the authorization. This puts the individual on notice that the disclosure involves remuneration and thus, enables the individual to make an informed decision as to whether to sign the authorization. Thus, we interpreted the statute to mean that the authorization must include a statement that the covered entity is receiving direct or indirect remuneration in exchange for the protected health information. We note that these exact words do not need to be used in the statement. We provide discretion for covered entities to craft appropriate language that reflects, for example, the specific type of remuneration they receive. As we explained in the NPRM, with respect to the recipient of the information, if protected health information is disclosed for remuneration by a covered entity or business associate to another covered entity or business associate in compliance with the authorization requirements at proposed § 164.508(a)(4)(i), the recipient covered entity or business associate could not redisclose the protected health information in exchange for remuneration unless a valid authorization was obtained in accordance with proposed § 164.508(a)(4)(i). We requested comment on these provisions.

    At proposed § 164.508(a)(4)(ii), we set forth the exceptions to the authorization requirement. We proposed the exceptions provided for by section 13405(d)(2) of the HITECH Act, and also proposed to exercise the authority granted to the Secretary in section 13405(d)(2)(G) to include additional exceptions that we deemed to be similarly necessary and appropriate. These exceptions are discussed below.

    We requested comment on whether there were additional exceptions that should be included in the final regulation.

    First, we proposed to include an exception to cover exchanges for remuneration for public health activities pursuant to §§ 164.512(b) or 164.514(e). We added the reference to § 164.514(e) of the Privacy Rule to ensure that disclosures of protected health information for public health activities in limited data set form would also be excepted from the authorization requirement, in addition to disclosures that may occur under § 164.512(b) with more identifiable information. With respect to the exception for public health disclosures, section 13405(d)(3)(A) of the HITECH Act requires that the Secretary evaluate the impact on public health activities of restricting this exception to require that the price charged for the data reflects only the costs of preparation and transmittal of the data, including those conducted by or for the use of the Food and Drug Administration (FDA). Section 13405(d)(3)(B) further provides that if the Secretary finds that such further restriction will not impede public health activities, the restriction may then be included in the regulations. We did not propose to include such a restriction on remuneration in the Rule, but requested public comment to assist us in evaluating the impact of doing so.

    The NPRM also included an exception for disclosures of protected health information for research purposes, pursuant to §§ 164.512(i) or 164.514(e), in exchange for which the covered entity receives only a reasonable, cost based fee to cover the cost to prepare and transmit the information for research purposes.

    Like the public health exception, we proposed to add a reference to § 164.514(e) to ensure that this exception would also apply to the disclosure of protected health information in limited data set form for research purposes. We requested public comment on the types of costs that should be permitted under this provision.

    We proposed to create an exception from the authorization requirement for disclosures of protected health information for treatment and payment purposes. Though the Act only addressed treatment, we proposed to also except disclosures for payment for health care from the remuneration prohibition to make clear that the exchange of protected health information to obtain “payment,” as such term is defined in the Privacy Rule at § 164.501, would not be considered a sale of protected health information.

    Consistent with section 13405(d)(2)(D) of the HITECH Act, we proposed to except from the authorization requirement disclosures described in paragraph (6)(iv) of the definition of health care operations at § 164.501, that is, disclosures for the sale, transfer, merger, or consolidation of all or part of a covered entity, or an entity that following such activity will become a covered entity, and due diligence related to such activity.

    We proposed to provide an exception from the authorization requirement for disclosures of protected health information to or by a business associate for activities that the business associate undertakes on behalf of a covered entity pursuant to §§ 164.502(e) and 164.504(e) of the Privacy Rule, as long as the only remuneration provided is by the covered entity to the business associate for the performance of such activities. This exception would exempt from the authorization requirement at § 164.508(a)(4)(i) a disclosure of protected health information by a covered entity to a business associate or by a business associate to a third party on behalf of the covered entity as long as any remuneration received by the business associate was for the activities performed by the business associate pursuant to a business associate contract.

    We proposed to except from the authorization requirement disclosures of protected health information by a covered entity to an individual when requested under §§ 164.524 (providing a right to access protected health information) or 164.528 (providing a right to receive an accounting of disclosures).

    While section 13405(d)(2)(F) of the HITECH Act explicitly refers only to disclosures under § 164.524, we exercised our authority under section 13405(d)(2)(G) of the HITECH Act to likewise include in the exception disclosures to the individual under § 164.528. Section 164.524 permits a covered entity to impose a reasonable, cost-based fee for the provision of access to an individual’s protected health information upon request. Section 164.528 requires a covered entity to provide a requesting individual with an accounting of disclosures without charge in any 12-month period but permits a covered entity to impose a reasonable, cost-based fee for each subsequent request for an accounting of disclosures during that 12-month period. Therefore, a disclosure of protected health information under § 164.528 is similar to a disclosure under § 164.524 in that a covered entity may be paid a fee for making the disclosure.

    Pursuant to the authority granted to the Secretary in section 13405(d)(2)(G) of the HITECH Act, we proposed an additional exception for disclosures that are required by law as permitted under § 164.512(a) of the Privacy Rule. Finally, we proposed an exception, pursuant to the authority granted to the Secretary in section 13405(d)(2)(G), for disclosures of protected health information for any other purpose permitted by and in accordance with the applicable requirements of the Privacy Rule, as long as the only remuneration received by the covered entity is a reasonable, cost based fee to cover the cost to prepare and transmit the protected health information for such purpose or is a fee otherwise expressly permitted by other law. We proposed this exception to ensure that the authorization requirement would not deter covered entities from disclosing protected health information for permissible purposes under the Privacy Rule just because they routinely receive payment equal to the cost of preparing, producing, and transmitting the protected health information. We emphasized that this proposed exception would not apply if a covered entity received remuneration above the actual cost incurred to prepare, produce, and transmit the protected health information for the permitted purpose, unless such fee is expressly permitted by other law.

    As explained in the NPRM, we recognize that many States have laws in place to limit the fees a health care provider can charge to prepare, copy, and transmit medical records. Under these laws, there is great variation regarding the types of document preparation activities for which a provider can charge as well as the permissible fee schedules for such preparation activities. Some States simply require any reasonable costs incurred by the provider in making copies of the medical records to be paid for by the requesting party, while other States set forth specific cost limitations with respect to retrieval, labor, supplies, and copying costs and allow charges equal to actual mailing or shipping costs. Many of these State laws set different cost limitations based on the amount and type of information to be provided, taking into account whether the information is in paper or electronic form as well as whether the requested material includes x-rays, films, disks, tapes, or other diagnostic imaging. The proposed exception would permit recoupment of fees expressly permitted by these other laws.

    Overview of Public Comments

    Many commenters asked for clarification on the scope of activities that constitute a “sale of protected health information.” Several of these commenters asked that the final rule include a definition of “sale of protected health information” and argued that the proposed language at § 164.508(a)(4) was too broad and had the potential to capture a number of activities that should not constitute a “sale” of protected health information.

    Commenters made a variety of suggestions in this regard, including suggesting that a definition of sale should focus on the transfer of ownership of protected health information and thus exclude disclosures pursuant to an access agreement, license, or lease that appropriately limits a recipient’s uses or disclosures of the information; or that a definition of sale should more clearly capture those disclosures where remuneration is provided in exchange for protected health information, rather than all disclosures that may involve remuneration. A number of commenters were concerned that fees paid for services or programs that involve the disclosure of protected health information but that are not fees to purchase the data themselves nonetheless would turn such disclosure into a sale of protected health information. For example, some commenters were concerned that the disclosure of research results to a research sponsor would be a sale of protected health information because the sponsor paid the covered entity for its services in conducting the research study or project. Other commenters expressed concern about the authorization requirements for the sale of protected health information applying to programs for which a covered entity receives funding and, as a condition of that funding, is required to report data, such as under the Medicare and Medicaid incentive payment programs for meaningful users of certified electronic health record technology and certain State grant programs. A few commenters were concerned that the exchange of protected health information through a health information exchange (HIE) that is paid for through fees assessed on HIE participants could be considered sale of protected health information.

