(a) Except as otherwise provided under this part, a QIO may not use or disclose a beneficiary's confidential information without an authorization from the beneficiary. The QIO's use or disclosure must be consistent with the authorization.

(b) A valid authorization is a document that contains the following:

(1) A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion.

(2) The name or other specific identification of the QIO(s) and QIO point(s) of contact making the request to use or disclose the information.

(3) The name or other specific identification of the person(s), or class of persons, to whom the QIO(s) may disclose the information or allow the requested use.

(4) A description of each purpose of the requested use or disclosure. The statement “at the request of the individual” is a sufficient description of the purpose when an individual initiates the authorization and does not, or elects not to, provide a statement of purpose.

(5) An expiration date or an expiration event that relates to the beneficiary or the purpose of the use or disclosure. The statement “end of the QIO research study,” “none,” or similar language is sufficient if the authorization is for a use or disclosure of confidential information for QIO research, including for the creation and maintenance of a research database or research repository.

(6) Signature of the individual and date. If the authorization is signed by a beneficiary's representative, a description of such representative's authority to act for the beneficiary must also be provided.

(c) In addition to those items contained in paragraph (b) of this section, the authorization must contain statements adequate to place the individual on notice of all of the following:

(1) The individual's right to revoke the authorization in writing; and

(2) Any exceptions to the right to revoke and a description of how the individual may revoke the authorization;

(3) The ability or inability of the QIO to condition its review activities on the authorization, by stating either:

(i) That the QIO may not condition the review of complaints, appeals, or payment determinations, or any other QIO reviews or other tasks within the QIO's responsibility on whether the individual signs the authorization;

(ii) The consequences to the individual of a refusal to sign the authorization when the refusal will render the QIO unable to carry out an activity.

(4) The potential for information disclosed pursuant to the authorization to be subject to either appropriate or inappropriate redisclosure by a beneficiary, after which the information would no longer be protected by this subpart.

(d) The authorization must be written in plain language.

(e) If a QIO seeks an authorization from a beneficiary for a use or disclosure of confidential information, the QIO must provide the beneficiary with a copy of the signed authorization.

(f) A beneficiary may revoke an authorization provided under this section at any time, provided the revocation is in writing, except to the extent that the QIO has taken action in reliance upon the authorization.

[77 FR 68564, Nov. 15, 2012]


Tried the LawStack mobile app?

Join thousands and try LawStack mobile for FREE today.

  • Carry the law offline, wherever you go.
  • Download CFR, USC, rules, and state law to your mobile device.