NPRM: Standards for Privacy of Individually Identifiable Health Information. E. Uses and disclosures permitted without individual authorization. (§ 164.510)


This section describes uses and disclosures of protected health information that covered entities could make for purposes other than treatment, payment, and health care operations without individual authorization, and the conditions under which such uses and disclosures could be made. We propose to allow covered entities to use or disclose protected health information without individual authorization for such purposes if the use or disclosure would comply with the applicable requirements of this section.

These categories of allowable uses and disclosures are designed to permit and promote key national health care priorities, and to ensure that the health care system operates smoothly. For each of these categories, this rule would permit – but not require – the covered entity to use or disclose protected health information without the individual’s authorization. Some covered entities could conclude that the records they hold, or portions of them, should not be used or disclosed for one or more of these permitted purposes without individuals’ authorization (absent a law mandating such disclosure), even under the conditions imposed here. The proposed regulation is intended to reflect the importance of safeguarding individuals’ confidentiality, while also enabling important national priority activities that require protected health information.

We considered permitting uses and disclosures only where law affirmatively requires the covered entity to use or disclose protected health information. However, because the activities described below are so important to the population as a whole, we decided to permit a covered entity to use or disclose information to promote those activities even when such activities are not legally mandated. In some cases, however, we would permit a use or disclosure only when such use or disclosure is authorized by other law. The requirements for verification of legal authority are discussed in each relevant section.

Where another law forbids the use or disclosure of protected health information without the individual’s authorization, nothing in this section would permit such use or disclosure.

Other law may require use or disclosure of protected health information. If such a use or disclosure is not otherwise addressed in proposed § 164.510(b) through (m), we would in proposed § 164.510(n) permit covered entities to use or disclose protected health information without individual authorization pursuant to any law that mandates such use or disclosure. To be in compliance with this rule, the covered entity must meet the requirements of such other law requiring the use or disclosure. Similarly, nothing in this rule would provide authority for a covered entity to restrict or refuse to make a use or disclosure mandated by other law.

The HIPAA legislative authority generally does not bring the entities that receive disclosures pursuant to this section, including public health authorities, oversight and law enforcement agencies, researchers, and attorneys, under the jurisdiction of this proposed rule. We therefore generally cannot propose restrictions on the further use and disclosure of protected health information obtained by the recipients of these disclosures (unless the recipient is also a covered entity). We believe, however, that in most instances it is sound policy to restrict further uses and disclosures of such protected health information. For example, the Secretary’s Recommendations proposed that protected health information obtained by researchers not be further disclosed except for emergency circumstances, for a research project that meets certain conditions, and for oversight of research. We believe that federal legislation should include appropriate restrictions on further use and disclosure of protected health information received by entities for purposes such as those described in this section. We note that, under S.578 (introduced by Senator Jeffords), protected health information disclosed for oversight could not be used against the subject of the protected health information unless the action arises out of and is directly related to a health care fraud or a fraudulent claim for benefits, unless such use is judicially authorized. We believe such safeguards strike the right balance between encouraging national priority oversight activities and protecting individuals’ privacy.

The provisions of this section contain requirements related to use and requirements related to disclosure, as appropriate to each of the purposes discussed. For many of these purposes, only requirements relating to disclosure are proposed because there are no appropriate internal uses for such a purpose. Examples include disclosures for next-of-kin and disclosures for banking and financial purposes.

For many of these permitted disclosures, we would require the covered entity to verify the identity of the requestor and his or her legal authority to make the request. Requirements for verifying the identity and authority of requests for information are further discussed in II.G, “Administrative Requirements.” As discussed in more detail in section II.G.3. of this preamble, the verification requirement would apply where the identity of the person making the request is not already known to the covered entity (e.g., where the disclosure is not part of a routine business transaction). We would ask health plans and health care providers to take reasonable steps to verify the identity of persons requesting protected health information, such as asking to see a badge or other proof of the identity of government officials, and would allow covered entities to rely on the statement of government officials and others regarding the legal authority for the activity. We would not require covered entities to make an independent inquiry into the legal authority behind requests for protected health information.

The provisions below would permit covered entities to use or disclose protected health information without individual authorization, pursuant to certain requirements. Although health care clearinghouses would be defined as covered entities under this rule, in most instances clearinghouses will be receiving and maintaining protected health information as the business partner of a covered health plan or provider. In such cases, proposed § 164.510(a)(2) provides that the clearinghouses that hold protected health information as business partners would not be permitted to make uses or disclosures otherwise permitted by this section unless such uses or disclosures also were permitted under the terms of the contract between the clearinghouse and the business partner.