[Please label comments about this section with the subject: Notice of information practices]
We are proposing that individuals have a right to an adequate notice of the information practices of covered plans and providers. The notice would be intended to inform individuals about what is done with their protected health information and about any rights they may have with respect to that information. Federal agencies must adhere to a similar notice requirement pursuant to the Privacy Act of 1974 (5 U.S.C. 552a(e)(3)).
We are not proposing that business partners (including health care clearinghouses) be required to develop a notice of information practices because, under this proposed rule, they would be bound by the information practices of the health plan or health care provider with whom they are contracting.
We considered requiring covered plans or providers to obtain a signed copy of the notice form (or some other signed indication of receipt) when they give the form to individuals. There are advantages to including such a requirement. A signed acknowledgment would provide evidence that the notice form has been provided to the individual. Further, the request to the individual to formally acknowledge receipt would highlight the importance of the notice, providing additional encouragement for the individual to read it and ask questions about its content.
We are concerned, however, that requiring a signed acknowledgment would significantly increase the administrative and paperwork burden of this provision. We also are unsure of the best way for health plans to obtain a signed acknowledgment because plans often do not have face-to-face contact with enrollees. It may be possible to collect an acknowledgment at initial enrollment, for example by adding an additional acknowledgment to the enrollment form, but it is less clear how to obtain it when the form is revised. We solicit comment on whether we should require a signed acknowledgment. Comments that address the relative advantages and burdens of such a provision would be most useful. We also solicit comment on the best way to obtain signed acknowledgments from health plans if such a provision is included in the final rule. We also solicit comments on other strategies, not involving signed acknowledgments, to ensure that individuals are effectively informed about the information practices of covered plans or providers.
We are proposing that covered plans and providers be permitted to change their policies and procedures at any time. Before implementing a change in policies and procedures, the covered plan or provider must revise its notice accordingly. However, where the covered plan or provider determines that a compelling reason exists to take an action that violates its notice, it may do so only if it documents the reason supporting the action and revises its notice within 30 days of taking such action. The distribution requirements that would apply when the notice has been materially revised are discussed in detail below.
In § 164.512, we propose the categories of information that would be required in each notice of information practices, the specific types of information that would have to be included in each category, and general guidance as to the presentation of written materials. A sample notice is provided in the Appendix to this preamble. This sample notice is provided as an example of how the policies of a specific covered health care provider could be presented in a notice. Each covered health plan and health care provider would be required to create a notice that complies with the requirements of this proposed rule and reflects its own unique information practices. It does not indicate all possible information practices or all issues that could be addressed in the notice. Covered plans and providers may want to include significantly more detail, such as the business hours during which an individual could review their records or its standard time frame for responding to requests to review records; entities could choose to list all types of mandatory disclosures.
In a separate section of this proposed rule, we would require covered plans or providers to develop and document policies and procedures relating to use, disclosure, and access to protected health information. See proposed § 164.520. We intend for the documentation of policies and procedures to be a tool for educating the entity's personnel about its policies and procedures. In addition, the documentation would be the primary source of information for the notice of information practices. We intend for the notice to be a tool for educating individuals served by the covered plan or provider about the information practices of that entity. The information contained in the notice would not be as comprehensive as the documentation, but rather provide a clear and concise summary of relevant policies and procedures.
We considered prescribing specific language that each covered plan or provider would include in its notice. The advantages of this approach would be that the recipient would get exactly the same information from each covered plan or provider in the same format, and that it would be convenient for covered plans or providers to use a uniform model notice.
There are, however, several disadvantages to this approach. First, and most important, no model notice could fully capture the information practices of every covered plan or provider. Large entities will have different information practices than small entities. Some health care providers, for example academic teaching hospitals, may routinely disclose identifiable health information for research purposes. Other health care providers may rarely or never make such disclosures. To be useful to individuals, each entity's notice of information practices should reflect its unique privacy practices.
Another disadvantage of prescribing specific language is that it would limit each covered plan or provider's ability to distinguish itself in the area of privacy protections. We believe that if information on privacy protections were readily available, individuals might compare and select plans or providers based on their information practices. In addition, a uniform model notice could easily become outdated. As new communication methods or technologies are introduced, the content of the notices might need to reflect those changes.
