HIPAA Privacy Regulations: General Rules for Uses and Disclosures of Protected Health Information -- Use and Disclosure for Treatment, Payment and Health Care Operations - § 164.502(a)
As Contained in the HHS HIPAA Privacy Rules
HHS Guidance: Incidental Uses and Disclosures
HHS Regulations as Amended January 2013 |
(a) Standard. A covered entity or business associate may not use or disclose protected health information, except as permitted or required by this subpart or by subpart C of part 160 of this subchapter.
(1) Covered entities: Permitted uses and disclosures. A covered entity is permitted to use or disclose protected health information as follows:
(i) To the individual;
(ii) For treatment, payment, or health care operations, as permitted by and in compliance with §164.506;
(iii) Incident to a use or disclosure otherwise permitted or required by this subpart, provided that the covered entity has complied with the applicable requirements of §§164.502(b), 164.514(d), and 164.530(c) with respect to such otherwise permitted or required use or disclosure;
(iv) Except for uses and disclosures prohibited under §164.502(a)(5)(i), pursuant to and in compliance with a valid authorization under §164.508;
(v) Pursuant to an agreement under, or as otherwise permitted by, §164.510; and
(vi) As permitted by and in compliance with this section, §164.512, §164.514(e), (f), or (g).
(2) Covered entities: Required disclosures. A covered entity is required to disclose protected health information:
(i) To an individual, when requested under, and required by §164.524 or §164.528; and
(ii) When required by the Secretary under subpart C of part 160 of this subchapter to investigate or determine the covered entity's compliance with this subchapter.
(3) Business associates: Permitted uses and disclosures. A business associate may use or disclose protected health information only as permitted or required by its business associate contract or other arrangement pursuant to §164.504(e) or as required by law. The business associate may not use or disclose protected health information in a manner that would violate the requirements of this subpart, if done by the covered entity, except for the purposes specified under §164.504(e)(2)(i)(A) or (B) if such uses or disclosures are permitted by its contract or other arrangement.
(4) Business associates: Required uses and disclosures. A business associate is required to disclose protected health information:
(i) When required by the Secretary under subpart C of part 160 of this subchapter to investigate or determine the business associate's compliance with this subchapter.
(ii) To the covered entity, individual, or individual's designee, as necessary to satisfy a covered entity's obligations under §164.524(c)(2)(ii) and (3)(ii) with respect to an individual's request for an electronic copy of protected health information.
(5) Prohibited uses and disclosures.
(i) Use and disclosure of genetic information for underwriting purposes: Notwithstanding any other provision of this subpart, a health plan, excluding an issuer of a long-term care policy falling within paragraph (1)(viii) of the definition of health plan, shall not use or disclose protected health information that is genetic information for underwriting purposes. For purposes of paragraph (a)(5)(i) of this section, underwriting purposes means, with respect to a health plan:
(A) Except as provided in paragraph (a)(5)(i)(B) of this section:
(1) Rules for, or determination of, eligibility (including enrollment and continued eligibility) for, or determination of, benefits under the plan, coverage, or policy (including changes in deductibles or other cost-sharing mechanisms in return for activities such as completing a health risk assessment or participating in a wellness program);
(2) The computation of premium or contribution amounts under the plan, coverage, or policy (including discounts, rebates, payments in kind, or other premium differential mechanisms in return for activities such as completing a health risk assessment or participating in a wellness program);
(3) The application of any pre-existing condition exclusion under the plan, coverage, or policy; and
(4) Other activities related to the creation, renewal, or replacement of a contract of health insurance or health benefits.
(B) Underwriting purposes does not include determinations of medical appropriateness where an individual seeks a benefit under the plan, coverage, or policy.
(ii) Sale of protected health information:
(A) Except pursuant to and in compliance with §164.508(a)(4), a covered entity or business associate may not sell protected health information.
(B) For purposes of this paragraph, sale of protected health information means:
(1) Except as provided in paragraph (a)(5)(ii)(B)(2) of this section, a disclosure of protected health information by a covered entity or business associate, if applicable, where the covered entity or business associate directly or indirectly receives remuneration from or on behalf of the recipient of the protected health information in exchange for the protected health information.
(2) Sale of protected health information does not include a disclosure of protected health information:
(i) For public health purposes pursuant to §164.512(b) or §164.514(e);
(ii) For research purposes pursuant to §164.512(i) or §164.514(e), where the only remuneration received by the covered entity or business associate is a reasonable cost-based fee to cover the cost to prepare and transmit the protected health information for such purposes;
(iii) For treatment and payment purposes pursuant to §164.506(a);
(iv) For the sale, transfer, merger, or consolidation of all or part of the covered entity and for related due diligence as described in paragraph (6)(iv) of the definition of health care operations and pursuant to §164.506(a);
(v) To or by a business associate for activities that the business associate undertakes on behalf of a covered entity, or on behalf of a business associate in the case of a subcontractor, pursuant to §§164.502(e) and 164.504(e), and the only remuneration provided is by the covered entity to the business associate, or by the business associate to the subcontractor, if applicable, for the performance of such activities;
(vi) To an individual, when requested under §164.524 or §164.528;
(vii) Required by law as permitted under §164.512(a); and
(viii) For any other purpose permitted by and in accordance with the applicable requirements of this subpart, where the only remuneration received by the covered entity or business associate is a reasonable, cost-based fee to cover the cost to prepare and transmit the protected health information for such purpose or a fee otherwise expressly permitted by other law.
HHS Description of and Commentary From the January 2013 Amendments |
Business Associates
Before the HITECH Act, the Privacy Rule did not govern business associates directly. However, section 13404 of the HITECH Act makes specific requirements of the Privacy Rule applicable to business associates, and creates direct liability for noncompliance by business associates with regard to those Privacy Rule requirements.
Specifically, section 13404(a) of the HITECH Act creates direct liability for uses and disclosures of protected health information by business associates that do not comply with its business associate contract or other arrangement under the Privacy Rule.
Additionally, section 13404(a) applies the other privacy requirements of the HITECH Act directly to business associates just as they apply to covered entities. Section 13404(b) applies the provision of § 164.504(e)(1)(ii) regarding knowledge of a pattern of activity or practice that constitutes a material breach or violation of a contract to business associates. Finally, section 13404(c) applies the HIPAA civil and criminal penalties to business associates. We discuss the modifications to the Privacy Rule pursuant to paragraphs (a) and (b) of section 13404 of the HITECH Act below.
We address the modifications made to the Enforcement Rule by section 13404(c) regarding the application of penalties to violations by business associates above in the discussion of the changes to the Enforcement Rule.
We note that we have not added references to “business associate” to all provisions of the Privacy Rule that address uses and disclosures by covered entities. Such additions to the Privacy Rule are unnecessary, as a business associate generally may only use or disclose protected health information in the same manner as a covered entity. Therefore, any Privacy Rule limitation on how a covered entity may use or disclose protected health information automatically extends to a business associate.
