NRPM: Standards for Privacy of Individually Identifiable Health Information. 7. Adherence to the notice of information practices. (§ 164.506(g))


In § 164.506(g), we are proposing that covered plans and providers be required to adhere to the statements reflected in the notice of information practices that would be required under proposed § 164.512. In binding covered plans and providers to their notices, we intend to create a system where open and accurate communication between entities and individuals would become necessary and routine. The corollary to this general rule is that the covered plan or provider would be permitted to modify its notice at any time.

The information practices reflected in the most recent notice would apply to all protected health information regardless of when the information was collected. For example, if information was collected during a period when the notice stated that no disclosures would be made to researchers, and the covered plan or provider later decided that it wanted to disclose information to researchers, the entity would then need to revise its notice. The entity would be permitted to disclose all of the information in its custody to researchers as long as the notice is revised and re-distributed as provided below in § 164.512. We considered permitting a covered entity to change its information practices only with respect to protected health information obtained after it revised its notice. Such a requirement would ensure individuals that the notice they received when they disclosed information to the covered entity would continue to apply to that information. We rejected that approach because compliance with such a standard would require covered entities to segregate or otherwise mark information to based on the information practices that were in effect at different times. Such an approach would make covered entities extremely reluctant to revise the information practices, and otherwise would be extremely burdensome to administer.

We are concerned that by requiring covered plans and providers to adhere to the practices reflected in their notice, we would encourage entities to create broad, general notices so that all possible uses, disclosures and other practices would be included. Such broad notices would not achieve the goals of open and accurate communication between entities and individuals. We welcome comments on this requirement and alternative proposals to achieve the same goals.