NRPM: Standards for Privacy of Individually Identifiable Health Information. 6. Permissible uses and disclosures for purposes other than treatment, payment and health care operations.


Individually identifiable health information is needed to support certain national priority activities, such as reducing health care fraud, improving the quality of treatment through research, protecting the public health, and responding to emergency situations. In many cases, the need to obtain authorization for use of health information would create significant obstacles in efforts to fight crime, understand disease, and protect public health. We examined the many uses that the health professions, related industries, and the government make of health information and we are aware of the concerns of privacy and consumer advocates about these uses.

After balancing privacy and other social values, we are proposing rules that would permit use or disclosure of health information without individual authorization for the following national priority activities and activities that allow the health care system to operate smoothly:

  • Oversight of the health care system
  • Public health functions
  • Research
  • Judicial and administrative proceedings
  • Law enforcement
  • Emergency circumstances
  • To provide information to next-of-kin
  • For identification of the body of a deceased person, or the cause of death
  • For government health data systems
  • For facility patient directories
  • To banks, to process health care payments and premiums
  • For management of active duty military and other special classes of individuals
  • Where other law requires such disclosure and no other category of permissible disclosures would allow the disclosure

The rule would specify conditions that would need to be met in order for the use or disclosure of protected health information to be permitted for each of these purposes. (See § 164.514) We have proposed conditions tailored to the need for each type of use or disclosure, and to the types of organizations involved in each such activity. These uses and disclosures, and the conditions under which they may occur, are discussed in section II. F of this preamble.

The uses and disclosures that would be permitted under proposed rule would be just that – permissible. Thus, for disclosures that are not compelled by other law, providers and payers would be free to disclose or not, according to their own policies and ethical principles. We propose these rules as a basic set of legal controls, but ethics and professional practice may dictate more guarded disclosure policies. At the same time, nothing in this rule would provide authority for a covered entity to restrict or refuse to make a disclosure mandated by other law.