Comment: Many commenters supported the proposal to require covered entities to produce a notice of information practices. They stated that such notice would improve individuals' understanding of how their information may be used and disclosed and would help to build trust between individuals and covered entities. A few comments, however, argued that the notice requirement would be administratively burdensome and expensive without providing significant benefit to individuals.
Response: We retain the requirement for covered health care providers and health plans to produce a notice of information practices. We additionally require health care clearinghouses that create or receive protected health information other than as a business associate of another covered entity to produce a notice. We believe the notice will provide individuals with a clearer understanding of how their information may be used and disclosed and is essential to inform individuals of their privacy rights. The notice will focus individuals on privacy issues, and prompt individuals to have discussions about privacy issues with their health plans, health care providers, and other persons.
The importance of providing individuals with notice of the uses and disclosures of their information and of their rights with respect to that information is well supported by industry groups, and is recognized in current state and federal law. The July 1977 Report of the Privacy Protection Study Commission recommended that "each medical-care provider be required to notify an individual on whom it maintains a medical record of the disclosures that may be made of information in the record without the individual's express authorization." 23 The Commission also recommended that "an insurance institution... notify [an applicant or principal insured] as to: ... the types of parties to whom and circumstances under which information about the individual may be disclosed without his authorization, and the types of information that may be disclosed; [and] ... the procedures whereby the individual may correct, amend, delete, or dispute any resulting record about himself." (24) The Privacy Act (5 U.S.C. 552a) requires government agencies to provide notice of the routine uses of information the agency collects and the rights individuals have with respect to that information. In its report "Best Principles for Health Privacy," the Health Privacy Working Group stated, "Individuals should be given notice about the use and disclosure of their health information and their rights with regard to that information." (25) The National Association of Insurance Commissioners' Health Information Privacy Model Act requires carriers to provide a written notice of health information policies, standards, and procedures, including a description of the uses and disclosures prohibited and permitted by the Act, the procedures for authorizing and limiting disclosures and for revoking authorizations, and the procedures for accessing and amending protected health information.
Some states require additional notice. For example, Hawaii requires health care providers and health plans, among others, to produce a notice of confidentiality practices, including a description of the individual's privacy rights and a description of the uses and disclosures of protected health information permitted under state law without the individual's authorization. (HRS section 323C-13)
Today, health plan hand books and evidences of coverage include some of what is required to be in the notice. Industry and standard-setting organizations have also developed notice requirements. The National Committee for Quality Assurance accreditation guidelines state that an accredited managed care organization "communicates to prospective members its policies and practices regarding the collection, use, and disclosure of medical information [and]... informs members... of its policies and procedures on... allowing members access to their medical records." (26) Standards of the American Society for Testing and Materials state, "Organizations and individuals who collect, process, handle, or maintain health information should provide individuals and the public with a notice of information practices." They recommend that the notice include, among other elements, "a description of the rights of individuals, including the right to inspect and copy information and the right to seek amendments [and] a description of the types of uses and disclosures that are permitted or required by law without the individual's authorization." (27) We build on this well-established principle in this final rule.
Comment: We received many comments on the model notice provided in the proposed rule. Some commenters argued that patients seeing similar documents would be less likely to become disoriented when examining a new notice. Other commenters, however, opposed the inclusion of a model notice or expressed concern about particular language included in the model. They maintained that a uniform model notice would never capture the varying practices of covered entities. Many commenters opposed requirements for a particular format or specific language in the notice. They stated that covered entities should be afforded maximum flexibility in fashioning their notices. Other commenters requested inclusion of specific language as a header to indicate the importance of the notice. A few commenters recommended specific formatting requirements, such as font size or type.
Response: On the whole, we found commenters' arguments for flexibility in the regulation more persuasive than those arguing for more standardization. We agree that a uniform notice would not capture the wide variation in information practices across covered entities. We therefore do not include a model notice in the final rule, and do not require inclusion of specific language in the notice (except for a standard header). We also do not require particular formatting. We do, however, require the notice to be written in plain language. (See above for guidance on writing documents in plain language.) We also agree with commenters that the notice should contain a standard header to draw the individual's attention to the notice and facilitate the individual's ability to recognize the notice across covered entities.
