Section 164.520(a) - Right to Notice
We proposed to establish a right for individuals to receive adequate notice of how covered health care providers and health plans use and disclose protected health information, and of the individual's rights with respect to that information.
In the final regulation, we retain the general right for individuals to receive and the requirement for covered entities to produce a notice of privacy practices, with significant modifications to the content and distribution requirements.
We also modify the requirements with respect to certain covered entities. First, in § 164.500(b)(2), we clarify that a health care clearinghouse that creates or receives protected health information other than as a business associate of a covered entity must produce a notice. If a health care clearinghouse creates or receives protected health information only as a business associate of other covered entities, it is not required to produce a notice.
Second, in § 164.520(a)(2), we clarify the notice requirements with respect to group health plans. Individuals who receive health benefits under a group health plan other than through insurance are entitled to a notice from the group health plan; self-insured group health plans must maintain a notice that meets the requirements of this section and must provide the notice in accordance with the requirements of § 164.520(c). At a minimum, the self-insured group health plan's notice must describe the group health plan's privacy practices with respect to the protected health information it creates or receives through its self-insured arrangements. For example, if a group health plan maintains both fully-insured and self-insured arrangements, the group health plan must, at a minimum, maintain and provide a notice that describes its privacy practices with respect to protected health information it creates or receives through the self-insured arrangements. This notice would be distributed to all participants in the self-insured arrangements (in accordance with § 164.520(c)(1)) and would also be available on request to other persons, including participants in the fully-insured arrangements.
Individuals who receive health benefits under a group health plan through an insurance contract (i.e., a fully-insured group health plan) are entitled to a notice from the issuer or HMO through which they receive their health benefits. The health insurance issuer or HMO must maintain and provide the notice in accordance with § 164.520(c)(1). In addition, some fully-insured group health plans are required to maintain and provide a notice of the group health plan's privacy practices. If a group health plan provides health benefits solely through an insurance contract with a health insurance issuer or HMO, and the group health plan creates or receives protected health information in addition to summary information (as defined in § 164.504(a)) and information about individuals' enrollment in or disenrollment from a health insurance issuer or HMO offered by the group health plan, the group health plan must maintain a notice that meets the requirements of this section and must provide the notice upon request of any person. The group health plan is not required to meet the other distribution requirements of § 164.520(c)(1). Individuals enrolled in such group health plans have the right to notice of the health insurance issuer or HMO's privacy practices and, on request, to notice of the group health plan's privacy practices. If the group health plan, however, provides health benefits solely through an insurance contract with a health insurance issuer or HMO, and the only protected health information the group health plan creates or receives is summary information (as defined in § 164.504(a)) and information about individuals' enrollment in or disenrollment from a health insurance issuer or HMO offered by the group health plan, the group health plan is not required to maintain or provide a notice under this section. 
In this case, the individuals enrolled in the group health plan would receive notice of the health insurance issuer or HMO's privacy practices, but would not be entitled to notice of the group health plan's privacy practices.
Third, in § 164.520(a)(3), we clarify that inmates do not have a right to notice under this section and a correctional institution that is a covered entity is not required to produce a notice. No person, including a current or former inmate, has the right to notice of such a covered entity's privacy practices.
Section 164.520(b) - Content of Notice
We proposed to require the notice to be written in plain language and contain each of the following elements: a description of the uses and disclosures expected to be made without individual authorization; statements that other uses and disclosures would be made only with the individual's authorization and that the individual could revoke such authorization; descriptions of the rights to request restrictions, inspect and copy protected health information, amend or correct protected health information, and receive an accounting of disclosures of protected health information; statements about the entity's legal requirements to protect privacy, provide notice, and adhere to the notice; a statement about how individuals would be informed of changes to the entity's policies and procedures; instructions on how to make complaints with the entity or Secretary; the name and telephone number of a contact person or office; and the date the notice was produced. We provided a model notice of information policies and procedures for covered health care providers.