Proposed Rule
We proposed to modify § 164.502(a) of the Privacy Rule containing the general rules for uses and disclosures of protected health information to address the permitted and required uses and disclosures of protected health information by business associates.
First, we proposed to modify § 164.502(a) to provide that a business associate, like a covered entity, may not use or disclose protected health information except as permitted or required by the Privacy Rule or the Enforcement Rule. Second, we proposed to add new provisions at § 164.502(a)(4) and (5) to specify the permitted and required uses and disclosures of protected health information by business associates.
In accordance with section 13404(a) of the HITECH Act, we proposed in § 164.502(a)(4) to allow business associates to use or disclose protected health information only as permitted or required by their business associate contracts or other arrangements pursuant to § 164.504(e) or as required by law. Any other use or disclosure would violate the Privacy Rule. Proposed § 164.502(a)(4) also provided that a business associate would not be permitted to use or disclose protected health information in a manner that would violate the Privacy Rule if done by the covered entity, except that the business associate would be permitted to use or disclose protected health information for the proper management and administration of the business associate and to provide data aggregation services for the covered entity, as specified at § 164.504(e)(2)(i)(A) and (B), if such uses and disclosures are permitted by its business associate contract or other arrangement.
In § 164.502(a)(5), we proposed to require that a business associate disclose protected health information either: (1) when required by the Secretary under Subpart C of Part 160 to investigate or determine the business associate’s compliance with this subchapter; or (2) to the covered entity, individual, or individual’s designee, as necessary to satisfy a covered entity’s obligations under § 164.524(c)(2)(ii) and (3)(ii), as modified, with respect to an individual’s request for an electronic copy of protected health information. Section 13405(e) of the HITECH Act requires covered entities that maintain protected health information in an electronic health record to provide an individual, or the individual’s designee, with a copy of such information in an electronic format, if the individual so chooses. We proposed to include a similar direct requirement on business associates in § 164.502(a)(5), as section 13404(a) of the HITECH Act also applies section 13405(e) to business associates.
We also proposed a conforming change to revise the titles of § 164.502(a)(1) and (a)(2) to make clear that these provisions setting out permitted uses and disclosures of protected health information apply only to covered entities, as well as a technical change to § 164.502(a)(2)(ii) to replace the term “subpart” with “subchapter” to make clear that a covered entity is required to disclose protected health information to the Secretary as needed to determine compliance with any of the HIPAA Rules and not just the Privacy Rule.
Overview of Public Comments
Several commenters expressed concern about the increased liability for business associates under the rule and requested clarification on when business associate liability for impermissible uses and disclosures would attach. Several commenters asked for clarification as to what a business associate is directly liable for under the Privacy Rule, and some expressed specific confusion regarding the liability of business associates for the provision of e-access under the rule.
Final Rule
The final rule adopts the proposed modifications to § 164.502(a). The provisions specifying a business associate’s permitted and required uses and disclosures of protected health information are renumbered from § 164.502(a)(4) and (a)(5), as proposed, to § 164.502(a)(3) and (a)(4), as § 164.502(a)(5) of the final rule now includes provisions to address prohibited uses and disclosures. Section § 164.502(a)(5) is discussed below in the sections describing the prohibitions on the sale of protected health information and the use or disclosure of genetic information for underwriting purposes.
In response to specific comments asking for clarification regarding when business associate liability would attach, we provide the following. As we discussed above, the final rule provides that a business associate is a person who performs functions or activities on behalf of, or certain services for, a covered entity or another business associate that involve the use or disclosure of protected health information. The final rule establishes that a person becomes a business associate by definition, not by the act of contracting with a covered entity or otherwise. Therefore, liability for impermissible uses and disclosures attaches immediately when a person creates, receives, maintains, or transmits protected health information on behalf of a covered entity or business associate and otherwise meets the definition of a business associate.
Liability also does not depend on the type of protected health information that a business associate creates, receives, maintains, or transmits on behalf of a covered entity or another business associate, or on the type of entity performing the function or service, except to the extent the entity falls within one of the exceptions at paragraph 4 of the definition of business associate. First, protected health information created, received, maintained, or transmitted by a business associate may not necessarily include diagnosis specific information, such as information about the treatment of an individual, and may be limited to demographic or other information not indicative of the type of health care services provided to an individual. If the information is tied to a covered entity, then it is protected health information by definition since it is indicative that the individual received health care services or benefits from the covered entity, and therefore it must be protected by the business associate in accordance with the HIPAA Rules and its business associate agreement. Second, the definition of business associate is contingent on the fact that the business associate performs certain activities or functions on behalf of, or provides certain services to, a covered entity or another business associate that involve the use or disclosure of protected health information. Therefore, any person, defined in the HIPAA Rules as a natural person, trust or estate, partnership, corporation, professional association or corporation, or other entity, public or private, who performs these functions or activities or services is a business associate for purposes of the HIPAA Rules, regardless of whether such person has other professional or privilege-based duties or responsibilities.
Finally, while we understand commenters’ concerns about the increased liability for business associates under the HIPAA Rules, such direct liability for violations of certain HIPAA provisions is expressly provided for by the HITECH Act.
In response to comments requesting clarification on with which HIPAA provisions a business associate is directly liable for compliance, we provide the following. Business associates are directly liable under the HIPAA Rules for impermissible uses and disclosures,4 for a failure to provide breach notification to the covered entity,5 for a failure to provide access to a copy of electronic protected health information to either the covered entity, the individual, or the individual’s designee (whichever is specified in the business associate agreement),6 for a failure to disclose protected health information where required by the Secretary to investigate or determine the business associate’s compliance with the HIPAA Rules,7 for a failure to provide an accounting of disclosures,8 and for a failure to comply with the requirements of the Security Rule.9 Business associates remain contractually liable for other requirements of the business associate agreement (see below for a discussion of the business associate agreement provisions).
With respect to a business associate’s direct liability for a failure to provide access to a copy of electronic protected health information, business associates are liable for providing electronic access in accordance with their business associate agreements.
Therefore, business associates may provide electronic access directly to individuals or their designees, or may provide the electronic protected health information to the covered entity (which then provides the electronic access to individuals or their designees). As with many other provisions in the HIPAA Rules, the Department leaves the details to the contracting parties, and is concerned only that access is provided to the individual, not with which party provides the access.
Definition of “Underwriting Purposes”
Proposed Rule
Section 105 of GINA provides that the term “underwriting purposes” means, with respect to a group health plan, health insurance coverage, or Medicare supplemental policy: (A) rules for, or determination of, eligibility (including enrollment and continued eligibility) for, or determination of, benefits under the plan, coverage, or policy; (B) the computation of premium or contribution amounts under the plan, coverage, or policy; (C) the application of any pre-existing condition exclusion under the plan, coverage, or policy; and (D) other activities related to the creation, renewal, or replacement of a contract of health insurance or health benefits.
