[Code of Federal Regulations]
[Title 45, Volume 1]
[Revised as of October 1, 2001]
From the U.S. Government Printing Office via GPO Access
[CITE: 45CFR164.508]
[Page 698-701]
TITLE 45--PUBLIC WELFARE
SUBTITLE A--DEPARTMENT OF HEALTH
AND HUMAN SERVICES
PART 164--SECURITY AND PRIVACY--Table of Contents
Subpart E--Privacy of Individually Identifiable Health Information
Sec. 164.508 Uses and disclosures for which an authorization is required.
(a) Standard: Authorizations for uses and disclosures. (1)
Authorization required: General rule. Except as otherwise permitted or
required by this subchapter, a covered entity may not use or disclose
protected health information without an authorization that is valid
under this section. When a covered entity obtains or receives a valid
authorization for its use or disclosure of protected health information,
such use or disclosure must be consistent with such authorization.
(2) Authorization required: psychotherapy notes. Notwithstanding any
other provision of this subpart, other than transition provisions
provided for in Sec. 164.532, a covered entity must obtain an
authorization for any use or disclosure of psychotherapy notes, except:
(i) To carry out the following treatment, payment, or health care
operations, consistent with consent requirements in Sec. 164.506:
(A) Use by originator of the psychotherapy notes for treatment;
(B) Use or disclosure by the covered entity in training programs in
which students, trainees, or practitioners in mental health learn under
supervision to practice or improve their skills in group, joint, family,
or individual counseling; or
(C) Use or disclosure by the covered entity to defend a legal action
or other proceeding brought by the individual; and
(ii) A use or disclosure that is required by Sec. 164.502(a)(2)(ii)
or permitted by Sec. 164.512(a); Sec. 164.512(d) with respect to the
oversight of the originator of the psychotherapy notes;
Sec. 164.512(g)(1); or Sec. 164.512(j)(1)(i).
(b) Implementation specifications: General requirements--(1) Valid
authorizations.
(i) A valid authorization is a document that contains the elements
listed in paragraph (c) and, as applicable, paragraph (d), (e), or (f)
of this section.
(ii) A valid authorization may contain elements or information in
addition to the elements required by this section, provided that such
additional elements or information are not be inconsistent with the
elements required by this section.
(2) Defective authorizations. An authorization is not valid, if the
document submitted has any of the following defects:
(i) The expiration date has passed or the expiration event is known
by the covered entity to have occurred;
(ii) The authorization has not been filled out completely, with
respect to an element described by paragraph (c), (d), (e), or (f) of
this section, if applicable;
[[Page 699]]
(iii) The authorization is known by the covered entity to have been
revoked;
(iv) The authorization lacks an element required by paragraph (c),
(d), (e), or (f) of this section, if applicable;
(v) The authorization violates paragraph (b)(3) of this section, if
applicable;
(vi) Any material information in the authorization is known by the
covered entity to be false.
(3) Compound authorizations. An authorization for use or disclosure
of protected health information may not be combined with any other
document to create a compound authorization, except as follows:
(i) An authorization for the use or disclosure of protected health
information created for research that includes treatment of the
individual may be combined as permitted by Sec. 164.506(b)(4)(ii) or
paragraph (f) of this section;
(ii) An authorization for a use or disclosure of psychotherapy notes
may only be combined with another authorization for a use or disclosure
of psychotherapy notes;
(iii) An authorization under this section, other than an
authorization for a use or disclosure of psychotherapy notes may be
combined with any other such authorization under this section, except
when a covered entity has conditioned the provision of treatment,
payment, enrollment in the health plan, or eligibility for benefits
under paragraph (b)(4) of this section on the provision of one of the
authorizations.
(4) Prohibition on conditioning of authorizations. A covered entity
may not condition the provision to an individual of treatment, payment,
enrollment in the health plan, or eligibility for benefits on the
provision of an authorization, except:
(i) A covered health care provider may condition the provision of
research-related treatment on provision of an authorization under
paragraph (f) of this section;
(ii) A health plan may condition enrollment in the health plan or
eligibility for benefits on provision of an authorization requested by
the health plan prior to an individual's enrollment in the health plan,
if:
(A) The authorization sought is for the health plan's eligibility or
enrollment determinations relating to the individual or for its
underwriting or risk rating determinations; and
(B) The authorization is not for a use or disclosure of
psychotherapy notes under paragraph (a)(2) of this section;
(iii) A health plan may condition payment of a claim for specified
benefits on provision of an authorization under paragraph (e) of this
section, if:
(A) The disclosure is necessary to determine payment of such claim;
and
(B) The authorization is not for a use or disclosure of
psychotherapy notes under paragraph (a)(2) of this section; and
(iv) A covered entity may condition the provision of health care
that is solely for the purpose of creating protected health information
for disclosure to a third party on provision of an authorization for the
disclosure of the protected health information to such third party.
