We proposed to require the notice to be written in plain language and contain each of the following elements: a description of the uses and disclosures expected to be made without individual authorization; statements that other uses and disclosures would be made only with the individual's authorization and that the individual could revoke such authorization; descriptions of the rights to request restrictions, inspect and copy protected health information, amend or correct protected health information, and receive an accounting of disclosures of protected health information; statements about the entity's legal requirements to protect privacy, provide notice, and adhere to the notice; a statement about how individuals would be informed of changes to the entity's policies and procedures; instructions on how to make complaints with the entity or Secretary; the name and telephone number of a contact person or office; and the date the notice was produced. We provided a model notice of information policies and procedures for covered health care providers.
In § 164.520(b), and immediately below in this preamble, we describe the notice content requirements for the final rule. As described in detail, below, we make substantial changes to the uses and disclosures of protected health information that must be described in the notice. Unlike the proposed rule, we do not include a model notice. We intend to develop further guidance on notice requirements prior to the compliance date of this rule. In this section of the final rule, we also refer to the covered entity's privacy "practices," rather than its "policies and procedures." The purpose of this change in vocabulary is to clarify that a covered entity's "policies and procedures" is a detailed documentation of all of the entity's privacy practices as required under this rule, not just those described in the notice. For example, we require covered entities to have policies and procedures implementing the requirements for "minimum necessary" uses and disclosures of protected health information, but these policies and procedures need not be reflected in the entity's notice. Similarly, we require covered entities to have policies and procedures for assuring individuals access to protected health information about them. While such policies and procedures will need to include documentation of the designated record sets subject to access, who is authorized to determine when information will be withheld from an individual, and similar details, the notice need only explain generally that individuals have the right to inspect and copy information about them, and tell individuals how to exercise that right.
A covered entity that adopts and follows the notice content and distribution requirements described below will have provided adequate notice. However, the requirements for the content of the notice are not intended to be exclusive. As with the rest of the rule, we specify minimum requirements, not best practices. Covered entities may want to include more detail. We note that all federal agencies must still comply with the Privacy Act of 1974. This means that federal agencies that are covered entities or have covered health care components must comply with the notice requirements of the Privacy Act as well as those included in this rule.
In addition, covered entities may want or be required to produce more than one notice in order to satisfy the notice content requirements under this rule. For example, a covered entity that conducts business in multiple states with different laws regarding the uses and disclosures that the covered entity is permitted to make without authorization may be required to produce a different notice for each state. A covered entity that conducts business both as part of an organized health care arrangement or affiliated covered entity and as an independent enterprise (e.g., a physician who sees patients through an on-call arrangement with a hospital and through an independent private practice) may want to adopt different privacy practices with respect to each line of business; such a covered entity would be required to produce a different notice describing the practices for each line of business. Covered entities must produce notices that accurately describe the privacy practices that are relevant to the individuals receiving the notice.
As in the proposed rule, we require the notice to be written in plain language. A covered entity can satisfy the plain language requirement if it makes a reasonable effort to: organize material to serve the needs of the reader; write short sentences in the active voice, using "you" and other pronouns; use common, everyday words in sentences; and divide material into short sections.
We do not require particular formatting specifications, such as easy-to-read design features (e.g., lists, tables, graphics, contrasting colors, and white space), type face, and font size. However, the purpose of the notice is to inform the recipients about their rights and how protected health information collected about them may be used or disclosed. Recipients who cannot understand the covered entity's notice will miss important information about their rights under this rule and about how the covered entity is protecting health information about them. One of the goals of this rule is to create an environment of open communication and transparency with respect to the use and disclosure of protected health information. A lack of clarity in the notice could undermine this goal and create misunderstandings. Covered entities have an incentive to make their notice statements clear and concise. We believe that the more understandable the notice is, the more confidence the public will have in the covered entity's commitment to protecting the privacy of health information.
It is important that the content of the notice be communicated to all recipients and therefore we encourage the covered entity to consider alternative means of communicating with certain populations. We note that any covered entity that is a recipient of federal financial assistance is generally obligated under Title VI of the Civil Rights Act of 1964 to provide material ordinarily distributed to the public in the primary languages of persons with limited English proficiency in the recipients' service areas. Specifically, this Title VI obligation provides that, where a significant number or proportion of the population eligible to be served or likely to be directly affected by a federally assisted program needs service or information in a language other than English in order to be effectively informed of or participate in the program, the recipient shall take reasonable steps, considering the scope of the program and the size and concentration of such population, to provide information in languages appropriate to such persons. For covered entities not subject to Title VI, the Title VI standards provide helpful guidance for effectively communicating the content of their notices to non-English speaking populations.
