-
Section 164.514(a) - (c) - De-identification
-
In § 164.506(d) of the NPRM, we proposed that the privacy standards would apply to "individually identifiable health information," and not to information that does not identify the subject individual. The statute defines individually identifiable health information as certain health information:
(i) Which identifies the individual, or
(ii) With respect to which there is a reasonable basis to believe that the information can be used to identify the individual.
As we pointed out in the NPRM, difficulties arise because, even after removing obvious identifiers (e.g., name, social security number, address), there is always some probability or risk that any information about an individual can be attributed to that individual.
The NPRM proposed two alternative methods for determining when sufficient identifying information has been removed from a record to render the information de-identified and thus not subject to the rule. First, the NPRM proposed the establishment of a "safe harbor": if all of a list of 19 specified items of information had been removed, and the covered entity had no reason to believe that the remaining information could be used to identify the subject of the information (alone or in combination with other information), the covered entity would have been presumed to have created de-identified information. Second, the NPRM proposed an alternative method so that covered entities with sufficient statistical experience and expertise could remove or encrypt a combination of information different from the enumerated list, using commonly accepted scientific and statistical standards for disclosure avoidance. Such covered entities would have been able to include information from the enumerated list of 19 items if they (1) believed that the probability of re-identification was very low, and (2) removed additional information if they had a reasonable basis to believe that the resulting information could be used to re-identify someone.
We proposed that covered entities and their business partners be permitted to use protected health information to create de-identified health information using either of these two methods. Covered entities would have been permitted to further use and disclose such de-identified information in any way, provided that they did not disclose the key or other mechanism that would have enabled the information to be re-identified, and provided that they reasonably believed that such use or disclosure of de-identified information would not have resulted in the use or disclosure of protected health information.
A number of examples were provided of how valuable such de-identified information would be for various purposes. We expressed the hope that covered entities, their business partners, and others would make greater use of de-identified health information than they do today, when it is sufficient for the purpose, and that such practice would reduce the burden and the confidentiality concerns that result from the use of individually identifiable health information for some of these purposes.
In §§ 164.514(a)-(c) of this final rule, we make several modifications to the provisions for de-identification. First, we explicitly adopt the statutory standard as the basic regulatory standard for whether health information is individually identifiable health information under this rule. Information is not individually identifiable under this rule if it does not identify the individual, or if the covered entity has no reasonable basis to believe it can be used to identify the individual. Second, in the implementation specifications we reformulate the two ways in which a covered entity can demonstrate that it has met the standard.
One way a covered entity may demonstrate that it has met the standard is if a person with appropriate knowledge and experience applying generally accepted statistical and scientific principles and methods for rendering information not individually identifiable makes a determination that the risk is very small that the information could be used, either by itself or in combination with other available information, by anticipated recipients to identify a subject of the information. The covered entity must also document the analysis and results that justify the determination. We provide guidance regarding this standard in our responses to the comments we received on this provision.
We also include an alternate, safe harbor, method by which covered entities can demonstrate compliance with the standard. Under the safe harbor, a covered entity is considered to have met the standard if it has removed all of a list of enumerated identifiers, and if the covered entity has no actual knowledge that the information could be used alone or in combination to identify a subject of the information. We note that in the NPRM, we had proposed that to meet the safe harbor, a covered entity must have "no reason to believe" that the information remained identifiable after the enumerated identifiers were removed. In the final rule, we have changed the standard to one of actual knowledge in order to provide greater certainty to covered entities using the safe harbor approach.
In the safe harbor, we explicitly allow age and some geographic location information to be included in the de-identified information, but all dates directly related to the subject of the information must be removed or limited to the year, and zip codes must be removed or aggregated (in the form of most 3-digit zip codes) to include at least 20,000 people. Extreme ages of 90 and over must be aggregated to a category of 90+ to avoid identification of very old individuals. Other demographic information, such as gender, race, ethnicity, and marital status, is not included in the list of identifiers that must be removed.
The intent of the safe harbor is to provide a means to produce some de-identified information that could be used for many purposes with a very small risk of privacy violation. The safe harbor is intended to involve a minimum of burden and convey a maximum of certainty that the rules have been met by interpreting the statutory "reasonable basis to believe that the information can be used to identify the individual" to produce an easily followed, cookbook approach.
Covered entities may use codes and similar means of marking records so that they may be linked or later re-identified, if the code does not contain information about the subject of the information (for example, the code may not be a derivative of the individual's social security number), and if the covered entity does not use or disclose the code for any other purpose. The covered entity is also prohibited from disclosing the mechanism for re-identification, such as tables, algorithms, or other tools that could be used to link the code with the subject of the information.
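The following is an added example, not part of the rule text, that applies the safe-harbor transformations described above (dates limited to the year, zip codes aggregated to a 3-digit prefix only when the prefix covers at least 20,000 people, ages of 90 and over collapsed to "90+", direct identifiers dropped, other demographics retained) and attaches a random linkage code that is not derived from anything in the record. The field names, the sample record and the prefix population table are constructed for illustration; the identifiers removed here are only a subset of the rule's enumerated list.

```python
"""Safe-harbor style de-identification of a single patient record.

Constructed example: field names, sample values and the ZIP-prefix population
table below are made up for illustration and are not census data.
"""
import re
import secrets
from typing import Any, Dict, Optional, Tuple

# Population covered by each 3-digit ZIP prefix (CONSTRUCTED sample values).
ZIP3_POPULATION = {"021": 650_000, "059": 12_000, "902": 300_000}
POPULATION_THRESHOLD = 20_000   # the rule's "at least 20,000 people"
AGE_CAP = 90                    # ages 90 and over collapse to one category

# Direct identifiers removed outright (a subset of the enumerated list; the
# field names are assumed for this example).
DIRECT_IDENTIFIERS = {"name", "ssn", "street_address", "phone", "email", "mrn"}

_ISO_DATE = re.compile(r"^(\d{4})-\d{2}-\d{2}$")


def generalize_date(value: str) -> Optional[str]:
    """Keep only the year of a yyyy-mm-dd date; anything unparseable is dropped."""
    m = _ISO_DATE.match(value.strip())
    return m.group(1) if m else None


def generalize_zip(zip_code: str, zip3_population=ZIP3_POPULATION) -> Optional[str]:
    """Truncate to the 3-digit prefix when that prefix covers enough people;
    prefixes below the threshold are removed rather than aggregated here."""
    prefix = zip_code.strip()[:3]
    if zip3_population.get(prefix, 0) >= POPULATION_THRESHOLD:
        return prefix
    return None


def generalize_age(age: int) -> str:
    """Ages of 90 and over become the single category '90+'."""
    return f"{AGE_CAP}+" if age >= AGE_CAP else str(age)


def safe_harbor(record: Dict[str, Any],
                zip3_population=ZIP3_POPULATION) -> Dict[str, Any]:
    """Return a de-identified copy of `record`.

    Dates are recognised by the assumed '_date' suffix; gender, race,
    ethnicity, marital status and clinical fields pass through unchanged.
    """
    out: Dict[str, Any] = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue
        if field == "zip":
            v = generalize_zip(str(value), zip3_population)
        elif field == "age":
            v = generalize_age(int(value))
        elif field.endswith("_date"):
            v = generalize_date(str(value))
        else:
            v = value
        if v is not None:
            out[field] = v
    return out


class ReidentificationKey:
    """Code-to-subject table kept by the covered entity.

    Codes are random, so they carry no information about the subject (they
    are not a derivative of the SSN or any other field). The table is the
    re-identification mechanism and is never disclosed with the data.
    """

    def __init__(self) -> None:
        self._table: Dict[str, Any] = {}

    def assign(self, record: Dict[str, Any]) -> str:
        code = secrets.token_hex(16)
        self._table[code] = record.get("mrn")   # internal linkage only
        return code

    def lookup(self, code: str) -> Optional[Any]:
        return self._table.get(code)


def deidentify_with_code(record: Dict[str, Any],
                         key: ReidentificationKey) -> Tuple[Dict[str, Any], str]:
    """De-identify `record` and mark it with a linkage code for later re-linking."""
    out = safe_harbor(record)
    code = key.assign(record)
    out["link_code"] = code
    return out, code
```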
Language to clarify that covered entities may contract with business associates to perform the de-identification has been added to the section on business associates.
-
-
Section 164.514(d) - Minimum Necessary
-
The proposed rule required a covered entity to make all reasonable efforts not to use or disclose more than the minimum amount of protected health information necessary to accomplish the intended purpose of the use or disclosure (proposed § 164.506(b)).
The proposed minimum necessary standard did not apply to uses or disclosures that were made by covered entities at the request of the individual, either to allow the individual access to protected health information about him or her or pursuant to an authorization initiated by the individual. The requirement also did not apply to uses and disclosures made: pursuant to the compliance and enforcement provisions of the rule; as required by law and permitted by the regulation without individual authorization; by a covered health care provider to a health plan, when the information was requested for audit and related purposes. Finally, the standard did not apply to the HIPAA administrative simplification transactions.
The proposed implementation specifications would have required a covered entity to have procedures to: (i) identify appropriate persons within the entity to determine what information should be used or disclosed consistent with the minimum necessary standard; (ii) ensure that those persons make the minimum necessary determinations, when required; and (iii) within the limits of the entity's technological capabilities, provide for the making of such determinations individually. The proposal allowed a covered entity, when making disclosures to public officials that were permitted without individual authorization but not required by other law, to reasonably rely on the representations of such officials that the information requested was the minimum necessary for the stated purpose(s).
The preamble provided further guidance. The preamble explained that covered entities could not have general policies of approving all requests (or all requests of a particular type) without carefully considering certain criteria (see "Criteria," below) as well as other information specific to the request. The minimum necessary determination would have needed to be consistent with and directly related to the purpose of the use or disclosure. Where there was ambiguity regarding the information to be used or disclosed, the preamble directed covered entities to interpret the "minimum necessary" standard to "require" the covered entity to make some effort to limit the amount of protected health information used/disclosed.
The proposal would have required the minimum necessary determination to take into consideration the ability of a covered entity to delimit the amount of information used or disclosed. The preamble noted that these determinations would have to be made under a reasonableness standard: covered entities would be required to make reasonable efforts and to incur reasonable expense to limit the use or disclosure. The "reasonableness" of limiting particular uses or disclosures was to be determined based on the following factors (which were not included in the regulatory text):
a. The extent to which the use or disclosure would extend the number of persons with access to the protected health information.
b. The likelihood that further uses or disclosures of the protected health information could occur.
c. The amount of protected health information that would be used or disclosed.
d. The importance of the use or disclosure.
e. The potential to achieve substantially the same purpose with de-identified information. For disclosures, each covered entity would have been required to have policies for determining when protected health information must be stripped of identifiers.
f. The technology available to limit the amount of protected health information used/disclosed.
g. The cost of limiting the use/disclosure.
h. Any other factors that the covered entity believed were relevant to the determination.
The proposal shifted the "minimum necessary" burden off of covered providers when they were being audited by a health plan. The preamble explained that the duty would have been shifted to the payor to request the minimum necessary information for the audit purpose, although the regulatory text did not include such a requirement. Outside of the audit context, the preamble stated that a health plan would be required, when requesting a disclosure, to limit its requests to the information required to achieve the purpose of the request; the regulation text did not include this requirement.
The preamble stated that disclosure of an entire medical record, in response to a request for something other than the entire medical record, would presumptively violate the minimum necessary standard.
This final rule significantly modifies the proposed requirements for implementing the minimum necessary standard. For all uses and many disclosures and requests for disclosures from other covered entities, we require covered entities to implement policies and procedures for "minimum necessary" uses and disclosures. Implementation of such policies and procedures is required in lieu of making the "minimum necessary" determination for each separate use or disclosure as discussed in the proposal. Disclosures to or requests by a health care provider for treatment purposes are not subject to the standard (see § 164.502).
Specifically (and as further described below), the proposed requirement for individual review of all uses of protected health information is replaced with a requirement for covered entities to implement policies and procedures that restrict access and uses based on the specific roles of members of the covered entity's workforce. Routine disclosures also are not subject to individual review; instead, covered entities must implement policies and procedures to limit the protected health information in routine disclosures to the minimum necessary to achieve the purpose of that type of disclosure. The proposed exclusion of disclosures to health plans for audit purposes is deleted and replaced with a general requirement that covered entities must limit requests to other covered entities for individually identifiable health information to what is reasonably necessary for the use or disclosure intended. The other exclusions from the standard are unchanged from the proposed rule (e.g., for individuals' access to information about themselves, pursuant to an authorization initiated by the individual, for enforcement of this rule, as required by law).
The language of the basic "standard" itself is largely unchanged; covered entities must make reasonable efforts to use or disclose or to request from another covered entity, only the minimum amount of protected health information required to achieve the purpose of a particular use or disclosure. We delete the word "all" from the "reasonable efforts" that covered entities must take in making a "minimum necessary" determination. The implementation specifications are significantly modified, and differ based on whether the activity is a use or disclosure.
Similarly, a "minimum necessary" disclosure for oversight purposes in accordance with § 164.512(d) could include large numbers of records to allow oversight agencies to perform statistical analyses to identify deviations in payment or billing patterns, and other data analyses.
Uses of Protected Health Information
A covered entity must implement policies and procedures to identify the persons or classes of persons in the entity's workforce who need access to protected health information to carry out their duties, the category or categories of protected health information to which such persons or classes need access, and the conditions, as appropriate, that would apply to such access. Covered entities must also implement policies and procedures to limit access to only the identified persons, and only to the identified protected health information. The policies and procedures must be based on reasonable determinations regarding the persons or classes of persons who require protected health information, and the nature of the health information they require, consistent with their job responsibilities.
For example, a hospital could implement a policy that permitted nurses access to all protected health information of patients in their ward while they are on duty. A health plan could permit its underwriting analysts unrestricted access to aggregate claims information for rate setting purposes, but require documented approval from its department manager to obtain specific identifiable claims records of a member for the purpose of determining the cause of unexpected claims that could influence renewal premium rate setting.
The "minimum necessary" standard is intended to reflect and be consistent with, not override, professional judgment and standards. For example, we expect that covered entities will implement policies that allow persons involved in treatment to have access to the entire record, as needed.
Disclosures of Protected Health Information
For any type of disclosure that is made on a routine, recurring basis, a covered entity must implement policies and procedures (which may be standard protocols) that permit only the disclosure of the minimum protected health information reasonably necessary to achieve the purpose of the disclosure. Individual review of each disclosure is not required. Instead, under § 164.514(d)(3), these policies and procedures must identify the types of protected health information to be disclosed, the types of persons who would receive the protected health information, and the conditions that would apply for such access. We recognize that specific disclosures within a type may vary, and require that the policies address what is the norm for the type of disclosure involved. For example, a covered entity may decide to participate in research studies and therefore establish a protocol to minimize the information released for such purposes, e.g., by requiring researchers requesting disclosure of data contained in paper-based records to review the paper records on-site and to abstract only the information relevant to the research. Covered entities must develop policies and procedures (which may be standard protocols) to apply to disclosures to routinely hired types of business associates. For instance, a standard protocol could describe the subset of information that may be disclosed to medical transcription services.
For non-routine disclosures, a covered entity must develop reasonable criteria for determining, and limiting disclosure to, only the minimum amount of protected health information necessary to accomplish the purpose of the disclosure. They also must establish and implement procedures for reviewing such requests for disclosures on an individual basis in accordance with these criteria.
Disclosures to health care providers for treatment purposes are not subject to these requirements.
Covered entities' policies and procedures must provide that disclosure of an entire medical record will not be made except pursuant to policies which specifically justify why the entire medical record is needed. For instance, disclosure of all protected health information to an accreditation group would not necessarily violate the regulation, because the entire record may be the "minimum necessary" for its purpose; covered entities may establish policies allowing for and justifying such a disclosure. Disclosure of the entire medical record absent such documented justification is a presumptive violation of this rule.
Requests for Protected Health Information
For requests for protected health information from other covered entities made on a routine, recurring basis, the requesting covered entities' policies and procedures may establish standard protocols describing what information is reasonably necessary for the purposes and limiting their requests to only that information, in lieu of making this determination individually for each request. For all other requests, the policies and procedures must provide for review of the requests on an individualized basis. A request by a covered entity may be made in order to obtain information that will subsequently be disclosed to a third party, for example, to obtain information that will then be disclosed to a business associate for quality assessment purposes; such requests are subject to this requirement.
Covered entities' policies and procedures must provide that requests for an entire medical record will not be made except pursuant to policies which specifically justify why the entire medical record is needed. For instance, a health plan's request for all protected health information from an applicant for insurance would not necessarily violate the regulation, because the entire record may be the "minimum necessary" for its purpose. Covered entities may establish policies allowing for and justifying such a request. A request for the entire medical record absent such documented justification is a presumptive violation of this rule.
Reasonable Reliance
A covered entity may reasonably rely on the assertion of a requesting covered entity that it is requesting the minimum protected health information necessary for the stated purpose. A covered entity may also rely on the assertions of a professional (such as attorneys and accountants) who is a member of its workforce or its business associate regarding what protected health information he or she needs in order to provide professional services to the covered entity when such person represents that the information requested is the minimum necessary. As we proposed in the NPRM, covered entities making disclosures to public officials that are permitted under § 164.512 may rely on the representation of a public official that the information requested is the minimum necessary.
Uses and Disclosures for Research
In making a minimum necessary determination regarding the use or disclosure of protected health information for research purposes, a covered entity may reasonably rely on documentation from an IRB or privacy board describing the protected health information needed for research and consistent with the requirements of § 164.512(i), "Uses and Disclosures for Research Purposes." A covered entity may also reasonably rely on a representation made by the requestor that the information is necessary to prepare a research protocol or for research on decedents. The covered entity must ensure that the representation or documentation of IRB or privacy board approval it obtains from a researcher describes with sufficient specificity the protected health information necessary for the research. Covered entities must use or disclose such protected health information in a manner that minimizes the scope of the use or disclosure.
Standards for Electronic Transactions
We clarify that under § 164.502(b)(2)(v), covered entities are not required to apply the minimum necessary standard to the required or situational data elements specified in the implementation guides for HIPAA administrative simplification standard transactions in the Transactions Rule. The standard does apply for uses or disclosures in standard transactions that are made at the option of the covered entity.
Reasonable Reliance
A covered entity may reasonably rely on the assertion of a requesting covered entity that it is requesting the minimum protected health information necessary for the stated purpose. A covered entity may also rely on the assertions of a professional (such as an attorney or accountant) who is a member of its workforce or its business associate regarding what protected health information he or she needs in order to provide professional services to the covered entity when such person represents that the information requested is the minimum necessary. As we proposed in the NPRM, covered entities making disclosures to public officials that are permitted under § 164.512 may rely on the representation of a public official that the information requested is the minimum necessary.
Uses and Disclosures for Research
In making a minimum necessary determination regarding the use or disclosure of protected health information for research purposes, a covered entity may reasonably rely on documentation from an IRB or privacy board describing the protected health information needed for research and consistent with the requirements of § 164.512(i), "Uses and Disclosures for Research Purposes." A covered entity may also reasonably rely on a representation made by the requestor that the information is necessary to prepare a research protocol or for research on decedents. The covered entity must ensure that the representation or documentation of IRB or privacy board approval it obtains from a researcher describes with sufficient specificity the protected health information necessary for the research. Covered entities must use or disclose such protected health information in a manner that minimizes the scope of the use or disclosure.
Standards for Electronic Transactions
We clarify that under § 164.502(b)(2)(v), covered entities are not required to apply the minimum necessary standard to the required or situational data elements specified in the implementation guides for HIPAA administrative simplification standard transactions in the Transactions Rule. The standard does apply for uses or disclosures in standard transactions that are made at the option of the covered entity.
-
-
Section 164.514(e) - Marketing
-
In the proposed rule, we would have required covered entities to obtain the individual's authorization in order to use or disclose protected health information to market health and non-health items and services.
We have made a number of changes in the final rule that relate to marketing. In the final rule, we retain the general rule that covered entities must obtain the individual's authorization before making uses or disclosures of protected health information for marketing. However, we add a new definition of "marketing" that clarifies that certain activities, such as communications made by a covered entity for the purpose of describing the products and services it provides, are not marketing. See § 164.501 and the associated preamble regarding the definition of marketing. In the final rule we also permit covered entities to use and disclose protected health information for certain marketing activities without individual authorization, subject to conditions enumerated at § 164.514(e).
First, § 164.514(e) permits a covered entity to use or disclose protected health information without individual authorization to make a marketing communication if the communication occurs in a face-to-face encounter with the individual. This provision would permit a covered entity to discuss any services and products, including those of a third-party, without restriction during a face-to-face communication. A covered entity also could give the individual sample products or other information in this setting.
Second, we permit a covered entity to use or disclose protected health information without individual authorization to make marketing communications involving products or services of only nominal value. This provision ensures that covered entities do not violate the rule when they distribute calendars, pens and other merchandise that generally promotes the covered entity.
Third, we permit a covered entity to use or disclose protected health information without individual authorization to make marketing communications about the health-related products or services of the covered entity or of a third party if the communication: (1) identifies the covered entity as the party making the communication; (2) to the extent that the covered entity receives direct or indirect remuneration from a third-party for making the communication, prominently states that fact; (3) except in the case of a general communication (such as a newsletter), contains instructions describing how the individual may opt-out of receiving future communications about health-related products and services; and (4) where protected health information is used to target the communication about a product or service to individuals based on their health status or health condition, explains why the individual has been targeted and how the product or service relates to the health of the individual. The final rule also requires a covered entity to make a determination, prior to using or disclosing protected health information to target a communication to individuals based on their health status or condition, that the product or service may be beneficial to the health of the type or class of individual targeted to receive the communication.
This third provision accommodates the needs of health care entities to be able to discuss their own health-related products and services, or those of third parties, as part of their everyday business and as part of promoting the health of their patients and enrollees. The provision is restricted to uses by covered entities or disclosures to their business associates pursuant to a contract that requires confidentiality, ensuring that protected health information is not distributed to third parties. To provide individuals with a better understanding of how their protected health information is being used for marketing, the provision requires that the communication identify that the covered entity is the source of the communication; a covered entity may not send out information about the product of a third party without disclosing to the individual where the communication originated. We also require covered entities to disclose any direct or indirect remuneration from third parties. This requirement permits individuals to better understand why they are receiving a communication, and to weigh the extent to which their information is being used to promote their health or to enrich the covered entity. Covered entities also are required to include in their communication (unless it is a general newsletter or similar device) how the individual may prevent further communications about health-related products and services. This provision enhances individuals' control over how their information is being used. Finally, where a covered entity targets communications to individuals on the basis of their health status or condition, we require that the entity make a determination that the product or service being communicated may be beneficial to the health of the type of individuals targeted, and that the communication to the targeted individuals explain why they have been targeted and how the product or service relates to their health. 
This final provision balances the advantages that accrue from health care entities informing their patients and enrollees of new or valuable health products with individuals' expectations that their protected health information will be used to promote their health.
-
-
Section 164.514(f) - Fundraising
-
We proposed in the NPRM to require covered entities to obtain authorization from an individual in order to use the individual's protected health information for fundraising activities.
As noted in § 164.501, in the final rule we define fundraising on behalf of a covered entity to be a health care operation. In § 164.514, we permit a covered entity to use protected health information without individual authorization for fundraising on behalf of itself, provided that it limits the information that it uses to demographic information about the individual and the dates that it has provided service to the individual (see the § 164.501 discussion of "health care operations"). In addition, we require fundraising materials to explain how the individual may opt out of any further fundraising communications, and covered entities are required to honor such requests. We permit a covered entity to disclose the limited protected health information to a business associate for fundraising on its own behalf. We also permit a covered entity to disclose the information to an institutionally related foundation.
By "institutionally related foundation," we mean a foundation that qualifies as a nonprofit charitable foundation under sec. 501(c)(3) of the Internal Revenue Code and that has in its charter statement of charitable purposes an explicit linkage to the covered entity. An institutionally related foundation may, as explicitly stated in its charter, support the covered entity as well as other covered entities or health care providers in its community. For example, a covered hospital may disclose for fundraising on its own behalf the specified protected health information to a nonprofit foundation established for the specific purpose of raising funds for the hospital or to a foundation that has as its mission the support of the members of a particular hospital chain that includes the covered hospital. The term does not include an organization with a general charitable purpose, such as to support research about or to provide treatment for certain diseases, that may give money to a covered entity, because its charitable purpose is not specific to the covered entity.
-
-
Section 164.514(g) - Underwriting
-
As described under the definition of "health care operations" (§ 164.501), protected health information may be used or disclosed for underwriting and other activities relating to the creation, renewal, or replacement of a contract of health insurance or health benefits. This final rule includes a requirement, not included in the NPRM, that health plans receiving such information for these purposes may not use or disclose it for any other purpose, except as may be required by law, if the insurance or benefits contract is not placed with the health plan.
-
-
Section 164.514(h) - Verification of Identity and Authority of Persons Requesting Protected Health Information
-
Disclosure of Protected Health Information
We reorganize the provision regarding verification of identity of individuals requesting protected health information to improve clarity, but we retain the substance of requirements proposed in the NPRM in § 164.518(c), as follows.
The covered entity must establish and use written policies and procedures (which may be standard protocols) that are reasonably designed to verify the identity and authority of the requestor where the covered entity does not know the person requesting the protected health information. The knowledge of the person may take the form of a known place of business, address, phone or fax number, as well as a known human being. Where documentation, statements or representations, whether oral or written, from the person requesting the protected health information are a condition of disclosure under this rule or other law, this verification must involve obtaining such documentation, statement, or representation. In such a case, additional verification is only required where this regulation (or other law) requires additional proof of authority and identity.
The NPRM proposed that covered entities would be permitted to rely on the required documentation of IRB or privacy board approval to constitute sufficient verification that the person making the request was a researcher and that the research is authorized. The final rule retains this provision.
For most disclosures, verifying the authority for the request means taking reasonable steps to verify that the request is lawful under this regulation. Additional proof is required by other provisions of this regulation where the request is made pursuant to § 164.512 for national priority purposes. Where the person requesting the protected health information is a public official, covered entities must verify the identity of the requester by examination of reasonable evidence, such as a written statement of identity on agency letterhead, an identification badge, or similar proof of official status. Similarly, covered entities are required to verify the legal authority supporting the request by examination of reasonable evidence, such as a written request provided on agency letterhead that describes the legal authority for requesting the release. Where § 164.512 explicitly requires written evidence of legal process or other authority before a disclosure may be made, a public official's proof of identity and the official's oral statement that the request is authorized by law are not sufficient to constitute the required reasonable evidence of legal authority; under these provisions, only the required written evidence will suffice.
In some circumstances, a person or entity acting on behalf of a government agency may make a request for disclosure of protected health information under these subsections. For example, public health agencies may contract with a nonprofit agency to collect and analyze certain data. In such cases, the covered entity is required to verify the requestor's identity and authority through examination of reasonable documentation that the requestor is acting on behalf of the government agency. Reasonable evidence includes a written request provided on agency letterhead that describes the legal authority for requesting the release and states that the person or entity is acting under the agency's authority, or other documentation, including a contract, a memorandum of understanding, or purchase order that confirms that the requestor is acting on behalf of the government agency.
In some circumstances, identity or authority will be verified as part of meeting the underlying requirements for disclosure. For example, a disclosure under § 164.512(j)(1)(i) to avert an imminent threat to safety is lawful only if made in the good faith belief that the disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public, and to a person reasonably able to prevent or lessen the threat. If these conditions are met, no further verification is needed. In such emergencies, the covered entity is not required to demand written proof that the person requesting the protected health information is legally authorized. Reasonable reliance on verbal representations is appropriate in such situations.
Similarly, disclosures permitted under § 164.510(a) for facility directories may be made to the general public; the covered entity's policies and procedures do not need to address verifying the identity and authority for these disclosures. In § 164.510(b) we do not require verification of identity for persons assisting in an individual's care or for notification purposes. For disclosures when the individual is not present, such as when a friend is picking up a prescription, we allow the covered entity to use professional judgment and experience with common practice to make reasonable inferences.
Under § 164.524, a covered entity is required to give individuals access to protected health information about them (under most circumstances). Under the general verification requirements of § 164.514(h), the covered entity is required to take reasonable steps to verify the identity of the individual making the request. We do not mandate particular identification requirements (e.g., driver's license, photo ID), but rather leave this to the discretion of the covered entity. The covered entity must also establish and document procedures for verification of identity and authority of personal representatives, if not known to the entity. For example, a health care provider can require a copy of a power of attorney, or can ask questions to determine that an adult acting for a young child has the requisite relationship to the child.
In Subpart C of Part 160, we require disclosure to the Secretary for purposes of enforcing this regulation. When a covered entity is asked by the Secretary to disclose protected health information for compliance purposes, the covered entity must verify the same information that it is required to verify for any other law enforcement or oversight request for disclosure.
Use of Protected Health Information
The proposed rule's verification requirements applied to any person requesting protected health information, whether for a use or a disclosure. In the final regulation, the verification provisions apply only to disclosures of protected health information. The requirements in § 164.514(d), for implementation of policies and procedures for 'minimum necessary' uses of protected health information, are sufficient to ensure that only appropriate persons within a covered entity will have access to protected health information.
-