The Department proposed to adopt GINA’s statutory definition of “underwriting purposes” in § 164.501 of the Privacy Rule, but also proposed to include certain clarifications for consistency with the regulations promulgated to implement the nondiscrimination provisions in sections 101 through 103 of GINA.
In particular, the Department proposed to include a parenthetical to explain that the rules for, or determination of eligibility for, or determination of, benefits under the plan include changes in deductibles or other cost-sharing mechanisms in return for activities such as completing a health risk assessment or participating in a wellness program. The proposed rule also included a parenthetical to make clear that the computation of premium or contribution amounts under the plan, coverage, or policy includes discounts, rebates, payments in kind, or other premium differential mechanisms in return for activities such as completing a health risk assessment or participating in a wellness program. Finally, we proposed a provision within the definition to clarify that “underwriting purposes” does not include determinations of medical appropriateness where an individual seeks a benefit under the plan, coverage, or policy.
Overview of Public Comments
About ten commenters addressed the proposed definition of “underwriting purposes.” Four commenters generally supported the proposed definition. Other commenters expressed concern with the definition’s inclusion of discounts, rebates, payments in kind, or other premium differential mechanisms in return for activities such as completing a health risk assessment (HRA) or participating in a wellness program.
These commenters were concerned that prohibiting the use of genetic information, particularly family health history, for such purposes would have a detrimental impact on wellness and disease management programs. One commenter was concerned that the definition would prohibit dental insurance plans from offering preventive prognostic features to enrollees as part of the plan that test for susceptibility to dental decay and periodontal diseases. Enrollees that test positive would be provided with additional plan benefits as a supplement to the standard benefits to cover more aggressive preventive services. Finally, a few commenters were concerned that the broad definition of “underwriting purposes” would preclude plans from using HRAs and offering wellness programs even if no genetic information is requested or used. For example, one commenter was concerned that the definition would prohibit the use of “personal habit” information, such as information about smoking, or alcohol or drug use.
Final Rule
The final rule adopts the proposed definition of “underwriting purposes” but moves the definition to within the underwriting prohibition at § 164.502(a)(5)(i). This makes clear that the definition applies only for purposes of the prohibition on a health plan’s use or disclosure of genetic information for underwriting purposes. As discussed more fully below with respect to the definition of “health care operations,” we move the definition of “underwriting purposes” and retain the term “underwriting” within the definition of “health care operations” in response to several public comments expressing concern that the proposed rule would no longer allow health plans to use or disclose any protected health information (i.e., even non-genetic information) for underwriting.
The adopted definition is consistent with the definition promulgated in the interim final regulations to implement sections 101-103 of GINA and with which compliance is already required by most health plans. We decline to exclude wellness programs and the use of HRAs from the definition because, as discussed in the interim final regulations issued by DOL, Treasury, and HHS, GINA Title I does not include an exception for wellness programs. However, we emphasize that health plans may continue to provide incentives for completing HRAs and participating in wellness programs in manners that do not involve the use or disclosure of genetic information. For example, “personal habit” information about an individual, such as smoking status and alcohol and drug use, is not genetic information and thus, may be used by health plans for underwriting purposes.
Further, DOL has issued guidance which makes clear that health plans may continue to collect family health history through the use of HRAs that are not tied to any reward.
In addition, the definition of “underwriting purposes” includes an exception for determinations of medical appropriateness where an individual seeks a benefit under the plan, coverage, or policy. Thus, to the extent that an individual is seeking a particular benefit under the plan and the health plan needs genetic information to determine the medical appropriateness of providing the benefit to the individual, the plan may use or disclose the minimum necessary genetic information to determine the medical appropriateness of providing the benefit. For example, if a health plan covers yearly mammograms for individuals under age 40 only in cases where the individual can demonstrate she is at increased risk for breast cancer, the plan can ask an individual under age 40 to provide the results of a genetic test or family health history and use such information to determine medical appropriateness prior to paying a claim for the mammogram. The medical appropriateness exception would also cover situations where a dental plan requires the results of a genetic test prior to offering a supplemental benefit for more aggressive preventive services to the extent the individual seeks such a benefit.
For example, a dental plan may provide information to all of its enrollees about how to take advantage of such a benefit, and when an enrollee contacts the plan about obtaining the benefit, may require the individual to take and provide the results of a genetic test to determine the medical appropriateness of providing the supplemental benefit to the individual.
Genetic Information Nondiscrimination Act
Proposed Rule
Section 105 of GINA requires HHS to modify the Privacy Rule to prohibit “a covered entity that is a group health plan, health insurance issuer that issues health insurance coverage, or issuer of a medicare [sic] supplemental policy” from using or disclosing genetic information for underwriting purposes. Section 105 of GINA provides that the terms “group health plan” and “health insurance coverage” have the meanings given such terms under section 2791 of the Public Health Service Act (PHSA) (42 U.S.C. 300gg–91), and that the term “medicare [sic] supplemental policy” has the meaning given such term in section 1882(g) of the Social Security Act. In addition, the term “health insurance issuer,” as defined at 42 U.S.C. 300gg–91, includes a health maintenance organization (HMO).
These four types of entities (i.e., group health plans, health insurance issuers, and health maintenance organizations, as defined in the PHSA, as well as issuers of Medicare supplemental policies), correspond to the types of covered entities listed at subparagraphs (i) through (iii) and (vi) of paragraph (1) of the definition of “health plan” at § 160.103 in the HIPAA Privacy Rule, issued under HIPAA’s Administrative Simplification provisions. These also are the entities to which HIPAA’s nondiscrimination provisions apply and to which the nondiscrimination provisions of GINA Title I were directed.
However, in addition to these four types of entities, the HIPAA Privacy Rule also includes a number of other entities within the definition of “health plan”: (1) long-term care policies (excluding nursing home fixed-indemnity policies); (2) employee welfare benefit plans or other arrangements that are established or maintained for the purpose of offering or providing health benefits to the employees of two or more employers (to the extent that they are not group health plans or health insurance issuers); (3) high risk pools that are mechanisms established under State law to provide health insurance coverage or comparable coverage to eligible individuals; (4) certain public benefit programs, such as Medicare Part A and B, Medicaid, the military and veterans’ health care programs, the Indian Health Service program, and others; as well as (5) any other individual or group plan, or combination of individual or group plans that provides or pays for the cost of medical care (as the term “medical care” is defined in section 2791(a)(2) of the PHSA, 42 U.S.C. 300gg–91(a)(2)). This last category includes, for example, certain “excepted benefits” plans described at 42 U.S.C. 300gg–91(c)(2), such as limited scope dental or vision benefits plans. See the definition of “health plan” at § 160.103.