    Commenters also asked for clarification on the meaning and scope of the term “direct and indirect remuneration,” and some were particularly concerned that “indirect remuneration” meant nonfinancial benefits provided in exchange for protected health information could turn a disclosure into a sale of protected health information. Some commenters stated that prohibiting the receipt of indirect remuneration or nonfinancial benefits may eliminate any incentive for covered entities to participate in certain collaborative research or quality activities, in which covered entities contribute data to a centralized database to create aggregate data sets and in return may receive a number of nonfinancial benefits, such as the ability to use the aggregated information for research or access to quality assurance/quality improvement tools. Certain commenters argued that the term indirect in the statute modifies the “receipt” of remuneration (i.e., that the statute also applies to the situation where the remuneration is provided by a third party on behalf of the recipient of the protected health information) and not the type of remuneration.

    The public health exception to the remuneration prohibition received a significant amount of support from commenters. Several commenters expressed specific support for the proposal to expand the exception to also apply to disclosures of limited data sets for public health purposes. With respect to the request for comment on the impact of restricting this exception to require that the price charged for the data reflects only the costs of preparing and transmitting the data, commenters were generally opposed to imposing such a restriction. Commenters stated that it may be difficult and burdensome to determine if some of a covered entity’s routine public health reporting involves any type of remuneration and that a cost-based restriction on remuneration would discourage and impede covered entities from making important public health disclosures. One commenter was opposed to the public health exception altogether, stating that it is a privacy loophole that eliminates consumer control over their protected health information.

    Many respondents to the proposed sale prohibition commented on the proposed exception for research. While most commenters supported including an exception for research disclosures, including disclosures of limited data sets for research, many argued that the exception should not be limited to the receipt of a reasonable cost-based fee to prepare and transmit the data as such a fee limitation could impede important research efforts. A number of commenters specifically opposed imposing a fee limitation on the disclosure of limited data sets. If a fee limitation were retained, commenters argued that it should be broadly construed. The majority of commenters on this issue supported the proposed exceptions to the remuneration prohibition for treatment and health care payment purposes, as necessary so as not to impede these core health care functions.

    Overall, support was also expressed by those who commented on the exception for the sale, transfer, merger, or consolidation of a covered entity.

    Further, commenters generally agreed that a covered entity should be permitted to disclose protected health information without individual authorization as required by law, even if remuneration is received in exchange for the disclosure.

    Commenters also submitted a number of comments and questions regarding the ability of business associates to receive fees under both the proposed exception specifically for fees paid by a covered entity to a business associate and the general exception that would allow a covered entity to receive a reasonable, cost-based fee to cover the costs to prepare and transmit the data or a fee otherwise expressly permitted by other law for any disclosure permitted by the Privacy Rule. While commenters generally supported these exceptions, commenters were concerned that these exceptions appeared not to cover the common situation where a business associate, rather than the covered entity, receives remuneration from a third party for making a permitted disclosure under the Privacy Rule. For example, a number of commenters stated that covered entities often outsource to release of information (ROI) vendors the processing of requests for copies of medical records from third parties and that these vendors and not the covered entities bill for the reasonable costs of providing the records to the requestors.

    Commenters asked that the final rule clarify that business associates can continue to receive payment of costs from third parties for providing this service on behalf of covered entities. Another commenter requested that the final rule clarify that the exception for remuneration to a business associate for activities performed on behalf of a covered entity also applies to remuneration received by subcontractors performing services on behalf of business associates.

    Finally, several commenters also responded to the proposed rule’s request for comment on the general exception at § 164.508(a)(4)(ii)(H) by suggesting costs that they believed should be permitted, including but not limited to costs for: preparing, producing, and transmitting protected health information; retrieval, labor, supplies, and copying costs; personnel and overhead costs; investments and indirect costs; and any costs that are in compliance with State law.

    Final Rule

    The final rule adopts the HITECH Act’s prohibition on the sale of protected health information but makes certain changes to the provisions in the proposed rule to clarify the scope of the provisions and otherwise address certain of commenters’ concerns. First, we have moved the general prohibition on the sale of protected health information by a covered entity or business associate to § 164.502(a)(5)(ii) and created a definition of “sale of protected health information.” Numerous commenters requested that the Privacy Rule include a definition of sale to better clarify what types of transactions fall within the scope of the provisions.

    We do not limit a “sale” to those transactions where there is a transfer of ownership of protected health information as some commenters suggested. The HITECH Act does not include such a limitation and the Privacy Rule rights and protections apply to protected health information without regard to ownership interests over the data.

    Thus, the sale provisions apply to disclosures in exchange for remuneration including those that are the result of access, license, or lease agreements.

    In addition, we do not consider sale of protected health information in this provision to encompass payments a covered entity may receive in the form of grants, or contracts or other arrangements to perform programs or activities, such as a research study, because any provision of protected health information to the payer is a byproduct of the service being provided. Thus, the payment by a research sponsor to a covered entity to conduct a research study is not considered a sale of protected health information even if research results that may include protected health information are disclosed to the sponsor in the course of the study. Further, the receipt of a grant or funding from a government agency to conduct a program is not a sale of protected health information, even if, as a condition of receiving the funding, the covered entity is required to report protected health information to the agency for program oversight or other purposes.

    (Certain of these disclosures would also be exempt from the sale requirements, depending on whether the requirement to report data was included in regulation or other law.)

    Similarly, we clarify that the exchange of protected health information through a health information exchange (HIE) that is paid for through fees assessed on HIE participants is not a sale of protected health information; rather the remuneration is for the services provided by the HIE and not for the data itself. (Such disclosures may also be exempt from these provisions under the exception for disclosures to or by a business associate that is being compensated by a covered entity for its services.)

    In contrast, a sale of protected health information occurs when the covered entity primarily is being compensated to supply data it maintains in its role as a covered entity (or business associate). Thus, such disclosures require the individual’s authorization unless they otherwise fall within an exception at § 164.502(a)(5)(ii)(B)(2).

    For example, a disclosure of protected health information by a covered entity to a third party researcher that is conducting the research in exchange for remuneration would fall within these provisions, unless the only remuneration received is a reasonable, cost-based fee to cover the cost to prepare and transmit the data for such purposes (see below).

    In response to questions by commenters, we also clarify the scope of the term “remuneration.” The statute uses the term “remuneration,” and not “payment,” as it does in the marketing provisions at section 13406(a). Because the statute uses different terms, we do not believe that remuneration as applied to the sale provisions is limited to financial payment in the same way it is so limited in the marketing provisions. Thus, the prohibition on sale of protected health information applies to the receipt of nonfinancial as well as financial benefits. In response to commenters who indicated that the statute’s terms “direct and indirect” apply to how the remuneration is received rather than the remuneration itself, we agree and have moved the terms in the definition to further make clear that the provisions prohibit the receipt of remuneration not only from the third party that receives the protected health information but also from another party on behalf of the recipient of the protected health information. However, this does not change the scope of the term “remuneration.” As discussed above, we interpret the statute to mean that nonfinancial benefits are included in the prohibition. Thus, a covered entity or business associate may not disclose protected health information in exchange for in-kind benefits, unless the disclosure falls within one of the exceptions discussed below. Consider, for example, a covered entity that is offered computers in exchange for disclosing protected health information. The provision of protected health information in exchange for the computers would not be considered a sale of protected health information if the computers were solely used for the purpose of preparing and transmitting protected health information to the person collecting it and were returned when such disclosure was completed. However, if the covered entity is permitted to use the computers for other purposes or to keep the computers even after the disclosures have been made, then the covered entity has received in-kind remuneration in exchange for the protected health information above what is needed to make the actual disclosures.

    We retain in the final rule the broad exception for disclosures for public health purposes made pursuant to §§ 164.512(b) and 164.514(e). Based on the concerns from the public comment that narrowing the exception could discourage voluntary public health reporting, we do not limit the exception to only those disclosures where all the covered entity receives as remuneration is a cost-based fee to cover the cost to prepare and transmit the data.