We believe that post-publication guidance will be a more effective mechanism for helping covered entities design their notices than the regulation itself. After the rule is published, we can provide guidance on notice content and format tailored to different types of health plans and providers. We believe such specially designed guidance will be more useful that a one-size-fits-all model notice we might publish with this regulation.
Comment: Commenters suggested that the rule should require that the notice regarding privacy practices include specific provisions related to health information of unemancipated minors.
Response: Although we agree that minors and their parents should be made aware of practices related to confidentiality of protected health information of unemancipated minors, we do not require covered entities that treat minors or use their protected health information to include provisions in their notice that are not required of other covered entities. In general, the content of notice requirements in § 164.520(b) do not vary based on the status of the individual being served. We have decided to maintain consistency by declining to prescribe specific notice requirements for minors. The rule does permit a covered entity to provide individuals with notice of its policies and procedures with respect to anticipated uses and disclosures of protected health information (§ 164.520(b)(2)), and providers are encouraged to do so.
Comment: Some commenters argued that covered entities should not be required to distinguish between those uses and disclosures that are required by law and those that are permitted by law without authorization, because these distinctions may not always be clear and will vary across jurisdictions. Some commenters maintained that simply stating that the covered entity would make all disclosures required by law would be sufficient. Other comments suggested that covered entities should be able to produce very broadly stated notices so that repeated revisions and mailings of those revisions would not be necessary.
Response: While we believe that covered entities have an independent duty to understand the laws to which they are subject, we also recognize that it could be difficult to convey such legal distinctions clearly and concisely in a notice. We therefore eliminate the proposed requirement for covered entities to distinguish between those uses and disclosures that are required by and those that are permitted by law. We instead require that covered entities describe each purpose for which they are permitted or required to use or disclose protected health information under this rule and other applicable law without individual consent or authorization. Specifically, covered entities must describe the types of uses and disclosures they are permitted to make for treatment, payment, and health care operations. They must also describe each of the purposes for which the covered entity is permitted or required by this subpart to use or disclose protected health information without the individual's written consent or authorization (even if they do not plan to make a permissive use or disclosure). We believe this requirement provides individuals with sufficient information to understand how information about them can be used and disclosed and to prompt them to ask for additional information to obtain a clearer understanding, while minimizing covered entities' burden.
A notice that stated only that the covered entity would make all disclosures required by law, as suggested by some of these commenters, would fail to inform individuals of the uses and disclosures of information about them that are permitted, but not required, by law. We clarify that each and every disclosure required by law need not be listed on the notice. Rather, the covered entity can include a general statement that disclosures required by law will be made.
Comment: Some comments argued that the covered entity should not have to provide notice about uses and disclosures that are permitted under the rule without authorization. Other comments suggested that the notice should inform individuals about all of the uses and disclosures that may be made, with or without the individual's authorization.
Response: When the individual's permission is not required for uses and disclosures of information, we believe providing the required notice is the most effective means of ensuring that individuals are aware of how information about them may be shared. The notice need not describe uses and disclosures for which the individual's permission is required, because the individual will be informed of these at the time permission to use or disclose the information is requested.
We additionally require covered entities, even those required to obtain the individual's consent for use and disclosure of protected health information for treatment, payment, and health care operations, to describe those uses and disclosures in their notice. (See § 164.506 and the corresponding preamble discussion regarding consent requirements.) We require these uses and disclosures to be described in the notice in part in order to reduce the administrative burden on covered providers that are required to obtain consent. Rather than obtaining a new consent each time the covered provider's information policies and procedures are materially revised, covered providers may revise and redistribute their notice. We also expect that the description of how information may be used to carry out treatment, payment, and health care operations in the notice will be more detailed than in the more general consent document.
Comment: Some commenters argued that covered entities should not be required to provide notice of the right to request restrictions, because doing so would be burdensome to the covered entity and distracting to the individual; because individuals have the right whether they are informed of such right or not; and because the requirement would be unlikely to improve patient care.
