NPRM: Standards for Privacy of Individually Identifiable Health Information. b. Health care operations.


We considered the extent to which the covered entities might benefit from further guidance on the types of activities that appropriately would be considered health care operations. The term is defined in proposed § 164.504. In the debates that have surrounded privacy legislation before the Congress, there has been substantial discussion of the definition of health care operations, with some parties advocating for a very broad definition and others advocating a more restrictive approach.

Given the lack of consensus over the extent of the activities that could be encompassed within the term health care operations, we determined that it would be helpful to identify activities that, in our opinion, are sufficiently unrelated to the treatment and payment functions to require an individual to authorize use of his or her information. We want to make clear that these activities would not be prohibited, and do not dispute that many of these activities are indeed beneficial to both individuals and the institutions involved. Nonetheless, they are not necessary for the key functions of treatment and payment and therefore would require the authorization of the individual before his/her information could be used. These activities would include but would not be limited to:

  • the use of protected health information for marketing of health and non-health items and services;
  • the disclosure of protected health information for sale, rent or barter;
  • the use of protected health information by non-health related divisions of the same corporation, e.g., for use in marketing or underwriting life or casualty insurance, or in banking services;
  • the disclosure, by sale or otherwise, of protected health information to a plan or provider for making eligibility or enrollment determinations, or for underwriting or risk rating determinations, prior to the individual’s enrollment in the plan;
  • the disclosure of information to an employer for use in employment determinations; and
  • the use or disclosure of information for fund raising purposes.

We invite comments on the activities within the proposed definitions of “treatment,” “payment,” and “health care operations,” as well as the activities proposed to be excluded from these definitions.