    With respect to the exception for research disclosures, the final rule adopts the language as proposed, including the cost-based fee limitation provided for in the HITECH Act. Thus, disclosures for research purposes are excepted from the remuneration prohibition to the extent that the only remuneration received by the covered entity or business associate is a reasonable cost-based fee to cover the cost to prepare and transmit the protected health information for such purposes. We do not remove the fee limitation as requested by some commenters; the statutory language included in Section 13405(d)(2)(B) of the HITECH Act clearly states that any remuneration received in exchange for research disclosures must reflect only the cost of preparation and transmittal of the data for such purpose.

    In response to comments about the types of costs that are permitted in the reasonable cost-based fee to prepare and transmit the data, we clarify that this may include both direct and indirect costs, including labor, materials, and supplies for generating, storing, retrieving, and transmitting the protected health information; labor and supplies to ensure the protected health information is disclosed in a permissible manner; as well as related capital and overhead costs. However, fees charged to incur a profit from the disclosure of protected health information are not allowed. We believe allowing a profit margin would not be consistent with the language contained in Section 13405 of the HITECH Act. We intend to work with the research community to provide guidance and help the research community reach a common understanding of appropriate cost-based limitations on remuneration.

    We retain the exceptions proposed for treatment and payment disclosures without modification and agree with commenters that these exceptions are necessary to make clear that these core health care functions may continue. Similarly, we retain the exception to the remuneration prohibition for disclosures for the transfer, merger, or consolidation of all or part of a covered entity with another covered entity, or an entity that following such activity will become a covered entity, and related due diligence, to ensure that such disclosures may continue to occur in accordance with the Privacy Rule. We retain the proposed exception for disclosures that are otherwise required by law to ensure a covered entity can continue to meet its legal obligations without imposing an authorization requirement. We also retain the exception for disclosures to the individual to provide the individual with access to protected health information or an accounting of disclosures, where the fees charged for doing so are in accord with the Privacy Rule.

    We adopt the exceptions for remuneration paid by a covered entity to a business associate for activities performed on behalf of a covered entity, as well as the general exception permitting a covered entity to receive remuneration in the form of a reasonable, cost-based fee to cover the cost to prepare and transmit the protected health information for any disclosure otherwise permitted by the Privacy Rule.

    However, we make a number of clarifications to address commenters' questions and concerns regarding the ability of a business associate, rather than a covered entity, to receive the permitted remuneration. First, we add the term “business associate” in the general exception permitting reasonable, cost-based fees to prepare and transmit data (or fees permitted by State laws) to make clear that business associates may continue to recoup fees from third-party record requestors for preparing and transmitting records on behalf of a covered entity, to the extent such fees are reasonable, cost-based fees to cover the cost to prepare and transmit the protected health information or otherwise expressly permitted by other law. Second, we clarify in the business associate exception that the exception would also cover remuneration by a business associate to its subcontractor for activities performed by the subcontractor on behalf of the business associate.

    Finally, we add the term “business associate” to the general prohibition on sale of protected health information for consistency, even though, without the addition, a business associate still would not be permitted to sell protected health information as a business associate may generally only make uses and disclosures of protected health information in manners in which a covered entity would be permitted under the Privacy Rule.

    With respect to the types of costs that would be permitted as part of a reasonable, cost-based fee under this provision, we clarify that the final rule permits the same types of costs under this exception as the research exception, as well as costs that are in compliance with a fee schedule provided by State law or otherwise expressly permitted by other applicable law. Thus, costs may include the direct and indirect costs to prepare and transmit the data, including labor, materials, and supplies, but not a profit margin.

    We intend to continue to work with interested stakeholders to develop more guidance on direct and indirect costs and on remuneration.

    Response to Other Public Comments

    Comment: Several commenters suggested that we make clear in the final rule that redisclosures of information by a recipient covered entity or business associate even for remuneration that are set forth in the original authorization are not restricted by this provision. Another commenter argued that the original authorization form should indicate whether the recipient of the protected health information will further exchange the information for remuneration.

    Response: It is expected to be the usual case that if a covered entity or business associate that receives protected health information in exchange for remuneration wishes to further disclose that information in exchange for remuneration, then an additional authorization in accordance with § 164.508 must be obtained because such disclosures will not be encompassed by the original authorization. However, it may be possible that redisclosures of information for remuneration by a recipient covered entity or business associate do not require an additional authorization, provided it is sufficiently clear to the individual in the original authorization that the recipient covered entity or business associate will further disclose the individual’s protected health information in exchange for remuneration. In response to the commenter that argued that the original authorization form should indicate whether the recipient of the protected health information will further exchange the information for remuneration, as explained above we believe the language included in Section 13405 of the HITECH Act was to alert the individual as to whether the disclosures he or she was authorizing at the time involved remuneration. Where the recipient of protected health information pursuant to an authorization is a third party that is not a covered entity or business associate, we do not have authority to require that entity to disclose to the disclosing covered entity or business associate whether it plans to further exchange the protected health information for remuneration for purposes of including such information on the authorization form.

    However, covered entities that are informed of such information may include it on the authorization form if they wish to. In any event, the Privacy Rule retains the requirement that an authorization inform the individual of the potential for information disclosed pursuant to the authorization to be subject to redisclosure by the recipient and to no longer be subject to the Privacy Rule.

    Comment: Several commenters asked for clarification on the effect the final rule will have on existing research efforts and some suggested that HHS should grandfather in all Privacy Rule authorizations for research obtained under existing law before the effective date of the final rule. These commenters believed addressing current research would be necessary to ensure the rule would not frustrate ongoing research efforts.

    Response: We agree that ongoing research studies that are based on a prior permission under the Privacy Rule for the research use or disclosure of protected health information should be grandfathered so as not to disrupt these ongoing studies. We have added a reference to the authorization requirements that apply to the sale of protected health information at § 164.508(a)(4) to make clear that the transition provisions in § 164.532 apply to permissions existing prior to the applicable compliance date of the Rule.

    Thus, a covered entity may continue to rely on an authorization obtained from an individual prior to the compliance date even if remuneration is involved but the authorization does not indicate that the disclosure is in exchange for remuneration. This would apply to authorizations for any permissible purpose under the Rule and not just for research purposes. Further, in the research context, where a covered entity obtained documentation of a waiver of authorization from an Institutional Review Board or Privacy Board prior to the compliance date for this final rule, the covered entity may continue to rely on that documentation to release protected health information to a researcher, even if the covered entity receives remuneration in the form of more than a

    Finally, we also provide at new § 164.532(f) that a covered entity may continue to use or disclose a limited data set in accordance with an existing data use agreement that meets the requirements of § 164.514(e), including for research purposes, until the data use agreement is renewed or modified or until one year from the compliance date of this final rule, whichever is earlier, even if such disclosure would otherwise constitute a sale of protected health information upon the effective date of this rule.

    Comment: Some commenters were concerned that the sale prohibition would apply to a covered entity's sale of accounts receivable including protected health information to a collection agency, arguing that such disclosures should remain permissible without authorization as a payment disclosure.

    Response: Disclosures of protected health information for payment collection activities are permitted without authorization as a payment disclosure under the Privacy Rule (see §§ 164.501 and 164.506(a)) and thus, are excepted from the remuneration prohibition at § 164.502(a)(5)(ii)(B)(2)(iii).

    Comment: A few commenters asked that the final rule clarify that transfers of value among entities under common control do not implicate the authorization requirements. Similarly, some commenters sought clarification on whether business transfers on the books for internal reorganization would also be excluded under the transfer, merger, and consolidation exception to the final rule.

    Response: First, we clarify that uses of protected health information within a covered entity that is a single legal entity are not implicated by the remuneration prohibition as the prohibition applies only to disclosures outside of a covered entity.