Response: We disagree. We believe that the ability of an individual to request restrictions is an important privacy right and that informing people of their rights improves their ability to exercise those rights. We do not believe that adding a sentence to the notice is burdensome to covered entities.
Comment: We received comments supporting inclusion of a contact point in the notice, so that individuals will not be forced to make multiple calls to find someone who can assist them with the issues in the notice.
Response: We retain the requirement, but clarify that the title of the contact person is sufficient. A person's name is not required.
Comment: Some commenters argued that we could facilitate compliance by requiring the notice to include the proposed requirement that covered entities use and disclose only the minimum necessary protected health information.
Response: We do not agree that adding such a requirement would strengthen the notice. The purpose of the notice is to inform individuals of their privacy rights, and of the purposes for which protected health information about them may be used or disclosed. Informing individuals that covered entities may use and disclose only the minimum necessary protected health information for a purpose would not increase individuals' understanding of their rights or the purposes for which information may be used or disclosed.
Comment: A few commenters supported allowing covered entities to apply changes in their information practices to protected health information obtained prior to the change. They argued that requiring different protections for information obtained at different times would be inefficient and extremely difficult to administer. Some comments supported requiring covered entities to state in the notice that the information policies and procedures are subject to change.
Response: We agree. In the final rule, we provide a mechanism by which covered entities may revise their privacy practices and apply those revisions to protected health information they already maintain. We permit, but do not require, covered entities to reserve the right to change their practices and apply the revised practices to information previously created or obtained. If a covered entity wishes to reserve this right, it must make a statement to that effect in its notice. If it does not make such a statement, the covered entity may still revise its privacy practices, but it may apply the revised practices only to protected health information created or obtained after the effective date of the notice in which the revised practices are reflected. See § 164.530(i) and the corresponding preamble discussion of requirements regarding changes to information policies and procedures.
Comment: Some commenters requested clarification of the term "material changes" so that entities will be comfortable that they act properly after making changes to their information practices. Some comments stated that entities should notify individuals whenever a new category of disclosures to be made without authorization is created.
Response: The concept of "material change" appears in other notice laws, such as the ERISA requirements for summary plan descriptions. We therefore retain the "materiality" condition for revision of notices, and encourage covered entities to draw on the concept as it has developed through those other laws. We agree that the addition of a new category of use or disclosure of health information that may be made without authorization would likely qualify as a material change.
Comment: We proposed to permit covered entities to implement revised policies and procedures without first revising the notice if a compelling reason existed to do so. Some commenters objected to this proposal because they were concerned that the "compelling reason" exception would give covered entities broad discretion to engage in post hoc violations of its own information practices.
Response: We agree and eliminate this provision. Covered entities may not implement revised information policies and procedures before properly documenting the revisions and updating their notice. See § 164.530(i). Because in the final rule we require the notice to include all disclosures that may be made, not only those the covered entity intends to make, we no longer need this provision to accommodate emergencies.
Comment: Some comments suggested that we require covered entities to maintain a log of all past notices, with changes from the previous notice highlighted. They further suggested we require covered entities to post this log on their web sites.
Response: In accordance with § 164.530(j)(2), a covered entity must retain for six years a copy of each notice it issues. We do not require highlighting of changes to the notice or posting of prior notices, due to the associated administrative burdens and the complexity such a requirement would build into the notice over time. We encourage covered entities, however, to make such materials available upon request.
Comment: Several commenters requested clarification about when, relative to the compliance date, covered entities are required to produce their notice. One commenter suggested that covered entities be allowed a period not less than 180 days after adoption of the final rule to develop and distribute the notice. Other comments requested that the notice compliance date be consistent with other HIPAA regulations.
Response: We require covered entities to have a notice available upon request as of the compliance date of this rule (or the compliance date of the covered entity if such date is later). See § 164.534 and the corresponding preamble discussion of the compliance date.
Comment: Some commenters suggested that covered entities, particularly covered health care providers, should be required to discuss the notice with individuals. They argued that posting a notice or otherwise providing the notice in writing may not achieve the goal of informing individuals of how their information will be handled, because some individuals may not be literate or able to function at the reading level used in the notice. Others argued that entities should have the flexibility to choose alternative modes of communicating the information in the notice, including voice disclosure. In contrast, some commenters were concerned that requirements to provide the notice in plain language or in languages other than English would be overly burdensome.
