[Code of Federal Regulations] [Title 45, Volume 1] [Revised as of October 1, 2002] From the U.S. Government Printing Office via GPO Access [CITE: 45CFR164.508] [Page 702-707] TITLE 45--PUBLIC WELFARE AND HUMAN SERVICES PART 164--SECURITY AND PRIVACY--Table of Contents Subpart E--Privacy of Individually Identifiable Health Information Sec. 164.508 Uses and disclosures for which an authorization is required. (a) Standard: Authorizations for uses and disclosures. (1) Authorization required: General rule. Except as otherwise permitted or required by this subchapter, a covered entity may not use or disclose protected health information without an authorization that is valid under this section. When a covered entity obtains or receives a valid authorization for its use or disclosure of protected health information, such use or disclosure must be consistent with such authorization. (2) Authorization required: psychotherapy notes. Notwithstanding any other provision of this subpart, other than transition provisions provided for in Sec. 164.532, a covered entity must obtain an authorization for any use or disclosure of psychotherapy notes, except: (i) To carry out the following treatment, payment, or health care operations, consistent with consent requirements in Sec. 164.506: (A) Use by originator of the psychotherapy notes for treatment; (B) Use or disclosure by the covered entity in training programs in which students, trainees, or practitioners in mental health learn under supervision to practice or improve their skills in group, joint, family, or individual counseling; or (C) Use or disclosure by the covered entity to defend a legal action or other proceeding brought by the individual; and (ii) A use or disclosure that is required by Sec. 164.502(a)(2)(ii) or permitted by Sec. 164.512(a); Sec. 164.512(d) with respect to the oversight of the originator of the psychotherapy notes; Sec. 164.512(g)(1); or Sec. 164.512(j)(1)(i). (b) Implementation specifications: General requirements--(1) Valid authorizations. (i) A valid authorization is a document that contains the elements listed in paragraph (c) and, as applicable, paragraph (d), (e), or (f) of this section. (ii) A valid authorization may contain elements or information in addition to the elements required by this section, provided that such additional [[Page 703]] elements or information are not be inconsistent with the elements required by this section. (2) Defective authorizations. An authorization is not valid, if the document submitted has any of the following defects: (i) The expiration date has passed or the expiration event is known by the covered entity to have occurred; (ii) The authorization has not been filled out completely, with respect to an element described by paragraph (c), (d), (e), or (f) of this section, if applicable; (iii) The authorization is known by the covered entity to have been revoked; (iv) The authorization lacks an element required by paragraph (c), (d), (e), or (f) of this section, if applicable; (v) The authorization violates paragraph (b)(3) of this section, if applicable; (vi) Any material information in the authorization is known by the covered entity to be false. (3) Compound authorizations. An authorization for use or disclosure of protected health information may not be combined with any other document to create a compound authorization, except as follows: (i) An authorization for the use or disclosure of protected health information created for research that includes treatment of the individual may be combined as permitted by Sec. 164.506(b)(4)(ii) or paragraph (f) of this section; (ii) An authorization for a use or disclosure of psychotherapy notes may only be combined with another authorization for a use or disclosure of psychotherapy notes; (iii) An authorization under this section, other than an authorization for a use or disclosure of psychotherapy notes may be combined with any other such authorization under this section, except when a covered entity has conditioned the provision of treatment, payment, enrollment in the health plan, or eligibility for benefits under paragraph (b)(4) of this section on the provision of one of the authorizations. (4) Prohibition on conditioning of authorizations. A covered entity may not condition the provision to an individual of treatment, payment, enrollment in the health plan, or eligibility for benefits on the provision of an authorization, except: (i) A covered health care provider may condition the provision of research-related treatment on provision of an authorization under paragraph (f) of this section; (ii) A health plan may condition enrollment in the health plan or eligibility for benefits on provision of an authorization requested by the health plan prior to an individual's enrollment in the health plan, if: (A) The authorization sought is for the health plan's eligibility or enrollment determinations relating to the individual or for its underwriting or risk rating determinations; and (B) The authorization is not for a use or disclosure of psychotherapy notes under paragraph (a)(2) of this section; (iii) A health plan may condition payment of a claim for specified benefits on provision of an authorization under paragraph (e) of this section, if: (A) The disclosure is necessary to determine payment of