In § 164.520(b), and immediately below in this preamble, we describe the notice content requirements for the final rule. As described in detail, below, we make substantial changes to the uses and disclosures of protected health information that must be described in the notice. Unlike the proposed rule, we do not include a model notice. We intend to develop further guidance on notice requirements prior to the compliance date of this rule. In this section of the final rule, we also refer to the covered entity's privacy "practices," rather than its "policies and procedures." The purpose of this change in vocabulary is to clarify that a covered entity's "policies and procedures" is a detailed documentation of all of the entity's privacy practices as required under this rule, not just those described in the notice. For example, we require covered entities to have policies and procedures implementing the requirements for "minimum necessary" uses and disclosures of protected health information, but these policies and procedures need not be reflected in the entity's notice. Similarly, we require covered entities to have policies and procedures for assuring individuals access to protected health information about them. While such policies and procedures will need to include documentation of the designated record sets subject to access, who is authorized to determine when information will be withheld from an individual, and similar details, the notice need only explain generally that individuals have the right to inspect and copy information about them, and tell individuals how to exercise that right.
A covered entity that adopts and follows the notice content and distribution requirements described below will have provided adequate notice. However, the requirements for the content of the notice are not intended to be exclusive. As with the rest of the rule, we specify minimum requirements, not best practices. Covered entities may want to include more detail. We note that all federal agencies must still comply with the Privacy Act of 1974. This means that federal agencies that are covered entities or have covered health care components must comply with the notice requirements of the Privacy Act as well as those included in this rule.
In addition, covered entities may want or be required to produce more than one notice in order to satisfy the notice content requirements under this rule. For example, a covered entity that conducts business in multiple states with different laws regarding the uses and disclosures that the covered entity is permitted to make without authorization may be required to produce a different notice for each state. A covered entity that conducts business both as part of an organized health care arrangement or affiliated covered entity and as an independent enterprise (e.g., a physician who sees patients through an on-call arrangement with a hospital and through an independent private practice) may want to adopt different privacy practices with respect to each line of business; such a covered entity would be required to produce a different notice describing the practices for each line of business. Covered entities must produce notices that accurately describe the privacy practices that are relevant to the individuals receiving the notice.
Required Elements
Plain Language
As in the proposed rule, we require the notice to be written in plain language. A covered entity can satisfy the plain language requirement if it makes a reasonable effort to: organize material to serve the needs of the reader; write short sentences in the active voice, using "you" and other pronouns; use common, everyday words in sentences; and divide material into short sections.
We do not require particular formatting specifications, such as easy-to-read design features (e.g., lists, tables, graphics, contrasting colors, and white space), type face, and font size. However, the purpose of the notice is to inform the recipients about their rights and how protected health information collected about them may be used or disclosed. Recipients who cannot understand the covered entity's notice will miss important information about their rights under this rule and about how the covered entity is protecting health information about them. One of the goals of this rule is to create an environment of open communication and transparency with respect to the use and disclosure of protected health information. A lack of clarity in the notice could undermine this goal and create misunderstandings. Covered entities have an incentive to make their notice statements clear and concise. We believe that the more understandable the notice is, the more confidence the public will have in the covered entity's commitment to protecting the privacy of health information.
It is important that the content of the notice be communicated to all recipients and therefore we encourage the covered entity to consider alternative means of communicating with certain populations. We note that any covered entity that is a recipient of federal financial assistance is generally obligated under Title VI of the Civil Rights Act of 1964 to provide material ordinarily distributed to the public in the primary languages of persons with limited English proficiency in the recipients' service areas. Specifically, this Title VI obligation provides that, where a significant number or proportion of the population eligible to be served or likely to be directly affected by a federally assisted program needs service or information in a language other than English in order to be effectively informed of or participate in the program, the recipient shall take reasonable steps, considering the scope of the program and the size and concentration of such population, to provide information in languages appropriate to such persons. For covered entities not subject to Title VI, the Title VI standards provide helpful guidance for effectively communicating the content of their notices to non-English speaking populations.
