October 2, 2006
Dear Human Resources Director:
I am sorry for the delay in addressing your question. The HIPPA regulations are an
absurdly convoluted mess; it took a while to get through them and the case law on their consent
provisions. As I told you on the phone, I like to be able to support my answers with chapter and
verse.
Your question is: Can the city obtain the voluntary consent of its employees to provide to
it certain medical information, for the purpose of providing information to medical care providers
in cases of emergencies?
The answer is yes. But as I read the appropriate HIPPA rules, and as the U.S. Court of
Appeals for the Third Circuit interpret them, the city is not required to obtain the consent of its
employees to provide their medical information to emergency health care providers, but the rules
do make such consent permissive on the part of the city.
It appears to me that the answer to your question is controlled by 45 CFR 164.506,
entitled AUses and disclosures to carry out treatment, payment, or health care operations.@
45 CFR 164.502, entitled AUses and disclosure of protected health information: general rules,@
provides in subsection (a) that:
(a) Standard: A covered entity may not use or disclose protected
health information, except as permitted or required by this subpart
or by subpart C of part 160 of this chapter.
(1) Permitted uses and disclosures. A covered entity is permitted
to use or disclose protected health information as follows:
(i) To the individual;
(ii) for treatment, payment, or health care operations, as permitted
by and in compliance with ' 164.506; [Emphasis is mine.]
******************************************************
Nowhere in 45 CFR 165.502 is it required that the disclosure of health care information
October 2, 2006
Page 2
done under 45 CFR 165.506 have the consent of the subject of the information. Indeed, 45 CFR
165.506 on its face indicates that the consent of the subject of the information is not required:
45 CFR 165.506 contains the following pertinent rules:
Subsection (a) provides that:
(a) Standard: Permitted uses and disclosures. Except with respect
to uses or disclosures that require an authorization under '
164.508(a)(2) and (3), a covered entity may use or disclose
protected health information for treatment, payment, or health care
operations as set forth in paragraph (c) of this section, provided
that such use or disclosure is consistent with other applicable
requirements of this subpart.
Subsection (b) provides that:
(b) Standard: Consent for uses and disclosures permitted.
(1) A covered entity may [emphasis is mine] obtain consent of the
individual use or disclose protected health information to carry out
treatment, payment, or health care operations.
(2) Consent, under paragraph (b) of this section, shall not be
effective to permit a use or disclosure of protected health
information when an authorization, under ' 164.508, is required or
when another condition must be met for such use or disclosure, to
be permissible under this subpart.
Subsection (c) provides that:
(c) Implementation specification: Treatment, payment, or health
care operations.
(1) A covered entity may use or disclose protected health
information for its own treatment, payment, or health care
operations.
(2) A covered entity may use or disclose protected health
information for treatment activities of a health care provider.
October 2, 2006
Page 3
[Emphasis is mine.]
******************************************************
MTAS did a publication in December 2002, on HIPPA Standards For Privacy of
Individually Identifiable Health Information. That publication says with respect to 45 CFR
164.506, that:
A covered health care provider must obtain the individual=s
consent prior to using or disclosing PHI to carry out treatment,
payment, or health care operations (45 C.F.R. 164.506(a)(1). [Page
5, bottom left column]
I have reviewed 45 CFR Part 160 and 164, and the appropriate other regulations cited
therein, and all the case law in the United States, with respect to the application of the HIPPA
rules governing the conditions under which medical information on employees can be released
with or without the employee=s consent, including 45 CFR 164.506(a)(1). It appears to me that
HIPPA Standards for Privacy.... is wrong about consent being required under 45 CFR 164.506.
45 CFR 164.506 mentions the necessity for obtaining consent of the individual when it is
necessary under 45 CFR 164.508. However, 45 CFR 164.508 requires consent in cases of some
uses of psychotherapy notes, marketing of the health care information, and research, none of
which apply to medical information disclosures under 45 CFR 164.506.