In the NPRM, the Department, using both its authority under GINA as well as its broad authority under HIPAA, proposed to apply the prohibition on using and disclosing protected health information that is genetic information for underwriting to all health plans that are subject to the Privacy Rule, rather than solely to the plans GINA explicitly requires be subject to the prohibition. As explained in the proposed rule, the HIPAA Administrative Simplification provisions provide the Secretary with broad authority to craft privacy standards that uniformly apply to all health plans, regardless of whether such health plans are governed by other portions of the HIPAA statute. In addition, the Department indicated in the proposed rule that nothing in GINA explicitly or implicitly curtails this broad authority of the Secretary to promulgate privacy standards for any and all health plans that are governed by the HIPAA Administrative Simplification provisions.
Under the Privacy Rule, and consistent with HIPAA, an individual’s privacy interests and rights with respect to the use and disclosure of protected health information are protected uniformly without regard to the type of health plan that holds the information. Thus, under the Privacy Rule, individuals can expect and benefit from privacy protections that do not diminish based on the type of health plan from which they obtain health coverage. In developing the proposed rule, the Department believed that individuals’ interests in uniform protection under the Privacy Rule against the use or disclosure of their genetic information for underwriting purposes would outweigh any adverse impact on health plans that are not covered by GINA, particularly since it was not expected that all of the health plans subject to the Privacy Rule use or disclose protected health information that is genetic information for underwriting (or even perform underwriting generally, in the case of some of the public benefit plans). For these reasons, the Department proposed to apply the prohibition on using or disclosing protected health information that is genetic information for underwriting purposes to all health plans that are HIPAA covered entities.
Overview of Public Comments
The Department received comments both in support of and against the proposed application of the prohibition on using or disclosing genetic information for underwriting purposes to all health plans covered by the Privacy Rule. Several commenters agreed that the extension of the proposed requirements to all health plans is an appropriate exercise of the Secretary’s discretion under HIPAA and is necessary to protect the privacy interests of all individuals without regard to the type of health plan holding individuals’ health information, and stated that such an extension would further encourage individuals to take advantage of genetic services. In addition, one commenter in support of the proposal indicated that sixteen States also regulate the use of genetic information in disability insurance, and ten States regulate its use in long-term care insurance, and it is expected that these numbers will continue to increase. The commenter stated that as States move forward in this area it was appropriate for the Federal government to do so as well. However, this and one other commenter, while generally in support of extending the prohibition on using or disclosing genetic information for underwriting to all health plans, also recommended that the Department monitor the impact of such a prohibition on long-term care insurers.
A few commenters did not support the Department’s proposal and argued that the prohibition against using or disclosing genetic information for underwriting purposes in the Privacy Rule should apply only to those plans to which GINA expressly applies.
Commenters argued that applying the prohibition beyond the health plans identified in GINA was contrary to GINA and its intent.
Certain commenters expressed particular disagreement and concern with applying the prohibition on the use of genetic information for underwriting to long-term care insurers. One commenter argued that there was clear Congressional intent in the legislative history of GINA to exempt “excepted benefits,” particularly long-term care insurance, from any prohibitions under GINA and thus, the Privacy Rule should not apply the prohibition on underwriting with genetic information to issuers of long term care policies. The commenter also argued that the GINA prohibition should not apply to long-term care insurers because long-term care plans have different characteristics from other health plans and applying the GINA prohibition to long-term care insurers would jeopardize the ability of long-term care insurers to adequately underwrite and thus, the viability of the long-term care insurance market. The commenter explained that this would be due to the fact that when underwriting, long term care insurers look to determine an individual’s probability of needing long-term care in the future and diagnosis of a particular condition is not the only way this may be determined and in some cases may not even be relevant to such a determination. The Department also heard similar concerns about the potential negative impact of an underwriting prohibition on the economic viability of the long-term market, from certain members of Congress who wrote to the Secretary on this issue, as well as from certain outside parties during fact finding meetings held by the Department.
Final Rule
he final rule adopts the approach of the proposed rule to apply the prohibition on using or disclosing protected health information that is genetic information for underwriting purposes to all health plans that are covered entities under the HIPAA Privacy Rule, including those to which GINA does not expressly apply, except with regard to issuers of long term care policies.
We continue to disagree with the commenters that stated such an extension would conflict with GINA and is outside the scope of our authority. As explained more fully in the proposed rule, the Department has broad authority under HIPAA to regulate a health plan’s uses and disclosures of protected health information, including genetic information, to protect an individual’s privacy interests. See 74 FR 51698, 51699-51700. It does not follow that by exempting “excepted benefits” from the prohibitions under GINA that Congress intended to restrict the Department’s broad authority under HIPAA. Further, there is no conflict with GINA in extending the same privacy protections outlined in GINA to those health plans that are not covered by GINA but are otherwise covered by the HIPAA Privacy Rule. GINA and section 264 of HIPAA are not irreconcilably inconsistent but rather operate concurrently without conflict.
Lastly, GINA did not override HIPAA, and did not displace the Department’s authority to prohibit uses and disclosures of genetic information that GINA does not otherwise prohibit. Therefore, nothing in GINA explicitly or implicitly curtails the broad authority of the Secretary to promulgate privacy standards for any and all health plans that are governed by the HIPAA Administrative Simplification provisions.
We also continue to believe that individuals have a strong privacy interest in not having their genetic information used in an adverse manner for underwriting purposes and to believe that this privacy interest outweighs any adverse impact on most health plans covered by the Privacy Rule. With respect to most health plans not subject to GINA, the public comment did not indicate that a prohibition on using genetic information for underwriting would have significant adverse impacts on the viability of these plans. Nor did the public comment generally provide information showing that these health plans actually use or disclose protected health information that is genetic information for underwriting, or plan to do so in the future (or even perform underwriting generally, in the case of some of the public benefit plans).
However, as indicated above, the Department did hear from a number of sources about the potential adverse impact a prohibition on using genetic information for underwriting would have on the ability of a long-term care insurer to effectively underwrite and thus, on the viability of the long-term care insurance market generally. The Department recognizes the importance of long-term care insurance coverage and the need to ensure its continued availability. The Department also acknowledges that, at this time, it does not have the information necessary to more precisely and carefully measure the extent of such an impact on the long-term market in order to appropriately balance an individual’s privacy interests with such an impact. Thus, this final rule excludes longterm care plans from the underwriting prohibition.
While we exempt long-term care plans from the underwriting prohibition in this final rule, we continue to believe an individual has a strong privacy interest in the way his or her genetic information is used for the underwriting of long-term care insurance. At the current time, however, we do not have sufficient information to determine the proper balance between the individual’s privacy interests and the industry’s concerns about the cost effects of excluding genetic information. For that reason, we are looking into ways to obtain further information on this issue, such as through a study by the National Association of Insurance Commissioners (NAIC) on the tension between the use of genetic information for underwriting and the associated privacy concerns in the context of their model long-term care rules. Based on the information the Department may obtain, the Department will reassess how best to move forward in this area in the future. Long-term care plans, while not subject to the underwriting prohibition, continue to be bound by the Privacy Rule, as are all other covered health plans, to protect genetic information from improper uses and disclosures, and to only use or disclose genetic information as required or expressly permitted by the Rule, or as otherwise authorized by the individual who is the subject of the genetic information.
