(a) Standard. A covered entity may not use or disclose an individual’s protected health information, except as otherwise permitted or required by this part or as required to comply with applicable requirements of this subchapter.
(1) Permitted uses and disclosures. A covered entity is permitted to use or disclose protected health information as follows:
(i) Except for research information unrelated to treatment, to carry out treatment, payment, or health care operations;
(ii) Pursuant to an authorization by the individual that complies with § 164.508; or
(iii) As permitted by and in compliance with this section or § 164.510.
(2) Required disclosures. A covered entity is required to disclose protected health information:
(i) To an individual, when a request is made under § 164.514; or
(ii) When required by the Secretary under § 164.522 to investigate or determine the entity’s compliance with this part.
(b)(1) Standard: minimum necessary. A covered entity must make all reasonable efforts not to use or disclose more than the minimum amount of protected health information necessary to accomplish the intended purpose of the use or disclosure. This requirement does not apply to uses or disclosures that are:
(i) Made in accordance with §§ 164.508(a)(1), 164.514, or 164.522;
(ii) Required by law and permitted under § 164.510;
(iii) Required for compliance with applicable requirements of this subchapter; or
(iv) Made by a covered health care provider to a covered health plan, when the information is requested for audit and related purposes.
(2) Implementation specification: procedures. To comply with the standard in this paragraph, a covered entity must have procedures to:
(i) Identify appropriate persons within the entity to determine what information should be used or disclosed consistent with the minimum necessary standard;
(ii) Ensure that the persons identified under paragraph (b)(2)(i) of this section make the minimum necessary determinations, when required;
(iii) Within the limits of the entity’s technological capabilities, provide for the making of such determinations individually.
(3) Implementation specification: reliance. When making disclosures to public officials that are permitted under § 164.510 but not required by other law, a covered entity may reasonably rely on the representations of such officials that the information requested is the minimum necessary for the stated purpose(s).
(c)(1) Standard: right of an individual to restrict uses and disclosures.
(i) A covered entity that is a health care provider must permit individuals to request that uses or disclosures of protected health information for treatment, payment, or health care operations be restricted, and, if the requested restrictions are agreed to by the provider, not make uses or disclosures inconsistent with such restrictions.
(ii) This requirement does not apply:
(A) To uses or disclosures permitted under § 164.510;
(B) When the health care services provided are emergency services or the information is requested pursuant to § 164.510(k); and
(C) To disclosures to the Secretary pursuant to § 164.522.
(iii) A provider is not required to agree to a requested restriction.
(2) Implementation specifications. A covered entity must have procedures that:
(i) Provide individuals an opportunity to request a restriction on the uses and disclosures of their protected health information;
(ii) Provide that restrictions that are agreed to by the entity are reduced to writing or otherwise documented;
(iii) Enable the entity to honor such restrictions; and
(iv) Provide for the notification of others to whom such information is disclosed of such restriction.
(d)(1) Standard: use or disclosure of de-identified protected health information. The requirements of this subpart do not apply to protected health information that a covered entity has de-identified, provided, however, that:
(i) Disclosure of a key or other device designed to enable coded or otherwise de-identified information to be re-identified constitutes disclosure of protected health information; and
(ii) If a covered entity re-identifies de-identified information, it may use or disclose such re-identified information only in accordance with this subpart.
(2) Implementation specifications.
(i) A covered entity may use protected health information to create de-identified information by removing, coding, encrypting, or otherwise eliminating or concealing the information that makes such information individually identifiable.
(ii) Information is presumed not to be individually identifiable (de-identified), if:
(A) The following identifiers have been removed or otherwise concealed:
(2) Address, including street address, city, county, zip code, and equivalent geocodes;
(3) Names of relatives;
(4) Name of employers;
(5) Birth date;
(6) Telephone numbers;
(7) Fax numbers;
(8) Electronic mail addresses;
(9) Social security number;
(10) Medical record number;
(11) Health plan beneficiary number;
(12) Account number;
(13) Certificate/license number;
(14) Any vehicle or other device serial number;
(15) Web Universal Resource Locator (URL);
(16) Internet Protocol (IP) address number;
(17) Finger or voice prints;
(18) Photographic images; and
(19) Any other unique identifying number, characteristic, or code that the covered entity has reason to believe may be available to an anticipated recipient of the information; and
(B) The covered entity has no reason to believe that any anticipated recipient of such information could use the information, alone or in combination with other information, to identify an individual.
(iii) Notwithstanding paragraph (d)(2)(ii) of this section, entities with appropriate statistical experience and expertise may treat information as de-identified, if they include information listed in paragraph (d)(2)(ii) of this section and they determine that the probability of identifying individuals with such identifying information retained is very low, or may remove additional information, if they have a reasonable basis to believe such additional information could be used to identify an individual.
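The following Python example (added here; it is not part of the regulation) shows one way a covered entity might implement paragraph (d)(2): removing the identifier categories enumerated in (d)(2)(ii)(A) from a record and "coding" the medical record number with a keyed HMAC so the entity alone can re-link records, while the key, per (d)(1)(i), remains protected health information and is kept apart from the output. The field names, the sample record, and the choice of HMAC-SHA256 as the coding method are assumptions for illustration.

```python
import hmac
import hashlib

# Identifier categories enumerated in paragraph (d)(2)(ii)(A). The field
# names are constructed for this example; a real system maps its own schema
# onto these categories.
IDENTIFIER_FIELDS = frozenset({
    "address", "city", "county", "zip", "geocode",      # (2) address and geocodes
    "relative_names",                                   # (3)
    "employer",                                         # (4)
    "birth_date",                                       # (5)
    "phone", "fax", "email",                            # (6)-(8)
    "ssn", "mrn", "health_plan_id", "account_number",   # (9)-(12)
    "license_number", "device_serial",                  # (13)-(14)
    "url", "ip_address",                                # (15)-(16)
    "fingerprint", "voiceprint", "photo",               # (17)-(18)
})


def de_identify(record, key):
    """Return a copy of record with enumerated identifiers removed.

    The medical record number is replaced by a keyed code (HMAC-SHA256,
    truncated) so the covered entity can link records back using `key`.
    Under (d)(1)(i) the key itself is PHI: store it separately and never
    ship it with the de-identified output.
    """
    out = {}
    for field, value in record.items():
        if field == "mrn":
            mac = hmac.new(key, str(value).encode(), hashlib.sha256)
            out["patient_code"] = mac.hexdigest()[:16]
        elif field not in IDENTIFIER_FIELDS:
            out[field] = value
    return out


def residual_identifiers(record):
    """Fields still present that fall within the enumerated categories.

    Useful as a pre-release check: an empty list means no enumerated
    identifier survived; (d)(2)(ii)(B) must still be judged separately.
    """
    return sorted(f for f in record if f in IDENTIFIER_FIELDS)


if __name__ == "__main__":
    # Constructed sample record; values are not real.
    sample = {"mrn": "12345", "ssn": "000-00-0000", "zip": "02139",
              "diagnosis": "J45.20", "age": 42}
    cleaned = de_identify(sample, b"example-key-held-separately")
    print(cleaned, residual_identifiers(cleaned))
```

Item (19) of the list, "any other unique identifying number, characteristic, or code", is deliberately not modelled: it requires judgement about the anticipated recipient, which a fixed field list cannot capture.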
(e)(1) Standards: business partners.
(i) Except for disclosures of protected health information by a covered entity that is a health care provider to another health care provider for consultation or referral purposes, a covered entity may not disclose protected health information to a business partner without satisfactory assurance from the business partner that it will appropriately safeguard the information.
(ii) A covered entity must take reasonable steps to ensure that each business partner complies with the requirements of this subpart with respect to any task or other activity it performs on behalf of the entity, to the extent the covered entity would be required to comply with such requirements.
(2) Implementation specifications.
(i) For the purposes of this section, “satisfactory assurance” means a contract between the covered entity and the business partner to which such information is to be disclosed that establishes the permitted and required uses and disclosures of such information by the partner. The contract must provide that the business partner will:
(A) Not use or further disclose the information other than as permitted or required by the contract;
(B) Not use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity;
(C) Use appropriate safeguards to prevent use or disclosure of the information other than as provided for by its contract;
(D) Report to the covered entity any use or disclosure of the information not provided for by its contract of which it becomes aware;
(E) Ensure that any subcontractors or agents to whom it provides protected health information received from the covered entity agree to the same restrictions and conditions that apply to the business partner with respect to such information;
(F) Make available protected health information in accordance with § 164.514(a);
(G) Make its internal practices, books, and records relating to the use and disclosure of protected health information received from the covered entity available to the Secretary for purposes of determining the covered entity’s compliance with this subpart;
(H) At termination of the contract, return or destroy all protected health information received from the covered entity that the business partner still maintains in any form and retain no copies of such information; and
(I) Incorporate any amendments or corrections to protected health information when notified pursuant to § 164.516(c)(3).
(ii) The contract required by paragraph (e)(2)(i) of this section must:
(A) State that the individuals whose protected health information is disclosed under the contract are intended third party beneficiaries of the contract; and
(B) Authorize the covered entity to terminate the contract, if the covered entity determines that the business partner has violated a material term of the contract required by this paragraph.
(iii) A material breach by a business partner of its obligations under the contract required by paragraph (e)(2)(i) of this section will be considered to be noncompliance of the covered entity with the applicable requirements of this subpart, if the covered entity knew or reasonably should have known of such breach and failed to take reasonable steps to cure the breach or terminate the contract.
(f) Standard: deceased individuals. A covered entity must comply with the requirements of this subpart with respect to the protected health information of a deceased individual for two years following the death of such individual. This requirement does not apply to uses or disclosures for research purposes.
(g) Standard: uses and disclosures consistent with notice. Except as provided by § 164.520(g)(2), a covered entity that is required by § 164.512 to have a notice may not use or disclose protected health information in a manner inconsistent with such notice.