What the statutes mean
Chiropractors and their staff face major changes in their practices as a result of the new HIPAA privacy rules. The rules will require most health care providers, insurance companies, hospitals, and the businesses that serve these entities to make significant modifications to their software and office practices to ensure the privacy of their patients is completely protected.
Who does this rule apply to?
It applies to all health care providers that send or receive any patient claim or information by electronic means, including the Intranet. Because the rules also apply to insurance companies and claims clearinghouses, a chiropractor may be required to conform to HIPAA even if he/she does not transmit any data electronically.
Why are these rules necessary?
Health care information does not have the same type of protection as other types of confidential information such as your banking records. As a result, many health care providers, hospitals and insurance companies have revealed their patients' health care information without obtaining the permission of their patients. These rules are designed to ensure that doctors, hospitals and insurance companies give out patient information only after the patient has specifically authorized it. In addition, they will require software changes to ensure privacy when records are transmitted electronically and to restrict staff members that do not have legitimate job responsibilities from having access to patient files or health information.
What is the implementation date for these rules?
The electronic transmission portion of the rule
goes into effect in September of 2002. The administrative portion of the rule
is effective in February of 2003.
If a billing service prepares my billing, will I have to comply with these rules?
Yes. Both the provider and the
billing service must comply.
Can I rely on my software vendor to automatically comply with the law?
No. Since software vendors do not have direct access
to patient health information, they do not have to comply with the law. This means
that some software vendors may find the law too cumbersome to deal with. If that
is the case, the doctor will have to obtain new software that is compliant with
the electronic submission standards set under the law.
Can an insurance or managed care company force me to comply with these rules even if I do not transmit any claim data or patient information electronically?
If a managed care
or insurance company requires that you transmit patient data or claims electronically,
you will be required to follow all of these rules. Some managed care companies
will automatically require you to be HIPAA compliant so they protect themselves
against potential lawsuits over privacy. Those insurers or managed care companies
that do not require immediate compliance will likely do so in the future as they
allow electronic transmission of claims or health care information.
Why is the government insisting on these rules?
The government believes that doctors and insurance companies have not done enough to respect the confidentiality of patients' health care information. These rules now make it the responsibility of all of those involved in the health care industry to bend over backwards to protect a patient's right to privacy.
I understand what it means to send a claim electronically, but what types of other information is included under this rule?
If a chiropractor, insurer, or managed care company sends any of the following information, they must fully comply with the HIPAA rules.
(1) Health care claims.
(2) Health care records.
(3) Health care payment and remittance advice.
(4) Coordination of benefits.
(5) Health care claim status.
(6) Enrollment and disenrollment in a health plan.
(7) Eligibility for a health plan.
(8) Health plan premium payments.
(9) Referral certification and authorization.
(10) First report of injury.
Our state already has privacy laws. Do the HIPAA rules preempt them?
When
the HIPAA rules are stricter than state law, HIPAA preempts state law. In some
instances our state law provides more protection than HIPAA. In those cases, you
must follow the state law.
Can we simplify the rules by using a consent form where the patient gives blanket permission to do anything we want with their records?
No. The law is very specific about what must
be included in your consent form.
What if I decide to take my chances and not comply?
The law calls for severe civil and criminal penalties, including fines up to $250,000 and imprisonment of up to 10 years. The law gives the government the right to audit you at any time to ensure your practice is in compliance. The burden is on the doctor to prove they are complying with the law. However, a bigger concern may be a disgruntled patient. The privacy laws will get a good deal of publicity when they go into effect. A dissatisfied patient may decide to bring a lawsuit over violations of their privacy as an easy means of expressing their displeasure with the care they received.
Are chiropractors that do IMEs for an insurance company or the state covered by these rules?
Yes.
In general, how do these rules alter the way a doctor and his/her staff use patient health care information?
Before HIPAA there were state laws but no federal controls on how a doctor used a patient's health care information. If something was not forbidden under state or federal law, a doctor was allowed to use patient health care information in any way they chose. Under HIPAA, a chiropractor may not use patient information for any purpose except that which is permitted by the rules.
How may doctors or their staff use or disclose health care information?
Doctors and their staff are only allowed to use protected health information or to disclose that information in the following ways:
1) To the patient.
2) In compliance with a properly formatted consent form to carry out treatment, to obtain payment, or to properly run their practice.
3) To law enforcement officials with proper authorizations.
4) For advertising and marketing purposes only when the proper special consents have been obtained.
Must I put restrictions on the health care information my staff has access to?
Depending on the job responsibilities of a staff person, the answer may be yes. The law requires you to make reasonable efforts to limit a staff person's access to the minimum health information necessary to do their job. For example, if you had a chiropractic assistant whose job responsibilities were limited to scheduling patients and moving patients between the waiting room, the dressing room and the various treatment rooms, you must design ways to limit their access to patients' clinical records since they have no valid reason to see them. If some of your clinical records are kept on a computer to which all staff members have access, you would be required to work with your software vendor to limit access to some parts of the patient files.
Any staff person that has a legitimate need for patient information must have access to it. However, the determination of who should have access is based on the staff person's job description. If they work with all parts of the patient's record, they must have access to it. If their job does not require them to have access to certain types of information, their access to that information must be limited.
Our current practice is to send all of the clinical documentation in a patient's file whenever we receive a request from an insurance company. Will HIPAA require a change in our practices?
Yes. Under the minimum necessary standard, HIPAA requires you to send the minimum amount of clinical information necessary to accomplish the intended purpose. For example, to obtain payment of a claim you could reasonably send all of the clinical documentation since the onset of the current problem. However, you could not send records for care rendered previous to the onset of the current problem unless requested to do so by the insurance company and the release was authorized by the patient.
We always have new patients sign a consent to release records. Once they sign this release, will that cover us forever?
No. Consent forms must be limited in their duration.
If I refer a patient to another health care provider, am I limited in the clinical information I can provide to that doctor?
No. You may send all of the
clinical information in your file without limitation. The law is not intended
to interfere in any way with the treatment of a patient.
The WCA occasionally asks us to provide examples of problems that patients are having with insurance companies. Are we still allowed to send the WCA this information?
As part of its training classes the WCA gives attendees model consent forms. One of these forms authorizes health care information to be sent to the WCA under certain conditions. If you do not use the WCA's model consent form, the patient's permission will have to be obtained prior to sending us the information, or patient identifying information will have to be blacked out before it is sent.
How does HIPAA affect contracts that I have with my associate/s?
As the employer of your associate, the government wants to make sure you have fully informed the associate of their responsibilities under HIPAA. To ensure you have done so, there are specific requirements for your associate contracts.
1) Your contract must state the circumstances under which the associate is allowed to release protected patient information.
2) Your contract may not authorize the associate to use patient information in a manner that would violate these rules.
3) The contract may permit the associate to use protected health information for the proper management and administration of the practice.
4) The contract may permit your associate to provide you with the data necessary to run the overall practice.
5) Your associate may not use or further disclose patient information beyond what is allowed by your contract or required by law.
6) Your associate must use appropriate safeguards to prevent the use or disclosure of patient information unless it is specifically allowed in the contract.
7) Your associate must tell you when information is disclosed in an inappropriate manner as soon as he or she becomes aware of it.
8) Your associate must make health care information available to public health or law enforcement authorities when requested to do so in accordance with the rules.
9) Your contract must have specific provisions for the return or destruction of protected patient information at the termination of the contract.
10) Your contract must have a provision that authorizes termination of the contract by you, if you determine that the associate has violated a material term of the contract.
You are
personally subject to criminal or civil penalties if you find out that your associate
is repeatedly violating these rules and you failed to take reasonable steps to
stop the violations or terminate the contract.
When must I obtain a patient's permission to release protected health information?
You must obtain the patient's consent prior to treating the patient or submitting a claim on the patient's behalf.
What if there is an emergency and the patient is not capable of giving their consent?
You may treat the individual
as long as you obtain consent as soon as reasonably practicable after the treatment.
If you do not obtain the consent of the patient before treatment, you must document
the reason why consent was not obtained.
What happens if a patient refuses to sign the consent form required by HIPAA?
You may refuse to provide
the patient with treatment.
Can I combine this consent form with my informed consent for treatment or assignment of benefits form?
You may combine your "Consent for Use or Disclosure" with other consent forms as long as the "Consent for Use or Disclosure" is visually and organizationally separate from the other consents and is separately signed and dated by the individual.
My patient signed my "Consent for Use or Disclosure" form and then, a few weeks later, wanted to withdraw his consent. Can he do this?
A patient may withdraw their consent at any time as long as they do so in writing. If you have already used their consent form to send records or claim forms, you have nothing to worry about because a consent cannot be retroactively withdrawn. This will rarely happen. But when it does you will not be able to file insurance claims for the individual. The amount they owe you for care will have to be paid at the time of service unless you have made other arrangements.
Can I copy the language of the statute and use that for my consent form?
Unfortunately the language of the statutes cannot be used verbatim because the statute requires the consent form be in plain language. It is a shame the federal government did not impose the same requirement on itself to help simplify the understanding of the HIPAA rules. If you attend the WCA training course, you will be provided with a model consent form. If you choose to develop the form yourself, we would advise you to have an attorney review the form so it complies with all of the HIPAA requirements, including the plain language requirement.
What information must be included in my Consent to Use and Disclose Form?
All of the following points of information must be explained to the patient in plain language.
You must inform the patient that:
(1) their health records may be used for treatment purposes.
(2) their health records may be used for billing purposes.
(3) their health records may be used internally as part of your health care operations.
(4) they have the right to thoroughly review the notice before signing it.
(5) you reserve the right to change your privacy practices and explain how the patient may obtain a copy of any changes to your policy.
(6) they have the right to request that you restrict how their health records are used. You must also inform the patient that if they make this request, you do not have to agree with their request. If you agree with their request, the restriction is binding on you.
(7) they have the right to revoke their consent as long as they do so in writing. You must also inform them that if you have already used their consent, such as sending clinical records to an insurance company to obtain payment for a claim, their consent cannot be revoked retroactively.
(8) except in an emergency, the consent must be signed and dated before treatment can be rendered.
In addition, the consent must also contain the following elements written in plain language:
1) A specific description of the information you will use or disclose.
2) The name of the individuals authorized to use or disclose your information.
3) The name or other specific identification of the person or insurance company(s) to whom you may disclose information.
4) An expiration date or an expiration event for the consent.
5) A statement of the patient's right to revoke their consent in writing along with the exceptions to the right to revoke. As part of this statement you must include a description of how the patient would go about revoking their consent.
6) A statement that information disclosed may be re-disclosed by the person or organization that receives it and will no longer be protected by the rule.
7) The signature of the patient and date; and if the authorization is signed by a personal representative of the patient, a description of the representative's authority to act for the patient.
You must provide the patient with a copy of their signed consent/authorization.
I prepared my own consent or authorization forms and now realize there are mistakes in the form. What do I do?
According to the HIPAA rules, if any element
of the form has not been drafted properly, the consent form does not exist.
Obviously, having an invalid consent form leaves you open to the possibility of
penalties if you are audited. If you discover an error, you should fix your consent
form as soon as possible and then, have each patient sign a new form before they
receive their next treatment. If they have completed their course of treatment
but the claims are still open with the insurance company, you would have to have
the new consent form signed before protected health information was sent to the
insurance company.
A consent or patient authorization form is not valid if any of the information described in the preceding question is missing or incomplete and/or:
1) The consent has expired.
2) You or your staff know the consent has been revoked.
3) You or your staff know that any of the material information in the consent/authorization is false.
We are using the WCA's model consent form. Today in the mail we received a different consent form signed by the patient for another provider. In this consent form the patient had listed some restrictions on the use of his health information. Do I have a choice as to which consent form I follow?
The first thing to remember is that consent forms will look different from company to company. The forms may be called consent forms, authorizations, disclosure notices, privacy agreements, or legal permissions. HIPAA rules give you the following choices when you receive conflicting consent forms. You may follow the consent that has the most restrictive language. You may obtain a new consent form from the patient in which they clarify their intentions. Or, you may discuss the patient's intention with them. If you choose this last option you must document the patient's decision in their records.
How long must I keep the patient's consent/authorization in my records?
You must keep the patient's consent/authorization in your records for six years from the date it was last in effect or used. Please note, this could be substantially longer than the seven year records requirement the state has for clinical documentation, because the clinical documentation requirement is seven years from the date the documentation was created whereas this requirement is six years from the date it is last used or in effect.
I would like to do advertising/marketing in which I use the name of a patient. What type of consent/authorization form must my patient sign?
All of the following points of information must be explained to the patient in plain language.
You must inform the patient that:
1) their health records may be used for treatment purposes.
2) their health records may be used for billing purposes.
3) their health records may be used internally as part of your health care operations.
4) they have the right to thoroughly review the notice before signing it.
5) you reserve the right to change your privacy practices and explain how the patient may obtain a copy of any changes to your policy.
6) they have the right to request that you restrict how their health records are used. You must also inform the patient that if they make this request, you do not have to agree with their request. If you do agree, the restriction is binding on you.
7) They have the right to revoke their consent as long as they do so in writing. You must also inform them that if you have already used their consent, such as sending clinical records to an insurance company to obtain payment for a claim, their consent cannot be revoked retroactively.
8) Except in an emergency, the consent must be signed and dated before treatment can be rendered.
In addition, the consent must also contain the following elements written in plain language:
1) A specific description of the information you will use or disclose.
2) The name of the individuals authorized to use or disclose your information.
3) The name or other specific identification of the person or insurance company(s) to whom you may disclose information.
4) An expiration date or an expiration event for the consent.
5) A statement of the patient's right to revoke their consent in writing along with the exceptions to the right to revoke. As part of this statement you must include a description of how the patient would go about revoking their consent.
6) A statement that information that is disclosed may be re-disclosed by the person or organization that receives it and will no longer be protected by the rule.
7) The signature of the patient and the date; and if the authorization is signed by a personal representative of the patient, a description of such representative's authority to act for the patient.
8) A statement that you will not refuse to take care of the patient, or refuse to process their claims, if they do not agree to let their name be used in your advertising or marketing.
9) A description of each advertisement or marketing piece in which their name will appear.
10) A statement that the patient may inspect or copy the health information to be used or disclosed and refuse to sign the consent/authorization.
11) A statement that you expect to receive direct or indirect compensation from the use of their name.
You must provide the patient with a copy of their signed consent/authorization.
I would like to either send marketing information for specific products to my patients or sell the names of my patients to another business. What type of consent/authorization form must my patient sign?
All of the following points of information must be explained to the patient in plain language.
You must inform the patient that:
1) their health records may be used for treatment purposes.
2) their health records may be used for billing purposes.
3) their health records may be used internally as part of your health care operations.
4) they have the right to thoroughly review the notice before signing it.
5) you reserve the right to change your privacy practices and explain how the patient may obtain a copy of any changes to your policy.
6) they have the right to request that you restrict how their health records are used. You must also inform the patient that if they make this request, you do not have to agree with their request. If you do agree, the restriction is binding on you.
7) They have the right to revoke their consent as long as they do so in writing. You must also inform them that if you have already used their consent, such as sending clinical records to an insurance company to obtain payment for a claim, their consent cannot be revoked retroactively.
8) Except in an emergency, the consent must be signed and dated before treatment can be rendered.
In addition, the consent must also contain the following elements written in plain language:
1) A specific description of the information you will use or disclose.
2) The name of the individuals authorized to use or disclose your information.
3) The name or other specific identification of the person or insurance company(s) to whom you may disclose information.
4) An expiration date or an expiration event for the consent.
5) A statement of the patient's right to revoke their consent in writing along with the exceptions to the right to revoke. As part of this statement, you must include a description of how the patient would go about revoking their consent.
6) A statement that information disclosed may be re-disclosed by the person or organization that receives it and will no longer be protected by the rule.
7) The signature of the patient and the date; and if the authorization is signed by a personal representative of the patient, a description of such representative's authority to act for the patient.
8) A statement that you will not refuse to take care of the patient, or refuse to process their claims, if they do not agree to let their name be used in your advertising or marketing.
9) A description of how their health information will be used by each company to whom it is sold.
10) A statement that the patient may inspect or copy the health information to be used or disclosed and refuse to sign the consent/authorization.
11) A statement that you expect to receive direct or indirect compensation from the use of their name.
You must provide the patient with a copy of their signed consent/authorization.
I need to obtain records from another chiropractor, other health care provider, or a hospital. What type of consent/authorization form must my patient sign?
All of the following points of information must be explained to the patient in plain language.
You must inform the patient that:
1) their health records may be used for treatment purposes.
2) their health records may be used for billing purposes.
3) their health records may be used internally as part of your health care operations.
4) they have the right to thoroughly review the notice before signing it.
5) you reserve the right to change your privacy practices and explain how the patient may obtain a copy of any changes to your policy.
6) they have the right to request that you restrict how their health records are used. You must also inform the patient that if they make this request, you do not have to agree with their request. If you do agree, the restriction is binding on you.
7) They have the right to revoke their consent as long as they do so in writing. You must also inform them that if you have already used their consent, such as sending clinical records to an insurance company to obtain payment for a claim, their consent cannot be revoked retroactively.
8) Except in an emergency, the consent must be signed and dated before treatment can be rendered.
In addition, the consent must also contain the following elements written in plain language:
1) A specific description of the information you will use or disclose.
2) The name of the individuals authorized to use or disclose your information.
3) The name or other specific identification of the person or insurance company(s) to whom you may disclose information.
4) An expiration date or an expiration event for the consent.
5) A statement of the patient's right to revoke their consent in writing along with the exceptions to the right to revoke. As part of this statement, you must include a description of how the patient would go about revoking their consent.
6) A statement that information disclosed may be re-disclosed by the person or organization that receives it and will no longer be protected by the rule.
7) The signature of the patient and date; and if the authorization is signed by a personal representative of the patient, a description of the representative's authority to act for the patient.
8) A description of each purpose for the consent/authorization.
9) A statement that you will not refuse to treat the individual or refuse to process their claims if they refuse to sign the consent/authorization.
10) A statement that the patient may refuse to sign the consent/authorization.
You must provide the patient with a copy of their signed consent/authorization.
Are there any situations where I do not need the consent/authorization to release a patient's health information?
You do not need the patient's permission to release the patient's health information:
- when the disclosure is required by law.
- to a public health authority that collects information for the purpose of preventing or controlling disease, injury, or disability. This type of data collection most often pertains to the medical profession; however, there could be instances in the future when chiropractic data might be solicited.
- to a public health authority that receives reports of child abuse or neglect.
- to an employer or a workers' compensation carrier to evaluate whether the individual has a work-related illness or injury. For example, Wisconsin's workers' compensation laws require the release of all patient health care information that is reasonably related to the patient's area of injury. You do not have to obtain the patient's consent to release this information. However, if you release information to the employer or workers' compensation carrier you must provide written notice to the patient that you are disclosing protected health information to the employer. You can either give a copy of this notice to the patient at the time you provide care to them or, if you are providing care at the worksite of the employer, you may post the notice in a prominent place at the place you provide the care.
- to a social service or protective agency authorized to receive reports about an individual you reasonably believe to be a victim of abuse, neglect, or domestic violence to the extent law requires the disclosure. You may only disclose the portions of the patient file that are relevant to the abuse. If you make this report to a social service or protective agency you must promptly inform the patient unless in your professional judgment you believe informing the individual would place the individual at risk of serious harm.
If our office wants to participate in a study or research project where our records are requested and we do not have the permission of some or all of the patients to release protected health information, what information must we remove from the records before we can participate in the study or research project?
All of the following information must be removed from the records:
(A) Patient names.
(B) All address information except for the first three digits of the patient's zip code, as long as the geographic area of the three-digit zip code area contains at least 20,000 people. For major metropolitan areas this is never a problem. For doctors in rural areas, a quick call to the post office will tell you this information.
(C) All dates except the year of service (e.g. birth date, initial date of service, discharge date).
(D) Telephone numbers.
(E) Fax numbers.
(F) Electronic mail addresses.
(G) Social security numbers.
(H) Record numbers.
(I) Health plan beneficiary numbers.
(J) Account numbers.
(K) Certificate/license numbers.
(L) Vehicle identifiers and serial numbers, including license plate numbers.
(M) Device identifiers and serial numbers.
(N) Web Universal Resource Locators (URLs).
(O) Internet Protocol (IP) address numbers.
(P) Biometric identifiers, including finger and voice prints.
(Q) Full face photographic images and any comparable images.
(R) Any other unique identifying number, characteristic, or code.
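As an added illustration (this code is not from the WCA or from the rules themselves), the following Python function applies the list above to one patient record: it drops the direct identifiers, keeps only the first three zip digits when that area holds at least 20,000 people, reduces every date to its year, and scrubs dates, phone numbers, e-mail addresses and social security numbers that are buried in free-text notes. The field names, the sample record and the three-digit zip population table are constructed assumptions; the rural zip shows the case where the three digits are dropped entirely.

```python
"""De-identify a patient record following items (A)-(R) above.

Added example, not part of the WCA text. Field names, the population
lookup and the sample record are constructed for illustration.
"""
import re
from datetime import date

# Items (A), (D)-(R): direct identifiers that are dropped outright.
DIRECT_IDENTIFIERS = {
    "name", "phone", "fax", "email", "ssn", "record_number",
    "beneficiary_number", "account_number", "license_number",
    "vehicle_id", "device_id", "url", "ip_address", "biometric", "photo",
}

# Allowlist of clinical fields that may survive. Anything not listed here
# (street, city, employer, ...) is dropped, so a new field cannot leak by
# default; only "zip" and "*_date" fields get special generalisation.
CLINICAL_FIELDS = {"diagnosis", "treatment", "notes"}

# Item (B): a three-digit zip area must contain at least 20,000 people.
ZIP3_MIN_POPULATION = 20_000

# Constructed sample lookup (first three zip digits -> population).
# A real deployment would use census figures, as the text suggests.
SAMPLE_ZIP3_POPULATION = {"537": 500_000, "548": 8_000}

# Patterns for identifiers that tend to hide inside free-text notes.
DATE_RE = re.compile(r"\b(\d{1,2})/(\d{1,2})/(\d{4})\b")   # mm/dd/yyyy
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
PHONE_RE = re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")


def generalize_zip(zip_code, zip3_population):
    """Item (B): keep three digits only if the area meets the threshold,
    otherwise return None so the zip is dropped entirely."""
    zip3 = str(zip_code)[:3]
    if zip3_population.get(zip3, 0) >= ZIP3_MIN_POPULATION:
        return zip3
    return None


def year_only(value):
    """Item (C): reduce a date (date object or ISO 'YYYY-MM-DD') to its year."""
    if isinstance(value, date):
        return value.year
    return int(str(value)[:4])


def scrub_text(text):
    """Apply items (C), (D), (F) and (G) to free text: dates become the
    bare year, and SSNs, phone numbers and e-mail addresses are removed."""
    text = DATE_RE.sub(lambda m: m.group(3), text)
    text = SSN_RE.sub("[REMOVED]", text)
    text = PHONE_RE.sub("[REMOVED]", text)
    text = EMAIL_RE.sub("[REMOVED]", text)
    return text


def deidentify(record, zip3_population=SAMPLE_ZIP3_POPULATION):
    """Return a new dict containing only de-identified fields."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                          # dropped outright
        if key == "zip":
            zip3 = generalize_zip(value, zip3_population)
            if zip3 is not None:
                out["zip3"] = zip3
        elif key.endswith("_date"):
            out[key.replace("_date", "_year")] = year_only(value)
        elif key in CLINICAL_FIELDS:
            out[key] = scrub_text(value) if isinstance(value, str) else value
        # any other field is not on the allowlist and is silently dropped
    return out


# Constructed sample record (fictional values).
SAMPLE_RECORD = {
    "name": "Jane Example", "street": "1 Main St", "city": "Madison",
    "zip": "53703", "phone": "608-555-0100", "email": "jane@example.org",
    "ssn": "123-45-6789", "record_number": "MR-0042",
    "birth_date": "1970-05-02", "initial_service_date": date(2002, 3, 15),
    "diagnosis": "lumbar strain",
    "notes": "Seen 03/15/2002; call 608-555-0100 or jane@example.org. SSN 123-45-6789.",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD))
    # rural zip below the 20,000 threshold: no zip survives at all
    print(deidentify({**SAMPLE_RECORD, "zip": "54801"}))
```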
What limits must I place on my staff's access to a patient's health care information?
You must make reasonable efforts to limit the access of each person to the information they need to do their job. A CA that does front desk work limited to scheduling and assisting patients to treatment rooms does not need access to a patient's clinical documentation. The law says that you must limit access to those portions of your computer system that might have patient data and limit access to the areas where hard copies of patient records are stored.
To ensure compliance with this section of the law, each employee should have a job description that clearly states his or her responsibilities. A responsible person should be able to infer why a CA needs access to the patient's health care records based on their job responsibilities.
What steps must we take to make sure that we are not releasing more information than is necessary when records are requested by an insurance company, an attorney, or another third party?
You are allowed to assume that any request by an insurance company meets the minimum necessary criteria in the law. However, you must be sensitive to overly broad requests made by attorneys. When any attorney requests the entire patient file, you should ask for their written justification for records that are not reasonably related to the area of the patient's injury. Before records are sent that are not reasonably related to the patient's area of injury, written consent from the patient should be obtained.
Each office must have written criteria (or a protocol) covering:
- How to determine what information is reasonably related to a patient's injury.
- How to delete information that should not be sent.
- How to respond to overly broad requests for patient information.
- How to document the fact that patient information was sent to a third party.
- How long to keep the above documentation.
The job description for all individuals who have the responsibility for sending out patient information should state that they must follow this procedure or protocol before records are released.
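An added example, not from the original page or from any vendor's software, of how the two rules above (job-based access to record sections, and the release protocol for attorney requests) can be enforced in a small record system: a role-to-section table derived from job descriptions gates internal access and logs every attempt, and a release routine sends an attorney only the notes reasonably related to the injury, withholds the rest until written patient consent is on file, and produces the release record the protocol calls for. The roles, record sections, chart contents and function names are assumptions.

```python
"""Minimum-necessary access and release checks for a chiropractic office.

Added example with constructed data: the roles, record sections and the
patient chart below are invented for illustration and are not taken from
any real practice or software product."""
from dataclasses import dataclass
from datetime import date

# Sections a patient's record is assumed to be partitioned into.
SCHEDULING, DEMOGRAPHICS, BILLING, CLINICAL = "scheduling", "demographics", "billing", "clinical"

# Sections each (assumed) job description justifies. A front-desk CA who only
# schedules and escorts patients to treatment rooms gets no clinical access.
ROLE_SECTIONS = {
    "front_desk_ca": {SCHEDULING, DEMOGRAPHICS},
    "billing_ca": {SCHEDULING, DEMOGRAPHICS, BILLING},
    "treating_dc": {SCHEDULING, DEMOGRAPHICS, BILLING, CLINICAL},
}


@dataclass
class AccessEvent:
    staff: str
    role: str
    patient_id: str
    section: str
    allowed: bool


AUDIT_LOG: list = []  # every attempt, allowed or denied, kept for review


def check_access(staff, role, patient_id, section):
    """Permit access only to sections the role's job description covers.
    Denied attempts are logged too, so access outside job duties can be reviewed."""
    allowed = section in ROLE_SECTIONS.get(role, set())
    AUDIT_LOG.append(AccessEvent(staff, role, patient_id, section, allowed))
    return allowed


# Constructed clinical notes, each tagged with the body region it concerns.
CHART = {
    "P-1001": [
        {"date": date(2003, 1, 10), "region": "lumbar", "note": "low back pain after lifting"},
        {"date": date(2001, 5, 2), "region": "cervical", "note": "neck stiffness, resolved"},
        {"date": date(2003, 2, 3), "region": "lumbar", "note": "follow-up adjustment"},
    ],
}


def prepare_release(patient_id, requester, requester_type, injury_region,
                    *, written_justification=False, patient_consent=False):
    """Select the notes to send and build the release record kept on file.

    Insurance requests are assumed to meet the minimum necessary standard,
    so the requested notes are sent. For an attorney or other third party,
    notes not reasonably related to the injury region are withheld until
    written patient consent is on file; if the requester supplied no written
    justification for the unrelated records, the record flags that one must
    be requested. Returns (notes_sent, release_record)."""
    notes = CHART[patient_id]
    if requester_type == "insurance":
        sent, withheld = list(notes), []
    else:
        related = [n for n in notes if n["region"] == injury_region]
        unrelated = [n for n in notes if n["region"] != injury_region]
        sent = related + unrelated if patient_consent else related
        withheld = [] if patient_consent else unrelated
    record = {
        "patient_id": patient_id,
        "requester": requester,
        "requester_type": requester_type,
        "notes_sent": [n["date"].isoformat() for n in sent],
        "notes_withheld": len(withheld),
        "justification_needed": bool(withheld) and not written_justification,
    }
    return sent, record
```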
If I send a newsletter to my patients that includes paid advertising, what does the law require me to do?
In any newsletter or communication that includes paid advertising you must:
- Clearly identify your practice with its name, address and telephone number.
- Prominently state the fact that you will receive direct or indirect remuneration for running the ad. Direct remuneration is a payment you receive. Indirect remuneration is anything of value, such as products, services, discounts, or offsetting advertising, that you receive in exchange for running the ad.
If I send a brochure or any marketing information to my patients that includes paid advertising in which I am marketing a product or service, what does the law require me to do?
The rules are stricter for sending brochures or other marketing materials than they are for newsletters. In any brochure or marketing information that includes paid advertising you must:
- Clearly identify yourself or your practice with your name or the practice name, address and telephone number.
- Prominently state the fact that you will receive direct or indirect remuneration for running the ad. Direct remuneration is a payment you receive. Indirect remuneration is anything of value, such as products, services, discounts, or offsetting advertising, that you receive in exchange for running the ad.
- Give instructions as to how a person can opt out of receiving future communications.
If you used protected health information to target the communication to patients based on their health status or condition:
- You must make a determination, prior to mailing the marketing information, that the product or service being marketed may be beneficial to the health of the type or class of individual targeted. The communication must explain why the individual has been targeted and how the product or service relates to the health of the patient.
- You must make reasonable efforts to ensure that individuals who decide to opt out of receiving future marketing communications are not sent any further communications.
What must I do to make sure that the person requesting protected health information is entitled to receive it?
Prior to sending or revealing protected health information, if you do not know the individual, you are required to verify the identity of the person requesting the information and that the person has the authority to make the request. This portion of the law would seem to eliminate a verbal request for records except when you have had a prior working relationship with the individual. Written requests for records should have the insurance company name, address, and telephone number as part of the request. In addition, the request should have the job title of the person making the request for patient records. As long as there is nothing unusual about the request, you are not required to further investigate the credentials of the person making the request.
What information can our patients expect to receive from their insurance companies, self-insured plans or HMOs?
Your patients have the right to notification every time their health information is used or disclosed by their insurance company, self-insured plan or HMO. Patients will receive a lot of information regarding their privacy rights. Should they bring questions to you, please do not hesitate to ask for help in answering them.
What specific elements must be in the privacy notice that we provide to patients?
The first thing to remember is that your patients have a right to adequate notice of every way you use or disclose protected health information. They must also be informed, in writing, that they have rights related to their health information and that you have specific legal duties with respect to that protected information.
Required elements of the notice
You must provide each patient with a notice, written in plain language, that contains the following required elements.
1) Header. The notice must contain the following statement as a header or otherwise prominently displayed: THIS NOTICE DESCRIBES HOW CHIROPRACTIC AND MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
2) Uses and disclosures. The notice must contain:
(A) A description, including at least one example, of the types of uses and disclosures that you are permitted to make for each of the following purposes: treatment, payment and health care operations.
(B) A description of each of the other purposes for which you are permitted or required to use or disclose protected health information without the individual's written consent or authorization.
(C) If a use or disclosure for any purpose is prohibited or materially limited by other applicable law, the description of such use or disclosure must reflect the more stringent law as defined in Sec. 160.202 of this subchapter.
(D) For each purpose, the description must include sufficient detail to place the patient on notice of the uses and disclosures that are permitted or required by this law.
(E) A statement that other uses and disclosures will be made only with the patient's written authorization and that the patient may revoke such authorization as detailed below.
3) Separate statements for certain uses or disclosures. If you intend to engage in any of the following activities, your description must include a separate statement for each activity that you may carry out:
(A) That you may contact the patient to provide appointment reminders or information about treatment alternatives or other health-related benefits and services that may be of interest to the patient;
(B) If you work for a hospital or other organization that raises funds for research or other purposes, that you may contact the patient to raise funds for that purpose;
(C) If you are a member of a group health plan, health insurance issuer or HMO, that you may disclose protected health information to the sponsor of the plan.
4) Patient's rights. The notice must contain a statement of the patient's rights with respect to protected health information and a brief description of how the patient may exercise these rights, as follows:
(A) The right to request restrictions on the use and disclosures of their protected health information, including a statement that you are not required to agree to a requested restriction.
(B) The right to receive confidential communications of protected health information.
(C) The right to inspect and copy protected health information.
(D) The right to amend protected health information.
(E) The right to receive an accounting of disclosures of protected health information.
(F) The right of a patient, including a patient who has agreed to receive the notice electronically, to obtain a paper copy of the notice from you upon request.
5) Your duties. The notice must contain:
(A) A statement that you are required by law to maintain the privacy of protected health information and to provide patients with notice of your legal duties and privacy practices with respect to protected health information.
(B) A statement that you are required to abide by the terms of the notice currently in effect.
(C) A statement that you reserve the right to change the terms of your notice and to make the new notice provisions effective for all protected health information that you maintain. The statement must also describe how you will provide patients with a revised notice.
6) Complaints. The notice must contain a statement that the patient may complain to you and to the Secretary of Health and Human Services if they believe their privacy rights have been violated. The statement must contain a brief description of how the patient may file a complaint with you, and a statement that the patient will not be retaliated against for filing a complaint.
7) Contact. The notice must contain the name, or title, and telephone number of a person to contact for further information.
8) Effective date. The notice must contain the date on which the notice is first in effect, which may not be earlier than the date on which the notice is printed or otherwise published.
Optional elements.
In addition to the information listed above, if you elect to limit the uses or disclosures you are permitted to make, you may describe your more limited uses or disclosures in your notice, provided that you may not include a limitation affecting your right to make a use or disclosure required by law. Before you are allowed to apply a change to your more limited use and/or disclosure policy, you must first ensure that you have complied with all of the requirements that have been previously listed in this question.
When must we revise our notice?
You must promptly revise and distribute your notice whenever there is a material change:
- in the way you use or disclose protected health information.
- in the patients' rights.
- in your legal duties.
- in other privacy practices stated in your original notice.
Except when required by law, a material change to any term of your notice may not be implemented prior to the effective date of the notice in which the material change is reflected.
When must health plans give notices to their patients?
They must make the notice available on request to any person and to their subscribers on the following schedule:
(a) No later than the initial date the compliance law becomes effective, for everyone enrolled in the plan at that time.
(b) After that date, at the time of enrollment for new enrollees.
(c) Within 60 days of a material revision to the notice, to individuals then covered by the plan.
(d) No less frequently than once every three years. The health plan must notify their subscribers then covered by the plan of the availability of the notice and how to obtain the notice.
When must I provide notices to my patients?
You must provide the privacy notice no later than the date you first provide treatment to the patient after February 26, 2003. In addition, you must have the notice available in your office so patients may take a copy with them. The notice should be posted in a clear and prominent location where it is reasonable to expect patients seeking care from you to be able to read the notice. Whenever you revise your notice, you must make the notice available upon request on or after the effective date of the revision and follow the same procedures as required for the original notice.
If you maintain a web site that provides information about your services, you must prominently post your notice on the web site and make the notice available electronically through the web site. You may provide the notice to a patient by e-mail if the patient agrees to electronic notice and the agreement has not been withdrawn. If you know the e-mail transmission has failed, a paper copy of the notice must be provided to the patient. If the first service delivery to a patient is delivered electronically, you must provide electronic notice automatically and contemporaneously in response to the patient's first request for service. The patient who is the recipient of electronic notice retains the right to obtain a paper copy of the notice from you upon request.
Can a patient put restrictions on their consent to release their health information?
Yes. By law you must permit your patients to request that you not send information to certain parties or that you limit the type of information sent to another party. This restriction can apply to treatment, payment, or the operation of your practice. You are not required to agree to their restrictions and, if you did not, you would release them from your care. Any restrictions you agree to must be in writing.
If you agree to the restriction, you may not use or disclose the information that is part of the restriction. If the patient is in need of emergency treatment and the restricted protected health information is needed, you may use the restricted protected health information, or may disclose such information to another health care provider, to provide such treatment to the individual. If you use the restricted information for emergency treatment, you must request that the person to whom the information was disclosed does not further use or disclose the information. A patient cannot require you to ignore requests for information you are required to give by law.
What must we do to terminate our agreement to a disclosure restriction?
You may terminate your agreement to a restriction if:
(a) The patient agrees to or requests the termination in writing;
(b) The patient orally agrees to the termination and the oral agreement is documented; or
(c) You inform the patient you are terminating your agreement to the restriction. This type of termination is only effective with respect to protected health information created or received after you have informed the patient.
Some patients request that we send information to a location other than their home. Are we required to do so?
Yes. You must accommodate reasonable requests by patients to receive communications about their health records from you by alternative means or at alternative locations. You may require patients to make their requests in writing. You may not require an explanation from the patient as to why they need the information sent to a different location.
What rights do my patients have to see information in their file?
A patient has the right to inspect and obtain a copy of their file for as long as you maintain the protected health information. You must permit a patient to request that they be allowed to inspect or copy their file. You may require patients to make requests for access in writing, provided you informed patients of this requirement.
This law requires you to give the patient access to their records no later than 30 days after receipt of the request. However, the chiropractic examining board expects records to be turned over to the patient as soon as possible, which generally means within a day or two if not sooner, unless there is a good reason why you are unable to do so. If you are unable to produce the records within 30 days, you may extend the time by no more than 30 days, provided you give the patient a written explanation as to why the delay is necessary. You may have only one extension.
Do my patients have the right to request that their information be given to them in a special format?
Yes. You must provide the patient with access to their protected health information in the form or format requested by the patient, if it is readily producible in that form or format. If it is not, you must produce it in a readable hard copy form or in a form or format that you and the patient agree to.
You may provide the patient with a summary of the protected health information requested, in lieu of providing access to the protected health information, or you may provide an explanation of the protected health information to which access has been provided, if the patient agrees in advance to such a summary or explanation and the patient agrees in advance to the fees imposed, if any, by you for the summary.
May we charge a fee for the records we provide to our patients?
If a patient requests a copy of their records or agrees to a summary of the records, you may impose a reasonable, cost-based fee, provided that the fee includes only the cost of:
- Copying, including the cost of supplies and labor of copying the file;
- Postage, when the patient has requested the copies be mailed; and
- Preparing a summary of the file if agreed to by the patient.
What documentation is required on the records that are available for inspection or copying by my patients?
You must document the following and retain the documentation for 6 years:
(1) The designated record sets that are subject to access by individuals; and
(2) The titles of the persons responsible for receiving and processing requests for access by patients.
Does a patient have the right to make changes to their records?
A patient has the right to have you amend their records as long as you have the records in your files. You may deny a patient's request for an amendment if you determine that the record that is the subject of the request:
- was not created by you, unless the patient provides a reasonable basis to believe that the originator of the protected health information is no longer available to act on the requested amendment.
- is not part of their records.
- in your view is accurate and complete. This last point prevents a patient from being able to compel you to put false clinical information into their file.
You must permit a patient to request that you amend their records. You may require patients to make requests for amendments in writing and to provide a reason to support a requested amendment, provided that you inform your patients in advance of this requirement.
You must act on the patient's request for an amendment no later than 60 days after receipt of such a request. If you deny the request, you must give the patient a written explanation for your denial within 60 days. If you are unable to act on the amendment within 60 days, you may extend the time by no more than 30 days, provided that within 60 days you give the patient a written statement of the reasons for the delay and the date by which you will complete your action on the request. You may only have one 30-day extension.
If you accept the requested amendment, in whole or in part, you must comply with the following requirements.
(1) You must make the appropriate amendment to the patient's records by, at a minimum, identifying the records that are affected by the amendment and appending or otherwise providing a link to the location of the amendment.
(2) You must timely inform the patient that the amendment is accepted and obtain the patient's identification of and agreement to have you notify the relevant persons with which the amendment needs to be shared.
(3) You must make reasonable efforts to inform and provide the amendment within a reasonable time to:
(a) Persons identified by the patient as having received records needing the amendment; and
(b) Persons, including business associates, that you know may have relied or could rely on the previous information to the detriment of the patient.
What are my responsibilities if I deny a patient's request to amend their records?
If you deny a patient's request for an amendment, in whole or in part, you must comply with the following requirements.
(1) You must provide the patient with a timely, written denial. The denial must use plain language and contain:
(a) The basis for the denial;
(b) The patient's right to submit a written statement disagreeing with the denial and how the patient may file this statement;
(c) A statement that, if the patient does not submit a statement of disagreement, the patient may request that you provide the patient's request for amendment and the denial with any future disclosures of their records that are the subject of the amendment;
(d) A description of how the patient may complain to you or the Secretary of Health and Human Services; and
(e) The name, or title, and telephone number of the contact person in your office.
(2) You must permit the patient to submit to you a written statement disagreeing with the denial of all or part of a requested amendment and the basis of such disagreement. You may reasonably limit the length of a statement of disagreement.
(3) You may prepare a written rebuttal to the patient's statement of disagreement. Whenever such a rebuttal is prepared, you must provide a copy to the patient.
(4) You must, as appropriate, identify the records that are in dispute and append or link the record to the patient's request for an amendment and your rebuttal, if any.
(5) If the patient has submitted a statement of disagreement, you must include the statement or an accurate summary of the statement every time the records that are in disagreement are disclosed. If the patient has not submitted a written statement of disagreement, you must include the patient's request for an amendment and its denial, or an accurate summary of the information, with any subsequent disclosure of the patient's records if the patient has requested that you do so.
What if an insurance company or another provider notifies us that there is an amendment to the patient's file? Must we amend our file?
Yes. If you are informed by an insurance company or another health care provider of an amendment to a patient's records, you must make the appropriate amendment as described above.
What are my responsibilities for documenting the individual that has responsibility for receiving or processing requests for amendments by my patients?
You must document the titles of the persons or offices responsible for receiving and processing requests for amendments by patients and retain the documentation for six years.
What rights do my patients have to know to whom their records have been sent?
A patient has a right to receive an accounting of disclosures of their protected health information made by you in the six years prior to the date on which the accounting is requested, except for disclosures that occurred prior to February 26, 2003.
You must provide the patient with a written accounting that meets the following requirements.
(1) The accounting must include disclosures of protected health information that occurred during the six years prior to the date of the request for an accounting, including disclosures to or by your business associates.
(2) The accounting must include for each disclosure:
a) The date of the disclosure;
b) The name of the entity or person who received the protected health information and, if known, the address of such entity or person;
c) A brief description of the protected health information disclosed; and
d) A brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure; or, in lieu of such statement:
- A copy of the patient's written authorization; or
- A copy of a written request for a disclosure.
(3) If, during the period covered by the accounting, you have made multiple disclosures of protected health information to the same person or entity for a single purpose, the accounting may, with respect to such multiple disclosures, provide:
a) The information required for the first disclosure during the accounting period;
b) The frequency, or number, of the disclosures made during the accounting period; and
c) The date of the last such disclosure during the accounting period.
You must act on the patient's request for an accounting no later than 60 days after receipt of such a request. If you are unable to provide the accounting within 60 days, you may extend the time to provide the accounting by no more than 30 days, provided that within 60 days you provide the patient with a written statement of the reasons for the delay and the date by which you will provide the accounting. You are only allowed one 30-day extension.
May I charge a patient when they ask me for an accounting of where their records have been sent?
You must provide the first accounting to a patient in any 12-month period without charge. You may impose a reasonable, cost-based fee for each subsequent request by the same patient within a 12-month period, provided you inform the patient in advance of the fee and provide the patient with an opportunity to withdraw or modify their request in order to avoid or reduce the fee.
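An added example, not code from this page or from any practice management product, implementing the accounting rules in the last two answers: a disclosure log is filtered to the six-year window that starts no earlier than February 26, 2003, repeated disclosures to one recipient for one purpose are collapsed into a single line with a count and last date, and the 60-day deadline, the single 30-day extension and the once-per-12-months free accounting are computed. Every log entry, name and date is constructed, and the function names are assumptions.

```python
"""Accounting of disclosures built from a practice's disclosure log.

Added example with constructed data: every entry, name and date below is
invented for illustration and is not taken from any real practice."""
from collections import OrderedDict
from dataclasses import dataclass
from datetime import date, timedelta

COMPLIANCE_DATE = date(2003, 2, 26)  # disclosures before this date are not accounted for
LOOKBACK_YEARS = 6                    # accounting covers the six years before the request
REQUESTED_ON = date(2003, 6, 1)       # constructed date the patient's request was received


@dataclass(frozen=True)
class Disclosure:
    when: date
    recipient: str     # entity or person who received the information
    address: str       # "" when the address is not known
    description: str   # brief description of the information disclosed
    purpose: str       # basis for the disclosure, or a reference to the written
                       # authorization or request that was filed in its place


def years_before(d, n):
    """Same calendar date n years earlier (Feb 29 falls back to Feb 28)."""
    try:
        return d.replace(year=d.year - n)
    except ValueError:
        return d.replace(year=d.year - n, day=28)


def in_accounting_window(d, requested_on):
    """Six years back from the request, but never before the compliance date."""
    start = max(years_before(requested_on, LOOKBACK_YEARS), COMPLIANCE_DATE)
    return start <= d.when <= requested_on


def build_accounting(log, requested_on):
    """Return the accounting lines for a request received on requested_on.

    Multiple disclosures to the same recipient for a single purpose are
    collapsed into one line carrying the first disclosure's details, the
    number of disclosures and the date of the last one, as the rule permits."""
    groups = OrderedDict()
    for d in sorted(log, key=lambda x: x.when):
        if not in_accounting_window(d, requested_on):
            continue
        key = (d.recipient, d.purpose)
        if key not in groups:
            groups[key] = {"first": d, "count": 0, "last": d.when}
        groups[key]["count"] += 1
        groups[key]["last"] = d.when
    lines = []
    for g in groups.values():
        first = g["first"]
        line = {
            "date": first.when.isoformat(),
            "recipient": first.recipient,
            "address": first.address or "not known",
            "description": first.description,
            "purpose": first.purpose,
        }
        if g["count"] > 1:
            line["number_of_disclosures"] = g["count"]
            line["last_date"] = g["last"].isoformat()
        lines.append(line)
    return lines


def response_deadline(requested_on, delay_notice_sent=False):
    """Due 60 days after receipt; one 30-day extension applies only if a
    written statement of the reasons for the delay went to the patient
    within those 60 days. Returns an ISO date string."""
    deadline = requested_on + timedelta(days=60)
    if delay_notice_sent:
        deadline += timedelta(days=30)
    return deadline.isoformat()


def fee_may_be_charged(prior_accounting_dates, requested_on):
    """The first accounting in any 12-month period is free; a later request
    by the same patient within that period may carry a cost-based fee."""
    window_start = years_before(requested_on, 1)
    return any(window_start < d <= requested_on for d in prior_accounting_dates)


# Constructed disclosure log for one patient.
SAMPLE_LOG = [
    Disclosure(date(2002, 12, 5), "Acme Insurance", "1 Main St", "visit notes, Nov 2002", "payment"),
    Disclosure(date(2003, 3, 3), "Acme Insurance", "1 Main St", "claim for 2003-03-01 visit", "payment"),
    Disclosure(date(2003, 4, 7), "Acme Insurance", "1 Main St", "claim for 2003-04-04 visit", "payment"),
    Disclosure(date(2003, 5, 12), "Smith & Jones, attorneys", "", "lumbar treatment notes",
               "copy of written request on file"),
]


def sample_accounting():
    """Accounting for the constructed log as of REQUESTED_ON."""
    return build_accounting(SAMPLE_LOG, REQUESTED_ON)


def sample_fee_applies(prior_dates_iso):
    """Fee check for REQUESTED_ON with prior accounting dates as ISO strings."""
    prior = [date.fromisoformat(s) for s in prior_dates_iso]
    return fee_may_be_charged(prior, REQUESTED_ON)
```

The December 2002 disclosure drops out because it predates the compliance date, and the two Acme payment disclosures become one line with a count of 2.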
What documentation must I keep when I give a patient an accounting of where their records have been sent?
You must document the following and retain the documentation for six years:
- The information required to be included in an accounting;
- The information you provided to the patient; and
- The titles of the persons or offices responsible for receiving and processing requests for an accounting by individuals.
Must there be a person in charge of our privacy policies and procedures?
You must designate a person to be responsible for the development and implementation of the policies and procedures for your practice. In addition, you must designate a contact person or office who is responsible for receiving complaints and who is able to provide further information about matters covered by your privacy notice. You must document the names of the person/s that are selected for these jobs and keep the documentation for 6 years.
What members of my staff are required to have privacy training?
Any staff person that has a job responsibility which is covered by the HIPAA privacy laws is required to be trained on the elements of the law that affect them. This training can be accomplished by attending a WCA program, by having a member of your staff attend a WCA program and then having that person teach the other members of your staff, or by downloading the rules and completing the training yourself.
When must staff training be completed?
You must provide training as follows:
- To each member of your staff no later than February 26, 2003.
- To each new member of your staff within a reasonable period of time after they join your staff.
- To each member of your staff whose functions are affected by a material change in your policies or procedures, within a reasonable period of time after the material change becomes effective.
You are required to document when each member of your staff has been trained and to keep that documentation for six years.
What internal protections do I have to provide for patient records within my office?
You must have appropriate administrative, technical, and physical safeguards to protect the privacy of your patients' records. You are required to reasonably safeguard your patient records from any intentional or unintentional use or disclosure that is in violation of the law. Depending on the design and/or operation of your practice, this could require you to make changes to your office layout and/or computer systems.
If you adjust patients in a setting that is not completely private, you would be required to provide complete privacy unless the patient signed an appropriate consent form.
If members of your staff have job responsibilities that do not require them to have access to a patient's clinical records, you would have to have software capable of denying access to the clinical portions of a patient's records.
Sign-in sheets kept at the reception area that have the name of more than one patient are not allowed. All sign-in sheets would have to be unique to a particular patient. If a sign-in sheet is used at your office, you may use a separate sheet of paper for each day of service and file them together by date, or you may keep a sign-in sheet in the patient's file.
If you currently place your patients' records in a receptacle outside a treatment room where the receptacle is open to other patients who may happen to be passing by, you will have to eliminate the receptacle or make design changes so the information is only accessible to authorized personnel.
Access to the storage areas in which patient records are stored will have to be controlled so that only authorized individuals have access. Doors or filing cabinets will have to be secured against patients and staff members who do not have job responsibilities that require them to have access to clinical records.
Policies and procedures will have to be written so that all staff individuals understand the privacy requirements of their jobs. This will include prohibiting employees from attempting to access patient information that is not part of their job responsibilities and keeping patient records secure when they are in their work areas.
Testimonial books, children's photos, and thank-you sign boards that list patient names would have to be eliminated unless patients give specific authorization that their names can be used.
Work areas that are open to patients and/or small children must be secured so that unauthorized personnel do not have intentional or unintentional access to patient records.
What must I do when a patient complains about any of my policies or procedures?
You must provide a process for your patients to make complaints concerning your policies and/or procedures or to complain that you are not following your policies and/or procedures. You must document every complaint that you receive and how you responded to the complaint. The law does not require you to take any specific action on the complaint, merely that you respond in some way. If the patient sues you for a violation of this law, or you are audited for compliance with this law, your complaint file will be subpoenaed as evidence.
What are my responsibilities if an employee does not follow our privacy policies and/or procedures?
You are required to have and use disciplinary policies against an employee who violates your privacy policies or procedures. Your disciplinary actions could include:
- warnings (oral)
- reprimands (written)
- probation
- demotion
- temporary suspension
- discharge from employment
- restitution of damages
- referral for criminal prosecution.
Any disciplinary action taken against an employee must be documented in the employment file of the staff person. The file should contain specific information including:
- the date of the incident
- the name of the reporting party
- the name of the person responsible for taking action
- follow-up action taken.
What are my obligations if I find that our privacy policies and/or procedures are not being followed?
In addition to the disciplinary action described in the preceding question, you must also, to the extent practicable, mitigate any harmful effect that has been caused by the violation.
I am very upset because one of my staff or a patient reported me for violating the privacy law. What action may I take against the employee?
The law is very specific that you may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against an employee or patient that:
1) Reports a privacy violation.
2) Testifies against you.
3) Assists in an investigation or a compliance review.
4) Opposes any act or practice that they, in good faith, believe violates the privacy laws.
You may not require your staff or patients to waive their rights in order to work for you, receive benefits, or receive increases in compensation.
There are a lot of references made to policies and procedures. Must we have written policies and procedures describing our employees' responsibilities under the privacy laws?
Yes. Written policies and procedures are required so your staff is fully informed about their responsibilities.
The policies and procedures may be written on paper or kept on a computer. The policies and procedures must be reasonably designed for the size of your practice and the type of management that you have over your staff. While the law does not specifically require a certain type of policy or procedure, it specifically states that you cannot use a poorly designed policy or procedure as an excuse for violating the law.
You are required to change your policies and procedures whenever there is a change in the law or you find it is necessary for compliance with the law. You should keep your original policies and procedures and any changes in your file for six years.
If there is a change in the law that is significant, you must change your privacy notice as well as your policies and procedures.
If I have a patient at the time the law takes effect who refuses to sign their privacy consent form, but I do have their previously signed consent to release records, can I still continue to send their records to the insurance company or to another health care provider?
Yes. You may continue to use that consent form until the patient has reached the end of treatment for that injury.
Electronic Transactions
Who is covered by privacy laws?
All health care providers that send health care transactions by electronic
transmission, including the Internet, are covered by the privacy laws.
Transactions include:
(1) Health care claims or equivalent encounter information.
(2) Health care payment and remittance advice.
(3) Coordination of benefits.
(4) Health care claim status.
(5) Enrollment and disenrollment in a health plan.
(6) Eligibility for a health plan.
(7) Health plan premium payments.
(8) Referral certification and authorization.
(9) First report of injury.
(10) Health claims attachments.
(11) Other transactions that the Secretary may prescribe by regulation.
All of the following health plans are also covered by the law:
A group health plan
A health insurance issuer
An HMO
Part A or Part B of the Medicare program
The Medicaid program
An issuer of a Medicare supplemental policy
An issuer of a long-term care policy
An employee welfare benefit plan
The health care program for active military personnel
The veterans health care program
CHAMPUS
The Indian Health Service program
The Federal Employees Health Benefit Program
An approved State child health plan
The Medicare + Choice program
Any other individual or group plan, or combination of individual or group
plans, that provides or pays for the cost of health care.
Health care clearinghouses are also covered by the law. A health care
clearinghouse is a public or private business, including billing services and
re-pricing companies, that processes patient information from a nonstandard to
a standard format.
Must my software vendor change my software to comply with the HIPAA privacy
laws?
No. Software vendors are not covered by the law. One of the reasons why the WCA
is offering training well in advance of the implementation date is to allow
chiropractors either to work with their software vendors to make the changes
necessary to their systems or to find a new software vendor to assist them in
making their systems compliant. Unfortunately, the law does not permit you to
use, as an excuse, that your software vendor was uncooperative.
By what date must I comply with the electronic
standards portion of the rule?
You, or your clearinghouse, must comply
with the electronic portion of the privacy laws no later than October 16, 2002.
What practical changes will I see in the way we do our billing as a result of
the electronic standards?
Offices that are using a current version of the CPT and HCPCS manuals should
not have to change any of their billing practices. All of the changes will occur
in the software code, and claims should be able to be input without any
procedural changes. Offices not using a current version of the CPT or HCPCS code
books may obtain them from the AMA at (800) 621-8335.
Where can my software company get a copy of the implementation specifications?
The implementation specifications for ASC X12N standards may be obtained from
the Washington Publishing Company, PMB 161, 5284 Randolph Road, Rockville, MD,
20852-2116; telephone 301-949-9740; and FAX: 301-949-9742. They are also
available through the Washington Publishing Company on the Internet at
http://www.wpc-edi.com.
If I am part of a managed care company for which I directly enter my claims
data on their website or with their software, am I responsible for making sure
the software is compliant?
No. The managed care company would have the responsibility for compliance. It
is possible that the software may change as a result of the privacy
requirements. If so, your staff would have to be re-trained as to how to use
the software.
If I use a billing service or clearinghouse am I
responsible for making sure their software is compliant?
Yes. If you
choose to use a billing service or clearinghouse to process your claims, you must
require them to comply with all elements of the law.
I have converted
my software as required by the law. I work with a health plan that will pay me
at a higher reimbursement rate if I continue to send in my claims using the old
way. Can they do this?
It is against the law for an insurance
company or managed care plan to offer you an incentive of any kind to bill your
claims in a way that does not comply with the law.
A health plan may not
delay or reject a transaction, or attempt to adversely affect you or the transaction,
because the transaction is a standard transaction.
I do not have a fax or a computer in my office. Must I comply with the HIPAA
privacy laws?
Technically, no. However, you must still comply with Wisconsin's privacy laws.
In addition, some managed care plans may require you to comply with the HIPAA
privacy laws as a condition to stay on their managed care panel. If they make
this a requirement of their plan, your option is to comply or leave the panel.
What resources are the billing and coding standards based on?
The billing and coding standards are:
International Classification of Diseases, 9th Edition, Clinical Modification,
Volume 3 Procedures (including The Official ICD-9-CM Guidelines for Coding and
Reporting), as maintained and distributed by HHS.
National Drug Codes (NDC), as maintained and distributed by HHS, in
collaboration with drug manufacturers, for drugs and biologics.
The combination of Health Care Financing Administration Common Procedure Coding
System (HCPCS), as maintained and distributed by HHS, and Current Procedural
Terminology, Fourth Edition (CPT-4), as maintained and distributed by the
American Medical Association, for physician services and other health care
services.
We mail all of our claims and clinical documentation. All we use the Internet
for is to check on the status of a patient's claim. Are we covered under the
HIPAA privacy laws?
Yes. If you inquire about the status of a health care claim using electronic
means or you are sent e-mail about the status of a claim, you are covered by the
law. Once covered by the law you must comply with all elements of the law.
We mail all of our claims and clinical documentation. However, we are paid
electronically. Are we covered under the HIPAA privacy laws?
Yes. If a payment is made electronically to your bank account you are covered
by the law. Once covered by the law you must comply with all elements of the
law.
We mail all of our claims and clinical documentation. However, we send
inquiries about a patient's benefits electronically. Are we covered under the
HIPAA privacy laws?
Yes. If you obtain benefits information or receive EOBs electronically, you are
covered by the law. Once covered by the law you must comply with all elements
of the law.
Statute excerpts
§ 160.101 Statutory basis and purpose.
The requirements of this subchapter implement sections 1171 through 1179 of the
Social Security Act (the Act), as added by section 262 of Public Law 104-191,
and section 264 of Public Law 104-191.
§ 160.102 Applicability.
(a) Except as otherwise provided, the standards, requirements, and
implementation specifications adopted under this subchapter apply to the
following entities:
(1) A health plan.
(2) A health care clearinghouse.
(3) A health care provider who transmits any health information in electronic
form in connection with a transaction covered by this subchapter.
(b) To the extent required
under section 201(a)(5) of the Health Insurance Portability Act of 1996, (Pub.
L. 104-191), nothing in this subchapter shall be construed to diminish the authority
of any Inspector General, including such authority as provided in the Inspector
General Act of 1978, as amended (5 U.S.C. App.).
§ 160.103 Definitions.
Except as otherwise provided, the following definitions apply to this subchapter:
Act means the Social Security Act.
ANSI stands for the American National
Standards Institute.
Business associate:
(1) Except as provided in paragraph
(2) of this definition, business associate means, with respect to a covered entity,
a person who:
(i) On behalf of such covered entity or of an organized health
care arrangement (as defined in § 164.501 of this subchapter) in which the
covered entity participates, but other than in the capacity of a member of the
workforce of such covered entity or arrangement, performs, or assists in the performance
of:
(A) A function or activity involving the use or disclosure of individually
identifiable health information, including claims processing or administration,
data analysis, processing or administration, utilization review, quality assurance,
billing, benefit management, practice management, and repricing; or
(B) Any
other function or activity regulated by this subchapter; or
(ii) Provides,
other than in the capacity of a member of the workforce of such covered entity,
legal, actuarial, accounting, consulting, data aggregation (as defined in §
164.501 of this subchapter), management, administrative, accreditation, or financial
services to or for such covered entity, or to or for an organized health care
arrangement in which the covered entity participates, where the provision of the
service involves the disclosure of individually identifiable health information
from such covered entity or arrangement, or from another business associate of
such covered entity or arrangement, to the person.
(2) A covered entity participating
in an organized health care arrangement that performs a function or activity as
described by paragraph (1)(i) of this definition for or on behalf of such organized
health care arrangement, or that provides a service as described in paragraph
(1)(ii) of this definition to or for such organized health care arrangement, does
not, simply through the performance of such function or activity or the provision
of such service, become a business associate of other covered entities participating
in such organized health care arrangement.
(3) A covered entity may be a business
associate of another covered entity.
Compliance date means the date by which
a covered entity must comply with a standard, implementation specification, requirement,
or modification adopted under this subchapter.
Covered entity means:
(1) A health plan.
(2) A health care clearinghouse.
(3) A health care provider
who transmits any health information in electronic form in connection with a transaction
covered by this subchapter.
Group health plan (also see definition of health
plan in this section) means an employee welfare benefit plan (as defined in section
3(1) of the Employee Retirement Income and Security Act of 1974 (ERISA), 29 U.S.C.
1002(1)), including insured and self-insured plans, to the extent that the plan
provides medical care (as defined in section 2791(a)(2) of the Public Health Service
Act (PHS Act), 42 U.S.C. 300gg-91(a)(2)), including items and services paid for
as medical care, to employees or their dependents directly or through insurance,
reimbursement, or otherwise, that:
(1) Has 50 or more participants (as defined
in section 3(7) of ERISA, 29 U.S.C. 1002(7)); or
(2) Is administered by an
entity other than the employer that established and maintains the plan.
HCFA stands for Health Care Financing Administration within the Department of
Health and Human Services.
HHS stands for the Department of Health and Human Services.
Health care means care, services, or supplies related to the health of an
individual.
Health care includes, but is not limited to, the following:
(1) Preventive,
diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and
counseling, service, assessment, or procedure with respect to the physical or
mental condition, or functional status, of an individual or that affects the structure
or function of the body; and
(2) Sale or dispensing of a drug, device, equipment,
or other item in accordance with a prescription.
Health care clearinghouse
means a public or private entity, including a billing service, repricing company,
community health management information system or community health information
system, and value-added networks and switches, that does either of
the following functions:
(1) Processes or facilitates the processing of health
information received from another entity in a nonstandard format or containing
nonstandard data content into standard data elements or a standard transaction.
(2) Receives a standard transaction from another entity and processes or facilitates
the processing of health information into nonstandard format or nonstandard data
content for the receiving entity.
Health care provider means a provider of
services (as defined in section 1861(u) of the Act, 42 U.S.C. 1395x(u)), a provider
of medical or health services (as defined in section 1861(s) of the Act, 42 U.S.C.
1395x(s)), and any other person or organization who furnishes, bills, or is paid
for health care in the normal course of business.
Health information means
any information, whether oral or recorded in any form or medium, that:
(1) Is created or received by a health care provider, health plan, public
health authority, employer, life insurer, school or university, or health care
clearinghouse; and
(2) Relates to the past, present, or future physical or mental health or condition
of an individual; the provision of health care to an individual; or the past,
present, or future payment for the provision of health care to an individual.
Health insurance issuer (as defined in section 2791(b)(2) of the PHS Act,
42 U.S.C. 300gg-91(b)(2) and used in the definition of health plan in this section)
means an insurance company, insurance service, or insurance organization (including
an HMO) that is licensed to engage in the business of insurance in a State and
is subject to State law that regulates insurance. Such term does not include a
group health plan.
Health maintenance organization (HMO) (as defined in section
2791(b)(3) of the PHS Act, 42 U.S.C. 300gg-91(b)(3) and used in the definition
of health plan in this section) means a federally qualified HMO, an organization
recognized as an HMO under State law, or a similar organization regulated for
solvency under State law in the same manner and to the same extent as such an
HMO.
Health plan means an individual or group plan that provides, or pays the cost
of, medical care (as defined in section 2791(a)(2) of the PHS Act, 42 U.S.C.
300gg-91(a)(2)).
(1) Health plan includes the following, singly or
in combination:
(i) A group health plan, as defined in this section.
(ii) A health insurance issuer, as defined in this section.
(iii) An HMO, as defined
in this section.
(iv) Part A or Part B of the Medicare program under title
XVIII of the Act.
(v) The Medicaid program under title XIX of the Act, 42
U.S.C. 1396, et seq.
(vi) An issuer of a Medicare supplemental policy (as
defined in section 1882(g)(1) of the Act, 42 U.S.C. 1395ss(g)(1)).
(vii) An issuer of a long-term care policy, excluding a nursing home
fixed-indemnity policy.
(viii) An employee welfare benefit plan or any other arrangement that is established
or maintained for the purpose of offering or providing health benefits to the
employees of two or more employers.
(ix) The health care program for active
military personnel under title 10 of the United States Code.
(x) The veterans
health care program under 38 U.S.C. chapter 17.
(xi) The Civilian Health and
Medical Program of the Uniformed Services (CHAMPUS)(as defined in 10 U.S.C. 1072(4)).
(xii) The Indian Health Service program under the Indian Health Care Improvement
Act, 25 U.S.C. 1601, et seq.
(xiii) The Federal Employees Health Benefits
Program under 5 U.S.C. 8902, et seq.
(xiv) An approved State child health
plan under title XXI of the Act, providing benefits for child health assistance
that meet the requirements of section 2103 of the Act, 42 U.S.C. 1397, et seq.
(xv) The Medicare + Choice program under Part C of title XVIII of the Act,
42 U.S.C. 1395w-21 through 1395w-28.
(xvi) A high risk pool that is a mechanism
established under State law to provide health insurance coverage or comparable
coverage to eligible individuals.
(xvii) Any other individual or group plan,
or combination of individual or group plans, that provides or pays for the cost
of medical care (as defined in section 2791(a)(2) of the PHS Act, 42 U.S.C. 300gg-91(a)(2)).
(2) Health plan excludes:
(i) Any policy, plan, or program to the extent
that it provides, or pays for the cost of, excepted benefits that are listed in
section 2791(c)(1) of the PHS Act, 42 U.S.C. 300gg-91(c)(1); and
(ii) A government-funded program (other than one listed in paragraph
(1)(i)-(xvi) of this definition):
(A) Whose principal purpose is other than providing, or paying the cost of,
health care; or
(B) Whose principal activity is:
(1) The direct provision
of health care to persons; or
(2) The making of grants to fund the direct
provision of health care to persons.
Implementation specification means specific
requirements or instructions for implementing a standard.
Modify or modification
refers to a change adopted by the Secretary, through regulation, to a standard
or an implementation specification.
Secretary means the Secretary of Health
and Human Services or any other officer or employee of HHS to whom the authority
involved has been delegated.
Small health plan means a health plan with annual
receipts of $5 million or less.
Standard means a rule, condition, or requirement:
(1) Describing the following information for products, systems, services or
practices:
(i) Classification of components.
(ii) Specification of materials,
performance, or operations; or
(iii) Delineation of procedures; or
(2) With respect to the privacy of individually identifiable health
information.
Standard setting organization (SSO) means an organization accredited by the
American National Standards Institute that develops and maintains standards for
information transactions or data elements, or any other standard that is
necessary for, or will facilitate the implementation of, this part.
State refers to one of the following:
(1) For a health plan established or regulated by Federal law, State has the
meaning set forth in the applicable section of the United States Code for such
health plan.
(2) For all other purposes, State means any of the several States, the
District of Columbia, the Commonwealth of Puerto Rico, the Virgin Islands, and
Guam.
Trading partner agreement means an agreement related to the exchange
of information in electronic transactions, whether the agreement is distinct or
part of a larger agreement, between each party to the agreement. (For example,
a trading partner agreement may specify, among other things, the duties and responsibilities
of each party to the agreement in conducting a standard transaction.)
Transaction means the transmission of information between two parties to carry
out financial or administrative activities related to health care. It includes
the following types of information transmissions:
(1) Health care claims or equivalent encounter
information.
(2) Health care payment and remittance advice.
(3) Coordination
of benefits.
(4) Health care claim status.
(5) Enrollment and disenrollment
in a health plan.
(6) Eligibility for a health plan.
(7) Health plan premium
payments.
(8) Referral certification and authorization.
(9) First report
of injury.
(10) Health claims attachments.
(11) Other transactions that
the Secretary may prescribe by regulation.
Workforce means employees, volunteers,
trainees, and other persons whose conduct, in the performance of work for a covered
entity, is under the direct control of such entity, whether or not they are paid
by the covered entity.
§ 160.104 Modifications.
(a) Except as provided
in paragraph (b) of this section, the Secretary may adopt a modification to a
standard or implementation specification adopted under this subchapter no more
frequently than once every 12 months.
(b) The Secretary may adopt a modification
at any time during the first year after the standard or implementation specification
is initially adopted, if the Secretary determines that the modification is necessary
to permit compliance with the standard or implementation specification.
(c) The Secretary will establish the compliance date for any standard or
implementation specification modified under this section.
(1) The compliance date for a modification
is no earlier than 180 days after the effective date of the final rule in which
the Secretary adopts the modification.
(2) The Secretary may consider the
extent of the modification and the time needed to comply with the modification
in determining the compliance date for the modification.
(3) The Secretary
may extend the compliance date for small health plans, as the Secretary determines
is appropriate.
Subpart B - Preemption of State Law
§ 160.201 Applicability.
The provisions of this subpart implement section 1178 of the Act, as added
by section 262 of Public Law 104-191.
§ 160.202 Definitions.
For purposes of this subpart, the following terms have the following meanings:
Contrary, when used to compare a provision of State law to a standard,
requirement, or implementation specification adopted under this subchapter,
means:
(1) A covered entity would
find it impossible to comply with both the State and federal requirements; or
(2) The provision of State law stands as an obstacle to the accomplishment
and execution of the full purposes and objectives of part C of title XI of the
Act or section 264 of Pub. L. 104-191, as applicable.
More stringent means,
in the context of a comparison of a provision of State law and a standard, requirement,
or implementation specification adopted under subpart E of part 164 of this subchapter,
a State law that meets one or more of the following criteria:
(1) With respect
to a use or disclosure, the law prohibits or restricts a use or disclosure in
circumstances under which such use or disclosure otherwise would be permitted
under this subchapter, except if the disclosure is:
(i) Required by the Secretary
in connection with determining whether a covered entity is in compliance with
this subchapter; or
(ii) To the individual who is the subject of the individually
identifiable health information.
(2) With respect to the rights of an individual
who is the subject of the individually identifiable health information of access
to or amendment of individually identifiable health information, permits greater
rights of access or amendment, as applicable; provided that, nothing in this subchapter
may be construed to preempt any State law to the extent that it authorizes or
prohibits disclosure of protected health information about a minor to a parent,
guardian, or person acting in loco parentis of such minor.
(3) With respect
to information to be provided to an individual who is the subject of the individually
identifiable health information about a use, a disclosure, rights, and remedies,
provides the greater amount of information.
(4) With respect to the form or
substance of an authorization or consent for use or disclosure of individually
identifiable health information, provides requirements that narrow the scope or
duration, increase the privacy protections afforded (such as by expanding the
criteria for), or reduce the coercive effect of the circumstances surrounding
the authorization or consent, as applicable.
(5) With respect to recordkeeping
or requirements relating to accounting of disclosures, provides for the retention
or reporting of more detailed information or for a longer duration.
(6) With
respect to any other matter, provides greater privacy protection for the individual
who is the subject of the individually identifiable health information.
Relates to the privacy of individually identifiable health information means,
with respect to a State law, that the State law has the specific purpose of
protecting the privacy of health information or affects the privacy of health
information in a direct, clear, and substantial way.
State law means a constitution, statute,
regulation, rule, common law, or other State action having the force and effect
of law.
§ 160.203 General rule and exceptions.
A standard, requirement,
or implementation specification adopted under this subchapter that is contrary
to a provision of State law preempts the provision of State law. This general
rule applies, except if one or more of the following conditions is met:
(a) A determination is made by the Secretary under § 160.204 that the
provision of State law:
(1) Is necessary:
(i) To prevent fraud and abuse related
to the provision of or payment for health care;
(ii) To ensure appropriate
State regulation of insurance and health plans to the extent expressly authorized
by statute or regulation;
(iii) For State reporting on health care delivery
or costs; or
(iv) For purposes of serving a compelling need related to public
health, safety, or welfare, and, if a standard, requirement, or implementation
specification under part 164 of this subchapter is at issue, if the Secretary
determines that the intrusion into privacy is warranted when balanced against
the need to be served; or
(2) Has as its principal purpose the regulation
of the manufacture, registration, distribution, dispensing, or other control of
any controlled substances (as defined in 21 U.S.C. 802), or that is deemed a controlled
substance by State law.
(b) The provision of State law relates to the privacy
of health information and is more stringent than a standard, requirement, or implementation
specification adopted under subpart E of part 164 of this subchapter.
(c) The provision of State law, including State procedures established under
such law, as applicable, provides for the reporting of disease or injury, child
abuse, birth, or death, or for the conduct of public health surveillance,
investigation, or intervention.
(d) The provision of State law requires a health plan to
report, or to provide access to, information for the purpose of management audits,
financial audits, program monitoring and evaluation, or the licensure or certification
of facilities or individuals.
§ 160.204 Process for requesting exception
determinations.
(a) A request to except a provision of State law from preemption
under § 160.203(a) may be submitted to the Secretary. A request by a State
must be submitted through its chief elected official, or his or her designee.
The request must be in writing and include the following information:
(1) The State law for which the exception is requested;
(2) The particular standard,
requirement, or implementation specification for which the exception is requested;
(3) The part of the standard or other provision that will not be implemented
based on the exception or the additional data to be collected based on the exception,
as appropriate;
(4) How health care providers, health plans, and other entities
would be affected by the exception;
(5) The reasons why the State law should
not be preempted by the federal standard, requirement, or implementation specification,
including how the State law meets one or more of the criteria at § 160.203(a);
and
(6) Any other information the Secretary may request in order to make the
determination.
(b) Requests for exception under this section must be submitted to the
Secretary at an address that will be published in the Federal Register. Until
the Secretary's determination is made, the standard, requirement, or
implementation specification under this subchapter remains in effect.
(c) The Secretary's determination under this section will be made on the basis
of the extent to which the information provided and other factors demonstrate
that one or more of the criteria at § 160.203(a) has been met.
§ 160.205 Duration of effectiveness of exception determinations.
An exception
granted under this subpart remains in effect until:
(a) Either the State law
or the federal standard, requirement, or implementation specification that provided
the basis for the exception is materially changed such that the ground for the
exception no longer exists; or
(b) The Secretary revokes the exception, based
on a determination that the ground supporting the need for the exception no longer
exists.
Subpart C - Compliance and Enforcement
§ 160.300 Applicability.
This subpart applies to actions by the Secretary, covered entities, and others
with respect to ascertaining the compliance by covered entities with and the enforcement
of the applicable requirements of this part 160 and the applicable standards,
requirements, and implementation specifications of subpart E of part 164 of this
subchapter.
§ 160.302 Definitions.
As used in this subpart, terms
defined in § 164.501 of this subchapter have the same meanings given to them
in that section.
§ 160.304 Principles for achieving compliance.
(a) Cooperation. The Secretary will, to the extent practicable, seek the
cooperation of covered entities in obtaining compliance with the applicable
requirements of this part 160 and the applicable standards, requirements, and
implementation specifications of subpart E of part 164 of this subchapter.
(b) Assistance. The Secretary
may provide technical assistance to covered entities to help them comply voluntarily
with the applicable requirements of this part 160 or the applicable standards,
requirements, and implementation specifications of subpart E of part 164 of this
subchapter.
§ 160.306 Complaints to the Secretary.
(a) Right to file
a complaint. A person who believes a covered entity is not complying with the
applicable requirements of this part 160 or the applicable standards, requirements,
and implementation specifications of subpart E of part 164 of this subchapter
may file a complaint with the Secretary.
(b) Requirements for filing complaints.
Complaints under this section must meet the following requirements:
(1) A complaint must be filed in writing, either on paper or electronically.
(2) A complaint must name the entity that is the subject of the complaint and
describe
the acts or omissions believed to be in violation of the applicable requirements
of this part 160 or the applicable standards, requirements, and implementation
specifications of subpart E of part 164 of this subchapter.
(3) A complaint
must be filed within 180 days of when the complainant knew or should have known
that the act or omission complained of occurred, unless this time limit is waived
by the Secretary for good cause shown.
(4) The Secretary may prescribe additional
procedures for the filing of complaints, as well as the place and manner of filing,
by notice in the Federal Register.
(c) Investigation. The Secretary may investigate
complaints filed under this section. Such investigation may include a review of
the pertinent policies, procedures, or practices of the covered entity and of
the circumstances regarding any alleged acts or omissions concerning compliance.
§ 160.308 Compliance reviews.
The Secretary may conduct compliance
reviews to determine whether covered entities are complying with the applicable
requirements of this part 160 and the applicable standards, requirements, and
implementation specifications of subpart E of part 164 of this subchapter.
§ 160.310 Responsibilities of covered entities.
(a) Provide records and compliance
reports. A covered entity must keep such records and submit such compliance reports,
in such time and manner and containing such information, as the Secretary may
determine to be necessary to enable the Secretary to ascertain whether the covered
entity has complied or is complying with the applicable requirements of this part
160 and the applicable standards, requirements, and implementation specifications
of subpart E of part 164 of this subchapter.
(b) Cooperate with complaint
investigations and compliance reviews. A covered entity must cooperate with the
Secretary, if the Secretary undertakes an investigation or compliance review of
the policies, procedures, or practices of a covered entity to determine whether
it is complying with the applicable requirements of this part 160 and the standards,
requirements, and implementation specifications of subpart E of part 164 of this
subchapter.
(c) Permit access to information.
(1) A covered entity must
permit access by the Secretary during normal business hours to its facilities,
books, records, accounts, and other sources of information, including protected
health information, that are pertinent to ascertaining compliance with the applicable
requirements of this part 160 and the applicable standards, requirements, and
implementation specifications of subpart E of part 164 of this subchapter. If
the Secretary determines that exigent circumstances exist, such as when documents
may be hidden or destroyed, a covered entity must permit access by the Secretary
at any time and without notice.
(2) If any information required of a covered
entity under this section is in the exclusive possession of any other agency,
institution, or person and the other agency, institution, or person fails or refuses
to furnish the information, the covered entity must so certify and set forth what
efforts it has made to obtain the information.
(3) Protected health information
obtained by the Secretary in connection with an investigation or compliance review
under this subpart will not be disclosed by the Secretary, except if necessary
for ascertaining or enforcing compliance with the applicable requirements of this
part 160 and the applicable standards, requirements, and implementation specifications
of subpart E of part 164 of this subchapter, or if otherwise required by law.
§ 160.312 Secretarial action regarding complaints and compliance reviews.
(a) Resolution where noncompliance is indicated.
(1) If an investigation
pursuant to § 160.306 or a compliance review pursuant to § 160.308 indicates
a failure to comply, the Secretary will so inform the covered entity and, if the
matter arose from a complaint, the complainant, in writing and attempt to resolve
the matter by informal means whenever possible.
(2) If the Secretary finds
the covered entity is not in compliance and determines that the matter cannot
be resolved by informal means, the Secretary may issue to the covered entity and,
if the matter arose from a complaint, to the complainant written findings documenting
the non-compliance.
(b) Resolution when no violation is found. If, after an
investigation or compliance review, the Secretary determines that further action
is not warranted, the Secretary will so inform the covered entity and, if the
matter arose from a complaint, the complainant in writing.
2. A new Part 164 is added to read as follows:
PART 164 - SECURITY AND PRIVACY
Subpart A - General Provisions
164.102 Statutory basis.
164.104 Applicability.
164.106 Relationship to other parts.
Subparts B-D [Reserved]
Subpart E - Privacy of Individually Identifiable Health Information
164.500 Applicability.
164.501 Definitions.
164.502 Uses and disclosures of protected health
information: general rules.
164.504 Uses and disclosures: organizational requirements.
164.506 Consent for uses or disclosures to carry out treatment, payment, and
health care operations.
164.508 Uses and disclosures for which an authorization
is required.
164.510 Uses and disclosures requiring an opportunity for the
individual to agree or to object.
164.512 Uses and disclosures for which consent,
an authorization, or opportunity to agree or object is not required.
164.514 Other requirements relating to uses and disclosures of protected health information.
164.520 Notice of privacy practices for protected health information.
164.522 Rights to request privacy protection for protected health information.
164.524 Access of individuals to protected health information.
164.526 Amendment of
protected health information.
164.528 Accounting of disclosures of protected
health information.
164.530 Administrative requirements.
164.532 Transition
requirements.
164.534 Compliance dates for initial implementation of the privacy
standards.
Authority: 42 U.S.C. 1320d-2 and 1320d-4, sec. 264 of Pub. L. 104-191,
110 Stat. 2033-2034 (42 U.S.C. 1320d-2(note)).
Subpart A - General Provisions
§ 164.102 Statutory basis.
The provisions of this part are adopted
pursuant to the Secretary's authority to prescribe standards, requirements,
and implementation standards under part C of title XI of the Act and section 264
of Public Law 104-191.
§ 164.104 Applicability.
Except as otherwise
provided, the provisions of this part apply to covered entities: health plans,
health care clearinghouses, and health care providers who transmit health information
in electronic form in connection with any transaction referred to in section 1173(a)(1)
of the Act.
§ 164.106 Relationship to other parts.
In complying with
the requirements of this part, covered entities are required to comply with the
applicable provisions of parts 160 and 162 of this subchapter.
Subparts B-D [Reserved]
Subpart E - Privacy of Individually Identifiable Health Information
§ 164.500 Applicability.
(a) Except as otherwise provided herein, the standards,
requirements, and implementation specifications of this subpart apply to covered
entities with respect to protected health information.
(b) Health care clearinghouses
must comply with the standards, requirements, and implementation specifications
as follows:
(1) When a health care clearinghouse creates or receives protected
health information as a business associate of another covered entity, the clearinghouse
must comply with:
(i) Section 164.500 relating to applicability;
(ii) Section 164.501 relating to definitions;
(iii) Section 164.502 relating to
uses and disclosures of protected health information, except that a clearinghouse
is prohibited from using or disclosing protected health information other than
as permitted in the business associate contract under which it created or received
the protected health information;
(iv) Section 164.504 relating to the organizational
requirements for covered entities, including the designation of health care components
of a covered entity;
(v) Section 164.512 relating to uses and disclosures
for which consent, individual authorization or an opportunity to agree or object
is not required, except that a clearinghouse is prohibited from using or disclosing
protected health information other than as permitted in the business associate
contract under which it created or received the protected health information;
(vi) Section 164.532 relating to transition requirements; and
(vii) Section
164.534 relating to compliance dates for initial implementation of the privacy
standards.
(2) When a health care clearinghouse creates or receives protected
health information other than as a business associate of a covered entity, the
clearinghouse must comply with all of the standards, requirements, and implementation
specifications of this subpart.
(c) The standards, requirements, and implementation
specifications of this subpart do not apply to the Department of Defense or to
any other federal agency, or non-governmental organization acting on its behalf,
when providing health care to overseas foreign national beneficiaries.
§ 164.501 Definitions.
As used in this subpart, the following terms have the
following meanings:
Correctional institution means any penal or correctional
facility, jail, reformatory, detention center, work farm, halfway house, or residential
community program center operated by, or under contract to, the United States,
a State, a territory, a political subdivision of a State or territory, or an Indian
tribe, for the confinement or rehabilitation of persons charged with or convicted
of a criminal offense or other persons held in lawful custody. Other persons held
in lawful custody includes juvenile offenders adjudicated delinquent, aliens detained
awaiting deportation, persons committed to mental institutions through the criminal
justice system, witnesses, or others awaiting charges or trial.
Covered functions
means those functions of a covered entity the performance of which makes the entity
a health plan, health care provider, or health care clearinghouse.
Data aggregation
means, with respect to protected health information created or received by a business
associate in its capacity as the business associate of a covered entity, the combining
of such protected health information by the business associate with the protected
health information received by the business associate in its capacity as a business
associate of another covered entity, to permit data analyses that relate to the
health care operations of the respective covered entities.
Designated record
set means:
(1) A group of records maintained by or for a covered entity that
is:
(i) The medical records and billing records about individuals maintained
by or for a covered health care provider;
(ii) The enrollment, payment, claims
adjudication, and case or medical management record systems maintained by or for
a health plan; or
(iii) Used, in whole or in part, by or for the covered entity
to make decisions about individuals.
(2) For purposes of this paragraph, the
term record means any item, collection, or grouping of information that includes
protected health information and is maintained, collected, used, or disseminated
by or for a covered entity.
Direct treatment relationship means a treatment
relationship between an individual and a health care provider that is not an indirect
treatment relationship.
Disclosure means the release, transfer, provision
of access to, or divulging in any other manner of information outside the entity
holding the information.
Health care operations means any of the following
activities of the covered entity to the extent that the activities are related
to covered functions, and any of the following activities of an organized health
care arrangement in which the covered entity participates:
(1) Conducting
quality assessment and improvement activities, including outcomes evaluation and
development of clinical guidelines, provided that the obtaining of generalizable
knowledge is not the primary purpose of any studies resulting from such activities;
population-based activities relating to improving health or reducing health care
costs, protocol development, case management and care coordination, contacting
of health care providers and patients with information about treatment alternatives;
and related functions that do not include treatment;
(2) Reviewing the competence
or qualifications of health care professionals, evaluating practitioner and provider
performance, health plan performance, conducting training programs in which students,
trainees, or practitioners in areas of health care learn under supervision to
practice or improve their skills as health care providers, training of non-health
care professionals, accreditation, certification, licensing, or credentialing
activities;
(3) Underwriting, premium rating, and other activities relating
to the creation, renewal or replacement of a contract of health insurance or health
benefits, and ceding, securing, or placing a contract for reinsurance of risk
relating to claims for health care (including stop-loss insurance and excess of
loss insurance), provided that the requirements of § 164.514(g) are met,
if applicable;
(4) Conducting or arranging for medical review, legal services,
and auditing functions, including fraud and abuse detection and compliance programs;
(5) Business planning and development, such as conducting cost-management
and planning-related analyses related to managing and operating the entity, including
formulary development and administration, development or improvement of methods
of payment or coverage policies; and
(6) Business management and general administrative
activities of the entity, including, but not limited to:
(i) Management activities
relating to implementation of and compliance with the requirements of this subchapter;
(ii) Customer service, including the provision of data analyses for policy
holders, plan sponsors, or other customers, provided that protected health information
is not disclosed to such policy holder, plan sponsor, or customer.
(iii) Resolution
of internal grievances;
(iv) Due diligence in connection with the sale or
transfer of assets to a potential successor in interest, if the potential successor
in interest is a covered entity or, following completion of the sale or transfer,
will become a covered entity; and
(v) Consistent with the applicable requirements
of § 164.514, creating de-identified health information, fundraising for
the benefit of the covered entity, and marketing for which an individual authorization
is not required as described in § 164.514(e)(2).
Health oversight agency
means an agency or authority of the United States, a State, a territory, a political
subdivision of a State or territory, or an Indian tribe, or a person or entity
acting under a grant of authority from or contract with such public agency, including
the employees or agents of such public agency or its contractors or persons or
entities to whom it has granted authority, that is authorized by law to oversee
the health care system (whether public or private) or government programs in which
health information is necessary to determine eligibility or compliance, or to
enforce civil rights laws for which health information is relevant.
Indirect
treatment relationship means a relationship between an individual and a health
care provider in which:
(1) The health care provider delivers health care
to the individual based on the orders of another health care provider; and
(2) The health care provider typically provides services or products, or reports the
diagnosis or results associated with the health care, directly to another health
care provider, who provides the services or products or reports to the individual.
Individual means the person who is the subject of protected health information.
Individually identifiable health information is information that is a subset
of health information, including demographic information collected from an individual,
and:
(1) Is created or received by a health care provider, health plan, employer,
or health care clearinghouse; and
(2) Relates to the past, present, or future
physical or mental health or condition of an individual; the provision of health
care to an individual; or the past, present, or future payment for the provision
of health care to an individual; and
(i) That identifies the individual; or
(ii) With respect to which there is a reasonable basis to believe the information
can be used to identify the individual.
Inmate means a person incarcerated
in or otherwise confined to a correctional institution.
Law enforcement official
means an officer or employee of any agency or authority of the United States,
a State, a territory, a political subdivision of a State or territory, or an Indian
tribe, who is empowered by law to:
(1) Investigate or conduct an official
inquiry into a potential violation of law; or
(2) Prosecute or otherwise conduct
a criminal, civil, or administrative proceeding arising from an alleged violation
of law.
Marketing means to make a communication about a product or service
a purpose of which is to encourage recipients of the communication to purchase
or use the product or service.
(1) Marketing does not include communications
that meet the requirements of paragraph (2) of this definition and that are made
by a covered entity:
(i) For the purpose of describing the entities participating
in a health care provider network or health plan network, or for the purpose of
describing if and the extent to which a product or service (or payment for such
product or service) is provided by a covered entity or included in a plan of benefits;
or
(ii) That are tailored to the circumstances of a particular individual
and the communications are:
(A) Made by a health care provider to an individual
as part of the treatment of the individual, and for the purpose of furthering
the treatment of that individual; or
(B) Made by a health care provider or
health plan to an individual in the course of managing the treatment of that individual,
or for the purpose of directing or recommending to that individual alternative
treatments, therapies, health care providers, or settings of care.
(2) A communication
described in paragraph (1) of this definition is not included in marketing if:
(i) The communication is made orally; or
(ii) The communication is in
writing and the covered entity does not receive direct or indirect remuneration
from a third party for making the communication.
Organized health care arrangement
means:
(1) A clinically integrated care setting in which individuals typically
receive health care from more than one health care provider;
(2) An organized
system of health care in which more than one covered entity participates, and
in which the participating covered entities:
(i) Hold themselves out to the
public as participating in a joint arrangement; and
(ii) Participate in joint
activities that include at least one of the following:
(A) Utilization review,
in which health care decisions by participating covered entities are reviewed
by other participating covered entities or by a third party on their behalf;
(B) Quality assessment and improvement activities, in which treatment provided by
participating covered entities is assessed by other participating covered entities
or by a third party on their behalf; or
(C) Payment activities, if the financial
risk for delivering health care is shared, in part or in whole, by participating
covered entities through the joint arrangement and if protected health information
created or received by a covered entity is reviewed by other participating covered
entities or by a third party on their behalf for the purpose of administering
the sharing of financial risk.
(3) A group health plan and a health insurance
issuer or HMO with respect to such group health plan, but only with respect to
protected health information created or received by such health insurance issuer
or HMO that relates to individuals who are or who have been participants or beneficiaries
in such group health plan;
(4) A group health plan and one or more other group
health plans each of which are maintained by the same plan sponsor; or
(5) The group health plans described in paragraph (4) of this definition and health
insurance issuers or HMOs with respect to such group health plans, but only with
respect to protected health information created or received by such health insurance
issuers or HMOs that relates to individuals who are or have been participants
or beneficiaries in any of such group health plans.
Payment means:
(1) The activities undertaken by:
(i) A health plan to obtain premiums or to determine
or fulfill its responsibility for coverage and provision of benefits under the
health plan; or
(ii) A covered health care provider or health plan to obtain
or provide reimbursement for the provision of health care; and
(2) The activities
in paragraph (1) of this definition relate to the individual to whom health care
is provided and include, but are not limited to:
(i) Determinations of eligibility
or coverage (including coordination of benefits or the determination of cost sharing
amounts), and adjudication or subrogation of health benefit claims;
(ii) Risk
adjusting amounts due based on enrollee health status and demographic characteristics;
(iii) Billing, claims management, collection activities, obtaining payment
under a contract for reinsurance (including stop-loss insurance and excess of
loss insurance), and related health care data processing;
(iv) Review of health
care services with respect to medical necessity, coverage under a health plan,
appropriateness of care, or justification of charges;
(v) Utilization review
activities, including precertification and preauthorization of services, concurrent
and retrospective review of services; and
(vi) Disclosure to consumer reporting
agencies of any of the following protected health information relating to collection
of premiums or reimbursement:
(A) Name and address;
(B) Date of birth;
(C) Social security number;
(D) Payment history;
(E) Account number; and
(F) Name and address of the health care provider and/or health plan.
Plan
sponsor is defined as defined at section 3(16)(B) of ERISA, 29 U.S.C. 1002(16)(B).
Protected
health information means individually identifiable health information:
(1) Except as provided in paragraph (2) of this definition, that is:
(i) Transmitted
by electronic media;
(ii) Maintained in any medium described in the definition
of electronic media at § 162.103 of this subchapter; or
(iii) Transmitted
or maintained in any other form or medium.
(2) Protected health information
excludes individually identifiable health information in:
(i) Education records
covered by the Family Educational Right and Privacy Act, as amended, 20 U.S.C.
1232g; and
(ii) Records described at 20 U.S.C. 1232g(a)(4)(B)(iv).
Public
health authority means an agency or authority of the United States, a State, a
territory, a political subdivision of a State or territory, or an Indian tribe,
or a person or entity acting under a grant of authority from or contract with
such public agency, including the employees or agents of such public agency or
its contractors or persons or entities to whom it has granted authority, that
is responsible for public health matters as part of its official mandate.
Required
by law means a mandate contained in law that compels a covered entity to make
a use or disclosure of protected health information and that is enforceable in
a court of law. Required by law includes, but is not limited to, court orders
and court-ordered warrants; subpoenas or summons issued by a court, grand jury,
a governmental or tribal inspector general, or an administrative body authorized
to require the production of information; a civil or an authorized investigative
demand; Medicare conditions of participation with respect to health care providers
participating in the program; and statutes or regulations that require the production
of information, including statutes or regulations that require such information
if payment is sought under a government program providing public benefits.
Research
means a systematic investigation, including research development, testing, and
evaluation, designed to develop or contribute to generalizable knowledge.
Treatment
means the provision, coordination, or management of health care and related services
by one or more health care providers, including the coordination or management
of health care by a health care provider with a third party; consultation between
health care providers relating to a patient; or the referral of a patient for
health care from one health care provider to another.
Use means, with respect
to individually identifiable health information, the sharing, employment, application,
utilization, examination, or analysis of such information within an entity that
maintains such information.
§ 164.502 Uses and disclosures of protected
health information: general rules.
(a) Standard. A covered entity may not
use or disclose protected health information, except as permitted or required
by this subpart or by subpart C of part 160 of this subchapter.
(1) Permitted
uses and disclosures. A covered entity is permitted to use or disclose protected
health information as follows:
(i) To the individual;
(ii) Pursuant to
and in compliance with a consent that complies with § 164.506, to carry out
treatment, payment, or health care operations;
(iii) Without consent, if consent
is not required under § 164.506(a) and has not been sought under § 164.506(a)(4),
to carry out treatment, payment, or health care operations, except with respect
to psychotherapy notes;
(iv) Pursuant to and in compliance with an authorization
that complies with § 164.508;
(v) Pursuant to an agreement under, or
as otherwise permitted by, § 164.510; and
(vi) As permitted by and in
compliance with this section, § 164.512, or § 164.514(e), (f), and (g).
(2) Required disclosures. A covered entity is required to disclose protected
health information:
(i) To an individual, when requested under, and as required
by §§ 164.524 or 164.528; and
(ii) When required by the Secretary
under subpart C of part 160 of this subchapter to investigate or determine the
covered entity's compliance with this subpart.
(b) Standard: minimum
necessary.
(1) Minimum necessary applies. When using or disclosing protected
health information or when requesting protected health information from another
covered entity, a covered entity must make reasonable efforts to limit protected
health information to the minimum necessary to accomplish the intended purpose
of the use, disclosure, or request.
(2) Minimum necessary does not apply.
This requirement does not apply to:
(i) Disclosures to or requests by a health
care provider for treatment;
(ii) Uses or disclosures made to the individual,
as permitted under paragraph (a)(1)(i) of this section, as required by paragraph
(a)(2)(i) of this section, or pursuant to an authorization under § 164.508,
except for authorizations requested by the covered entity under § 164.508(d),
(e), or (f);
(iii) Disclosures made to the Secretary in accordance with subpart
C of part 160 of this subchapter;
(iv) Uses or disclosures that are required
by law, as described by § 164.512(a); and
(v) Uses or disclosures that
are required for compliance with applicable requirements of this subchapter.
(c) Standard: uses and disclosures of protected health information subject to an agreed
upon restriction. A covered entity that has agreed to a restriction pursuant to
§ 164.522(a)(1) may not use or disclose the protected health information
covered by the restriction in violation of such restriction, except as otherwise
provided in § 164.522(a).
(d) Standard: uses and disclosures of de-identified
protected health information.
(1) Uses and disclosures to create de-identified
information. A covered entity may use protected health information to create information
that is not individually identifiable health information or disclose protected
health information only to a business associate for such purpose, whether or not
the de-identified information is to be used by the covered entity.
(2) Uses
and disclosures of de-identified information. Health information that meets the
standard and implementation specifications for de-identification under §
164.514(a) and (b) is considered not to be individually identifiable health information,
i.e., de-identified. The requirements of this subpart do not apply to information
that has been de-identified in accordance with the applicable requirements of
§ 164.514, provided that:
(i) Disclosure of a code or other means of
record identification designed to enable coded or otherwise de-identified information
to be re-identified constitutes disclosure of protected health information; and
(ii) If de-identified information is re-identified, a covered entity may use
or disclose such re-identified information only as permitted or required by this
subpart.
(e)(1) Standard: disclosures to business associates.
(i) A covered
entity may disclose protected health information to a business associate and may
allow a business associate to create or receive protected health information on
its behalf, if the covered entity obtains satisfactory assurance that the business
associate will appropriately safeguard the information.
(ii) This standard
does not apply:
(A) With respect to disclosures by a covered entity to a health
care provider concerning the treatment of the individual;
(B) With respect
to disclosures by a group health plan or a health insurance issuer or HMO with
respect to a group health plan to the plan sponsor, to the extent that the requirements
of § 164.504(f) apply and are met; or
(C) With respect to uses or disclosures
by a health plan that is a government program providing public benefits, if eligibility
for, or enrollment in, the health plan is determined by an agency other than the
agency administering the health plan, or if the protected health information used
to determine enrollment or eligibility in the health plan is collected by an agency
other than the agency administering the health plan, and such activity is authorized
by law, with respect to the collection and sharing of individually identifiable
health information for the performance of such functions by the health plan and
the agency other than the agency administering the health plan.
(iii) A covered
entity that violates the satisfactory assurances it provided as a business associate
of another covered entity will be in noncompliance with the standards, implementation
specifications, and requirements of this paragraph and § 164.504(e).
(2) Implementation specification: documentation. A covered entity must document the
satisfactory assurances required by paragraph (e)(1) of this section through a
written contract or other written agreement or arrangement with the business associate
that meets the applicable requirements of § 164.504(e).
(f) Standard:
deceased individuals. A covered entity must comply with the requirements of this
subpart with respect to the protected health information of a deceased individual.
(g)(1) Standard: personal representatives. As specified in this paragraph,
a covered entity must, except as provided in paragraphs (g)(3) and (g)(5) of this
section, treat a personal representative as the individual for purposes of this
subchapter.
(2) Implementation specification: adults and emancipated minors.
If under applicable law a person has authority to act on behalf of an individual
who is an adult or an emancipated minor in making decisions related to health
care, a covered entity must treat such person as a personal representative under
this subchapter, with respect to protected health information relevant to such
personal representation.
(3) Implementation specification: unemancipated minors.
If under applicable law a parent, guardian, or other person acting in loco parentis
has authority to act on behalf of an individual who is an unemancipated minor
in making decisions related to health care, a covered entity must treat such person
as a personal representative under this subchapter, with respect to protected
health information relevant to such personal representation, except that such
person may not be a personal representative of an unemancipated minor, and the
minor has the authority to act as an individual, with respect to protected health
information pertaining to a health care service, if:
(i) The minor consents
to such health care service; no other consent to such health care service is required
by law, regardless of whether the consent of another person has also been obtained;
and the minor has not requested that such person be treated as the personal representative;
(ii) The minor may lawfully obtain such health care service without the consent
of a parent, guardian, or other person acting in loco parentis, and the minor,
a court, or another person authorized by law consents to such health care service;
or
(iii) A parent, guardian, or other person acting in loco parentis assents
to an agreement of confidentiality between a covered health care provider and
the minor with respect to such health care service.
(4) Implementation specification:
deceased individuals. If under applicable law an executor, administrator, or other
person has authority to act on behalf of a deceased individual or of the individual's
estate, a covered entity must treat such person as a personal representative under
this subchapter, with respect to protected health information relevant to such
personal representation.
(5) Implementation specification: abuse, neglect,
endangerment situations. Notwithstanding a State law or any requirement of this
paragraph to the contrary, a covered entity may elect not to treat a person as
the personal representative of an individual if:
(i) The covered entity has
a reasonable belief that:
(A) The individual has been or may be subjected
to domestic violence, abuse, or neglect by such person; or
(B) Treating such
person as the personal representative could endanger the individual; and
(ii)
The covered entity, in the exercise of professional judgment, decides that it
is not in the best interest of the individual to treat the person as the individual's
personal representative.
(h) Standard: confidential communications. A covered
health care provider or health plan must comply with the applicable requirements
of § 164.522(b) in communicating protected health information.
(i) Standard:
uses and disclosures consistent with notice. A covered entity that is required
by § 164.520 to have a notice may not use or disclose protected health information
in a manner inconsistent with such notice. A covered entity that is required by
§ 164.520(b)(1)(iii) to include a specific statement in its notice if it
intends to engage in an activity listed in § 164.520(b)(1)(iii)(A)-(C), may
not use or disclose protected health information for such activities, unless the
required statement is included in the notice.
(j) Standard: disclosures by
whistleblowers and workforce member crime victims.
(1) Disclosures by whistleblowers.
A covered entity is not considered to have violated the requirements of this subpart
if a member of its workforce or a business associate discloses protected health
information, provided that:
(i) The workforce member or business associate
believes in good faith that the covered entity has engaged in conduct that is
unlawful or otherwise violates professional or clinical standards, or that the
care, services, or conditions provided by the covered entity potentially endangers
one or more patients, workers, or the public; and
(ii) The disclosure is to:
(A) A health oversight agency or public health authority authorized by law
to investigate or otherwise oversee the relevant conduct or conditions of the
covered entity or to an appropriate health care accreditation organization for
the purpose of reporting the allegation of failure to meet professional standards
or misconduct by the covered entity; or
(B) An attorney retained by or on
behalf of the workforce member or business associate for the purpose of determining
the legal options of the workforce member or business associate with regard to
the conduct described in paragraph (j)(1)(i) of this section.
(2) Disclosures
by workforce members who are victims of a crime. A covered entity is not considered
to have violated the requirements of this subpart if a member of its workforce
who is the victim of a criminal act discloses protected health information to
a law enforcement official, provided that:
(i) The protected health information
disclosed is about the suspected perpetrator of the criminal act; and
(ii)
The protected health information disclosed is limited to the information listed
in § 164.512(f)(2)(i).
§ 164.504 Uses and disclosures: organizational
requirements.
(a) Definitions. As used in this section:
Common control
exists if an entity has the power, directly or indirectly, significantly to influence
or direct the actions or policies of another entity.
Common ownership exists
if an entity or entities possess an ownership or equity interest of 5 percent
or more in another entity.
Health care component has the following meaning:
(1) Components of a covered entity that perform covered functions are part
of the health care component.
(2) Another component of the covered entity
is part of the entity's health care component to the extent that:
(i)
It performs, with respect to a component that performs covered functions, activities
that would make such other component a business associate of the component that
performs covered functions if the two components were separate legal entities;
and
(ii) The activities involve the use or disclosure of protected health
information that such other component creates or receives from or on behalf of
the component that performs covered functions.
Hybrid entity means a single
legal entity that is a covered entity and whose covered functions are not its
primary functions.
Plan administration functions means administration functions
performed by the plan sponsor of a group health plan on behalf of the group health
plan and excludes functions performed by the plan sponsor in connection with any
other benefit or benefit plan of the plan sponsor.
Summary health information
means information, that may be individually identifiable health information, and:
(1) That summarizes the claims history, claims expenses, or type of claims
experienced by individuals for whom a plan sponsor has provided health benefits
under a group health plan; and
(2) From which the information described at
§ 164.514(b)(2)(i) has been deleted, except that the geographic information
described in § 164.514(b)(2)(i)(B) need only be aggregated to the level of
a five digit zip code.
(b) Standard: health care component. If a covered entity
is a hybrid entity, the requirements of this subpart, other than the requirements
of this section, apply only to the health care component(s) of the entity, as
specified in this section.
(c)(1) Implementation specification: application
of other provisions. In applying a provision of this subpart, other than this
section, to a hybrid entity:
(i) A reference in such provision to a covered
entity refers to a health care component of the covered entity;
(ii)
A reference in such provision to a health plan, covered health
care provider, or health care clearinghouse refers to a health
care component of the covered entity if such health care component performs the
functions of a health plan, covered health care provider, or health care clearinghouse,
as applicable; and
(iii) A reference in such provision to protected
health information refers to protected health information that is created
or received by or on behalf of the health care component of the covered entity.
(2) Implementation specifications: safeguard requirements. The covered entity
that is a hybrid entity must ensure that a health care component of the entity
complies with the applicable requirements of this subpart. In particular, and
without limiting this requirement, such covered entity must ensure that:
(i)
Its health care component does not disclose protected health information to another
component of the covered entity in circumstances in which this subpart would prohibit
such disclosure if the health care component and the other component were separate
and distinct legal entities;
(ii) A component that is described by paragraph
(2)(i) of the definition of health care component in this section does not use
or disclose protected health information that is within paragraph (2)(ii) of such
definition for purposes of its activities other than those described by paragraph
(2)(i) of such definition in a way prohibited by this subpart; and
(iii) If
a person performs duties for both the health care component in the capacity of
a member of the workforce of such component and for another component of the entity
in the same capacity with respect to that component, such workforce member must
not use or disclose protected health information created or received in the course
of or incident to the member's work for the health care component in a way
prohibited by this subpart.
(3) Implementation specifications: responsibilities
of the covered entity. A covered entity that is a hybrid entity has the following
responsibilities:
(i) For purposes of subpart C of part 160 of this subchapter,
pertaining to compliance and enforcement, the covered entity has the responsibility
to comply with this subpart.
(ii) The covered entity has the responsibility
for complying with § 164.530(i), pertaining to the implementation of policies
and procedures to ensure compliance with this subpart, including the safeguard
requirements in paragraph (c)(2) of this section.
(iii) The covered entity
is responsible for designating the components that are part of one or more health
care components of the covered entity and documenting the designation as required
by § 164.530(j).
(d)(1) Standard: affiliated covered entities. Legally
separate covered entities that are affiliated may designate themselves as a single
covered entity for purposes of this subpart.
(2) Implementation specifications:
requirements for designation of an affiliated covered entity.
(i) Legally
separate covered entities may designate themselves (including any health care
component of such covered entity) as a single affiliated covered entity, for purposes
of this subpart, if all of the covered entities designated are under common ownership
or control.
(ii) The designation of an affiliated covered entity must be documented
and the documentation maintained as required by § 164.530(j).
(3) Implementation
specifications: safeguard requirements. An affiliated covered entity must ensure
that:
(i) The affiliated covered entity's use and disclosure of protected
health information comply with the applicable requirements of this subpart; and
(ii) If the affiliated covered entity combines the functions of a health plan,
health care provider, or health care clearinghouse, the affiliated covered entity
complies with paragraph (g) of this section.
(e)(1) Standard: business associate
contracts.
(i) The contract or other arrangement between the covered entity
and the business associate required by § 164.502(e)(2) must meet the requirements
of paragraph (e)(2) or (e)(3) of this section, as applicable.
(ii) A covered
entity is not in compliance with the standards in § 164.502(e) and paragraph
(e) of this section, if the covered entity knew of a pattern of activity or practice
of the business associate that constituted a material breach or violation of the
business associate's obligation under the contract or other arrangement,
unless the covered entity took reasonable steps to cure the breach or end the
violation, as applicable, and, if such steps were unsuccessful:
(A) Terminated
the contract or arrangement, if feasible; or
(B) If termination is not feasible,
reported the problem to the Secretary.
(2) Implementation specifications:
business associate contracts. A contract between the covered entity and a business
associate must:
(i) Establish the permitted and required uses and disclosures
of such information by the business associate. The contract may not authorize
the business associate to use or further disclose the information in a manner
that would violate the requirements of this subpart, if done by the covered entity,
except that:
(A) The contract may permit the business associate to use and
disclose protected health information for the proper management and administration
of the business associate, as provided in paragraph (e)(4) of this section; and
(B) The contract may permit the business associate to provide data aggregation
services relating to the health care operations of the covered entity.
(ii)
Provide that the business associate will:
(A) Not use or further disclose
the information other than as permitted or required by the contract or as required
by law;
(B) Use appropriate safeguards to prevent use or disclosure of the
information other than as provided for by its contract;
(C) Report to the
covered entity any use or disclosure of the information not provided for by its
contract of which it becomes aware;
(D) Ensure that any agents, including
a subcontractor, to whom it provides protected health information received from,
or created or received by the business associate on behalf of, the covered entity
agrees to the same restrictions and conditions that apply to the business associate
with respect to such information;
(E) Make available protected health information
in accordance with § 164.524;
(F) Make available protected health information
for amendment and incorporate any amendments to protected health information in
accordance with § 164.526;
(G) Make available the information required
to provide an accounting of disclosures in accordance with § 164.528;
(H)
Make its internal practices, books, and records relating to the use and disclosure
of protected health information received from, or created or received by the business
associate on behalf of, the covered entity available to the Secretary for purposes
of determining the covered entity's compliance with this subpart; and
(I)
At termination of the contract, if feasible, return or destroy all protected health
information received from, or created or received by the business associate on
behalf of, the covered entity that the business associate still maintains in any
form and retain no copies of such information or, if such return or destruction
is not feasible, extend the protections of the contract to the information and
limit further uses and disclosures to those purposes that make the return or destruction
of the information infeasible.
(iii) Authorize termination of the contract
by the covered entity, if the covered entity determines that the business associate
has violated a material term of the contract.
(3) Implementation specifications:
other arrangements.
(i) If a covered entity and its business associate are
both governmental entities:
(A) The covered entity may comply with paragraph
(e) of this section by entering into a memorandum of understanding with the business
associate that contains terms that accomplish the objectives of paragraph (e)(2)
of this section.
(B) The covered entity may comply with paragraph (e) of this
section, if other law (including regulations adopted by the covered entity or
its business associate) contains requirements applicable to the business associate
that accomplish the objectives of paragraph (e)(2) of this section.
(ii) If
a business associate is required by law to perform a function or activity on behalf
of a covered entity or to provide a service described in the definition of business
associate in § 160.103 of this subchapter to a covered entity, such covered
entity may disclose protected health information to the business associate to
the extent necessary to comply with the legal mandate without meeting the requirements
of this paragraph (e), provided that the covered entity attempts in good faith
to obtain satisfactory assurances as required by paragraph (e)(3)(i) of this section,
and, if such attempt fails, documents the attempt and the reasons that such assurances
cannot be obtained.
(iii) The covered entity may omit from its other arrangements
the termination authorization required by paragraph (e)(2)(iii) of this section,
if such authorization is inconsistent with the statutory obligations of the covered
entity or its business associate.
(4) Implementation specifications: other
requirements for contracts and other arrangements.
(i) The contract or other
arrangement between the covered entity and the business associate may permit the
business associate to use the information received by the business associate in
its capacity as a business associate to the covered entity, if necessary:
(A)
For the proper management and administration of the business associate; or
(B)
To carry out the legal responsibilities of the business associate.
(ii) The
contract or other arrangement between the covered entity and the business associate
may permit the business associate to disclose the information received by the
business associate in its capacity as a business associate for the purposes described
in paragraph (e)(4)(i) of this section, if:
(A) The disclosure is required
by law; or
(B)(1) The business associate obtains reasonable assurances from
the person to whom the information is disclosed that it will be held confidentially
and used or further disclosed only as required by law or for the purpose for which
it was disclosed to the person; and
(2) The person notifies the business associate
of any instances of which it is aware in which the confidentiality of the information
has been breached.
(f)(1) Standard: requirements for group health plans.
(i)
Except as provided under paragraph (f)(1)(ii) of this section or as otherwise
authorized under § 164.508, a group health plan, in order to disclose protected
health information to the plan sponsor or to provide for or permit the disclosure
of protected health information to the plan sponsor by a health insurance issuer
or HMO with respect to the group health plan, must ensure that the plan documents
restrict uses and disclosures of such information by the plan sponsor consistent
with the requirements of this subpart.
(ii) The group health plan, or a health
insurance issuer or HMO with respect to the group health plan, may disclose summary
health information to the plan sponsor, if the plan sponsor requests the summary
health information for the purpose of:
(A) Obtaining premium bids from health
plans for providing health insurance coverage under the group health plan; or
(B) Modifying, amending, or terminating the group health plan.
(2) Implementation
specifications: requirements for plan documents. The plan documents of the group
health plan must be amended to incorporate provisions to:
(i) Establish the
permitted and required uses and disclosures of such information by the plan sponsor,
provided that such permitted and required uses and disclosures may not be inconsistent
with this subpart.
(ii) Provide that the group health plan will disclose protected
health information to the plan sponsor only upon receipt of a certification by
the plan sponsor that the plan documents have been amended to incorporate the
following provisions and that the plan sponsor agrees to:
(A) Not use or further
disclose the information other than as permitted or required by the plan documents
or as required by law;
(B) Ensure that any agents, including a subcontractor,
to whom it provides protected health information received from the group health
plan agree to the same restrictions and conditions that apply to the plan sponsor
with respect to such information;
(C) Not use or disclose the information
for employment-related actions and decisions or in connection with any other benefit
or employee benefit plan of the plan sponsor;
(D) Report to the group health
plan any use or disclosure of the information that is inconsistent with the uses
or disclosures provided for of which it becomes aware;
(E) Make available
protected health information in accordance with § 164.524;
(F) Make available
protected health information for amendment and incorporate any amendments to protected
health information in accordance with § 164.526;
(G) Make available the
information required to provide an accounting of disclosures in accordance with
§ 164.528;
(H) Make its internal practices, books, and records relating
to the use and disclosure of protected health information received from the group
health plan available to the Secretary for purposes of determining compliance
by the group health plan with this subpart;
(I) If feasible, return or destroy
all protected health information received from the group health plan that the
sponsor still maintains in any form and retain no copies of such information when
no longer needed for the purpose for which disclosure was made, except that, if
such return or destruction is not feasible, limit further uses and disclosures
to those purposes that make the return or destruction of the information infeasible;
and
(J) Ensure that the adequate separation required in paragraph (f)(2)(iii)
of this section is established.
(iii) Provide for adequate separation between
the group health plan and the plan sponsor. The plan documents must:
(A) Describe
those employees or classes of employees or other persons under the control of
the plan sponsor to be given access to the protected health information to be
disclosed, provided that any employee or person who receives protected health
information relating to payment under, health care operations of, or other matters
pertaining to the group health plan in the ordinary course of business must be
included in such description;
(B) Restrict the access to and use by such employees
and other persons described in paragraph (f)(2)(iii)(A) of this section to the
plan administration functions that the plan sponsor performs for the group health
plan; and
(C) Provide an effective mechanism for resolving any issues of noncompliance
by persons described in paragraph (f)(2)(iii)(A) of this section with the plan
document provisions required by this paragraph.
(3) Implementation specifications:
uses and disclosures. A group health plan may:
(i) Disclose protected health
information to a plan sponsor to carry out plan administration functions that
the plan sponsor performs only consistent with the provisions of paragraph (f)(2)
of this section;
(ii) Not permit a health insurance issuer or HMO with respect
to the group health plan to disclose protected health information to the plan
sponsor except as permitted by this paragraph;
(iii) Not disclose and may
not permit a health insurance issuer or HMO to disclose protected health information
to a plan sponsor as otherwise permitted by this paragraph unless a statement
required by § 164.520(b)(1)(iii)(C) is included in the appropriate notice;
and
(iv) Not disclose protected health information to the plan sponsor for
the purpose of employment-related actions or decisions or in connection with any
other benefit or employee benefit plan of the plan sponsor.
(g) Standard:
requirements for a covered entity with multiple covered functions.
(1) A covered
entity that performs multiple covered functions that would make the entity any
combination of a health plan, a covered health care provider, and a health care
clearinghouse, must comply with the standards, requirements, and implementation
specifications of this subpart, as applicable to the health plan, health care
provider, or health care clearinghouse covered functions performed.
(2) A
covered entity that performs multiple covered functions may use or disclose the
protected health information of individuals who receive the covered entity's
health plan or health care provider services, but not both, only for purposes
related to the appropriate function being performed.
§ 164.506 Consent
for uses or disclosures to carry out treatment, payment, or health care operations.
(a) Standard: consent requirement.
(1) Except as provided in paragraph
(a)(2) or (a)(3) of this section, a covered health care provider must obtain the
individual's consent, in accordance with this section, prior to using or
disclosing protected health information to carry out treatment, payment, or health
care operations.
(2) A covered health care provider may, without consent,
use or disclose protected health information to carry out treatment, payment,
or health care operations, if:
(i) The covered health care provider has an
indirect treatment relationship with the individual; or
(ii) The covered health
care provider created or received the protected health information in the course
of providing health care to an individual who is an inmate.
(3)(i) A covered
health care provider may, without prior consent, use or disclose protected health
information created or received under paragraph (a)(3)(i)(A)-(C) of this section
to carry out treatment, payment, or health care operations:
(A) In emergency
treatment situations, if the covered health care provider attempts to obtain such
consent as soon as reasonably practicable after the delivery of such treatment;
(B) If the covered health care provider is required by law to treat the individual,
and the covered health care provider attempts to obtain such consent but is unable
to obtain such consent; or
(C) If a covered health care provider attempts
to obtain such consent from the individual but is unable to obtain such consent
due to substantial barriers to communicating with the individual, and the covered
health care provider determines, in the exercise of professional judgment, that
the individual's consent to receive treatment is clearly inferred from the
circumstances.
(ii) A covered health care provider that fails to obtain such
consent in accordance with paragraph (a)(3)(i) of this section must document its
attempt to obtain consent and the reason why consent was not obtained.
(4)
If a covered entity is not required to obtain consent by paragraph (a)(1) of this
section, it may obtain an individual's consent for the covered entity's
own use or disclosure of protected health information to carry out treatment,
payment, or health care operations, provided that such consent meets the requirements
of this section.
(5) Except as provided in paragraph (f)(1) of this section,
a consent obtained by a covered entity under this section is not effective to
permit another covered entity to use or disclose protected health information.
(b) Implementation specifications: general requirements.
(1) A covered
health care provider may condition treatment on the provision by the individual
of a consent under this section.
(2) A health plan may condition enrollment
in the health plan on the provision by the individual of a consent under this
section sought in conjunction with such enrollment.
(3) A consent under this
section may not be combined in a single document with the notice required by §
164.520.
(4)(i) A consent for use or disclosure may be combined with other
types of written legal permission from the individual (e.g., an informed consent
for treatment or a consent to assignment of benefits), if the consent under this
section:
(A) Is visually and organizationally separate from such other written
legal permission; and
(B) Is separately signed by the individual and dated.
(ii) A consent for use or disclosure may be combined with a research authorization
under § 164.508(f).
(5) An individual may revoke a consent under this
section at any time, except to the extent that the covered entity has taken action
in reliance thereon. Such revocation must be in writing.
(6) A covered entity
must document and retain any signed consent under this section as required by
§ 164.530(j).
(c) Implementation specifications: content requirements.
A consent under this section must be in plain language and:
(1) Inform the
individual that protected health information may be used and disclosed to carry
out treatment, payment, or health care operations;
(2) Refer the individual
to the notice required by § 164.520 for a more complete description of such
uses and disclosures and state that the individual has the right to review the
notice prior to signing the consent;
(3) If the covered entity has reserved
the right to change its privacy practices that are described in the notice in
accordance with § 164.520(b)(1)(v)(C), state that the terms of its notice
may change and describe how the individual may obtain a revised notice;
(4)
State that:
(i) The individual has the right to request that the covered entity
restrict how protected health information is used or disclosed to carry out treatment,
payment, or health care operations;
(ii) The covered entity is not required
to agree to requested restrictions; and
(iii) If the covered entity agrees
to a requested restriction, the restriction is binding on the covered entity;
(5) State that the individual has the right to revoke the consent in writing,
except to the extent that the covered entity has taken action in reliance thereon;
and
(6) Be signed by the individual and dated.
(d) Implementation specifications:
defective consents. There is no consent under this section, if the document submitted
has any of the following defects:
(1) The consent lacks an element required
by paragraph (c) of this section, as applicable; or
(2) The consent has been
revoked in accordance with paragraph (b)(5) of this section.
(e) Standard:
resolving conflicting consents and authorizations.
(1) If a covered entity
has obtained a consent under this section and receives any other authorization
or written legal permission from the individual for a disclosure of protected
health information to carry out treatment, payment, or health care operations,
the covered entity may disclose such protected health information only in accordance
with the more restrictive consent, authorization, or other written legal permission
from the individual.
(2) A covered entity may attempt to resolve a conflict
between a consent and an authorization or other written legal permission from
the individual described in paragraph (e)(1) of this section by:
(i) Obtaining
a new consent from the individual under this section for the disclosure to carry
out treatment, payment, or health care operations; or
(ii) Communicating orally
or in writing with the individual in order to determine the individual's
preference in resolving the conflict. The covered entity must document the individual's
preference and may only disclose protected health information in accordance with
the individual's preference.
(f)(1) Standard: joint consents. Covered
entities that participate in an organized health care arrangement and that have
a joint notice under § 164.520(d) may comply with this section by a joint
consent.
(2) Implementation specifications: requirements for joint consents.
(i) A joint consent must:
(A) Include the name or other specific identification
of the covered entities, or classes of covered entities, to which the joint consent
applies; and
(B) Meet the requirements of this section, except that the statements
required by this section may be altered to reflect the fact that the consent covers
more than one covered entity.
(ii) If an individual revokes a joint consent,
the covered entity that receives the revocation must inform the other entities
covered by the joint consent of the revocation as soon as practicable.
§ 164.508
Uses and disclosures for which an authorization is required.
(a) Standard:
authorizations for uses and disclosures.
(1) Authorization required: general
rule. Except as otherwise permitted or required by this subchapter, a covered
entity may not use or disclose protected health information without an authorization
that is valid under this section. When a covered entity obtains or receives a
valid authorization for its use or disclosure of protected health information,
such use or disclosure must be consistent with such authorization.
(2) Authorization
required: psychotherapy notes. Notwithstanding any other provision of this subpart,
other than transition provisions provided for in § 164.532, a covered entity
must obtain an authorization for any use or disclosure of psychotherapy notes
(b) Implementation specifications: general requirements.
(1) Valid authorizations.
(i) A valid authorization is a document that contains the elements listed
in paragraph (c) and, as applicable, paragraph (d), (e), or (f) of this section.
(ii) A valid authorization may contain elements or information in addition
to the elements required by this section, provided that such additional elements
or information are not inconsistent with the elements required by this section.
(2) Defective authorizations. An authorization is not valid, if the document
submitted has any of the following defects:
(i) The expiration date has passed
or the expiration event is known by the covered entity to have occurred;
(ii)
The authorization has not been filled out completely, with respect to an element
described by paragraph (c), (d), (e), or (f) of this section, if applicable;
(iii)
The authorization is known by the covered entity to have been revoked;
(iv)
The authorization lacks an element required by paragraph (c), (d), (e), or (f)
of this section, if applicable;
(v) The authorization violates paragraph (b)(3)
of this section, if applicable;
(vi) Any material information in the authorization
is known by the covered entity to be false.
(3) Compound authorizations. An
authorization for use or disclosure of protected health information may not be
combined with any other document to create a compound authorization.
(4) Prohibition
on conditioning of authorizations. A covered entity may not condition the provision
to an individual of treatment, payment, enrollment in the health plan, or eligibility
for benefits on the provision of an authorization, except:
(i) A covered health
care provider may condition the provision of research-related treatment on provision
of an authorization under paragraph (f) of this section;
(ii) A health plan
may condition enrollment in the health plan or eligibility for benefits on provision
of an authorization requested by the health plan prior to an individual's
enrollment in the health plan, if:
(A) The authorization sought is for the
health plan's eligibility or enrollment determinations relating to the individual
or for its underwriting or risk rating determinations; and
(B) The authorization
is not for a use or disclosure of psychotherapy notes under paragraph (a)(2) of
this section;
(iii) A health plan may condition payment of a claim for specified
benefits on provision of an authorization under paragraph (e) of this section,
if:
(A) The disclosure is necessary to determine payment of such claim; and
(B) The authorization is not for a use or disclosure of psychotherapy notes
under paragraph (a)(2) of this section; and
(iv) A covered entity may condition
the provision of health care that is solely for the purpose of creating protected
health information for disclosure to a third party on provision of an authorization
for the disclosure of the protected health information to such third party.
(5)
Revocation of authorizations. An individual may revoke an authorization provided
under this section at any time, provided that the revocation is in writing, except
to the extent that:
(i) The covered entity has taken action in reliance thereon;
or
(ii) If the authorization was obtained as a condition of obtaining insurance
coverage, other law provides the insurer with the right to contest a claim under
the policy.
(6) Documentation. A covered entity must document and retain any
signed authorization under this section as required by § 164.530(j).
(c)
Implementation specifications: core elements and requirements.
(1) Core elements.
A valid authorization under this section must contain at least the following elements:
(i) A description of the information to be used or disclosed that identifies
the information in a specific and meaningful fashion;
(ii) The name or other
specific identification of the person(s), or class of persons, authorized to make
the requested use or disclosure;
(iii) The name or other specific identification
of the person(s), or class of persons, to whom the covered entity may make the
requested use or disclosure;
(iv) An expiration date or an expiration event
that relates to the individual or the purpose of the use or disclosure;
(v)
A statement of the individual's right to revoke the authorization in writing
and the exceptions to the right to revoke, together with a description of how
the individual may revoke the authorization;
(vi) A statement that information
used or disclosed pursuant to the authorization may be subject to redisclosure
by the recipient and no longer be protected by this rule;
(vii) Signature
of the individual and date; and
(viii) If the authorization is signed by a
personal representative of the individual, a description of such representative's
authority to act for the individual.
(2) Plain language requirement. The authorization
must be written in plain language.
(d) Implementation specifications: authorizations
requested by a covered entity for its own uses and disclosures. If an authorization
is requested by a covered entity for its own use or disclosure of protected health
information that it maintains, the covered entity must comply with the following
requirements.
(1) Required elements. The authorization for the uses or disclosures
described in this paragraph must, in addition to meeting the requirements of paragraph
(c) of this section, contain the following elements:
(i) For any authorization
to which the prohibition on conditioning in paragraph (b)(4) of this section applies,
a statement that the covered entity will not condition treatment, payment, enrollment
in the health plan, or eligibility for benefits on the individual's providing
authorization for the requested use or disclosure;
(ii) A description of each
purpose of the requested use or disclosure;
(iii) A statement that the individual
may:
(A) Inspect or copy the protected health information to be used or disclosed
as provided in § 164.524; and
(B) Refuse to sign the authorization; and
(iv) If use or disclosure of the requested information will result in direct
or indirect remuneration to the covered entity from a third party, a statement
that such remuneration will result.
(2) Copy to the individual. A covered
entity must provide the individual with a copy of the signed authorization.
(e)
Implementation specifications: authorizations requested by a covered entity for
disclosures by others. If an authorization is requested by a covered entity for
another covered entity to disclose protected health information to the covered
entity requesting the authorization to carry out treatment, payment, or health
care operations, the covered entity requesting the authorization must comply with
the following requirements.
(1) Required elements. The authorization for the
disclosures described in this paragraph must, in addition to meeting the requirements
of paragraph (c) of this section, contain the following elements:
(i) A description
of each purpose of the requested disclosure;
(ii) Except for an authorization
on which payment may be conditioned under paragraph (b)(4)(iii) of this section,
a statement that the covered entity will not condition treatment, payment, enrollment
in the health plan, or eligibility for benefits on the individual's providing
authorization for the requested use or disclosure; and
(iii) A statement that
the individual may refuse to sign the authorization.
(2) Copy to the individual.
A covered entity must provide the individual with a copy of the signed authorization.
(f) Implementation specifications: authorizations for uses and disclosures
of protected health information created for research that includes treatment of
the individual.
(1) Required elements. Except as otherwise permitted by §
164.512(i), a covered entity that creates protected health information for the
purpose, in whole or in part, of research that includes treatment of individuals
must obtain an authorization for the use or disclosure of such information. Such
authorization must:
(i) For uses and disclosures not otherwise permitted or
required under this subpart, meet the requirements of paragraphs (c) and (d) of
this section; and
(ii) Contain:
(A) A description of the extent to which
such protected health information will be used or disclosed to carry out treatment,
payment, or health care operations;
(B) A description of any protected health
information that will not be used or disclosed for purposes permitted in accordance
with §§ 164.510 and 164.512, provided that the covered entity may not
include a limitation affecting its right to make a use or disclosure that is required
by law or permitted by § 164.512(j)(1)(i); and
(C) If the covered entity
has obtained or intends to obtain the individual's consent under § 164.506,
or has provided or intends to provide the individual with a notice under §
164.520, the authorization must refer to that consent or notice, as applicable,
and state that the statements made pursuant to this section are binding.
(2)
Optional procedure. An authorization under this paragraph may be in the same document
as:
(i) A consent to participate in the research;
(ii) A consent to use
or disclose protected health information to carry out treatment, payment, or health
care operations under § 164.506; or
(iii) A notice of privacy practices
under § 164.520.
§ 164.510 Uses and disclosures requiring an opportunity
for the individual to agree or to object.
A covered entity may use or disclose
protected health information without the written consent or authorization of the
individual as described by §§ 164.506 and 164.508, respectively, provided
that the individual is informed in advance of the use or disclosure and has the
opportunity to agree to or prohibit or restrict the disclosure in accordance with
the applicable requirements of this section. The covered entity may orally inform
the individual of and obtain the individual's oral agreement or objection
to a use or disclosure permitted by this section.
(a) Standard: use and disclosure
for facility directories.
(1) Permitted uses and disclosure. Except when an
objection is expressed in accordance with paragraphs (a)(2) or (3) of this section,
a covered health care provider may:
(i) Use the following protected health
information to maintain a directory of individuals in its facility:
(A) The
individual's name;
(B) The individual's location in the covered
health care provider's facility;
(C) The individual's condition
described in general terms that does not communicate specific medical information
about the individual; and
(D) The individual's religious affiliation;
and
(ii) Disclose for directory purposes such information:
(A) To members
of the clergy; or
(B) Except for religious affiliation, to other persons who
ask for the individual by name.
(2) Opportunity to object. A covered health
care provider must inform an individual of the protected health information that
it may include in a directory and the persons to whom it may disclose such information
(including disclosures to clergy of information regarding religious affiliation)
and provide the individual with the opportunity to restrict or prohibit some or
all of the uses or disclosures permitted by paragraph (a)(1) of this section.
(3) Emergency circumstances.
(i) If the opportunity to object to uses
or disclosures required by paragraph (a)(2) of this section cannot practicably
be provided because of the individual's incapacity or an emergency treatment
circumstance, a covered health care provider may use or disclose some or all of
the protected health information permitted by paragraph (a)(1) of this section
for the facility's directory, if such disclosure is:
(A) Consistent with
a prior expressed preference of the individual, if any, that is known to the covered
health care provider; and
(B) In the individual's best interest as determined
by the covered health care provider, in the exercise of professional judgment.
(ii) The covered health care provider must inform the individual and provide
an opportunity to object to uses or disclosures for directory purposes as required
by paragraph (a)(2) of this section when it becomes practicable to do so.
(b)
Standard: uses and disclosures for involvement in the individual's care and
notification purposes.
(1) Permitted uses and disclosures.
(i) A covered
entity may, in accordance with paragraphs (b)(2) or (3) of this section, disclose
to a family member, other relative, or a close personal friend of the individual,
or any other person identified by the individual, the protected health information
directly relevant to such person's involvement with the individual's
care or payment related to the individual's health care.
(ii) A covered
entity may use or disclose protected health information to notify, or assist in
the notification of (including identifying or locating), a family member, a personal
representative of the individual, or another person responsible for the care of
the individual of the individual's location, general condition, or death.
Any such use or disclosure of protected health information for such notification
purposes must be in accordance with paragraphs (b)(2), (3), or (4) of this section,
as applicable.
(2) Uses and disclosures with the individual present. If the
individual is present for, or otherwise available prior to, a use or disclosure
permitted by paragraph (b)(1) of this section and has the capacity to make health
care decisions, the covered entity may use or disclose the protected health information
if it:
(i) Obtains the individual's agreement;
(ii) Provides the
individual with the opportunity to object to the disclosure, and the individual
does not express an objection; or
(iii) Reasonably infers from the circumstances,
based on the exercise of professional judgment, that the individual does not object
to the disclosure.
(3) Limited uses and disclosures when the individual is
not present. If the individual is not present for, or the opportunity to agree
or object to the use or disclosure cannot practicably be provided because of the
individual's incapacity or an emergency circumstance, the covered entity
may, in the exercise of professional judgment, determine whether the disclosure
is in the best interests of the individual and, if so, disclose only the protected
health information that is directly relevant to the person's involvement
with the individual's health care. A covered entity may use professional
judgment and its experience with common practice to make reasonable inferences
of the individual's best interest in allowing a person to act on behalf of
the individual to pick up filled prescriptions, medical supplies, X-rays, or other
similar forms of protected health information.
(4) Use and disclosures for
disaster relief purposes. A covered entity may use or disclose protected health
information to a public or private entity authorized by law or by its charter
to assist in disaster relief efforts, for the purpose of coordinating with such
entities the uses or disclosures permitted by paragraph (b)(1)(ii) of this section.
The requirements in paragraphs (b)(2) and (3) of this section apply to such uses
and disclosure to the extent that the covered entity, in the exercise of professional
judgment, determines that the requirements do not interfere with the ability to
respond to the emergency circumstances.
§ 164.512 Uses and disclosures
for which consent, an authorization, or opportunity to agree or object is not
required.
A covered entity may use or disclose protected health information
without the written consent or authorization of the individual as described in
§§ 164.506 and 164.508, respectively, or the opportunity for the individual
to agree or object as described in § 164.510, in the situations covered by
this section, subject to the applicable requirements of this section. When the
covered entity is required by this section to inform the individual of, or when
the individual may agree to, a use or disclosure permitted by this section, the
covered entity's information and the individual's agreement may be given
orally.
(a) Standard: uses and disclosures required by law.
(1) A covered
entity may use or disclose protected health information to the extent that such
use or disclosure is required by law and the use or disclosure complies with and
is limited to the relevant requirements of such law.
(2) A covered entity
must meet the requirements described in paragraph (c), (e), or (f) of this section
for uses or disclosures required by law.
(b) Standard: uses and disclosures
for public health activities.
(1) Permitted disclosures. A covered entity
may disclose protected health information for the public health activities and
purposes described in this paragraph to:
(i) A public health authority that
is authorized by law to collect or receive such information for the purpose of
preventing or controlling disease, injury, or disability, including, but not limited
to, the reporting of disease, injury, vital events such as birth or death, and
the conduct of public health surveillance, public health investigations, and public
health interventions; or, at the direction of a public health authority, to an
official of a foreign government agency that is acting in collaboration with a
public health authority;
(ii) A public health authority or other appropriate
government authority authorized by law to receive reports of child abuse or neglect;
(iii) A person subject to the jurisdiction of the Food and Drug Administration:
(A) To report adverse events (or similar reports with respect to food or dietary
supplements), product defects or problems (including problems with the use or
labeling of a product), or biological product deviations if the disclosure is
made to the person required or directed to report such information to the Food
and Drug Administration;
(B) To track products if the disclosure is made to
a person required or directed by the Food and Drug Administration to track the
product;
(C) To enable product recalls, repairs, or replacement (including
locating and notifying individuals who have received products of product recalls,
withdrawals, or other problems); or
(D) To conduct post marketing surveillance
to comply with requirements or at the direction of the Food and Drug Administration;
(iv) A person who may have been exposed to a communicable disease or may otherwise
be at risk of contracting or spreading a disease or condition, if the covered
entity or public health authority is authorized by law to notify such person as
necessary in the conduct of a public health intervention or investigation; or
(v) An employer, about an individual who is a member of the workforce of the
employer, if:
(A) The covered entity is a covered health care provider who
is a member of the workforce of such employer or who provides health care to
the individual at the request of the employer:
(1) To conduct an evaluation
relating to medical surveillance of the workplace; or
(2) To evaluate whether
the individual has a work-related illness or injury;
(B) The protected health
information that is disclosed consists of findings concerning a work-related illness
or injury or a workplace-related medical surveillance;
(C) The employer needs
such findings in order to comply with its obligations, under 29 CFR parts 1904
through 1928, 30 CFR parts 50 through 90, or under state law having a similar
purpose, to record such illness or injury or to carry out responsibilities for
workplace medical surveillance;
(D) The covered health care provider provides
written notice to the individual that protected health information relating to
the medical surveillance of the workplace and work-related illnesses and injuries
is disclosed to the employer:
(1) By giving a copy of the notice to the individual
at the time the health care is provided; or
(2) If the health care is provided
on the work site of the employer, by posting the notice in a prominent place at
the location where the health care is provided.
(2) Permitted uses. If the
covered entity also is a public health authority, the covered entity is permitted
to use protected health information in all cases in which it is permitted to disclose
such information for public health activities under paragraph (b)(1) of this section.
(c) Standard: disclosures about victims of abuse, neglect or domestic violence.
(1) Permitted disclosures. Except for reports of child abuse or neglect permitted
by paragraph (b)(1)(ii) of this section, a covered entity may disclose protected
health information about an individual whom the covered entity reasonably believes
to be a victim of abuse, neglect, or domestic violence to a government authority,
including a social service or protective services agency, authorized by law to
receive reports of such abuse, neglect, or domestic violence:
(i) To the extent
the disclosure is required by law and the disclosure complies with and is limited
to the relevant requirements of such law;
(ii) If the individual agrees to
the disclosure; or
(iii) To the extent the disclosure is expressly authorized
by statute or regulation and:
(A) The covered entity, in the exercise of professional
judgment, believes the disclosure is necessary to prevent serious harm to the
individual or other potential victims; or
(B) If the individual is unable
to agree because of incapacity, a law enforcement or other public official authorized
to receive the report represents that the protected health information for which
disclosure is sought is not intended to be used against the individual and that
an immediate enforcement activity that depends upon the disclosure would be materially
and adversely affected by waiting until the individual is able to agree to the
disclosure.
(2) Informing the individual. A covered entity that makes a disclosure
permitted by paragraph (c)(1) of this section must promptly inform the individual
that such a report has been or will be made, except if:
(i) The covered entity,
in the exercise of professional judgment, believes informing the individual would
place the individual at risk of serious harm; or
(ii) The covered entity would
be informing a personal representative, and the covered entity reasonably believes
the personal representative is responsible for the abuse, neglect, or other injury,
and that informing such person would not be in the best interests of the individual
as determined by the covered entity, in the exercise of professional judgment.
(d) Standard: uses and disclosures for health oversight activities.
(1)
Permitted disclosures. A covered entity may disclose protected health information
to a health oversight agency for oversight activities authorized by law, including
audits; civil, administrative, or criminal investigations; inspections; licensure
or disciplinary actions; civil, administrative, or criminal proceedings or actions;
or other activities necessary for appropriate oversight of:
(i) The health
care system;
(ii) Government benefit programs for which health information
is relevant to beneficiary eligibility;
(iii) Entities subject to government
regulatory programs for which health information is necessary for determining
compliance with program standards; or
(iv) Entities subject to civil rights
laws for which health information is necessary for determining compliance.
(2)
Exception to health oversight activities. For the purpose of the disclosures permitted
by paragraph (d)(1) of this section, a health oversight activity does not include
an investigation or other activity in which the individual is the subject of the
investigation or activity and such investigation or other activity does not arise
out of and is not directly related to:
(i) The receipt of health care;
(ii)
A claim for public benefits related to health; or
(iii) Qualification for,
or receipt of, public benefits or services when a patient's health is integral
to the claim for public benefits or services.
(3) Joint activities or investigations.
Notwithstanding paragraph (d)(2) of this section, if a health oversight activity
or investigation is conducted in conjunction with an oversight activity or investigation
relating to a claim for public benefits not related to health, the joint activity
or investigation is considered a health oversight activity for purposes of paragraph
(d) of this section.
(4) Permitted uses. If a covered entity also is a health
oversight agency, the covered entity may use protected health information for
health oversight activities as permitted by paragraph (d) of this section.
(e)
Standard: disclosures for judicial and administrative proceedings.
(1) Permitted
disclosures. A covered entity may disclose protected health information in the
course of any judicial or administrative proceeding:
(i) In response to an
order of a court or administrative tribunal, provided that the covered entity
discloses only the protected health information expressly authorized by such order;
or
(ii) In response to a subpoena, discovery request, or other lawful process,
that is not accompanied by an order of a court or administrative tribunal, if:
(A) The covered entity receives satisfactory assurance, as described in paragraph
(e)(1)(iii) of this section, from the party seeking the information that reasonable
efforts have been made by such party to ensure that the individual who is the
subject of the protected health information that has been requested has been given
notice of the request; or
(B) The covered entity receives satisfactory assurance,
as described in paragraph (e)(1)(iv) of this section, from the party seeking the
information that reasonable efforts have been made by such party to secure a qualified
protective order that meets the requirements of paragraph (e)(1)(v) of this section.
(iii) For the purposes of paragraph (e)(1)(ii)(A) of this section, a covered
entity receives satisfactory assurances from a party seeking protected health
information if the covered entity receives from such party a written statement
and accompanying documentation demonstrating that:
(A) The party requesting
such information has made a good faith attempt to provide written notice to the
individual (or, if the individual's location is unknown, to mail a notice
to the individual's last known address);
(B) The notice included sufficient
information about the litigation or proceeding in which the protected health information
is requested to permit the individual to raise an objection to the court or administrative
tribunal; and
(C) The time for the individual to raise objections to the court
or administrative tribunal has elapsed, and:
(1) No objections were filed;
or
(2) All objections filed by the individual have been resolved by the court
or the administrative tribunal and the disclosures being sought are consistent
with such resolution.
(iv) For the purposes of paragraph (e)(1)(ii)(B) of
this section, a covered entity receives satisfactory assurances from a party seeking
protected health information, if the covered entity receives from such party a
written statement and accompanying documentation demonstrating that:
(A) The
parties to the dispute giving rise to the request for information have agreed
to a qualified protective order and have presented it to the court or administrative
tribunal with jurisdiction over the dispute; or
(B) The party seeking the
protected health information has requested a qualified protective order from such
court or administrative tribunal.
(v) For purposes of paragraph (e)(1) of
this section, a qualified protective order means, with respect to protected health
information requested under paragraph (e)(1)(ii) of this section, an order of
a court or of an administrative tribunal or a stipulation by the parties to the
litigation or administrative proceeding that:
(A) Prohibits the parties from
using or disclosing the protected health information for any purpose other than
the litigation or proceeding for which such information was requested; and
(B)
Requires the return to the covered entity or destruction of the protected health
information (including all copies made) at the end of the litigation or proceeding.
(vi) Notwithstanding paragraph (e)(1)(ii) of this section, a covered entity
may disclose protected health information in response to lawful process described
in paragraph (e)(1)(ii) of this section without receiving satisfactory assurance
under paragraph (e)(1)(ii)(A) or (B) of this section, if the covered entity makes
reasonable efforts to provide notice to the individual sufficient to meet the
requirements of paragraph (e)(1)(iii) of this section or to seek a qualified protective
order sufficient to meet the requirements of paragraph (e)(1)(iv) of this section.
(2) Other uses and disclosures under this section. The provisions of this
paragraph do not supersede other provisions of this section that otherwise permit
or restrict uses or disclosures of protected health information.
(f) Standard:
disclosures for law enforcement purposes. A covered entity may disclose protected
health information for a law enforcement purpose to a law enforcement official
if the conditions in paragraphs (f)(1) through (f)(6) of this section are met,
as applicable.
(1) Permitted disclosures: pursuant to process and as otherwise
required by law. A covered entity may disclose protected health information:
(i)
As required by law including laws that require the reporting of certain types
of wounds or other physical injuries, except for laws subject to paragraph (b)(1)(ii)
or (c)(1)(i) of this section; or
(ii) In compliance with and as limited by
the relevant requirements of:
(A) A court order or court-ordered warrant,
or a subpoena or summons issued by a judicial officer;
(B) A grand jury subpoena;
or
(C) An administrative request, including an administrative subpoena or
summons, a civil or an authorized investigative demand, or similar process authorized
under law, provided that:
(1) The information sought is relevant and material
to a legitimate law enforcement inquiry;
(2) The request is specific and limited
in scope to the extent reasonably practicable in light of the purpose for which
the information is sought; and
(3) De-identified information could not reasonably
be used.
(2) Permitted disclosures: limited information for identification
and location purposes. Except for disclosures required by law as permitted by
paragraph (f)(1) of this section, a covered entity may disclose protected health
information in response to a law enforcement official's request for such
information for the purpose of identifying or locating a suspect, fugitive, material
witness, or missing person, provided that:
(i) The covered entity may disclose
only the following information:
(A) Name and address;
(B) Date and place
of birth;
(C) Social security number;
(D) ABO blood type and Rh factor;
(E) Type of injury;
(F) Date and time of treatment;
(G) Date and time
of death, if applicable; and
(H) A description of distinguishing physical
characteristics, including height, weight, gender, race, hair and eye color, presence
or absence of facial hair (beard or moustache), scars, and tattoos.
(ii) Except
as permitted by paragraph (f)(2)(i) of this section, the covered entity may not
disclose for the purposes of identification or location under paragraph (f)(2)
of this section any protected health information related to the individual's
DNA or DNA analysis, dental records, or typing, samples or analysis of body fluids
or tissue.
(3) Permitted disclosure: victims of a crime. Except for disclosures
required by law as permitted by paragraph (f)(1) of this section, a covered entity
may disclose protected health information in response to a law enforcement official's
request for such information about an individual who is or is suspected to be
a victim of a crime, other than disclosures that are subject to paragraph (b)
or (c) of this section, if:
(i) The individual agrees to the disclosure;
or
(ii) The covered entity is unable to obtain the individual's agreement
because of incapacity or other emergency circumstance, provided that:
(A)
The law enforcement official represents that such information is needed to determine
whether a violation of law by a person other than the victim has occurred, and
such information is not intended to be used against the victim;
(B) The law
enforcement official represents that immediate law enforcement activity that depends
upon the disclosure would be materially and adversely affected by waiting until
the individual is able to agree to the disclosure; and
(C) The disclosure
is in the best interests of the individual as determined by the covered entity,
in the exercise of professional judgment.
(4) Permitted disclosure: decedents.
A covered entity may disclose protected health information about an individual
who has died to a law enforcement official for the purpose of alerting law enforcement
of the death of the individual if the covered entity has a suspicion that such
death may have resulted from criminal conduct.
(5) Permitted disclosure: crime
on premises. A covered entity may disclose to a law enforcement official protected
health information that the covered entity believes in good faith constitutes
evidence of criminal conduct that occurred on the premises of the covered entity.
(6) Permitted disclosure: reporting crime in emergencies.
(i) A covered
health care provider providing emergency health care in response to a medical
emergency, other than such emergency on the premises of the covered health care
provider, may disclose protected health information to a law enforcement official
if such disclosure appears necessary to alert law enforcement to:
(A) The
commission and nature of a crime;
(B) The location of such crime or of the
victim(s) of such crime; and
(C) The identity, description, and location of
the perpetrator of such crime.
(ii) If a covered health care provider believes
that the medical emergency described in paragraph (f)(6)(i) of this section is
the result of abuse, neglect, or domestic violence of the individual in need of
emergency health care, paragraph (f)(6)(i) of this section does not apply and
any disclosure to a law enforcement official for law enforcement purposes is subject
to paragraph (c) of this section.
(g) Standard: uses and disclosures about
decedents.
(1) Coroners and medical examiners. A covered entity may disclose
protected health information to a coroner or medical examiner for the purpose
of identifying a deceased person, determining a cause of death, or other duties
as authorized by law. A covered entity that also performs the duties of a coroner
or medical examiner may use protected health information for the purposes described
in this paragraph.
(2) Funeral directors. A covered entity may disclose protected
health information to funeral directors, consistent with applicable law, as necessary
to carry out their duties with respect to the decedent. If necessary for funeral
directors to carry out their duties, the covered entity may disclose the protected
health information prior to, and in reasonable anticipation of, the individual's
death.
(h) Standard: uses and disclosures for cadaveric organ, eye or tissue
donation purposes. A covered entity may use or disclose protected health information
to organ procurement organizations or other entities engaged in the procurement,
banking, or transplantation of cadaveric organs, eyes, or tissue for the purpose
of facilitating organ, eye or tissue donation and transplantation.
(i) Standard:
uses and disclosures for research purposes.
(1) Permitted uses and disclosures.
A covered entity may use or disclose protected health information for research,
regardless of the source of funding of the research, provided that:
(i) Board
approval of a waiver of authorization. The covered entity obtains documentation
that an alteration to or waiver, in whole or in part, of the individual authorization
required by §164.508 for use or disclosure of protected health information
has been approved by either:
(A) An Institutional Review Board (IRB), established
in accordance with 7 CFR 1c.107, 10 CFR 745.107, 14 CFR 1230.107, 15 CFR 27.107,
16 CFR 1028.107, 21 CFR 56.107, 22 CFR 225.107, 24 CFR 60.107, 28 CFR 46.107,
32 CFR 219.107, 34 CFR 97.107, 38 CFR 16.107, 40 CFR 26.107, 45 CFR 46.107, 45
CFR 690.107, or 49 CFR 11.107; or
(B) A privacy board that:
(1) Has members
with varying backgrounds and appropriate professional competency as necessary
to review the effect of the research protocol on the individual's privacy
rights and related interests;
(2) Includes at least one member who is not
affiliated with the covered entity, not affiliated with any entity conducting
or sponsoring the research, and not related to any person who is affiliated with
any of such entities; and
(3) Does not have any member participating in a
review of any project in which the member has a conflict of interest.
(ii)
Reviews preparatory to research. The covered entity obtains from the researcher
representations that:
(A) Use or disclosure is sought solely to review protected
health information as necessary to prepare a research protocol or for similar
purposes preparatory to research;
(B) No protected health information is to
be removed from the covered entity by the researcher in the course of the review;
and
(C) The protected health information for which use or access is sought
is necessary for the research purposes.
(iii) Research on decedents' information. The covered entity obtains from the researcher:
(A) Representation that the use or disclosure sought is solely for research on
the protected health information of decedents;
(B) Documentation, at the request of the covered
entity, of the death of such individuals; and
(C) Representation that the
protected health information for which use or disclosure is sought is necessary
for the research purposes.
(2) Documentation of waiver approval. For a use
or disclosure to be permitted based on documentation of approval of an alteration
or waiver, under paragraph (i)(1)(i) of this section, the documentation must include
all of the following:
(i) Identification and date of action. A statement identifying
the IRB or privacy board and the date on which the alteration or waiver of authorization
was approved;
(ii) Waiver criteria. A statement that the IRB or privacy board
has determined that the alteration or waiver, in whole or in part, of authorization
satisfies the following criteria:
(A) The use or disclosure of protected health
information involves no more than minimal risk to the individuals;
(B) The
alteration or waiver will not adversely affect the privacy rights and the welfare
of the individuals;
(C) The research could not practicably be conducted without
the alteration or waiver;
(D) The research could not practicably be conducted
without access to and use of the protected health information;
(E) The privacy
risks to individuals whose protected health information is to be used or disclosed
are reasonable in relation to the anticipated benefits if any to the individuals,
and the importance of the knowledge that may reasonably be expected to result
from the research;
(F) There is an adequate plan to protect the identifiers
from improper use and disclosure;
(G) There is an adequate plan to destroy
the identifiers at the earliest opportunity consistent with conduct of the research,
unless there is a health or research justification for retaining the identifiers,
or such retention is otherwise required by law; and
(H) There are adequate
written assurances that the protected health information will not be reused or
disclosed to any other person or entity, except as required by law, for authorized
oversight of the research project, or for other research for which the use or
disclosure of protected health information would be permitted by this subpart.
(iii) Protected health information needed. A brief description of the protected
health information for which use or access has been determined to be necessary
by the IRB or privacy board, pursuant to paragraph (i)(2)(ii)(D) of this section;
(iv) Review and approval procedures. A statement that the
alteration or waiver of authorization has been reviewed and approved under either
normal or expedited review procedures, as follows:
(A) An IRB must follow
the requirements of the Common Rule, including the normal review procedures (7
CFR 1c.108(b), 10 CFR 745.108(b), 14 CFR 1230.108(b), 15 CFR 27.108(b), 16 CFR
1028.108(b), 21 CFR 56.108(b), 22 CFR 225.108(b), 24 CFR 60.108(b), 28 CFR 46.108(b),
32 CFR 219.108(b), 34 CFR 97.108(b), 38 CFR 16.108(b), 40 CFR 26.108(b), 45 CFR
46.108(b), 45 CFR 690.108(b), or 49 CFR 11.108(b)) or the expedited review procedures
(7 CFR 1c.110, 10 CFR 745.110, 14 CFR 1230.110, 15 CFR 27.110, 16 CFR 1028.110,
21 CFR 56.110, 22 CFR 225.110, 24 CFR 60.110, 28 CFR 46.110, 32 CFR 219.110, 34
CFR 97.110, 38 CFR 16.110, 40 CFR 26.110, 45 CFR 46.110, 45 CFR 690.110, or 49
CFR 11.110);
(B) A privacy board must review the proposed research at convened
meetings at which a majority of the privacy board members are present, including
at least one member who satisfies the criterion stated in paragraph (i)(1)(i)(B)(2)
of this section, and the alteration or waiver of authorization must be approved
by the majority of the privacy board members present at the meeting, unless the
privacy board elects to use an expedited review procedure in accordance with paragraph
(i)(2)(iv)(C) of this section;
(C) A privacy board may use an expedited review
procedure if the research involves no more than minimal risk to the privacy of
the individuals who are the subject of the protected health information for which
use or disclosure is being sought. If the privacy board elects to use an expedited
review procedure, the review and approval of the alteration or waiver of authorization
may be carried out by the chair of the privacy board, or by one or more members
of the privacy board as designated by the chair; and
(v) Required signature.
The documentation of the alteration or waiver of authorization must be signed
by the chair or other member, as designated by the chair, of the IRB or the privacy
board, as applicable.
(j) Standard: uses and disclosures to avert a serious
threat to health or safety.
(1) Permitted disclosures. A covered entity may,
consistent with applicable law and standards of ethical conduct, use or disclose
protected health information, if the covered entity, in good faith, believes the
use or disclosure:
(i)(A) Is necessary to prevent or lessen a serious and
imminent threat to the health or safety of a person or the public; and
(B)
Is to a person or persons reasonably able to prevent or lessen the threat, including
the target of the threat; or
(ii) Is necessary for law enforcement authorities
to identify or apprehend an individual:
(A) Because of a statement by an individual
admitting participation in a violent crime that the covered entity reasonably
believes may have caused serious physical harm to the victim; or
(B) Where
it appears from all the circumstances that the individual has escaped from a correctional
institution or from lawful custody, as those terms are defined in § 164.501.
(2) Use or disclosure not permitted. A use or disclosure pursuant to paragraph
(j)(1)(ii)(A) of this section may not be made if the information described in
paragraph (j)(1)(ii)(A) of this section is learned by the covered entity:
(i)
In the course of treatment to affect the propensity to commit the criminal conduct
that is the basis for the disclosure under paragraph (j)(1)(ii)(A) of this section,
or counseling or therapy; or
(ii) Through a request by the individual to initiate
or to be referred for the treatment, counseling, or therapy described in paragraph
(j)(2)(i) of this section.
(3) Limit on information that may be disclosed.
A disclosure made pursuant to paragraph (j)(1)(ii)(A) of this section shall contain
only the statement described in paragraph (j)(1)(ii)(A) of this section and the
protected health information described in paragraph (f)(2)(i) of this section.
(4) Presumption of good faith belief. A covered entity that uses or discloses
protected health information pursuant to paragraph (j)(1) of this section is presumed
to have acted in good faith with regard to a belief described in paragraph (j)(1)(i)
or (ii) of this section, if the belief is based upon the covered entity's
actual knowledge or in reliance on a credible representation by a person with
apparent knowledge or authority.
(k) Standard: uses and disclosures for specialized
government functions.
(1) Military and veterans activities.
(i) Armed
Forces personnel. A covered entity may use and disclose the protected health information
of individuals who are Armed Forces personnel for activities deemed necessary
by appropriate military command authorities to assure the proper execution of
the military mission, if the appropriate military authority has published by notice
in the Federal Register the following information:
(A) Appropriate military
command authorities; and
(B) The purposes for which the protected health information
may be used or disclosed.
(ii) Separation or discharge from military service.
A covered entity that is a component of the Departments of Defense or Transportation
may disclose to the Department of Veterans Affairs (DVA) the protected health
information of an individual who is a member of the Armed Forces upon the separation
or discharge of the individual from military service for the purpose of a determination
by DVA of the individual's eligibility for or entitlement to benefits under
laws administered by the Secretary of Veterans Affairs.
(iii) Veterans. A
covered entity that is a component of the Department of Veterans Affairs may use
and disclose protected health information to components of the Department that
determine eligibility for or entitlement to, or that provide, benefits under the
laws administered by the Secretary of Veterans Affairs.
(iv) Foreign military
personnel. A covered entity may use and disclose the protected health information
of individuals who are foreign military personnel to their appropriate foreign
military authority for the same purposes for which uses and disclosures are permitted
for Armed Forces personnel under the notice published in the Federal Register
pursuant to paragraph (k)(1)(i) of this section.
(2) National security and
intelligence activities. A covered entity may disclose protected health information
to authorized federal officials for the conduct of lawful intelligence, counter-intelligence,
and other national security activities authorized by the National Security Act
(50 U.S.C. 401, et seq.) and implementing authority (e.g., Executive Order 12333).
(3) Protective services for the President and others. A covered entity may
disclose protected health information to authorized federal officials for the
provision of protective services to the President or other persons authorized
by 18 U.S.C. 3056, or to foreign heads of state or other persons authorized by
22 U.S.C. 2709(a)(3), or for the conduct of investigations authorized by 18
U.S.C. 871 and 879.
(4) Medical suitability determinations. A covered entity
that is a component of the Department of State may use protected health information
to make medical suitability determinations and may disclose whether or not the
individual was determined to be medically suitable to the officials in the Department
of State who need access to such information for the following purposes:
(i)
For the purpose of a required security clearance conducted pursuant to Executive
Orders 10450 and 12698;
(ii) As necessary to determine worldwide availability
or availability for mandatory service abroad under sections 101(a)(4) and 504
of the Foreign Service Act; or
(iii) For a family to accompany a Foreign Service
member abroad, consistent with section 101(b)(5) and 904 of the Foreign Service
Act.
(5) Correctional institutions and other law enforcement custodial situations.
(i) Permitted disclosures. A covered entity may disclose to a correctional
institution or a law enforcement official having lawful custody of an inmate or
other individual protected health information about such inmate or individual,
if the correctional institution or such law enforcement official represents that
such protected health information is necessary for:
(A) The provision of health
care to such individuals;
(B) The health and safety of such individual or
other inmates;
(C) The health and safety of the officers or employees of or
others at the correctional institution;
(D) The health and safety of such
individuals and officers or other persons responsible for the transporting of
inmates or their transfer from one institution, facility, or setting to another;
(E) Law enforcement on the premises of the correctional institution; and
(F)
The administration and maintenance of the safety, security, and good order of
the correctional institution.
(ii) Permitted uses. A covered entity that is
a correctional institution may use protected health information of individuals
who are inmates for any purpose for which such protected health information may
be disclosed.
(iii) No application after release. For the purposes of this
provision, an individual is no longer an inmate when released on parole, probation,
supervised release, or otherwise is no longer in lawful custody.
(6) Covered
entities that are government programs providing public benefits.
(i) A health
plan that is a government program providing public benefits may disclose protected
health information relating to eligibility for or enrollment in the health plan
to another agency administering a government program providing public benefits
if the sharing of eligibility or enrollment information among such government
agencies or the maintenance of such information in a single or combined data system
accessible to all such government agencies is required or expressly authorized
by statute or regulation.
(ii) A covered entity that is a government agency
administering a government program providing public benefits may disclose protected
health information relating to the program to another covered entity that is a
government agency administering a government program providing public benefits
if the programs serve the same or similar populations and the disclosure of protected
health information is necessary to coordinate the covered functions of such programs
or to improve administration and management relating to the covered functions
of such programs.
(l) Standard: disclosures for workers' compensation.
A covered entity may disclose protected health information as authorized by and
to the extent necessary to comply with laws relating to workers' compensation
or other similar programs, established by law, that provide benefits for work-related
injuries or illness without regard to fault.
§ 164.514 Other requirements
relating to uses and disclosures of protected health information.
(a) Standard:
de-identification of protected health information. Health information that does
not identify an individual and with respect to which there is no reasonable basis
to believe that the information can be used to identify an individual is not individually
identifiable health information.
(b) Implementation specifications: requirements
for de-identification of protected health information. A covered entity may determine
that health information is not individually identifiable health information only
if:
(1) A person with appropriate knowledge of and experience with generally
accepted statistical and scientific principles and methods for rendering information
not individually identifiable:
(i) Applying such principles and methods, determines
that the risk is very small that the information could be used, alone or in combination
with other reasonably available information, by an anticipated recipient to identify
an individual who is a subject of the information; and
(ii) Documents the
methods and results of the analysis that justify such determination; or
(2)(i)
The following identifiers of the individual or of relatives, employers, or household
members of the individual, are removed:
(A) Names;
(B) All geographic
subdivisions smaller than a State, including street address, city, county, precinct,
zip code, and their equivalent geocodes, except for the initial three digits of
a zip code if, according to the current publicly available data from the Bureau
of the Census:
(1) The geographic unit formed by combining all zip codes with
the same three initial digits contains more than 20,000 people; and
(2) The
initial three digits of a zip code for all such geographic units containing 20,000
or fewer people is changed to 000.
(C) All elements of dates (except year)
for dates directly related to an individual, including birth date, admission date,
discharge date, date of death; and all ages over 89 and all elements of dates
(including year) indicative of such age, except that such ages and elements may
be aggregated into a single category of age 90 or older;
(D) Telephone numbers;
(E) Fax numbers;
(F) Electronic mail addresses;
(G) Social security
numbers;
(H) Medical record numbers;
(I) Health plan beneficiary numbers;
(J) Account numbers;
(K) Certificate/license numbers;
(L) Vehicle
identifiers and serial numbers, including license plate numbers;
(M) Device
identifiers and serial numbers;
(N) Web Universal Resource Locators (URLs);
(O) Internet Protocol (IP) address numbers;
(P) Biometric identifiers,
including finger and voice prints;
(Q) Full face photographic images and any
comparable images; and
(R) Any other unique identifying number, characteristic,
or code; and
(ii) The covered entity does not have actual knowledge that the
information could be used alone or in combination with other information to identify
an individual who is a subject of the information.
(c) Implementation specifications:
re-identification. A covered entity may assign a code or other means of record
identification to allow information de-identified under this section to be re-identified
by the covered entity, provided that:
(1) Derivation. The code or other means
of record identification is not derived from or related to information about the
individual and is not otherwise capable of being translated so as to identify
the individual; and
(2) Security. The covered entity does not use or disclose
the code or other means of record identification for any other purpose, and does
not disclose the mechanism for re-identification.
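As an added illustration (not part of the regulation or of this site's own material), the following Python applies the (b)(2)(i) identifier removals above, including the three-digit ZIP population rule and the age-over-89 rule, and then issues a re-identification code of the kind paragraph (c) allows. The field names, the ZIP prefix populations, the reference date and the sample record are constructed assumptions; the rule names categories of identifiers, not database columns.

```python
import re
import secrets
from datetime import date

# Constructed sample of 3-digit ZIP prefix populations, standing in for the
# Census Bureau figures the rule refers to. Illustrative values only.
ZIP3_POPULATION = {
    "036": 15_000,      # 20,000 or fewer people: prefix must become "000"
    "100": 1_500_000,   # more than 20,000 people: prefix may be kept
}

# Fields holding the direct identifiers listed in (b)(2)(i)(A) and (D)-(Q).
# Field names are this example's own assumptions.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "beneficiary_id",
    "account_no", "license_no", "vehicle_id", "device_id", "url", "ip",
    "biometric", "photo",
}
# (b)(2)(i)(B): geographic subdivisions smaller than a State, other than the
# ZIP code, which gets its own treatment below.
SUBDIVISION_FIELDS = {"street", "city", "county", "precinct"}

REFERENCE_DATE = date(2020, 6, 15)   # constructed date on which ages are computed


def generalize_zip(zip_code: str) -> str:
    """(b)(2)(i)(B): keep the first three digits only when the area formed by
    all ZIP codes sharing them has more than 20,000 people; else '000'."""
    prefix = re.sub(r"\D", "", zip_code)[:3]
    if len(prefix) == 3 and ZIP3_POPULATION.get(prefix, 0) > 20_000:
        return prefix
    return "000"


def age_on(birth: date, on: date) -> int:
    """Completed years between the birth date and the reference date."""
    years = on.year - birth.year
    if (on.month, on.day) < (birth.month, birth.day):
        years -= 1
    return years


def generalize_age(age: int) -> str:
    """(b)(2)(i)(C): ages over 89 collapse into a single '90 or older' bucket."""
    return str(age) if age <= 89 else "90 or older"


def safe_harbor(record: dict, reference: date = REFERENCE_DATE) -> dict:
    """Apply the (b)(2)(i) removals to one record. Item (R), 'any other unique
    identifying number, characteristic, or code', and the (b)(2)(ii) actual-
    knowledge test cannot be mechanised: a reviewer still has to clear the
    fields that pass through untouched."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS or field in SUBDIVISION_FIELDS:
            continue                              # (A), (B), (D)-(Q): dropped
        if field == "zip":
            out[field] = generalize_zip(value)    # (B): ZIP prefix rule
        elif field == "birth_date":
            age = age_on(value, reference)
            out["age"] = generalize_age(age)      # (C): age bucket
            if age <= 89:                         # (C): year alone would show age > 89
                out["birth_year"] = str(value.year)
        elif isinstance(value, date):
            out[field] = str(value.year)          # (C): year only for other dates
        else:
            out[field] = value
    return out


def assign_reid_code(record: dict, key_store: dict) -> str:
    """(c): a re-identification code that is random, so it is not derived from
    anything about the individual (no hash of the MRN or name); the code-to-
    record mapping stays with the covered entity in key_store and is never
    disclosed alongside the de-identified data."""
    code = secrets.token_hex(16)
    key_store[code] = record["mrn"]
    return code


def sample_record(birth=(1925, 3, 1)) -> dict:
    """Constructed patient record used to exercise the functions above."""
    return {
        "name": "Jane Doe", "mrn": "MRN-0001", "ssn": "000-00-0000",
        "street": "1 Main St", "city": "Springfield", "state": "NH",
        "zip": "03601", "birth_date": date(*birth),
        "admission_date": date(2020, 5, 2), "diagnosis": "lumbar strain",
    }


if __name__ == "__main__":
    store = {}
    clean = safe_harbor(sample_record())
    clean["reid_code"] = assign_reid_code(sample_record(), store)
    print(clean)
```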
(d)(1) Standard: minimum
necessary requirements. A covered entity must reasonably ensure that the standards,
requirements, and implementation specifications of § 164.502(b) and this
section relating to a request for or the use and disclosure of the minimum necessary
protected health information are met.
(2) Implementation specifications: minimum
necessary uses of protected health information.
(i) A covered entity must
identify:
(A) Those persons or classes of persons, as appropriate, in its
workforce who need access to protected health information to carry out their duties;
and
(B) For each such person or class of persons, the category or categories
of protected health information to which access is needed and any conditions appropriate
to such access.
(ii) A covered entity must make reasonable efforts to limit
the access of such persons or classes identified in paragraph (d)(2)(i)(A) of
this section to protected health information consistent with paragraph (d)(2)(i)(B)
of this section.
(3) Implementation specification: minimum necessary disclosures
of protected health information.
(i) For any type of disclosure that it makes
on a routine and recurring basis, a covered entity must implement policies and
procedures (which may be standard protocols) that limit the protected health information
disclosed to the amount reasonably necessary to achieve the purpose of the disclosure.
(ii) For all other disclosures, a covered entity must:
(A) Develop criteria
designed to limit the protected health information disclosed to the information
reasonably necessary to accomplish the purpose for which disclosure is sought;
and
(B) Review requests for disclosure on an individual basis in accordance
with such criteria.
(iii) A covered entity may rely, if such reliance is reasonable
under the circumstances, on a requested disclosure as the minimum necessary for
the stated purpose when:
(A) Making disclosures to public officials that are
permitted under § 164.512, if the public official represents that the information
requested is the minimum necessary for the stated purpose(s);
(B) The information
is requested by another covered entity;
(C) The information is requested by
a professional who is a member of its workforce or is a business associate of
the covered entity for the purpose of providing professional services to the covered
entity, if the professional represents that the information requested is the minimum
necessary for the stated purpose(s); or
(D) Documentation or representations
that comply with the applicable requirements of § 164.512(i) have been provided
by a person requesting the information for research purposes.
(4) Implementation
specifications: minimum necessary requests for protected health information.
(i)
A covered entity must limit any request for protected health information to that
which is reasonably necessary to accomplish the purpose for which the request
is made, when requesting such information from other covered entities.
(ii)
For a request that is made on a routine and recurring basis, a covered entity
must implement policies and procedures (which may be standard protocols) that
limit the protected health information requested to the amount reasonably necessary
to accomplish the purpose for which the request is made.
(iii) For all other
requests, a covered entity must review the request on an individual basis to determine
that the protected health information sought is limited to the information reasonably
necessary to accomplish the purpose for which the request is made.
(5) Implementation
specification: other content requirement. For all uses, disclosures, or requests
to which the requirements in paragraph (d) of this section apply, a covered entity
may not use, disclose, or request an entire medical record, except when the entire
medical record is specifically justified as the amount that is reasonably necessary
to accomplish the purpose of the use, disclosure, or request.
(e)(1) Standard:
uses and disclosures of protected health information for marketing. A covered
entity may not use or disclose protected health information for marketing without
an authorization that meets the applicable requirements of § 164.508, except
as provided for by paragraph (e)(2) of this section.
(2) Implementation specifications:
requirements relating to marketing. (i) A covered entity is not required to obtain
an authorization under § 164.508 when it uses or discloses protected health
information to make a marketing communication to an individual that:
(A) Occurs
in a face-to-face encounter with the individual;
(B) Concerns products or
services of nominal value; or
(C) Concerns the health-related products and
services of the covered entity or of a third party and the communication meets
the applicable conditions in paragraph (e)(3) of this section.
(ii) A covered
entity may disclose protected health information for purposes of such communications
only to a business associate that assists the covered entity with such communications.
(3) Implementation specifications: requirements for certain marketing communications.
For a marketing communication to qualify under paragraph (e)(2)(i) of this section,
the following conditions must be met:
(i) The communication must:
(A)
Identify the covered entity as the party making the communication;
(B) If
the covered entity has received or will receive direct or indirect remuneration
for making the communication, prominently state that fact; and
(C) Except
when the communication is contained in a newsletter or similar type of general
communication device that the covered entity distributes to a broad cross-section
of patients, enrollees, or other broad groups of individuals, contain instructions
describing how the individual may opt out of receiving future such communications.
(ii) If the covered entity uses or discloses protected health information
to target the communication to individuals based on their health status or condition:
(A) The covered entity must make a determination prior to making the communication
that the product or service being marketed may be beneficial to the health of
the type or class of individual targeted; and
(B) The communication must explain
why the individual has been targeted and how the product or service relates to
the health of the individual.
(iii) The covered entity must make reasonable
efforts to ensure that individuals who decide to opt out of receiving future marketing
communications, under paragraph (e)(3)(i)(C) of this section, are not sent such
communications.
(f)(1) Standard: uses and disclosures for fundraising. A covered
entity may use, or disclose to a business associate or to an institutionally related
foundation, the following protected health information for the purpose of raising
funds for its own benefit, without an authorization meeting the requirements of
§ 164.508:
(i) Demographic information relating to an individual; and
(ii) Dates of health care provided to an individual.
(2) Implementation
specifications: fundraising requirements.
(i) The covered entity may not use
or disclose protected health information for fundraising purposes as otherwise
permitted by paragraph (f)(1) of this section unless a statement required by §
164.520(b)(1)(iii)(B) is included in the covered entity's notice;
(ii)
The covered entity must include in any fundraising materials it sends to an individual
under this paragraph a description of how the individual may opt out of receiving
any further fundraising communications.
(iii) The covered entity must make
reasonable efforts to ensure that individuals who decide to opt out of receiving
future fundraising communications are not sent such communications.
(g) Standard:
uses and disclosures for underwriting and related purposes. If a health plan receives
protected health information for the purpose of underwriting, premium rating, or
other activities relating to the creation, renewal, or replacement of a contract
of health insurance or health benefits, and if such health insurance or health
benefits are not placed with the health plan, such health plan may not use or
disclose such protected health information for any other purpose, except as may
be required by law.
(h)(1) Standard: verification requirements. Prior to any
disclosure permitted by this subpart, a covered entity must:
(i) Except with
respect to disclosures under § 164.510, verify the identity of a person requesting
protected health information and the authority of any such person to have access
to protected health information under this subpart, if the identity or any such
authority of such person is not known to the covered entity; and
(ii) Obtain
any documentation, statements, or representations, whether oral or written, from
the person requesting the protected health information when such documentation,
statement, or representation is a condition of the disclosure under this subpart.
(2) Implementation specifications: verification.
(i) Conditions on disclosures.
If a disclosure is conditioned by this subpart on particular documentation, statements,
or representations from the person requesting the protected health information,
a covered entity may rely, if such reliance is reasonable under the circumstances,
on documentation, statements, or representations that, on their face, meet the
applicable requirements.
(A) The conditions in § 164.512(f)(1)(ii)(C)
may be satisfied by the administrative subpoena or similar process or by a separate
written statement that, on its face, demonstrates that the applicable requirements
have been met.
(B) The documentation required by § 164.512(i)(2) may
be satisfied by one or more written statements, provided that each is appropriately
dated and signed in accordance with § 164.512(i)(2)(i) and (v).
(ii)
Identity of public officials. A covered entity may rely, if such reliance is reasonable
under the circumstances, on any of the following to verify identity when the disclosure
of protected health information is to a public official or a person acting on
behalf of the public official:
(A) If the request is made in person, presentation
of an agency identification badge, other official credentials, or other proof
of government status;
(B) If the request is in writing, the request is on
the appropriate government letterhead; or
(C) If the disclosure is to a person
acting on behalf of a public official, a written statement on appropriate government
letterhead that the person is acting under the government's authority or
other evidence or documentation of agency, such as a contract for services, memorandum
of understanding, or purchase order, that establishes that the person is acting
on behalf of the public official.
(iii) Authority of public officials. A covered
entity may rely, if such reliance is reasonable under the circumstances, on any
of the following to verify authority when the disclosure of protected health information
is to a public official or a person acting on behalf of the public official:
(A)
A written statement of the legal authority under which the information is requested,
or, if a written statement would be impracticable, an oral statement of such legal
authority;
(B) If a request is made pursuant to legal process, warrant, subpoena,
order, or other legal process issued by a grand jury or a judicial or administrative
tribunal is presumed to constitute legal authority.
(iv) Exercise of professional
judgment. The verification requirements of this paragraph are met if the covered
entity relies on the exercise of professional judgment in making a use or disclosure
in accordance with § 164.510 or acts on a good faith belief in making a disclosure
in accordance with § 164.512(j).
§ 164.520 Notice of privacy practices
for protected health information.
(a) Standard: notice of privacy practices.
(1) Right to notice. Except as provided by paragraph (a)(2) or (3) of this
section, an individual has a right to adequate notice of the uses and disclosures
of protected health information that may be made by the covered entity, and of
the individual's rights and the covered entity's legal duties with respect
to protected health information.
(2) Exception for group health plans.
(i)
An individual enrolled in a group health plan has a right to notice:
(A) From
the group health plan, if, and to the extent that, such an individual does not
receive health benefits under the group health plan through an insurance contract
with a health insurance issuer or HMO; or
(B) From the health insurance issuer
or HMO with respect to the group health plan through which such individuals receive
their health benefits under the group health plan.
(ii) A group health plan
that provides health benefits solely through an insurance contract with a health
insurance issuer or HMO, and that creates or receives protected health information
in addition to summary health information as defined in § 164.504(a) or information
on whether the individual is participating in the group health plan, or is enrolled
in or has disenrolled from a health insurance issuer or HMO offered by the plan,
must:
(A) Maintain a notice under this section; and
(B) Provide such notice
upon request to any person. The provisions of paragraph (c)(1) of this section
do not apply to such group health plan.
(iii) A group health plan that provides
health benefits solely through an insurance contract with a health insurance issuer
or HMO, and does not create or receive protected health information other than
summary health information as defined in § 164.504(a) or information on whether
an individual is participating in the group health plan, or is enrolled in or
has disenrolled from a health insurance issuer or HMO offered by the plan, is
not required to maintain or provide a notice under this section.
(3) Exception
for inmates. An inmate does not have a right to notice under this section, and
the requirements of this section do not apply to a correctional institution that
is a covered entity.
(b) Implementation specifications: content of notice.
(1) Required elements. The covered entity must provide a notice that is written
in plain language and that contains the elements required by this paragraph.
(i)
Header. The notice must contain the following statement as a header or otherwise
prominently displayed: "THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT
YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.
PLEASE REVIEW IT CAREFULLY."
(ii) Uses and disclosures. The notice must
contain:
(A) A description, including at least one example, of the types of
uses and disclosures that the covered entity is permitted by this subpart to make
for each of the following purposes: treatment, payment, and health care operations.
(B) A description of each of the other purposes for which the covered entity
is permitted or required by this subpart to use or disclose protected health information
without the individual's written consent or authorization.
(C) If a use
or disclosure for any purpose described in paragraphs (b)(1)(ii)(A) or (B) of
this section is prohibited or materially limited by other applicable law, the
description of such use or disclosure must reflect the more stringent law as defined
in § 160.202.
(D) For each purpose described in paragraph (b)(1)(ii)(A)
or (B) of this section, the description must include sufficient detail to place
the individual on notice of the uses and disclosures that are permitted or required
by this subpart and other applicable law.
(E) A statement that other uses
and disclosures will be made only with the individual's written authorization
and that the individual may revoke such authorization as provided by § 164.508(b)(5).
(iii) Separate statements for certain uses or disclosures. If the covered
entity intends to engage in any of the following activities, the description required
by paragraph (b)(1)(ii)(A) of this section must include a separate statement,
as applicable, that:
(A) The covered entity may contact the individual to
provide appointment reminders or information about treatment alternatives or other
health-related benefits and services that may be of interest to the individual;
(B) The covered entity may contact the individual to raise funds for the covered
entity; or
(C) A group health plan, or a health insurance issuer or HMO with
respect to a group health plan, may disclose protected health information to the
sponsor of the plan.
(iv) Individual rights. The notice must contain a statement
of the individual's rights with respect to protected health information and
a brief description of how the individual may exercise these rights, as follows:
(A) The right to request restrictions on certain uses and disclosures of protected
health information as provided by § 164.522(a), including a statement that
the covered entity is not required to agree to a requested restriction;
(B)
The right to receive confidential communications of protected health information
as provided by § 164.522(b), as applicable;
(C) The right to inspect
and copy protected health information as provided by § 164.524;
(D) The
right to amend protected health information as provided by § 164.526;
(E)
The right to receive an accounting of disclosures of protected health information
as provided by § 164.528; and
(F) The right of an individual, including
an individual who has agreed to receive the notice electronically in accordance
with paragraph (c)(3) of this section, to obtain a paper copy of the notice from
the covered entity upon request.
(v) Covered entity's duties. The notice
must contain:
(A) A statement that the covered entity is required by law to
maintain the privacy of protected health information and to provide individuals
with notice of its legal duties and privacy practices with respect to protected
health information;
(B) A statement that the covered entity is required to
abide by the terms of the notice currently in effect; and
(C) For the covered
entity to apply a change in a privacy practice that is described in the notice
to protected health information that the covered entity created or received prior
to issuing a revised notice, in accordance with § 164.530(i)(2)(ii), a statement
that it reserves the right to change the terms of its notice and to make the new
notice provisions effective for all protected health information that it maintains.
The statement must also describe how it will provide individuals with a revised
notice.
(vi) Complaints. The notice must contain a statement that individuals
may complain to the covered entity and to the Secretary if they believe their
privacy rights have been violated, a brief description of how the individual may
file a complaint with the covered entity, and a statement that the individual
will not be retaliated against for filing a complaint.
(vii) Contact. The
notice must contain the name, or title, and telephone number of a person or office
to contact for further information as required by § 164.530(a)(1)(ii).
(viii)
Effective date. The notice must contain the date on which the notice is first
in effect, which may not be earlier than the date on which the notice is printed
or otherwise published.
(2) Optional elements.
(i) In addition to the
information required by paragraph (b)(1) of this section, if a covered entity
elects to limit the uses or disclosures that it is permitted to make under this
subpart, the covered entity may describe its more limited uses or disclosures
in its notice, provided that the covered entity may not include in its notice
a limitation affecting its right to make a use or disclosure that is required
by law or permitted by § 164.512(j)(1)(i).
(ii) For the covered entity
to apply a change in its more limited uses and disclosures to protected health
information created or received prior to issuing a revised notice, in accordance
with § 164.530(i)(2)(ii), the notice must include the statements required
by paragraph (b)(1)(v)(C) of this section.
(3) Revisions to the notice. The
covered entity must promptly revise and distribute its notice whenever there is
a material change to the uses or disclosures, the individual's rights, the
covered entity's legal duties, or other privacy practices stated in the notice.
Except when required by law, a material change to any term of the notice may not
be implemented prior to the effective date of the notice in which such material
change is reflected.
(c) Implementation specifications: provision of notice.
A covered entity must make the notice required by this section available on request
to any person and to individuals as specified in paragraphs (c)(1) through (c)(4)
of this section, as applicable.
(1) Specific requirements for health plans.
(i) A health plan must provide notice:
(A) No later than the compliance
date for the health plan, to individuals then covered by the plan;
(B) Thereafter,
at the time of enrollment, to individuals who are new enrollees; and
(C) Within
60 days of a material revision to the notice, to individuals then covered by the
plan.
(ii) No less frequently than once every three years, the health plan
must notify individuals then covered by the plan of the availability of the notice
and how to obtain the notice.
(iii) The health plan satisfies the requirements
of paragraph (c)(1) of this section if notice is provided to the named insured
of a policy under which coverage is provided to the named insured and one or more
dependents.
(iv) If a health plan has more than one notice, it satisfies the
requirements of paragraph (c)(1) of this section by providing the notice that
is relevant to the individual or other person requesting the notice.
(2) Specific
requirements for certain covered health care providers. A covered health care
provider that has a direct treatment relationship with an individual must:
(i)
Provide the notice no later than the date of the first service delivery, including
service delivered electronically, to such individual after the compliance date
for the covered health care provider;
(ii) If the covered health care provider
maintains a physical service delivery site:
(A) Have the notice available
at the service delivery site for individuals to request to take with them; and
(B) Post the notice in a clear and prominent location where it is reasonable
to expect individuals seeking service from the covered health care provider to
be able to read the notice; and
(iii) Whenever the notice is revised, make
the notice available upon request on or after the effective date of the revision
and promptly comply with the requirements of paragraph (c)(2)(ii) of this section,
if applicable.
(3) Specific requirements for electronic notice.
(i) A
covered entity that maintains a web site that provides information about the covered
entity's customer services or benefits must prominently post its notice on
the web site and make the notice available electronically through the web site.
(ii) A covered entity may provide the notice required by this section to an
individual by e-mail, if the individual agrees to electronic notice and such agreement
has not been withdrawn. If the covered entity knows that the e-mail transmission
has failed, a paper copy of the notice must be provided to the individual. Provision
of electronic notice by the covered entity will satisfy the provision requirements
of paragraph (c) of this section when timely made in accordance with paragraph
(c)(1) or (2) of this section.
(iii) For purposes of paragraph (c)(2)(i) of
this section, if the first service delivery to an individual is delivered electronically,
the covered health care provider must provide electronic notice automatically
and contemporaneously in response to the individual's first request for service.
(iv) The individual who is the recipient of electronic notice retains the
right to obtain a paper copy of the notice from a covered entity upon request.
(d) Implementation specifications: joint notice by separate covered entities.
Covered entities that participate in organized health care arrangements may comply
with this section by a joint notice, provided that:
(1) The covered entities
participating in the organized health care arrangement agree to abide by the terms
of the notice with respect to protected health information created or received
by the covered entity as part of its participation in the organized health care
arrangement;
(2) The joint notice meets the implementation specifications
in paragraph (b) of this section, except that the statements required by this
section may be altered to reflect the fact that the notice covers more than one
covered entity; and
(i) Describes with reasonable specificity the covered
entities, or class of entities, to which the joint notice applies;
(ii) Describes
with reasonable specificity the service delivery sites, or classes of service
delivery sites, to which the joint notice applies; and
(iii) If applicable,
states that the covered entities participating in the organized health care arrangement
will share protected health information with each other, as necessary to carry
out treatment, payment, or health care operations relating to the organized health
care arrangement.
(3) The covered entities included in the joint notice must
provide the notice to individuals in accordance with the applicable implementation
specifications of paragraph (c) of this section. Provision of the joint notice
to an individual by any one of the covered entities included in the joint notice
will satisfy the provision requirement of paragraph (c) of this section with respect
to all others covered by the joint notice.
(e) Implementation specifications:
documentation. A covered entity must document compliance with the notice requirements
by retaining copies of the notices issued by the covered entity as required by
§ 164.530(j).
§ 164.522 Rights to request privacy protection for
protected health information.
(a)(1) Standard: right of an individual to request
restriction of uses and disclosures.
(i) A covered entity must permit an individual
to request that the covered entity restrict:
(A) Uses or disclosures of protected
health information about the individual to carry out treatment, payment, or health
care operations; and
(B) Disclosures permitted under § 164.510(b).
(ii)
A covered entity is not required to agree to a restriction.
(iii) A covered
entity that agrees to a restriction under paragraph (a)(1)(i) of this section
may not use or disclose protected health information in violation of such restriction,
except that, if the individual who requested the restriction is in need of emergency
treatment and the restricted protected health information is needed to provide
the emergency treatment, the covered entity may use the restricted protected health
information, or may disclose such information to a health care provider, to provide
such treatment to the individual.
(iv) If restricted protected health information
is disclosed to a health care provider for emergency treatment under paragraph
(a)(1)(iii) of this section, the covered entity must request that such health
care provider not further use or disclose the information.
(v) A restriction
agreed to by a covered entity under paragraph (a) of this section, is not effective
under this subpart to prevent uses or disclosures permitted or required under
§§ 164.502(a)(2)(i), 164.510(a) or 164.512.
(2) Implementation specifications:
terminating a restriction. A covered entity may terminate its agreement to a restriction,
if:
(i) The individual agrees to or requests the termination in writing;
(ii) The individual orally agrees to the termination and the oral agreement
is documented; or
(iii) The covered entity informs the individual that it
is terminating its agreement to a restriction, except that such termination is
only effective with respect to protected health information created or received
after it has so informed the individual.
(3) Implementation specification:
documentation. A covered entity that agrees to a restriction must document the
restriction in accordance with § 164.530(j).
(b)(1) Standard: confidential
communications requirements.
(i) A covered health care provider must permit
individuals to request and must accommodate reasonable requests by individuals
to receive communications of protected health information from the covered health
care provider by alternative means or at alternative locations.
(ii) A health
plan must permit individuals to request and must accommodate reasonable requests
by individuals to receive communications of protected health information from
the health plan by alternative means or at alternative locations, if the individual
clearly states that the disclosure of all or part of that information could endanger
the individual.
(2) Implementation specifications: conditions on providing
confidential communications.
(i) A covered entity may require the individual
to make a request for a confidential communication described in paragraph (b)(1)
of this section in writing.
(ii) A covered entity may condition the provision
of a reasonable accommodation on:
(A) When appropriate, information as to
how payment, if any, will be handled; and
(B) Specification of an alternative
address or other method of contact.
(iii) A covered health care provider may
not require an explanation from the individual as to the basis for the request
as a condition of providing communications on a confidential basis.
(iv) A
health plan may require that a request contain a statement that disclosure of
all or part of the information to which the request pertains could endanger the
individual.
§ 164.524 Access of individuals to protected health information.
(a) Standard: access to protected health information.
(1) Right of access.
Except as otherwise provided in paragraph (a)(2) or (a)(3) of this section, an
individual has a right of access to inspect and obtain a copy of protected health
information about the individual in a designated record set, for as long as the
protected health information is maintained in the designated record set, except
for:
(i) Psychotherapy notes;
(ii) Information compiled in reasonable
anticipation of, or for use in, a civil, criminal, or administrative action or
proceeding; and
(iii) Protected health information maintained by a covered
entity that is:
(A) Subject to the Clinical Laboratory Improvements Amendments
of 1988, 42 U.S.C. 263a, to the extent the provision of access to the individual
would be prohibited by law; or
(B) Exempt from the Clinical Laboratory Improvements
Amendments of 1988, pursuant to 42 CFR 493.3(a)(2).
(2) Unreviewable grounds
for denial. A covered entity may deny an individual access without providing the
individual an opportunity for review, in the following circumstances.
(i)
The protected health information is excepted from the right of access by paragraph
(a)(1) of this section.
(ii) A covered entity that is a correctional institution
or a covered health care provider acting under the direction of the correctional
institution may deny, in whole or in part, an inmate's request to obtain
a copy of protected health information, if obtaining such copy would jeopardize
the health, safety, security, custody, or rehabilitation of the individual or
of other inmates, or the safety of any officer, employee, or other person at the
correctional institution or responsible for the transporting of the inmate.
(iii)
An individual's access to protected health information created or obtained
by a covered health care provider in the course of research that includes treatment
may be temporarily suspended for as long as the research is in progress, provided
that the individual has agreed to the denial of access when consenting to participate
in the research that includes treatment, and the covered health care provider
has informed the individual that the right of access will be reinstated upon completion
of the research.
(iv) An individual's access to protected health information
that is contained in records that are subject to the Privacy Act, 5 U.S.C. §
552a, may be denied, if the denial of access under the Privacy Act would meet
the requirements of that law.
(v) An individual's access may be denied
if the protected health information was obtained from someone other than a health
care provider under a promise of confidentiality and the access requested would
be reasonably likely to reveal the source of the information.
(3) Reviewable
grounds for denial. A covered entity may deny an individual access, provided that
the individual is given a right to have such denials reviewed, as required by
paragraph (a)(4) of this section, in the following circumstances:
(i) A licensed
health care professional has determined, in the exercise of professional judgment,
that the access requested is reasonably likely to endanger the life or physical
safety of the individual or another person;
(ii) The protected health information
makes reference to another person (unless such other person is a health care provider)
and a licensed health care professional has determined, in the exercise of professional
judgment, that the access requested is reasonably likely to cause substantial
harm to such other person; or
(iii) The request for access is made by the
individual's personal representative and a licensed health care professional
has determined, in the exercise of professional judgment, that the provision of
access to such personal representative is reasonably likely to cause substantial
harm to the individual or another person.
(4) Review of a denial of access.
If access is denied on a ground permitted under paragraph (a)(3) of this section,
the individual has the right to have the denial reviewed by a licensed health
care professional who is designated by the covered entity to act as a reviewing
official and who did not participate in the original decision to deny. The covered
entity must provide or deny access in accordance with the determination of the
reviewing official under paragraph (d)(4) of this section.
(b) Implementation
specifications: requests for access and timely action.
(1) Individual's
request for access. The covered entity must permit an individual to request access
to inspect or to obtain a copy of the protected health information about the individual
that is maintained in a designated record set. The covered entity may require
individuals to make requests for access in writing, provided that it informs individuals
of such a requirement.
(2) Timely action by the covered entity.
(i) Except
as provided in paragraph (b)(2)(ii) of this section, the covered entity must act
on a request for access no later than 30 days after receipt of the request as
follows.
(A) If the covered entity grants the request, in whole or in part,
it must inform the individual of the acceptance of the request and provide the
access requested, in accordance with paragraph (c) of this section.
(B) If
the covered entity denies the request, in whole or in part, it must provide the
individual with a written denial, in accordance with paragraph (d) of this section.
(ii) If the request for access is for protected health information that is
not maintained or accessible to the covered entity on-site, the covered entity
must take an action required by paragraph (b)(2)(i) of this section by no later
than 60 days from the receipt of such a request.
(iii) If the covered entity
is unable to take an action required by paragraph (b)(2)(i)(A) or (B) of this
section within the time required by paragraph (b)(2)(i) or (ii) of this section,
as applicable, the covered entity may extend the time for such actions by no more
than 30 days, provided that:
(A) The covered entity, within the time limit
set by paragraph (b)(2)(i) or (ii) of this section, as applicable, provides the
individual with a written statement of the reasons for the delay and the date
by which the covered entity will complete its action on the request; and
(B)
The covered entity may have only one such extension of time for action on a request
for access.
(c) Implementation specifications: provision of access. If the
covered entity provides an individual with access, in whole or in part, to protected
health information, the covered entity must comply with the following requirements.
(1) Providing the access requested. The covered entity must provide the access
requested by individuals, including inspection or obtaining a copy, or both, of
the protected health information about them in designated record sets. If the
same protected health information that is the subject of a request for access
is maintained in more than one designated record set or at more than one location,
the covered entity need only produce the protected health information once in
response to a request for access.
(2) Form of access requested.
(i) The
covered entity must provide the individual with access to the protected health
information in the form or format requested by the individual, if it is readily
producible in such form or format; or, if not, in a readable hard copy form or
such other form or format as agreed to by the covered entity and the individual.
(ii) The covered entity may provide the individual with a summary of the protected
health information requested, in lieu of providing access to the protected health
information or may provide an explanation of the protected health information
to which access has been provided, if:
(A) The individual agrees in advance
to such a summary or explanation; and
(B) The individual agrees in advance
to the fees imposed, if any, by the covered entity for such summary or explanation.
(3) Time and manner of access. The covered entity must provide the access
as requested by the individual in a timely manner as required by paragraph (b)(2)
of this section, including arranging with the individual for a convenient time
and place to inspect or obtain a copy of the protected health information, or
mailing the copy of the protected health information at the individual's
request. The covered entity may discuss the scope, format, and other aspects of
the request for access with the individual as necessary to facilitate the timely
provision of access.
(4) Fees. If the individual requests a copy of the protected
health information or agrees to a summary or explanation of such information,
the covered entity may impose a reasonable, cost-based fee, provided that the
fee includes only the cost of:
(i) Copying, including the cost of supplies
for and labor of copying, the protected health information requested by the individual;
(ii) Postage, when the individual has requested the copy, or the summary or
explanation, be mailed; and
(iii) Preparing an explanation or summary of the
protected health information, if agreed to by the individual as required by paragraph
(c)(2)(ii) of this section.
(d) Implementation specifications: denial of access.
If the covered entity denies access, in whole or in part, to protected health
information, the covered entity must comply with the following requirements.
(1)
Making other information accessible. The covered entity must, to the extent possible,
give the individual access to any other protected health information requested,
after excluding the protected health information as to which the covered entity
has a ground to deny access.
(2) Denial. The covered entity must provide a
timely, written denial to the individual, in accordance with paragraph (b)(2)
of this section. The denial must be in plain language and contain:
(i) The
basis for the denial;
(ii) If applicable, a statement of the individual's
review rights under paragraph (a)(4) of this section, including a description
of how the individual may exercise such review rights; and
(iii) A description
of how the individual may complain to the covered entity pursuant to the complaint
procedures in § 164.530(d) or to the Secretary pursuant to the procedures
in § 160.306. The description must include the name, or title, and telephone
number of the contact person or office designated in § 164.530(a)(1)(ii).
(3) Other responsibility. If the covered entity does not maintain the protected
health information that is the subject of the individual's request for access,
and the covered entity knows where the requested information is maintained, the
covered entity must inform the individual where to direct the request for access.
(4) Review of denial requested. If the individual has requested a review of
a denial under paragraph (a)(4) of this section, the covered entity must designate
a licensed health care professional, who was not directly involved in the denial
to review the decision to deny access. The covered entity must promptly refer
a request for review to such designated reviewing official. The designated reviewing
official must determine, within a reasonable period of time, whether or not to
deny the access requested based on the standards in paragraph (a)(3) of this section.
The covered entity must promptly provide written notice to the individual of the
determination of the designated reviewing official and take other action as required
by this section to carry out the designated reviewing official's determination.
(e) Implementation specification: documentation. A covered entity must document
the following and retain the documentation as required by § 164.530(j):
(1)
The designated record sets that are subject to access by individuals; and
(2)
The titles of the persons or offices responsible for receiving and processing
requests for access by individuals.
§ 164.526 Amendment of protected
health information.
(a) Standard: right to amend.
(1) Right to amend.
An individual has the right to have a covered entity amend protected health information
or a record about the individual in a designated record set for as long as the
protected health information is maintained in the designated record set.
(2)
Denial of amendment. A covered entity may deny an individual's request for
amendment, if it determines that the protected health information or record that
is the subject of the request:
(i) Was not created by the covered entity,
unless the individual provides a reasonable basis to believe that the originator
of protected health information is no longer available to act on the requested
amendment;
(ii) Is not part of the designated record set;
(iii) Would
not be available for inspection under § 164.524; or
(iv) Is accurate
and complete.
(b) Implementation specifications: requests for amendment and
timely action.
(1) Individual's request for amendment. The covered entity
must permit an individual to request that the covered entity amend the protected
health information maintained in the designated record set. The covered entity
may require individuals to make requests for amendment in writing and to provide
a reason to support a requested amendment, provided that it informs individuals
in advance of such requirements.
(2) Timely action by the covered entity.
(i) The covered entity must act on the individual's request for an amendment
no later than 60 days after receipt of such a request, as follows.
(A) If
the covered entity grants the requested amendment, in whole or in part, it must
take the actions required by paragraphs (c)(1) and (2) of this section.
(B)
If the covered entity denies the requested amendment, in whole or in part, it
must provide the individual with a written denial, in accordance with paragraph
(d)(1) of this section.
(ii) If the covered entity is unable to act on the
amendment within the time required by paragraph (b)(2)(i) of this section, the
covered entity may extend the time for such action by no more than 30 days, provided
that:
(A) The covered entity, within the time limit set by paragraph (b)(2)(i)
of this section, provides the individual with a written statement of the reasons
for the delay and the date by which the covered entity will complete its action
on the request; and
(B) The covered entity may have only one such extension
of time for action on a request for an amendment.
(c) Implementation specifications:
accepting the amendment. If the covered entity accepts the requested amendment,
in whole or in part, the covered entity must comply with the following requirements.
(1) Making the amendment. The covered entity must make the appropriate amendment
to the protected health information or record that is the subject of the request
for amendment by, at a minimum, identifying the records in the designated record
set that are affected by the amendment and appending or otherwise providing a
link to the location of the amendment.
(2) Informing the individual. In accordance
with paragraph (b) of this section, the covered entity must timely inform the
individual that the amendment is accepted and obtain the individual's identification
of and agreement to have the covered entity notify the relevant persons with which
the amendment needs to be shared in accordance with paragraph (c)(3) of this section.
(3) Informing others. The covered entity must make reasonable efforts to inform
and provide the amendment within a reasonable time to:
(i) Persons identified
by the individual as having received protected health information about the individual
and needing the amendment; and
(ii) Persons, including business associates,
that the covered entity knows have the protected health information that is the
subject of the amendment and that may have relied, or could foreseeably rely,
on such information to the detriment of the individual.
(d) Implementation
specifications: denying the amendment. If the covered entity denies the requested
amendment, in whole or in part, the covered entity must comply with the following
requirements.
(1) Denial. The covered entity must provide the individual with
a timely, written denial, in accordance with paragraph (b)(2) of this section.
The denial must use plain language and contain:
(i) The basis for the denial,
in accordance with paragraph (a)(2) of this section;
(ii) The individual's
right to submit a written statement disagreeing with the denial and how the individual
may file such a statement;
(iii) A statement that, if the individual does
not submit a statement of disagreement, the individual may request that the covered
entity provide the individual's request for amendment and the denial with
any future disclosures of the protected health information that is the subject
of the amendment; and
(iv) A description of how the individual may complain
to the covered entity pursuant to the complaint procedures established in §
164.530(d) or to the Secretary pursuant to the procedures established in §
160.306. The description must include the name, or title, and telephone number
of the contact person or office designated in § 164.530(a)(1)(ii).
(2)
Statement of disagreement. The covered entity must permit the individual to submit
to the covered entity a written statement disagreeing with the denial of all or
part of a requested amendment and the basis of such disagreement. The covered
entity may reasonably limit the length of a statement of disagreement.
(3) Rebuttal statement. The covered entity may prepare a written rebuttal to the individual's
statement of disagreement. Whenever such a rebuttal is prepared, the covered entity
must provide a copy to the individual who submitted the statement of disagreement.
(4) Recordkeeping. The covered entity must, as appropriate, identify the record
or protected health information in the designated record set that is the subject
of the disputed amendment and append or otherwise link the individual's request
for an amendment, the covered entity's denial of the request, the individual's
statement of disagreement, if any, and the covered entity's rebuttal, if
any, to the designated record set.
(5) Future disclosures.
(i) If a statement
of disagreement has been submitted by the individual, the covered entity must
include the material appended in accordance with paragraph (d)(4) of this section,
or, at the election of the covered entity, an accurate summary of any such information,
with any subsequent disclosure of the protected health information to which the
disagreement relates.
(ii) If the individual has not submitted a written statement
of disagreement, the covered entity must include the individual's request
for amendment and its denial, or an accurate summary of such information, with
any subsequent disclosure of the protected health information only if the individual
has requested such action in accordance with paragraph (d)(1)(iii) of this section.
(iii) When a subsequent disclosure described in paragraph (d)(5)(i) or (ii)
of this section is made using a standard transaction under part 162 of this subchapter
that does not permit the additional material to be included with the disclosure,
the covered entity may separately transmit the material required by paragraph
(d)(5)(i) or (ii) of this section, as applicable, to the recipient of the standard
transaction.
(e) Implementation specification: actions on notices of amendment.
A covered entity that is informed by another covered entity of an amendment to
an individual's protected health information, in accordance with paragraph
(c)(3) of this section, must amend the protected health information in designated
record sets as provided by paragraph (c)(1) of this section.
(f) Implementation
specification: documentation. A covered entity must document the titles of the
persons or offices responsible for receiving and processing requests for amendments
by individuals and retain the documentation as required by § 164.530(j).
§ 164.528 Accounting of disclosures of protected health information.
(a) Standard: right to an accounting of disclosures of protected health information.
(1) An individual has a right to receive an accounting of disclosures of protected
health information made by a covered entity in the six years prior to the date
on which the accounting is requested, except for disclosures:
(i) To carry
out treatment, payment and health care operations as provided in § 164.502;
(ii) To individuals of protected health information about them as provided
in § 164.502;
(iii) For the facility's directory or to persons involved
in the individual's care or other notification purposes as provided in §
164.510;
(iv) For national security or intelligence purposes as provided in
§ 164.512(k)(2);
(v) To correctional institutions or law enforcement
officials as provided in § 164.512(k)(5); or
(vi) That occurred prior
to the compliance date for the covered entity.
(2)(i) The covered entity must
temporarily suspend an individual's right to receive an accounting of disclosures
to a health oversight agency or law enforcement official, as provided in §
164.512(d) or (f), respectively, for the time specified by such agency or official,
if such agency or official provides the covered entity with a written statement
that such an accounting to the individual would be reasonably likely to impede
the agency's activities and specifying the time for which such a suspension
is required.
(ii) If the agency or official statement in paragraph (a)(2)(i)
of this section is made orally, the covered entity must:
(A) Document the
statement, including the identity of the agency or official making the statement;
(B) Temporarily suspend the individual's right to an accounting of disclosures
subject to the statement; and
(C) Limit the temporary suspension to no longer
than 30 days from the date of the oral statement, unless a written statement pursuant
to paragraph (a)(2)(i) of this section is submitted during that time.
(3)
An individual may request an accounting of disclosures for a period of time less
than six years from the date of the request.
(b) Implementation specifications:
content of the accounting. The covered entity must provide the individual with
a written accounting that meets the following requirements.
(1) Except as
otherwise provided by paragraph (a) of this section, the accounting must include
disclosures of protected health information that occurred during the six years
(or such shorter time period at the request of the individual as provided in paragraph
(a)(3) of this section) prior to the date of the request for an accounting, including
disclosures to or by business associates of the covered entity.
(2) The accounting
must include for each disclosure:
(i) The date of the disclosure;
(ii)
The name of the entity or person who received the protected health information
and, if known, the address of such entity or person;
(iii) A brief description
of the protected health information disclosed; and
(iv) A brief statement
of the purpose of the disclosure that reasonably informs the individual of the
basis for the disclosure; or, in lieu of such statement:
(A) A copy of the
individual's written authorization pursuant to § 164.508; or
(B)
A copy of a written request for a disclosure under §§ 164.502(a)(2)(ii)
or 164.512, if any.
(3) If, during the period covered by the accounting, the
covered entity has made multiple disclosures of protected health information to
the same person or entity for a single purpose under §§ 164.502(a)(2)(ii)
or 164.512, or pursuant to a single authorization under § 164.508, the accounting
may, with respect to such multiple disclosures, provide:
(i) The information
required by paragraph (b)(2) of this section for the first disclosure during the
accounting period;
(ii) The frequency, periodicity, or number of the disclosures
made during the accounting period; and
(iii) The date of the last such disclosure
during the accounting period.
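The content rules in paragraphs (b)(1) through (b)(3) above, together with the exclusions and the suspension in paragraph (a), describe what a disclosure log must capture if a covered entity is to produce an accounting on request. The following is an added worked example for this page in Python; it is not text or code from the regulation or from HHS. It keeps one record per disclosure with the fields (b)(2) requires, filters by the six-year window (or a shorter one the individual asks for), drops the exempt purposes, pre-compliance disclosures and disclosures under an active suspension, and collapses repeated disclosures to one recipient under one authorization or request into a single entry as (b)(3) permits. The purpose labels, field names, record ids and the sample log are constructed assumptions, not terms of the rule.

```python
"""Disclosure log and accounting builder modelled on 45 CFR 164.528.

Added example for this page, not code from the regulation or from HHS.
Field names, purpose labels, record ids and the sample log are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Purpose labels carved out of the accounting by paragraph (a)(1)(i)-(v).
# The labels themselves are this example's assumption, not terms of the rule.
EXEMPT_PURPOSES = {
    "treatment", "payment", "health_care_operations",   # (a)(1)(i)
    "to_individual",                                     # (a)(1)(ii)
    "facility_directory", "involved_in_care",            # (a)(1)(iii)
    "national_security",                                 # (a)(1)(iv)
    "correctional_custody",                              # (a)(1)(v)
}
COMPLIANCE_DATE = date(2003, 2, 26)  # § 164.534(a); (a)(1)(vi) excludes earlier disclosures


@dataclass(frozen=True)
class Disclosure:
    when: date
    recipient: str
    address: Optional[str]            # (b)(2)(ii): address only "if known"
    description: str                  # (b)(2)(iii): brief description of the PHI
    purpose: str                      # label checked against EXEMPT_PURPOSES
    purpose_statement: str            # (b)(2)(iv): plain-language basis for the disclosure
    authority: Optional[str] = None   # id of the single § 164.508 authorization or
                                      # § 164.512 / 164.502(a)(2)(ii) request it was made under
    suspended_until: Optional[date] = None  # (a)(2): oversight / law-enforcement suspension


def years_before(d: date, years: int) -> date:
    """Same calendar day `years` earlier; Feb 29 falls back to Feb 28."""
    try:
        return d.replace(year=d.year - years)
    except ValueError:
        return d.replace(year=d.year - years, day=28)


def select_accountable(log: List[Disclosure], requested_on: date, years: int = 6) -> List[Disclosure]:
    """Disclosures that must appear in an accounting requested on `requested_on`."""
    if not 0 < years <= 6:            # (a)(3): the individual may ask for a shorter period
        raise ValueError("accounting period must be between 1 and 6 years")
    start = years_before(requested_on, years)
    keep = []
    for d in log:
        if not start <= d.when <= requested_on:
            continue
        if d.when < COMPLIANCE_DATE:                                   # (a)(1)(vi)
            continue
        if d.purpose in EXEMPT_PURPOSES:                               # (a)(1)(i)-(v)
            continue
        if d.suspended_until is not None and d.suspended_until >= requested_on:  # (a)(2)
            continue
        keep.append(d)
    return sorted(keep, key=lambda d: d.when)


def build_accounting(log: List[Disclosure], requested_on: date, years: int = 6) -> List[dict]:
    """Entries in the shape (b)(2) requires; repeated disclosures to one recipient
    under one authorization or request are collapsed as (b)(3) permits."""
    groups: Dict[Tuple[str, str], List[Disclosure]] = {}
    for i, d in enumerate(select_accountable(log, requested_on, years)):
        key = (d.recipient, d.authority if d.authority else f"single-{i}")
        groups.setdefault(key, []).append(d)
    entries = []
    for ds in groups.values():
        first = ds[0]
        entry = {
            "date": first.when.isoformat(),
            "recipient": first.recipient,
            "address": first.address,
            "description": first.description,
            "purpose": first.purpose_statement,
        }
        if len(ds) > 1:                                  # (b)(3)(ii)-(iii)
            entry["count"] = len(ds)
            entry["last_date"] = ds[-1].when.isoformat()
        entries.append(entry)
    return entries


# Constructed sample log; none of these are real disclosures.
SAMPLE_LOG = [
    Disclosure(date(2004, 3, 1), "Dr. Example", None, "visit notes",
               "treatment", "continuity of care"),
    Disclosure(date(2004, 5, 10), "State Health Dept", "1 Capitol St", "immunization record",
               "public_health", "report required by state law", authority="REQ-2004-17"),
    Disclosure(date(2004, 6, 10), "State Health Dept", "1 Capitol St", "immunization record",
               "public_health", "report required by state law", authority="REQ-2004-17"),
    Disclosure(date(2004, 7, 10), "State Health Dept", "1 Capitol St", "immunization record",
               "public_health", "report required by state law", authority="REQ-2004-17"),
    Disclosure(date(2002, 11, 2), "Research Registry", None, "diagnosis codes",
               "research", "IRB-approved study", authority="AUTH-0042"),
    Disclosure(date(2005, 1, 15), "County Sheriff", None, "admission date",
               "law_enforcement", "disclosure under § 164.512(f)",
               suspended_until=date(2006, 1, 1)),
]


def sample_accounting(request_iso: str, years: int = 6) -> List[dict]:
    """Accounting for SAMPLE_LOG as of an ISO-8601 request date."""
    return build_accounting(SAMPLE_LOG, date.fromisoformat(request_iso), years)


if __name__ == "__main__":
    for e in sample_accounting("2006-03-01"):
        print(e)
```

Run against the sample log with a request dated 2006-03-01, the treatment disclosure and the pre-compliance research disclosure drop out, the three reports to the health department collapse into one entry carrying the count and last date, and the law-enforcement disclosure appears because its suspension has lapsed; the same request made on 2005-06-01 omits it while the suspension is still in force. The practical point for an audit-trail design is that purpose, legal authority and any suspension must be captured at the time of disclosure, since none of them can be reconstructed reliably from access logs afterwards.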
(c) Implementation specifications: provision
of the accounting.
(1) The covered entity must act on the individual's
request for an accounting, no later than 60 days after receipt of such a request,
as follows.
(i) The covered entity must provide the individual with the accounting
requested; or
(ii) If the covered entity is unable to provide the accounting
within the time required by paragraph (c)(1) of this section, the covered entity
may extend the time to provide the accounting by no more than 30 days, provided
that:
(A) The covered entity, within the time limit set by paragraph (c)(1)
of this section, provides the individual with a written statement of the reasons
for the delay and the date by which the covered entity will provide the accounting;
and
(B) The covered entity may have only one such extension of time for action
on a request for an accounting.
(2) The covered entity must provide the first
accounting to an individual in any 12 month period without charge. The covered
entity may impose a reasonable, cost-based fee for each subsequent request for
an accounting by the same individual within the 12 month period, provided that
the covered entity informs the individual in advance of the fee and provides the
individual with an opportunity to withdraw or modify the request for a subsequent
accounting in order to avoid or reduce the fee.
(d) Implementation specification:
documentation. A covered entity must document the following and retain the documentation
as required by § 164.530(j):
(1) The information required to be included
in an accounting under paragraph (b) of this section for disclosures of protected
health information that are subject to an accounting under paragraph (a) of this
section;
(2) The written accounting that is provided to the individual under
this section; and
(3) The titles of the persons or offices responsible for
receiving and processing requests for an accounting by individuals.
§ 164.530 Administrative requirements.
(a)(1) Standard: personnel designations.
(i) A covered entity must designate a privacy official who is responsible
for the development and implementation of the policies and procedures of the entity.
(ii) A covered entity must designate a contact person or office who is responsible
for receiving complaints under this section and who is able to provide further
information about matters covered by the notice required by § 164.520.
(2)
Implementation specification: personnel designations. A covered entity must document
the personnel designations in paragraph (a)(1) of this section as required by
paragraph (j) of this section.
(b)(1) Standard: training. A covered entity
must train all members of its workforce on the policies and procedures with respect
to protected health information required by this subpart, as necessary and appropriate
for the members of the workforce to carry out their function within the covered
entity.
(2) Implementation specifications: training.
(i) A covered entity
must provide training that meets the requirements of paragraph (b)(1) of this
section, as follows:
(A) To each member of the covered entity's workforce
by no later than the compliance date for the covered entity;
(B) Thereafter,
to each new member of the workforce within a reasonable period of time after the
person joins the covered entity's workforce; and
(C) To each member of
the covered entity's workforce whose functions are affected by a material
change in the policies or procedures required by this subpart, within a reasonable
period of time after the material change becomes effective in accordance with
paragraph (i) of this section.
(ii) A covered entity must document that the
training as described in paragraph (b)(2)(i) of this section has been provided,
as required by paragraph (j) of this section.
(c)(1) Standard: safeguards.
A covered entity must have in place appropriate administrative, technical, and
physical safeguards to protect the privacy of protected health information.
(2)
Implementation specification: safeguards. A covered entity must reasonably safeguard
protected health information from any intentional or unintentional use or disclosure
that is in violation of the standards, implementation specifications or other
requirements of this subpart.
(d)(1) Standard: complaints to the covered entity.
A covered entity must provide a process for individuals to make complaints concerning
the covered entity's policies and procedures required by this subpart or
its compliance with such policies and procedures or the requirements of this subpart.
(2) Implementation specification: documentation of complaints. As required
by paragraph (j) of this section, a covered entity must document all complaints
received, and their disposition, if any.
(e)(1) Standard: sanctions. A covered
entity must have and apply appropriate sanctions against members of its workforce
who fail to comply with the privacy policies and procedures of the covered entity
or the requirements of this subpart. This standard does not apply to a member
of the covered entity's workforce with respect to actions that are covered
by and that meet the conditions of § 164.502(j) or paragraph (g)(2) of this
section.
(2) Implementation specification: documentation. As required by paragraph
(j) of this section, a covered entity must document the sanctions that are applied,
if any.
(f) Standard: mitigation. A covered entity must mitigate, to the extent
practicable, any harmful effect that is known to the covered entity of a use or
disclosure of protected health information in violation of its policies and procedures
or the requirements of this subpart by the covered entity or its business associate.
(g) Standard: refraining from intimidating or retaliatory acts. A covered
entity may not intimidate, threaten, coerce, discriminate against, or take other
retaliatory action against:
(1) Individuals. Any individual for the exercise
by the individual of any right under, or for participation by the individual in
any process established by this subpart, including the filing of a complaint under
this section;
(2) Individuals and others. Any individual or other person for:
(i) Filing of a complaint with the Secretary under subpart C of part 160 of
this subchapter;
(ii) Testifying, assisting, or participating in an investigation,
compliance review, proceeding, or hearing under Part C of Title XI; or
(iii)
Opposing any act or practice made unlawful by this subpart, provided the individual
or person has a good faith belief that the practice opposed is unlawful, and the
manner of the opposition is reasonable and does not involve a disclosure of protected
health information in violation of this subpart.
(h) Standard: waiver of rights.
A covered entity may not require individuals to waive their rights under §
160.306 of this subchapter or this subpart as a condition of the provision of
treatment, payment, enrollment in a health plan, or eligibility for benefits.
(i)(1) Standard: policies and procedures. A covered entity must implement
policies and procedures with respect to protected health information that are
designed to comply with the standards, implementation specifications, or other
requirements of this subpart. The policies and procedures must be reasonably designed,
taking into account the size of and the type of activities that relate to protected
health information undertaken by the covered entity, to ensure such compliance.
This standard is not to be construed to permit or excuse an action that violates
any other standard, implementation specification, or other requirement of this
subpart.
(2) Standard: changes to policies or procedures.
(i) A covered
entity must change its policies and procedures as necessary and appropriate to
comply with changes in the law, including the standards, requirements, and implementation
specifications of this subpart;
(ii) When a covered entity changes a privacy
practice that is stated in the notice described in § 164.520, and makes corresponding
changes to its policies and procedures, it may make the changes effective for
protected health information that it created or received prior to the effective
date of the notice revision, if the covered entity has, in accordance with §
164.520(b)(1)(v)(C), included in the notice a statement reserving its right to
make such a change in its privacy practices; or
(iii) A covered entity may
make any other changes to policies and procedures at any time, provided that the
changes are documented and implemented in accordance with paragraph (i)(5) of
this section.
(3) Implementation specification: changes in law. Whenever there
is a change in law that necessitates a change to the covered entity's policies
or procedures, the covered entity must promptly document and implement the revised
policy or procedure. If the change in law materially affects the content of the
notice required by § 164.520, the covered entity must promptly make the appropriate
revisions to the notice in accordance with § 164.520(b)(3). Nothing in this
paragraph may be used by a covered entity to excuse a failure to comply with the
law.
(4) Implementation specifications: changes to privacy practices stated
in the notice.
(i) To implement a change as provided by paragraph (i)(2)(ii)
of this section, a covered entity must:
(A) Ensure that the policy or procedure,
as revised to reflect a change in the covered entity's privacy practice as
stated in its notice, complies with the standards, requirements, and implementation
specifications of this subpart;
(B) Document the policy or procedure, as revised,
as required by paragraph (j) of this section; and
(C) Revise the notice as
required by § 164.520(b)(3) to state the changed practice and make the revised
notice available as required by § 164.520(c). The covered entity may not
implement a change to a policy or procedure prior to the effective date of the
revised notice.
(ii) If a covered entity has not reserved its right under
§ 164.520(b)(1)(v)(C) to change a privacy practice that is stated in the
notice, the covered entity is bound by the privacy practices as stated in the
notice with respect to protected health information created or received while
such notice is in effect. A covered entity may change a privacy practice that
is stated in the notice, and the related policies and procedures, without having
reserved the right to do so, provided that:
(A) Such change meets the implementation specifications in paragraphs (i)(4)(i)(A)-(C)
of this section; and
(B) Such
change is effective only with respect to protected health information created
or received after the effective date of the notice.
(5) Implementation specification:
changes to other policies or procedures. A covered entity may change, at any time,
a policy or procedure that does not materially affect the content of the notice
required by § 164.520, provided that:
(i) The policy or procedure, as
revised, complies with the standards, requirements, and implementation specifications
of this subpart; and
(ii) Prior to the effective date of the change, the policy
or procedure, as revised, is documented as required by paragraph (j) of this section.
(j)(1) Standard: documentation. A covered entity must:
(i) Maintain the
policies and procedures provided for in paragraph (i) of this section in written
or electronic form;
(ii) If a communication is required by this subpart to
be in writing, maintain such writing, or an electronic copy, as documentation;
and
(iii) If an action, activity, or designation is required by this subpart
to be documented, maintain a written or electronic record of such action, activity,
or designation.
(2) Implementation specification: retention period. A covered
entity must retain the documentation required by paragraph (j)(1) of this section
for six years from the date of its creation or the date when it last was in effect,
whichever is later.
(k) Standard: group health plans.
(1) A group health
plan is not subject to the standards or implementation specifications in paragraphs
(a) through (f) and (i) of this section, to the extent that:
(i) The group
health plan provides health benefits solely through an insurance contract with
a health insurance issuer or an HMO; and
(ii) The group health plan does not
create or receive protected health information, except for:
(A) Summary health
information as defined in § 164.504(a); or
(B) Information on whether
the individual is participating in the group health plan, or is enrolled in or
has disenrolled from a health insurance issuer or HMO offered by the plan.
(2)
A group health plan described in paragraph (k)(1) of this section is subject to
the standard and implementation specification in paragraph (j) of this section
only with respect to plan documents amended in accordance with § 164.504(f).
§ 164.532 Transition provisions.
(a) Standard: effect of prior consents
and authorizations. Notwithstanding other sections of this subpart, a covered
entity may continue to use or disclose protected health information pursuant to
a consent, authorization, or other express legal permission obtained from an individual
permitting the use or disclosure of protected health information that does not
comply with §§ 164.506 or 164.508 of this subpart consistent with paragraph
(b) of this section.
(b) Implementation specification: requirements for retaining
effectiveness of prior consents and authorizations. Notwithstanding other sections
of this subpart, the following provisions apply to use or disclosure by a covered
entity of protected health information pursuant to a consent, authorization, or
other express legal permission obtained from an individual permitting the use
or disclosure of protected health information, if the consent, authorization,
or other express legal permission was obtained from an individual before the applicable
compliance date of this subpart and does not comply with §§ 164.506
or 164.508 of this subpart.
(1) If the consent, authorization, or other express
legal permission obtained from an individual permits a use or disclosure for purposes
of carrying out treatment, payment, or health care operations, the covered entity
may, with respect to protected health information that it created or received
before the applicable compliance date of this subpart and to which the consent,
authorization, or other express legal permission obtained from an individual applies,
use or disclose such information for purposes of carrying out treatment, payment,
or health care operations, provided that:
(i) The covered entity does not make any use or disclosure that is expressly
excluded from the consent, authorization, or other express legal permission
obtained from an individual;
and
(ii) The covered entity complies with all limitations placed by the consent,
authorization, or other express legal permission obtained from an individual.
(2) If the consent, authorization, or other express legal permission obtained
from an individual specifically permits a use or disclosure for a purpose other
than to carry out treatment, payment, or health care operations, the covered entity
may, with respect to protected health information that it created or received
before the applicable compliance date of this subpart and to which the consent,
authorization, or other express legal permission obtained from an individual applies,
make such use or disclosure, provided that:
(i) The covered entity does not
make any use or disclosure that is expressly excluded from the consent, authorization,
or other express legal permission obtained from an individual; and
(ii) The
covered entity complies with all limitations placed by the consent, authorization,
or other express legal permission obtained from an individual.
(3) In the
case of a consent, authorization, or other express legal permission obtained from
an individual that identifies a specific research project that includes treatment
of individuals:
(i) If the consent, authorization, or other express legal
permission obtained from an individual specifically permits a use or disclosure
for purposes of the project, the covered entity may, with respect to protected
health information that it created or received either before or after the applicable
compliance date of this subpart and to which the consent or authorization applies,
make such use or disclosure for purposes of that project, provided that the covered
entity complies with all limitations placed by the consent, authorization, or
other express legal permission obtained from an individual.
(ii) If the consent,
authorization, or other express legal permission obtained from an individual is
a general consent to participate in the project, and a covered entity is conducting
or participating in the research, such covered entity may, with respect to protected
health information that it created or received as part of the project before or
after the applicable compliance date of this subpart, make a use or disclosure
for purposes of that project, provided that the covered entity complies with all
limitations placed by the consent, authorization, or other express legal permission
obtained from an individual.
(4) If, after the applicable compliance date
of this subpart, a covered entity agrees to a restriction requested by an individual
under § 164.522(a), a subsequent use or disclosure of protected health information
that is subject to the restriction based on a consent, authorization, or other
express legal permission obtained from an individual as given effect by paragraph
(b) of this section, must comply with such restriction.
§ 164.534 Compliance
dates for initial implementation of the privacy standards.
(a) Health care
providers. A covered health care provider must comply with the applicable requirements
of this subpart no later than February 26, 2003.
(b) Health plans. A health
plan must comply with the applicable requirements of this subpart no later than
the following date, as applicable:
(1) Health plans other than small health plans: February 26, 2003.
(2) Small health plans: February 26, 2004.
(c) Health care clearinghouses. A health care clearinghouse must comply
with the applicable requirements of this subpart no later than February 26, 2003.