82511 Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations

prohibited under § 164.502(a)(1) from using or disclosing protected health information for the purpose(s) included in the consent. A covered entity that seeks a consent must adhere to the individual’s decision.

In § 164.506(a)(5), we specify that a consent obtained by one covered entity is not effective to permit another covered entity to use or disclose protected health information, unless the consent is a joint consent. See § 164.506(f) and the corresponding preamble discussion below regarding joint consents. A consent provides the individual’s permission only for the covered entity that obtains the consent to use or disclose protected health information for treatment, payment, and health care operations. A consent under this section does not operate to authorize another covered entity to use or disclose protected health information, except where the other covered entity is operating as a business associate. We note that, where a covered entity is acting as a business associate of another covered entity, the business associate covered entity is acting for or on behalf of the principal covered entity, and its actions for or on behalf of the principal covered entity are authorized by the consent obtained by the principal covered entity. Thus, under this section, a health plan can obtain a consent that permits the health plan and its business associates to use and disclose protected health information that the health plan and its business associates create or receive. That consent cannot, however, permit another covered entity (that is not a business associate) to disclose protected health information to the health plan or to any other person.

If a covered entity wants to obtain the individual’s permission for another covered entity to disclose protected health information to it for treatment, payment, or health care operations purposes, it must seek an authorization in accordance with § 164.508(e). For example, when a covered provider asks the individual for written permission to obtain the individual’s medical record from another provider for treatment purposes, it must do so with an authorization, not a consent. Since the permission is for disclosure of protected health information by another person, a consent may not be used.

Section 164.506(b)—Consent General Requirements

In the final rule, we permit a covered health care provider to condition the provision of treatment on the receipt of the individual’s consent for the covered provider to use and disclose protected health information to carry out treatment, payment, and health care operations. Covered providers may refuse to treat individuals who do not consent to uses and disclosures for these purposes. See § 164.506(b)(1). We note that there are exceptions to the consent requirements for covered health care providers that are required by law to treat individuals. See § 164.506(a)(3), described above.

Similarly, in the final rule, we permit health plans to condition an individual’s enrollment in the health plan on the receipt of the individual’s consent for the health plan to use and disclose protected health information to carry out treatment, payment, and health care operations, if the consent is sought in conjunction with the enrollment process. If the health plan seeks the individual’s consent outside of the enrollment process, the health plan may not condition any services on obtaining such consent.

Under § 164.520, covered entities must produce a notice of privacy practices. A consent may not be combined in a single document with the notice of privacy practices. See § 164.506(b)(3).

Under § 164.506(b)(4), consents for uses and disclosures of protected health information to carry out treatment, payment, and health care operations may be combined in a single document covering all three types of activities and may be combined with other types of legal permission from the individual. For example, a consent to use or disclose protected health information under this rule may be combined with an informed consent to receive treatment, a consent to assign payment of benefits to a provider, or narrowly tailored consents required under state law for the use or disclosure of specific types of protected health information (e.g., state laws requiring specific consent for any sharing of information related to HIV/AIDS).

Within a single consent document, the consent for use and disclosure of protected health information required or permitted under this rule must be visually and organizationally separate from the other consents or authorizations and must be separately signed by the individual and dated.

Where research includes treatment of the individual, a consent under this rule may be combined with the authorization for the use or disclosure of protected health information created for the research, in accordance with § 164.508(f). (This is the only case in which an authorization under § 164.508 of this rule may be combined with a consent under § 164.506 of this rule. See § 164.508(b)(3).) The covered entity that is creating protected health information for the research may elect to combine the consent required under this section with the research-related authorization required under § 164.508(f). For example, a covered health care provider that provides health care to an individual for research purposes and for non-research purposes must obtain a consent under this section for all of the protected health information it maintains. In addition, it must obtain an authorization in accordance with § 164.508(f) which describes how it will use and disclose the protected health information it creates for the research for purposes of treatment, payment, and health care operations. Section 164.506(b)(4) permits the covered entity to satisfy these two requirements with a single document. See § 164.508(f) and the corresponding preamble discussion for a more detailed description of research authorization requirements.

Under § 164.506(b)(5), individuals may revoke a consent in writing at any time, except to the extent that the covered entity has taken action in reliance on the consent. Upon receipt of the written revocation, the covered entity must stop processing the information for use or disclosure, except to the extent that it has taken action in reliance on the consent. A covered health care provider may refuse, under this rule, to continue to treat an individual that revokes his or her consent. A health plan may disenroll an individual that revokes a consent that was sought in conjunction with the individual’s enrollment in the health plan.

Covered entities must document and retain any signed consent as required by § 164.530(j).

Section 164.506(c)—Consent Content Requirements

Under § 164.506(c), the consent must be written in plain language. See the preamble discussion regarding notice of privacy practices for a description of plain language requirements. We do not provide a model consent in this rule. We will provide further guidance on drafting consent documents prior to the compliance date.

Under § 164.506(c)(1), the consent must inform the individual that protected health information may be used and disclosed by the covered entity to carry out treatment, payment, or health care operations. The covered entity must determine which of these elements (use and/or disclosure; treatment, payment, and/or health care operations) to include in the consent
document, as appropriate for the covered entity’s practices.

For covered health care providers that are required to obtain consent, the requirement applies only to the extent the covered provider uses or discloses protected health information. For example, if all of a covered provider’s health care operations are conducted by members of the covered provider’s own workforce, the covered provider may choose to obtain consent only for uses, not disclosures, of protected health information to carry out health care operations. If an individual pays out of pocket for all services received from the covered provider and the provider will not disclose any information about the patient to a third party payor, the provider may choose not to obtain the individual’s consent to disclose information for payment purposes. In order for a covered provider to be able to use and disclose information for all three purposes, however, all three purposes must be included in the consent.

Under §§ 164.506(c)(2) and (3), the consent must refer the individual to the covered entity’s notice for additional information about the uses and disclosures of information described in the consent. The consent must also indicate that the individual has the right to review the notice prior to signing the consent. If the covered entity has reserved the right to change its privacy practices in accordance with § 164.520(b)(1)(v)(C), the consent must indicate that the terms of the notice may change and must describe how the individual may obtain a revised notice. See § 164.520 and the corresponding preamble discussion regarding notice requirements.

Under § 164.506(c)(4), the consent must inform individuals that they have the right to request restrictions on uses and disclosures of protected health information for treatment, payment, and health care operations purposes. It must also state that the covered entity is not required to agree to an individual’s request, but that if the covered entity does agree to the request, the restriction is binding on the covered entity. See § 164.522(a) regarding the right to request restrictions.

Under § 164.506(c)(5), the consent must indicate that the individual has the right to revoke the consent in writing, except to the extent that the covered entity has taken action in reliance on the consent.

Under § 164.506(c)(6), the consent must include the individual’s signature and the date of signature. Once we adopt the standards for electronic signature, another of the required administrative simplification standards we are required to adopt under HIPAA, an electronic signature that meets those standards will be sufficient under this rule. We do not require any verification of the individual’s identity or authentication of the individual’s signature. We expect covered health care providers that are required to obtain consent to employ the same level of scrutiny to these signatures as they do to the signature obtained on a document regarding the individual’s consent to undergo treatment by the provider.

Section 164.506(d)—Defective Consents

Under § 164.506(d), there is no “consent” within the meaning of the rule if the completed document lacks a required element or if the individual has revoked the consent in accordance with § 164.506(b)(5).

Section 164.506(e)—Resolving Conflicting Consents and Authorizations

Situations may arise where a covered entity that has obtained the individual’s consent for the covered entity to use or disclose protected health information to carry out treatment, payment, or health care operations is asked to disclose protected health information pursuant to another written legal permission from the individual, such as an authorization, that was obtained by another person. Under § 164.506(e), when the terms of a covered entity’s consent conflict with the terms of another written legal permission from the individual to use or disclose protected health information (such as a consent obtained under state law by another covered entity or an authorization), the covered entity must adhere to the more restrictive document. By conflict, we mean that the consent and authorization contain inconsistencies. In implementing this section, we note that the consent under this section references the notice provided to the individual and the individual’s right to request restrictions. In determining whether the covered entity’s consent conflicts with another written legal permission provided by the individual, the covered entity must consider any limitations on its uses or disclosures resulting from the notice provided to the individual or from restrictions to which it has agreed. For example, a covered nursing home may elect to ask the patient to sign an authorization for the patient’s covered primary care physician to forward the patient’s medical records to the nursing home. The physician may have previously obtained the individual’s consent for disclosure for treatment purposes. If the authorization obtained by the nursing home grants permission for the physician to disclose particular types of information, such as genetic information, but the consent obtained by the physician excludes such information or the physician has agreed to a restriction on that type of information, the physician may not disclose that information. The physician must adhere to the more restrictive written legal permission from the individual.

When a conflict between a consent and another written legal permission from the individual exists, as described above, the covered entity may attempt to resolve the conflict with the individual by either obtaining a new consent from the individual or by having a discussion or otherwise communicating with the individual to determine the individual’s preference regarding the use or disclosure. If the individual’s preference is communicated orally, the covered entity must document the individual’s preference and act in accordance with that preference. In the example described above, the primary care physician could ask the patient to sign a new consent that would permit the disclosure of the genetic information. Alternatively, the physician could ask the patient whether the patient intended for the genetic information to be disclosed to the nursing home. If the patient confirms that he or she intended for the genetic information to be shared, the physician can document that fact (e.g., by making a notation in the medical record) and disclose the information to the nursing home.

We believe covered entities will rarely be faced with conflicts between consents and other written legal permission from the individual for uses and disclosures to carry out treatment, payment, and health care operations. Under § 164.506(a)(5), we specify that a consent only permits the covered entity that obtains the consent to use or disclose protected health information. A consent obtained by one covered entity is not effective to permit another different covered entity to use or disclose protected health information. Conflicting consents obtained by covered entities, therefore, are not possible. We expect authorizations that permit another covered entity to use and disclose protected health information for treatment, payment, and health care operations purposes will rarely be necessary, because we expect covered entities that maintain protected health information to obtain consents that permit them to make anticipated uses and disclosures for these purposes. Nevertheless, covered entities are permitted under § 164.508(e) to obtain authorization for another covered entity to use or disclose protected health information to carry out treatment, payment, and health care operations. We recognize these authorizations may be useful to demonstrate an individual’s intent and relationship to the intended recipient of the information. For example, these authorizations may be useful in situations where a health plan wants to obtain information from one provider in order to determine payment of a claim for services provided by a different provider (e.g., information from a primary care physician that is necessary to determine payment of services provided by a specialist) or where an individual’s new physician wants to obtain the individual’s medical records from prior physicians. Other persons not covered by this rule may also seek authorizations and state law may require written permission for specific types of information, such as information related to HIV/AIDS or to mental health. Because an individual may sign conflicting documents over time, we clarify that the covered entity maintaining the protected health information to be used or disclosed must adhere to the more restrictive permission the individual has granted, unless the covered entity resolves the conflict with the individual.

Section 164.506(f)—Joint Consents

Covered entities that participate in an organized health care arrangement and that develop a joint notice under § 164.520(d) may develop a joint consent in which the individual consents to the uses and disclosures of protected health information by each of the covered entities in the arrangement to carry out treatment, payment, and/or health care operations. The joint consent must identify with reasonable specificity the covered entities, or class of covered entities, to which the joint consent applies and must otherwise meet the consent requirements. If an individual revokes a joint consent, the covered entity that receives the revocation must inform the other entities covered by the joint consent of the revocation as soon as practicable.

