|
§164.508
Uses and disclosures for which an authorization is required.
(a)
Standard: authorizations for uses and disclosures. (1) Authorization required:
general rule. Except as otherwise permitted or required by this subchapter, a
covered entity may not use or disclose protected health information without an
authorization that is valid under this section. When a covered entity obtains or
receives a valid authorization for its use or disclosure of
protected health information, such
use or disclosure must be consistent with such authorization.
(2)
Authorization required: psychotherapy
notes. Notwithstanding any other provision
of this subpart, other than transition provisions provided for in § 164.532, a
covered entity must obtain an authorization for any use or disclosure of
psychotherapy notes, except:
(i)
To carry out the following treatment, payment, or health care
operations,
consistent with consent requirements in § 164.506:
(A)
Use by originator of the psychotherapy notes for
treatment;
(B)
Use or disclosure by the covered entity in training programs in which students,
trainees, or practitioners in mental health learn under supervision to practice
or improve their skills in group, joint, family, or individual counseling; or
(C)
Use or disclosure by the covered entity to defend a legal action or other
proceeding brought by the individual; and
(ii)
A use or disclosure that is required by § 164.502(a)(2)(ii) or permitted by §
164.512(a); § 164.512(d) with respect to the oversight of the originator of the
psychotherapy notes; § 164.512(g)(1); or § 164.512(j)(1)(i).
(b)
Implementation specifications: general requirements. (1) Valid authorizations.
(i)
A valid authorization is a document that contains the elements listed in
paragraph (c) and, as applicable, paragraph (d), (e), or (f) of this section.
(ii)
A valid authorization may contain elements or information in addition to the
elements required by this section, provided that such additional elements or
information are not be inconsistent with the elements required by this section.
(2)
Defective authorizations. An authorization is not valid, if the document
submitted has any of the following defects:
(i)
The expiration date has passed or the expiration event is known by the covered
entity to have occurred;
(ii)
The authorization has not been filled out completely, with respect to an element
described by paragraph (c), (d), (e), or (f) of this section, if applicable;
(iii)
The authorization is known by the covered entity to have been revoked;
(iv)
The authorization lacks an element required by paragraph (c), (d), (e), or (f)
of this section, if applicable;
(v)
The authorization violates paragraph (b)(3) of this section, if applicable;
(vi)
Any material information in the authorization is known by the covered entity to
be false.
(3)
Compound authorizations. An authorization for use or disclosure of
protected
health information may not be combined with any other document to create a
compound authorization, except as follows:
(i)
An authorization for the use or disclosure of
protected health information
created for research that includes treatment of the individual may be combined
as permitted by § 164.506(b)(4)(ii) or paragraph (f) of this section;
(ii)
An authorization for a use or disclosure of
psychotherapy notes may only be
combined with another authorization for a use or disclosure of
psychotherapy notes;
(iii)
An authorization under this section, other than an authorization for a use or
disclosure of psychotherapy notes may be combined with any other such
authorization under this section, except when a covered entity has conditioned
the provision of treatment, payment, enrollment in the
health plan, or
eligibility for benefits under paragraph (b)(4) of this section on the provision
of one of the authorizations.
(4)
Prohibition on conditioning of authorizations. A covered entity may not
condition the provision to an individual of
treatment,
payment, enrollment in
the health plan, or eligibility for benefits on the provision of an
authorization, except:
(i)
A covered health care provider may condition the provision of research-related
treatment on provision of an authorization under paragraph (f) of this section;
(ii)
A health plan may condition enrollment in the
health plan or eligibility for
benefits on provision of an authorization requested by the health plan prior to
an individual's enrollment in the health
plan, if:
(A)
The authorization sought is for the health plan’s eligibility or enrollment
determinations relating to the individual or for its underwriting or risk rating
determinations; and
(B)
The authorization is not for a use or disclosure of
psychotherapy notes under
paragraph (a)(2) of this section;
(iii)
A health plan may condition payment of a claim for specified benefits on
provision of an authorization under paragraph (e) of this section, if:
(A)
The disclosure is necessary to determine payment of such claim; and
(B)
The authorization is not for a use or disclosure of
psychotherapy notes under
paragraph (a)(2) of this section; and
(iv)
A covered entity may condition the provision of
health care that is solely for
the purpose of creating protected health information for disclosure to a third
party on provision of an authorization for the disclosure of the
protected
health information to such third party.
(5)
Revocation of authorizations. An individual may revoke an authorization provided
under this section at any time, provided that the revocation is in writing,
except to the extent that:
(i)
The covered entity has taken action in reliance thereon; or
(ii)
If the authorization was obtained as a condition of obtaining insurance
coverage, other law provides the insurer with the right to contest a claim under
the policy.