Prohibition
Proposed Rule
To implement section 105 of GINA, the Department proposed a new prohibition on health plans using or disclosing protected health information that is genetic information for underwriting purposes at § 164.502(a)(3). We made clear that such a provision would operate notwithstanding the other provisions in the Privacy Rule permitting uses and disclosures, and proposed a conforming change to § 164.502(a)(1)(iv) to clarify further that an authorization could not be used to permit a use or disclosure of genetic information for underwriting purposes.
Overview of Public Comments
Some commenters expressly supported the proposed modification to the Privacy Rule to include the prohibition, and the proposed clarification that an authorization cannot be used to otherwise permit a prohibited use or disclosure of genetic information. One commenter suggested adding the examples from the preamble to the regulatory text, as well as language to the regulatory text to clarify that the prohibition applies to genetic information obtained by a health plan prior to the passage of GINA.
Final Rule
The final rule adopts the proposed prohibition on a health plan’s use or disclosure of genetic information for underwriting purposes, except with regard to health plans that are issuers of long term care policies, as explained above in section VI.C.1 regarding to which plans the final rule applies. This prohibition, located in this final rule at § 164.502(a)(5), applies to all genetic information from the compliance date of these modifications forward, regardless of when or where the genetic information originated.
We do not believe a clarification of this fact in the regulatory text is necessary.
Consistent with Sec. 101(a) of the statute, this prohibition should not be construed to limit the ability of a health plan to adjust premiums or contribution amounts for a group health plan based on the manifestation of a disease or disorder of an individual enrolled in the plan, even though a health plan cannot use the manifestation of a disease or disorder in one individual as genetic information about other group members and to further increase the premium for the plan. Similarly, for the individual health insurance market, a health plan is not prohibited from establishing rules for eligibility for an individual to enroll in coverage or from adjusting premium or contribution amounts for an individual based on the manifestation of a disease or disorder in that individual or in a family member of such individual where such family member is covered under the individual’s policy, even though the health plan cannot use the manifestation of a disease or disorder in one individual as genetic information about other individuals to further increase premiums or contribution amounts for those other individuals.
To illustrate how the prohibition operates, we reiterate the following examples (but for the reasons explained above, decline to include them in the regulatory text). If a health insurance issuer, with respect to an employer-sponsored group health plan, uses an individual’s family medical history or the results of genetic tests maintained in the group health plan’s claims experience information to adjust the plan’s blended, aggregate premium rate for the upcoming year, the issuer would be using protected health information that is genetic information for underwriting purposes in violation of § 164.502(a)(5)(i). Similarly, if a group health plan uses family medical history provided by an individual incidental to the collection of other information on a health risk assessment to grant a premium reduction to the individual, the group health plan would be using genetic information for underwriting purposes in violation of § 164.502(a)(5)(i).
The prohibition is limited to health plans. A health care provider may use or disclose genetic information as it sees fit for treatment of an individual. If a covered entity, such as an HMO, acts as both a health plan and health care provider, it may use genetic information for purposes of treatment, to determine the medical appropriateness of a benefit, and as otherwise permitted by the Privacy Rule, but may not use such genetic information for underwriting purposes. Such covered entities, in particular, should ensure that appropriate staff members are trained on the permissible and impermissible uses of genetic information.
HHS Description of and Commentary From the August 2002 Revisions |
December 2000 Privacy Rule. The December 2000 Rule did not explicitly address incidental uses and disclosures of protected health information. Rather, the Privacy Rule generally requires covered entities to make reasonable efforts to limit the use or disclosure of, and requests for, protected health information to the minimum necessary to accomplish the intended purpose. See § 164.502(b).
Additionally, § 164.530(c) of the Privacy Rule requires covered entities to implement appropriate administrative, technical, and physical safeguards to reasonably safeguard protected health information from any intentional or unintentional use or disclosure that violates the Rule.
Protected health information includes individually identifiable health information (with limited exceptions) in any form, including information transmitted orally, or in written or electronic form. See the definition of "protected health information" at § 164.501.
March 2002 NPRM. After publication of the Privacy Rule, the Department received a number of concerns and questions as to whether the Privacy Rule's restrictions on uses and disclosures will prohibit covered entities from engaging in certain common and essential health care communications and practices in use today. In particular, concern was expressed that the Privacy Rule establishes absolute, strict standards that would not allow for the incidental or unintentional disclosures that could occur as a by-product of engaging in these health care communications and practices. It was argued that the Privacy Rule would, in effect, prohibit such practices and, therefore, impede many activities and communications essential to effective and timely treatment of patients.
For example, some expressed concern that health care providers could no longer engage in confidential conversations with other providers or with patients, if there is a possibility that they could be overheard. Similarly, others questioned whether they would be prohibited from using sign-in sheets in waiting rooms or maintaining patient charts at bedside, or whether they would need to isolate X-ray lightboards or destroy empty prescription vials. These concerns seemed to stem from a perception that covered entities are required to prevent any incidental disclosure such as those that may occur when a visiting family member or other person not authorized to access protected health information happens to walk by medical equipment or other material containing individually identifiable health information, or when individuals in a waiting room sign their name on a log sheet and glimpse the names of other patients.
The Department, in its July 6 guidance, clarified that the Privacy Rule is not intended to impede customary and necessary health care communications or practices, nor to require that all risk of incidental use or disclosure be eliminated to satisfy its standards. The guidance promised that the Department would propose modifications to the Privacy Rule to clarify that such communications and practices may continue, if reasonable safeguards are taken to minimize the chance of incidental disclosure to others.
Accordingly, the Department proposed to modify the Privacy Rule to add a new provision at § 164.502(a)(1)(iii) which would explicitly permit certain incidental uses and disclosures that occur as a result of a use or disclosure otherwise permitted by the Privacy Rule. The proposal described an incidental use or disclosure as a secondary use or disclosure that cannot reasonably be prevented, is limited in nature, and that occurs as a by-product of an otherwise permitted use or disclosure. The Department proposed that an incidental use or disclosure be permissible only to the extent that the covered entity had applied reasonable safeguards as required by § 164.530(c), and implemented the minimum necessary standard, where applicable, as required by §§ 164.502(b) and 164.514(d).
Overview of Public Comments. The following discussion provides an overview of the public comment received on this proposal.
The Department received many comments on its proposal to permit certain incidental uses and disclosures, the majority of which expressed strong support for the proposal. Many of these commenters indicated that such a policy would help to ensure that essential health care communications and practices are not chilled by the Privacy Rule. A few commenters opposed the Department's proposal to permit certain incidental uses and disclosures, one of whom asserted that the burden on medical staff to take precautions not to be overheard is minimal compared to the potential harm to patients if incidental disclosures were to be considered permissible.