Response: We require covered entities to write the notice in plain language so that the average reader will be able to understand the notice. We encourage, but do not require, covered entities to consider alternative means of communicating with certain populations. We note that any covered entity that is a recipient of federal financial assistance is generally obligated under Title VI of the Civil Rights Act of 1964 to provide material ordinarily distributed to the public in the primary languages of persons with limited English proficiency in the recipients' service areas. While we believe the notice will prompt individuals to initiate discussions with their health plans and health care providers about the use and disclosure of health information, we believe this should be a matter left to each individual and that requiring covered entities to initiate discussions with each individual would be overly burdensome.
Comment: Some commenters suggested that covered entities, particularly health plans, should be permitted to distribute their notice in a newsletter or other communication with individuals.
Response: We agree, so long as the notice is sufficiently separate from other important documents. We therefore prohibit covered entities from combining the notice in a single document with either a consent (§ 164.506) or an authorization (§ 164.508), but do not otherwise prohibit covered entities from including the notice in or with other documents the covered entity shares with individuals.
Comment: Some comments suggested that covered entities should not be required to respond to requests for the notice from the general public. These comments indicated that the requirement would place an undue burden on covered entities without benefitting individuals.
Response: We proposed that the notice be publicly available so that individuals may use the notice to compare covered entities' privacy practices and to select a health plan or health care provider accordingly. We therefore retain the proposed requirement for covered entities to provide the notice to any person who requests a copy, including members of the general public.
Comment: Many commenters argued that the distribution requirements for health plans should be less burdensome. Some suggested requiring distribution upon material revision, but not every three years. Some suggested that health plans should only be required to distribute their notice annually or upon re-enrollment. Some suggested that health plans should only have to distribute their notice upon initial enrollment, not re-enrollment. Other commenters supported the proposed approach.
Response: We agree that the notice distribution requirements for health plans can be less burdensome than in the NPRM while still being effective. In the final rule, we reduce health plans' distribution burden in several ways. First, we require health plans to remind individuals every three years of the availability of the notice and of how to obtain a copy of the notice, rather than requiring the notice to be distributed every three years as proposed. Second, we clarify that health plans only have to distribute the notice to new enrollees on enrollment, not to current members of the health plan upon re-enrollment. Third, we specifically allow all covered entities to distribute the notice electronically in accordance with § 164.520(c)(3).
We retain the requirement for health plans to distribute the notice within 60 days of a material revision. We believe the revised distribution requirements will ensure that individuals are adequately informed of health plans' information practices and any changes to those procedures, without unduly burdening health plans.
Comment: Many commenters argued that health plans should not be required to distribute their notice to every person covered by the plan. They argued that distributing the notice to every family member would be unnecessarily duplicative, costly, and difficult to administer. They suggested that health plans only be required to distribute the notice to the primary participant or to each household with one or more insured individuals.
Response: We agree, and clarify in the final rule that a health plan may satisfy the distribution requirement by providing the notice to the named insured on behalf of the dependents of that named insured. For example, a group health plan may satisfy its notice requirement by providing a single notice to each covered employee of the plan sponsor. We do not require the group health plan to distribute the notice to each covered employee and to each covered dependent of those employees.
Comment: Many comments requested clarification about health plans' ability to distribute the notice via other entities. Some commenters suggested that group health plans should be able to satisfy the distribution requirement by providing copies of the notice to plan sponsors for delivery to employees. Others requested clarification that covered health care providers are only required to distribute their own notice and that health plans should be prohibited from using their affiliated providers to distribute the health plan's notice.
Response: We require health plans to distribute their notice to individuals covered by the health plan. Health plans may elect to hire or otherwise arrange for others, including group health plan sponsors and health care providers affiliated with the health plan, to carry out this distribution. We require covered providers to distribute only their own notices, and neither require nor prohibit health plans and health care providers from devising whatever arrangements they find suitable to meet the requirements of this rule. However, if a covered entity arranges for another person or entity to distribute the covered entity's notice on its behalf and individuals do not receive such notice, the covered entity would be in violation of the rule.
