[Code of Federal Regulations]
[Title 45, Volume 1]
[Revised as of October 1, 2002]
From the U.S. Government Printing Office via GPO Access
[CITE: 45CFR164.532]

[Page 738-740]
 
                        TITLE 45--PUBLIC WELFARE
 
                           AND HUMAN SERVICES
 
PART 164--SECURITY AND PRIVACY--Table of Contents
 
   Subpart E--Privacy of Individually Identifiable Health Information
 
Sec. 164.532  Transition provisions.

    (a) Standard: Effect of prior consents and authorizations. 
Notwithstanding other sections of this subpart, a covered entity may 
continue to use or disclose protected health information pursuant to a 
consent, authorization, or other express legal permission obtained from 
an individual permitting the use or disclosure of protected health 
information that does not comply with Secs. 164.506 or 164.508 of this 
subpart consistent with paragraph (b) of this section.
    (b) Implementation specification: Requirements for retaining 
effectiveness of prior consents and authorizations. Notwithstanding 
other sections of this subpart, the following provisions apply to use or 
disclosure by a covered entity of protected health information pursuant 
to a consent, authorization, or other express legal permission obtained 
from an individual permitting the use or disclosure of protected health 
information, if the consent, authorization, or other express legal 
permission was obtained from an individual before the applicable 
compliance date of this subpart and does not comply with Secs. 164.506 
or 164.508 of this subpart.
    (1) If the consent, authorization, or other express legal permission 
obtained from an individual permits a use or disclosure for purposes of 
carrying out treatment, payment, or health care operations, the covered 
entity may, with respect to protected health information that it created 
or received before the applicable compliance date of this subpart and to 
which the consent, authorization, or other express legal permission 
obtained from an individual applies, use or disclose such information 
for purposes of carrying out treatment, payment, or health care 
operations, provided that:
    (i) The covered entity does not make any use or disclosure that is 
expressly excluded from the consent, authorization, or other express 
legal permission obtained from an individual; and
    (ii) The covered entity complies with all limitations placed by the 
consent, authorization, or other express legal permission obtained from 
an individual.
    (2) If the consent, authorization, or other express legal permission 
obtained from an individual specifically permits a use or disclosure for 
a purpose other than to carry out treatment, payment, or health care 
operations, the covered entity may, with respect to protected health 
information that it created or received before the applicable compliance 
date of this subpart and to which the consent, authorization, or other 
express legal permission obtained from an individual applies, make such 
use or disclosure, provided that:
    (i) The covered entity does not make any use or disclosure that is 
expressly excluded from the consent, authorization, or other express 
legal permission obtained from an individual; and
    (ii) The covered entity complies with all limitations placed by the 
consent, authorization, or other express legal permission obtained from 
an individual.
    (3) In the case of a consent, authorization, or other express legal 
permission obtained from an individual that identifies a specific 
research project that includes treatment of individuals:
    (i) If the consent, authorization, or other express legal permission 
obtained from an individual specifically permits a use or disclosure for 
purposes of the project, the covered entity may, with respect to 
protected health information that it created or received either before 
or after the applicable compliance date of this subpart and to which the 
consent or authorization applies, make such use or disclosure for 
purposes of that project, provided that the covered entity complies with 
all limitations placed by the consent, authorization, or other express 
legal permission obtained from an individual.
    (ii) If the consent, authorization, or other express legal 
permission obtained from an individual is a general consent to 
participate in the project, 
and a covered entity is conducting or participating in the research, 
such covered entity may, with respect to protected health information 
that it created or received as part of the project before or after the 
applicable compliance date of this subpart, make a use or disclosure for 
purposes of that project, provided that the covered entity complies with 
all limitations placed by the consent, authorization, or other express 
legal permission obtained from an individual.
    (4) If, after the applicable compliance date of this subpart, a 
covered entity agrees to a restriction requested by an individual under 
Sec. 164.522(a), a subsequent use or disclosure of protected health 
information that is subject to the restriction based on a consent, 
authorization, or other express legal permission obtained from an 
individual as given effect by paragraph (b) of this section, must comply 
with such restriction.