(5) Revocation of authorizations. An individual may revoke an
authorization provided under this section at any time, provided that the
revocation is in writing, except to the extent that:
(i) The covered entity has taken action in reliance thereon; or
(ii) If the authorization was obtained as a condition of obtaining
insurance coverage, other law provides the insurer with the right to
contest a claim under the policy.
(6) Documentation. A covered entity must document and retain any
signed authorization under this section as required by Sec. 164.530(j).
(c) Implementation specifications: Core elements and requirements.
(1) Core elements. A valid authorization under this section must contain
at least the following elements:
(i) A description of the information to be used or disclosed that
identifies the information in a specific and meaningful fashion;
(ii) The name or other specific identification of the person(s), or
class of persons, authorized to make the requested use or disclosure;
(iii) The name or other specific identification of the person(s), or
class of persons, to whom the covered entity
[[Page 700]]
may make the requested use or disclosure;
(iv) An expiration date or an expiration event that relates to the
individual or the purpose of the use or disclosure;
(v) A statement of the individual's right to revoke the
authorization in writing and the exceptions to the right to revoke,
together with a description of how the individual may revoke the
authorization;
(vi) A statement that information used or disclosed pursuant to the
authorization may be subject to redisclosure by the recipient and no
longer be protected by this rule;
(vii) Signature of the individual and date; and
(viii) If the authorization is signed by a personal representative
of the individual, a description of such representative's authority to
act for the individual.
(2) Plain language requirement. The authorization must be written in
plain language.
(d) Implementation specifications: Authorizations requested by a
covered entity for its own uses and disclosures. If an authorization is
requested by a covered entity for its own use or disclosure of protected
health information that it maintains, the covered entity must comply
with the following requirements.
(1) Required elements. The authorization for the uses or disclosures
described in this paragraph must, in addition to meeting the
requirements of paragraph (c) of this section, contain the following
elements:
(i) For any authorization to which the prohibition on conditioning
in paragraph (b)(4) of this section applies, a statement that the
covered entity will not condition treatment, payment, enrollment in the
health plan, or eligibility for benefits on the individual's providing
authorization for the requested use or disclosure;
(ii) A description of each purpose of the requested use or
disclosure;
(iii) A statement that the individual may:
(A) Inspect or copy the protected health information to be used or
disclosed as provided in Sec. 164.524; and
(B) Refuse to sign the authorization; and
(iv) If use or disclosure of the requested information will result
in direct or indirect remuneration to the covered entity from a third
party, a statement that such remuneration will result.
(2) Copy to the individual. A covered entity must provide the
individual with a copy of the signed authorization.
(e) Implementation specifications: Authorizations requested by a
covered entity for disclosures by others. If an authorization is
requested by a covered entity for another covered entity to disclose
protected health information to the covered entity requesting the
authorization to carry out treatment, payment, or health care
operations, the covered entity requesting the authorization must comply
with the following requirements.
(1) Required elements. The authorization for the disclosures
described in this paragraph must, in addition to meeting the
requirements of paragraph (c) of this section, contain the following
elements:
(i) A description of each purpose of the requested disclosure;
(ii) Except for an authorization on which payment may be conditioned
under paragraph (b)(4)(iii) of this section, a statement that the
covered entity will not condition treatment, payment, enrollment in the
health plan, or eligibility for benefits on the individual's providing
authorization for the requested use or disclosure; and
(iii) A statement that the individual may refuse to sign the
authorization.
(2) Copy to the individual. A covered entity must provide the
individual with a copy of the signed authorization.
(f) Implementation specifications: Authorizations for uses and
disclosures of protected health information created for research that
includes treatment of the individual--(1) Required elements. Except as
otherwise permitted by Sec. 164.512(i), a covered entity that creates
protected health information for the purpose, in whole or in part, of
research that includes treatment of individuals must obtain an
authorization for the use or
[[Page 701]]
disclosure of such information. Such authorization must:
(i) For uses and disclosures not otherwise permitted or required
under this subpart, meet the requirements of paragraphs (c) and (d) of
this section; and
(ii) Contain:
(A) A description of the extent to which such protected health
information will be used or disclosed to carry out treatment, payment,
or health care operations;
(B) A description of any protected health information that will not
be used or disclosed for purposes permitted in accordance with
Secs. 164.510 and 164.512, provided that the covered entity may not
include a limitation affecting its right to make a use or disclosure
that is required by law or permitted by Sec. 164.512(j)(1)(i); and
(C) If the covered entity has obtained or intends to obtain the
individual's consent under Sec. 164.506, or has provided or intends to
provide the individual with a notice under Sec. 164.520, the
authorization must refer to that consent or notice, as applicable, and
state that the statements made pursuant to this section are binding.
(2) Optional procedure. An authorization under this paragraph may be
in the same document as:
(i) A consent to participate in the research;
(ii) A consent to use or disclose protected health information to
carry out treatment, payment, or health care operations under
Sec. 164.506; or
(iii) A notice of privacy practices under Sec. 164.520.