Final Modifications. In response to the overwhelming support of commenters on this proposal, the Department adopts the proposed provision at § 164.502(a)(1)(iii), explicitly permitting certain incidental uses and disclosures that occur as a by-product of a use or disclosure otherwise permitted under the Privacy Rule. As in the proposal, an incidental use or disclosure is permissible only to the extent that the covered entity has applied reasonable safeguards as required by § 164.530(c), and implemented the minimum necessary standard, where applicable, as required by §§ 164.502(b) and 164.514(d). The Department continues to believe, as was stated in the proposed Rule, that so long as reasonable safeguards are employed, the burden of impeding such communications is not outweighed by any benefits that may accrue to individuals' privacy interests.
However, an incidental use or disclosure that occurs as a result of a failure to apply reasonable safeguards or the minimum necessary standard, where required, is not a permissible use or disclosure and, therefore, is a violation of the Privacy Rule. For example, a hospital that permits an employee to have unimpeded access to patients' medical records, where such access is not necessary for the employee to do her job, is not applying the minimum necessary standard and, therefore, any incidental use or disclosure that results from this practice would be an unlawful use or disclosure under the Privacy Rule.
In response to the few comments that opposed the proposal to permit certain incidental uses and disclosures, the Department reiterates that the Privacy Rule must not impede essential health care communications and practices. Prohibiting all incidental uses and disclosures would have a chilling effect on normal and important communications among providers, and between providers and their patients, and, therefore, would negatively affect individuals' access to quality health care. The Department does not intend with this provision to obviate the need for medical staff to take precautions to avoid being overheard, but rather, will only allow incidental uses and disclosures where appropriate precautions have been taken.
The Department clarifies, in response to a comment, that this provision applies, subject to reasonable safeguards and the minimum necessary standard, to an incidental use or disclosure that occurs as a result of any permissible use or disclosure under the Privacy Rule made to any person, and not just to incidental uses and disclosures resulting from treatment communications or only to communications among health care providers or other medical staff. For example, a provider may instruct an administrative staff member to bill a patient for a particular procedure, and may be overheard by one or more persons in the waiting room. Assuming that the provider made reasonable efforts to avoid being overheard and reasonably limited the information shared, an incidental disclosure resulting from such conversation is permissible under the Rule.
In the proposal, the Department did not address whether or not incidental disclosures would need to be included in the accounting of disclosures required by § 164.528. However, one commenter urged the Department to exclude incidental disclosures from the accounting. The Department agrees with this commenter and clarifies that covered entities are not required to include incidental disclosures in an accounting of disclosures provided to the individual pursuant to § 164.528. The Department does not believe such a requirement would be practicable; in many instances, the covered entity may not know that an incidental disclosure occurred. To make this policy clear, the Department includes an explicit exception for such disclosures to the accounting standard at §164.528(a)(1).
Response to Other Public Comments.
Comment: One commenter expressed concern that the requirement reasonably to safeguard protected health information would be problematic because any unintended use or disclosure could arguably demonstrate a failure to "reasonably safeguard." This commenter requested that the Department either delete the language in § 164.530(c)(2)(ii) or modify the language to make clear that the fact that an incidental use or disclosure occurs does not imply that safeguards were not reasonable.
Response: The Department clarifies that the fact that an incidental use or disclosure occurs does not by itself imply that safeguards were not reasonable. However, the Department does not believe that a modification to the proposed language is necessary to express this intent. The language proposed and now adopted at § 164.530(c)(2)(ii) requires only that the covered entity reasonably safeguard protected health information to limit incidental uses or disclosures, not that the covered entity prevent all incidental uses and disclosures. Thus, the Department expects that incidental uses and disclosures will occur and permits such uses and disclosures to the extent the covered entity has in place reasonable safeguards and has applied the minimum necessary standard, where applicable.
Comment: Another commenter requested that the Department clarify its proposal to assure that unintended disclosures will not result in civil penalties.
Response: The Department's authority to impose civil monetary penalties on violations of the Privacy Rule is defined in HIPAA. Specifically, HIPAA added section 1176 to the Social Security Act, which prescribes the Secretary's authority to impose civil monetary penalties. Therefore, in the case of a violation of a disclosure provision in the Privacy Rule, a penalty may not be imposed, among other things, if the person liable for the penalty did not know and, by exercising reasonable diligence would not have known, that such person violated the provision. HIPAA also provides for criminal penalties under certain circumstances, but the Department of Justice, not this Department, has authority for criminal penalties.
Comment: One commenter requested that the Department clarify how covered entities should implement technical and physical safeguards when they do not yet know what safeguards the final Security Rule will require.
Response>: Each covered entity should assess the nature of the protected health information it holds, and the nature and scope of its business, and implement safeguards that are reasonable for its particular circumstances. There should be no potential for conflict between the safeguards required by the Privacy Rule and the final Security Rule standards, for several reasons. First, while the Privacy Rule applies to protected health information in all forms, the Security Rule will apply only to electronic health information systems that maintain or transmit individually identifiable health information. Thus, all safeguards for protected health information in oral, written, or other non-electronic forms will be unaffected by the Security Rule. Second, in preparing the final Security Rule, the Department is working to ensure the Security Rule requirements for electronic information systems work "hand in glove" with any relevant requirements in the Privacy Rule, including § 164.530.
Comment: One commenter argued that while this new provision is helpful, it does not alleviate covered entities' concerns that routine practices, often beneficial for treatment, will be prohibited by the Privacy Rule. This commenter stated that, for example, specialists provide certain types of therapy to patients in a group setting, and, in some cases, where family members are also present.
Response: The Department reiterates that the Privacy Rule is not intended to impede common health care communications and practices that are essential in providing health care to the individual. Further, the Privacy Rule's new provision permitting certain incidental uses and disclosures is intended to increase covered entities' confidence that such practices can continue even where an incidental use or disclosure may occur, provided that the covered entity has taken reasonable precautions to safeguard and limit the protected health information disclosed. For example, this provision should alleviate concerns that common practices, such as the use of sign-in sheets and calling out names in waiting rooms will not violate the Rule, so long as the information disclosed is appropriately limited. With regard to the commenters' specific example, disclosure of protected health information in a group therapy setting would be a treatment disclosure, a nd thus permissible without individual authorization. Further, § 164.510(b) generally permits a covered entity to disclose protected health information to a family member or other person involved in the individual's care. In fact, this section specifically provides that, where the individual is present during a disclosure, the covered entity may disclose protected health information if it is reasonable to infer from the circumstances that the individual does not object to the disclosure. Absent countervailing circumstances, the individual's agreement to participate in group therapy or family discussions is a good basis for such a reasonable inference. As such disclosures are permissible disclosures in and of themselves, they would not be incidental disclosures.
Comment: Some commenters, while in support of permitting incidental uses and disclosures, requested that the Department provide additional guidance in this area by providing additional examples of permitted incidental uses and disclosures and/or clarifying what would constitute "reasonable safeguards."
