Section 164.502(a) - Use and Disclosure for Treatment, Payment and Health Care Operations
As a general rule, we proposed in the NPRM to prohibit covered entities from using or disclosing protected health information except as authorized by the individual who is the subject of such information or as explicitly permitted by the rule. The proposed rule explicitly would have permitted covered entities to use or disclose an individual's protected health information without authorization for treatment, payment, and health care operations. The proposal would not have restricted to whom disclosures could be made for the purposes of treatment, payment, or operations. The proposal would have allowed disclosure of the protected health information of one individual for the treatment or payment of another, as appropriate. We also proposed to prohibit covered entities from seeking individual authorization for uses and disclosures for treatment, payment, and health care operations unless required by state or other applicable law.
We proposed two exceptions to this general rule which prohibited covered entities from using or disclosing research information unrelated to treatment or psychotherapy notes for treatment, payment, or health care operations purposes unless a specific authorization was obtained from the subject of the information. In addition, we proposed that a covered entity be prohibited from conditioning treatment, enrollment in a health plan or payment decisions on a requirement that the individual provide a specific authorization for the disclosure of these two types of information (see proposed § 164.508(a)(3)(iii)).
We also proposed to permit covered entities to use or disclose an individual's protected health information for specified public and public policy-related purposes, including public health, research, health oversight, law enforcement, and use by coroners. In addition, the proposal would have permitted covered entities to use and disclose protected health information when required to do so by other law or pursuant to an authorization from the individual allowing them to use or disclose the information for purposes other than treatment, payment or health care operations.
We proposed to require covered entities to disclose protected health information for only two purposes: to permit individuals to inspect and copy protected health information about themselves and for enforcement of the rule.
We proposed not to require covered entities to vary the level of protection accorded to protected health information based on the sensitivity of such information. In addition, we proposed to require that each affected entity assess its own needs and devise, implement, and maintain appropriate privacy policies, procedures, and documentation to address its business requirements.
In the final rule, the general standard remains that covered entities may use or disclose protected health information only as permitted or required by this rule. However, we make significant changes to the conditions under which uses and disclosures are permitted.
We revise the application of the general standard to require covered health care providers who have a direct treatment relationship with an individual to obtain a general "consent" from the individual in order to use or disclose protected health information about the individual for treatment, payment and health care operations (for details on who must obtain such consents and the requirements they must meet, see § 164.506). These consents are intended to accommodate both the covered provider's need to use or disclose protected health information for treatment, payment, and health care operations, and also the individual's interest in understanding and acquiescing to such uses and disclosures. In general, other covered entities are permitted to use and disclose protected health information to carry out treatment, payment, or health care operations (as defined in this rule) without obtaining such consent, as in the proposed rule. Covered entities must, as under the proposed rule, obtain the individual's "authorization" in order to use or disclose psychotherapy notes for most purposes: see § 164.508(a)(2) for exceptions to this rule. We delete the proposed special treatment of "research information unrelated to treatment."
We revise the application of the general standard to require all covered entities to obtain the individual's verbal "agreement" before using or disclosing protected health information for facility directories, to persons assisting in the individual's care, and for other purposes described in § 164.510. Unlike "consent" and "authorization," verbal agreement may be informal and implied from the circumstances (for details on who must obtain such agreements and the requirements they must meet, see § 164.510). Verbal agreements are intended to accommodate situations where it is neither appropriate to remove from the individual the ability to control the protected health information nor appropriate to require formal, written permission to share such information. For the most part, these provisions reflect current practices.
As under the proposed rule, we permit covered entities to use or disclose protected health information without the individual's consent, authorization or agreement for specified public policy purposes, in compliance with the requirements in § 164.512.
We permit covered entities to disclose protected health information to the individual who is the subject of that information without any condition. We note that this may include disclosures to "personal representatives" of individuals as provided by § 164.502(g).
We permit a covered entity to use or disclose protected health information for other lawful purposes if the entity obtains a written "authorization" from the individual, consistent with the provisions of § 164.508. Unlike "consents," these "authorizations" are specific and detailed. (For details on who must obtain such authorizations and the requirements they must meet, see § 164.508.) They are intended to provide the individuals with concrete information about, and control over, the uses and disclosures of protected health information about themselves.