    Second, the use of protected health information among legally separate covered entities under common ownership or control that have designated themselves as an affiliated covered entity (i.e., a single covered entity for purposes of compliance with the HIPAA Rules) is not implicated. See the requirements for affiliated covered entities at § 164.105(b). Thus, to the extent that what the commenters contemplate is an otherwise permissible use of protected health information within a single legal entity that is a covered entity or an affiliated covered entity, such use of data is not impacted by these provisions. Third, disclosures of protected health information for the sale, transfer, merger, or consolidation of all or part of a covered entity with another covered entity, or with an entity that following such activity will become a covered entity and due diligence related to such activity are excepted from the definition of sale of protected health information at § 164.502(a)(5)(ii)(B)(2)(iv).

    Comment: Some commenters expressed concern over the role the Institutional Review Board will play in determining reasonable costs, and several commenters asked that the final rule clarify that the Institutional Review Board is not responsible for making a determination regarding the permissibility of the fees paid in exchange for a disclosure of protected health information for research purposes.

    Response: We clarify that a covered entity, or business associate if applicable, is responsible for determining whether any fees paid to the entity in exchange for protected health information cover the covered entity’s or business associate’s costs to prepare and transmit protected health information for research.

    Comment: A few commenters sought clarification on how to differentiate access to protected health information from access to statistical data, particularly when remuneration is provided for access to a database but the party is solely interested in a population study, not an individual’s protected health information.

    Response: Disclosures of health information that has been de-identified in accordance with the Privacy Rule at § 164.514(b)-(d) are not subject to the remuneration prohibition as such information is not protected health information under the Rule.

    However, a covered entity that allows a third party access to a database containing protected health information in exchange for remuneration is subject to these provisions unless an exception applies (e.g., the remuneration received is limited to a reasonable, cost-based fee to prepare and make available the data).

    Comment: A number of commenters argued that limited data sets should be exempted entirely from the remuneration prohibition because they are not fully identifiable data sets and are subject to protections under data use agreements.

    Response: We decline to completely exempt limited data sets from these provisions as, unlike de-identified data, they are still protected health information.

    However, disclosures of limited data sets for purposes permitted under the Rule would be exempt from the authorization requirements to the extent the only remuneration received in exchange for the data is a reasonable, cost-based fee to prepare and transmit the data or a fee otherwise expressly permitted by other law. We also provide at new § 164.532(f) that a covered entity may continue to use or disclose a limited data set in accordance with an existing data use agreement that meets the requirements of § 164.514(e), including for research purposes, until the data use agreement is renewed or modified or until one year from the compliance date of this final rule, whichever is earlier, even if such disclosure would otherwise constitute a sale of protected health information upon the effective date of this rule.


    HHS Description of August 2002 Revisions
    Uses and Disclosures For Which an Authorization is Required: Authorizations for Uses and Disclosures - § 164.508(a)


    1. Restructuring Authorization.

    December 2000 Privacy Rule. The Privacy Rule requires individual authorization for uses and disclosures of protected health information for purposes that are not otherwise permitted or required under the Rule. To ensure that authorizations are informed and voluntary, the Rule prohibits, with limited exceptions, covered entities from conditioning treatment, payment, or eligibility for benefits or enrollment in a health plan, on obtaining an authorization. The Rule also permits, with limited exceptions, individuals to revoke an authorization at any time. Additionally, the Rule sets out core elements that must be included in any authorization. These elements are intended to provide individuals with the information they need to make an informed decision about giving their authorization. This information includes specific details about the use or disclosure, and provides the individual fair notice about his or her rights with respect to the authorization and the potential for the information to be redisclosed. Additionally, the authorization must be written in plain language so individuals can read and understand its contents. The Privacy Rule required that authorizations provide individuals with additional information for specific circumstances under the following three sets of implementation specifications: in § 164.508(d), for authorizations requested by a covered entity for its own uses and disclosures; in § 164.508(e), for authorizations requested by a covered entity for another entity to disclose protected health information to the covered entity requesting the authorization to carry out treatment, payment, or health care operations; and in § 164.508(f), for authorizations requested by a covered entity for research that includes treatment of the individual.

    March 2002 NPRM. Various issues were raised regarding the authorization requirements. Commenters claimed the authorization provisions were too complex and confusing. They alleged that the different sets of implementation specifications were not discrete, creating the potential for the implementation specifications for specific circumstances to conflict with the required core elements. Some covered entities were confused about which authorization requirements they should implement in any given circumstance. Also, although the Department intended to permit insurers to obtain necessary protected health information during contestability periods under State law, the Rule did not provide an exception to the revocation provision when other law provides an insurer the right to contest an insurance policy.

    To address these issues, the Department proposed to simplify the authorization provisions by consolidating the implementation specifications into a single set of criteria under § 164.508(c), thus eliminating paragraphs (d), (e), and (f) which contained separate implementation specifications. Under the proposal, paragraph (c)(1) would require all authorizations to contain the following core elements: (1) a description of the information to be used or disclosed, (2) the identification of the persons or class of persons authorized to make the use or disclosure of the protected health information, (3) the identification of the persons or class of persons to whom the covered entity is authorized to make the use or disclosure, (4) a description of each purpose of the use or disclosure, (5) an expiration date or event, (6) the individual’s signature and date, and (7) if signed by a personal representative, a description of his or her authority to act for the individual. The proposal also included new language to clarify that when individuals initiate an authorization for their own purposes, the purpose may be described as “at the request of the individual.”

    In the NPRM, the Department proposed that § 164.508(c)(2) require authorizations to contain the following required notifications: (1) a statement that the individual may revoke the authorization in writing, and either a statement regarding the right to revoke and instructions on how to exercise such right or, to the extent this information is included in the covered entity’s notice, a reference to the notice, (2) a statement that treatment, payment, enrollment, or eligibility for benefits may not be conditioned on obtaining the authorization if such conditioning is prohibited by the Privacy Rule, or, if conditioning is permitted by the Privacy Rule a statement about the consequences of refusing to sign the authorization, and (3) a statement about the potential for the protected health information to be redisclosed by the recipient.

    Also under the proposal, covered entities would be required to obtain an authorization to use or disclose protected health information for marketing purposes, and to disclose in such authorizations any direct or indirect remuneration the covered entity would receive from a third party as a result of obtaining or disclosing the protected health information. The other proposed changes regarding marketing are discussed in section III.A.1. of the preamble.

    The NPRM proposed a new exception to the revocation provision at § 164.508(b)(5)(ii) for authorizations obtained as a condition of obtaining insurance coverage when other law gives the insurer the right to contest the policy. Additionally, the Department proposed that the exception to permit conditioning payment of a claim on obtaining an authorization be deleted, since the proposed provision to permit the sharing of protected health information for the payment activities of another covered entity or a health care provider would eliminate the need for an authorization in such situations.

    Finally, the Department proposed modifications at § 164.508(a)(2)(i)(A), (B), and (C), to clarify its intent that the proposed provisions for sharing protected health information for the treatment, payment, or health care operations of another entity would not apply to psychotherapy notes.

    There were a number of proposed modifications concerning authorizations for research purposes. Those modifications are discussed in section III.E.2. of the preamble.

    2. Research Authorizations.

    December 2000 Privacy Rule. The Privacy Rule requires covered entities to obtain an individual’s voluntary and informed authorization before using or disclosing protected health information for any purpose that is not otherwise permitted or required under the Rule. Uses and disclosures of protected health information for research purposes are subject to the same authorization requirements as uses and disclosures for other purposes. However, for research that includes treatment of the individual, the December 2000 Privacy Rule prescribed special authorization requirements at § 164.508(f). The December 2000 Privacy Rule, at § 164.508(b)(5), also permitted individuals to revoke their authorization at any time, with limited exceptions. Further, the December 2000 Privacy Rule prohibited the combining of the authorization for the use or disclosure of existing protected health information with any other legal permission related to the research study.

    March 2002 NPRM. Several of those who commented on the December 2000 Privacy Rule argued that certain authorization requirements in § 164.508 were unduly complex and burdensome as applied to research uses and disclosures. In particular, several commenters favored eliminating the Rule’s specific provisions at § 164.508(f) for authorizations for uses and disclosures of protected health information for research that includes treatment of the individual. The Department also heard from several provider groups who argued in favor of permitting covered entities to combine all of the research authorizations required by the Privacy Rule with the informed consent to participate in the research. Commenters also noted that the Rule’s requirement for an “expiration date or event that relates to the individual or the purpose of the use or disclosure” runs counter to the needs of research databases and repositories that are often retained indefinitely.