We also encourage covered entities to be attentive to the needs of individuals who cannot read. For example, an employee of the covered entity could read the notice to individuals upon request or the notice could be incorporated into a video presentation that is played in the waiting area.
Header
Unlike the proposed rule, covered entities must include prominent and specific language in the notice that indicates the importance of the notice. This is the only specific language we require covered entities to include in the notice. The header must read, "THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY."
Uses and Disclosures
We proposed to require covered entities to describe in plain language the uses and disclosures of protected health information, and the covered entity's policies and procedures with respect to such uses and disclosures, that the health plan or covered provider expected to make without individual authorization. The covered provider or health plan would have had to distinguish between those uses and disclosures required by law and those permitted but not required by law.
We also proposed to require covered health care providers and health plans to state in the notice that all other uses and disclosures would be made only with the individual's authorization and that such authorization could be revoked. The notice would also have been required to state that the individual could request restrictions on certain uses and disclosures and that the covered entity would not be required to agree to such a request.
We significantly modify these requirements in the final rule. Covered entities must describe all uses and disclosures of protected health information that they are permitted or required to make under this rule without authorization, including those uses and disclosures subject to the consent requirements under § 164.506. If other applicable law prohibits or materially limits the covered entity's ability to make any uses or disclosures that would otherwise be permitted under the rule, the covered entity must describe only the uses and disclosures permitted under the more stringent law.
Covered entities must separately describe each purpose for which they are permitted to use or disclose protected health information under this rule without authorization, and must do so in sufficient detail to place the individual on notice of those uses and disclosures. With respect to uses and disclosures to carry out treatment, payment, and health care operations, the description must include at least one example of the types of uses and disclosures that the covered entity is permitted to make. This requirement is intended to inform individuals of all the uses and disclosures that the covered entity is legally required or permitted to make under applicable law, even if the covered entity does not anticipate actually making such uses and disclosures. We do not require covered entities to distinguish in their notices between those uses and disclosures required by law and those permitted but not required by law.
Unlike the proposed rule, we additionally require covered entities that wish to contact individuals for any of the following activities to list these activities in the notice: providing appointment reminders, describing or recommending treatment alternatives, providing information about health-related benefits and services that may be of interest to the individual, or soliciting funds to benefit the covered entity. If the covered entity does not include these statements in its notice, it is prohibited from using or disclosing protected health information for these activities without authorization. See § 164.502(i).
In addition, if a group health plan, or a health insurance issuer or HMO with respect to a group health plan, wants the option to disclose protected health information to a group health plan sponsor without authorization as permitted under § 164.504(f), the group health plan, health insurance issuer or HMO must describe that practice in its notice.
As in the proposed rule, the notice must state that all other uses and disclosures will be made only with the individual's authorization and that the individual has the right to revoke such authorization.
We anticipate this requirement will lead to significant standardization of the notice. This language could be the same for every covered entity of a particular type within a state, territory, or other locale. We encourage states, state professional associations, and other organizations to develop model language to assist covered entities in preparing their notices.
Individual Rights
As in the proposed rule, covered entities must describe individuals' rights under the rule and how individuals may exercise those rights with respect to the covered entity. Covered entities must describe each of the following rights, as provided under the rule: the right to request restrictions on certain uses and disclosures, including a statement that the covered entity is not required to agree to a requested restriction (§ 164.522(a)); the right to receive confidential communications of protected health information (§ 164.522(b)); the right to inspect and copy protected health information (§ 164.524); the right to amend protected health information (§ 164.526); and the right to an accounting of disclosures of protected health information (§ 164.528). We additionally require the notice to describe the right of an individual, including an individual that has agreed to receive the notice electronically, to obtain a paper copy of the notice upon request.