The final rule retains the provision that requires a covered entity to disclose protected health information only in two instances: when individuals request access to information about themselves, and when disclosures are compelled by the Secretary for compliance and enforcement purposes.
Finally, § 164.502(a)(1) also requires covered entities to use or disclose protected health information in compliance with the other provisions of § 164.502, for example, consistent with the minimum necessary standard, to create de-identified information, or to a personal representative of an individual. These provisions are described below.
We note that a covered entity may use or disclose protected health information as permitted by and in accordance with a provision of this rule, regardless of whether that use or disclosure fails to meet the requirements for use or disclosure under another provision of this rule.
Section 164.502(b) - Minimum Necessary Uses and Disclosures
The proposed rule required a covered entity to make all reasonable efforts not to use or disclose more than the minimum amount of protected health information necessary to accomplish the intended purpose of the use or disclosure (proposed § 164.506(b)). This final rule significantly modifies the proposed requirements for implementing the minimum necessary standard. In the final rule, § 164.502(b) contains the basic standard and § 164.514 describes the requirements for implementing the standard. Therefore we discuss all aspects of the minimum necessary standard and specific requirements below in the discussion of § 164.514(d).
Section 164.502(c) - Uses and Disclosures Under a Restriction Agreement
The proposed rule would have required that covered health care providers permit individuals to request restrictions of uses and disclosures of protected health information and would have prohibited covered providers from using or disclosing protected health information in violation of any agreed-to restriction.
The final rule retains an individual's right to request restrictions on uses or disclosures for treatment, payment or health care operations and prohibits a covered entity from using or disclosing protected health information in a way that is inconsistent with an agreed upon restriction between the covered entity and the individual, but makes some changes to this right. Most significantly, under the final rule individuals have the right to request restrictions of all covered entities. This standard is set forth in § 164.522. Details about the changes to the standard are explained in the preamble discussion to § 164.522.
Section 164.502(d) - Creation of De-identified Information
In proposed § 164.506(d) of the NPRM, we proposed to permit use of protected health information for the purpose of creating de-identified information and we provided detailed mechanisms for doing so.
In § 164.502(d) of the final rule, we permit a covered entity to use protected health information to create de-identified information, whether or not the de-identified information is to be used by the covered entity. We clarify that de-identified information created in accordance with our procedures (which have been moved to § 164.514(a)) is not subject to the requirements of these privacy rules unless it is re-identified. Disclosure of a key or mechanism that could be used to re-identify such information is also defined to be disclosure of protected health information. See the preamble to § 164.514(a) for further discussion.
Section 164.502(e) - Business Associates
In the proposed rule, other than for purposes of consultation or referral for treatment, we would have allowed a covered entity to disclose protected health information to a business partner only pursuant to a written contract that would, among other specified provisions, limit the business partner's uses and disclosures of protected health information to those permitted by the contract, and would impose certain security, inspection and reporting requirements on the business partner. We proposed to define the term "business partner" to mean, with respect to a covered entity, a person to whom the covered entity discloses protected health information so that the person can carry out, assist with the performance of, or perform on behalf of, a function or activity for the covered entity.
In the final rule, we change the term "business partner" to "business associate" and in the definition clarify the full range of circumstances in which a person is acting as a business associate of a covered entity. (See definition of "business associate" in § 160.103.) These changes mean that § 164.502(e) requires a business associate contract (or other arrangement, as applicable) not only when the covered entity discloses protected health information to a business associate, but also when the business associate creates or receives protected health information on behalf of the covered entity.
In the final rule, we modify the proposed standard and implementation specifications for business associates in a number of significant ways. These modifications are explained in the preamble discussion of § 164.504(e).