Comment: Some comments stated that covered providers without direct patient contact, such as clinical laboratories, might not have sufficient patient contact information to be able to mail the notice. They suggested we require or allow such providers to form agreements with referring providers or other entities to distribute notices on their behalf or to include their practices in the referring entity's own notice.
Response: We agree with commenters' concerns about the potential administrative and financial burdens of requiring covered providers that have indirect treatment relationships with individuals, such as clinical laboratories, to distribute the notice. Therefore, we require these covered providers to provide the notice only upon request. In addition, these covered providers may elect to reach agreements with other entities distribute their notice on their behalf, or to participate in an organized health care arrangement that produces a joint notice. See § 164.520(d) and the corresponding preamble discussion of joint notice requirements.
Comment: Some commenters requested that covered health care providers be permitted to distribute their notice prior to an individual's initial visit so that patients could review the information in advance of the visit. They suggested that distribution in advance would reduce the amount of time covered health care providers' staff would have to spend explaining the notice to patients in the office. Other comments argued that providers should distribute their notice to patients at the time the individual visits the provider, because providers lack the administrative infrastructure necessary to develop and distribute mass communications and generally have difficulty identifying active patients.
Response: In the final rule, we clarify that covered providers with direct treatment relationships must provide the notice to patients no later than the first service delivery to the patient after the compliance date. For the reasons identified by these commenters, we do not require covered providers to send their notice to the patient in advance of the patient's visit. We do not prohibit distribution in advance, but only require distribution to the patient as of the time of the visit. We believe this flexibility will allow each covered provider to develop procedures that best meet its and its patients' needs.
Comment: Some comments suggested that covered providers should be required to distribute the notice as of the compliance date. They noted that if the covered provider waited to distribute the notice until first service delivery, it would be possible (pursuant to the rule) for a use or disclosure to be made without the individual's authorization, but before the individual receives the notice.
Response: Because health care providers generally lack the administrative infrastructure necessary to develop and distribute mass communications and generally have difficulty identifying active patients, we do not require covered providers to distribute the notice until the first service delivery after the compliance date. We acknowledge that this policy allows uses and disclosure of health information without individuals' consent or authorization before the individual receives the notice. We require covered entities, including covered providers, to have the notice available upon request as of the compliance date of the rule. Individuals may request a copy of the notice from their provider at any time.
Comment: Many commenters were concerned with the requirement that covered providers post their notice. Some commenters suggested that covered hospital-based providers should be able to satisfy the distribution requirements by posting their notice in multiple locations at the hospital, rather than handing the notice to patients - particularly with respect to distribution after material revisions have been made. Some additionally suggested that these covered providers should have copies of the notice available on site. Some commenters emphasized that the notice must be clear and conspicuous to give individuals meaningful and effective notice of their rights. Other commenters noted that posting the notice will not inform former patients who no longer see the provider.
Response: We clarify in the final rule that the requirement to post a notice does not substitute for the requirement to give individuals a notice or make notices available upon request. Covered providers with direct treatment relationships, including covered hospitals, must give a copy of the notice to the individual as of first service delivery after the compliance date. After giving the individual a copy of the notice as of that first visit, the covered provider has no other obligation to actively distribute the notice. We believe it is unnecessarily burdensome to require covered providers to mail the notice to all current and former patients each time the notice is revised, because unlike health plans, providers may have a difficult time identifying active patients. All individuals, including those who no longer see the covered provider, have the right to receive a copy of the notice on request.
If the covered provider maintains a physical delivery site, it must also post the notice (including revisions to the notice) in a clear and prominent location where it is reasonable to expect individuals seeking service from the covered provider to be able to read the notice. The covered provider must also have the notice available on site for individuals to be able to request and take with them.
Comment: Some comments requested clarification about the distribution requirements for a covered entity that is a health plan and a covered health care provider.