If any one of the covered entities included in the joint consent obtains the individual’s consent, as required above, the consent requirement is met for all of the other covered entities to which the consent applies. For example, a covered hospital and the clinical laboratory and emergency departments with which it participates in an organized health care arrangement may produce a joint notice and obtain a joint consent. If the covered hospital obtains the individual’s joint consent upon admission, and some time later the individual is readmitted through the associated emergency department, the emergency department’s consent requirement will already have been met. These joint consents are the only type of consent by which one covered entity can obtain the individual’s permission for another covered entity to use or disclose protected health information to carry out treatment, payment, or health care operations.

Effect of Consent

These consents, as well as the authorizations described in § 164.508, should not be construed to waive, directly or indirectly, any privilege granted under federal, state, or local law or procedure. Consents obtained under this regulation are not appropriate for the disposition of more technical and legal proceedings and may not comport with procedures and standards of federal, state, or local judicial practice. For example, state courts and other decision-making bodies may choose to examine more closely the circumstances and propriety of such consent and may adopt more protective standards for application in their proceedings. In the judicial setting, as in the legislative and executive settings, states may provide for greater protection of privacy. Additionally, both the Congress and the Secretary have established a general approach to protecting from explicit preemption state laws that are more protective of privacy than the protections set forth in this regulation.

Section 164.508—Uses and Disclosures for Which an Authorization Is Required

Section 164.508(a)—Standard

We proposed to require covered entities to obtain the individual’s authorization for all uses and disclosures of protected health information not otherwise permitted or required under the proposed rule. Uses and disclosures that would have been permitted without individual authorization included uses and disclosures for national priority purposes such as public health, law enforcement, and research (see proposed § 164.510) and uses and disclosures of protected health information, other than psychotherapy notes and research information unrelated to treatment, for purposes of treatment, payment, and health care operations (see proposed § 164.506). We also proposed to require covered entities to disclose protected health information to the individual for inspection and copying (see proposed § 164.514) and to the Secretary as required for enforcement of the rule (see proposed § 164.522). Individual authorization would not have been required for these uses and disclosures.

We proposed to require covered entities to obtain the individual’s authorization for all other uses and disclosures of protected health information. Under proposed § 164.508(a), uses and disclosures that would have required individual authorization included, but were not limited to, the following:

• Use for marketing of health and non-health items and services by the covered entity;

• Disclosure by sale, rental, or barter;

• Use and disclosure to non-health related divisions of the covered entity, e.g., for use in marketing life or casualty insurance or banking services;

• Disclosure, prior to an individual’s enrollment in a health plan, to the health plan or health care provider for making eligibility or enrollment determinations relating to the individual or for underwriting or risk rating determinations;

• Disclosure to an employer for use in employment determinations; and

• Use or disclosure for fundraising.

In the preamble to the proposed rule, we stated that covered entities would be bound by the terms of authorizations. Uses or disclosures by the covered entity for purposes inconsistent with the statements made in the authorization would have constituted a violation of the rule.

In the final rule, under § 164.508(a), as in the proposed rule, covered entities must have authorization from individuals before using or disclosing protected health information for any purpose not otherwise permitted or required by this rule. Specifically, except for psychotherapy notes (see below), covered entities are not required to obtain the individual’s authorization to use or disclose protected health information to carry out treatment, payment, and health care operations. (Covered entities may, however, be required to obtain the individual’s consent for these uses and disclosures. See the preamble regarding § 164.506 for a discussion of “consent” versus “authorization”.) We also do not require covered entities to obtain the individual’s authorization for uses and disclosures of protected health information permitted under §§ 164.510 or 164.512, for disclosures to the individual, or for required disclosures to the Secretary under subpart C of part 160 of this subchapter for enforcement of this rule.

In the final rule, we clarify that covered entities are bound by the statements provided on the authorization; use or disclosure by the covered entity for purposes inconsistent with the statements made in the authorization constitutes a violation of this rule.

Unlike the proposed rule, we do notinclude in the regulation examples ofthe types of uses and disclosures thatrequire individual authorization. Weeliminated two examples from theproposed list due to potential confusionas to our intent: disclosure by sale,rental, or barter and use and disclosureto non-health related divisions of thecovered entity. We recognize thatcovered entities sometimes make thesetypes of uses and disclosures forpurposes that are permitted under therule without authorization. Forexample, a covered health care providermay sell its accounts receivable to acollection agency for payment purposesand a health plan may discloseprotected health information to its lifeinsurance component for paymentpurposes. We do not intend to requireauthorization for uses and disclosuresmade by sale, rental, or barter or fordisclosures made to non-health relateddivisions of the covered entity, if thoseuses or disclosures could otherwise bemade without authorization under thisrule. As with any other use ordisclosure, however, uses anddisclosures of protected healthinformation for these purposes dorequire authorization if they are nototherwise permitted under the rule.

We also eliminated the remaining proposed examples from the final rule due to concern that these examples might be misinterpreted as an exhaustive list of all of the uses and disclosures that require individual authorization. We discuss the examples here, however, to clarify the interaction of the authorization requirements and the provisions of the rule that permit uses and disclosures without authorization and/or with consent. Uses and disclosures for which covered entities must have the individual’s authorization include, but are not limited to, the following activities.

Marketing

As in the proposed rule, covered entities must obtain the individual’s authorization before using or disclosing protected health information for marketing purposes. In the final rule, we add a new definition of marketing (see § 164.501). For more detail on what activities constitute marketing, see § 164.501, definition of “marketing,” and § 164.514(e).

Pre-Enrollment Underwriting

As in the proposed rule, covered entities must obtain the individual’s authorization to use or disclose protected health information for the purpose of making eligibility or enrollment determinations relating to an individual or for underwriting or risk rating determinations, prior to the individual’s enrollment in a health plan (that is, for purposes of pre-enrollment underwriting). For example, if an individual applies for new coverage with a health plan in the non-group market and the health plan wants to review protected health information from the individual’s covered health care providers before extending an offer of coverage, the individual first must authorize the covered providers to share the information with the health plan. If the individual applies for renewal of existing coverage, however, the health plan would not need to obtain an authorization to review its existing claims records about that individual, because this activity would come within the definition of health care operations and be permissible. We also note that under § 164.504(f), a group health plan and a health insurance issuer that provides benefits with respect to a group health plan are permitted in certain circumstances to disclose summary health information to the plan sponsor for the purpose of obtaining premium bids. Because these disclosures fall within the definition of health care operations, they do not require authorization.

Employment Determinations

As in the proposed rule, covered entities must obtain the individual’s authorization to use or disclose protected health information for employment determinations. For example, a covered health care provider must obtain the individual’s authorization to disclose the results of a pre-employment physical to the individual’s employer. The final rule provides that a covered entity may condition the provision of health care that is solely for the purpose of creating protected health information for disclosure to a third party on the provision of authorization for the disclosure of the information to the third party.

Fundraising

Under the proposed regulation, we would have required authorization before a covered entity could have used or disclosed protected health information for fundraising. In the final rule, we narrow the circumstances under which covered entities must obtain the individual’s authorization to use or disclose protected health information for fundraising purposes. As provided in § 164.514(f) and described in detail in the corresponding preamble, authorization is not required when a covered entity uses or discloses demographic information and information about the dates of health care provided to an individual for the purpose of raising funds for its own benefit, nor when it discloses such information to an institutionally related foundation to raise funds for the covered entity.

Any use or disclosure for fundraising purposes that does not meet the requirements of § 164.514(f) and does not fall within the definition of health care operations (see § 164.501), requires authorization. Specifically, covered entities must obtain the individual’s authorization to use or disclose protected health information to raise funds for any entity other than the covered entity. For example, a covered entity must have the individual’s authorization to use protected health information about the individual to solicit funds for a non-profit organization that engages in research, education, and awareness efforts about a particular disease.

Psychotherapy Notes

In the NPRM, we proposed different rules with respect to psychotherapy notes than we proposed with respect to all other protected health information. The proposed rule would have required covered entities to obtain an authorization for any use or disclosure of psychotherapy notes to carry out treatment, payment, or health care operations, unless the use was by the person who created the psychotherapy notes. With respect to all other protected health information, we proposed to prohibit covered entities from requiring authorization for uses and disclosures for these purposes.

We significantly revise our approach to psychotherapy notes in the final rule. With a few exceptions, covered entities must obtain the individual’s authorization to use or disclose psychotherapy notes to carry out treatment, payment, or health care operations. A covered entity must obtain the individual’s consent, but not an authorization, for the person who created the psychotherapy notes to use the notes to carry out treatment and for the covered entity to use or disclose psychotherapy notes for conducting training programs in which students, trainees, or practitioners in mental health learn under supervision to practice or improve their skills in group, joint, family, or individual counseling. A covered entity may also use psychotherapy notes to defend a legal action or other proceeding brought by the individual pursuant to a consent, without a specific authorization. We note that, while this provision allows disclosure of these records to the covered entity’s attorney to defend against the action or proceeding, disclosure to others in the course of a judicial or administrative proceeding is governed by § 164.512(e). This special provision is necessary because disclosure of protected health information for purposes of legal representatives may be made under the general consent as part of “health care operations.” Because we require an authorization for disclosure of psychotherapy notes for “health care operations,” an exception is needed to allow covered entities to use protected health information about an individual to defend themselves against an action threatened or brought by that individual without asking that individual for authorization to do so. Otherwise, a consent under § 164.506 is not sufficient for the use or disclosure of psychotherapy notes to carry out treatment, payment, or health care operations. Authorization is required. We anticipate these authorizations will rarely be necessary, since psychotherapy notes do not include information that covered entities typically need for treatment, payment, or other types of health care operations.

In the NPRM, we proposed to permit covered entities to use and disclose psychotherapy notes for all other purposes permitted or required under the rule without authorization. In the final rule, we specify a more limited set of uses and disclosures of psychotherapy notes that covered entities are permitted to make without authorization. An authorization is not required for use or disclosure of psychotherapy notes when required for enforcement purposes, in accordance with subpart C of part 160 of this subchapter; when mandated by law, in accordance with § 164.512(a); when needed for oversight of the health care provider who created the psychotherapy notes, in accordance with § 164.512(d); when needed by a coroner or medical examiner, in accordance with § 164.512(g)(1); or when needed to avert a serious and imminent threat to health or safety, in accordance with § 164.512(j)(1)(i). We also provide transition provisions in § 164.532 regarding the effect of express legal permission obtained from an individual prior to the compliance date of this rule.

Section 164.508(b)—Implementation Specifications for Authorizations

Valid and Defective Authorizations

We proposed to require a minimum set of elements for authorizations requested by the individual and an additional set of elements for authorizations requested by a covered entity. We would have permitted covered entities to use and disclose protected health information pursuant to authorizations containing the applicable required elements. We would have prohibited covered entities from acting on an authorization if the submitted document had any of the following defects:

• The expiration date had passed;
• The form had not been filled out completely;
• The covered entity knew the authorization had been revoked;
• The completed form lacked a required element; or
• The covered entity knew the information on the form was false.