Covered Entity's Duties
As in the proposed rule, covered entities must state in the notice that they are required by law to maintain the privacy of protected health information, to provide a notice of their legal duties and privacy practices, and to abide by the terms of the notice currently in effect. In the final rule, we additionally require the covered entity, if it wishes to reserve the right to change its privacy practices and apply the revised practices to protected health information previously created or received, to make a statement to that effect and describe how it will provide individuals with a revised notice. (See below for a more detailed discussion of a covered entity's responsibilities when it changes its privacy practices.)
Complaints
As in the proposed rule, a covered entity's notice must inform individuals about how they can lodge complaints with the covered entity if they believe their privacy rights have been violated. See § 164.530(d) and the corresponding preamble discussion for the requirements on covered entities for receiving complaints. The notice must also state that individuals may file complaints with the Secretary. In the final rule, we additionally require the notice to include a statement that the individual will not suffer retaliation for filing a complaint.
Contact
As in the proposed rule, the notice must identify a point of contact where the individual can obtain additional information about any of the matters identified in the notice.
Effective Date
The notice must include the date the notice went into effect, rather than the proposed requirement to include the date the notice was produced. The effective date cannot be earlier than the date on which the notice was first printed or otherwise published. Covered entities may wish to highlight or otherwise emphasize any material modifications they have made, in order to help the individual recognize such changes.
Optional Elements
As described above, we proposed to require covered entities to describe the uses and disclosures of protected health information that the covered entity in fact expected to make without the individual's authorization. We did not specify any optional elements.
While the final rule requires covered entities to describe all of the types of uses and disclosures permitted or required by law (not just those that the covered entity intends to make), we also permit and encourage covered entities to include optional elements that describe the actual, more limited, uses and disclosures they intend to make without authorization. We anticipate that some covered entities will want to distinguish themselves on the basis of their more stringent privacy practices. For example, covered health care providers who routinely treat patients with particularly sensitive conditions may wish to assure their patients that, even though the law permits them to disclose information for a wide array of purposes, the covered health care provider will only disclose information in very specific circumstances, as required by law, and to avert a serious and imminent threat to health or safety. A covered entity may not include statements in the notice that purport to limit the entity's ability to make uses or disclosures that are required by law or necessary to avert a serious and imminent threat to health or safety.
As described above, if the covered entity wishes to reserve the right to change its privacy practices with respect to the more limited uses and disclosures and apply the revised practices to protected health information previously created or received, it must make a statement to that effect and describe how it will provide individuals with a revised notice. (See below for a more detailed discussion of a covered entity's responsibilities when it changes its privacy practices.)
Revisions to the Notice
We proposed to require a covered entity to adhere to the terms of its notice, and would have permitted it to change its information policies and procedures at any time. We would have required covered health care providers and health plans to update the notice to reflect material changes to the information policies and procedures described in the notice. Changes to the notice would have applied to all protected health information held by the covered entity, including information collected under prior notices. That is, we would not have required covered entities to segregate their records according to the notice in effect at the time the record was created. We proposed to prohibit covered entities from implementing a change to an information policy or procedure described in the notice until the notice was updated to reflect the change, unless a compelling reason existed to make a use or disclosure or take other action that the notice would not have permitted. In these situations, we proposed to require covered entities to document the compelling reason and, within 30 days of the use, disclosure, or other action, change their notice to permit the action.
As in the proposed rule, covered entities are required to adhere to the terms of the notice currently in effect. See § 164.502(i). When a covered entity materially changes any of the uses or disclosures, the individual's rights, the covered entity's legal duties, or other privacy practices described in its notice, it must promptly revise its notice accordingly. See § 164.520(b)(3). (Pursuant to § 164.530(i), it must also revise its policies and procedures.) Except when required by law, a material change to any term in the notice may not be implemented prior to the effective date of the notice in which such material change is reflected. In the final rule, however, we revise the circumstances under and extent to which the covered entity may revise the practices stated in the notice and apply the new practices to protected health information it created or received under prior notice.
