NPRM: Standards for Privacy of Individually Identifiable Health Information

ii. Disclosures likely to cause harm to another individual.


We propose that covered plans and providers be permitted to deny a request for inspection or copying if the information requested is about another person (other than a health care provider) and a licensed health care professional has determined that inspection or copying is reasonably likely to cause substantial harm to that other person. We believe that it is rare that information about one person would be maintained within the health records of another without the knowledge of one or both of them. On some occasions when health information about one person is relevant to the care of another, a physician may incorporate it into the latter's record, such as information from group therapy sessions and illnesses with a genetic component. In some instances the information could be shared without harm, or may already be known to the individual. There may, however, be situations where disclosure could harm the other person, such as by implicitly revealing facts about past sexual behavior, nonpaternity, or similarly sensitive information. This provision would permit withholding of information in such cases.

We believe that this determination should be based on the existing standards and ethics in the medical profession. We are soliciting comments on whether the determination under this provision should be limited to health care professionals who have an existing relationship with the person who is expected to be harmed as a result of the inspection or copying.

Information about a third party may appear in an individual's records unbeknownst to the individual. In such cases, if the individual chooses to exercise her right to inspect her protected health information, the covered plan or provider providing her access would be making an unauthorized disclosure unless the third party has provided a written authorization. We considered requiring that access to such information be denied because the third party had not provided an authorization. We considered proposing that the covered plan or provider would be required to deny an individual's request for access to any information about another person, unless there was a potential for harm to the individual who would be denied. This would have been the only instance where we would require that access be denied as a general rule. We recognized that such requirements would ultimately require covered plans and providers to review every piece of protected health information before permitting inspection and copying to determine if information about another person was included and whether the requester would be harmed without such information. We concluded that this would impose a significant burden on covered plans and providers. We seek comment on whether and how often individual health records contain identifiable information about other persons, and current practice relating to the handling of such information in response to individual requests for access.