Proposed Standards for Privacy of Individually Identifiable Health Information. General rules

08/21/1999

We propose that covered entities be prohibited from using or disclosing health information except: as authorized by the patient, or as explicitly permitted by the regulation. The regulation would permit use and disclosure of health information without authorization for purposes of health care treatment, payment and operations, and for specified national policy activities under conditions tailored for each type of such permitted use or disclosure.

  • The amount of information to be used or disclosed would be restricted to the minimum amount necessary to accomplish the relevant purpose, taking into consideration practical and technological limitations.
    • There would be exceptions for situations in which assessment of what is minimally necessary is appropriately made by someone other than the covered entity (e.g., such as when an individual authorizes a use or disclosure of information, or when the disclosure is mandatory under another law).
    • We would allow covered entities to rely on requests by certain public agencies in determining the minimum necessary information for certain disclosures.
    • Under the principle of minimum necessary use, if an entity consists of several different components, the entity would be required to create barriers between components so that information is not used or shared inappropriately.
  • To encourage covered entities to strip identifiers from health information when it is possible to do so, we would permitted a covered entity to use and disclose such de- identified information in any way, provided that:
    • it does not disclose the key or other mechanism that would enable the information to be re-identified, and
    • it has no reason to believe that such use or disclosure will result in the use or disclosure of protected health information (e.g., because the recipient has the means to re-identify the information).
  • We would treat the key to coded identifiers the same as the information to which it pertains. A covered entity could use or disclose a key only as it could use or disclose the underlying information.
  • We would permit covered entities to disclose protected health information to persons they hire to perform functions on their behalf, where such information is needed for that function. These ?business partners” would include contractors such as lawyers, auditors, consultants, health care clearinghouses, and billing firms, but not members of the covered entity’s workforce.
  • Except where the business partner is providing a treatment consultation or referral, we would require covered entities to enter into contracts with their business partners and would require the contracts to include terms to ensure that the protected health information disclosed to a business partner remains confidential. Business partners would not be permitted to use or disclose protected health information in ways that would not be permitted of the covered entity itself. We use the contract as a tool for protecting information, because the HIPAA does not provide legislative authority for the rule to reach many such business partners directly.
  • The uses and disclosures permitted by this rule would be exactly that -- permitted, not required. For disclosures not compelled by other law, providers and payers would be free to disclose or not, according to their own policies and principles. At the same time, nothing in this rule would provide authority for a covered entity to refuse to make a disclosure mandated by other law.
  • Only two disclosures would be required by this proposed rule: disclosure to the subject individual pursuant to the individual’s request to inspect and copy health information about him or her, and certain disclosures for the purposes of enforcing the rule.
  • Health information covered by the proposed rule generally would remain protected for two years after the death of the subject of the information, subject to certain exceptions.