    In response to these concerns, the Department proposed a number of modifications to simplify the authorization requirements both generally and, in certain circumstances, as they specifically applied to uses and disclosures of protected health information for research. In particular, the Department proposed a single set of authorization requirements for all uses and disclosures, including those for research purposes. This proposal would eliminate the additional authorization requirements for the use and disclosure of protected health information created for research that includes treatment of the individual. Consistent with this proposed change, the Department further proposed to modify the requirements prohibiting the conditioning of authorizations at § 164.508(b)(4)(i) to remove the reference to § 164.508(f).

    In addition, the Department proposed that the Privacy Rule permit an authorization for the use or disclosure of protected health information to be combined with any other legal permission related to the research study, including another authorization or consent to participate in the research.

    Finally, the Department proposed to provide explicitly that the statement, “end of a research study,” or similar language be sufficient to meet the requirement for an expiration date in § 164.508(c)(1)(v). Additionally, the Department proposed that the statement “none” or similar language be sufficient to meet this provision if the authorization was for a covered entity to use or disclose protected health information for the creation or maintenance of a research database or repository.

    HHS Explanation of Final Modifications
    Uses and Disclosures For Which an Authorization is Required: Authorizations for Uses and Disclosures

    1. Restructuring Authorization.

    In the final modifications, the Department adopts the changes proposed in the NPRM. Since the modifications to the authorization provision are comprehensive, the Department is publishing this section in its entirety so that it will be easier to use and understand. Therefore, the preamble addresses all authorization requirements, and not just those that were modified.

    In § 164.508(a), covered entities are required to obtain an authorization for uses and disclosures of protected health information, unless the use or disclosure is required or otherwise permitted by the Rule. Covered entities may use only authorizations that meet the requirements of § 164.508(b), and any such use or disclosure will be lawful only to the extent it is consistent with the terms of such authorization. Thus, a voluntary consent document will not constitute a valid permission to use or disclose protected health information for a purpose that requires an authorization under the Rule.

    Although the requirements regarding uses and disclosures of psychotherapy notes are not changed substantively, the Department made minor changes to the language in paragraph (a)(2) to clarify that a covered entity may not use or disclose psychotherapy notes for purposes of another covered entity’s treatment, payment, or health care operations without obtaining the individual’s authorization. However, covered entities may use and disclose psychotherapy notes, without obtaining individual authorization, to carry out their own limited treatment, payment, or health care operations as follows: (1) use by the originator of the notes for treatment, (2) use or disclosure for the covered entity’s own training programs for its mental health professionals, students, and trainees, and (3) use or disclosure by the covered entity to defend itself in a legal action or other proceeding brought by the individual.

    Section 164.508(a)(3) requires covered entities to obtain an authorization to use or disclose protected health information for marketing purposes, with two exceptions. The authorization requirements for marketing and the comments received on these provisions are discussed in detail in section III.A.1. of the preamble.

    If the marketing involves any direct or indirect remuneration to the covered entity from a third party, the authorization must state that fact. The comments on this requirement also are discussed in section III.A.1. of the preamble. However, a statement concerning remuneration is not a required notification for other authorizations. Such a statement was never required for all authorizations and the Department believes it would be most meaningful for consumers on authorizations for uses and disclosures of protected health information for marketing purposes. Some commenters urged the Department to require remuneration statements on research authorizations. The Department has not done so because the complexity of such arrangements would make it difficult to define what constitutes remuneration in the research context. Moreover, to require covered entities to disclose remuneration by a third party on authorizations for research would go beyond the requirements imposed in the December 2000 Rule, which did not require such a disclosure on authorizations obtained for the research of a third party. The Department believes that concerns regarding financial conflicts of interest that arise in research are not limited to privacy concerns, but also are important to the objectivity of research and to protecting human subjects from harm. Therefore, in the near future, the Department plans to issue guidance for the research community on this important topic.

    Pursuant to § 164.508(b)(1), an authorization is not valid under the Rule unless it contains all of the required core elements and notification statements, which are discussed below. Covered entities may include additional, non-required elements so long as they are not inconsistent with the required elements and statements. The language regarding defective authorizations in § 164.508(b)(2) is not changed substantively. However, some changes are made to conform this paragraph to modifications to other parts of the authorization provision, as well as other sections of the Rule. An authorization is not valid if it contains any of the following defects: (1) the expiration date has passed or the expiration event has occurred, and the covered entity is aware of the fact, (2) any of the required core elements or notification statements are omitted or incomplete, (3) the authorization violates the specifications regarding compounding or conditioning authorizations, or (4) the covered entity knows that material information in the authorization is false.

    In § 164.508(b)(3) regarding compound authorizations, the requirements for authorizations for purposes other than research are not changed. That is, authorizations for use or disclosure of psychotherapy notes may be combined only with another authorization for the use or disclosure of psychotherapy notes. Other authorizations may be combined, unless a covered entity has conditioned the provision of treatment, payment, enrollment in a health plan, or eligibility for benefits on one of the authorizations. A covered entity generally may not combine an authorization with any other type of document, such as a notice of privacy practices or a written voluntary consent. However, there are exceptions for research authorizations, which are discussed in section III.E.2. of the preamble.

    Section 164.508(b)(4) prohibits the conditioning of treatment, payment, enrollment in a health plan, or eligibility for benefits on obtaining an authorization, with a few exceptions. The exceptions to this requirement for research-related treatment, eligibility for benefits and enrollment in a health plan, and health care solely for creating protected health information for disclosure to a third party are not changed. Moreover, the Department eliminates the exception to the prohibition on conditioning payment of a claim on obtaining an authorization. Although some insurers urged that this conditioning authority be retained to provide them with more collection options, the Department believes this authorization is no longer necessary because we are adding a new provision in § 164.506 that permits covered entities to disclose protected health information for the payment purposes of another covered entity or health care provider. Therefore, that exception has been eliminated.

    Section 164.508(b)(5) provides individuals the right to revoke an authorization at any time in writing. The two exceptions to this right are retained, but with some modification. An individual may not revoke an authorization if the covered entity has acted in reliance on the authorization, or if the authorization was obtained as a condition of obtaining insurance coverage and other law gives the insurer the right to contest the claim or the policy itself. The Department adopts the proposed modification to the latter exception so that insurers can exercise the right to contest an insurance policy under other law. Public comment was generally supportive of this proposed modification.

    Section 164.508(b)(6) requires covered entities to document and retain authorizations as required under § 164.530(j). This requirement is not changed.

    The different sets of implementation criteria are consolidated into one set of criteria under § 164.508(c), thus eliminating the confusion and uncertainty associated with different requirements for specific circumstances. Covered entities may use one authorization form for all purposes. The Department adopts in paragraph (c)(1), the following core elements for a valid authorization: (1) a description of the information to be used or disclosed, (2) the identification of the persons or class of persons authorized to make the use or disclosure of the protected health information, (3) the identification of the persons or class of persons to whom the covered entity is authorized to make the use or disclosure, (4) a description of each purpose of the use or disclosure, (5) an expiration date or event, (6) the individual’s signature and date, and (7) if signed by a personal representative, a description of his or her authority to act for the individual. An authorization that does not contain all of the core elements does not meet the requirements for a valid authorization. The Department intends for the authorization process to provide individuals with the opportunity to know and understand the circumstances surrounding a requested authorization.

    To further protect the privacy interests of individuals, when individuals initiate an authorization for their own purposes, the purpose may be stated as “at the request of the individual.” Other changes to the core elements pertain to authorizations for research, and are discussed in section III.E.2. of the preamble.

