Standards for Privacy of Individually Identifiable Health Information. Final Privacy Rule Preamble.. Section 164.522(b) - Confidential Communications Requirements


Comment: Several commenters requested that we add a new section to prevent disclosure of sensitive health care services to members of the patient's family through communications to the individual's home, such as appointment notices, confirmation or scheduling of appointments, or mailing a bill or explanation of benefits, by requiring covered entities to agree to correspond with the patient in another way. Some commenters stated that this is necessary in order to protect inadvertent disclosure of sensitive information and to protect victims of domestic violence from disclosure to an abuser. A few commenters suggested that a covered entity should be required to obtain an individual's authorization prior to communicating with the individual at the individual's home with respect to health care relating to sensitive subjects such as reproductive health, sexually transmissible diseases, substance abuse or mental health.

Response: We agree with commenters' concerns regarding covered entities' communications with individuals. We created a new provision, § 164.522(b), to address confidential communications by covered entities. This provision gives individuals the right to request that they receive communications from covered entities at an alternative address or by an alternative means, regardless of the nature of the protected health information involved. Covered providers are required to accommodate reasonable requests by individuals and may not require the individual to explain the basis for the request as a condition of accommodation. Health plans are required to accommodate reasonable requests by individuals as well; however, they may require the individual to provide a statement that disclosure of the information could endanger the individual, and they may condition the accommodation on the receipt of such statement.

Under the rule, we have required covered providers to accommodate requests for communications to alternative addresses or by alternative means, regardless of the reason, to limit risk of harm. Providers have more frequent one-on-one communications with patients, making the safety concerns from an inadvertent disclosure more substantial and the need for confidential communications more compelling. We have made the requirement for covered providers absolute and not contingent on the reason for the request because we wanted to make it relatively easy for victims of domestic violence, who face real safety concerns by disclosures of health information, to limit the potential for such disclosures.

The standard we created for health plans is different from the requirement for covered providers, in that we only require health plans to make requested accommodations for confidential communications when the individual asserts that disclosure could be dangerous to the individual. We address health plan requirements in this way because health plans are often issued to a family member (the employee), rather than to each individual member of a family, and therefore, health plans tend to communicate with the named insured rather than with individual family members. Requiring plans to accommodate a restriction for one individual could be administratively more difficult than it is for providers that regularly communicate with individuals. However, in the case of domestic violence or potential abuse, the level of harm that can result from a disclosure of protected health information tips the balance in favor of requiring such restriction to prevent inadvertent disclosure. We have adopted the policy recommended by the National Association of Insurance Commissioners in the Health Information Policy Model Act (1998) as this best reflects the balance of the appropriate level of regulation of the industry compared with the need to protect individuals from harm that may result from inadvertent disclosure of information. This policy is also consistent with recommendations made in the Family Violence Prevention Fund's publication "Health Privacy Principles for Protecting Victims of Domestic Violence" (October 2000). Of course, health plans may accommodate requests for confidential communications without requiring a statement that the individual would be in danger from disclosure of protected health information.

Comment: One commenter requested that we create a standard that all information from a health plan be sent to the patient and not the policyholder or subscriber.

Response: We require health plans to accommodate certain requests that information not be sent to a particular location or by particular means. A health plan must accommodate reasonable requests by individuals that protected health information about them be sent directly to them and not to a policyholder or subscriber, if the individual states that he or she may be in danger from disclosure of such information. We did not generally require health plans to send information to the patient and not the policyholder or subscriber because we believed it would be administratively burdensome and because the named insured may have a valid need for such information to manage payment and benefits.