such claim; and (B) The authorization is not for a use or disclosure of psychotherapy notes under paragraph (a)(2) of this section; and (iv) A covered entity may condition the provision of health care that is solely for the purpose of creating protected health information for disclosure to a third party on provision of an authorization for the disclosure of the protected health information to such third party. (5) Revocation of authorizations. An individual may revoke an authorization provided under this section at any time, provided that the revocation is in writing, except to the extent that: (i) The covered entity has taken action in reliance thereon; or (ii) If the authorization was obtained as a condition of obtaining insurance coverage, other law provides the insurer with the right to contest a claim under the policy. (6) Documentation. A covered entity must document and retain any signed authorization under this section as required by Sec. 164.530(j). [[Page 704]] (c) Implementation specifications: Core elements and requirements. (1) Core elements. A valid authorization under this section must contain at least the following elements: (i) A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion; (ii) The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure; (iii) The name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the requested use or disclosure; (iv) An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure; (v) A statement of the individual's right to revoke the authorization in writing and the exceptions to the right to revoke, together with a description of how the individual may revoke the authorization; (vi) A statement that information used or disclosed pursuant to the authorization may be subject to redisclosure by the recipient and no longer be protected by this rule; (vii) Signature of the individual and date; and (viii) If the authorization is signed by a personal representative of the individual, a description of such representative's authority to act for the individual. (2) Plain language requirement. The authorization must be written in plain language. (d) Implementation specifications: Authorizations requested by a covered entity for its own uses and disclosures. If an authorization is requested by a covered entity for its own use or disclosure of protected health information that it maintains, the covered entity must comply with the following requirements. (1) Required elements. The authorization for the uses or disclosures described in this paragraph must, in addition to meeting the requirements of paragraph (c) of this section, contain the following elements: (i) For any authorization to which the prohibition on conditioning in paragraph (b)(4) of this section applies, a statement that the covered entity will not condition treatment, payment, enrollment in the health plan, or eligibility for benefits on the individual's providing authorization for the requested use or disclosure; (ii) A description of each purpose of the requested use or disclosure; (iii) A statement that the individual may: (A) Inspect or copy the protected health information to be used or disclosed as provided in Sec. 164.524; and (B) Refuse to sign the authorization; and (iv) If use or disclosure of the requested information will result in direct or indirect remuneration to the covered entity from a third party, a statement that such remuneration will result. (2) Copy to the individual. A covered entity must provide the individual with a copy of the signed authorization. (e) Implementation specifications: Authorizations requested by a covered entity for disclosures by others. If an authorization is requested by a covered entity for another covered entity to disclose protected health information to the covered entity requesting the authorization to carry out treatment, payment, or health care operations, the covered entity requesting the authorization must comply with the following requirements. (1) Required elements. The authorization for the disclosures described in this paragraph must, in addition to meeting the requirements of paragraph (c) of this section, contain the following elements: (i) A description of each purpose of the requested disclosure; (ii) Except for an authorization on which payment may be conditioned under paragraph (b)(4)(iii) of this section, a statement that the covered entity will not condition treatment, payment, enrollment in the health plan, or eligibility for benefits on the individual's providing authorization for the requested use or disclosure; and (iii) A statement that the individual may refuse to sign the authorization. [[Page 705]] (2) Copy to the individual. A covered entity must provide the individual with a copy of the signed authorization. (f) Implementation specifications: Authorizations for uses and disclosures of protected health information created for research that includes treatment of the individual--(1) Required elements. Except as otherwise permitted by Sec. 164.512(i), a covered entity that creates protected health information for the purpose, in whole or in part, of research that includes treatment of individuals must obtain an authorization for the use or disclosure of such information. Such authorization must: (i) For uses and disclosures not otherwise permitted or required under