HIPAA Privacy Regulations: Uses and Disclosures For Which an Authorization is Required: General Requirements for Authorizations - § 164.508(b)
As Contained in the HHS HIPAA Privacy Rules
|
HHS Regulations as Amended January 2013 |
(b) Implementation specifications: General requirements—(1) Valid authorizations. (i) A valid authorization is a document that meets the requirements in paragraphs (a)(3)(ii), (a)(4)(ii), (c)(1), and (c)(2) of this section, as applicable.
(ii) A valid authorization may contain elements or information in addition to the elements required by this section, provided that such additional elements or information are not inconsistent with the elements required by this section.
(2) Defective authorizations. An authorization is not valid, if the document submitted has any of the following defects:
(i) The expiration date has passed or the expiration event is known by the covered entity to have occurred;
(ii) The authorization has not been filled out completely, with respect to an element described by paragraph (c) of this section, if applicable;
(iii) The authorization is known by the covered entity to have been revoked;
(iv) The authorization violates paragraph (b)(3) or (4) of this section, if applicable;
(v) Any material information in the authorization is known by the covered entity to be false.
(3) Compound authorizations. An authorization for use or disclosure of protected health information may not be combined with any other document to create a compound authorization, except as follows:
(i) An authorization for the use or disclosure of protected health information for a research study may be combined with any other type of written permission for the same or another research study. This exception includes combining an authorization for the use or disclosure of protected health information for a research study with another authorization for the same research study, with an authorization for the creation or maintenance of a research database or repository, or with a consent to participate in research. Where a covered health care provider has conditioned the provision of research-related treatment on the provision of one of the authorizations, as permitted under paragraph (b)(4)(i) of this section, any compound authorization created under this paragraph must clearly differentiate between the conditioned and unconditioned components and provide the individual with an opportunity to opt in to the research activities described in the unconditioned authorization.
(ii) An authorization for a use or disclosure of psychotherapy notes may only be combined with another authorization for a use or disclosure of psychotherapy notes.
(iii) An authorization under this section, other than an authorization for a use or disclosure of psychotherapy notes, may be combined with any other such authorization under this section, except when a covered entity has conditioned the provision of treatment, payment, enrollment in the health plan, or eligibility for benefits under paragraph (b)(4) of this section on the provision of one of the authorizations. The prohibition in this paragraph on combining authorizations where one authorization conditions the provision of treatment, payment, enrollment in a health plan, or eligibility for benefits under paragraph (b)(4) of this section does not apply to a compound authorization created in accordance with paragraph (b)(3)(i) of this section.
(4) Prohibition on conditioning of authorizations. A covered entity may not condition the provision to an individual of treatment, payment, enrollment in the health plan, or eligibility for benefits on the provision of an authorization, except:
(i) A covered health care provider may condition the provision of research-related treatment on provision of an authorization for the use or disclosure of protected health information for such research under this section;
(ii) A health plan may condition enrollment in the health plan or eligibility for benefits on provision of an authorization requested by the health plan prior to an individual's enrollment in the health plan, if:
(A) The authorization sought is for the health plan's eligibility or enrollment determinations relating to the individual or for its underwriting or risk rating determinations; and
(B) The authorization is not for a use or disclosure of psychotherapy notes under paragraph (a)(2) of this section; and
(iii) A covered entity may condition the provision of health care that is solely for the purpose of creating protected health information for disclosure to a third party on provision of an authorization for the disclosure of the protected health information to such third party.
(5) Revocation of authorizations. An individual may revoke an authorization provided under this section at any time, provided that the revocation is in writing, except to the extent that:
(i) The covered entity has taken action in reliance thereon; or
(ii) If the authorization was obtained as a condition of obtaining insurance coverage, other law provides the insurer with the right to contest a claim under the policy or the policy itself.
(6) Documentation. A covered entity must document and retain any signed authorization under this section as required by §164.530(j).
|
HHS Description and Commentary as Amended January 2013 |
Compound Authorizations
Proposed Rule
Section 164.508(b)(4) of the Privacy Rule prohibits covered entities from conditioning treatment, payment, enrollment in a health plan, or eligibility for benefits on the provision of an authorization. This limitation is intended to ensure that authorization from an individual for a use or disclosure of protected health information is voluntarily provided. However, there are exceptions to this general rule for certain circumstances, including in the research context, where a covered entity may condition the provision of research-related treatment, such as in a clinical trial, on obtaining the individual’s authorization for the use or disclosure of protected health information for such research.
Permitting the use of protected health information is part of the decision to receive care through a clinical trial, and health care providers conducting such trials are able to condition research-related treatment on the individual’s willingness to authorize the use or disclosure of protected health information for research associated with the trial.
Section 164.508(b)(3) generally prohibits what are termed “compound authorizations,” i.e., where an authorization for the use and disclosure of protected health information is combined with any other legal permission. However, § 164.508(b)(3)(i) carves out an exception to this general prohibition, permitting the combining of an authorization for a research study with any other written permission for the same study, including another authorization or informed consent to participate in the research.
Nonetheless, § 164.508(b)(3)(iii) prohibits combining an authorization that conditions treatment, payment, enrollment in a health plan, or eligibility for benefits (conditioned authorization) with an authorization for another purpose for which treatment, payment, enrollment, or eligibility may not be conditioned (unconditioned authorization). This limitation on certain compound authorizations was intended to help ensure that individuals understand that they may decline the activity described in the unconditioned authorization yet still receive treatment or other benefits or services by agreeing to the conditioned authorization.
The impact of these authorization requirements and limitations can be seen during clinical trials that are associated with a corollary research activity, such as when protected health information is used or disclosed to create or to contribute to a central research database or repository. For example, § 164.508(b)(3)(iii) prohibits covered entities from obtaining a single authorization for the use or disclosure of protected health information for a research study that includes both treatment as part of a clinical trial and tissue banking of specimens (and associated protected health information) collected, since the individual generally must sign the authorization for the use of his or her protected health information in the clinical trial in order to receive the research-related treatment (conditioned authorization) but whether the individual also signs the tissue banking authorization is completely voluntary and will not affect the individual receiving the research-related treatment (unconditioned authorization). Thus, covered entities must obtain separate authorizations from research participants for a clinical trial that also collects specimens with associated protected health information for a central repository.
As stated in the NPRM, various groups, including researchers and professional organizations, have expressed concern at this lack of integration. A number of persons in the research community have stated that requiring separate forms for these corollary research activities is inconsistent with current practice under the Common Rule (45 CFR Part 46) with respect to obtaining informed consent and creates unnecessary documentation burdens. Persons have also indicated that the multiple authorization forms are potentially confusing to research subjects and/or may dissuade them altogether from participating in a clinical trial, and that redundant information on the forms diverts an individual’s attention from other content that describes how and why the personal health information may be used. In light of these concerns, the Secretary’s Advisory Committee on Human Research Protections in 2004 (Recommendation V, in a letter to the Secretary of HHS, available at http://www.hhs.gov/ohrp/sachrp/hipaalettertosecy090104.html [Link no longer active]), as well as the Institute of Medicine in its 2009 Report, “Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research” (Recommendation II.B.2), made specific recommendations to allow combined authorizations for clinical trials and biospecimen storage.
To address these concerns and streamline the process in the Privacy Rule for obtaining an individual’s authorization for research, we proposed to amend § 164.508(b)(3)(i) and (iii) to allow a covered entity to combine conditioned and unconditioned authorizations for research, provided that the authorization clearly differentiates between the conditioned and unconditioned research components and clearly allows the individual the option to opt in to the unconditioned research activities.
These provisions would allow covered entities to combine authorizations for the use and disclosure of protected health information for clinical trials and related biospecimen banking activities, as well as other scenarios that often occur in research studies.
While we did not propose to alter the core elements or required statements integral to a valid authorization, we stated that covered entities would have some flexibility with respect to how they met the authorization requirements. For example, covered entities could facilitate an individual’s understanding of a compound authorization by describing the unconditioned research activity on a separate page of a compound authorization and could also cross-reference relevant sections of a compound authorization to minimize the potential for redundant language.