    Also, under § 164.508(c)(2), an authorization is not valid unless it contains all of the following: (1) a statement that the individual may revoke the authorization in writing, and either a statement regarding the right to revoke and instructions on how to exercise such right or, to the extent this information is included in the covered entity’s notice, a reference to the notice, (2) a statement that treatment, payment, enrollment, or eligibility for benefits may not be conditioned on obtaining the authorization if such conditioning is prohibited by the Privacy Rule or, if conditioning is permitted, a statement about the consequences of refusing to sign the authorization, and (3) a statement about the potential for the protected health information to be redisclosed by the recipient. Although the notification statements are not included in the paragraph on core elements, an authorization is not valid unless it contains both the required core elements and all of the required statements. This is the minimum information the Department believes is needed to ensure individuals are fully informed of their rights with respect to an authorization and to understand the consequences of authorizing the use or disclosure. The required statements must be written in a manner that is adequate to place the individual on notice of the substance of the statements.

    In response to comments, the Department clarifies that the statement regarding the potential for redisclosure does not require an analysis of the risk for redisclosure, but may be a general statement that the health information may no longer be protected by the Privacy Rule once it is disclosed by the covered entity. Others objected to this statement because individuals might be hesitant to sign an authorization if they knew their protected health information could be redisclosed and no longer protected by the Rule. In response, the Department believes that individuals need to know about the consequences of authorizing the disclosure of their protected health information. As the commenter recognized, the potential for redisclosure may, indeed, be an important factor in an individual’s decision to give or deny a requested authorization.

    Others suggested that the statement regarding redisclosure should be omitted when an authorization is obtained only for a use, since such a statement would be confusing and inappropriate when the covered entity maintains the information. Similarly, some commenters were concerned that the statement may be misleading where the recipient of the information, although not a covered entity, will keep the information confidential. In response, the Department clarifies that, while a general statement would suffice, a covered entity has the discretion to provide a more definitive statement where appropriate. Thus, the covered entity requesting an authorization for its own use of protected health information may provide assurances that the information will remain subject to the Privacy Rule. Similarly, if a third party, such as a researcher, is seeking an authorization for research, the statement may refer to the privacy protections that the researcher will provide for the data.

    Under § 164.508(c)(3), authorizations must be written in plain language so that individuals can understand the information contained in the form, and thus be able to make an informed decision about whether to give the authorization. A few commenters urged the Department to keep the plain language requirement as a core element of a valid authorization. Under the December 2000 Rule, the plain language requirement was not a requisite for a valid authorization. Nevertheless, under both the December 2000 Rule and the final modifications, authorizations must be written in plain language. The fact that the plain language requirement is not a core element does not diminish its importance or effect, and the failure to meet this requirement is a violation of the Rule.

    Finally, under § 164.508(c)(4), covered entities who seek an authorization are required to provide the individual with a copy of the signed authorization form.

    2. Research Authorizations.

    The Department agrees with the commenters that supported the NPRM’s proposed simplification of authorizations for research uses and disclosures of protected health information and, therefore, adopts the modifications to these provisions as proposed in the NPRM. The final Rule requires a single set of authorization requirements for all uses and disclosures, including those for research purposes, and permits an authorization for the use or disclosure of protected health information to be combined with any other legal permission related to the research study, including another authorization or consent to participate in the research.

    In addition, in response to commenters’ concerns that the Rule would prohibit important uses and disclosures of protected health information after the termination of a research project, the final Rule eliminates the requirement for an expiration date for all uses and disclosures of protected health information for research purposes, not only for the creation and maintenance of a research database or repository. The Department agrees that the line between research repositories and databases in particular, and research data collection in general, is sometimes arbitrary and unclear. If the authorization for research uses and disclosures of protected health information does not have an expiration date, the final Rule at § 164.508(c)(1)(v), requires that this fact be stated on the authorization form. Patients continue to control whether protected health information about them may be used or disclosed for research, since the authorization must include an expiration date or event, or a statement that the authorization will have no expiration date. In addition, patients will be permitted to revoke their authorization at any time during the research project, except as specified under § 164.508(b)(5). However, the Department notes that researchers may choose to include, and covered entities may choose to require, an expiration date when appropriate.

    Although the final Rule does not modify the revocation provision at § 164.508(b)(5), in response to commenters’ concerns, the Department clarifies that this provision permits covered entities to continue using and disclosing protected health information that was obtained prior to the time the individual revoked his or her authorization, as necessary to maintain the integrity of the research study. An individual may not revoke an authorization to the extent the covered entity has acted in reliance on the authorization. For research uses and disclosures, this reliance exception at § 164.508(b)(5)(i) permits the continued use and disclosure of protected health information already obtained pursuant to a valid authorization to the extent necessary to preserve the integrity of the research study. For example, the reliance exception would permit the continued use and disclosure of protected health information to account for a subject’s withdrawal from the research study, as necessary to incorporate the information as part of a marketing application submitted to the FDA, to conduct investigations of scientific misconduct, or to report adverse events. However, the reliance exception would not permit a covered entity to continue disclosing additional protected health information to a researcher or to use for its own research purposes information not already gathered at the time an individual withdraws his or her authorization. The Department believes that this clarification of the Rule will minimize the negative effects on research caused by participant withdrawal and will allow for important continued uses and disclosures to occur, while maintaining privacy protections for research subjects.


    HHS Response to Comments Received - Published With the August 2002 Revisions
    Uses and Disclosures For Which an Authorization is Required: Authorizations for Uses and Disclosures


    1. Restructuring Authorization.

    Overview of Public Comments. The following discussion provides an overview of the public comment received on this proposal.

    There was overwhelming support for the proposed modifications. Overall, supporters were of the opinion that the consolidation and simplification would promote efficiency, simplify compliance, and reduce confusion. Many commenters claimed the changes would eliminate barriers to quality health care. Some commenters claimed the proposed modifications would make the authorization process easier for both providers and individuals, and one commenter said they would make authorizations easier to read and understand. A number of commenters stated the changes would not have adverse consequences for individuals, and one commenter noted the proposal would preserve the opportunity for individuals to give a meaningful authorization.

    However, some of the proponents suggested the Department go further to ease the administrative burden of obtaining authorizations. Some urged the Department to eliminate some of the required elements which they perceived as unnecessary to protect privacy, while others suggested that covered entities should decide which elements were relevant in a given situation. Some commenters urged the Department to retain the exception to the prohibition on conditioning payment of a claim on obtaining an authorization. These commenters expressed fear that the voluntary consent process and/or the right to request restrictions on uses and disclosures for treatment, payment, or health care operations might prevent covered entities from disclosing protected health information needed for payment purposes, or providers may be reluctant to cooperate in disclosures for payment purposes based on inadequately drafted notices.

    Comments were divided on the proposed requirement to disclose remuneration in marketing authorizations. Recommendations ranged from requiring the disclosure of remuneration on all authorizations, to eliminating the requirement altogether.

    Response to Other Public Comments.

    Comment: A number of commenters specifically expressed support of the proposed authorization requirement for marketing, and urged the Department to adopt the requirement. However, one commenter claimed that requiring authorizations for marketing would reduce hospitals’ ability to market their programs and services effectively in order to compete in the marketplace, and that obtaining, storing, and maintaining marketing authorizations would be too burdensome.

    Response: In light of the support in the comments, the Department has adopted the proposed requirement for an authorization before a covered entity may use or disclose protected health information for marketing. However, the commenter is mistaken that this requirement will interfere with a hospital’s ability to promote its own program and services within the community. First, such broad-based marketing is likely taking place without resort to protected health information, through dissemination of information about the hospital through community-wide mailing lists. Second, under the Privacy Rule, a communication is not marketing if a covered entity is describing its own products and services. Therefore, nothing in the Rule will inhibit a hospital from competing in the marketplace by communicating about its programs and services.

    Comment: One commenter suggested that authorizations for marketing should clearly indicate that they are comprehensive and may contain sensitive protected health information.

    Response: The Department treats all individually identifiable health information as sensitive and equally deserving of protections under the Privacy Rule. The Rule requires all authorizations to contain the specified core elements to ensure individuals are given the information they need to make an informed decision. One of the core elements for all authorizations is a clear description of the information that is authorized to be used or disclosed in specific and meaningful terms. The authorization process provides the individual with the opportunity to ask questions, negotiate how their information will be used and disclosed, and ultimately to control whether these uses and disclosures will be made.