this subpart, meet the requirements of paragraphs (c) and (d) of this section; and (ii) Contain: (A) A description of the extent to which such protected health information will be used or disclosed to carry out treatment, payment, or health care operations; (B) A description of any protected health information that will not be used or disclosed for purposes permitted in accordance with Secs. 164.510 and 164.512, provided that the covered entity may not include a limitation affecting its right to make a use or disclosure that is required by law or permitted by Sec. 164.512(j)(1)(i); and (C) If the covered entity has obtained or intends to obtain the individual's consent under Sec. 164.506, or has provided or intends to provide the individual with a notice under Sec. 164.520, the authorization must refer to that consent or notice, as applicable, and state that the statements made pursuant to this section are binding. (2) Optional procedure. An authorization under this paragraph may be in the same document as: (i) A consent to participate in the research; (ii) A consent to use or disclose protected health information to carry out treatment, payment, or health care operations under Sec. 164.506; or (iii) A notice of privacy practices under Sec. 164.520. Effective Date Note: At 67 FR 53268, Aug. 14, 2002, Sec. 164.508 was revised, effective Oct. 15, 2002. For the convenience of the user, the revised text is set forth as follows: Sec. 164.508 Uses and disclosures for which an authorization is required. (a) Standard: authorizations for uses and disclosures.--(1) Authorization required: general rule. Except as otherwise permitted or required by this subchapter, a covered entity may not use or disclose protected health information without an authorization that is valid under this section. When a covered entity obtains or receives a valid authorization for its use or disclosure of protected health information, such use or disclosure must be consistent with such authorization. (2) Authorization required: psychotherapy notes. Notwithstanding any provision of this subpart, other than the transition provisions in Sec. 164.532, a covered entity must obtain an authorization for any use or disclosure of psychotherapy notes, except: (i) To carry out the following treatment, payment, or health care operations: (A) Use by the originator of the psychotherapy notes for treatment; (B) Use or disclosure by the covered entity for its own training programs in which students, trainees, or practitioners in mental health learn under supervision to practice or improve their skills in group, joint, family, or individual counseling; or (C) Use or disclosure by the covered entity to defend itself in a legal action or other proceeding brought by the individual; and (ii) A use or disclosure that is required by Sec. 164.502(a)(2)(ii) or permitted by Sec. 164.512(a); Sec. 164.512(d) with respect to the oversight of the originator of the psychotherapy notes; Sec. 164.512(g)(1); or Sec. 164.512(j)(1)(i). (3) Authorization required: Marketing. (i) Notwithstanding any provision of this subpart, other than the transition provisions in Sec. 164.532, a covered entity must obtain an authorization for any use or disclosure of protected health information for marketing, except if the communication is in the form of: (A) A face-to-face communication made by a covered entity to an individual; or (B) A promotional gift of nominal value provided by the covered entity. (ii) If the marketing involves direct or indirect remuneration to the covered entity from a third party, the authorization must state that such remuneration is involved. (b) Implementation specifications: general requirements.--(1) Valid authorizations. (i) A valid authorization is a document that meets the requirements in paragraphs (a)(3)(ii), (c)(1), and (c)(2) of this section, as applicable. (ii) A valid authorization may contain elements or information in addition to the elements required by this section, provided that such additional elements or information are not inconsistent with the elements required by this section. [[Page 706]] (2) Defective authorizations. An authorization is not valid, if the document submitted has any of the following defects: (i) The expiration date has passed or the expiration event is known by the covered entity to have occurred; (ii) The authorization has not been filled out completely, with respect to an element described by paragraph (c) of this section, if applicable; (iii) The authorization is known by the covered entity to have been revoked; (iv) The authorization violates paragraph (b)(3) or (4) of this section, if applicable; (v) Any material information in the authorization is known by the covered entity to be false. (3) Compound authorizations. An authorization for use or disclosure of protected health information may not be combined with any other document to create a compound authorization, except as follows: (i) An authorization for the use or disclosure of protected health information for a research study may be combined with any other type of written permission for the same research study, including another authorization for the use or disclosure of protected health information for such research or a consent to participate in such research; (ii) An authorization for a use or