In addition, a covered entity could use a separate check-box for the unconditioned research activity to signify whether an individual has opted-in to the unconditioned research activity, while maintaining one signature line for the authorization, or alternatively provide a distinct signature line for the unconditioned authorization to signal that the individual is authorizing optional research that will not affect research-related treatment. We requested comment on additional methods that would clearly differentiate to the individual the conditioned and unconditioned research activities on the compound authorization.
Overview of Public Comments
Almost all commenters on this topic strongly supported the proposal to allow combined authorizations for conditioned and unconditioned research activities. Many commenters supported allowing flexibility for institutions to determine how best to differentiate the unconditioned authorization for the voluntary research activity, including whether to use a check box with a single signature line, or separate signature lines. Several commenters suggested that an opt out method should be permitted as an alternative to an opt in approach.
A few commenters opposed the proposal to allow compound authorizations for conditioned and unconditioned research activities. These commenters generally felt that separate authorizations are appropriate and that there is not sufficient evidence to suggest that combining the forms will be beneficial to individuals.
The Secretary’s Advisory Committee on Human Research Protections, in its letter of comment on the Department’s NPRM, indicated its support for the proposal to permit compound authorizations for conditioned and unconditioned research activities, and expressed particular appreciation for the goal of harmonization with the Common Rule.
The Secretary’s Advisory Committee on Human Research Protections also supported flexibility in the manner that the conditioned and unconditioned research activities are differentiated. The Secretary’s Advisory Committee on Human Research Protections requested clarification that the compound authorizations permitted under this proposal would be permissible for any type of combined research studies, and not exclusively for clinical trials with a biospecimen banking component.
Final Rule
The final rule adopts the proposal to amend § 164.508(b)(3)(i) and (iii) to allow a covered entity to combine conditioned and unconditioned authorizations for research, provided that the authorization clearly differentiates between the conditioned and unconditioned research components and clearly allows the individual the option to opt in to the unconditioned research activities. We intend this provision to allow for the use of compound authorizations for any type of research activities, and not solely to clinical trials and biospecimen banking, except to the extent the research involves the use or disclosure of psychotherapy notes. For research that involves the use or disclosure of psychotherapy notes, an authorization for a use or disclosure of psychotherapy notes may only be combined with another authorization for a use or disclosure of psychotherapy notes. See § 164.508(b)(3)(ii). Thus, aside from the use of psychotherapy notes, combined authorizations could be obtained for the use of protected health information in a clinical trial and optional sub-studies, as well as for biospecimen banking that also permits future secondary use of the data (to the extent the future use authorization is aligned with the discussion in the following section regarding authorizations for future research). Also, this provision continues to allow for a covered entity to combine such authorizations with informed consent documents for the research studies.
The final rule provides covered entities, institutions, and Institutional Review Boards with flexibility to determine the best approach for clearly differentiating the conditioned and unconditioned research activities and giving research participants the option to opt in to the unconditioned research activities. We decline to permit a combined authorization that only allows the individual the option to opt out of the unconditioned research activities (e.g., “check here if you do NOT want your data provided to the biospecimen bank”) because an opt out option does not provide individuals with a clear ability to authorize the optional research activity, and may be viewed as coercive by individuals. The final rule does not remove the requirement that an individual affirmatively authorize the unconditioned research activities; it merely provides flexibility to streamline the authorization process by combining the forms.
With respect to the commenters that believed there is insufficient evidence that combining conditioned and unconditioned research activities into a compound authorization would be beneficial, and that such compound authorizations may be confusing for patients, as indicated above, there have been anecdotal reports to the Department that the use of multiple authorization forms has caused confusion among research subjects. Further, we note that these modifications do not remove the required elements of an authorization that are necessary to inform the individual about the study (e.g., description of the information to be used or disclosed, description of the purpose, etc.); they merely introduce flexibility to avoid redundant language that would otherwise be necessary to include in the authorizations for the multiple research activities. In addition, these changes are intended to align the HIPAA Privacy Rule’s authorization requirements with what has been common and ongoing practice in terms of the informed consent form under the Common Rule.
We note that covered entities are permitted but not required by the modifications adopted at § 164.508(b)(3)(i) and (iii) to create compound authorizations for conditioned and unconditioned research activities. Previously approved, ongoing studies may continue to rely on the separate authorization forms that were obtained under the prior provisions. For new studies, covered entities and researchers may continue to use separate authorizations for conditioned and unconditioned research activities, or may transition to compound authorizations as they deem appropriate, which can be used beginning on the effective date of this rule.
Response to Other Public Comments
Comment: The Secretary’s Advisory Committee on Human Research Protections asked whether the following approaches for distinguishing between conditioned and unconditioned research activities would be acceptable: using (1) a combined consent/authorization form for a clinical trial and optional banking component, with a check-box for the individual to have the choice to opt in to the optional banking component, and one signature; (2) a combined consent/authorization form for a clinical trial and optional banking component, with one signature for the clinical trial and another signature to indicate the individual agrees to the optional banking component; and (3) a combined consent/authorization form for a clinical trial and optional banking component, with a check box for the individual to have the choice to opt in to the banking component, and one signature, but with detailed information about the banking component presented in a separate brochure or information sheet that is referenced directly in the consent/authorization form.
Response: Covered entities and researchers have flexibility in the methods used to distinguish the conditioned and unconditioned research activities and to provide the individual with a clear opportunity to opt in to the unconditioned portion, and all of the above approaches would be acceptable provided, with respect to the third approach, that the brochure or information sheet is incorporated by reference into the authorization/consent form such that it is considered to be part of the form (even if not physically attached to the form). In addition, if the brochure or information sheet includes required elements of the authorization (or informed consent), and authorization/consent has not been altered by an Institutional Review Board, then the brochure or information sheet must be made available to potential research participants before they are asked to sign the authorization/consent document (unless the authorization form itself includes the required elements).
Finally, in such cases, a covered entity must keep not only the signed authorization/consent form, but also a copy of the brochure or information sheet, in order to be in compliance with the documentation requirements at § 164.530(j).
Comment: The Secretary’s Advisory Committee on Human Research Protections requested confirmation that the compound authorization proposal would not affect the waiver provisions currently existing in the Privacy Rule, such that such provisions could be used, if appropriate, for new studies distinct from both the original study and the banking activity.
Response: The new compound authorization provision does not affect the waiver of authorization provisions in the Privacy Rule. A covered entity may continue to use or disclose protected health information for research purposes based on documentation that meets the requirements at § 164.512(i), indicating that an Institutional Review Board or Privacy Board has waived the obtaining of individual authorization for such purposes, based on a determination that (1) the use or disclosure of protected health information involves no more than a minimal risk to the privacy of individuals; (2) the research could not practicably be conducted without the waiver; and (3) the research could not practicably be conducted without access to and use of the protected health information.
Comment: The Secretary’s Advisory Committee on Human Research Protections requested clarification on the effect of revoking only one part of a compound authorization. For example, if an individual signs a combined authorization for conditioned and unconditioned research activities and later specifically revokes only the unconditioned research activity (e.g., the banking component), then the covered entity may continue to act in reliance on the authorization for the conditioned component (e.g., the clinical trial).
Response: Where it is clear that an individual is revoking only one part of a compound authorization, such revocation does not equate to a revocation of the entire authorization to include the other studies. However, where it is not clear exactly to which research activities the individual’s revocation applies, written clarification must be obtained from the individual in order for the revocation to apply only to certain of the research activities identified in the authorization, or the entire authorization must be treated as revoked. Further, such revocations must be maintained and documented in a manner that will ensure uses and disclosures of protected health information for the activity to which the revocation applies discontinue, except to the extent the covered entity has already acted in reliance on the authorization, which would permit certain limited, continued use and disclosure, such as necessary to maintain the integrity of the research study.