We also encourage covered entities to be attentive to the needs of individuals who cannot read. For example, an employee of the covered entity could read the notice to individuals upon request or the notice could be incorporated into a video presentation that is played in the waiting area.
Unlike the proposed rule, covered entities must include prominent and specific language in the notice that indicates the importance of the notice. This is the only specific language we require covered entities to include in the notice. The header must read, "THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY."
Uses and Disclosures
We proposed to require covered entities to describe in plain language the uses and disclosures of protected health information, and the covered entity's policies and procedures with respect to such uses and disclosures, that the health plan or covered provider expected to make without individual authorization. The covered provider or health plan would have had to distinguish between those uses and disclosures required by law and those permitted but not required by law.
We also proposed to require covered health care providers and health plans to state in the notice that all other uses and disclosures would be made only with the individual's authorization and that such authorization could be revoked. The notice would also have been required to state that the individual could request restrictions on certain uses and disclosures and that the covered entity would not be required to agree to such a request.
We significantly modify these requirements in the final rule. Covered entities must describe all uses and disclosures of protected health information that they are permitted or required to make under this rule without authorization, including those uses and disclosures subject to the consent requirements under § 164.506. If other applicable law prohibits or materially limits the covered entity's ability to make any uses or disclosures that would otherwise be permitted under the rule, the covered entity must describe only the uses and disclosures permitted under the more stringent law.
Covered entities must separately describe each purpose for which they are permitted to use or disclose protected health information under this rule without authorization, and must do so in sufficient detail to place the individual on notice of those uses and disclosures. With respect to uses and disclosures to carry out treatment, payment, and health care operations, the description must include at least one example of the types of uses and disclosures that the covered entity is permitted to make. This requirement is intended to inform individuals of all the uses and disclosures that the covered entity is legally required or permitted to make under applicable law, even if the covered entity does not anticipate actually making such uses and disclosures. We do not require covered entities to distinguish in their notices between those uses and disclosures required by law and those permitted but not required by law.
Unlike the proposed rule, we additionally require covered entities that wish to contact individuals for any of the following activities to list these activities in the notice: providing appointment reminders, describing or recommending treatment alternatives, providing information about health-related benefits and services that may be of interest to the individual, or soliciting funds to benefit the covered entity. If the covered entity does not include these statements in its notice, it is prohibited from using or disclosing protected health information for these activities without authorization. See § 164.502(i).
In addition, if a group health plan, or a health insurance issuer or HMO with respect to a group health plan, wants the option to disclose protected health information to a group health plan sponsor without authorization as permitted under § 164.504(f), the group health plan, health insurance issuer or HMO must describe that practice in its notice.
As in the proposed rule, the notice must state that all other uses and disclosures will be made only with the individual's authorization and that the individual has the right to revoke such authorization.
We anticipate this requirement will lead to significant standardization of the notice. This language could be the same for every covered entity of a particular type within a state, territory, or other locale. We encourage states, state professional associations, and other organizations to develop model language to assist covered entities in preparing their notices.
As in the proposed rule, covered entities must describe individuals' rights under the rule and how individuals may exercise those rights with respect to the covered entity. Covered entities must describe each of the following rights, as provided under the rule: the right to request restrictions on certain uses and disclosures, including a statement that the covered entity is not required to agree to a requested restriction (§ 164.522(a)); the right to receive confidential communications of protected health information (§ 164.522(b)); the right to inspect and copy protected health information (§ 164.524); the right to amend protected health information (§ 164.526); and the right to an accounting of disclosures of protected health information (§ 164.528). We additionally require the notice to describe the right of an individual, including an individual that has agreed to receive the notice electronically, to obtain a paper copy of the notice upon request.
Covered Entity's Duties
As in the proposed rule, covered entities must state in the notice that they are required by law to maintain the privacy of protected health information, to provide a notice of their legal duties and privacy practices, and to abide by the terms of the notice currently in effect. In the final rule, we additionally require the covered entity, if it wishes to reserve the right to change its privacy practices and apply the revised practices to protected health information previously created or received, to make a statement to that effect and describe how it will provide individuals with a revised notice. (See below for a more detailed discussion of a covered entity's responsibilities when it changes its privacy practices.)