Section 164.502(f) - Deceased Individuals
We proposed to extend privacy protections to the protected health information of a deceased individual for two years following the date of death. During the two-year time frame, we proposed in the definition of "individual" that the right to control the deceased individual's protected health information would be held by an executor or administrator, or other person (e.g., next of kin) authorized under applicable law to act on behalf of the decedent's estate. The only proposed exception to this standard allowed for uses and disclosures of a decedent's protected health information for research purposes without the authorization of a legal representative and without the Institutional Review Board (IRB) or privacy board approval required (in proposed § 164.510(j)) for most other uses and disclosures for research.
In the final rule (§ 164.502(f)), we modify the standard to extend protection of protected health information about deceased individuals for as long as the covered entity maintains the information. We retain the exception for uses and disclosures for research purposes, now part of § 164.512(i), but also require that the covered entity take certain verification measures prior to release of the decedent's protected health information for such purposes (see §§ 164.514(h) and 164.512(i)(1)(iii)).
We remove from the definition of "individual" the provision related to deceased persons. Instead, we create a standard for "personal representatives" (§ 164.502(g), see discussion below) that requires a covered entity to treat a personal representative of an individual as the individual in certain circumstances, i.e., allows the representative to exercise the rights of the individual. With respect to deceased individuals, the final rule describes when a covered entity must allow a person who otherwise is permitted under applicable law to act with respect to the interest of the decedent or on behalf of the decedent's estate, to make decisions regarding the decedent's protected health information.
The final rule also adds a provision to § 164.512(g), that permits covered entities to disclose protected health information to a funeral director, consistent with applicable law, as necessary to carry out their duties with respect to the decedent. Such disclosures are permitted both after death and in reasonable anticipation of death.
Section 164.502(g) - Personal Representatives
In the proposed rule we defined "individual" to include certain persons who were authorized to act on behalf of the person who is the subject of the protected health information. For adults and emancipated minors, the NPRM provided that "individual" includes a legal representative to the extent to which applicable law permits such legal representative to exercise the individual's rights in such contexts. With respect to unemancipated minors, we proposed that the definition of "individual" include a parent, guardian, or person acting in loco parentis (hereinafter referred to as "parent"), except when an unemancipated minor obtained health care services without the consent of, or notification to, a parent. Under the proposed rule, if a minor obtained health care services under these conditions, the minor would have had the exclusive rights of an individual with respect to the protected health information related to such health care services.
In the final rule, the definition of "individual" is limited to the subject of the protected health information, which includes unemancipated minors and other individuals who may lack capacity to act on their own behalf. We remove from the definition of "individual" the provisions regarding legal representatives. The circumstances in which a representative must be treated as an individual for purposes of this rule are addressed in a separate standard titled "personal representatives." (§ 164.502(g)). The standard regarding personal representatives incorporates some changes to the proposed provisions regarding legal representatives. In general, under the final regulation, the "personal representatives" provisions are directed at the more formal representatives, while § 164.510(b) addresses situations in which persons are informally acting on behalf of an individual.
With respect to adults or emancipated minors, we clarify that a covered entity must treat a person as a personal representative of an individual if such person is, under applicable law, authorized to act on behalf of the individual in making decisions related to health care. This includes a court-appointed guardian and a person with a power of attorney, as set forth in the NPRM, but may also include other persons. The authority of a personal representative under this rule is limited: the representative must be treated as the individual only to the extent that protected health information is relevant to the matters on which the personal representative is authorized to represent the individual. For example, if a person's authority to make health care decisions for an individual is limited to decisions regarding treatment for cancer, such person is a personal representative and must be treated as the individual with respect to protected health information related to the cancer treatment of the individual. Such a person is not the personal representative of the individual with respect to all protected health information about the individual, and therefore, a covered entity may not disclose protected health information that is not relevant to the cancer treatment to the person, unless otherwise permitted under the rule. We intend this provision to apply to persons empowered under state or other law to make health related decisions for an individual, whether or not the instrument or law granting such authority specifically addresses health information.