In § 164.508(b)(1) of the final rule, we specify that an authorization containing the applicable required elements (as described below) is a valid authorization. We clarify that a valid authorization may contain additional, non-required elements, provided that these elements are not inconsistent with the required elements. Covered entities are not required to use or disclose protected health information pursuant to a valid authorization. Our intent is to clarify that a covered entity that uses or discloses protected health information pursuant to an authorization meeting the applicable requirements will be in compliance with this rule.

We retain the provision prohibiting covered entities from acting on an authorization if the submitted document had any of the listed defects, with a few changes. First, in § 164.508(c)(1)(iv) we specify that an authorization may expire upon a certain event or on a specific date. For example, a valid authorization may state that it expires upon acceptance or rejection of an application for insurance or upon the termination of employment (for example, in an authorization for disclosure of protected health information for fitness-for-duty purposes) or similar event. The expiration event must, however, be related to the individual or the purpose of the use or disclosure. An authorization that purported to expire on the date when the stock market reached a specified level would not be valid. Under § 164.508(b)(2)(i), if the expiration event is known by the covered entity to have occurred, the authorization is defective. Second, we clarify that certain compound authorizations, as described below, are defective. We also clarify that authorizations that are not completely filled out with respect to the required elements are defective. Finally, we clarify that an authorization with information that the covered entity knows to be false is defective only if the information is material.

As under the proposed regulation, an authorization that the covered entity knows has been revoked is not a valid authorization. We note that, although an authorization must be revoked in writing, the covered entity may not always “know” that an authorization has been revoked. The writing required for an individual to revoke an authorization may not always trigger the “knowledge” required for a covered entity to consider an authorization defective. Conversely, a copy of the written revocation is not required before a provider “knows” that an authorization has been revoked.

Many authorizations will be obtained by persons other than the covered entity. If the individual revokes an authorization by writing to that other person, and neither the individual nor the other person informs the covered entity of the revocation, the covered entity will not “know” that the authorization has been revoked. For example, a government agency may obtain an individual’s authorization for “all providers who have seen the individual in the past year” to disclose protected health information to the agency for purposes of determining eligibility for benefits. The individual may revoke the authorization by writing to the government agency requesting such revocation. We cannot require the agency to inform all covered entities to whom it has presented the authorization that the authorization has been revoked. If a covered entity does not know of the revocation, the covered entity will not violate this rule by acting pursuant to the authorization. At the same time, if the individual does inform the covered entity of the revocation, even orally, the covered entity “knows” that the authorization has been revoked and can no longer treat the authorization as valid under this rule. Thus, in this example, if the individual tells a covered entity that the individual has revoked the authorization, the covered entity “knows” of the revocation and must consider the authorization defective under § 164.508(b)(2).


Compound Authorizations

Except for authorizations requested in connection with a clinical trial, we proposed to prohibit covered entities from combining an authorization for use or disclosure of protected health information for purposes other than treatment, payment, or health care operations with an authorization or consent for treatment (e.g., an informed consent to receive care) or payment (e.g., an assignment of benefits).

We clarify the prohibition on compound authorizations in the final rule. Other than as described below, § 164.508(b)(3) prohibits a covered entity from acting on an authorization required under this rule that is combined with any other document, including any other written legal permission from the individual. For example, an authorization under this rule may not be combined with a consent for use or disclosure of protected health information under § 164.506, with the notice of privacy practices under § 164.520, with any other form of written legal permission for the use or disclosure of protected health information, with an informed consent to participate in research, or with any other form of consent or authorization for treatment or payment.

There are three exceptions to this prohibition. First, under § 164.508(f) (described in more detail, below), an authorization for the use or disclosure of protected health information created for research that includes treatment of the individual may be combined with a consent for the use or disclosure of that protected health information to carry out treatment, payment, or health care operations under § 164.506 and with other documents as provided in § 164.508(f). Second, authorizations for the use or disclosure of psychotherapy notes for multiple purposes may be combined in a single document, but may not be combined with authorizations for the use or disclosure of other protected health information. Third, authorizations for the use or disclosure of protected health information other than psychotherapy notes may be combined, provided that the covered entity has not conditioned the provision of treatment, payment, enrollment, or eligibility on obtaining the authorization. If a covered entity conditions any of these services on obtaining an authorization from the individual, as permitted in § 164.508(b)(4) and described below, the covered entity must not combine the authorization with any other document.

The following are examples of valid compound authorizations: an authorization for the disclosure of information created for clinical research combined with a consent for the use or disclosure of other protected health information to carry out treatment, payment, and health care operations, and the informed consent to participate in the clinical research; an authorization for disclosure of psychotherapy notes for both treatment and research purposes; and an authorization for the disclosure of the individual’s demographic information for both marketing and fundraising purposes. Examples of invalid compound authorizations include: an authorization for the disclosure of protected health information for treatment, for research, and for determining payment of a claim for benefits, when the covered entity will refuse to pay the claim if the individual does not sign the authorization; or an authorization for the disclosure of psychotherapy notes combined with an authorization to disclose any other protected health information.

Prohibition on Conditioning Treatment, Payment, Eligibility, or Enrollment

We proposed to prohibit covered entities from conditioning treatment or payment on the provision by the individual of an authorization, except when the authorization was requested in connection with a clinical trial. In the case of authorization for use or disclosure of psychotherapy notes or research information unrelated to treatment, we proposed to prohibit covered entities from conditioning treatment, payment, or enrollment in a health plan on obtaining such an authorization.

We retain this basic approach but refine its application in the final rule. In addition to the general prohibition on conditioning treatment and payment, covered entities are also prohibited (with certain exceptions described below) from conditioning eligibility for benefits or enrollment in a health plan on obtaining an authorization. This prohibition extends to all authorizations, not just authorizations for use or disclosure of psychotherapy notes. This prohibition is intended to prevent covered entities from coercing individuals into signing an authorization for a use or disclosure that is not necessary to carry out the primary services that the covered entity provides to the individual. For example, a health care provider could not refuse to treat an individual because the individual refused to authorize a disclosure to a pharmaceutical manufacturer for the purpose of marketing a new product.

We clarify the proposed research exception to this prohibition. Covered entities seeking authorization in accordance with § 164.508(f) to use or disclose protected health information created for the purpose of research that includes treatment of the individual, including clinical trials, may condition the research-related treatment on the individual’s authorization. Permitting use of protected health information is part of the decision to receive care through a clinical trial, and health care providers conducting such trials should be able to condition research-related treatment on the individual’s willingness to authorize the use or disclosure of his or her protected health information for research associated with the trial.

In addition, we permit health plans to condition eligibility for benefits and enrollment in the health plan on the individual’s authorization for the use or disclosure of protected health information for purposes of eligibility or enrollment determinations relating to the individual or for its underwriting or risk-rating determinations. We also permit health plans to condition payment of a claim for specified benefits on the individual’s authorization for the disclosure of information maintained by another covered entity to the health plan, if the disclosure is necessary to determine payment of the claim. These exceptions do not apply, however, to authorization for the use or disclosure of psychotherapy notes. Health plans may not condition payment, eligibility, or enrollment on the receipt of an authorization for the use or disclosure of psychotherapy notes, even if the health plan intends to use the information for underwriting or payment purposes.

Finally, when a covered entity provides treatment for the sole purpose of providing information to a third party, the covered entity may condition the treatment on the receipt of an authorization to use or disclose protected health information related to that treatment. For example, a covered health care provider may have a contract with an employer to provide fitness-for-duty exams to the employer’s employees. The provider may refuse to conduct the exam if an individual refuses to authorize the provider to disclose the results of the exam to the employer. Similarly, a covered health care provider may have a contract with a life insurer to provide pre-enrollment physicals to applicants for life insurance coverage. The provider may refuse to conduct the physical if an individual refuses to authorize the provider to disclose the results of the physical to the life insurer.


Revocation of Authorizations

We proposed to allow individuals to revoke an authorization at any time, except to the extent that the covered entity had taken action in reliance on the authorization.

We retain this provision, but specify that the individual must revoke the authorization in writing. When an individual revokes an authorization, a covered entity that knows of such revocation must stop making uses and disclosures pursuant to the authorization to the greatest extent practical. A covered entity may continue to use and disclose protected health information in accordance with the authorization only to the extent the covered entity has taken action in reliance on the authorization. For example, a covered entity is not required to retrieve information that it has already disclosed in accordance with the authorization. (See above for discussion of how written revocation of an authorization and knowledge of that revocation may differ.)

We also include an additional exception. Under § 164.508(b)(5), individuals do not have the right to revoke an authorization if the authorization was obtained as a condition of obtaining insurance coverage and other applicable law provides the insurer that obtained the authorization with the right to contest a claim under the policy. We intend this exception to permit insurers to obtain necessary protected health information during contestability periods under state law. For example, an individual may not revoke an authorization for the disclosure of protected health information to a life insurer for the purpose of investigating material misrepresentation if the individual’s policy is still subject to the contestability period.

Documentation

In the final rule, we clarify that a covered entity must document and retain any signed authorization as required by § 164.530(j) (see below).

Section 164.508(c)—Core Elements and Requirements

We proposed to require authorizations requested by individuals to contain a minimum set of elements: a description of the information to be used or disclosed; the name of the covered entity, or class of entities or persons, authorized to make the use or disclosure; the name or types of recipient(s) of the information; an expiration date; the individual’s signature and date of signature; if signed by a representative, a description of the representative’s authority or relationship to the individual; a statement regarding the individual’s right to revoke the authorization; and a statement that the information may no longer be protected by the federal privacy law. We proposed a model authorization form that entities could have used to satisfy the authorization requirements. If the model form was not used, we proposed to require covered entities to use authorization forms written in plain language.

We modify the proposed approach, by eliminating the distinction between authorizations requested by the individuals and authorizations requested by others. Instead, we prescribe a minimum set of elements for authorizations and certain additional elements when the authorization is requested by a covered entity for its own use or disclosure of protected health information it maintains or for receipt of protected health information from another covered entity to carry out treatment, payment, or health care operations.

The core elements are required for all authorizations, not just authorizations requested by individuals. Individuals seek disclosure of protected health information about them to others in many circumstances, such as when applying for life or disability insurance, when government agencies conduct suitability investigations, and in seeking certain job assignments when health status is relevant. Another common instance is tort litigation, when an individual’s attorney needs individually identifiable health information to evaluate an injury claim and asks the individual to authorize disclosure of records relating to the injury to the attorney. In each of these situations, the individual may go directly to the covered entity and ask it to send the relevant information to the intended recipient. Alternatively, the intended recipient may ask the individual to complete a form, which the recipient will submit to the covered entity on the individual’s behalf, that authorizes the covered entity to disclose the information. Whether the authorization is submitted to the covered entity by the individual or by another person on the individual’s behalf, the covered entity maintaining protected health information may not use or disclose it pursuant to an authorization unless the authorization meets the following requirements.

First, the authorization must include a description of the information to be used or disclosed, with sufficient specificity to allow the covered entity to know which information the authorization references. For example, the authorization may include a description of “laboratory results from July 1998” or “all laboratory results” or “results of MRI performed in July 1998.” The covered entity can then use or disclose that information and only that information. If the covered entity does not understand what information is covered by the authorization, the use or disclosure is not permitted unless the covered entity clarifies the request.

