NPRM: Standards for Privacy of Individually Identifiable Health Information. 9. Uses and disclosures permitted without individual authorization. (§ 164.510)


This section describes uses and disclosures of protected health information that covered entities could make for purposes other than treatment, payment, and health care operations without individual authorization, and the conditions under which such uses and disclosures could be made. We propose to allow covered entities to use or disclose protected health information without individual authorization for such purposes if the use or disclosure would comply with the applicable requirements of this section.

Covered entities could need to reevaluate and modify their operating procedures to comply with the proposed rule’s prohibition on disclosing individually identifiable health information without patient authorization for any purpose other than treatment, payment, health care operations, or those situations explicitly identified as permissible disclosures under this proposed rule. Many entities could already do this. Entities that do not do this would need to alter information management systems and implement administrative policies and procedures to prevent inappropriate disclosures. Entities would also have to determine whether or not an authorization is necessary for each disclosure beyond treatment, payment, and health care operations that is not explicitly defined as a permissible disclosure under this proposed rule. It should be noted that the minimum necessary principle is an important component of the costs related to any disclosure. We expect that there would be significant initial and ongoing costs.

If an entity chooses to disclose protected health information without authorization from individuals, there would be a number of new provisions that it would have to comply with. For example, if a disclosure is to researchers outside of the organization, the entity must obtain written documentation indicating that the research has been approved by an institutional review board (IRB) or equivalent process by a privacy board. This requirement is associated with ongoing administrative costs. We note that any such costs are optional unless other requirements (state laws, mandatory reporting systems, etc.) mandate these disclosures. In order to minimize the burden of these costs for mandatory disclosures, we have tried to apply as few business partner requirements as possible in areas where these mandatory disclosures are possible. However, in cases where the disclosure is optional, entities would have higher costs if they choose to use these disclosures. We expect that entities would consider these costs before making any such disclosure and determine if the benefits to their business of disclosure are greater than the costs related to making the disclosure. Additionally, other than the new requirements for disclosures for research, most of the disclosures are simply recognizing current practices and would not require large new costs.

We considered permitting uses and disclosures only where law affirmatively requires the covered entity to use or disclose protected health information. However, because the activities described below are so important to the population as a whole, we decided to permit a covered entity to use or disclose information to promote those activities even when such activities are not legally mandated. In some cases, however, we would permit a use or disclosure only when such use or disclosure is authorized by other law. The requirements for verification of legal authority are discussed in section II.G.3.

Disclosures that are required by current law would only require minimal additional costs to entities. The only cost directly attributable to this proposed requirement would be the additional cost of noting these disclosures on the accounting of uses and disclosures.

However, disclosures required by this proposed regulation should be considered new costs. These mandatory disclosures would be extremely rare. For example, we expect that the Department would limit the number of compliance audits conducted. In these cases, some of the more expensive activities, including the minimum necessary principle and determining whether or not to make the disclosure, would not be applicable.

We would restrict the discussion of discretionary disclosures to the general principles behind such disclosures rather than a detailed description of each allowable disclosure. More elaborate discussion of options for individual classes of disclosures can be found in the preamble. These disclosures are optional disclosures, and therefore any costs related to making these disclosures would be optional costs. We do not have a complete understanding of how often these disclosures are currently made, nor do we understand what procedures are currently in place. We also do not understand how often these disclosures would be made given the new costs associated with such disclosures. Note that the degree of new costs imposed if an entity opts to use a disclosure varies dramatically depending on the type of disclosure. For example, a disclosure of directory information in a hospital would probably not involve significant additional costs, while research that is not subject to the Common Rule would have significant new costs involved. These disclosures, and thus these costs, are optional under this proposed rule. While they may be mandated under other law, such mandated disclosures are already being made, so there would be no additional costs. In this case there are only marginal new costs related to these disclosures.