The U.S. Court of Appeals for the Third Circuit in Citizens for Health v. Leavitt, 428
F.2d 167 (3rd. Cir. 2005) extensively analyzed the disclosure application of 45 C.F.R. 164.506,
and concluded that it permits, but does not require, a covered entity to obtain an individual=s
consent before it provided the medical information in what it calls Aroutine uses.@ The Court
traces the development of the medical information privacy rule from the Original Rule to the
present Amended Rule. The Court points back to the U.S. District Courts detailed discussion of
the history of the modification of the Original Rule in Citizens for Health v. Thompson, 2004
WL 753356 (E.D. Pa. April 2, 2004). The Original Rule required consent for disclosure of
medical information in all but a few instances, and the U.S. District Court said that after the
Original Rule was published, it drew such fire from health care practitioners that the Secretary of
Health, Education and Welfare solicited additional comments on that rule, and even subsequently
proposed an amendment to the consent requirement, which ultimately became the present
Amended Rule. AAccording to the Secretary,@ said the U.S. District Court:
....many covered entities were concerned about, or had experienced
significant practical problems, with, the delivery of timely health
October 2, 2006
Page 4
care under the Original rule. Pharmacists, for example, were
concerned that they would be unable to fill prescriptions, search for
potential drug interactions, determine eligibility or verify coverage
before an individual arrived to pick up a prescription if the
individual had not already provided consent. Hospitals would not
have been able to use information from referring doctors to
schedule and prepare procedures before the patient arrived there.
Emergency medical providers were concerned that attempting to
seek consent prior to treatment in some situations was inconsistent
with appropriate emergency care. [Emphasis is mine.] The
requirement that they seek consent as soon as reasonably
practicable after an emergency greatly increased their
administrative burden and could be viewed as harassment by the
individuals. For the most part, these commenters supported
recision of the consent requirement. Id., at 53, 209. [at 7]
The U.S. Court of Appeals for the Third Circuit compared the Original and the Amended
Rules:
The Amended Rule departs from the Original Rule in one crucial
respect. Where the Original rule required covered entities to seek
individual consent to use or disclose health information in all but
the narrowest of circumstances, the Amended rule allows such uses
and disclosures without patient consent for Atreatment, payment,
and health care operations@Bso-called Aroutine uses.@Id. '' 164501 (providing routine use exception). AHealth care operations,@
the broadest category under the routine use exception, refers to a
range of management functions of covered entities, including
quality assessment, practitioners evaluation, student training
programs, insurance rating, auditing services and business planning
and development. Id. ' 164.501. The rule allows individuals the
right to request restrictions on uses and disclosures of protected
health insurance information and to enter into agreements with
covered entities regarding such restrictions, but does not require
covered entities to abide by such requests or to agree to any
restrictions. Id. ' 164.522(a). The rule also permits, but does not
require, covered entities to design and implement a consent
process for routine uses and disclosures. [Emphasis is mine.] Id.
' 164.502; see also Standards for Privacy of Individually
Identifiable Health Information, 67 Fed. Reg. 53, 182, 53, 211
October 2, 2006
Page 5
(Aug. 14, 2002). [At 174]
Under 45 CFR 164.506, a city is not required to obtain the consent of its employees to
give their medical information to emergency health care providers, but it is entitled to obtain
their consent for that purpose. There is no consent form prescribed by 45 CFR 164.506; in fact,
it appears that the city can design its own. But I would recommend that the city should use a
consent form that generally tracks the one prescribed by 45 CFR 164.508, even though the
consent form prescribed there applies only to the types of medical information the rule covers.
I have enclosed a copy of HIPPA Standards for Privacy...., and of both 45 CFR
164.506 and 45 CFR 164.508, the latter of which is useful to developing a consent form. I will
be glad to help you further with any questions you have about them.
Sincerely,
Sidney D. Hemsley
Senior Law Consultant
SDH/