There are no limitations on the information that can be authorized for disclosure. If an individual wishes to authorize a covered entity to disclose his or her entire medical record, the authorization can so specify. In order for the covered entity to disclose the entire medical record, the authorization must be specific enough to ensure that the individual has a clear understanding that the entire record will be disclosed. For example, if the Social Security Administration seeks authorization for release of all health information to facilitate the processing of benefit applications, then the description on the authorization form must specify “all health information” or the equivalent.

In some instances, a covered entity may be reluctant to undertake the effort to review the record and select portions relevant to the request (or redact portions not relevant). In such circumstances, covered entities may provide the entire record to the individual, who may then redact and release the more limited information to the requestor. This rule does not require a covered entity to disclose information pursuant to an individual’s authorization.

Second, the authorization must include the name or other specific identification of the person(s) or class of persons that are authorized to use or disclose the protected health information. If an authorization permits a class of covered entities to disclose information to an authorized person, the class must be stated with sufficient specificity so that a covered entity presented with the authorization will know with reasonable certainty that the individual intended the covered entity to release protected health information. For example, a covered licensed nurse practitioner presented with an authorization for “all physicians” to disclose protected health information could not know with reasonable certainty that the individual intended for the practitioner to be included in the authorization.

Third, the authorization must include the name or other specific identification of the person(s) or class of persons to whom the covered entity is authorized to make the use or disclosure. The authorization must identify these persons with sufficient specificity to reasonably permit a covered entity responding to the authorization to identify the authorized user or recipient of the protected health information. Often, individuals provide authorizations to third parties, who present them to one or more covered entities. For example, an authorization could be completed by an individual and given to a government agency, authorizing the agency to receive medical information from any health care provider that has treated the individual within a defined period of time. Such an authorization is permissible (subject to the other requirements of this part) if it sufficiently identifies the government entity that is authorized to receive the disclosed protected health information.

Fourth, the authorization must state an expiration date or event. This expiration date or event must either be a specific date (e.g., January 1, 2001), a specific time period (e.g., one year from the date of signature), or an event directly relevant to the individual or the purpose of the use or disclosure (e.g., for the duration of the individual’s enrollment with the health plan that is authorized to make the use or disclosure). We note that the expiration date or event is subject to otherwise applicable and more stringent law. For example, the National Association of Insurance Commissioners’ Insurance Information and Privacy Protection Model Act, adopted in at least fifteen states, specifies that authorizations signed for the purpose of collecting information in connection with an application for a life, health, or disability insurance policy are permitted to remain valid for no longer than thirty months. In those states, the longest such an authorization may remain in effect is therefore thirty months, regardless of the expiration date or event indicated on the form.

Fifth, the authorization must state that the individual has the right to revoke an authorization in writing, except to the extent that action has been taken in reliance on the authorization or, if applicable, during a contestability period. The authorization must include instructions on how the individual may revoke the authorization. For example, the person obtaining the authorization from the individual can include an address where the individual can send a written request for revocation.

Sixth, the authorization must inform the individual that, when the information is used or disclosed pursuant to the authorization, it may be subject to re-disclosure by the recipient and may no longer be protected by this rule.

Seventh, the authorization must include the individual’s signature and the date of the signature. Once we adopt the standards for electronic signature, another of the required administrative simplification standards we are required to adopt under HIPAA, an electronic signature that meets those standards will be sufficient under this rule. We do not require verification of the individual’s identity or authentication of the individual’s signature.

Finally, if the authorization is signed by a personal representative of the individual, the representative must indicate his or her authority to act for the individual.

As in the proposed rule, the authorization must be written in plain language. See the preamble discussion regarding notice of privacy practices (§ 164.520) for a discussion of the plain language requirement. We do not provide a model authorization in this rule. We will provide further guidance on this issue prior to the compliance date.

Section 164.508(d)—Authorizations Requested by a Covered Entity for Its Own Uses and Disclosures

We proposed to require covered entities to include additional elements in authorizations initiated by the covered entity. Before a covered entity could use or disclose protected health information of an individual pursuant to a request the covered entity made, we proposed to require the entity to obtain an authorization containing the minimum elements described above and the following additional elements: except for authorizations requested for clinical trials, a statement that the entity will not condition treatment or payment on the individual’s authorization; a description of the purpose of the requested use or disclosure; a statement that the individual may inspect or copy the information to be used or disclosed and may refuse to sign the authorization; and, if the use or disclosure of the requested information will result in financial gain to the entity, a statement that such gain will result.

We additionally proposed to require covered entities, when requesting an individual’s authorization, to request only the minimum amount of information necessary to accomplish the purpose for which the request was made. We also proposed to require covered entities to provide the individual with a copy of the executed authorization.

We retain the proposed approach, but apply these additional requirements when the covered entity requests the individual’s authorization for the entity’s own use or disclosure of protected health information maintained by the covered entity itself. For example, a health plan may ask individuals to authorize the plan to disclose protected health information to a subsidiary to market life insurance to the individual. A pharmaceutical company may also ask a covered provider to recruit patients for drug research; if the covered provider asks patients to sign an authorization for the provider to disclose protected health information to the pharmaceutical company for this research, this is also an authorization requested by a covered entity for disclosure of protected health information maintained by the covered entity. When covered entities initiate the authorization by asking individuals to authorize the entity to use or disclose protected health information that the entity maintains, the authorization must include all of the elements required above as well as several additional elements.

Authorizations requested by covered entities for the covered entity’s own use or disclosure of protected health information must state, as applicable under § 164.508(b)(4), that the covered entity will not condition treatment, payment, enrollment, or eligibility on the individual’s authorization for the use or disclosure. For example, if a health plan asks an individual to sign an authorization for the health plan to disclose protected health information to a non-profit advocacy group for the advocacy group’s fundraising purposes, the authorization must contain a statement that the health plan will not condition treatment, payment, enrollment in the health plan, or eligibility for benefits on the individual providing the authorization.

Authorizations requested by covered entities for their own uses and disclosures of protected health information must also identify each purpose for which the information is to be used or disclosed. The required statement of purpose(s) must provide individuals with the facts they need to make an informed decision whether to allow release of the information. We prohibit the use of broad or blanket authorizations requesting the use or disclosure of protected health information for a wide range of unspecified purposes. Both the information that is to be used or disclosed and the specific purpose(s) for such uses or disclosures must be stated in the authorization.

Authorizations requested by covered entities for their own uses and disclosures must also advise individuals of certain rights available to them under this rule. The authorization must state that the individual may inspect or copy the information to be used or disclosed as provided in § 164.524 regarding access for inspection and copying and that the individual may refuse to sign the authorization.

We alter the proposed requirements with respect to authorizations for which the covered entity will receive financial gain. When the covered entity initiates the authorization and the covered entity will receive direct or indirect remuneration from a third party (rather than financial gain, as proposed) in exchange for using or disclosing the protected health information, the authorization must include a statement that such remuneration will result. For example, a health plan may wish to sell or rent its enrollee mailing list or a pharmaceutical company may offer a covered provider a discount on its products if the provider obtains authorization to disclose the demographic information of patients with certain diagnoses so that the company can market new drugs to them directly. In each case, the covered entity must obtain the individual’s authorization, and the authorization must include a statement that the covered entity will receive remuneration.

In § 164.508(d)(2), we continue to require a covered entity that requests an authorization for its own use or disclosure of protected health information to provide the individual with a copy of the signed authorization. While we eliminate from this section the provision requiring covered entities to obtain authorization for use or disclosure of the minimum necessary protected health information, § 164.514(d)(4) requires covered entities to request only the minimum necessary protected health information to accomplish the purpose for which the request is made. This requirement applies to these authorizations, as well as other requests.

Section 164.508(e)—Authorizations Requested by a Covered Entity for Disclosures by Others

In the proposed rule, we would have prohibited all covered entities from requiring the individual’s written legal permission (as proposed, an “authorization”) for the use or disclosure of protected health information to carry out treatment, payment, or health care operations. We generally eliminate this prohibition in the final rule, except to specify that a consent obtained by one covered entity is not effective to permit another covered entity to use or disclose protected health information. See § 164.506(a)(5) and the corresponding preamble discussion.

In the final rule, if a covered entity seeks the individual’s written legal permission to obtain protected health information about the individual from another covered entity for any purpose, it must obtain the individual’s authorization for the covered entity that maintains the protected health information to make the disclosure. If the authorization is for the purpose of obtaining protected health information for purposes other than treatment, payment, or health care operations, the authorization need only contain the core elements required by § 164.508(c) and described above.

If the authorization, however, is for the purpose of obtaining protected health information to carry out treatment, payment, or health care operations, the authorization must meet the requirements of § 164.508(e). We expect such authorizations will rarely be necessary, because we expect covered entities that maintain protected health information to obtain consents that permit them to make anticipated uses and disclosures for these purposes. An authorization obtained by another covered entity that authorizes the covered entity maintaining the protected health information to make a disclosure for the same purpose, therefore, would be unnecessary.

We recognize, however, that these authorizations may be useful to demonstrate an individual’s intent and relationship to the intended recipient of the information when the intent or relationship is not already clear. For example, a long term care insurer may need information from an individual’s health care providers about the individual’s ability to perform activities of daily living in order to determine payment of a long term care claim. The providers that hold the information may not be providing the long term care and may not, therefore, be aware of the individual’s coverage under the policy or that the individual is receiving long term care services. An authorization obtained by the long term care insurer will help to demonstrate these facts to the providers holding the information, which will make them more confident that the individual intends for the information to be shared. Similarly, an insurer with subrogation obligations may need health information from the enrollee’s providers to assess or prosecute the claim. A patient’s new physician may also need medical records from the patient’s prior providers in order to treat the patient. Without an authorization that demonstrates the patient’s intent for the information to be shared, the covered entity that maintains the protected health information may be reluctant to provide the information, even if that covered entity’s consent permits such disclosure to occur.

These authorizations may also be useful to accomplish clinical coordination and integration among covered entities that do not meet the definitions of affiliated covered entities or organized health care arrangements. For example, safety-net providers that participate in the Community Access Program (CAP) may not qualify as organized health care arrangements but may want to share protected health information with each other in order to develop and expand integrated systems of care for uninsured people. An authorization under this section would permit such providers to receive protected health information from other CAP participants to engage in such activities.

Because of such concerns, we permit a covered entity to request the individual’s authorization to obtain protected health information from another covered entity to carry out treatment, payment, and health care operations. In these situations, the authorization must contain the core elements described above and must also describe each purpose of the requested disclosure.

With one exception, the authorization must also indicate that the authorization is voluntary. It must state that the individual may refuse to sign the authorization and that the covered entity requesting the authorization will not condition the provision of treatment, payment, enrollment in the health plan, or eligibility for benefits on obtaining the individual’s authorization. If the authorization is for a disclosure of information that is necessary to determine payment of a claim for specified benefits, however, the health plan requesting the authorization may condition the payment of the claim on obtaining the authorization from the individual. See § 164.508(b)(4)(iii). In this case, the authorization does not have to state that the health plan will not condition payment on obtaining the authorization.

The covered entity requesting the authorization must provide the individual with a copy of the signed authorization. We note that the covered entity requesting the authorization is also subject to the requirements in § 164.514 to request only the minimum necessary information needed for the purpose of the authorization.

