NRPM: Standards for Privacy of Individually Identifiable Health Information. a. General rule for treatment, payment, and health care operations.


We are not proposing to require individual authorizations of uses and disclosures for health care and related purposes, although such authorizations are routinely gathered today as a condition of obtaining health care or enrolling in a health plan. Although many current disclosures of health information are made pursuant to individual authorizations, these authorizations provide individuals with little actual control over their health information. When an individual is required to sign a blanket authorization at the point of receiving care or enrolling for coverage, that consent is often not voluntary because the individual must sign the form as a condition of treatment or payment for treatment. Individuals are also often asked to sign broad authorizations but are provided little or no information about how their health information may be or will in fact be used. Individuals cannot make a truly informed decision without knowing all the possible uses, disclosures and re-disclosures to which their information will be subject. In addition, since the authorization usually precedes creation of the record, the individual cannot predict all the information the record may contain and therefore cannot make an informed decision as to what would be released.

Our proposal is intended to make the exchange of protected health information relatively easy for health care purposes and more difficult for purposes other than health care. For individuals, health care treatment and payment are the core functions of the health care system. This is what they expect their health information will be used for when they seek medical care and present their proof of insurance to the provider. Consistent with this expectation, we considered requiring a separate individual authorization for every use or disclosure of information but rejected such an approach because it would not be realistic in an increasingly integrated health care system. For example, a requirement for separate patient authorization for each routine referral could impair care, by delaying consultation and referral, as well as payment.

We therefore propose that covered entities be permitted to use and disclose protected health information without individual authorization for treatment and payment purposes, and for related purposes that we have defined as health care operations. For example, health care providers could maintain and refer to a medical record, disclose information to other providers or persons as necessary for consultation about diagnosis or treatment, and disclose information as part of referrals to other providers. Health care providers also could use a patient’s protected health information for payment purposes such as submitting a claim to a payer. In addition, they could use a patient’s protected health information for health care operations, such as use for an internal quality oversight review. We would note that, in the case of an individual where the provider has agreed to restrictions on use or disclosure of the patient’s protected health information, the provider is bound by such restrictions as provided in § 164.506(c).

Similarly, health plans could use an enrollee’s protected health information for payment purposes, such as reviewing and paying health claims that have been submitted to it, pre-admission screening of a request for hospitalization, or post-claim audits of health care providers. Health plans also could use an enrollee’s protected health information for health care operations, such as reviewing the utilization patterns or outcome performance of providers participating in their network.

Further, as described in more detail below, health care providers and health plans would not need individual authorization to provide protected health information to a business partner for treatment, payment or health care operations functions if the other requirements for disclosing to business partners are met. See proposed § 164.506(e).

We intend that the right to use and disclose protected health information be interpreted to apply for treatment and payment of all individuals. For example, in the course of providing care to a patient, a physician could wish to examine the records of other patients with similar conditions. Likewise, a physician could consult the records of several people in the same family or living in the same household to assist in diagnosis of conditions that could be contagious or that could arise from a common environmental factor. A health plan or a provider could use the protected health information of a number of enrollees to develop treatment protocols, practice guidelines, or to assess quality of care. All of these uses would be permitted under this proposed rule.

Our proposal would not restrict to whom disclosures could be made for treatment, payment or operations. For example, covered entities could make disclosures to non-covered entities for payment purposes, such as a disclosure to a workers compensation carrier for coordination of benefits purposes. We note, however, that when disclosures are made to non-covered entities, the ability of this proposed rule to protect the confidentiality of the information ends. This points to the need for passage of more comprehensive privacy legislation that would permit the restrictions on use and disclosure to follow the information beyond covered entities.

We also propose to prohibit covered entities from seeking individual authorization for uses and disclosures for treatment, payment and health care operations unless required by State or other applicable law. As discussed above in this section, such authorizations could not provide meaningful privacy protections or individual control and could in fact cultivate in individuals erroneous understandings of their rights and protections.

The general approach that we are proposing is not new. Some existing State health confidentiality laws permit disclosures without individual authorization to other health care providers treating the individual, and the Uniform Health-Care Information Act permits disclosure “to a person who is providing health-care to the patient” (9 part I, U.L.A. 475, 2-104 (1988 and Supp. 1998)). We believe that this approach would be the most realistic way to protect individual confidentiality in an increasingly data-driven, electronic and integrated health care system. We recognize, however, that, particularly given the limited scope of the authority that we have under this proposed rule to reach some significant actors in the health care system, other approaches could be of interest. We invite comments on whether other approaches to protecting individuals’ health information would be more effective.