Where a covered plan or provider adopts and follows the notice content and distribution requirements described below, we would presume, for the purposes of compliance, that the plan or provider has provided adequate notice. However, the proposed requirements for the content of the notice are not intended to be exclusive. Covered plans or providers could include additional information and additional detail, beyond that required. In particular, all federal agencies must still comply with the Privacy Act of 1974. For federal agencies that are covered plans or providers, this would mean that the notice must comply with the notice requirements provided in the Privacy Act as well as those included in this proposed rule.
In proposed § 164.512, we would require each covered plan and provider to include in the notice an explanation of how it uses and discloses protected health information. The explanation must be provided in sufficient detail as to put the individual on notice of the uses and disclosures expected to be made of his or her protected health information. As explained above in section II.C.5, covered plans and providers may only use and disclose protected health information for purposes stated in this notice.
This section of the notice might be as simple as a statement that information will be used and disclosed for treatment, payment, administrative purposes, and quality assurance. If the entity will be using or disclosing the information for other purposes, the notice must include a brief explanation. For example, some entities might include a statement that protected health information will be used for clinician education and disclosed for research purposes. We are soliciting comment on the level of detail that should be required in describing the uses and disclosures, specifically with respect to uses and disclosures for health care operations.
In addition, we would require that notices distinguish between those uses and disclosures the entity makes that are required by law and those that are permitted but not required by law. By distinguishing between uses and disclosures that an entity is required to make and those that the entity is choosing to make, the notice would provide the individual with a clearer understanding of the entity's privacy practices.
For uses and disclosures required by law, the notice need only list the categories of disclosures that are authorized by law, and note that it complies with such requirements. This language could be the same for every covered entity within a State, territory or other locale. We encourage states, state professional associations, and other organizations to develop model language to assist covered plans or providers in preparing this section of the notice.
For each type of permissible use or disclosure that the entity makes (e.g., research, public health, and next-of-kin), the notice would include a brief statement explaining the entity's policy with respect to that type of disclosure. For example, if all relevant laws permit health care providers to disclose protected health information to public health without individual authorization, the entity would need to develop policies and procedures regarding when and how it will make such disclosures. The entity would then document those policies and procedures as required by § 164.520 and the notice would include a statement of these policies. For example, the notice might state, "We will disclose your protected health information to public health authorities upon request."
We considered requiring the notice to include not only a discussion of the actual disclosure practices of the covered entity, but also a listing or discussion of all additional disclosures that are authorized by law. We considered this approach because, under this proposed rule, covered plans or providers would be permitted to change their information practices at any time, and therefore individuals would not be able to rely on the entity's current policies alone to understand how their protected health information may be used in the future. We recognize that in order to be fully informed, individuals need to understand when their information could be disclosed.
We rejected this approach because we were concerned that a notice with such a large amount of information could be burdensome to both the individuals receiving the notices and the entities required to prepare and distribute them. There are a substantial number of required and permitted disclosures under State or other applicable law, and this rule generally would permit them to be made.
Alternatively, we considered requiring that the notice include all of the types of permissible disclosures under this rule (e.g., public health, research, next-of-kin). We rejected that approach for two reasons. First, we felt that providing people with notice of the intended or likely disclosures of their protected health information was more useful than describing all of the potential types of disclosures. Second, in many States and localities, different laws may affect the permissible disclosures that an entity may make, in which case a notice only discussing permissible disclosures under the federal rule would be misleading. While it would be possible to require covered plans or providers to develop notices that discuss or list disclosures that would be permissible under this rule and other law, we were concerned that such a notice may be very complicated because of the need to discuss the interplay of federal, State or other law for each type of permissible disclosure. We invite comments on the best approach to provide the most useful information to the individuals without overburdening either covered plans or providers or the recipients of the notices.
In § 164.520, we are proposing to require all covered entities to develop and document policies and procedures for the use of protected health information. The notice would simply summarize those documented policies and procedures and therefore would entail little additional burden.
We are proposing that the notice include several basic statements to inform the individual of their rights and interests with respect to protected health information. First, we propose to require the notice to inform individuals that the covered plan or provider will not use or disclose their protected health information for purposes not listed in the notice without the individual's authorization. Individuals need to understand that they can authorize a disclosure of their protected health information and that the covered entity may request the individual to authorize a disclosure, and that such disclosures are subject to their control. The notice should also inform individuals that such authorizations can be revoked.
