NPRM: Standards for Privacy of Individually Identifiable Health Information. b. Application to records containing protected and unprotected health information.


Once transmitted or maintained electronically, protected health information is often mixed with unprotected health information in the same record. For example, under the proposed rules, information from a medical record that is electronically transmitted by a provider to a health plan and then returned to the original record would become protected health information, even though the rest of the information contained in the paper record may not be subject to these privacy rules.

We reiterate that under the proposed rule, the protections would apply to the information itself, not to the particular record in which it is contained or transmitted. Therefore, an entity could not maintain duplicate records and only apply the protections to the information contained in the record that is electronically maintained or transmitted. For example, once an individual’s name and diagnostic code are transmitted electronically between covered entities (or business partners), that information must be protected by both the transmitting and receiving entities in every record, written, electronic or other, in which it appears.

We recognize that this approach may require some additional administrative attention to mixed records (records containing protected and unprotected health information) to ensure that the handling of protected health information conforms with these regulations. We considered ways to limit application of these protections to avoid such potential administrative concerns. However, these regulations would have little effect if not applicable to otherwise protected health information simply because it was combined with unprotected health information – any information could be lawfully disclosed simply by including some additional information. Likewise, these regulations would have no meaning if entities could then avoid applying the protections merely by maintaining separate duplicate records. A way to limit these rules to avoid application to mixed information without sacrificing basic protections is not apparent.

Unlike the potential issues inherent in the protection of oral information, there may be relatively simple ways to reduce possible confusion in protecting mixed records. The risk of inappropriate use or disclosure of protected health information in a mixed record can be eliminated simply by handling all information in mixed records as if it were protected. It also may be possible to develop a “watermark” analogous to a copyright label, designating which written information is protected. We welcome comments on how best to protect information in mixed records, without creating unnecessary administrative burdens.

Finally, we recognize that these rules may create awkward boundaries and enforcement ambiguities, and seek comment on how best to reduce these ambiguities while maintaining the basic protections mandated by the statute.