NRPM: Standards for Privacy of Individually Identifiable Health Information. § 164.506 General standards and implementation specifications for uses and disclosures of protected health information.


Given that the burden associated with the following information collection requirements will differ significantly, by the type and size of plan or provider, we are explicitly soliciting comment on the burden associated with the following requirements:

  • Except for disclosures of protected health information by a covered entity that is a health care provider to another health care provider for treatment purposes, section 160.204(e) would requires a covered entity to maintain documentation demonstrating that they have entered into a contract that meets the requirements of this part with each of their business partners;
  • A covered entity would have to make all reasonable efforts not to use or disclose more than the minimum amount of protected health information necessary to accomplish the intended purpose of the use or disclosure;
  • A covered entity could use protected health information to create de-identified information if the individually identifiable information has been removed, coded, encrypted, or otherwise eliminated or concealed.