We additionally note that, when the covered entity that maintains the protected health information has already obtained a consent for disclosure of protected health information to carry out treatment, payment, and/or health care operations under § 164.506, and that consent conflicts with an authorization obtained by another covered entity under § 164.508(e), the covered entity maintaining the protected health information is bound by the more restrictive document. See § 164.506(e) and the corresponding preamble discussion for further explanation.

Section 164.508(f)—Authorizations for Uses and Disclosures of Protected Health Information Created for Research that Includes Treatment of Individuals

In the proposed rule, we would have required individual authorization for any use or disclosure of research information unrelated to treatment. In the final rule, we eliminate the special rules for this category of information and, instead, require covered entities to obtain an authorization for the use or disclosure of protected health information the covered entity creates for the purpose of research that includes treatment of individuals, except as otherwise permitted by § 164.512(i).

The intent of this provision is to permit covered entities that conduct research involving treatment to bind themselves to a more limited scope of uses and disclosures of research information than they would otherwise be permitted to make with non-research information. Rather than creating a single definition of “research information,” we allow covered entities the flexibility to define that subset of protected health information they create during clinical research that is not necessary for treatment, payment, or health care operations and that the covered entity will use or disclose under more limited circumstances than it uses or discloses other protected health information. In designing their authorizations, we expect covered entities to be mindful of the often highly sensitive nature of research information and the impact of individuals’ privacy concerns on their willingness to participate in research.

Covered entities seeking authorization to use or disclose protected health information they create for the purpose of research that includes treatment of individuals, including clinical trials, must include in the authorization (in addition to the applicable elements required above) a description of the extent to which some or all of the protected health information created for the research will also be used or disclosed for purposes of treatment, payment, and health care operations. For example, if the covered entity intends to seek reimbursement from the individual’s health plan for the routine costs of care associated with the research protocol, it must explain in the authorization the types of information that it will provide to the health plan for this purpose. This information, and the circumstances under which disclosures will be made for treatment, payment, and health care operations, may be more limited than the information and circumstances described in the covered entity’s general consent and notice of privacy practices. To the extent the covered entity limits itself to a subset of uses or disclosures that are otherwise permissible under the rule and the covered entity’s consent and notice, the covered entity is bound by the statements made in the research-related authorization. In these circumstances, the authorization must indicate that the authorization, not the general consent and notice, controls.

If the covered entity’s primary interaction with the individual is through the research, the covered entity may combine the general consent for treatment, payment, and health care operations required under § 164.506 with this research authorization and need not obtain an additional consent under § 164.506. If the entity has already obtained, or intends to obtain, a separate consent as required under § 164.506, the research authorization must refer to that consent and state that the practices described in the research-related authorization are binding on the covered entity as to the information covered by the research-related authorization. The research-related authorization may also be combined in the same document as the informed consent for participation in the research. This is an exception to the general rule in § 164.508(b)(3) that an authorization under this section may not be combined with any other document (see above).

The covered entity must also include in the authorization a description of the extent to which it will not use or disclose the protected health information it obtains in connection with the research protocol for purposes that are permitted without individual authorization under this rule (under §§ 164.510 and 164.512). To the extent that the entity limits itself to a subset of uses or disclosures that are otherwise permissible under the rule and the entity’s notice, the entity is bound by the statements made in the research authorization. In these circumstances, the authorization must indicate that the authorization, not the notice, controls. The covered entity may not, however, purport to preclude itself from making uses or disclosures that are required by law or that are necessary to avert a serious and imminent threat to health or safety.

In some instances, the covered entity may wish to make a use or disclosure of the research information that it did not include in its general consent or notice or for which authorization is required under this rule. To the extent the entity includes uses or disclosures in the research authorization that are otherwise not permissible under the rule and the entity’s consent and notice of information practices, the entity must include all of the elements required by §§ 164.508(c) and (d) in the research-related authorization. The covered entity is bound by these statements.

Research that involves the delivery of treatment to participants sometimes relies on existing health information, such as to determine eligibility for the trial. We note that under § 164.508(b)(3)(iii), the covered entity may combine the research-related authorization required under § 164.508(f) with any other authorization for the use or disclosure of protected health information (other than psychotherapy notes), provided that the covered entity does not condition the provision of treatment on the individual signing the authorization. For example, a covered health care provider that had a treatment relationship with an individual prior to the individual’s enrollment in a clinical trial, but that is now providing research-related treatment to the individual, may elect to request a compound authorization from the individual: an authorization under § 164.508(d) for the provider to use the protected health information it created prior to the initiation of the research that involves treatment, combined with an authorization under § 164.508(f) regarding use and disclosure of protected health information the covered provider will create for the purpose of the clinical trial. This compound authorization would be valid, provided the covered provider did not condition the research-related treatment on obtaining the authorization required under § 164.508(f), as permitted in § 164.508(b)(4)(i).

However, we anticipate that covered entities will almost always, if not always, condition the provision of research-related treatment on the individual signing the authorization under § 164.508(f) for the covered entity’s use or disclosure of protected health information created for the research. Therefore, we expect that the vast majority of covered providers who wish to use or disclose protected health information about an individual that will be created for research that includes treatment and wish to use existing protected health information about that individual for the research that includes treatment, will be required to obtain two authorizations from the individual: (1) an authorization for the use and disclosure of protected health information to be created for the research that involves treatment of the individual (as required under § 164.508(f)), and (2) an authorization for the use of existing protected health information for the research that includes treatment of the individual (as required under § 164.508(d)).

Effect of Authorization

As noted in the discussion about consents in the preamble to § 164.506, authorizations under this rule should not be construed to waive, directly or indirectly, any privilege granted under federal, state, or local laws or procedures.

Section 164.510—Uses and Disclosures Requiring an Opportunity for the Individual To Agree or To Object

Introduction

Section 164.510 of the NPRM proposed the uses and disclosures of protected health information that covered entities could make for purposes other than treatment, payment, or health care operations and for which an individual authorization would not have been required. These allowable uses and disclosures were designed to permit and promote key national health care priorities, and to promote the smooth operation of the health care system. In each of these areas, the proposal permitted, but would not have required, covered entities to use or disclose protected health information.

We proposed to require covered entities to obtain the individual’s oral agreement before making a disclosure to a health care facility’s directory or to the individual’s next-of-kin or to another person involved in the individual’s health care. Because there is an expectation in these two areas that individuals will have some input into a covered entity’s decision to use or disclose protected health information, we decided to place disclosures to health facility directories and to persons involved in an individual’s care in a separate section. In the final rule, requirements regarding disclosure of protected health information for facility directories and to others involved in an individual’s care are included in § 164.510(a) and § 164.510(b), respectively. In the final rule, we include in § 164.510(b) provisions to address a type of disclosure not addressed in the NPRM: disclosures to entities providing relief and assistance in disasters such as floods, fires, and terrorist attacks. Requirements for most of the remaining categories of disclosures addressed in proposed § 164.510 of the NPRM are included in a new § 164.512 of the final rule, as discussed below.

Section 164.510 of the final rule addresses situations in which the interaction between the covered entity and the individual is relatively informal and agreements are made orally, without written authorizations for use or disclosure. In general, under the final rule, to disclose or use protected health information for these purposes, covered entities must inform individuals in advance and must provide a meaningful opportunity for the individual to prevent or restrict the disclosure. In exceptional circumstances, where even this informal discussion cannot practicably take place, covered entities are permitted to make decisions regarding disclosure or use based on the exercise of professional judgment of what is in the individual’s best interest.

Section 164.510(a)—Use and Disclosure for Facility Directories

The NPRM proposed to allow covered health care providers to disclose through an inpatient facility’s directory a patient’s name, location in the facility, and general health condition, provided that the individual had agreed to the disclosure. The NPRM would have allowed this agreement to be oral. Pursuant to the NPRM, when making decisions about incapacitated individuals, a covered health care provider could have disclosed such information at the entity’s discretion and consistent with good medical practice and any prior expressions of patient preference of which the covered entity was aware.

The preamble to the NPRM listed several factors that we encouraged covered entities to take into account when making decisions about whether to include an incapacitated patient’s information in the directory. These factors included: (1) Whether disclosing that an individual is in the facility could reasonably cause harm or danger to the individual (e.g., if it appeared that an unconscious patient had been abused and disclosing the information could give the attacker sufficient information to seek out the person and repeat the abuse); (2) whether disclosing a patient’s location within a facility implicitly would give information about the patient’s condition (e.g., whether a patient’s room number revealed that he or she was in a psychiatric ward); (3) whether it was necessary or appropriate to give information about patient status to family or friends (e.g., if giving information to a family member about an unconscious patient could help a physician administer appropriate medications); and (4) whether an individual had, prior to becoming incapacitated, expressed a preference not to be included in the directory. The preamble stated that if a covered entity learned of such a preference, it would be required to act in accordance with the preference.

The preamble to the NPRM said that when individuals entered a facility in an incapacitated state and subsequently gained the ability to make their own decisions, health facilities should ask them within a reasonable time period for permission to include their information in the facility’s directory.

In the final rule, we change the NPRM’s opt-in authorization requirement to an opt-out approach for inclusion of patient information in a health care facility’s directory. The final rule allows covered health care providers—which in this case are health care facilities—to include patient information in their directory only if: (1) They inform incoming patients of their policies regarding the directory; (2) they give patients a meaningful opportunity to opt out of the directory listing or to restrict some or all of the uses and disclosures that can be included in the directory; and (3) the patient does not object to being included in the directory. A patient must be allowed, for example, to have his or her name and condition included in the directory while not having his or her religious affiliation included. The facility’s notice and the individual’s opt-out or restriction may be oral.

Under the final rule, subject to the individual’s right to object, or known prior expressed preferences, a covered health care provider may disclose the following information to persons who inquire about the individual by name: (1) The individual’s general condition in terms that do not communicate specific medical information about the individual (e.g., fair, critical, stable, etc.); and (2) location in the facility. This approach represents a slight change to the NPRM, which did not require members of the general public to ask for a patient by name in order to obtain directory information and which, in fact, would have allowed covered entities to disclose the individual’s name as part of directory information.

Under the final rule, we also establish provisions for disclosure of directory information to clergy that are slightly different from those which apply for disclosure to the general public. Subject to the individual’s right to object or restrict the disclosure, the final rule permits a covered entity to disclose to a member of the clergy: (1) The individual’s name; (2) the individual’s general condition in terms that do not communicate specific medical information about the individual; (3) the individual’s location in the facility; and (4) the individual’s religious affiliation. A disclosure of directory information may be made to members of the clergy even if they do not inquire about an individual by name. We note that the rule in no way requires a covered health care provider to inquire about the religious affiliation of an individual, nor must individuals supply that information to the facility. Individuals are free to determine whether they want their religious affiliation disclosed to clergy through facility directories.

We believe that allowing clergy to access patient information pursuant to this section does not violate the Establishment Clause of the First Amendment, which prohibits laws “respecting an establishment of religion.” Courts traditionally turn to the Lemon test when evaluating laws that might raise Establishment Clause concerns. A law does not violate the Clause if it has a secular purpose, is not primarily to advance religion, and does not cause excessive government entanglement with religion. The privacy regulation passes this test because its purpose is to protect the privacy of individuals—regardless of their religious affiliation—and it does not cause excessive government entanglement.

