NRPM: Standards for Privacy of Individually Identifiable Health Information. c. Content of the notice.


In § 164.512, we propose the categories of information that would be required in each notice of information practices, the specific types of information that would have to be included in each category, and general guidance as to the presentation of written materials. A sample notice is provided in the Appendix to this preamble. This sample notice is provided as an example of how the policies of a specific covered health care provider could be presented in a notice. Each covered health plan and health care provider would be required to create a notice that complies with the requirements of this proposed rule and reflects its own unique information practices. It does not indicate all possible information practices or all issues that could be addressed in the notice. Covered plans and providers may want to include significantly more detail, such as the business hours during which an individual could review their records or its standard time frame for responding to requests to review records; entities could choose to list all types of mandatory disclosures.

In a separate section of this proposed rule, we would require covered plans or providers to develop and document policies and procedures relating to use, disclosure, and access to protected health information. See proposed § 164.520. We intend for the documentation of policies and procedures to be a tool for educating the entity’s personnel about the its policies and procedures. In addition, the documentation would be the primary source of information for the notice of information practices. We intend for the notice be a tool for educating individuals served by the covered plan or provider about the information practices of that entity. The information contained in the notice would not be as comprehensive as the documentation, but rather provide a clear and concise summary of relevant policies and procedures.

We considered prescribing specific language that each covered plan or provider would include in its notice. The advantages of this approach would be that the recipient would get exactly the same information from each covered plan or provider in the same format, and that it would be convenient for covered plans or providers to use a uniform model notice.

There are, however, several disadvantages to this approach. First, and most important, no model notice could fully capture the information practices of every covered plan or provider. Large entities will have different information practices than small entities. Some health care providers, for example academic teaching hospitals, may routinely disclose identifiable health information for research purposes. Other health care providers may rarely or never make such disclosures. To be useful to individuals, each entity’s notice of information practices should reflect its unique privacy practices.

Another disadvantage of prescribing specific language is that it would limit each covered plan or provider’s ability to distinguish itself in the area of privacy protections. We believe that if information on privacy protections were readily available, individuals might compare and select plans or providers based on their information practices. In addition, a uniform model notice could easily become outdated. As new communication methods or technologies are introduced, the content of the notices might need to reflect those changes.

A covered plan or provider that adopts and follows the notice content and distribution requirements described below, we would presume, for the purposes of compliance, that the plan or provider has provided adequate notice. However, the proposed requirements for the content of the notice are not intended to be exclusive. Covered plans or providers could include additional information and additional detail, beyond that required. In particular, all federal agencies must still comply with the Privacy Act of 1974. For federal agencies that are covered plans or providers, this would mean that the notice must comply with the notice requirements provided in the Privacy Act as well as those included in this proposed rule.