32 Journal of Regulatory Compliance Vol. I
As an illustration of the second rule, the hospital room number and general
condition of a patient (e.g., ‘good,’ ‘fair,’ ‘poor,’ ‘stable’) who has given his
or her permission or who has not expressed an objection may be disclosed to
a visitor who requests directory information about that patient. 64 Likewise, a
woman in labor who wishes her partner to be present for her labor and
delivery may orally give her permission for her health care providers to
involve her partner in her care. 65
The theory behind requiring at least oral permission for these information
uses and disclosures is that the patient has an interest in maintaining the
confidentiality of his or her PHI; however, the patient also may have an
interest in being visited in the hospital, in obtaining assistance with the
patient’s health care or payment for health care, and being assisted during a
disaster. In addition, the patient’s family also may have an interest in visiting
the patient in the hospital, assisting the patient with his or her health care and
financial needs, and obtaining assistance during a disaster. The required oral
permission reflects the individual’s interest in maintaining the confidentiality
of his or her health information, but the lack of a requirement for a formal
written authorization reflects HHS’s desire to make it easy for the individual
to ask for or agree to receive help.
The third rule – a default rule – requires covered entities and BAs to obtain
the prior written authorization of the individual who is the subject of the PHI
before using or disclosing the individual’s PHI in any situation that does not
fit under the first or second rule. Stated another way, in the event that a
covered entity or BA would like to use or disclose PHI for a purpose that is
not treatment, payment, or health care operations, that does not fall within
one of twelve public benefit exceptions, that is not allowed with oral
permission or without an objection, and that is not otherwise permitted or
required by the Privacy Rule, the covered entity must obtain the prior written
authorization of the individual who is the subject of the information. 66
The Privacy Rule specifies the form of the authorization required by the
third rule, including certain elements and statements that are designed to
place the individual on notice of how the individual’s PHI will be used or
disclosed. 67 This high level of prior individual permission reflects the value
HHS places on an individual’s interest in maintaining the confidentiality of
his or her PHI compared to other societal interests that are far removed from
the core functions of covered entities and BAs, such as a health care
provider’s interest in selling the patient’s information to a tabloid magazine
or a health plan’s interest in disclosing the patient’s information to a
64. See id. § 164.510(a)(1), (2).
65. See id. § 164.510(b)(1)(i).
66. See id. § 164.508(a)(1).
67. See id. § 164.508(c)(1) and (2).