Comment: Many commenters requested that additional protections be placed on sensitive information, including information regarding HIV/AIDS, sexually transmitted diseases, mental health, substance abuse, reproductive health, and genetics. Many requested that we ensure the regulation adequately protects victims of domestic violence. They asserted that the concern for discrimination or stigma resulting from disclosure of sensitive health information could dissuade a person from seeking needed treatment. Some commenters noted that many state laws provide additional protections for various types of information. They requested that we develop federal standards to have consistent rules regarding the protection of sensitive information to achieve the goals of cost savings and patient protection. Others requested that we require patient consent or special authorization before certain types of sensitive information was disclosed, even for treatment, payment, and health care operations, and some thought we should require a separate request for each disclosure. Some commenters requested that the right to request restrictions be replaced with a requirement for an authorization for specific types of sensitive information. There were recommendations that we require covered entities to develop internal policies to address sensitive information.
Other commenters argued that sensitive information should not be segregated from the record because it may limit a future provider's access to information necessary for treatment of the individual and it could further stigmatize a patient by labeling him or her as someone with sensitive health care issues. These commenters further maintained that segregation of particular types of information could negatively affect analysis of community needs, research, and would lead to higher costs of health care delivery.
Response: We generally do not differentiate among types of protected health information, because all health information is sensitive. The level of sensitivity varies not only with the type of information, but also with the individual and the particular situation faced by the individual. This is demonstrated by the different types of information that commenters singled out as meriting special protection, and in the great variation among state laws in defining and protecting sensitive information. Most states have a law providing heightened protection for some type of health information. However, even though most states have considered the issue of sensitive information, the variation among states in the type of information that is specially protected and the requirements for permissible disclosure of such information demonstrates that there is no national consensus.
Where, as in this case, most states have acted and there is no predominant rule that emerges from the state experience with this issue, we have decided to let state law predominate. The final rule only provides a floor of protection for health information and does not preempt state laws that provider greater protection than the rule. Where states have decided to treat certain information as more sensitive than other information, we do not preempt those laws.
To address the variation in the sensitivity of protected health information without defining specially sensitive information, we incorporate opportunities for individuals and covered entities to address specific sensitivities and concerns about uses and disclosures of certain protected health information that the patient and provider believe are particularly sensitive, as follows:
- Covered entities are required to provide individuals with notice of their privacy practices and give individuals the opportunity to request restrictions of the use and disclosure of protected health information by the covered entity. (See § 164.522(a) regarding right to request restrictions.)
- Individuals have the right to request, and in some cases require, that communications from the covered entity to them be made to an alternative address or by an alternative means than the covered entity would otherwise use. (See § 164.522(b) regarding confidential communications.)
- Covered entities have the opportunity to decide not to treat a person as a personal representative when the covered entity has a reasonable belief that an individual has been subjected to domestic violence, abuse, or neglect by such person or that treating such person as a personal representative could endanger the individual. (See § 164.502(g)(5) regarding personal representatives.)
- Covered entities may deny access to protected health information when there are concerns that the access may result in varying levels of harm. (See § 164.524(a)(3) regarding denial of access.)
- Covered health care providers may, in some circumstances and consistent with any known prior preferences of the individual, exercise professional judgment in the individual's best interest to not disclose directory information. (See § 164.510(a) regarding directory information.)
- Covered entities may, in some circumstances, exercise professional judgment in the individual's best interest to limit disclosure to persons assisting in the individual's care. (See § 164.510(b) regarding persons assisting in the individual's care.)
This approach allows for state law and personal variation in this area.
The only type of protected health information that we treat with heightened protection is psychotherapy notes. We provide a different level of protection because they are unique types of protected health information that typically are not used or required for treatment, payment, or health care operations other than by the mental health professional that created the notes. (See § 164.508(a)(2) regarding psychotherapy notes.)