Authorizing Future Research Use or Disclosure Prior Interpretation
Research often involves obtaining health information and biological specimens to create a research database or repository for future research. For example, this frequently occurs where clinical trials are paired with corollary research activities, such as the creation of a research database or repository where information and specimens obtained from a research participant during the trial are transferred and maintained for future research. It is our understanding that Institutional Review Boards in some cases may approve an informed consent document for a clinical trial that also asks research participants to permit future research on their identifiable information or specimens obtained during the course of the trial. It is also our understanding that an Institutional Review Board may in some cases review an informed consent for a prior clinical trial to determine whether a subsequent research use is encompassed within the original consent.
The Department has previously interpreted the Privacy Rule, however, to require that authorizations for research be study specific for purposes of complying with the Rule’s requirement at § 164.508(c)(1)(iv) that an authorization must include a description of each purpose of the requested use or disclosure. See 67 FR 53182, 53226, Aug. 14, 2002. In part, the Department’s interpretation was based on a concern that patients could lack necessary information in the authorization to make an informed decision about the future research. In addition, it was recognized that not all uses and disclosures of protected health information for a future research purpose would require a covered entity to re-contact the individual to obtain another authorization (e.g., uses or disclosures with a waiver of authorization from an Institutional Review Board or Privacy Board as provided under § 164.512(i) or of a limited data set pursuant to a data use agreement under § 164.514(e) for the future research purpose).
Subsequent to issuing this interpretation, the Department heard concerns from covered entities and researchers that the Department’s interpretation encumbers secondary research, and limits an individual’s ability to agree to the use or disclosure of their protected health information for future research. In addition, many commenters noted that the Department’s interpretation limiting the scope of a HIPAA authorization for research appeared to diverge from the current practice under the Common Rule with respect to the ability of a researcher to seek subjects’ informed consent to future research so long as the future research uses are described in sufficient detail to allow an informed consent. These commenters, as well as the Secretary’s Advisory Committee on Human Research Protections in 2004 (Recommendation IV, in a letter to the Secretary of HHS, available at http://www.hhs.gov/ohrp/sachrp/hipaalettertosecy090104.html [Link no longer active]), and the Institute of Medicine in its 2009 Report entitled “Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research” (Recommendation II.B.1), had urged the Department to allow the HIPAA authorization to permit future research use and disclosure of protected health information.
Given these concerns, the Department explained in the NPRM that it was considering a number of options regarding authorizations for future research, including whether the Privacy Rule should: permit an authorization for uses and disclosures of protected health information for future research purposes to the extent such purposes are adequately described in the authorization such that it would be reasonable for the individual to expect that his or her protected health information could be used or disclosed for such future research; or permit an authorization for future research but require certain specific elements or statements with respect to the future research, particularly where the future research may encompass certain types of sensitive research activities, such as research involving genetic analyses or mental health research, that may alter an individual’s willingness to participate in the research. We requested comment on these options and on how a revocation would operate with respect to future downstream research studies.
Overview of Public Comments
Almost all commenters on this topic supported the proposal to allow authorizations for future research. Many commenters indicated this flexibility to be important, particularly considering evolving technologies and discoveries.
About half of these commenters specifically advocated for providing investigators and Institutional Review Boards with the maximum flexibility to determine the appropriateness of the descriptions for future research and felt that this would best align with the Common Rule. These commenters were thus against requiring specific statements in the Privacy Rule about the future research, including for sensitive research.
Other commenters were in favor of requiring the additional statements about sensitive categories of research, stating that this would better inform individuals and give them greater choice in determining their willingness to participate in certain types of future research. A couple of these commenters recommended working with National Committee on Vital and Health Statistics on the categories of sensitive research, however no further examples of specific types of research were given beyond the examples provided in the proposed rule (genetic analyses or mental health research). Several commenters specifically advised against requiring specific statements for sensitive research, citing concerns of variability in what is considered sensitive information and practicality challenges due to the changing nature of the concept over time.
A few commenters opposed the proposal to allow authorizations for future research altogether. Some of these commenters felt strongly that study-specific authorizations are critical to protect patients, and are the only way that individuals can make a truly informed decision. These commenters suggested that outreach to patients and potential research participants to solicit feedback, as well as a study on the potential burdens that enhanced authorizations may have on stakeholders, were necessary before any changes were made.
In its comment letter on the NPRM, the Secretary’s Advisory Committee on Human Research Protections supported the proposal to harmonize HIPAA authorizations with the Common Rule informed consent requirements, and also requested consultation with the FDA to ensure that authorizations for future research align not only with the Common Rule standards but also FDA standards for informed consent. They indicated that the authorization should be reasonably specific such that individuals are aware of the types of research that may be conducted. However, the Secretary’s Advisory Committee on Human Research Protections emphasized the need for flexibility to rely on Institutional Review Board judgment and recommended against requiring prescribed statements about certain types of “sensitive” research, since these concepts change over time and requiring prescribed authorization statements may conflict with Institutional Review Boards’ judgments about how to appropriately describe the research in the informed consent.
Modified Interpretation
We modify the prior Departmental interpretation that research authorizations must be study specific. This modification does not make any changes to the authorization requirements at § 164.508. A HIPAA authorization for future research must still address each of the core elements and statements required at § 164.508(c). However, the Department no longer interprets the “purpose” provision at § 164.508(c)(1)(iv) as requiring that an authorization for the use or disclosure of protected health information for research purposes be study specific. In order to satisfy the requirement that an authorization include a description of each purpose of the requested use or disclosure, an authorization for uses and disclosures of protected health information for future research purposes must adequately describe such purposes such that it would be reasonable for the individual to expect that his or her protected health information could be used or disclosed for such future research. This could include specific statements with respect to sensitive research to the extent such research is contemplated.
However, we do not prescribe specific statements in the Rule. We agree that it is difficult to define what is sensitive and that this concept changes over time. We also agree with commenters that this approach best harmonizes with practice under the Common Rule regarding informed consent for future research, and allows covered entities, researchers and Institutional Review Boards to have flexibility in determining what adequately describes a future research purpose depending on the circumstances. We have consulted with Office for Human Research Protections (OHRP) and the FDA on this approach to ensure consistency and harmonization with the HHS and FDA human subjects protections regulations, where appropriate.
With respect to commenters that stated it is impossible for individuals to be truly informed about future research, we note that we are aligning with existing practice under the Common Rule in regard to informed consent and still require that all required elements of authorization be included in an authorization for future research, even if they are to be described in a more general manner than is done for specific studies.
Pursuant to this modified interpretation, covered entities that wish to obtain individual authorization for the use or disclosure of protected health information for future research may do so at any time after the effective date of this final rule.
Alternatively, covered entities may continue to use only study-specific authorizations for research if they choose.
Response to Other Public Comments
Comment: The Secretary’s Advisory Committee on Human Research Protections requested flexibility regarding the description in the authorization of the information to be used or disclosed for future research as well as to whom the covered entity may make the requested use or disclosure as there may be some uncertainty of the identity of future researchers. The Secretary’s Advisory Committee on Human Research Protections also suggested that the description of information to be collected be allowed to reference information beyond the time of the original study, for example “your future medical records [at Hospital]” or “your future medical records [relating to diseases/conditions].”
Response: Covered entities and researchers have flexibility to describe the information to be used or disclosed for the future research, so long as it is reasonable from such description to believe that the individual would expect the information to be used or disclosed for the future research. We also clarify that a description of the protected health information to be used for the future research may include information collected beyond the time of the original study. Further, the Privacy Rule authorization requirements allow a “class of persons” to be described for purposes of identifying in the authorization the recipients of the protected health information.
Thus, covered entities and researchers have flexibility in the manner in which they describe the recipients of the protected health information for the future research, so long as it is reasonable from such description to believe that the individual would expect his or her protected health information to be shared with such persons for the future research.