In addition, we clarify that with respect to an unemancipated minor, if under applicable law a parent may act on behalf of an unemancipated minor in making decisions related to health care, a covered entity must treat such person as a personal representative under this rule with respect to protected health information relevant to such personal representation, with three exceptions. Under the general rule, in most circumstances the minor would not have the capacity to act as the individual, and the parent would be able to exercise rights and authorities on behalf of the minor. Under the exceptions to the rule on personal representatives of unemancipated minors, the minor, and not the parent, would be treated as the individual and able to exercise the rights and authorities of an individual under the rule. These exceptions occur if: (1) the minor consents to a health care service; no other consent to such health care service is required by law, regardless of whether the consent of another person has also been obtained; and the minor has not requested that such person be treated as the personal representative; (2) the minor may lawfully obtain such health care service without the consent of a parent, and the minor, a court, or another person authorized by law consents to such health care service; or (3) a parent assents to an agreement of confidentiality between a covered health care provider and the minor with respect to such health care service. We note that the definition of health care includes services, but we use "health care service" in this provision to clarify that the scope of the rights of minors under this rule is limited to the protected health information related to a particular service.
Under this provision, we do not provide a minor with the authority to act under the rule unless the state has given them the ability to obtain health care without consent of a parent, or the parent has assented. In addition, we defer to state law where the state authorizes or prohibits disclosure of protected health information to a parent. See part 160, subpart B, Preemption of State Law. This rule does not affect parental notification laws that permit or require disclosure of protected health information to a parent. However, the rights of a minor under this rule are not otherwise affected by such notification.
In the final rule, the provision regarding personal representatives of deceased individuals has been changed to clarify the provision. The policy has not changed substantively from the NPRM.
Finally, we added a provision in the final rule to permit covered entities to elect not to treat a person as a personal representative in abusive situations. Under this provision, a covered entity need not treat a person as a personal representative of an individual if the covered entity, in the exercise of professional judgment, decides that it is not in the best interest of the individual to treat the person as the individual's personal representative and the covered entity has a reasonable belief that the individual has been or may be subjected to domestic violence, abuse, or neglect by such person, or that treating such person as the personal representative could endanger the individual.
Section 164.502(g) requires a covered entity to treat a person that meets the requirements of a personal representative as the individual (with the exceptions described above). We note that disclosure of protected health information to a personal representative is mandatory under this rule only if disclosure to the individual is mandatory. Disclosure to the individual is mandatory only under §§ 164.524 and 164.528. Further, as noted above, the personal representative's rights are limited by the scope of its authority under other law. Thus, this provision does not constitute a general grant of authority to personal representatives.
We make disclosure to personal representatives mandatory to ensure that an individual's rights under §§ 164.524 and 164.528 are preserved even when individuals are incapacitated or otherwise unable to act for themselves to the same degree as other individuals. If the covered entity were to have the discretion to recognize a personal representative as the individual, there could be situations in which no one could invoke an individual's rights under these sections.
We continue to allow covered entities to use their discretion to disclose certain protected health information to family members, relatives, close friends, and other persons assisting in the care of an individual, in accordance with § 164.510(b). We recognize that many health care decisions take place on an informal basis, and we permit disclosures in certain circumstances to allow this practice to continue. Health care providers may continue to use their discretion to address these informal situations.
Section 164.502(h) - Confidential Communications
In the NPRM, we did not directly address the issue of whether an individual could request that a covered entity restrict the manner in which it communicated with the individual. The NPRM did provide individuals with the right to request that health care providers restrict uses and disclosures of protected health information for treatment, payment and health care operations, but providers were not required to agree to such a restriction.
In the final rule, we require covered providers to accommodate reasonable requests by patients about how the covered provider communicates with the individual. For example, an individual who does not want his or her family members to know about a certain treatment may request that the provider communicate with the individual at his or her place of employment, or to send communications to a designated address. Covered providers must accommodate the request unless it is unreasonable. Similarly, the final rule permits individuals to request that health plans communicate with them by alternative means, and the health plan must accommodate such a request if it is reasonable and the individual states that disclosure of the information could endanger the individual. The specific provisions relating to confidential communications are in § 164.522.
Section 164.502(i) - Uses and Disclosures Consistent with Notice
We proposed to prohibit covered entities from using or disclosing protected health information in a manner inconsistent with their notice of information practices. We retain this provision in the final rule. See § 164.520 regarding notice content and distribution requirements.
