NRPM: Standards for Privacy of Individually Identifiable Health Information. C. General rules. (§ 164.506)


The purpose of our proposal is to define and limit the circumstances in which an individual’s protected health information could be used or disclosed by covered entities. As discussed above, we are proposing to make the use and exchange of protected health information relatively easy for health care purposes and more difficult for purposes other than health care.

As a general rule, we are proposing that protected health information not be used or disclosed by covered entities except as authorized by the individual who is the subject of such information or as explicitly provided by this rule. Under this proposal, most uses and disclosures of an individual’s protected health information would not require explicit authorization by the individual, but would be restricted by the provisions of the rule. Covered entities would be able to use or disclose an individual’s protected health information without authorization for treatment, payment and health care operations. See proposed § 164.506(a)(1)(i). Covered entities also would be permitted to use or disclose an individual’s protected health information for specified public and public policy-related purposes, including public health, research, health oversight, law enforcement, and use by coroners. Covered entities would be permitted by this rule to use and disclose protected health information when required to do so by other law, such as a mandatory reporting requirement under State law or pursuant to a search warrant. See proposed § 164.510. Covered entities would be required by this rule to disclose protected health information for only two purposes: to permit individuals to inspect and copy protected health information about them (see proposed § 164.514) and for enforcement of this rule (see proposed § 164.522(e)).

The proposed rule generally would not require covered entities to vary the level of protection of protected health information based on the sensitivity of such information. We believe that all protected health information should have effective protection from inappropriate use and disclosure by covered entities, and except for limited classes of information that are not needed for treatment and payment purposes, we have not provided additional protection to protected health information that might be considered particularly sensitive. We would note that the proposed rule would not preempt provisions of other applicable laws that provide additional privacy protection to certain classes of protected health information. We understand, however, that there are medical conditions and treatments that individuals may believe are particularly sensitive, or which could be the basis of stigma or discrimination. We invite comment on whether this rule should provide for additional protection for such information. We would appreciate comment that discusses how such information should be identified and the types of steps that covered entities could take to provide such additional protection. We also invite comment on how such provisions could be enforced.

Covered entities of all types and sizes would be required to comply with the proposed privacy standards outlined below. The proposed standards would not impose particular mechanisms or procedures that covered entities must adopt to implement the standards. Instead, we would require that each affected entity assess its own needs and devise, implement, and maintain appropriate privacy policies, procedures, and documentation to address its business requirements. How each privacy standard would be satisfied would be a business decision that each entity would have to make. This allows the privacy standards to establish a stable baseline, yet remain flexible enough to take advantage of developments and methods for protecting privacy that will evolve over time.

Because the privacy standards would need to be implemented by all covered entities, from the smallest provider to the largest, multi-state health plan, a single approach to implementing these standards would be neither economically feasible nor effective in safeguarding health information privacy. For example, in a small physician practice, the office manager might be designated to serve as the privacy official as one of many duties (see proposed § 164.518(a)) whereas at a large health plan, the privacy official may constitute a full time position and have the regular support and advice of a privacy staff or board.

Similarly, a large enterprise may make frequent electronic disclosures of similar data. In such a case, the enterprise would be expected to remove identifiers or to limit the data fields that are disclosed to fit the purpose of the disclosure. The process would be documented and perhaps even automated. A solo physician’s office, however, would not be expected to have the same capabilities to limit the amount of information disclosed, although, in the cases of disclosures involving a small number of records, such an office could be expected to hide identifiers or to limit disclosures to certain pages of the medical record that are relevant to the purpose of the disclosure.

In taking this approach, we intend to strike a balance between the need to maintain the confidentiality of protected health information and the economic cost of doing so. Health care entities must consider both aspects in devising their solutions. This approach is similar to the approach we proposed in the Notice of Proposed Rulemaking for the administrative simplification security and electronic signature standards.