Comment: The Secretary’s Advisory Committee on Human Research Protections requested that the Department allow for grandfathering of existing, ongoing studies that involve the possibility of future/secondary research, if an Institutional Review Board approved consent reasonably informed the individuals of the future research. In these situations, researchers would have needed to obtain a study-specific authorization or waiver of authorization before commencing the future/secondary research that was encompassed in the original informed consent.
Response: Covered entities and researchers may rely on an Institutional Review Board-approved consent obtained prior to the effective date of this final rule that reasonably informed individuals of the future research, provided the informed consent was combined with a HIPAA authorization (even though the authorization itself was specific to the original study or creation and maintenance of a repository).
Comment: One commenter advocated for the use of time-limited authorizations for future research.
Response: This modification in Departmental interpretation does not change the requirement at § 164.508(c)(1)(v), which states that an authorization must contain an expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure. This statement may be a specific time limit, or be “end of the research study,” “none,” or similar language for a research study.
Comment: Several commenters suggested that revocation of authorizations should continue to be permitted in the same manner that it is currently allowed under the Privacy Rule. The Secretary’s Advisory Committee on Human Research Protections recommended that revocations of authorization for future research be permitted orally, rather than in writing, as is currently required for all authorizations under §§ 164.508(b)(5) and (c)(2)(i) of the Rule.
Response: Covered entities may continue to rely on existing guidance regarding how revocations of authorizations operate in the research context. Such guidance is published in several materials available at http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/research/index.html (see, e.g., the fact sheet entitled, “Health Services Research and the HIPAA Privacy Rule”).
The Department may issue additional guidance in the future with respect to revocation policies in the context of authorizations that specify, and under which protected health information has been disclosed for, future research uses.
In response to the Secretary’s Advisory Committee on Human Research Protections recommendation, we also clarify that while the Privacy Rule requires that a revocation of authorization from an individual be in writing, uses and disclosures pursuant to an authorization are permissive and not required, and thus, a covered entity may cease using or disclosing protected health information pursuant to an authorization based on an individual’s oral request if it chooses to do so.
| HHS Description of August 2002 Revisions General Uses and Disclosures For Which an Authorization is Required: General Requirements for Authorizations |
Note: The HHS Description is the same as for § 164.508(a).
1. Restructuring Authorization.
December 2000 Privacy Rule. The Privacy Rule requires individual authorization for uses and disclosures of protected health information for purposes that are not otherwise permitted or required under the Rule. To ensure that authorizations are informed and voluntary, the Rule prohibits, with limited exceptions, covered entities from conditioning treatment, payment, or eligibility for benefits or enrollment in a health plan, on obtaining an authorization. The Rule also permits, with limited exceptions, individuals to revoke an authorization at any time. Additionally, the Rule sets out core elements that must be included in any authorization. These elements are intended to provide individuals with the information they need to make an informed decision about giving their authorization. This information includes specific details about the use or disclosure, and provides the individual fair notice about his or her rights with respect to the authorization and the potential for the information to be redisclosed. Additionally, the authorization must be written in plain language so individuals can read and understand its contents. The Privacy Rule required that authorizations provide individuals with additional information for specific circumstances under the following three sets of implementation specifications: in § 164.508(d), for authorizations requested by a covered entity for its own uses and disclosures; in § 164.508(e), for authorizations requested by a covered entity for another entity to disclose protected health information to the covered entity requesting the authorization to carry out treatment, payment, or health care operations; and in § 164.508(f), for authorizations requested by a covered entity for research that includes treatment of the individual.
March 2002 NPRM. Various issues were raised regarding the authorization requirements. Commenters claimed the authorization provisions were too complex and confusing. They alleged that the different sets of implementation specifications were not discrete, creating the potential for the implementation specifications for specific circumstances to conflict with the required core elements. Some covered entities were confused about which authorization requirements they should implement in any given circumstance. Also, although the Department intended to permit insurers to obtain necessary protected health information during contestability periods under State law, the Rule did not provide an exception to the revocation provision when other law provides an insurer the right to contest an insurance policy.
To address these issues, the Department proposed to simplify the authorization provisions by consolidating the implementation specifications into a single set of criteria under § 164.508(c), thus eliminating paragraphs (d), (e), and (f) which contained separate implementation specifications. Under the proposal, paragraph (c)(1) would require all authorizations to contain the following core elements: (1) a description of the information to be used or disclosed, (2) the identification of the persons or class of persons authorized to make the use or disclosure of the protected health information, (3) the identification of the persons or class of persons to whom the covered entity is authorized to make the use or disclosure, (4) a description of each purpose of the use or disclosure, (5) an expiration date or event, (6) the individual’s signature and date, and (7) if signed by a personal representative, a description of his or her authority to act for the individual. The proposal also included new language to clarify that when individuals initiate an authorization for their own purposes, the purpose may be described as “at the request of the individual.”
In the NPRM, the Department proposed that § 164.508(c)(2) require authorizations to contain the following required notifications: (1) a statement that the individual may revoke the authorization in writing, and either a statement regarding the right to revoke and instructions on how to exercise such right or, to the extent this information is included in the covered entity’s notice, a reference to the notice, (2) a statement that treatment, payment, enrollment, or eligibility for benefits may not be conditioned on obtaining the authorization if such conditioning is prohibited by the Privacy Rule, or, if conditioning is permitted by the Privacy Rule a statement about the consequences of refusing to sign the authorization, and (3) a statement about the potential for the protected health information to be redisclosed by the recipient.
Also under the proposal, covered entities would be required to obtain an authorization to use or disclose protected health information for marketing purposes, and to disclose in such authorizations any direct or indirect remuneration the covered entity would receive from a third party as a result of obtaining or disclosing the protected health information. The other proposed changes regarding marketing are discussed in section III.A.1. of the preamble.
The NPRM proposed a new exception to the revocation provision at § 164.508(b)(5)(ii) for authorizations obtained as a condition of obtaining insurance coverage when other law gives the insurer the right to contest the policy. Additionally, the Department proposed that the exception to permit conditioning payment of a claim on obtaining an authorization be deleted, since the proposed provision to permit the sharing of protected health information for the payment activities of another covered entity or a health care provider would eliminate the need for an authorization in such situations.
Finally, the Department proposed modifications at § 164.508(a)(2)(i)(A), (B), and (C), to clarify its intent that the proposed provisions for sharing protected health information for the treatment, payment, or health care operations of another entity would not apply to psychotherapy notes.
There were a number of proposed modifications concerning authorizations for research purposes. Those modifications are discussed in section III.E.2. of the preamble.
2. Research Authorizations.
December 2000 Privacy Rule. The Privacy Rule requires covered entities to obtain an individual’s voluntary and informed authorization before using or disclosing protected health information for any purpose that is not otherwise permitted or required under the Rule. Uses and disclosures of protected health information for research purposes are subject to the same authorization requirements as uses and disclosures for other purposes. However, for research that includes treatment of the individual, the December 2000 Privacy Rule prescribed special authorization requirements at § 164.508(f). The December 2000 Privacy Rule, at § 164.508(b)(5), also permitted individuals to revoke their authorization at any time, with limited exceptions. Further, the December 2000 Privacy Rule prohibited the combining of the authorization for the use or disclosure of existing protected health information with any other legal permission related to the research study.
March 2002 NPRM. Several of those who commented on the December 2000 Privacy Rule argued that certain authorization requirements in § 164.508 were unduly complex and burdensome as applied to research uses and disclosures. In particular, several commenters favored eliminating the Rule’s specific provisions at § 164.508(f) for authorizations for uses and disclosures of protected health information for research that includes treatment of the individual. The Department also heard from several provider groups who argued in favor of permitting covered entities to combine all of the research authorizations required by the Privacy Rule with the informed consent to participate in the research. Commenters also noted that the Rule’s requirement for an “expiration date or event that relates to the individual or the purpose of the use or disclosure” runs counter to the needs of research databases and repositories that are often retained indefinitely.
