§164.508(a)(1) Authorization required: General rule.
Except as otherwise permitted or required by this subchapter, a covered entity may not use or disclose protected health information without an authorization that is valid under this section. When a covered entity obtains or receives a valid authorization for its use or disclosure of protected health information, such use or disclosure must be consistent with such authorization.
§164.508(a)(2) Authorization required: Psychotherapy notes.
(i) Notwithstanding any provision of this subpart, other than the transition provisions in §164.532, a covered entity must obtain an authorization for any use or disclosure of psychotherapy notes, except:
(i) To carry out the following treatment, payment, or health care operations:
(A) Use by the originator of the psychotherapy notes for treatment;
(B) Use or disclosure by the covered entity for its own training programs in which students, trainees, or practitioners in mental health learn under supervision to practice or improve their skills in group, joint, family, or individual counseling; or
(C) Use or disclosure by the covered entity to defend itself in a legal action or other proceeding brought by the individual; and
(ii) A use or disclosure that is required by § 164.502(a)(2)(ii) or permitted by § 164.512(a); § 164.512(d) with respect to the oversight of the originator of the psychotherapy notes; § 164.512(g)(1); or § 164.512(j)(1)(i).
§164.508(a)(3) Authorization required: Marketing.
(i)Notwithstanding any provision of this subpart, other than the transition provisions in §164.532, a covered entity must obtain an authorization for any use or disclosure of protected health information for marketing, except if the communication is in the form of:
(A) A face-to-face communication made by a covered entity to an individual; or (B) a promotional gift of nominal value provided by the covered entity.
(ii) If the marketing involves financial remuneration, as defined in paragraph (3) of the definition of marketing at § 164.501, to the covered entity from a third party, the authorization must state that such remuneration is involved.
§164.508(a)(4) Authorization required: Sale of protected health information.
(i) Notwithstanding any provision of this subpart, other than the transition provisions in § 164.532, a covered entity must obtain an authorization for any disclosure of protected health information which is a sale of protected health information, as defined in § 164.501 of this subpart.
(ii) Such authorization must state that the disclosure will result in remuneration to the covered entity.
§164.508(b)(1) Valid authorizations.
(i) A valid authorization is a document that meets the requirements in paragraphs (a)(3)(ii), (a)(4)(ii), (c)(1), and (c)(2) of this section, as applicable.
(ii) A valid authorization may contain elements or information in addition to the elements required by this section, provided, that such additional elements or information are not inconsistent with the elements required by this section.
§164.508(b)(2) Defective authorizations. An authorization is not valid, if the document submitted has any of the following defects:
(i) The expiration data has passed or the expiration event is known by the covered entity to have occurred;
(ii) The authorization has not been filled out completely, with respect to an element described by paragraph (c) of this section, if applicable;
(iii) The authorization is known by the covered entity to have been revoked;
(iv) The authorization violates paragraph (b)(3) or (4) of this section, if applicable;
(v) Any material information in the authorization is known by the covered entity to be false.
Audit Inquiry
Obtain and review against the established performance criterion the policies and procedures for obtaining a valid authorization as required by the standard:
-Documentation of covered entity policy and procedures
-Documentation that a standard covered entity authorization, if any, is valid
Obtain and evaluate a sample of authorizations obtained to permit disclosures for consistency with the established performance criterion and entity-established policies and procedures.
For providers only: obtain and review all relevant patient intake forms for both inpatient and outpatient services, including consent and authorization forms, if any, to assess whether the provider’s practice is to use a consent when an authorization would be required for any use or disclosure of information pursuant to the consent.