    Comment: Several commenters urged the Department to retain the existing structure of the implementation specifications, whereby the notification statements about the individual’s right to revoke and the potential for redisclosure are “core elements.” It was argued that this information is essential to an informed decision. One of the commenters claimed that moving them out of the core elements and only requiring a statement adequate to put the person on notice of the information would increase uncertainty, and that these two elements are too important to risk inadequate explanation.

    Response: The Department agrees that the required notification statements are essential information that a person needs in order to make an informed decision about authorizing the use or disclosure of protected health information. Individuals need to know what rights they have with respect to an authorization, and how they can exercise those rights. However, separating the core elements and notification statements into two different subparagraphs does not diminish the importance or effect of the notification statements. The Department clarifies that both the core elements and the notification statements are required, and both must be included for an authorization to be valid.

    Comment: Several commenters urged the Department to eliminate unnecessary authorization contents. They argued the test should be whether the person needs the information to protect his or her privacy, and cited the disclosure of remuneration by a third party as an example of unnecessary content, alleging that the disclosure of remuneration is not relevant to protecting privacy. One commenter suggested that covered entities should be given the flexibility to decide which contents are applicable in a given situation.

    Response: The Department believes the core elements are all essential information. Individuals need to know this information to make an informed decision about giving the authorization to use or disclose their protected health information. Therefore, the Department believes all of the core elements are necessary content in all situations. The Department does not agree that the remuneration statement required on an authorization for uses and disclosures of an individual’s protected health information for marketing purposes is not relevant to protecting privacy. Individuals exercise control over the privacy of their protected health information by either giving or denying an authorization, and remuneration from a third party to the covered entity for obtaining an authorization for marketing is an important factor in making that choice.

    Comment: One commenter suggested that covered entities should not be required to state on an authorization a person’s authority to act on an individual’s behalf, and they should be trusted to require such identification or proof of legal authority when the authorization is signed. The commenter stated that this requirement only increases administrative burden for covered entities.

    Response: The Department does not agree. The authorization requirement is intended to give individuals some control over uses and disclosures of protected health information that are not otherwise permitted or required by the Rule. Therefore, the Rule requires that covered entities verify and document a person’s authority to sign an authorization on an individual’s behalf, since that person is exercising the individual’s control of the information. Furthermore, the Department understands that it is a current industry standard to verify and document a person’s authority to sign any legal permission on another person’s behalf. Thus, the requirement should not result in any undue administrative burden for covered entities.

    Comment: One commenter suggested that the Department should require authorizations to include a complete list of entities that will use and share the information, and that the individual should be notified periodically of any changes to the list so that the individual can provide written authorization for the changes.

    Response: It may not always be feasible or practical for covered entities to include a comprehensive list of persons authorized to use and share the information disclosed pursuant to an authorization. However, individuals may discuss this option with covered entities, and they may refuse to sign an authorization that does not meet their expectations. Also, subject to certain limitations, individuals may revoke an authorization at any time.

    Comment: One commenter asked for clarification that a health plan may not condition a provider’s participation in the health plan on seeking authorization for the disclosure of psychotherapy notes, arguing that this practice would coerce providers to request, and patients to provide, an authorization to disclose psychotherapy notes.

    Response: The Privacy Rule does not permit a health plan to condition enrollment, eligibility for benefits, or payment of a claim on obtaining the individual’s authorization to use or disclose psychotherapy notes. Nor may a health care provider condition treatment on an authorization for the use or disclosure of psychotherapy notes. In a situation such as the one described by the commenter, the Department would look closely at whether the health plan was attempting to accomplish indirectly that which the Rule prohibits. These prohibitions are to ensure that the individual’s permission is wholly voluntary and informed with regard to such an authorization. To meet these standards, in the circumstances set forth in the comment, the Department would expect the provider subject to such a requirement by the health plan to explain to the individual in very clear terms that, while the provider is required to ask, the individual remains free to refuse to authorize the disclosure and that such refusal will have no effect on either the provision of treatment or the individual’s coverage under, and payment of claims by, the health plan.

    Comment: A few commenters suggested the Department should allow covered entities to combine an authorization with other documents, such as the notice acknowledgment, claiming it would reduce administrative burden and paperwork, as well as reduce patient confusion and waiting times, without compromising privacy protections.

    Response: The Department disagrees that combining an authorization with other documents, such as the notice acknowledgment, would be less confusing for individuals. To the contrary, the Department believes that combining unrelated documents would be more confusing. However, the Rule does permit an authorization to be combined with other authorizations so long as the provision of treatment, payment, enrollment in a health plan or eligibility for benefits is not conditioned on obtaining any of the authorizations, and the authorization is not for the use or disclosure of psychotherapy notes.

    Also, authorizations must contain the same information, whether it is a separate document or combined with another document; and the individual must be given the opportunity to read and discuss that information. Combining an authorization with routine paperwork diminishes individuals’ ability to make a considered and informed judgment to permit the use or disclosure of their medical information for some other purpose.

    Comment: One commenter stated that the requirement for covered entities to use only authorizations that are valid under the Rule must be an unintended result of the Rule, because covered entities would have to use only valid authorizations when requesting information from non-covered entities. The commenter did not believe the Department intended this requirement to apply with respect to non-covered entities, and gave the example of dental health plans obtaining protected health information in connection with paper claims submitted by dental offices. The commenter requested clarification that health plans may continue to use authorization forms currently in use for all claims submitted by non-covered entities.

    Response: The commenter misapprehends the Rule’s requirements. The requirements apply to uses and disclosures of protected health information by covered entities. In the example provided, where a health plan is requesting additional information in support of a claim for payment by a non-covered health care provider, the health plan is not required to use an authorization. The plan does not need the individual’s authorization to use protected health information for payment purposes, and the non-covered health care provider is not subject to any of the Rule’s requirements. Therefore, the exchange of information may occur as it does today. The Department notes that, based on the modifications regarding consent adopted in this rulemaking, neither a consent nor an authorization would be required in this example even if the health care provider was also a covered entity.

    Comment: Several commenters urged the Department to add a transition provision to permit hospitals to use protected health information in already existing databases for marketing and outreach to the communities they serve. Commenters claimed that these databases are important assets that would take many years to rebuild, and hospitals may not have an already existing authorization or other express legal permission for such use of the information. They contended that, without a transition provision, these databases would become useless under the Rule. Commenters suggested the Department should adopt an “opt-out” provision that would allow continued use of these databases to initially communicate with the persons listed in the database; at that time, they could obtain authorization for future communications, thus providing a smooth transition.

    Response: Covered entities are provided a two-year period in which to come into compliance with the Privacy Rule. One of the purposes of the compliance period is to allow covered entities sufficient time to undertake actions such as those described in the comment (obtaining the legal permissions that would permit databases to continue to operate after the compliance date). An additional transition period for these activities has not been justified by the commenters. However, the Department notes that a covered entity is permitted to use the information in a database for communications that are either excepted from or that do not meet the definition of “marketing” in § 164.501, without individual authorization. For example, a hospital may use protected health information in an existing database to distribute information about the services it provides, or to distribute a newsletter with general health or wellness information that does not promote a particular product or service.

    2. Research Authorizations.

    Overview of Public Comments. The following discussion provides an overview of the public comment received on this proposal.

    The vast majority of commenters were very supportive of the proposed revisions to the Rule’s provisions for research authorizations. However, the Department did hear from several commenters that the Privacy Rule’s requirement for an expiration date or event should be eliminated for all research uses and disclosures of protected health information, not just for uses and disclosures for the creation or maintenance of a research database or repository, as was proposed in the NPRM. These commenters were concerned that the Privacy Rule would prohibit important uses and disclosures of protected health information after the termination of a research project, such as the reporting of research results to the Food and Drug Administration (FDA) for an FDA investigational new drug application, unless the covered entity obtained another patient authorization. In addition, several of these commenters cited confusion in defining repositories and databases. Some of these commenters stated that an individual who authorizes information to be used for an indeterminate time most likely expects and intends for the information to be used and disclosed if needed well into the future, regardless of whether or not the research involves the use or disclosure of protected health information for the creation or maintenance of a database or repository.