In response to these concerns, the Department proposed to a number of modifications to simplify the authorization requirements both generally, and in certain circumstances, as they specifically applied to uses and disclosures of protected health information for research. In particular, the Department proposed a single set of authorization requirements for all uses and disclosures, including those for research purposes. This proposal would eliminate the additional authorization requirements for the use and disclosure of protected health information created for research that includes treatment of the individual. Consistent with this proposed change, the Department further proposed to modify the requirements prohibiting the conditioning of authorizations at § 164.508(b)(4)(i) to remove the reference to § 164.508(f).
In addition, the Department proposed that the Privacy Rule permit an authorization for the use or disclosure of protected health information to be combined with any other legal permission related to the research study, including another authorization or consent to participate in the research.
Finally, the Department proposed to provide explicitly that the statement, “end of a research study,” or similar language be sufficient to meet the requirement for an expiration date in § 164.508(c)(1)(v). Additionally, the Department proposed that the statement “none” or similar language be sufficient to meet this provision if the authorization was for a covered entity to use or disclose protected health information for the creation or maintenance of a research database or repository.
| HHS Explanation of Final Modifications of August 2002 Uses and Disclosures For Which an Authorization is Required: General Requirements for Authorizations |
Note: The HHS Modification Explanation is the same as for § 164.508(a).
1. Restructuring Authorization.
In the final modifications, the Department adopts the changes proposed in the NPRM. Since the modifications to the authorization provision are comprehensive, the Department is publishing this section in its entirety so that it will be easier to use and understand. Therefore, the preamble addresses all authorization requirements, and not just those that were modified.
In § 164.508(a), covered entities are required to obtain an authorization for uses and disclosures of protected health information, unless the use or disclosure is required or otherwise permitted by the Rule. Covered entities may use only authorizations that meet the requirements of § 164.508(b), and any such use or disclosure will be lawful only to the extent it is consistent with the terms of such authorization. Thus, a voluntary consent document will not constitute a valid permission to use or disclose protected health information for a purpose that requires an authorization under the Rule.
Although the requirements regarding uses and disclosures of psychotherapy notes are not changed substantively, the Department made minor changes to the language in paragraph (a)(2) to clarify that a covered entity may not use or disclose psychotherapy notes for purposes of another covered entity’s treatment, payment, or health care operations without obtaining the individual’s authorization. However, covered entities may use and disclose psychotherapy notes, without obtaining individual authorization, to carry out its own limited treatment, payment, or health care operations as follows: (1) use by the originator of the notes for treatment, (2) use or disclosure for the covered entity’s own training programs for its mental health professionals, students, and trainees, and (3) use or disclosure by the covered entity to defend itself in a legal action or other proceeding brought by the individual.
Section 164.508(a)(3) requires covered entities to obtain an authorization to use or disclose protected health information for marketing purposes, with two exceptions. The authorization requirements for marketing and the comments received on these provisions are discussed in detail in section III.A.1. of the preamble.
If the marketing involves any direct or indirect remuneration to the covered entity from a third party, the authorization must state that fact. The comments on this requirement also are discussed in section III.A.1. of the preamble. However, a statement concerning remuneration is not a required notification for other authorizations. Such a statement was never required for all authorizations and the Department believes it would be most meaningful for consumers on authorizations for uses and disclosures of protected health information for marketing purposes. Some commenters urged the Department to require remuneration statements on research authorizations. The Department has not done so because the complexity of such arrangements would make it difficult to define what constitutes remuneration in the research context. Moreover, to require covered entities to disclose remuneration by a third party on authorizations for research would go beyond the requirements imposed in the December 2000 Rule, which did not require such a disclosure on authorizations obtained for the research of a third party. The Department believes that concerns regarding financial conflicts of interest that arise in research are not limited to privacy concerns, but also are important to the objectivity of research and to protecting human subjects from harm. Therefore, in the near future, the Department plans to issue guidance for the research community on this important topic.
Pursuant to§ 164.508(b)(1), an authorization is not valid under the Rule unless it contains all of the required core elements and notification statements, which are discussed below. Covered entities may include additional, non-required elements so long as they are not inconsistent with the required elements and statements. The language regarding defective authorizations in § 164.508(b)(2) is not changed substantively. However, some changes are made to conform this paragraph to modifications to other parts of the authorization provision, as well as other sections of the Rule. An authorization is not valid if it contains any of the following defects: (1) the expiration date has passed or the expiration event has occurred, and the covered entity is aware of the fact, (2) any of the required core elements or notification statements are omitted or incomplete, (3) the authorization violates the specifications regarding compounding or conditioning authorizations, or (4) the covered entity knows that material information in the authorization is false.
In § 164.508(b)(3) regarding compound authorizations, the requirements for authorizations for purposes other than research are not changed. That is, authorizations for use or disclosure of psychotherapy notes may be combined only with another authorization for the use or disclosure of psychotherapy notes. Other authorizations may be combined, unless a covered entity has conditioned the provision of treatment, payment, enrollment in a health plan, or eligibility for benefits on one of the authorizations. A covered entity generally may not combine an authorization with any other type of document, such as a notice of privacy practices or a written voluntary consent. However, there are exceptions for research authorizations, which are discussed in section III.E.2. of the preamble.
Section 164.508(b)(4) prohibits the conditioning of treatment, payment, enrollment in a health plan, or eligibility for benefits on obtaining an authorization, with a few exceptions. The exceptions to this requirement for research-related treatment, eligibility for benefits and enrollment in a health plan, and health care solely for creating protected health information for disclosure to a third party are not changed. Moreover, the Department eliminates the exception to the prohibition on conditioning payment of a claim on obtaining an authorization. Although some insurers urged that this conditioning authority be retained to provide them with more collection options, the Department believes this authorization is no longer necessary because we are adding a new provision in § 164.506 that permits covered entities to disclose protected health information for the payment purposes of another covered entity or health care provider. Therefore, that exception has been eliminated.
Section 164.508(b)(5) provides individuals the right to revoke an authorization at any time in writing. The two exceptions to this right are retained, but with some modification. An individual may not revoke an authorization if the covered entity has acted in reliance on the authorization, or if the authorization was obtained as a condition of obtaining insurance coverage and other law gives the insurer the right to contest the claim or the policy itself. The Department adopts the proposed modification to the latter exception so that insurers can exercise the right to contest an insurance policy under other law. Public comment was generally supportive of this proposed modification.
Section 164.508(b)(6) requires covered entities to document and retain authorizations as required under § 164.530(j). This requirement is not changed.
The different sets of implementation criteria are consolidated into one set of criteria under § 164.508(c), thus eliminating the confusion and uncertainty associated with different requirements for specific circumstances. Covered entities may use one authorization form for all purposes. The Department adopts in paragraph (c)(1), the following core elements for a valid authorization: (1) a description of the information to be used or disclosed, (2) the identification of the persons or class of persons authorized to make the use or disclosure of the protected health information, (3) the identification of the persons or class of persons to whom the covered entity is authorized to make the use or disclosure, (4) a description of each purpose of the use or disclosure, (5) an expiration date or event, (6) the individual’s signature and date, and (7) if signed by a personal representative, a description of his or her authority to act for the individual. An authorization that does not contain all of the core elements does not meet the requirements for a valid authorization. The Department intends for the authorization process to provide individuals with the opportunity to know and understand the circumstances surrounding a requested authorization.
To further protect the privacy interests of individuals, when individuals initiate an authorization for their own purposes, the purpose may be stated as “at the request of the individual.” Other changes to the core elements pertain to authorizations for research, and are discussed in section III.E.2. of the preamble.
