October 2, 2006
Dear Human Resources Director:
I am sorry for the delay in addressing your question. The HIPAA regulations are an absurdly convoluted mess; it took awhile to get through them and the case law on their consent provisions. As I told you on the phone, I like to be able to support my answers with chapter and verse.
Your question is: Can the city obtain the voluntary consent of its employees to provide to it certain medical information, for the purpose of providing information to medical care providers in cases of emergencies?
The answer is yes. But as I read the appropriate HIPAA rules, and as the U.S. Court of Appeals for the Third Circuit interpret them, the city is not required to obtain the consent of its employees to provide their medical information to emergency health care providers, but the rules do make such consent permissive on the part of the city.
It appears to me that the answer to your question is controlled by 45 CFR 164.506, entitled “Uses and disclosures to carry out treatment, payment, or health care operations.”
45 CFR 164.502, entitled “Uses and disclosure of protected health information: general rules,” provides in subsection (a) that:
(a) Standard: A covered entity may not use or disclose protected health information, except as permitted or required by this subpart or by subpart C of part 160 of this chapter.
(1) Permitted uses and disclosures. A covered entity is permitted to use or disclose protected health information as follows:
(i) To the individual;
(ii) for treatment, payment, or health care operations, as permitted by and in compliance with § 164.506; [Emphasis is mine.]
Nowhere in 45 CFR 165.502 is it required that the disclosure of health care information done under 45 CFR 165.506 have the consent of the subject of the information. Indeed, 45 CFR 165.506 on its face indicates that the consent of the subject of the information is not required:
45 CFR 165.506 contains the following pertinent rules:
Subsection (a) provides that:
(a) Standard: Permitted uses and disclosures. Except with respect to uses or disclosures that require an authorization under § 164.508(a)(2) and (3), a covered entity may use or disclose protected health information for treatment, payment, or health care operations as set forth in paragraph (c) of this section, provided that such use or disclosure is consistent with other applicable requirements of this subpart.
Subsection (b) provides that:
(b) Standard: Consent for uses and disclosures permitted.
(1) A covered entity may [emphasis is mine] obtain consent of the individual use or disclose protected health information to carry out treatment, payment, or health care operations.
(2) Consent, under paragraph (b) of this section, shall not be effective to permit a use or disclosure of protected health information when an authorization, under § 164.508, is required or when another condition must be met for such use or disclosure, to be permissible under this subpart.
Subsection (c) provides that:
(c) Implementation specification: Treatment, payment, or health care operations.
(1) A covered entity may use or disclose protected health information for its own treatment, payment, or health care operations.
(2) A covered entity may use or disclose protected health information for treatment activities of a health care provider. [Emphasis is mine.]
MTAS did a publication in December 2002, on HIPAA Standards For Privacy of Individually Identifiable Health Information. That publication says with respect to 45 CFR 164.506, that:
A covered health care provider must obtain the individual’s consent prior to using or disclosing PHI to carry out treatment, payment, or health care operations (45 C.F.R. 164.506(a)(1). [Page 5, bottom left column]
I have reviewed 45 CFR Part 160 and 164, and the appropriate other regulations cited therein, and all the case law in the United States, with respect to the application of the HIPAA rules governing the conditions under which medical information on employees can be released with or without the employee’s consent, including 45 CFR 164.506(a)(1). It appears to me that HIPAA Standards for Privacy.... is wrong about consent being required under 45 CFR 164.506.
45 CFR 164.506 mentions the necessity for obtaining consent of the individual when it is necessary under 45 CFR 164.508. However, 45 CFR 164.508 requires consent in cases of some uses of psychotherapy notes, marketing of the health care information, and research, none of which apply to medical information disclosures under 45 CFR 164.506.
The U.S. Court of Appeals for the Third Circuit in Citizens for Health v. Leavitt, 428 F.2d 167 (3rd. Cir. 2005) extensively analyzed the disclosure application of 45 C.F.R. 164.506, and concluded that it permits, but does not require, a covered entity to obtain an individual’s consent before it provided the medical information in what it calls “routine uses.” The Court traces the development of the medical information privacy rule from the Original Rule to the present Amended Rule. The Court points back to the U.S. District Courts detailed discussion of the history of the modification of the Original Rule in Citizens for Health v. Thompson, 2004 WL 753356 (E.D. Pa. April 2, 2004). The Original Rule required consent for disclosure of medical information in all but a few instances, and the U.S. District Court said that after the Original Rule was published, it drew such fire from health care practitioners that the Secretary of Health, Education and Welfare solicited additional comments on that rule, and even subsequently proposed an amendment to the consent requirement, which ultimately became the present Amended Rule. “According to the Secretary,” said the U.S. District Court:
....many covered entities were concerned about, or had experienced significant practical problems, with, the delivery of timely health care under the Original rule. Pharmacists, for example, were concerned that they would be unable to fill prescriptions, search for potential drug interactions, determine eligibility or verify coverage before an individual arrived to pick up a prescription if the individual had not already provided consent. Hospitals would not have been able to use information from referring doctors to schedule and prepare procedures before the patient arrived there. Emergency medical providers were concerned that attempting to seek consent prior to treatment in some situations was inconsistent with appropriate emergency care. [Emphasis is mine.] The requirement that they seek consent as soon as reasonably practicable after an emergency greatly increased their administrative burden and could be viewed as harassment by the individuals. For the most part, these commenters supported recision of the consent requirement. Id., at 53, 209. [at 7]
The U.S. Court of Appeals for the Third Circuit compared the Original and the Amended Rules:
The Amended Rule departs from the Original Rule in one crucial respect. Where the Original rule required covered entities to seek individual consent to use or disclose health information in all but the narrowest of circumstances, the Amended rule allows such uses and disclosures without patient consent for “treatment, payment, and health care operations”–so-called “routine uses.”Id. §§ 164-501 (providing routine use exception). “Health care operations,” the broadest category under the routine use exception, refers to a range of management functions of covered entities, including quality assessment, practitioners evaluation, student training programs, insurance rating, auditing services and business planning and development. Id. § 164.501. The rule allows individuals the right to request restrictions on uses and disclosures of protected health insurance information and to enter into agreements with covered entities regarding such restrictions, but does not require covered entities to abide by such requests or to agree to any restrictions. Id. § 164.522(a). The rule also permits, but does not require, covered entities to design and implement a consent process for routine uses and disclosures. [Emphasis is mine.] Id. § 164.502; see also Standards for Privacy of Individually Identifiable Health Information, 67 Fed. Reg. 53, 182, 53, 211 (Aug. 14, 2002). [At 174]
Under 45 CFR 164.506, a city is not required to obtain the consent of its employees to give their medical information to emergency health care providers, but it is entitled to obtain their consent for that purpose. There is no consent form prescribed by 45 CFR 164.506; in fact, it appears that the city can design its own. But I would recommend that the city should use a consent form that generally tracks the one prescribed by 45 CFR 164.508, even though the consent form prescribed there applies only to the types of medical information the rule covers.
I have enclosed a copy of HIPAA Standards for Privacy ...., and of both 45 CFR 164.506 and 45 CFR 164.508, the latter of which is useful to developing a consent form. I will be glad to help you further with any questions you have about them.
Sidney D. Hemsley
Senior Law Consultant