    Several commenters responded to the Department’s request for comments on how to appropriately limit uses and disclosures following revocation of an authorization, while preserving the integrity of the research. The NPRM attempted to clarify that “even though a revocation will prevent a covered entity from further disclosing protected health information for research purposes, the exception to this requirement is intended to allow for certain continued uses of information as appropriate to preserve the integrity of the research study.” However, the NPRM further stated that “if covered entities were permitted to continue using or disclosing protected health information for the research project even after an individual had revoked his or her authorization, this would undermine the primary objective of the authorization requirements to be a voluntary, informed choice of the individual.” Several commenters were concerned and confused by the NPRM’s statements. In particular, the Department received comments urging that the regulation permit covered entities to use and disclose research data already obtained, even after an individual has withdrawn his or her authorization. These commenters suggested that once a subject has authorized the use and disclosure of protected health information for research and the covered entity has relied on the authorization, the covered entity must retain the ability to use or disclose the subject’s pre-withdrawal information for purposes consistent with the overall research. One commenter argued that it would be inadequate for the reliance exception at § 164.508(b)(5) to be interpreted to permit continued uses of the individual’s information as appropriate only to account for an individual’s withdrawal from the study. In this commenter’s opinion, most research would call for the continued use of protected health information obtained prior to an individual’s revocation of their authorization to safeguard statistical validity and truly to preserve the integrity of human research.

    Response to Other Public Comments.

    Comment: In opposition to the March 2002 NPRM, one commenter suggested prohibiting the combining of authorization forms with an informed consent when the covered entity disclosing the protected health information is not otherwise participating in research. The commenter argued that the NPRM would allow covered entities to receive more information than necessary to fulfill a patient’s authorization request, such as information about the particular type or purpose of the study itself, and could, thereby, violate the patient’s privacy.

    Response: The Department acknowledges the concern raised by these commenters; however, prohibiting the combination of authorization forms with an informed consent reduces the flexibility proposed in the March 2002 NPRM. Since the final modifications permit, but do not require, such combining of forms, the Department has decided to leave it to the discretion of researchers or the IRBs to determine whether the combining of authorization forms and consent forms for research would be appropriate for a particular research study.

    Comment: Some commenters supported retaining the December 2000 Privacy Rule requirement that a description of the extent to which protected health information will be used or disclosed for treatment, payment, or health care operations be included in an authorization to use or disclose protected health information for a research study that includes treatment of individuals. These commenters argued that an individual’s ability to make informed decisions requires that he or she know how research information will and will not be used and disclosed.

    Response: The Department agrees with the majority of the commenters who were in support of the March 2002 NPRM proposal to eliminate the additional authorization requirements for research that includes treatment, and has adopted these proposed modifications in the final Rule. Retaining the distinction between research that involves treatment and research that does not would require overly subjective decisions without providing commensurate privacy protections for individuals. However, the Department notes that it may sometimes be advisable for authorization forms to include a statement regarding how protected health information obtained for a research study will be used and disclosed for treatment, payment, and health care operations, if such information would assist individuals in making informed decisions about whether or not to provide their authorization for a research study.

    Comment: One commenter argued that expiration dates should be included on authorizations and that extensions should be required for all research uses and disclosures made after the expiration date or event has passed.

    Response: The Department disagrees. We have determined that an expiration date or event would not always be feasible or desirable for some research uses and disclosures of protected health information. By allowing for no expiration date, the final Rule permits without separate patient authorization important disclosures even after the “termination of the research project” that might otherwise be prohibited. However, the final Rule contains the requirement that the patient authorization specify if the authorization would not have an expiration date or event. Therefore, patients will have this information to make an informed decision about whether to sign the authorization.

    Comment: Another commenter suggested permitting covered entities/researchers to continue using or disclosing protected health information even after a revocation of the initial authorization but only if an IRB or Privacy Board approved the continuation. This commenter argued that such review by an IRB or Privacy Board would protect privacy, while permitting continued uses and disclosures of protected health information for important purposes.

    Response: As stated above, the Department agrees that it may sometimes be necessary to continue using and disclosing protected health information even after an individual has revoked his or her authorization in order to preserve the integrity of a research study. Therefore, the Department has clarified that the reliance exception at § 164.508(b)(5)(i) would permit the continued use and disclosure of protected health information already obtained pursuant to a valid authorization to the extent necessary to preserve the integrity of the research study. A requirement for documentation of IRB or Privacy Board review and approval of the continued use or disclosure of protected health information after an individual’s authorization had been revoked could protect patient privacy. However, the Department believes that the additional burden on the IRB or Privacy Board could be substantial, and is not warranted at this time.

    Comment: A commenter requested clarification that the “reliance exception” does not permit covered entities as researchers to continue analyzing data once an individual has revoked his or her authorization.

    Response: As discussed above, the Department disagrees with this comment. Patient privacy must be balanced against other public goods, such as research and the risk of compromising such research projects if researchers could not continue to use such data. The Department determined that permitting continued uses and disclosures of protected health information already obtained to protect the integrity of research, even after an individual’s authorization has been revoked, would pose minimal privacy risk to individuals without compromising research.

    Comment: Several commenters suggested permitting the proposed authorization requirement for a “description of each purpose of the requested use or disclosure” at § 164.508 to be sufficiently broad to encompass future unspecified research. These commenters argued that this option would reduce the burden for covered entities and researchers by permitting covered entities to use or disclose protected health information for re-analysis without having to obtain an additional authorization from the individual. Some discussed the possibility that burden for patients would also be reduced because they would not have to provide additional authorizations. These commenters also argued that such a provision would more directly align the Rule with the Common Rule, which permits broad informed consent for secondary studies if the IRB deems the original informed consent to be adequate.

    Response: The Department disagrees with broadening the required “description of the purpose of the use or disclosure” because of the concern that patients would lack necessary information to make an informed decision. In addition, unlike the Common Rule, the Privacy Rule does not require IRB or Privacy Board review of research uses and disclosures made with individual authorization. Therefore, instead of IRBs or Privacy Boards reviewing the adequacy of existing patient authorizations, covered entities would be left to decide whether or not the initial authorization was broad enough to cover subsequent research analyses. Furthermore, it should be noted that patient authorization would not be required for such re-analysis if, with respect to the re-analysis, the covered entity obtains IRB or Privacy Board waiver of such authorization as required by § 164.512(i). For these reasons, the Department has decided to retain the requirement that each purpose of the requested use or disclosure described in the authorization form be research study specific. However, the Department understands that, in the past, some express legal permissions and informed consents have not been study-specific and sometimes authorize the use or disclosure of information for future unspecified research. Furthermore, some IRB-approved waivers of informed consent have been for future unspecified research. Therefore, the final Rule at § 164.532 permits covered entities to rely on an express legal permission, informed consent, or IRB-approved waiver of informed consent for future unspecified research, provided the legal permission, informed consent or IRB-approved waiver was obtained prior to the compliance date.

    Comment: Several commenters suggested retaining the authorization element requiring a statement regarding “the potential for information disclosed pursuant to the authorization to be subject to redisclosure by the recipient and no longer protected by this Rule” but with one addition. This addition would state that “researchers could only use or disclose the protected health information for purposes approved by the IRB or as required by law or regulation.” These commenters argued that this would be clearer to participants and would prevent the misconception that their information would not be protected by any confidentiality standards.

    Response: The Department recognizes the concern of the commenters seeking to supplement the requirement, but points out that, although the final Rule will not require this addition, it is permissible to include such a statement in the authorization. In addition, since the Privacy Rule does not require IRB or Privacy Board review of research uses and disclosures made with patient authorization, the Department determined that adding the commenters’ suggestion to the final Rule would be inappropriate. Section III.E.1. above provides further discussion of this provision.