More specifically, although this section provides a special rule for members of the clergy, it does so as an accommodation to patients who seek to engage in religious conduct. For example, restricting the disclosure of an individual’s religious affiliation, room number, and health status to a priest could cause significant delay that would inhibit the ability of a Catholic patient to obtain sacraments provided during the last rites. We believe this accommodation does not violate the Establishment Clause, because it avoids a government-imposed restriction on the disclosure of information that could disproportionately affect the practice of religion. In that way, it is no different from accommodations upheld by the U.S. Supreme Court, such as exceptions to laws banning the use of alcohol in religious ceremonies.

The final rule expands the circumstances under which health care facilities can disclose specified health information to the patient directory without the patient’s agreement. Besides allowing such disclosures when patients are incapacitated, as the NPRM would have allowed, the final rule allows such disclosures in emergency treatment circumstances. For example, when a patient is conscious and capable of making a decision, but is so seriously injured that asking permission to include his or her information in the directory would delay treatment such that the patient’s health would be jeopardized, health facilities can make decisions about including the patient’s information in the directory according to the same rules that apply when the patient is incapacitated. The final rule modifies the NPRM requirements for cases in which an incapacitated patient is admitted to a health care facility. Whereas the NPRM would have allowed health care providers to disclose an incapacitated patient’s information to the facility’s directory “at its discretion and consistent with good medical practice and any prior expressions of preference of which the covered entity [was] aware,” the final rule states that in these situations (and in other emergency treatment circumstances), covered health care providers must make the decision on whether to include the patient’s information in the facility’s directory in accordance with professional judgment as to the patient’s best interest. In addition, when making decisions involving incapacitated patients and patients in emergency situations, covered health care providers may decide to include some portions of the patient’s information (such as name) but not other information (such as location in the facility) in order to protect patient interests.

As in the preamble to the NPRM, we encourage covered health care providers to take into account the four factors listed above when making decisions about whether to include patient information in a health care facility’s directory when patients are incapacitated or are in an emergency treatment circumstance. In addition, we retain the requirement stated in the preamble of the NPRM that if a covered health care provider learns of an incapacitated patient’s prior expression of preference not to be included in a facility’s directory, the facility must not include the patient’s information in the directory. For cases involving patients admitted to a health care facility in an incapacitated or emergency treatment circumstance who during the course of their stay become capable of decisionmaking, the final rule takes an approach similar to that described in the NPRM. The final rule states that when an individual who was incapacitated or in an emergency treatment circumstance upon admission to an inpatient facility stabilizes such that he or she is capable of decisionmaking, a covered health care provider must, when it becomes practicable, inform the individual about its policies regarding the facility’s directory and provide the opportunity to object to the use or disclosure of protected health information about themselves for the directory.

Section 164.510(b)—Uses and Disclosures for Involvement in the Individual’s Care and Notification Purposes

In cases involving an individual with the capacity to make health care decisions, the NPRM would have allowed covered entities to disclose protected health information about the individual to a next-of-kin, to other family members, or to close personal friends of the individual if the individual had agreed orally to such disclosure. If such agreement could not practicably or reasonably be obtained (e.g., when the individual was incapacitated), the NPRM would have allowed disclosure of protected health information that was directly relevant to the person’s involvement in the individual’s health care, consistent with good health professional practices and ethics. The NPRM defined next-of-kin as defined under state law.

Under the final rule, we specify that covered entities may disclose to a person involved in the current health care of the individual (such as a family member, other relative, close personal friend, or any other person identified by the individual) protected health information directly related to the person’s involvement in the current health care of an individual or payment related to the individual’s health care. Such persons involved in care and other contact persons might include, for example: blood relatives; spouses; roommates; boyfriends and girlfriends; domestic partners; neighbors; and colleagues. Inclusion of this list is intended to be illustrative only, and it is not intended to change current practices with respect to: (1) Involvement of other persons in individuals’ treatment decisions; (2) informal information-sharing among individuals involved in a person’s care; or (3) sharing of protected health information to contact persons during a disaster. The final rule also includes new language stating that covered entities may use or disclose protected health information to notify or assist in notification of family members, personal representatives, or other persons responsible for an individual’s care with respect to an individual’s location, condition, or death. These provisions allow, for example, covered entities to notify a patient’s adult child that his father has suffered a stroke and to tell the person that the father is in the hospital’s intensive care unit.

The final rule includes separate provisions for situations in which the individual is present and for when the individual is not present at the time of disclosure. When the individual is present and has the capacity to make his or her own decisions, a covered entity may disclose protected health information only if the covered entity: (1) Obtains the individual’s agreement to disclose to the third parties involved in their care; (2) provides the individual with an opportunity to object to such disclosure and the individual does not express an objection; or (3) reasonably infers from the circumstances, based on the exercise of professional judgment, that the individual does not object to the disclosure. Situations in which covered providers may infer an individual’s agreement to disclose protected health information pursuant to option (3) include, for example, when a patient brings a spouse into the doctor’s office when treatment is being discussed, and when a colleague or friend has brought the individual to the emergency room for treatment.

We proposed that when a covered entity could not practicably obtain oral agreement to disclose protected health information to next-of-kin, relatives, or those with a close personal relationship to the individual, the covered entity could make such disclosures consistent with good health professional practice and ethics. In such instances, we proposed that covered entities could disclose only the minimum information necessary for the friend or relative to provide the assistance he or she was providing. For example, health care providers could not disclose to a friend or relative simply driving a patient home from the hospital extensive information about the patient’s surgery or past medical history when the friend or relative had no need for this information.

The final rule takes a similar approach. Under the final rule, when an individual is not present (for example, when a friend of a patient seeks to pick up the patient’s prescription at a pharmacy) or when the opportunity to agree or object to the use or disclosure cannot practicably be provided due to the individual’s incapacity or an emergency circumstance, covered entities may, in the exercise of professional judgment, determine whether the disclosure is in the individual’s best interests and if so, disclose only the protected health information that is directly relevant to the person’s involvement with the individual’s health care. For example, this provision allows covered entities to inform relatives or others involved in a patient’s care, such as the person who accompanied the individual to the emergency room, that a patient has suffered a heart attack and to provide updates on the patient’s progress and prognosis when the patient is incapacitated and unable to make decisions about such disclosures. In addition, this section allows covered entities to disclose functional information to individuals assisting in a patient’s care; for example, it allows hospital staff to give information about a person’s mobility limitations to a friend driving the patient home from the hospital. It also allows covered entities to use professional judgment and experience with common practice to make reasonable inferences of the individual’s best interest in allowing a person to act on an individual’s behalf to pick up filled prescriptions, medical supplies, X-rays, or other similar forms of protected health information. Thus, under this provision, pharmacists may release a prescription to a patient’s friend who is picking up the prescription for him or her. Section 164.510(b) is not intended to disrupt most covered entities’ current practices or state law with respect to these types of disclosures.

This provision is intended to allow disclosures directly related to a patient’s current condition and should not be construed to allow, for example, disclosure of extensive information about the patient’s medical history that is not relevant to the patient’s current condition and that could prove embarrassing to the patient. In addition, if a covered entity suspects that an incapacitated patient is a victim of domestic violence and that a person seeking information about the patient may have abused the patient, covered entities should not disclose information to the suspected abuser if there is reason to believe that such a disclosure could cause the patient serious harm. In all of these situations regarding possible disclosures of protected health information about a patient who is not present or is unable to agree to such disclosures due to incapacity or other emergency circumstance, disclosures should be in accordance with the exercise of professional judgment as to the patient’s best interest.

This section is not intended to provide a loophole for avoiding the rule’s other requirements, and it is not intended to allow disclosures to a broad range of individuals, such as journalists who may be curious about a celebrity’s health status. Rather, it should be construed narrowly, to allow disclosures to those with the closest relationships with the patient, such as family members, in circumstances when a patient is unable to agree to disclosure of his or her protected health information. Furthermore, when a covered entity cannot practicably obtain an individual’s agreement before disclosing protected health information to a relative or to a person involved in the individual’s care and is making decisions about such disclosures consistent with the exercise of professional judgment regarding the individual’s best interest, covered entities must take into account whether such a disclosure is likely to put the individual at risk of serious harm.

Like the NPRM, the final rule does not require covered entities to verify the identity of relatives or other individuals involved in the individual’s care. Rather, the individual’s act of involving the other persons in his or her care suffices as verification of their identity. For example, the fact that a person brings a family member into the doctor’s office when treatment information will be discussed constitutes verification of the involved person’s identity for purposes of this rule. Likewise, the fact that a friend arrives at a pharmacy and asks to pick up a specific prescription for an individual effectively verifies that the friend is involved in the individual’s care, and the rule allows the pharmacist to give the filled prescription to the friend.

We also clarify that the final rule does not allow covered entities to assume that an individual’s agreement at one point in time to disclose protected health information to a relative or to another person assisting in the individual’s care implies agreement to disclose protected health information indefinitely in the future. We encourage the exercise of professional judgment in determining the scope of the person’s involvement in the individual’s care and the time period for which the individual is agreeing to the other person’s involvement. For example, if a friend simply picks up a patient from the hospital but has played no other role in the individual’s care, hospital staff should not call the friend to disclose lab test results a month after the initial encounter with the friend. However, if a patient routinely brings a spouse into the doctor’s office when treatment is discussed, a physician can infer that the spouse is playing a long-term role in the patient’s care, and the rule allows disclosure of protected health information to the spouse consistent with his or her role in the patient’s care, for example, discussion of treatment options.

The NPRM did not specifically address situations in which disaster relief organizations may seek to obtain protected health information from covered entities to help coordinate the individual’s care, or to notify family or friends of an individual’s location or general condition in a disaster situation. In the final rule, we account for disaster situations in this paragraph. Specifically, we allow covered entities to use or disclose protected health information without individual agreement to federal, state, or local government agencies engaged in disaster relief activities, as well as to private disaster relief or disaster assistance organizations (such as the Red Cross) authorized by law or by their charters to assist in disaster relief efforts, to allow these organizations to carry out their responsibilities in a specific disaster situation. Covered entities may make these disclosures to disaster relief organizations, for example, so that these organizations can help family members, friends, or others involved in the individual’s care to locate individuals affected by a disaster and to inform them of the individual’s general health condition. This provision also allows disclosure of information to disaster relief or disaster assistance organizations so that these organizations can help individuals obtain needed medical care for injuries or other health conditions caused by a disaster.

We encourage disaster relief organizations to protect the privacy of individual health information to the extent practicable in a disaster situation. However, we recognize that the nature of disaster situations often makes it impossible or impracticable for disaster relief organizations and covered entities to seek individual agreement or authorization before disclosing protected health information necessary for providing disaster relief. Thus, we note that we do not intend to impede disaster relief organizations in their critical mission to save lives and reunite loved ones and friends in disaster situations.

Section 164.512—Uses and Disclosures for Which Consent, an Authorization, or Opportunity To Agree or Object Is Not Required

Introduction

The final rule’s requirements regarding disclosures for directory information and to family members or others involved in an individual’s care are in a section separate from that covering disclosures allowed for other national priority purposes. In the final rule, we place most of the other disclosures for national priority purposes in a new § 164.512.

