NPRM: Standards for Privacy of Individually Identifiable Health Information. 2. General rules.


The purpose of our proposal is to define and limit the circumstances in which an individual’s protected health information may be used or disclosed by others. We are proposing to make the use and exchange of protected health information relatively easy for health care purposes, and more difficult for purposes other than health care.

Covered entities would be prohibited from using or disclosing protected health information except as provided in the proposed rule. Under the rule, covered entities could use or disclose protected health information with individual authorization, as provided in proposed § 164.508. Covered entities could use or disclose protected health information without authorization for treatment, payment and health care operations, as provided in § 164.506(a). (The terms “treatment,” “payment” and “health care operations” are defined in proposed § 164.504). Covered entities also would be permitted to use or disclose a patient’s protected health information without authorization for specified public and public policy-related purposes, including public health, research, health oversight, law enforcement, and use by coroners, as provided in proposed § 164.510. Covered entities would be permitted to use and disclose protected health information when required to do so by other law, such as mandatory reporting under state law or pursuant to a search warrant.

Covered entities would be required by this rule to disclose protected health information for only two purposes: to permit individuals to inspect and copy protected health information about them, pursuant to proposed § 164.514, and for enforcement of this rule pursuant to proposed § 164.522.

Under our proposal, most uses and disclosures of an individual’s protected health information would not require explicit authorization by the individual, but would be restricted by the provisions of the rule. As discussed in section II.C. of this preamble, we propose to substitute regulatory protections for the pro forma authorizations that are used today. The rules would create a sphere of privacy protection that includes covered entities who engage in treatment or payment, and the business partners they hire to assist them. While written consent for these activities would not be required, new restrictions on both internal uses and external disclosures would be put in place to protect the information.

Our proposal is based on the principle that a combination of strict limits on how plans and providers can use and disclose identifiable health information, adequate notice to patients about how such information will be used, and patients’ rights to inspect, copy and amend protected health information about them, will provide patients with better privacy protection and more effective control over the dissemination of their information than alternative approaches to patient protection and control.

A central aspect of this proposal is the principle of “minimum necessary” disclosure. (See proposed § 164.506(a)). With certain exceptions, permitted uses and disclosures of protected health information would be restricted to the minimum amount of information necessary to accomplish the purpose for which the information is used or disclosed, taking into consideration practical and technological limitations (including the size and nature of the covered entity’s business) and costs. While we recognize that there are legitimate uses of protected health information for which patient authorization should not be required, the privilege of this access carries with it an obligation to safeguard the information. Covered entities would be required to take steps to limit the amount of protected health information used or disclosed to the information necessary to meet the purpose of the use or disclosure. These policies could include limiting access to the information to a subset of employees who need to use the information in the course of their work, and limiting the amount of information disclosed from a record to the information needed by the recipient to fulfill the purpose of the disclosure.

We propose that individuals be able to request that a covered entity restrict the protected health information that results from a particular encounter (with the exception of encounters for emergency treatment) from further use or disclosure for treatment, payment, and health care operations. (See proposed § 164.506(c)). Covered entities would not be required to agree to restrictions requested by individuals; the rule would only enforce a restriction that has been agreed to by both the covered entity and the individual.

Today’s health care system is a complex business involving multiple individuals and organizations engaging in a variety of commercial relationships. An individual’s privacy should not be compromised when a covered entity engages in such normal business relationships. To accomplish this result, the rule would, with narrow exceptions, require covered entities to ensure that the business partners with which they share protected health information understand, through contract requirements, that they are subject to standards regarding use and disclosure of protected health information and agree to abide by such rules. (See proposed § 164.506(e)). Other than for purposes of treatment consultation or referral, we would require a contract to exist between the covered entity and the business partner that would, among other specified provisions, limit the business partner’s uses and disclosures of protected health information to those permitted by the contract and would impose certain security, inspection and reporting requirements on the business partner.

We do not intend to interfere with business relationships in the health care industry, but rather to ensure that the privacy of the information shared in these relationships is protected. Business partners would not be permitted to use or disclose protected health information in ways that would not be permitted by the covered entity itself.