disclosure of psychotherapy notes may only be combined with another authorization for a use or disclosure of psychotherapy notes; (iii) An authorization under this section, other than an authorization for a use or disclosure of psychotherapy notes, may be combined with any other such authorization under this section, except when a covered entity has conditioned the provision of treatment, payment, enrollment in the health plan, or eligibility for benefits under paragraph (b)(4) of this section on the provision of one of the authorizations. (4) Prohibition on conditioning of authorizations. A covered entity may not condition the provision to an individual of treatment, payment, enrollment in the health plan, or eligibility for benefits on the provision of an authorization, except: (i) A covered health care provider may condition the provision of research-related treatment on provision of an authorization for the use or disclosure of protected health information for such research under this section; (ii) A health plan may condition enrollment in the health plan or eligibility for benefits on provision of an authorization requested by the health plan prior to an individual's enrollment in the health plan, if: (A) The authorization sought is for the health plan's eligibility or enrollment determinations relating to the individual or for its underwriting or risk rating determinations; and (B) The authorization is not for a use or disclosure of psychotherapy notes under paragraph (a)(2) of this section; and (iii) A covered entity may condition the provision of health care that is solely for the purpose of creating protected health information for disclosure to a third party on provision of an authorization for the disclosure of the protected health information to such third party. (5) Revocation of authorizations. An individual may revoke an authorization provided under this section at any time, provided that the revocation is in writing, except to the extent that: (i) The covered entity has taken action in reliance thereon; or (ii) If the authorization was obtained as a condition of obtaining insurance coverage, other law provides the insurer with the right to contest a claim under the policy or the policy itself. (6) Documentation. A covered entity must document and retain any signed authorization under this section as required by Sec. 164.530(j). (c) Implementation specifications: Core elements and requirements.-- (1) Core elements. A valid authorization under this section must contain at least the following elements: (i) A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion. (ii) The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure. (iii) The name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the requested use or disclosure. (iv) A description of each purpose of the requested use or disclosure. The statement ``at the request of the individual'' is a sufficient description of the purpose when an individual initiates the authorization and does not, or elects not to, provide a statement of the purpose. (v) An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure. The statement ``end of the research study,'' ``none,'' or similar language is sufficient if the authorization is for a use or disclosure of protected health information for research, including for the creation and maintenance of a research database or research repository. (vi) Signature of the individual and date. If the authorization is signed by a personal representative of the individual, a description of such representative's authority to act for the individual must also be provided. (2) Required statements. In addition to the core elements, the authorization must contain statements adequate to place the individual on notice of all of the following: [[Page 707]] (i) The individual's right to revoke the authorization in writing, and either: (A) The exceptions to the right to revoke and a description of how the individual may revoke the authorization; or (B) To the extent that the information in paragraph (c)(2)(i)(A) of this section is included in the notice required by Sec. 164.520, a reference to the covered entity's notice. (ii) The ability or inability to condition treatment, payment, enrollment or eligibility for benefits on the authorization, by stating either: (A) The covered entity may not condition treatment, payment, enrollment or eligibility for benefits on whether the individual signs the authorization when the prohibition on conditioning of authorizations in paragraph (b)(4) of this section applies; or (B) The consequences to the individual of a refusal to sign the authorization when, in accordance with paragraph (b)(4) of this section, the covered entity can condition treatment, enrollment in the health plan, or eligibility for benefits on failure to obtain such authorization. (iii) The potential for information disclosed pursuant to the authorization to be subject to redisclosure by the recipient and no longer be protected by this subpart. (3) Plain language requirement. The authorization must be written in plain language. (4) Copy to the individual. If a covered entity seeks an authorization from an individual for a use or disclosure of protected health information, the covered entity must provide the individual with a copy of the signed authorization.