NRPM: Standards for Privacy of Individually Identifiable Health Information. i. Uses and disclosures of protected health information.


In proposed § 164.512, we would require each covered plan and provider to include in the notice an explanation of how it uses and discloses protected health information. The explanation must be provided in sufficient detail as to put the individual on notice of the uses and disclosures expected to be made of his or her protected health information. As explained above in section II.C.5, covered plans and providers may only use and disclose protected health information for purposes stated in this notice.

This section of the notice might be as simple as a statement that information will be used and disclosed for treatment, payment, administrative purposes, and quality assurance. If the entity will be using or disclosing the information for other purposes, the notice must include a brief explanation. For example, some entities might include a statement that protected health information will be used for clinician education and disclosed for research purposes. We are soliciting comment on the level of detail that should be required in describing the uses and disclosures, specifically with respect to uses and disclosures for health care operations.

In addition, we would require that notices distinguish between those uses and disclosures the entity makes that are required by law and those that are permitted but not required by law. By distinguishing between uses and disclosures that an entity is required to make and those that the entity is choosing to make, the notice would provide the individual with a clearer understanding of the entity’s privacy practices.

For uses and disclosures required by law, the notice need only list the categories of disclosures that are authorized by law, and note that it complies with such requirements. This language could be the same for every covered entity within a State, territory or other locale. We encourage states, state professional associations, and other organizations to develop model language to assist covered plans or providers in preparing this section of the notice.

For each type of permissible use or disclosure that the entity makes (e.g., research, public health, and next-of-kin), the notice would include a brief statement explaining the entity’s policy with respect to that type of disclosure. For example, if all relevant laws permit health care providers to disclose protected health information to public health without individual authorization, the entity would need to develop policies and procedures regarding when and how it will make such disclosures. The entity would then document those policies and procedures as required by § 164.520 and the notice would include a statement of these policies. For example, the notice might state “we will disclose your protected health information to public health authorities upon request.”

We considered requiring the notice to include not only a discussion of the actual disclosure practices of the covered entity, but also a listing or discussion of all additional disclosures that are authorized by law. We considered this approach because, under this proposed rule, covered plans or providers would be permitted to change their information practices at any time, and therefore individuals would not be able to rely on the entity’s current policies alone to understand how their protected health information may be used in the future. We recognize that in order to be fully informed, individuals need to understand when their information could be disclosed.

We rejected this approach because we were concerned that a notice with such a large amount of information could be burdensome to both the individuals receiving the notices and the entities required to prepare and distribute them. There are a substantial number of required and permitted disclosures under State or other applicable law, and this rule generally would permit them to be made.

Alternatively, we considered requiring that the notice include all of the types of permissible disclosures under this rule (e.g., public health, research, next-of-kin). We rejected that approach for two reasons. First, we felt that providing people with notice of the intended or likely disclosures of their protected health information was more useful than describing all of the potential types of disclosures. Second, in many States and localities, different laws may affect the permissible disclosures that an entity may make, in which case a notice only discussing permissible disclosures under the federal rule would be misleading. While it would be possible to require covered plans or providers to develop notices that discuss or list disclosures that would be permissible under this rule and other law, we were concerned that such a notice may be very complicated because of the need to discuss the interplay of federal, State or other law for each type of permissible disclosure. We invite comments on the best approach to provide the most useful information to the individuals without overburdening either covered plans or providers or the recipients of the notices.

In § 164.520, we are proposing to require all covered entities to develop and document policies and procedures for the use of protected health information. The notice would simply summarize those documented policies and procedures and therefore would entail little additional burden.