Section 164.502(j) - Disclosures by Whistleblowers and Workforce Member Crime Victims
Disclosures by Whistleblowers
In § 164.518(c)(4) of the NPRM we addressed the issue of whistleblowers by proposing that a covered entity not be held in violation of this rule because a member of its workforce or a person associated with a business associate of the covered entity used or disclosed protected health information that such person believed was evidence of a civil or criminal violation, and any disclosure was: (1) made to relevant oversight agencies or law enforcement or (2) made to an attorney to allow the attorney to determine whether a violation of criminal or civil law had occurred or to assess the remedies or actions at law that may be available to the person disclosing the information.
We included an extensive discussion on how whistleblower actions can further the public interest, including reference to the need in some circumstances to utilize protected health information for this purpose as well as reference to the qui tam provisions of the Federal False Claims Act.
In the final rule we retitle the provision and include it in § 164.502 to reflect the fact that these disclosures are not made by the covered entity and therefore this material does not belong in the section on safeguarding information against disclosure.
We retain the basic concept in the NPRM of providing protection to a covered entity for the good faith whistleblower action of a member of its workforce or a business associate. We clarify that a whistleblower disclosure by an employee, subcontractor, or other person associated with a business associate is considered a whistleblower disclosure of the business associate under this provision. However, in the final rule, we modify the scope of circumstances under which a covered entity is protected in whistleblower situations. A covered entity is not in violation of the requirements of this rule when a member of its workforce or a business associate of the covered entity discloses protected health information to: (i) a health oversight agency or public health authority authorized by law to investigate or otherwise oversee the relevant conduct or conditions of the covered entity; (ii) an appropriate health care accreditation organization; or (iii) an attorney, for the purpose of determining his or her legal options with respect to whistleblowing. We delete disclosures to a law enforcement official.
We expand the scope of this section to cover disclosures of protected health information to an oversight or accreditation organization for the purpose of reporting breaches of professional standards or problems with quality of care. The covered entity will not be in violation of this rule, provided that the disclosing individual believes in good faith that the covered entity has engaged in conduct which is unlawful or otherwise violates professional or clinical standards, or that the care, services or conditions provided by the covered entity potentially endanger one or more patients, workers or the public. Since these provisions only relate to whistleblower actions in relation to the covered entity, disclosure of protected health information to expose malfeasant conduct by another person, such as knowledge gained during the course of treatment about an individual's illicit drug use, would not be protected activity.
We clarify that this section only applies to protection of a covered entity, based on the whistleblower action of a member of its workforce or business associates. Since the HIPAA legislation only applies to covered entities, not their workforces, it is beyond the scope of this rule to directly regulate the whistleblower actions of members of a covered entity's workforce.
In the NPRM, we had proposed to require covered entities to apply sanctions to members of their workforce who improperly disclose protected health information. In this final rule, we retain this requirement in § 164.530(e)(1) but modify the proposed provision on sanctions to clarify that the sanctions required under this rule do not apply to workforce members of a covered entity for whistleblower disclosures.
Disclosures by Workforce Members Who Are Crime Victims
The proposed rule did not address disclosures by workforce members who are victims of a crime. In the final rule, we clarify that a covered entity is not in violation of the rule when a workforce member of a covered entity who is the victim of a crime discloses protected health information to law enforcement officials about the suspected perpetrator of the crime. We limit the amount of protected health information that may be disclosed to the limited information for identification and location described in § 164.512(f)(2).
We note that this provision is similar to the provision in § 164.512(f)(5), which permits a covered entity to disclose protected health information to law enforcement that the covered entity believes in good faith constitutes evidence of criminal conduct that occurred on the premises of the covered entity. This provision differs in that it permits the disclosure even if the crime occurred somewhere other than on the premises of the covered entity. For example, if a hospital employee is the victim of an attack outside of the hospital, but spots the perpetrator sometime later when the perpetrator seeks medical care at the hospital, the workforce member who was attacked may notify law enforcement of the perpetrator's location and other identifying information. We do not permit, however, the disclosure of protected health information other than that described in § 164.512(f)(2).