A covered entity must obtain written authorization from the patient for any use or disclosure that is not permitted or required under the HIPAA Privacy Rule. However, the Privacy Rule prohibits providers from conditioning treatment or payment upon providing written authorization. According to the U.S. Department of Health and Human Services, "examples of disclosures that would require an individual's authorization include disclosures to a life insurer for coverage purposes, disclosures to an employer of the results of a pre-employment physical or lab test, or disclosures to a pharmaceutical firm for their own marketing purposes."
Summary of the HIPAA Privacy Rule: Authorized Uses and Disclosures - Developed by the Office for Civil Rights at the U.S. Department of Health and Human Services (2003). This site provides a summary of the HIPAA Privacy Rule.
E-mail the HealthIT e-mail box: firstname.lastname@example.org