Final Rule for Standards for Privacy of Individually Identifiable Health Information. What the Rule Covers
Analysis by the AHIMA Policy and Government Relations Team
Consent for Use or Disclosures to Carry Out Treatment, Payment, or Health Care Operations
Standard: Consent Requirement
The Rule states (§164.506) that "a covered health care provider must obtain the individual’s consent, in accordance with this [Rule], prior to using or disclosing PHI to carry out treatment, payment, or health care operations," with two exceptions:
- A covered healthcare provider may, without consent, use or disclose PHI to carry out treatment, payment, or healthcare operations, if:
- It has an indirect treatment relationship (§164.501) with the individual; or
- It created or received the PHI in the course of providing healthcare to an individual who is an inmate.
- A covered healthcare provider may, without consent, use or disclose PHI created or received under the following conditions to carry out treatment payment or healthcare operations:
- In emergency treatment situations, if the covered healthcare provider attempts to obtain such consent as soon as reasonably practicable after the delivery of such treatment;
- If the covered healthcare provider is required by law to treat the individual, and the covered healthcare provider attempts to obtain such consent, but is unable to obtain such consent; or
- If a covered healthcare provider attempts to obtain such consent from the individual, but is unable to obtain such consent due to substantial barriers to communication with the individual, and the covered healthcare provider determines, in the exercise of professional judgment, that the individual’s consent to receive treatment is clearly inferred from the circumstances.
- A covered health provider that fails to obtain such consent…must document its attempt to obtain consent and the reason why consent was not obtained.
- If a covered entity is not required to obtain consent…it may obtain an individual’s consent for the covered entity’s own use or disclosure of PHI to carry out treatment, payment, or healthcare operations, provided that such consent meets the requirements of this [Rule].
- Except as provided in the requirements for joint consent, a consent obtained by a covered entity under this section is not effective to permit another covered entity to use or disclose PHI.
Specifications: General requirements
- A covered healthcare provider may condition treatment on the provision of a consent by the individual.
- A health plan may condition enrollment in the health plan on the provision of a consent by the individual, under this section, sought in conjunction with such enrollment.
- A consent under this section may not be combined in a single document with the notice required by the Rule’s Notice of Privacy for Protected Health Information.
- A consent for use or disclosure may be combined with other types of written permission from the individual (for example, an informed consent for treatment or a consent to assignment of benefits) if the consent is visually and organizationally separate from such other written legal permission, and is separately signed by the individual and dated.
- A consent for use or disclosure may be combined with a research authorization.
- An individual may revoke a consent under this section at any time, except to the extent that the covered entity has taken action in reliance thereon. Such revocation must be in writing.
- A covered entity must document and retain any signed consent under the Rule’s Documentation requirements.
Specifications: Content Requirements
A consent must be in plain language and:
- Inform the individual that PHI may be used and disclosed to carry out treatment, payment, or healthcare operations;
- Refer the individual to the notice required by the Rule’s Notice of Privacy Practices for Protected Health Information for a more complete description of such uses and disclosures and state that the individual has the right to review the notice prior to signing the consent;
- If the covered entity has reserved the right to change its privacy practices that are described in the notice in accordance with the Rule’s Notice of Privacy Practices for Protected Health Information, state that the terms of its notice may change and describe how the individual may obtain a revised notice;
- State that:
- The individual has the right to request that the covered entity restrict how PHI is used or disclosed to carry out treatment, payment, or healthcare operations;
- The covered entity is not required to agree to requested restrictions; and
- If the covered entity agrees to a requested restriction, the restriction is binding on the covered entity.
- State that the individual has the right to revoke the consent in writing except to the extent that the covered entity has taken action in reliance thereon; and
- Be signed by the individual and dated.
Specification: Defective Consents
There is no consent under this section [of the Rule], if the document submitted has any of the following defects:
- The consent lacks an element as required above and as applicable; or
- The consent has been revoked.
Standard: Resolving Conflicting Consents and Authorizations
- If a covered entity has obtained a consent [as specified here] and receives any other authorization or written legal permission from the individual for a disclosure of PHI to carry out treatment, payment, or healthcare operations, the covered entity may disclose such PHI only in accordance with the more restrictive consent, authorization, or other written legal permission from the individual.
- A covered entity may attempt to resolve a conflict between a consent and an authorization or other written legal permission from the individual by:
- Obtaining a new consent from the individual…for the disclosure to carry out treatment, payment, or healthcare operations; or
- Communicating orally or in writing with the individual in order to determine the individual’s preference in resolving the conflict. The covered entity must document the individual’s preference and may only disclose PHI in accordance with the individual’s preference.
Standard: Joint Consents
Covered entities that participate in an organized healthcare arrangement and that have a joint notice under the Rule’s Notice of Privacy Practices for Protected Health Information section, may comply with this section by a joint consent.
Specifications: Requirements for Joint Consents
A joint consent must:
- Include the name or other specific identification of the covered entities, or classes of covered entities, to which the joint consent applies; and
- Meet the requirements of this section, except that the statements required may be altered to reflect the fact that the consent covers more than one covered entity.
If an individual revokes a joint consent, the covered entity that receives the revocation must inform the other entities covered by the joint consent of the revocation as soon as practicable. Go to next section, Uses and Disclosures for Which an Authorization Is Required.
Go to previous section, Uses and Disclosures: Organizational Requirements.
Go to document index.