(6)
Documentation. A covered entity must document and retain any signed
authorization under this section as required by § 164.530(j).
(c)
Implementation specifications: core elements and requirements. (1) Core
elements. A valid authorization under this section must contain at least the
following elements:
(i)
A description of the information to be used or disclosed that identifies the
information in a specific and meaningful fashion;
(ii)
The name or other specific identification of the person(s), or class of persons,
authorized to make the requested use or disclosure;
(iii)
The name or other specific identification of the person(s), or class of persons,
to whom the covered entity may make the requested use or disclosure;
(iv)
An expiration date or an expiration event that relates to the individual or the
purpose of the use or disclosure;
(v)
A statement of the individual’s right to revoke the authorization in writing
and the exceptions to the right to revoke, together with a description of how
the individual may revoke the authorization;
(vi)
A statement that information used or disclosed pursuant to the authorization may
be subject to redisclosure by the recipient and no longer be protected by this
rule;
(vii)
Signature of the individual and date; and
(viii)
If the authorization is signed by a personal representative of the individual, a
description of such representative’s authority to act for the individual.
(2)
Plain language requirement. The authorization must be written in plain language.
(d)
Implementation specifications: authorizations requested by a covered entity for
its own uses and disclosures. If an authorization is requested by a covered
entity for its own use or disclosure of protected health information that it
maintains, the covered entity must comply with the following requirements.
(1)
Required elements. The authorization for the uses or disclosures described in
this paragraph must, in addition to meeting the requirements of paragraph (c) of
this section, contain the following elements:
(i)
For any authorization to which the prohibition on conditioning in paragraph
(b)(4) of this section applies, a statement that the covered entity will not
condition treatment, payment, enrollment in the
health plan, or eligibility for
benefits on the individual's providing authorization for the requested
use or disclosure;
(ii)
A description of each purpose of the requested use or disclosure;
(iii)
A statement that the individual may:
(A)
Inspect or copy the protected health information to be
used or disclosed as
provided in § 164.524; and
(B)
Refuse to sign the authorization; and
(iv)
If use or disclosure of the requested information will result in direct or
indirect remuneration to the covered entity from a third party, a statement that
such remuneration will result.
(2)
Copy to the individual. A covered entity must provide the
individual with a copy
of the signed authorization.
(e)
Implementation specifications: authorizations requested by a covered entity for
disclosures by others. If an authorization is requested by a covered entity for
another covered entity to disclose protected health information to the covered
entity requesting the authorization to carry out treatment, payment, or health
care operations, the covered entity requesting the authorization must comply
with the following requirements.
(1)
Required elements. The authorization for the disclosures described in this
paragraph must, in addition to meeting the requirements of paragraph (c) of this
section, contain the following elements:
(i)
A description of each purpose of the requested disclosure;
(ii)
Except for an authorization on which payment may be conditioned under paragraph
(b)(4)(iii) of this section, a statement that the covered entity will not
condition treatment, payment, enrollment in the
health plan, or eligibility for
benefits on the individual's providing authorization for the requested
use or disclosure; and
(iii)
A statement that the individual may refuse to sign the authorization.
(2)
Copy to the individual. A covered entity must provide the
individual with a copy
of the signed authorization.
(f)
Implementation specifications: authorizations for uses and disclosures of
protected health information created for research that includes
treatment of the
individual. (1) Required elements. Except as otherwise permitted by §
164.512(i), a covered entity that creates protected health information for the
purpose, in whole or in part, of research that includes
treatment of individuals
must obtain an authorization for the use or disclosure of such information. Such
authorization must:
(i)
For uses and disclosures not otherwise permitted or required under this subpart,
meet the requirements of paragraphs (c) and (d) of this section; and
(ii)
Contain:
(A)
A description of the extent to which such protected health information will be
used or disclosed to carry out treatment, payment, or health care
operations;
(B)
A description of any protected health information that will not be
used or
disclosed for purposes permitted in accordance with §§ 164.510 and 164.512,
provided that the covered entity may not include a limitation affecting its
right to make a use or disclosure that is required by law or permitted by §
164.512(j)(1)(i); and
(C)
If the covered entity has obtained or intends to obtain the individual’s
consent under § 164.506, or has provided or intends to provide the individual
with a notice under § 164.520, the authorization must refer to that consent or
notice, as applicable, and state that the statements made pursuant to this
section are binding.
(2)
Optional procedure. An authorization under this paragraph may be in the same
document as:
(i)
A consent to participate in the research;
(ii)
A consent to use or disclose protected health information to carry out
treatment, payment, or health care operations under § 164.506; or
(iii)
A notice of privacy practices under § 164.520.
|