Response: Under § 164.504(g), discussed above, covered entities that conduct multiple types of covered functions, such as the kind of entities described in the above comments, are required to comply with the provisions applicable to a particular type of health care function when acting in that capacity. Thus, in the example described above, the covered entity is required by § 164.504(g) to follow the requirements for health plans with respect to its actions as a health plan and to follow the requirements for health care providers with respect to its actions as a health care provider.
Comment: We received many comments about the ability of covered entities to distribute their notices electronically. Many commenters suggested that we permit covered entities to distribute the notice electronically, either via a web site or e-mail. They argued that covered entities are increasingly using electronic technology to communicate with patients and otherwise administer benefits. They also noted that other regulations permit similar documents, such as ERISA-required summary plan descriptions, to be delivered electronically. Some commenters suggested that electronic distribution should be permitted unless the individual specifically requests a hard copy or lacks electronic access. Some argued that entities should be able to choose a least-cost alternative that allows for periodic changes without excessive mailing costs. A few commenters suggested requiring covered entities to distribute notices electronically.
Response: We clarify in the final rule that covered entities may elect to distribute their notice electronically, provided the individual agrees to receiving the notice electronically and has not withdrawn such agreement. We do not require any particular form of agreement. For example, a covered provider could ask an individual at the time the individual requests a copy of the notice whether she prefers to receive it in hard copy or electronic form. A health plan could ask an individual applying for coverage to provide an e-mail address where the health plan can send the individual information. If the individual provides an e-mail address, the health plan can infer agreement to obtain information electronically.
An individual who has agreed to receive the notice electronically, however, retains the right to request a hard copy of the notice. This right must be described in the notice. In addition, if the covered entity knows that electronic transmission of the notice has failed, the covered entity must produce a hard copy of the notice. We believe this provision allows covered entities flexibility to provide the notice in the form that best meets their needs without compromising individuals' right to adequate notice of covered entities' information practices.
We note that covered entities may also be subject to the Electronic Signatures in Global and National Commerce Act. This rule is not intended to alter covered entities' requirements under that Act.
Comment: Some commenters were concerned that covered providers with "face-to-face" patient contact would have a competitive disadvantage against covered internet-based providers, because the face-to-face providers would be required to distribute the notice in hard copy while internet-based providers could satisfy the requirement by requiring review of the notice on the web site before processing an order. They suggested allowing face-to-face covered providers to satisfy the distribution requirement by asking patients to review the notice posted on site.
Response: We clarify in the final rule that covered health care providers that provide services to individuals over the internet have direct treatment relationships with those individuals. Covered internet-based providers, therefore, must distribute the notice at the first service delivery after the compliance date by automatically and contemporaneously providing the notice electronically in response to the individual's first request for service, provided the individual agrees to receiving the notice electronically.
Even though we require all covered entity web sites to post the entity's notice prominently, we note that such posting is not sufficient to meet the distribution requirements. A covered internet-based provider must send the notice electronically at the individual's first request for service, just as other covered providers with direct treatment relationships must give individuals a copy of the notice as of the first service delivery after the compliance date.
We do not intend to create competitive advantages among covered providers. A web-based and a non-web-based covered provider each have the same alternatives available for distribution of the notice. Both types of covered providers may provide either a paper copy or an electronic copy of the notice.
Comment: We received several comments suggesting that some covered entities should be exempted from the notice requirement or permitted to combine notices with other covered entities. Many comments argued that the notice requirement would be burdensome for hospital-based physicians and result in numerous, duplicative notices that would be meaningless or confusing to patients. Other comments suggested that multiple health plans offered through the same employer should be permitted to produce a single notice.
Response: We retain the requirement for all covered health care providers and health plans to produce a notice of information practices. Health care clearinghouses are required to produce a notice of information practices only to the extent the clearinghouse creates or receives protected health information other than as a business associate of a covered entity. See § 164.500(b)(2). Two other types of covered entities are not required to produce a notice: a correctional institution that is a covered entity and a group health plan that provides benefits only through one or more contracts of insurance with health insurance issuers or HMOs.
We clarify in § 164.504(d), however, that affiliated covered entities under common ownership or control may designate themselves as a single covered entity for purposes of this rule. An affiliated covered entity is only required to produce a single notice.