Under § 164.530(i), a covered entity that wishes to change its practices over time without segregating its records according to the notice in effect at the time the records were created must reserve the right to do so in its notice. For example, a covered hospital that states in its notice that it will only make public health disclosures required by law, and that does not reserve the right to change this practice, is prohibited from making any discretionary public health disclosures of protected health information created or received during the effective period of that notice. If the covered hospital wishes at some point in the future to make discretionary disclosures for public health purposes, it must revise its notice to so state, and must segregate its records so that protected health information created or received under the prior notice is not disclosed for discretionary public health purposes. This hospital may then make discretionary public health disclosures of protected health information created or received after the effective date of the revised notice.
If a second covered hospital states in its notice that it will only make public health disclosures required by law, but does reserve the right to change its practices, it is prohibited from making any discretionary public health disclosures of protected health information created or received during the effective period of that notice. If this hospital wishes at some point in the future to make discretionary disclosures for public health purposes, it must revise its notice to so state, but need not segregate its records. As of the effective date of the revised notice, it may disclose any protected health information, including information created or received under the prior notice, for discretionary public health purposes.
Section 164.530(i) and the corresponding discussion in this preamble describe the requirements for revision of a covered entity's privacy policies and procedures, including the privacy practices reflected in its notice.
Section 164.520(c) - Provision of Notice
As in the proposed rule, all covered entities that are required to produce a notice must provide the notice upon request of any person. The requestor does not have to be a current patient or enrollee. We intend the notice to be a public document that people can use in choosing between covered entities.
For health plans, we proposed to require health plans to distribute the notice to individuals covered by the health plan as of the compliance date; after the compliance date, at enrollment in the health plan; after enrollment, within 60 days of a material revision to the content of the notice; and no less frequently than once every three years.
As in the proposed rule, under the final rule health plans must provide the notice to all health plan enrollees as of the compliance date. After the compliance date, health plans must provide the notice to all new enrollees at the time of enrollment and to all enrollees within 60 days of a material revision to the notice. Of course, the term "enrollees" includes participants and beneficiaries in group health plans.
Unlike the proposed rule, we do not require health plans to distribute the notice every three years. Instead, health plans must notify enrollees no less than once every three years about the availability of the notice and how to obtain a copy.
We also clarify that, in each of these circumstances, if a named insured and one or more dependents are covered by the same policy, the health plan can satisfy the distribution requirement with respect to the dependents by sending a single copy of the notice to the named insured. For example, if an employee of a firm and her three dependents are all covered under a single health plan policy, that health plan can satisfy the initial distribution requirement by sending a single copy of the notice to the employee rather than sending four copies, each addressed to a different member of the family.
We further clarify that if a health plan has more than one notice, it satisfies its distribution requirement by providing the notice that is relevant to the individual or other person requesting the notice. For example, a health insurance issuer may have contracts with two different group health plans. One contract specifies that the issuer may use and disclose protected health information about the participants in the group health plan for research purposes without authorization (subject to the requirements of this rule) and one contract specifies that the issuer must always obtain authorizations for these uses and disclosures. The issuer accordingly develops two notices reflecting these different practices and satisfies its distribution requirements by providing the relevant notice to the relevant group health plan participants.
We proposed to require covered health care providers with face-to-face contact with individuals to provide the notice to all such individuals at the first service delivery to the individual during the one year period after the compliance date. After this one year period, covered providers with face-to-face contact with individuals would have been required to distribute the notice to all new patients at the first service delivery. Covered providers without face-to-face contact with individuals would have been required to provide the notice in a reasonable period of time following first service delivery.
We proposed to require all covered providers to post the notice in a clear and prominent location where it would be reasonable to expect individuals seeking services from the covered provider to be able to read the notice. We would have required revisions to be posted promptly.
In the final rule, we vary the distribution requirements according to whether the covered health care provider has a direct treatment relationship with an individual, rather than whether the covered health care provider has face-to-face contact with an individual. See § 164.501 and the corresponding discussion in this preamble regarding the definition of indirect treatment relationship.