Also, under § 164.508(c)(2), an authorization is not valid unless it contains all of the following: (1) a statement that the individual may revoke the authorization in writing, and either a statement regarding the right to revoke, and instructions on how to exercise such right or, to the extent this information is included in the covered entity’s notice, a reference to the notice, (2) a statement that treatment, payment, enrollment, or eligibility for benefits may not be conditioned on obtaining the authorization if such conditioning is prohibited by the Privacy Rule or, if conditioning is permitted, a statement about the consequences of refusing to sign the authorization, and (3) a statement about the potential for the protected health information to be redisclosed by the recipient. Although the notification statements are not included in the paragraph on core elements an authorization is not valid unless it contains both the required core elements, and all of the required statements. This is the minimum information the Department believes is needed to ensure individuals are fully informed of their rights with respect to an authorization and to understand the consequences of authorizing the use or disclosure. The required statements must be written in a manner that is adequate to place the individual on notice of the substance of the statements.
In response to comments, the Department clarifies that the statement regarding the potential for redisclosure does not require an analysis of the risk for redisclosure, but may be a general statement that the health information may no longer be protected by the Privacy Rule once it is disclosed by the covered entity. Others objected to this statement because individuals might be hesitant to sign an authorization if they new their protected health information could be redisclosed and no longer protected by the Rule. In response, the Department believes that individuals need to know about the consequences of authorizing the disclosure of their protected health information. As the commenter recognized, the potential for redisclosure may, indeed, be an important factor in an individual’s decision to give or deny a requested authorization.
Others suggested that the statement regarding redisclosure should be omitted when an authorization is obtained only for a use, since such a statement would be confusing and inappropriate when the covered entity maintains the information. Similarly, some commenters were concerned that the statement may be misleading where the recipient of the information, although not a covered entity, will keep the information confidential. In response, the Department clarifies that, while a general statement would suffice, a covered entity has the discretion to provide a more definitive statement where appropriate. Thus, the covered entity requesting an authorization for its own use of protected health information may provide assurances that the information will remain subject to the Privacy Rule. Similarly, if a third party, such as a researcher, is seeking an authorization for research, the statement may refer to the privacy protections that the researcher will provide for the data.
Under § 164.508(c)(3), authorizations must be written in plain language so that individuals can understand the information contained in the form, and thus be able to make an informed decision about whether to give the authorization. A few commenters urged the Department to keep the plain language requirement as a core element of a valid authorization. Under the December 2000 Rule, the plain language requirement was not a requisite for a valid authorization. Nevertheless, under both the December 2000 Rule and the final modifications, authorizations must be written in plain language. The fact that the plain language requirement is not a core element does not diminish its importance or effect, and the failure to meet this requirement is a violation of the Rule.
Finally, under § 164.508(c)(4), covered entities who seek an authorization are required to provide the individual with a copy of the signed authorization form.
2. Research Authorizations.
The Department agrees with the commenters that supported the NPRM’s proposed simplification of authorizations for research uses and disclosures of protected health information and, therefore, adopts the modifications to these provisions as proposed in the NPRM. The final Rule requires a single set of authorization requirements for all uses and disclosures, including those for research purposes, and permits an authorization for the use or disclosure of protected health information to be combined with any other legal permission related to the research study, including another authorization or consent to participate in the research.
In addition, in response to commenters’ concerns that the Rule would prohibit important uses and disclosures of protected health information after the termination of a research project, the final Rule eliminates the requirement for an expiration date for all uses and disclosures of protected health information for research purposes, not only for the creation and maintenance of a research database or repository. The Department agrees that the line between research repositories and databases in particular, and research data collection in general, is sometimes arbitrary and unclear. If the authorization for research uses and disclosures of protected health information does not have an expiration date, the final Rule at § 164.508(c)(1)(v), requires that this fact be stated on the authorization form. Patients continue to control whether protected health information about them may be used or disclosed for research, since the authorization must include an expiration date or event, or a statement that the authorization will have no expiration date. In addition, patients will be permitted to revoke their authorization at any time during the research project, except as specified under § 164.508(b)(5). However, the Department notes that researchers may choose to include, and covered entities may choose to require, an expiration date when appropriate.
Although the final Rule does not modify the revocation provision at § 164.508(b)(5), in response to commenters’ concerns, the Department clarifies that this provision permits covered entities to continue using and disclosing protected health information that was obtained prior to the time the individual revoked his or her authorization, as necessary to maintain the integrity of the research study. An individual may not revoke an authorization to the extent the covered entity has acted in reliance on the authorization. For research uses and disclosures, this reliance exception at § 164.508(b)(5)(i) permits the continued use and disclosure of protected health information already obtained pursuant to a valid authorization to the extent necessary to preserve the integrity of the research study. For example, the reliance exception would permit the continued use and disclosure of protected health information to account for a subject’s withdrawal from the research study, as necessary to incorporate the information as part of a marketing application submitted to the FDA, to conduct investigations of scientific misconduct, or to report adverse events. However, the reliance exception would not permit a covered entity to continue disclosing additional protected health information to a researcher or to use for its own research purposes information not already gathered at the time an individual withdraws his or her authorization. The Department believes that this clarification of the Rule will minimize the negative effects on research caused by participant withdrawal and will allow for important continued uses and disclosures to occur, while maintaining privacy protections for research subjects.
| HHS Response to Comments Received - Published With the August 2002 Revisions General Requirements for Authorization - § 164.508(b) |
Note: The HHS Response to Comments is the same as for § 164.508(a).
1. Restructuring Authorization.
Overview of Public Comments. The following discussion provides an overview of the public comment received on this proposal.
There was overwhelming support for the proposed modifications. Overall, supporters were of the opinion that the consolidation and simplification would promote efficiency, simplify compliance, and reduce confusion. Many commenters claimed the changes would eliminate barriers to quality health care. Some commenters claimed the proposed modifications would make the authorization process easier for both providers and individuals, and one commenter said they would make authorizations easier to read and understand. A number of commenters stated the changes would not have adverse consequences for individuals, and one commenter noted the proposal would preserve the opportunity for individuals to give a meaningful authorization.
However, some of the proponents suggested the Department go further to ease the administrative burden of obtaining authorizations. Some urged the Department to eliminate some of the required elements which they perceived as unnecessary to protect privacy, while others suggested that covered entities should decide which elements were relevant in a given situation. Some commenters urged the Department to retain the exception to the prohibition on conditioning payment of a claim on obtaining an authorization. These commenters expressed fear that the voluntary consent process and/or the right to request restrictions on uses and disclosures for treatment, payment, or health care operations might prevent covered entities from disclosing protected health information needed for payment purposes, or providers may be reluctant to cooperate in disclosures for payment purposes based on inadequately drafted notices.
Comments were divided on the proposed requirement to disclose remuneration in marketing authorizations. Recommendations ranged from requiring the disclosure of remuneration on all authorizations, to eliminating the requirement all together.
Response to Other Public Comments.
Comment: A number of commenters specifically expressed support of the proposed authorization requirement for marketing, and urged the Department to adopt the requirement. However, one commenter claimed that requiring authorizations for marketing would reduce hospitals’ ability to market their programs and services effectively in order to compete in the marketplace, and that obtaining, storing, and maintaining marketing authorizations would be too burdensome.
Response: In light of the support in the comments, the Department has adopted the proposed requirement for an authorization before a covered entity may use or disclose protected health information for marketing. However, the commenter is mistaken that this requirement will interfere with a hospital’s ability to promote its own program and services within the community. First, such broad-based marketing is likely taking place without resort to protected health information, through dissemination of information about the hospital through community-wide mailing lists. Second, under the Privacy Rule, a communication is not marketing if a covered entity is describing its own products and services. Therefore, nothing in the Rule will inhibit a hospital from competing in the marketplace by communicating about its programs and services.
Comment: One commenter suggested that authorizations for marketing should clearly indicate that they are comprehensive and may contain sensitive protected health information.
Response: The Department treats all individually identifiable health information as sensitive and equally deserving of protections under the Privacy Rule. The Rule requires all authorizations to contain the specified core elements to ensure individuals are given the information they need to make an informed decision. One of the core elements for all authorizations is a clear description of the information that is authorized to be used or disclosed in specific and meaningful terms. The authorization process provides the individual with the opportunity to ask questions, negotiate how their information will be used and disclosed, and ultimately to control whether these uses and disclosures will be made.