As in the NPRM, in § 164.512 of the final rule, we allow covered entities to make these national priority uses and disclosures without individual authorization. As in the NPRM, these uses and disclosures are discretionary. Covered entities are free to decide whether or not to use or disclose protected health information for any or all of the permitted categories. However, as in the NPRM, nothing in the final rule provides authority for a covered entity to restrict or refuse to make a use or disclosure mandated by other law.

The new § 164.512 includes paragraphs on: Uses and disclosures required by law; uses and disclosures for public health activities; disclosures about victims of abuse, neglect, or domestic violence; uses and disclosures for health oversight activities; disclosures for judicial and administrative proceedings; disclosures for law enforcement purposes; uses and disclosures about decedents; uses and disclosures for cadaveric donation of organs, eyes, or tissues; uses and disclosures for research purposes; uses and disclosures to avert a serious threat to health or safety (which we had called ‘‘emergency circumstances’’ in the NPRM); uses and disclosures for specialized government functions (referred to as ‘‘specialized classes’’ in the NPRM); and disclosures to comply with workers’ compensation laws.

Section 164.512(c) in the final rule, which addresses uses and disclosures regarding adult victims of abuse, neglect and domestic violence, is new, although it incorporates some provisions from proposed § 164.510 of the NPRM. In the final rule we also eliminate proposed § 164.510(g) on government health data systems and proposed § 164.510(i) on banking and payment processes. These changes are discussed below.

Approach to Use of Protected Health Information

Proposed § 164.510 of the NPRM included specific subparagraphs addressing uses of protected health information by covered entities that were also public health agencies, health oversight agencies, government entities conducting judicial or administrative proceedings, or government health data systems. Such covered entities could use protected health information in all instances for which they could disclose the information for these purposes. In the final rule, as discussed below, we retain this language in the paragraphs on public health activities and health oversight. However, we eliminate this clause with respect to uses of protected health information for judicial and administrative proceedings, because we no longer believe that there would be any situations in which a covered entity would also be a judicial or administrative tribunal. Proposed § 164.510(e) of the NPRM, regarding disclosure of protected health information to coroners, did not include such a provision. In the final rule we have added it because we believe there are situations in which a covered entity, for example, a public hospital conducting post-mortem investigations, may need to use protected health information for the same purposes for which it would have disclosed the information to a coroner.

While the right to request restrictions under § 164.522 and the consents required under § 164.506 do not apply to the use and disclosure of protected health information under § 164.512, we do not intend to preempt any state or other restrictions, or any right to enforce such agreements or consents under other law.

We note that a covered entity may use or disclose protected health information as permitted by and in accordance with one of the paragraphs of § 164.512, regardless of whether that use or disclosure fails to meet the requirements for use or disclosure under a different paragraph in § 164.512 or elsewhere in the rule.

Verification for Disclosures Under § 164.512

In § 164.510(a) of the NPRM, we proposed that covered entities verify the identity and authority of persons to whom they made disclosure under the section. In the final rule, we generally have retained the proposed requirements. Verification requirements are discussed in § 164.514 of the final rule.

Section 164.512(a)—Uses and Disclosures Required by Law

In the NPRM we would have allowed covered entities to use or disclose protected health information without individual authorization where such use or disclosure was required by other law, as long as the use or disclosure met all relevant requirements of such law. However, a legally mandated use or disclosure which fell into one or more of the national priority purposes expressly identified in proposed § 164.510 of the NPRM would have been subject to the terms and conditions specified by the applicable paragraph of proposed § 164.510. Thus, a disclosure required by law would have been allowed only to the extent it was not otherwise prohibited or restricted by another provision in proposed § 164.510. For example, mandatory reporting to law enforcement officials would not have been allowed unless such disclosures conformed to the requirements of proposed § 164.510(f) of the NPRM, on uses and disclosures for law enforcement purposes. As explained in the NPRM, this provision was not intended to obstruct access to information deemed important enough by federal, state or other government authorities to require it by law.

In § 164.512(a) of the final rule, we retain the proposed approach, and we permit covered entities to comply with laws requiring the use or disclosure of protected health information, provided the use or disclosure meets and is limited to the relevant requirements of such other laws. To more clearly address where the substantive and procedural requirements of other provisions in this section apply, we have deleted the general sentence from the NPRM which stated that the provision ‘‘does not apply to uses or disclosures that are covered by paragraphs (b) through (m)’’ of proposed § 164.510. Instead, in § 164.512(a)(2) we list the specific paragraphs that have additional requirements with which covered entities must comply. They are disclosures about victims of abuse, neglect or domestic violence (§ 164.512(c)), for judicial and administrative proceedings (§ 164.512(e)), and for law enforcement purposes (§ 164.512(f)). We include a new definition of ‘‘required by law.’’ See § 164.501. We clarify that the requirements provided for in § 164.514(h) relating to verification apply to disclosures under this paragraph. Those provisions require covered entities to verify the identity and authority of persons to whom they make disclosures. We note that the minimum necessary requirements of § 164.514(d) do not apply to disclosures made under this paragraph.

We note that this rule does not affect what is required by other law, nor does it compel a covered entity to make a use or disclosure of protected health information required by the legal demands or reporting requirements listed in the definition of ‘‘required by law.’’ Covered entities will not be sanctioned under this rule for responding in good faith to such legal process and reporting requirements. However, nothing in this rule affects, either by expanding or contracting, a covered entity’s right to challenge such process or reporting requirements under other laws. The only disclosures of protected health information compelled by this rule are disclosures to an individual (or the personal representative of an individual) or to the Secretary for the purposes of enforcing this rule.

Uses and disclosures permitted under this paragraph must be limited to the protected health information necessary to meet the requirements of the law that compels the use or disclosure. For example, disclosures pursuant to an administrative subpoena are limited to the protected health information authorized to be disclosed on the face of the subpoena.

Section 164.512(b)—Uses and Disclosures for Public Health Activities

The NPRM would have allowed covered entities to disclose protected health information without individual authorization to: (1) A public health authority authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions; (2) a public health authority or other appropriate authority authorized by law to receive reports of child abuse or neglect; (3) a person or entity other than a governmental authority that could demonstrate or demonstrated that it was acting to comply with requirements or direction of a public health authority; or (4) a person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition and was authorized by law to be notified as necessary in the conduct of a public health intervention or investigation.

In the final rule, we broaden the scope of permissible disclosures pursuant to item (1) listed above. We narrow the scope of disclosures permissible under item (3) of this list, and we add language to clarify the scope of permissible disclosures with respect to item (4) on the list. We broaden the scope of allowable disclosures regarding item (1) by allowing covered entities to disclose protected health information not only to U.S. public health authorities but also, at the direction of a public health authority, to an official of a foreign government agency that is acting in collaboration with a public health authority. For example, we allow covered entities to disclose protected health information to a foreign government agency that is collaborating with the Centers for Disease Control and Prevention to limit the spread of infectious disease.

We narrow the conditions under which covered entities may disclose protected health information to non-government entities. We allow covered entities to disclose protected health information to a person subject to the FDA’s jurisdiction, for the following activities: to report adverse events (or similar reports with respect to food or dietary supplements), product defects or problems, or biological product deviations, if the disclosure is made to the person required or directed to report such information to the FDA; to track products if the disclosure is made to a person required or directed by the FDA to track the product; to enable product recalls, repairs, or replacement, including locating and notifying individuals who have received products regarding product recalls, withdrawals, or other problems; or to conduct post-marketing surveillance to comply with requirements or at the direction of the FDA.

The terms included in § 164.512(b)(iii) are intended to have both their commonly understood meanings, as well as any specialized meanings, pursuant to the Food, Drug, and Cosmetic Act (21 U.S.C. 321 et seq.) or the Public Health Service Act (42 U.S.C. 201 et seq.). For example, ‘‘post-marketing surveillance’’ is intended to mean activities related to determining the safety or effectiveness of a product after it has been approved and is in commercial distribution, as well as certain Phase IV (post-approval) commitments by pharmaceutical companies. With respect to devices, ‘‘post-marketing surveillance’’ can be construed to refer to requirements of section 522 of the Food, Drug, and Cosmetic Act regarding certain implanted, life-sustaining, or life-supporting devices. The term ‘‘track’’ includes, for example, tracking devices under section 519(e) of the Food, Drug, and Cosmetic Act, units of blood or other blood products, as well as trace-backs of contaminated food.

In § 164.512(b)(iii), the term ‘‘required’’ refers to requirements in statute, regulation, order, or other legally binding authority exercised by the FDA. The term ‘‘directed,’’ as used in this section, includes other official agency communications such as guidance documents.

We note that under this provision, a covered entity may disclose protected health information to a non-governmental organization without individual authorization for inclusion in a private data base or registry only if the disclosure is otherwise for one of the purposes described in this provision (e.g., for tracking products pursuant to FDA direction or requirements, for post-marketing surveillance to comply with FDA requirements or direction).

To make a disclosure that is not for one of these activities, covered entities must obtain individual authorization or must meet the requirements of another provision of this rule. For example, covered entities may disclose protected health information to employers for inclusion in a workplace surveillance database only: with individual authorization; if the disclosure is required by law; if the disclosure meets the requirements of § 164.512(b)(v); or if the disclosure meets the conditions of another provision of this regulation, such as § 154.512(i) relating to research. Similarly, if a pharmaceutical company seeks to create a registry containing protected health information about individuals who had taken a drug that the pharmaceutical company had developed, covered entities may disclose protected health information without authorization to the pharmaceutical company pursuant to FDA requirements or direction. If the pharmaceutical company’s registry is not for any of these purposes, covered entities may disclose protected health information to it only with patient authorization, if required by law, or if disclosure meets the conditions of another provision of this rule.

The final rule continues to permit covered entities to disclose protected health information without individual authorization directly to public health authorities, such as the Food and Drug Administration, the Occupational Safety and Health Administration, the Centers for Disease Control and Prevention, as well as state and local public health departments, for public health purposes as specified in the NPRM.

The final rule retains the NPRM provision allowing covered entities to disclose protected health information to public health authorities or other appropriate government authorities authorized by law to receive reports of child abuse or neglect. In addition, we clarify the NPRM’s provision regarding disclosure of protected health information to persons who may have been exposed to a communicable disease or who may otherwise be at risk of contracting or spreading a disease or condition. Under the final rule, covered entities may disclose protected health information to such individuals when the covered entity or public health authority is authorized by law to notify these individuals as necessary in the conduct of a public health intervention or investigation.

In addition, as in the NPRM, under the final rule, a covered entity that is acting as a public health authority—for example, a public hospital conducting infectious disease surveillance in its role as an arm of the public health department—may use protected health information in all cases for which it is allowed to disclose such information for public health activities as described above.

The proposed rule did not contain a specific provision relating to disclosures by covered health care providers to employers concerning work-related injuries or illnesses or workplace medical surveillance. Under the proposed rule, a covered entity would have been permitted to disclose protected health information without individual authorization for public health purposes to a private person if the person could demonstrate that it was acting to comply with requirements or at the direction of a public health authority.