Second, we propose that the notice inform individuals that they have the right to request that the covered plan or provider restrict certain uses and disclosures of protected health information about them. The notice would also inform individuals that the covered plan or provider is not required to agree to such a request.
Third, we propose that the notice also inform individuals about their right of access to protected health information for inspection and copying and to an accounting of disclosures as provided in proposed §§ 164.514 and 164.515. In addition, the notice would inform individuals about their right to request an amendment or correction of protected health information as proposed in § 164.516. The notice would include brief descriptions of the procedures for submitting requests to the covered plan or provider.
Fourth, the notice would be required to include a statement that there are legal requirements that require the covered plan or provider to protect the privacy of its information, provide a notice of information practices, and abide by the terms of that notice. Individuals should be aware that there are government requirements in place to protect their privacy. Without this statement, individuals may not realize that covered plans or providers are required to take measures to protect their privacy, and may therefore be less interested in pursuing their rights or finding out more information.
Fifth, the notice would be required to include a statement that the entity may revise its policies and procedures with respect to uses or disclosures of protected health information at any time and that such a revision could result in additional uses or disclosures without the individual's authorization. The notice also should inform the individual how a revised notice would be made available when material revisions in policies and procedures are made. For example, when a provider makes a material change to its notice, proposed § 164.512(e) would require the provider to post a new notice.
Finally, we propose that the notice inform individuals that they have the right to complain to the covered entity and to the Secretary if they believe that their privacy rights have been violated.
We propose that the notice be required to identify a contact person or office within the covered plan or provider to receive complaints, as provided in proposed § 164.518(a)(2), and to help the individual obtain further information on any of the issues identified in the notice. A specific person would not need to be named in the notice. It could be an office or general number where someone who can answer privacy questions or concerns can be reached.
In § 164.518(d), we are proposing that covered plans and providers permit individuals to submit complaints to the covered entity. We are proposing that the contact person identified in the notice be responsible for initially receiving such complaints. The contact person might or might not be responsible for processing and resolving complaints, but, if not, he or she would forward the complaints to the appropriate personnel or office. See discussion of the complaint process in section II.G.4, below.
In addition to receiving complaints, the contact person would be able to help the individual obtain further information on any of the issues identified in the notice. The contact person would be able to refer to the documented policies and procedures required by proposed § 164.520. We would not prescribe a formal method for responding to questions.
The administrative requirements section below, proposed § 164.518(a), would also require the entity to designate an official to develop policies for the use and disclosure of protected health information and to supervise personnel with respect to use and disclosure of protected health information. We would not require this official to also be the contact person. Depending on the size and structure of the entity, it might be appropriate to require one person to fill both roles.
We are proposing that covered plans and providers include the date that the notice was produced on the face of the notice. We would also encourage the provider to highlight or otherwise emphasize any changes to help the individual recognize such changes.
It is critical to the effectiveness of this proposed rule that individuals be given the notice often enough to remind them of their rights, but without overburdening covered plans or providers. We propose that all covered plans and providers would be required to make their notice available to any individual upon request, regardless of whether the requestor is already a patient or enrollee. We believe that broad availability would encourage individuals or organizations to compare the privacy practices of plans or providers to assist in making enrollment or treatment choices. We also propose additional distribution requirements for updating notices, which would be different for health plans and health care providers. The requirements for health plans and health care providers are different because we recognize that they have contact with individuals at different points in time in the health care system.
We considered a variety of combinations of distribution practices for health plans and are proposing what we believe is the most reasonable approach. We would require health plans to distribute the notice by the effective date of the final rule, at enrollment, within 60 days of a material change to the plan's information practices, and at least once every three years.
We considered requiring health plans to post the notice either in addition to or instead of distribution. Because most individuals rarely visit the office of their health plan, we do not believe that this would be an effective means of communication. We also considered requiring distribution of the notice either more or less frequently than every three years. As compared to most health care providers, we believe that health plans often are larger and have existing administrative systems to cost-effectively provide notification to individuals. Three years was chosen as a compromise between the importance of reminding individuals of their plan's information practices and the need to keep the burden on health plans to the minimum necessary to achieve this objective. We are soliciting comment on whether requiring a notice every three years is reasonable for health plans.