Comment: Several commenters urged the Department to retain the existing structure of the implementation specifications, whereby the notification statements about the individual’s right to revoke and the potential for redisclosure are “core elements.” It was argued that this information is essential to an informed decision. One of the commenters claimed that moving them out of the core elements and only requiring a statement adequate to put the person on notice of the information would increase uncertainty, and that these two elements are too important to risk inadequate explanation.
Response: The Department agrees that the required notification statements are essential information that a person needs in order to make an informed decision about authorizing the use or disclosure of protected health information. Individuals need to know what rights they have with respect to an authorization, and how they can exercise those rights. However, separating the core elements and notification statements into two different subparagraphs does not diminish the importance or effect of the notification statements. The Department clarifies that both the core elements and the notification statements are required, and both must be included for an authorization to be valid.
Comment: Several commenters urged the Department to eliminate unnecessary authorization contents. They argued the test should be whether the person needs the information to protect his or her privacy, and cited the disclosure of remuneration by a third party as an example of unnecessary content, alleging that the disclosure of remuneration is not relevant to protecting privacy. One commenter suggested that covered entities should be given the flexibility to decide which contents are applicable in a given situation.
Response: The Department believes the core elements are all essential information. Individuals need to know this information to make an informed decision about giving the authorization to use or disclose their protected health information. Therefore, the Department believes all of the core elements are necessary content in all situations. The Department does not agree that the remuneration statement required on an authorization for uses and disclosures of an individual’s protected health information for marketing purposes is not relevant to protecting privacy. Individuals exercise control over the privacy of their protected health information by either giving or denying an authorization, and remuneration from a third party to the covered entity for obtaining an authorization for marketing is an important factor in making that choice.
Comment: One commenter suggested that covered entities should not be required to state on an authorization a person’s authority to act on an individual’s behalf, and they should be trusted to require such identification or proof of legal authority when the authorization is signed. The commenter stated that this requirement only increases administrative burden for covered entities.
Response: The Department does not agree. The authorization requirement is intended to give individuals some control over uses and disclosures of protected health information that are not otherwise permitted or required by the Rule. Therefore, the Rule requires that covered entities verify and document a person’s authority to sign an authorization on an individual’s behalf, since that person is exercising the individual’s control of the information. Furthermore, the Department understands that it is a current industry standard to verify and document a person’s authority to sign any legal permission on another person’s behalf. Thus, the requirement should not result in any undue administrative burden for covered entities.
Comment: One commenter suggested that the Department should require authorizations to include a complete list of entities that will use and share the information, and that the individual should be notified periodically of any changes to the list so that the individual can provide written authorization for the changes.
Response: It may not always be feasible or practical for covered entities to include a comprehensive list of persons authorized to use and share the information disclosed pursuant to an authorization. However, individuals may discuss this option with covered entities, and they may refuse to sign an authorization that does not meet their expectations. Also, subject to certain limitations, individuals may revoke an authorization at any time.
Comment: One commenter asked for clarification that a health plan may not condition a provider’s participation in the health plan on seeking authorization for the disclosure of psychotherapy notes, arguing that this practice would coerce providers to request, and patients to provide, an authorization to disclose psychotherapy notes.
Response: The Privacy Rule does not permit a health plan to condition enrollment, eligibility for benefits, or payment of a claim on obtaining the individual’s authorization to use or disclose psychotherapy notes. Nor may a health care provider condition treatment on an authorization for the use or disclosure of psychotherapy notes. In a situation such as the one described by the commenter, the Department would look closely at whether the health plan was attempting to accomplish indirectly that which the Rule prohibits. These prohibitions are to ensure that the individual’s permission is wholly voluntary and informed with regard to such an authorization. To meet these standards, in the circumstances set forth in the comment, the Department would expect the provider subject to such a requirement by the health plan to explain to the individual in very clear terms that, while the provider is required to ask, the individual remains free to refuse to authorize the disclosure and that such refusal will have no effect on either the provision of treatment or the individual’s coverage under, and payment of claims by, the health plan.
Comment: A few commenters suggested the Department should allow covered entities to combine an authorization with other documents, such as the notice acknowledgment, claiming it would reduce administrative burden and paperwork, as well as reduce patient confusion and waiting times, without compromising privacy protections.
Response: The Department disagrees that combining an authorization with other documents, such as the notice acknowledgment, would be less confusing for individuals. To the contrary, the Department believes that combining unrelated documents would be more confusing. However, the Rule does permit an authorization to be combined with other authorizations so long as the provision of treatment, payment, enrollment in a health plan or eligibility for benefits is not conditioned on obtaining any of the authorizations, and the authorization is not for the use or disclosure of psychotherapy notes.
Also, authorizations must contain the same information, whether it is a separate document or combined with another document; and the individual must be given the opportunity to read and discuss that information. Combining an authorization with routine paperwork diminishes individuals’ ability to make a considered and informed judgment to permit the use or disclosure of their medical information for some other purpose.
Comment: One commenter stated that the requirement for covered entities to use only authorizations that are valid under the Rule must be an unintended result of the Rule, because covered entities would have to use only valid authorizations when requesting information from non-covered entities. The commenter did not believe the Department intended this requirement to apply with respect to non-covered entities, and gave the example of dental health plans obtaining protected health information in connection with paper claims submitted by dental offices. The commenter requested clarification that health plans may continue to use authorization forms currently in use for all claims submitted by non-covered entities.
Response: The commenter misapprehends the Rule’s requirements. The requirements apply to uses and disclosure of protected health information by covered entities. In the example provided, where a health plan is requesting additional information in support of a claim for payment by a non-covered health care provider, the health plan is not required to use an authorization. The plan does not need the individual’s authorization to use protected health information for payment purposes, and the non-covered health care provider is not subject to any of the Rule’s requirements. Therefore, the exchange of information may occur as it does today. The Department notes that, based on the modifications regarding consent adopted in this rulemaking, neither a consent nor an authorization would be required in this example even if the health care provider was also a covered entity.
Comment: Several commenters urged the Department to add a transition provision to permit hospitals to use protected health information in already existing databases for marketing and outreach to the communities they serve. Commenters claimed that these databases are important assets that would take many years to rebuild, and hospitals may not have an already existing authorization or other express legal permission for such use of the information. They contended that, without a transition provision, these databases would become useless under the Rule. Commenters suggested the Department should adopt an “opt out” provision that would allow continued use of these databases to initially communicate with the persons listed in the database; at that time, they could obtain authorization for future communications, thus providing a smooth transition.
Response: Covered entities are provided a two-year period in which to come into compliance with the Privacy Rule. One of the purposes of the compliance period is to allow covered entities sufficient time to undertake actions such as those described in the comment (obtaining the legal permissions that would permit databases to continue to operate after the compliance date). An additional transition period for these activities has not been justified by the commenters. However, the Department notes that a covered entity is permitted to use the information in a database for communications that are either excepted from or that do not meet the definition of “marketing” in § 164.501, without individual authorization. For example, a hospital may use protected health information in an existing database to distribute information about the services it provides, or to distribute a newsletter with general health or wellness information that does not promote a particular product or service.
2. Research Authorizations.
Overview of Public Comments. The following discussion provides an overview of the public comment received on this proposal.
The vast majority of commenters were very supportive of the proposed revisions to the Rule’s provisions for research authorizations. However, the Department did hear from several commenters that the Privacy Rule’s requirement for an expiration date or event should be eliminated for all research uses and disclosures of protected health information, not just for uses and disclosures for the creation or maintenance of a research database or repository, as was proposed in the NPRM. These commenters were concerned that the Privacy Rule would prohibit important uses and disclosures of protected health information after the termination of a research project, such as the reporting of research results to the Food and Drug Administration (FDA) for an FDA investigational new drug application, unless the covered entity obtained another patient authorization. In addition, several of these commenters cited confusion in defining repositories and databases. Some of these commenters stated that an individual who authorizes information to be used for an indeterminate time most likely expects and intends for the information to be used and disclosed if needed well into the future, regardless of whether or not the research involves the use or disclosure of protected health information for the creation or maintenance of a database or repository.