Response: The reasonable safeguards and minimum necessary standards are flexible and adaptable to the specific business needs and circumstances of the covered entity. Given the discretion covered entities have in implementing these standards, it is difficult for the Department to provide specific guidance in this area that is generally applicable to many covered entities. However, the Department intends to provide future guidance through frequently asked questions or other materials in response to specific scenarios that are raised by industry.
HHS Description from Original Rulemaking General Rules for Uses and Disclosures of Protected Health Information: Use and Disclosure for Treatment, Payment and Health Care Operations |
As a general rule, we proposed in the NPRM to prohibit covered entities from using or disclosing protected health information except as authorized by the individual who is the subject of such information or as explicitly permitted by the rule. The proposed rule explicitly would have permitted covered entities to use or disclose an individual's protected health information without authorization for treatment, payment, and health care operations. The proposal would not have restricted to whom disclosures could be made for the purposes of treatment, payment, or operations. The proposal would have allowed disclosure of the protected health information of one individual for the treatment or payment of another, as appropriate. We also proposed to prohibit covered entities from seeking individual authorization for uses and disclosures for treatment, payment, and health care operations unless required by state or other applicable law.
We proposed two exceptions to this general rule which prohibited covered entities from using or disclosing research information unrelated to treatment or psychotherapy notes for treatment, payment, or health care operations purposes unless a specific authorization was obtained from the subject of the information. In addition, we proposed that a covered entity be prohibited from conditioning treatment, enrollment in a health plan or payment decisions on a requirement that the individual provide a specific authorization for the disclosure of these two types of information (see proposed § 164.508(a)(3)(iii)).
We also proposed to permit covered entities to use or disclose an individual's protected health information for specified public and public policy-related purposes, including public health, research, health oversight, law enforcement, and use by coroners. In addition, the proposal would have permitted covered entities to use and disclose protected health information when required to do so by other law or pursuant to an authorization from the individual allowing them to use or disclose the information for purposes other than treatment, payment or health care operations.
We proposed to require covered entities to disclose protected health information for only two purposes: to permit individuals to inspect and copy protected health information about themselves and for enforcement of the rule.
We proposed not to require covered entities to vary the level of protection accorded to protected health information based on the sensitivity of such information. In addition, we proposed to require that each affected entity assess its own needs and devise, implement, and maintain appropriate privacy policies, procedures, and documentation to address its business requirements.
In the final rule, the general standard remains that covered entities may use or disclose protected health information only as permitted or required by this rule. However, we make significant changes to the conditions under which uses and disclosures are permitted.
We revise the application of the general standard to require covered health care providers who have a direct treatment relationship with an individual to obtain a general “consent” from the individual in order to use or disclose protected health information about the individual for treatment, payment and health care operations (for details on who must obtain such consents and the requirements they must meet, see § 164.506). These consents are intended to accommodate both the covered provider's need to use or disclose protected health information for treatment, payment, and health care operations, and also the individual's interest in understanding and acquiescing to such uses and disclosures. In general, other covered entities are permitted to use and disclose protected health information to carry out treatment, payment, or health care operations (as defined in this rule) without obtaining such consent, as in the proposed rule. Covered entities must, as under the proposed rule, obtain the individual's “authorization” in order to use or disclose psychotherapy notes for most purposes: see § 164.508(a)(2) for exceptions to this rule. We delete the proposed special treatment of “research information unrelated to treatment.”
We revise the application of the general standard to require all covered entities to obtain the individual's verbal “agreement” before using or disclosing protected health information for facility directories, to persons assisting in the individual's care, and for other purposes described in § 164.510. Unlike “consent” and “authorization,” verbal agreement may be informal and implied from the circumstances (for details on who must obtain such agreements and the requirements they must meet, see § 164.510). Verbal agreements are intended to accommodate situations where it is neither appropriate to remove from the individual the ability to control the protected health information nor appropriate to require formal, written permission to share such information. For the most part, these provisions reflect current practices.
As under the proposed rule, we permit covered entities to use or disclose protected health information without the individual's consent, authorization or agreement for specified public policy purposes, in compliance with the requirements in § 164.512.
We permit covered entities to disclose protected health information to the individual who is the subject of that information without any condition. We note that this may include disclosures to “personal representatives” of individuals as provided by § 164.502(g).
We permit a covered entity to use or disclose protected health information for other lawful purposes if the entity obtains a written “authorization” from the individual, consistent with the provisions of § 164.508. Unlike “consents,” these “authorizations” are specific and detailed. (For details on who must obtain such authorizations and the requirements they must meet, see § 164.508.) They are intended to provide the individuals with concrete information about, and control over, the uses and disclosures of protected health information about themselves.
The final rule retains the provision that requires a covered entity to disclose protected health information only in two instances: when individuals request access to information about themselves, and when disclosures are compelled by the Secretary for compliance and enforcement purposes.
Finally, § 164.502(a)(1) also requires covered entities to use or disclose protected health information in compliance with the other provisions of § 164.502, for example, consistent with the minimum necessary standard, to create de-identified information, or to a personal representative of an individual. These provisions are described below.
We note that a covered entity may use or disclose protected health information as permitted by and in accordance with a provision of this rule, regardless of whether that use or disclosure fails to meet the requirements for use or disclosure under another provision of this rule.
HHS Response to Comments Received from Original Rulemaking General Rules for Uses and Disclosures of Protected Health Information: Use and Disclosure for Treatment, Payment and Health Care Operations |
Comment: A few commenters requested an exemption from the rule for the Social Security and Supplemental Security Income Disability Programs so that disability claimants can be served in a fair and timely manner. The commenters were concerned that the proposal would be narrowly interpreted, thereby impeding the release of medical records for the purposes of Social Security disability programs.
Another commenter similarly asked that a special provision be added to the proposal's general rule for uses and disclosures without authorization for treatment, payment, and health care operations purposes to authorize disclosure of all medical information from all sources to the Social Security Administration, including their contracted state agencies handling disability determinations.
Response: A complete exemption for disclosures for these programs is not necessary. Under current practice, the Social Security Administration obtains authorization from applicants for providers to release an individual's records to SSA for disability and other determinations. Thus, there is no reason to believe that an exemption from the authorization required by this rule is needed to allow these programs to function effectively. Further, such an exemption would reduce privacy protections from current levels. When this rule goes into effect, those authorizations will need to meet the requirements for authorization under § 164.508 of this rule.
We do, however, modify other provisions of the proposed rule to accommodate the special requirements of these programs. In particular, Social Security Disability and other federal programs, and public benefits programs run by the states, are authorized by law to share information for eligibility purposes. Where another public body has determined that the appropriate balance between need for efficient administration of public programs and public funds and individuals' privacy interests is to allow information sharing for these limited purposes, we do not upset that determination. Where the sharing of enrollment and eligibility information is required or expressly authorized by law, this rule permits such sharing of information for eligibility and enrollment purposes (see § 164.512(k)(6)(i)), and also excepts these arrangements from the requirements for business associate agreements (see § 164.502(e)(1)).