    Effective Date Note: At 67 FR 53272, Aug. 14, 2002, Sec. 164.532 was 
revised, effective Oct. 15, 2002. For the convenience of the user, the 
revised text is set forth as follows:

Sec. 164.532  Transition provisions.

    (a) Standard: Effect of prior authorizations. Notwithstanding 
Secs. 164.508 and 164.512(i), a covered entity may use or disclose 
protected health information, consistent with paragraphs (b) and (c) of 
this section, pursuant to an authorization or other express legal 
permission obtained from an individual permitting the use or disclosure 
of protected health information, informed consent of the individual to 
participate in research, or a waiver of informed consent by an IRB.
    (b) Implementation specification: Effect of prior authorization for 
purposes other than research. Notwithstanding any provisions in 
Sec. 164.508, a covered entity may use or disclose protected health 
information that it created or received prior to the applicable 
compliance date of this subpart pursuant to an authorization or other 
express legal permission obtained from an individual prior to the 
applicable compliance date of this subpart, provided that the 
authorization or other express legal permission specifically permits 
such use or disclosure and there is no agreed-to restriction in 
accordance with Sec. 164.522(a).
    (c) Implementation specification: Effect of prior permission for 
research. Notwithstanding any provisions in Secs. 164.508 and 
164.512(i), a covered entity may, to the extent allowed by one of the 
following permissions, use or disclose, for research, protected health 
information that it created or received either before or after the 
applicable compliance date of this subpart, provided that there is no 
agreed-to restriction in accordance with Sec. 164.522(a), and the 
covered entity has obtained, prior to the applicable compliance date, 
either:
    (1) An authorization or other express legal permission from an 
individual to use or disclose protected health information for the 
research;
    (2) The informed consent of the individual to participate in the 
research; or
    (3) A waiver, by an IRB, of informed consent for the research, in 
accordance with 7 CFR 1c.116(d), 10 CFR 745.116(d), 14 CFR 1230.116(d), 
15 CFR 27.116(d), 16 CFR 1028.116(d), 21 CFR 50.24, 22 CFR 225.116(d), 
24 CFR 60.116(d), 28 CFR 46.116(d), 32 CFR 219.116(d), 34 CFR 97.116(d), 
38 CFR 16.116(d), 40 CFR 26.116(d), 45 CFR 46.116(d), 45 CFR 690.116(d), 
or 49 CFR 11.116(d), provided that a covered entity must obtain 
authorization in accordance with Sec. 164.508 if, after the compliance 
date, informed consent is sought from an individual participating in the 
research.
    (d) Standard: Effect of prior contracts or other arrangements with 
business associates. Notwithstanding any other provisions of this 
subpart, a covered entity, other than a small health plan, may disclose 
protected health information to a business associate and may allow a 
business associate to create, receive, or use protected health 
information on its behalf pursuant to a written contract or other 
written arrangement with such business associate that does not comply 
with Secs. 164.502(e) and 164.504(e) consistent with the requirements, 
and only for such time, set forth in paragraph (e) of this section.
    (e) Implementation specification: Deemed compliance--(1) 
Qualification. Notwithstanding other sections of this subpart, a covered 
entity, other than a small health plan, is deemed to be in compliance 
with the documentation and contract requirements of Secs. 164.502(e) and 
164.504(e), with respect to a particular business associate 
relationship, for the time period set forth in paragraph (e)(2) of this 
section, if:
    (i) Prior to October 15, 2002, such covered entity has entered into 
and is operating pursuant to a written contract or other written 
arrangement with a business associate for such business associate to 
perform functions or activities or provide services that make the entity 
a business associate; and
    (ii) The contract or other arrangement is not renewed or modified 
from October 15, 2002, until the compliance date set forth in 
Sec. 164.534.
    (2) Limited deemed compliance period. A prior contract or other 
arrangement that meets the qualification requirements in paragraph (e) 
of this section, shall be deemed compliant until the earlier of:

    (i) The date such contract or other arrangement is renewed or 
modified on or after the compliance date set forth in Sec. 164.534; or
    (ii) April 14, 2004.
    (3) Covered entity responsibilities. Nothing in this section shall 
alter the requirements of a covered entity to comply with part 160, 
subpart C of this subchapter and Secs. 164.524, 164.526, 164.528, and 
164.530(f) with respect to protected health information held by a 
business associate.