NPRM: Standards for Privacy of Individually Identifiable Health Information. 1. Uses and disclosures of protected health information.


We propose that covered entities be required to develop and document policies and procedures for how protected health information would be used and disclosed by the entity and its business partners. The documentation would include policies to ensure the entity is in compliance with the requirements for use and disclosure pursuant to an individual’s authorization. This would also include documentation of how the covered entity would comply with an individual’s revocation of an authorization, as provided in proposed § 164.508(e). For example, upon receipt of a revocation, the entity may need to take steps to notify each business partner that is responsible for using or disclosing protected health information on behalf of the covered entity based on the individual’s authorization. Because the entity is ultimately responsible for the protected health information, it may want written confirmation from the business partner that it received notice of the revocation.

The covered entity would be required to include policies and procedures necessary to address disclosures required by applicable law. For example, the covered entity may want to include a list of the relevant reporting requirements such as those for abuse, neglect and communicable disease and its policies and procedures for complying with each requirement.

It would also include policies and procedures for uses and disclosures without the individual’s authorization, including uses and disclosures for treatment, payment and health care operations under § 164.506(a)(1)(i). The documentation should address all of the legally permissible uses and disclosures that the covered entity is reasonably likely to make and should clearly specify the policy of the entity with respect to each. For example, all covered plans and providers face a reasonable likelihood of a request for disclosure from a health oversight agency, so every covered plan and provider should develop and document policies and procedures for responding to such requests. However, a provider that only treats adults would not need to specify a policy with respect to state laws that authorize disclosure relating to measles in young children. In this latter case, the provider knows that he or she is not reasonably likely to make such a disclosure and therefore, could wait until he or she is presented with such a request before developing the necessary policies and procedures.

The documentation would include the entity’s policies and procedures for complying with the requirements of proposed § 164.506(e) for disclosing protected health information to business partners, including policies and procedures for monitoring the business partners, mitigating harm, and imposing sanctions where appropriate.

It would address the policies and procedures for implementation of the minimum necessary requirement as provided in proposed § 164.506(b). It would also include policies and procedures addressing the creation of de-identified information pursuant to § 164.506(d). For example, a plan could have a policy that requires employees to remove identifiers from protected health information for all internal cost, quality, or performance evaluations. The plan would document this policy and the procedures for removing the identifiers.