In the NPRM we proposed to include the procurement or banking of blood, sperm, organs, or any other tissue for administration to patients in the definition of "health care" (described in proposed § 160.103). The NPRM's proposed approach did not differentiate between situations in which the donor was competent to consent to the donation - for example, when an individual is donating blood, sperm, a kidney, or a liver or lung lobe - and situations in which the donor was deceased, for example, when cadaveric organs and tissues were being donated. We also proposed to allow use and disclosure of protected health information for treatment without consent.
In the final rule, we take a different approach. In § 164.512(h), we permit covered entities to disclose protected health information without individual authorization to organ procurement organizations or other entities engaged in the procurement, banking, or transplantation of cadaveric organs, eyes, or tissue for donation and transplantation. This provision is intended to address situations in which an individual has not previously indicated whether he or she seeks to donate organs, eyes, or tissues (and therefore authorized release of protected health information for this purpose). In such situations, this provision is intended to allow covered entities to initiate contact with organ and tissue donation and transplantation organizations to facilitate transplantation of cadaveric organs, eyes, and tissues.
Disclosures and Uses for Government Health Data Systems
In the NPRM we proposed to permit covered entities to disclose protected health information to a government agency, or to a private entity acting on behalf of a government agency, for inclusion in a government health data system collecting health data for analysis in support of policy, planning, regulatory, or management functions authorized by law. The NPRM stated that when a covered entity was itself a government agency collecting health data for these functions, it could use protected health information in all cases for which it was permitted to disclose such information to government health data systems.
In the final rule, we eliminate the provision that would have allowed covered entities to disclose protected health information to government health data systems without authorization. Thus, under the final rule, covered entities cannot disclose protected health information without authorization to government health data systems - or to private health data systems - unless the disclosure is permissible under another provision of the rule.
Disclosures for Payment Processes
In the NPRM we proposed to permit covered entities to disclose, in connection with routine banking activities or payment by debit, credit, or other payment card, or other payment means, the minimum amount of protected health information necessary to complete a banking or payment activity to financial institutions or to entities acting on behalf of financial institutions to authorize, process, clear, settle, bill, transfer, reconcile, or collect payments for financial institutions.
The preamble to the NPRM clarified the proposed rule's intent regarding disclosure of diagnostic and treatment information along with payment information to financial institutions. The preamble to the proposed rule said that diagnostic and treatment information never was necessary to process a payment transaction. The preamble said we believed that in most cases, the permitted disclosure would include only: (1) the name and address of the account holder; (2) the name and address of the payor or provider; (3) the amount of the charge for health services; (4) the date on which health services were rendered; (5) the expiration date for the payment mechanism, if applicable; and (6) the individual's signature. The preamble noted that the proposed regulation text did not include an exclusive list of information that could lawfully be disclosed to process payments, and it solicited comments on whether more elements would be needed for banking and payment transactions and on whether including a specific list of protected health information that could be disclosed was an appropriate approach.
The preamble also noted that under section 1179 of HIPAA, certain activities of financial institutions were exempt from this rule, to the extent that these activities constituted authorizing, processing, clearing, settling, billing, transferring, reconciling, or collecting payments for health care or health plan premiums.
In the final rule, we eliminate the NPRM's provision on "banking and payment processes." All disclosures that would have been allowed pursuant to proposed § 164.510(i) are allowed under § 164.502(a) of the final rule, regarding disclosure for payment purposes.