Can a covered entity bypass obtaining an individual's authorization for a use or disclosure not permitted by the HIPAA Privacy Rule simply by informing individuals of the use or disclosure through its notice of privacy practices?
No. A covered entity’s notice is not a substitute for an individual’s authorization. Covered entities are required to obtain the individual’s written authorization for any use or disclosure of protected health information not permitted or required by the Privacy Rule. See 45 CFR 164.508. Simply including in the notice a description of such a use or disclosure does not obviate the need for the covered entity to obtain the individual’s prior written authorization, when that authorization is required by the Rule. Instead, the notice must reflect the uses and disclosures a covered entity may make without the individual’s authorization, as permitted by the Privacy Rule, as well as state that any other uses or disclosures will be made only with the individual’s written authorization. See 45 CFR 164.520(b).