Several commenters responded to the Department’s request for comments on how to appropriately limit uses and disclosures following revocation of an authorization, while preserving the integrity of the research. The NPRM attempted to clarify that “even though a revocation will prevent a covered entity from further disclosing protected health information for research purposes, the exception to this requirement is intended to allow for certain continued uses of information as appropriate to preserve the integrity of the research study.” However, the NPRM further stated that “if covered entities were permitted to continue using or disclosing protected health information for the research project even after an individual had revoked his or her authorization, this would undermine the primary objective of the authorization requirements to be a voluntary, informed choice of the individual.” Several commenters were concerned and confused by the NPRM’s statements. In particular, the Department received comments urging that the regulation permit covered entities to use and disclose research data already obtained, even after an individual has withdrawn his or her authorization. These commenters suggested that once a subject has authorized the use and disclosure of protected health information for research and the covered entity has relied on the authorization, the covered entity must retain the ability to use or disclose the subject’s pre-withdrawal information for purposes consistent with the overall research. One commenter argued that it would be inadequate for the reliance exception at § 164.508(b)(5) to be interpreted to permit continued uses of the individual’s information as appropriate only to account for an individual’s withdrawal from the study. In this commenter’s opinion, most research would call for the continued use of protected health information obtained prior to an individual’s revocation of their authorization to safeguard statistical validity and truly to preserve the integrity of human research.
Response to Other Public Comments.
Comment: In opposition to the March 2002 NPRM, one commenter suggested prohibiting the combining of authorization forms with an informed consent when the covered entity disclosing the protected health information is not otherwise participating in research. The commenter argued that the NPRM would allow covered entities to receive more information than necessary to fulfill a patient’s authorization request, such as information about the particular type or purpose of the study itself, and could, thereby, violate the patient’s privacy.
Response: The Department acknowledges the concern raised by these commenters; however, prohibiting the combination of authorization forms with an informed consent reduces the flexibility proposed in the March 2002 NPRM. Since the final modifications permit, but do not require, such combining of forms, the Department has decided to leave it to the discretion of researchers or the IRBs to determine whether the combining of authorization forms and consent forms for research would be appropriate for a particular research study.
Comment: Some commenters supported retaining the December 2000 Privacy Rule requirement that a description of the extent to which protected health information will be used or disclosed for treatment, payment, or health care operations be included in an authorization to use or disclose protected health information for a research study that includes treatment of individuals. These commenters argued that an individual’s ability to make informed decisions requires that he or she know how research information will and will not be used and disclosed.
Response: The Department agrees with the majority of the commenters who were in support of the March 2002 NPRM proposal to eliminate the additional authorization requirements for research that includes treatment, and has adopted these proposed modifications in the final Rule. Retaining the distinction between research that involves treatment and research that does not would require overly subjective decisions without providing commensurate privacy protections for individuals. However, the Department notes that it may sometimes be advisable for authorization forms to include a statement regarding how protected health information obtained for a research study will be used and disclosed for treatment, payment, and health care operations, if such information would assist individuals in making informed decisions about whether or not to provide their authorization for a research study.
Comment: One commenter argued that expiration dates should be included on authorizations and that extensions should be required for all research uses and disclosures made after the expiration date or event has passed.
Response: The Department disagrees. We have determined that an expiration date or event would not always be feasible or desirable for some research uses and disclosures of protected health information. By allowing for no expiration date, the final Rule permits without separate patient authorization important disclosures even after the “termination of the research project” that might otherwise be prohibited. However, the final Rule contains the requirement that the patient authorization specify if the authorization would not have an expiration date or event. Therefore, patients will have this information to make an informed decision about whether to sign the authorization.
Comment: Another commenter suggested permitting covered entities/researchers to continue using or disclosing protected health information even after a revocation of the initial authorization but only if an IRB or Privacy Board approved the continuation. This commenter argued that such review by an IRB or Privacy Board would protect privacy, while permitting continued uses and disclosures of protected health information for important purposes.
Response: As stated above, the Department agrees that it may sometimes be necessary to continue using and disclosing protected health information even after an individual has revoked his or her authorization in order to preserve the integrity of a research study. Therefore, the Department has clarified that the reliance exception at § 164.508(b)(5)(i) would permit the continued use and disclosure of protected health information already obtained pursuant to a valid authorization to the extent necessary to preserve the integrity of the research study. A requirement for documentation of IRB or Privacy Board review and approval of the continued use or disclosure of protected health information after an individual’s authorization had been revoked could protect patient privacy. However, the Department believes that the additional burden on the IRB or Privacy Board could be substantial, and is not warranted at this time.
Comment: A commenter requested clarification that the “reliance exception” does not permit covered entities as researchers to continue analyzing data once an individual has revoked his or her authorization.
Response: As discussed above, the Department disagrees with this comment. Patient privacy must be balanced against other public goods, such as research and the risk of compromising such research projects if researchers could not continue to use such data. The Department determined that permitting continued uses and disclosures of protected health information already obtained to protect the integrity of research, even after an individual’s authorization has been revoked, would pose minimal privacy risk to individuals without compromising research.
Comment: Several commenters suggested permitting the proposed authorization requirement for a “description of each purpose of the requested use or disclosure” at § 164.508 to be sufficiently broad to encompass future unspecified research. These commenters argued that this option would reduce the burden for covered entities and researchers by permitting covered entities to use or disclose protected health information for re-analysis without having to obtain an additional authorization from the individual. Some discussed the possibility that burden for patients would also be reduced because they would not have to provide additional authorizations. These commenters also argued that such a provision would more directly align the Rule with the Common Rule, which permits broad informed consent for secondary studies if the IRB deems the original informed consent to be adequate.
Response: The Department disagrees with broadening the required “description of the purpose of the use or disclosure” because of the concern that patients would lack necessary information to make an informed decision. In addition, unlike the Common Rule, the Privacy Rule does not require IRB or Privacy Board review of research uses and disclosures made with individual authorization. Therefore, instead of IRBs or Privacy Boards reviewing the adequacy of existing patient authorizations, covered entities would be left to decide whether or not the initial authorization was broad enough to cover subsequent research analyses. Furthermore, it should be noted that patient authorization would not be required for such re-analysis if, with respect to the re-analysis, the covered entity obtains IRB or Privacy Board waiver of such authorization as required by § 164.512(i). For these reasons, the Department has decided to retain the requirement that each purpose of the requested use or disclosure described in the authorization form be research study specific. However, the Department understands that, in the past, some express legal permissions and informed consents have not been study-specific and sometimes authorize the use or disclosure of information for future unspecified research. Furthermore, some IRB-approved waivers of informed consent have been for future unspecified research. Therefore, the final Rule at § 164.532 permits covered entities to rely on an express legal permission, informed consent, or IRB-approved waiver of informed consent for future unspecified research, provided the legal permission, informed consent or IRB-approved waiver was obtained prior to the compliance date.
Comment: Several commenters suggested retaining the authorization element requiring a statement regarding “the potential for information disclosed pursuant to the authorization to be subject to redisclosure by the recipient and no longer protected by this Rule” but with one addition. This addition would state that “researchers could only use or disclose the protected health information for purposes approved by the IRB or as required by law or regulation.” These commenters argued that this would be clearer to participants and would prevent the misconception that their information would not be protected by any confidentiality standards.
Response: The Department recognizes the concern of the commenters seeking to supplement the requirement, but points out that, although the final Rule will not require this addition, it is permissible to include such a statement in the authorization. In addition, since the Privacy Rule does not require IRB or Privacy Board review of research uses and disclosures made with patient authorization, the Department determined that adding the commenters’ suggestion to the final Rule would be inappropriate. Section III.E.1. above provides further discussion of this provision.