Covered health care providers that have direct treatment relationships with individuals must provide the notice to such individuals as of the first service delivery after the compliance date. This requirement applies whether the first service is delivered electronically or in person. Covered providers may satisfy this requirement by sending the notice to all of their patients at once, by giving the notice to each patient as he or she comes into the provider's office or facility or contacts the provider electronically, or by some combination of these approaches. Covered providers that maintain a physical service delivery site must prominently post the notice where it is reasonable to expect individuals seeking service from the provider to be able to read the notice. The notice must also be available on site for individuals to take on request. In the event of a revision to the notice, the covered provider must promptly post the revision and make it available on site.
Covered health care providers that have indirect treatment relationships with individuals are only required to produce the notice upon request, as described above.
The proposed rule was silent regarding electronic distribution of the notice. Under the final rule, a covered entity that maintains a web site describing the services and benefits it offers must make its privacy notice prominently available through the site.
A covered entity may satisfy the applicable distribution requirements described above by providing the notice to the individual electronically, if the individual agrees to receiving materials from the covered entity electronically and the individual has not withdrawn his or her agreement. If the covered entity knows that the electronic transmission has failed, the covered entity must provide a paper copy of the notice to the individual.
If an individual's first service delivery from a covered provider occurs electronically, the covered provider must provide electronic notice automatically and contemporaneously in response to the individual's first request for service. For example, the first time an individual requests to fill a prescription through a covered internet pharmacy, the pharmacy must automatically and contemporaneously provide the individual with the pharmacy's notice of privacy practices. An individual that receives a covered entity's notice electronically retains the right to request a paper copy of the notice as described above. This right must be described in the notice.
We note that the Electronic Signatures in Global and National Commerce Act (Pub. L. 106-229) may apply to documents required under this rule to be provided in writing. We do not intend to affect the application of that law to documents required under this rule.
Section 164.520(d) - Joint Notice by Separate Covered Entities
The proposed rule was silent regarding the ability of legally separate covered entities to produce a single notice.
In the final rule, we allow covered entities that participate in an organized health care arrangement to comply with this section by producing a single notice that describes their combined privacy practices. See § 164.501 and the corresponding preamble discussion regarding the definition of organized health care arrangement. (We note that, under § 164.504(d), covered entities that are under common ownership or control may designate themselves as a single affiliated covered entity. Joint notice requirements do not apply to such entities. Single affiliated covered entities must produce a single notice, consistent with the requirements described above for any other covered entity. Covered entities under common ownership or control that elect not to designate themselves as a single affiliated covered entity, however, may elect to produce a joint notice if they meet the definition of an organized health care arrangement.)
The joint notice must meet all of the requirements described above. The covered entities must agree to abide by the terms of the notice with respect to protected health information created or received by the covered entities as part of their participation in the organized health care arrangement. In addition, the joint notice must reasonably identify the covered entities, or class of covered entities, to which the joint notice applies and the service delivery sites, or classes of service delivery sites, to which the joint notice applies. If the covered entities participating in the organized health care arrangement will share protected health information with each other as necessary to carry out treatment, payment, or health care operations relating to the arrangement, that fact must be stated in the notice.
Typical examples where this policy may be useful are health care facilities where physicians and other providers who have offices elsewhere also provide services at the facility (e.g., hospital staff privileges, physicians visiting their patients at a residential facility). In these cases, a single notice may cover both the physician and the facility, if the above conditions are met. The physician is required to have a separate notice covering the privacy practices at the physician's office if those practices are different from the practices described in the joint notice.
If any one of the covered entities included in the joint notice distributes the notice to an individual, as required above, the distribution requirement is met for all of the covered entities included in the joint notice.
Section 164.520(e) - Documentation
As in the proposed rule, we establish documentation requirements for covered entities subject to this provision. In the final rule, we specify that covered entities must retain copies of the notice(s) they issue in accordance with § 164.530(j). See § 164.530(j) and the corresponding preamble discussion for further description of the documentation requirements.