Comment: A few commenters asked that the rule be revised to authorize disclosures to clergy, for directory purposes, to organ and tissue procurement organizations, and to the American Red Cross without patient authorization.
Response: We agree and revise the final rule accordingly. The new policies and the rationale for these policies are found in §§ 164.510 and 164.512, and the corresponding preamble.
Comment: One commenter recommended that the rule apply only to the “disclosure” of protected health information by covered entities, rather than to both “use” and “disclosure.” The commenter stated that the application of the regulation to a covered entity's use of individually identifiable health information offers little benefit in terms of protecting protected health information, yet imposes costs and may hamper many legitimate activities, that fall outside the definition of treatment, payment or health care operations.
Another commenter similarly urged that the final regulation draw substantive distinctions between restrictions on the “use” of individually identifiable health information and on the “disclosure” of such information, with broader latitude for “uses” of such information. The commenter believed that internal “uses” of such information generally do not raise the same issues and concerns that a disclosure of that information might raise. It was argued that any concerns about the potential breadth of use of this information could be addressed through application of the “minimum necessary” standard. The commenter also argued that Congressional intent was that a “disclosure” of individually identifiable health information is potentially much more significant than a “use” of that information.
Response: We do not accept the commenter's broad recommendation to apply the regulation only to the “disclosure” of protected health information and not to “use” of such information. Section 264 charges the Secretary with promulgating standards that address, among other things, “the uses and disclosures” of individually identifiable health information. We also do not agree that applying the regulation to “use” offers little benefit to protecting protected health information. The potential exists for misuse of protected health information within entities. This potential is even greater when the covered entity also provides services or products outside its role as a health care provider, health plan, or health care clearinghouse for which “use” of protected health information offers economic benefit to the entity. For example, if this rule did not limit “uses” generally to treatment, payment and health care operations, a covered entity that also offered financial services could be able to use protected health information without authorization to market or make coverage or rate decisions for its financial services products. Without the minimum necessary standard for uses, a hospital would not be constrained from allowing their appointment scheduling clerks free access to medical records.
We agree, however, that it is appropriate to apply somewhat different requirements to uses and disclosures of protected health information permitted by this rule. We therefore modify the application of the minimum necessary standard to accomplish this. See the preamble to § 164.514 for a discussion of these changes.
Comment: A commenter argued that the development, implementation, and use of integrated computer-based patient medical record systems, which requires efficient information sharing, will likely be impeded by regulatory restrictions on the “use” of protected health information and by the minimum necessary standard.
Response: We have modified the proposed approach to regulating “uses” of protected health information within an entity, and believe our policy is compatible with the development and implementation of computer-based medical record systems. In fact, we drew part of the revised policy on “minimum necessary” use of protected health information from the role-based access approach used in several computer-based records systems today. These policies are described further in § 164.514.
Comment: One commenter asked that the general rules for uses and disclosures be amended to permit covered entities to disclose protected health information for purposes relating to property and casualty benefits. The commenter argued that the proposal could affect its ability to obtain protected health information from covered entities, thereby constricting the flow of medical information needed to administer property and casualty benefits, particularly in the workers' compensation context. It was stated that this could seriously impede property and casualty benefit providers' ability to conduct business in accordance with state law.
Response: We disagree that the rule should be expanded to permit all uses and disclosures that relate to property and casualty benefits. Such a broad provision is not in keeping with protecting the privacy of individuals. Although we generally lack the authority under HIPAA to regulate the practices of this industry, the final rule addresses when covered entities may disclose protected health information to property and casualty insures. We believe that the final rule permits property and casualty insurers to obtain the protected health information that they need to maintain their promises to their policyholders. For example, the rule permits a covered entity to use or disclose protected health information relating to an individual when authorized by the individual. Property and casualty insurers are free to obtain authorizations from individuals for release by covered entities of the health information that the insurers need to administer claims, and this rule does not affect their ability to condition payment on obtaining such an authorization from insured individuals. Property and casualty insurers providing payment on a third-party basis have an opportunity to obtain authorization from the individual and to condition payment on obtaining such authorization. The final rule also permits covered entities to make disclosures to obtain payment, whether from a health plan or from another person such as a property and casualty insurer. For example, where an automobile insurer is paying for medical benefits on a first-party basis, a health care provider may disclose protected health information to the insurer as part of a request for payment. We also include in the final rule a new provision that permits covered entities to use or disclose protected health information as authorized by workers' compensation or similar programs established by law addressing work-related injuries or illness. See § 164.512(l). These statutory programs establish channels of information sharing that are necessary to permit compensation of injured workers.
Comment: A few commenters suggested that the Department specify “prohibited” uses and disclosures rather than “permitted” uses and disclosures.
Response: We reject these commenters' because we believe that the best privacy protection in most instances is to require the individual's authorization for use or disclosure of information, and that the role of this rule is to specify those uses and disclosures for which the balance between the individuals' privacy interest and the public's interests dictates a different approach. The opposite approach would require us to anticipate the much larger set of all possible uses of information that do not implicate the public's interest, rather than to specify the public interests that merit regulatory protection.
Comment: A commenter recommended that the rule be revised to more strongly discourage the use of individually identifiable health information where de-identified information could be used.
Response: We agree that the use of de-identified information wherever possible is good privacy practice. We believe that by requiring covered entities to implement these privacy restrictions only with respect to individually identifiable health information, the final rule strongly encourages covered entities to use de-identified information as much as practicable.
Comment: One commenter recommended that when information from health records is provided to authorized external users, this information should be accompanied by a statement prohibiting use of the information for other than the stated purpose; prohibiting disclosure by the recipient to any other party without written authorization from the patient, or the patient's legal representative, unless such information is urgently needed for the patient's continuing care or otherwise required by law; and requiring destruction of the information after the stated need has been fulfilled.
Response: We agree that restricting other uses or re-disclosure of protected health information by a third party that may receive the information for treatment, payment, and health care operations purposes or other purposes permitted by rule would be ideal with regard to privacy protection. However, as described elsewhere in this preamble, once protected health information leaves a covered entity the Department no longer has jurisdiction under the statute to apply protections to the information. Since we would have no enforcement authority, the costs and burdens of requiring covered entities to produce and distribute such a statement to all recipients of protected heath information, including those with whom the covered entity has no on-going relationship, would outweigh any benefits to be gained from such a policy. Similarly, where protected health information is disclosed for routine treatment, payment and operations purposes, the sheer volume of these disclosures makes the burden of providing such a statement unacceptable. Appropriate protection for these disclosures requires law or regulation directly applicable to the recipient of the information, not further burden on the disclosing entity. Where, however, the recipient of protected health information is providing a service to or on behalf of the covered entity this balance changes. It is consistent with long-standing legal principles to hold the covered entity to a higher degree of responsibility for the actions of its agents and contractors. See § 164.504 for a discussion of the responsibilities of covered entities for the actions of their business associates with respect to protected health information.