As in the proposed rule, a covered entity's notice must inform individuals about how they can lodge complaints with the covered entity if they believe their privacy rights have been violated. See § 164.530(d) and the corresponding preamble discussion for the requirements on covered entities for receiving complaints. The notice must also state that individuals may file complaints with the Secretary. In the final rule, we additionally require the notice to include a statement that the individual will not suffer retaliation for filing a complaint.
As in the proposed rule, the notice must identify a point of contact where the individual can obtain additional information about any of the matters identified in the notice.
The notice must include the date the notice went into effect, rather than the proposed requirement to include the date the notice was produced. The effective date cannot be earlier than the date on which the notice was first printed or otherwise published. Covered entities may wish to highlight or otherwise emphasize any material modifications that it has made, in order to help the individual recognize such changes.
As described above, we proposed to require covered entities to describe the uses and disclosures of protected health information that the covered entity in fact expected to make without the individual's authorization. We did not specify any optional elements.
While the final rule requires covered entities to describe all of the types of uses and disclosures permitted or required by law (not just those that the covered entity intends to make), we also permit and encourage covered entities to include optional elements that describe the actual, more limited, uses and disclosures they intend to make without authorization. We anticipate that some covered entities will want to distinguish themselves on the basis of their more stringent privacy practices. For example, covered health care providers who routinely treat patients with particularly sensitive conditions may wish to assure their patients that, even though the law permits them to disclose information for a wide array of purposes, the covered health care provider will only disclose information in very specific circumstances, as required by law, and to avert a serious and imminent threat to health or safety. A covered entity may not include statements in the notice that purport to limit the entity's ability to make uses or disclosures that are required by law or necessary to avert a serious and imminent threat to health or safety.
As described above, if the covered entity wishes to reserve the right to change its privacy practices with respect to the more limited uses and disclosures and apply the revised practices to protected health information previously created or received, it must make a statement to that effect and describe how it will provide individuals with a revised notice. (See below for a more detailed discussion of a covered entity's responsibilities when it changes its privacy practices.)
Revisions to the Notice
We proposed to require a covered entity to adhere to the terms of its notice, and would have permitted it to change its information policies and procedures at any time. We would have required covered health care providers and health plans to update the notice to reflect material changes to the information policies and procedures described in the notice. Changes to the notice would have applied to all protected health information held by the covered entity, including information collected under prior notices. That is, we would not have require covered entities to segregate their records according to the notice in effect at the time the record was created. We proposed to prohibit covered entities from implementing a change to an information policy or procedure described in the notice until the notice was updated to reflect the change, unless a compelling reason existed to make a use or disclosure or take other action that the notice would not have permitted. In these situations, we proposed to require covered entities to document the compelling reason and, within 30 days of the use, disclosure, or other action, change its notice to permit the action.
As in the proposed rule, covered entities are required to adhere to the terms of the notice currently in effect. See § 164.502(i). When a covered entity materially changes any of the uses or disclosures, the individual's rights, the covered entity's legal duties, or other privacy practices described in its notice, it must promptly revise its notice accordingly. See § 164.520(b)(3). (Pursuant to § 164.530(i), it must also revise its policies and procedures.) Except when required by law, a material change to any term in the notice may not be implemented prior to the effective date of the notice in which such material change is reflected. In the final rule, however, we revise the circumstances under and extent to which the covered entity may revise the practices stated in the notice and apply the new practices to protected health information it created or received under prior notice.
Under § 164.530(i), a covered entity that wishes to change its practices over time without segregating its records according to the notice in effect at the time the records were created must reserve the right to do so in its notice. For example, a covered hospital that states in its notice that it will only make public health disclosures required by law, and that does not reserve the right to change this practice, is prohibited from making any discretionary public health disclosures of protected health information created or received during the effective period of that notice. If the covered hospital wishes at some point in the future to make discretionary disclosures for public health purposes, it must revise its notice to so state, and must segregate its records so that protected health information created or received under the prior notice is not disclosed for discretionary public health purposes. This hospital may then make discretionary public health disclosures of protected health information created or received after the effective date of the revised notice.
If a second covered hospital states in its notice that it will only make public health disclosures required by law, but does reserve the right to change its practices, it is prohibited from making any discretionary public health disclosures of protected health information created or received during the effective period of that notice. If this hospital wishes at some point in the future to make discretionary disclosures for public health purposes, it must revise its notice to so state, but need not segregate its records. As of the effective date of the revised notice, it may disclose any protected health information, including information created or received under the prior notice, for discretionary public health purposes.
Section 164.530(i) and the corresponding discussion in this preamble describes requirements for revision of a covered entity's privacy policies and procedures, including the privacy practices reflected in its notice.