In addition, covered entities that participate in an organized health care arrangement - which could include hospitals and their associated physicians - may choose to produce a single, joint notice, if certain requirements are met. See § 164.501 and the corresponding preamble discussion of organized health care arrangements.
We clarify that each covered entity included in a joint notice must meet the applicable distribution requirements. If any one of the covered entities, however, provides the notice to a given individual, the distribution requirement with respect to that individual is met for all of the covered entities included in the joint notice. For example, a covered hospital and its attending physicians may elect to produce a joint notice. When an individual is first seen at the hospital, the hospital must provide the individual with a copy of the joint notice. Once the hospital has done so, the notice distribution requirement for all of the attending physicians that provide treatment to the individual at the hospital and that are included in the joint notice is satisfied.
Comment: We solicited and received comments on whether to require covered entities to obtain the individual's signature on the notice. Some commenters suggested that requiring a signature would convey the importance of the notice, would make it more likely that individuals read the notice, and could have some of the same benefits of a consent. They noted that at least one state already requires entities to make a reasonable effort to obtain a signed notice. Other comments noted that the signature would be useful for compliance and risk management purposes because it would document that the individual had received the notice.
The majority of commenters on this topic, however, argued that a signed acknowledgment would be administratively burdensome, inconsistent with the intent of the Administrative Simplification requirements of HIPAA, impossible to achieve for incapacitated individuals, difficult to achieve for covered entities that do not have direct contact with patients, inconsistent with other notice requirements under other laws, misleading to individuals who might interpret their signature as an agreement, inimical to the concept of permitting uses and disclosures without authorization, and an insufficient substitute for authorization.
Response: We agree with the majority of commenters and do not require covered entities to obtain the individual's signed acknowledgment of receipt of the notice. We believe that we satisfied most of the arguments in support of requiring a signature with the new policy requiring covered health care providers with direct treatment relationships to obtain a consent for uses and disclosures of protected health information to carry out treatment, payment, and health care operations. See § 164.506 and the corresponding preamble discussion of consent requirements. We note that this rule does not preempt other applicable laws that require a signed notice and does not prohibit a covered entity from requesting an individual to sign the notice.
Comment: Some commenters supported requiring covered entities to adhere to their privacy practices, as described in their notice. They argued that the notice is meaningless if a covered entity does not actually have to follow the practices contained in its notice. Other commenters were concerned that the rule would prevent a covered entity from using or disclosing protected health information in otherwise lawful and legitimate ways because of an intentional or inadvertent omission from its published notice. Some of these commenters suggested requiring the notice to include a description of some or all disclosures that are required or permitted by law. Some commenters stated that the adherence requirement should be eliminated because it would generally inhibit covered entities' ability to innovate and would be burdensome.
Response: We agree that the value of the notice would be significantly diminished absent a requirement that covered entities adhere to the statements they make in their notices. We therefore retain the requirement for covered entities to adhere to the terms of the notice. See § 164.502(i).
Many of these commenters' concerns regarding a covered entity's inability to use or disclose protected health information due to an intentional or inadvertent omission from the notice are addressed in our revisions to the proposed content requirements for the notice. Rather than require covered entities to describe only those uses and disclosures they anticipate making, as proposed, we require covered entities to describe all uses and disclosures they are required or permitted to make under the rule without the individual's consent or authorization. We permit a covered entity to provide a statement that it will disclose protected health information that is otherwise required by law, as permitted in § 164.512(a), without requiring them to list all state laws that may require disclosure. Because the notice must describe all legally permissible uses and disclosures, the notice will not generally preclude covered entities from making any uses or disclosures they could otherwise make without individual consent or authorization. This change will also ensure that individuals are aware of all possible uses and disclosures that may occur without their consent or authorization, regardless of the covered entity's current practices.
We encourage covered entities, however, to additionally describe the more limited uses and disclosures they actually anticipate making in order to give individuals a more accurate understanding of how information about them will be shared. We expect that certain covered entities will want to distinguish themselves on the basis of their privacy protections. We note that a covered entity that chooses to exercise this option must clearly state that, at a minimum, the covered entity may make disclosures that are required by law and that are necessary to avert a serious and imminent threat to health or safety.