We are proposing to require that covered health care providers provide a copy of the notice to every individual served at the time of first service delivery, that they post the notice in a clear and prominent location where it is reasonable to expect individuals seeking service from the provider to be able to read the notice, and that copies be available on-site for individuals to take with them. In addition, we are proposing to require that covered health care providers provide a copy of the notice to individuals they are currently serving at their first instances of service delivery within a year of the effective date of the final rule.
We would not require health care providers to mail or otherwise disseminate their notices after giving the notice to individuals at the time of the first service delivery. Health care providers' patient lists may include individuals they have not served in decades. It would be difficult for providers to distinguish between active patients, those who are seen rarely, and those who have moved to different providers. While some individuals will continue to be concerned with the information practices of providers who treated them in the distant past, overall the burden of an active distribution requirement would not be outweighed by improved individual control and privacy protection.
We recognize that some health care providers, such as clinical laboratories, pathologists and mail order pharmacies, do not have face-to-face contact with individuals during service delivery. Such providers would be required to provide the required notice in a reasonable period of time following first service delivery, through mail, electronic notice (i.e. e-mail), or other appropriate medium. For example, a web-based pharmacy could meet this distribution requirement by providing a prominent and conspicuous link to its notice on its home page and by requiring review of that notice before processing an order.
If a provider wishes to make a material change in the information practices addressed in the notice, it would be required to revise its notice in advance. After making the revision, the provider would be required to post the new notice promptly. We believe that this approach creates the minimum burden for health care providers consistent with giving individuals a clear source of accurate information.
We are proposing to apply a plain language requirement to notices developed by covered plans or providers under these proposed rules. A covered plan or provider could satisfy the plain language requirement if it made a reasonable effort to: organize material to serve the needs of the reader; write sentences in the active voice, use "you" and other pronouns; use common, everyday words in sentences; write in short sentences; and divide material into short sections.
We also considered proposing formatting specifications such as requiring the covered plan or provider to use easy-to-read design features (e.g., lists, tables, graphics, contrasting colors, and white space), type face, and font size in the notice. We are soliciting comment on whether these additional format specifications should be required.
The purpose of the notice proposed in the rules below is to tell the recipient how protected health information collected about them will be used. Recipients who cannot understand the entity's notice would miss important information about their privacy rights and how the entity is protecting health information about them. One of the goals of this proposed rule is to create an environment of open communication and transparency with respect to the use and disclosure of protected health information. A lack of clarity in the notice could undermine this goal and create misunderstandings. Covered plans or providers have an incentive to make their notice statements clear and concise. We believe that the more understandable notices are, the more confidence the public will have in the entity's commitment to protecting the privacy of health information.
It is important that the content of the notice be communicated to all recipients and therefore we would encourage the covered plan or provider to consider alternative means of communicating with certain populations. We note that any covered entity that is a recipient of federal financial assistance is generally obligated under title VI of the Civil Rights Act of 1964 to provide material ordinarily distributed to the public in the primary languages of persons with limited English proficiency in the recipient's service areas. Specifically, this title VI obligation provides that, where a significant number or proportion of the population eligible to be served or likely to be directly affected by a federally assisted program need service or information in a language other than English in order to be effectively informed of or participate in the program, the recipient shall take reasonable steps, considering the scope of the program and the size and concentration of such population, to provide information in language appropriate to such persons. For entities not subject to title VI, the title VI standards provide helpful guidance for effectively communicating the content of their notices to non-English speaking populations.
We would also encourage covered plans or providers to be attentive to the needs of individuals who cannot read. For example, an employee of the entity could read the notice to individuals upon request or the notice could be incorporated into a video presentation that is played in the waiting area.
The requirement of a printed notice should not be interpreted as a limitation. For example, if an individual who is requesting a notice from a covered plan or provider were to ask to receive the notice via e-mail, the requirements of this proposed rule could be met by providing the notice via e-mail. The proposed rule would not preclude the use of alternative forms of providing the notice and we would encourage covered plans or providers to use other forms of distribution, such as posting their privacy notices on their web sites. While this will not substitute for paper distribution when that is requested by an individual, it may reduce the number of requests for paper copies.