As discussed above, in the final rule we narrow the scope of this paragraph as it applies to disclosures to persons other than public health authorities. To ensure that covered health care providers may make disclosures of protected health information without individual authorization to employers when appropriate under federal and state laws addressing work-related injuries and illnesses or workplace medical surveillance, we include a new provision in the final rule. The provision permits covered health care providers who provide health care as a workforce member of or at the request of an employer to disclose to that employer protected health information concerning work-related injuries or illnesses or workplace medical surveillance in situations where the employer has a duty under the Occupational Safety and Health Act, the Federal Mine Safety and Health Act, or under a similar state law, to keep records on or act on such information. For example, OSHA regulations in 29 CFR part 1904 require employers to record work-related injuries and illnesses if medical treatment is necessary; MSHA regulations at 30 CFR part 50 require mine operators to report injuries and illnesses experienced by miners. Similarly, OSHA rules require employers to monitor employees’ exposure to certain substances and to remove employees from exposure when toxic thresholds have been met. To obtain the relevant health information necessary to determine whether an injury or illness should be recorded, or whether an employee must be medically removed from exposure at work, employers must refer employees to health care providers for examination and testing.

OSHA and MSHA rules do not impose duties directly upon health care providers to disclose health information pertaining to recordkeeping and medical monitoring requirements to employers. Rather, these rules operate on the presumption that health care providers who provide services at the request of an employer will be able to disclose to the employer work-related health information necessary for the employer to fulfill its compliance obligations. This new provision permits covered entities to make disclosures necessary for the effective functioning of OSHA and MSHA requirements, or those of similar state laws, by permitting a health care provider to make disclosures without the authorization of the individual concerning work-related injuries or illnesses or workplace medical surveillance in situations where the employer has a duty under OSHA and MSHA requirements, or under a similar state law, to keep records on or act on such information.

We require health care providers who make disclosures to employers under this provision to provide notice to individuals that they disclose protected health information to employers relating to the medical surveillance of the workplace and work-related illnesses and injuries. The notice required under this provision is separate from the notice required under § 164.520. The notice required under this provision may be met by giving a copy of the notice to the individual at the time the provider provides the health care services, or, if the health care services are provided on the work site of the employer, by posting the notice in a prominent place at the location where the health care services are provided.

82527 Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations

This provision applies only when a covered health care provider provides health care services as a workforce member of or at the request of an employer and for the purposes discussed above. The provision does not affect the application of this rule to other health care provided to individuals or to their relationship with health care providers that they select.

Section 164.512(c)—Disclosures About Victims of Abuse, Neglect or Domestic Violence

The NPRM included two provisions related to disclosures about persons who are victims of abuse. In the NPRM, we would have allowed covered entities to report child abuse to a public health authority or other appropriate authority authorized by law to receive reports of child abuse or neglect. In addition, under proposed § 164.510(f)(3) of the NPRM, we would have allowed covered entities to disclose protected health information about a victim of a crime, abuse or other harm to a law enforcement official under certain circumstances. The NPRM recognized that most, if not all, states had laws that mandated reporting of child abuse or neglect to the appropriate authorities. Moreover, HIPAA expressly carved out state laws on child abuse and neglect from preemption or any other interference. The NPRM further acknowledged that most, but not all, states had laws mandating the reporting of abuse, neglect or exploitation of the elderly or other vulnerable adults. We did not intend to impede reporting in compliance with these laws.

The final rule includes a new paragraph, § 164.512(c), which allows covered entities to report protected health information to specified authorities in abuse situations other than those involving child abuse and neglect. In the final rule, disclosures of protected health information related to child abuse continue to be addressed in the paragraph allowing disclosure for public health activities (§ 164.512(b)), as described above. Because HIPAA addresses child abuse specifically in connection with a state’s public health activities, we believe it would not be appropriate to include child abuse-related disclosures in this separate paragraph on abuse. State laws continue to apply with respect to child abuse, and the final rule does not in any way interfere with a covered entity’s ability to comply with these laws.

In the final rule, we address disclosures about other victims of abuse, neglect and domestic violence in § 164.512(c) rather than in the law enforcement paragraph. Section 164.512(c) establishes conditions for disclosure of protected health information in cases involving domestic violence other than child abuse (e.g., spousal abuse), as well as those involving abuse or neglect (e.g., abuse of nursing home residents or residents of facilities for the mentally retarded). This paragraph addresses reports to law enforcement as well as to other authorized public officials. The provisions of this paragraph supersede the provisions of § 164.512(a) and § 164.512(f)(1)(i) to the extent that those provisions address the subject matter of this paragraph.

Under the circumstances described below, the final rule allows covered entities to disclose protected health information about an individual whom the covered entity reasonably believes to be a victim of abuse, neglect, or domestic violence. In this paragraph, references to ‘‘individual’’ should be construed to mean the individual believed to be the victim. The rule allows such disclosure to any governmental authority authorized by law to receive reports of such abuse, neglect, or domestic violence. These entities may include, for example, adult protective or social services agencies, state survey and certification agencies, ombudsmen for the aging or those in long-term care facilities, and law enforcement or oversight.

The final rule specifies three circumstances in which disclosures of protected health information are allowed in order to report abuse, neglect or domestic violence. First, this paragraph allows disclosure of protected health information related to abuse if required by law and the disclosure complies with and is limited to the relevant requirements of such law. As discussed below, the final rule requires covered entities that make such disclosures pursuant to a state’s mandatory reporting law to inform the individual of the report.

Second, this paragraph allows covered entities to disclose protected health information related to abuse if the individual has agreed to such disclosure. When considering the possibility of disclosing protected health information in an abuse situation pursuant to this section, we encourage covered entities to seek the individual’s agreement whenever possible.

Third, this paragraph allows covered entities to disclose protected health information about an individual without the individual’s agreement if the disclosure is expressly authorized by statute or regulation and either: (1) The covered entity, in the exercise of its professional judgment, believes that the disclosure is necessary to prevent serious harm to the individual or to other potential victims; or (2) if the individual is unable to agree due to incapacity, a law enforcement or other public official authorized to receive the report represents that the protected health information for which disclosure is sought is not intended to be used against the individual, and that an immediate enforcement activity that depends on the disclosure would be materially and adversely affected by waiting until the individual is able to agree to the disclosure.

We emphasize that disclosure under this third part of the paragraph also may be made only if it is expressly authorized by statute or regulation. We use this formulation, rather than the broader ‘‘required by law,’’ because of the heightened privacy and safety concerns in these situations. We believe it appropriate to defer to other public determinations regarding reporting of this information only where a legislative or executive body has determined the reporting to be of sufficient importance to warrant enactment of a law or promulgation of a regulation. Laws and regulations reflect a clear decision to authorize the particular disclosure of protected health information, and reflect greater public accountability (e.g., through the required public comment process or because enacted by elected representatives).

For example, a Wisconsin law (Wis. Stat. § 46.90(4)) states that any person may report to a county agency or state official that he or she believes that abuse or neglect has occurred. Pursuant to § 164.512(c)(1)(iii), a covered entity may make a report only if the specific type or subject matter of the report (e.g., abuse or neglect of the elderly) is included in the law authorizing the report, and such a disclosure may only be made to a public authority specifically identified in the law authorizing the report. Furthermore, we note that disclosures under this part of the paragraph are further limited to two circumstances. In the first case, a covered entity, in the exercise of professional judgment, must believe that the disclosure is necessary to prevent serious harm to the individual or to other potential victims. The second case addresses situations in which an individual who is a victim of abuse, neglect or domestic violence is unable to agree due to incapacity and a law enforcement or other public official authorized to receive the report represents that the protected health information for which disclosure is sought is not intended to be used against the individual and that an immediate law enforcement activity that depends on the disclosure would be materially and adversely affected by waiting until the individual is able to agree to the disclosure. We note that, in this second case, a covered entity may exercise discretion, consistent with professional judgment as to the patient’s best interest, in deciding whether to make the requested disclosure.

The rules governing disclosure in this third set of circumstances are different from those governing disclosures pursuant to § 164.512(f)(3) regarding disclosure to law enforcement about victims of crime and other harm. We believe that in abuse situations—to a greater extent than in situations involving crime victims in general—there is clear potential for abusers to cause further serious harm to the victim or to others, such as other family members in a household or other residents of a nursing home. The provisions allowing reporting of abuse when authorized by state law, as described above, are consistent with principles articulated by the AMA’s Council on Ethical and Judicial Affairs, which state that when reporting abuse is voluntary under state law, it is justified when necessary to prevent serious harm to a patient. Through the provisions of § 164.512(c), we recognize the unique circumstances surrounding abuse and domestic violence, and we seek to provide an appropriate balance between individual privacy interests and important societal interests such as preventing serious harm to other individuals. We note that here we are relying on covered entities, in the exercise of professional judgment, to determine what is in the best interests of the patient.

Finally, we require covered entities to inform the individual in all of the situations described above that the covered entity has disclosed protected health information to report abuse, neglect, or domestic violence. We allow covered entities to provide this information orally. We do not require written notification, nor do we encourage it, due to the sensitivity of abuse situations and the potential for the abuser to cause further harm to the individual if, for example, a covered entity sends written notification to the home of the individual and the abuser. Whenever possible, covered entities should inform the individual at the same time that they determine abuse has occurred and decide that the abuse should be reported. In cases involving patient incapacity, we encourage covered entities to inform the individual of such disclosures as soon as it is practicable to do so.

The rule provides two exceptions to the requirement to inform the victim about a report to a government authority, one based on concern for future harm and one based on past harm. First, a covered entity need not inform the victim if the covered entity, in the exercise of professional judgment, believes that informing the individual would place the individual at risk of serious harm. We believe that this exception is necessary to address the potential for future harm, either physical or emotional, that the individual may face from knowing that the report has been made. Second, a covered entity may choose not to meet the requirement for informing the victim, if the covered entity actually would be informing a personal representative (such as a parent of a minor) and the covered entity reasonably believes that such person is responsible for the abuse, neglect, or other injury that has already occurred and that informing that person would not be in the individual’s best interests.

Section 164.512(d)—Uses and Disclosures for Health Oversight Activities

Under § 164.510(c) of the NPRM, we proposed to permit covered entities to disclose protected health information to health oversight agencies for oversight activities authorized by law, including audit, investigation, inspection, civil, criminal, or administrative proceeding or action, or other activity necessary for appropriate oversight of: (i) the health care system; (ii) government benefit programs for which health information is relevant to beneficiary eligibility; or (iii) government regulatory programs for which health information is necessary for determining compliance with program standards.

In § 164.512(d) of the final rule, we modify the proposed language to include civil and criminal investigations. In describing ‘‘other activities necessary for oversight’’ of particular entities, we add the phrase ‘‘entities subject to civil rights laws for which health information is necessary for determining compliance.’’ In addition, in the final rule, we add ‘‘licensure or disciplinary actions’’ to the list of oversight activities authorized by law for which covered entities may disclose protected health information to health oversight agencies. The NPRM’s definition of ‘‘health oversight agency’’ (in proposed § 164.504) included this phrase, but it was inadvertently excluded from the regulation text at proposed § 164.510(c). We make this change in the regulation text of the final rule to conform to the NPRM’s definition of health oversight agency and to reflect the full range of activities for which we intend to allow covered entities to disclose protected health information to health oversight agencies.

The NPRM would have allowed, but would not have required, covered entities to disclose protected health information to public oversight agencies and to private entities acting under grant of authority from or under contract with oversight agencies for oversight purposes without individual authorization for health oversight activities authorized by law. When a covered entity was also an oversight agency, it also would have been permitted to use protected health information in all cases in which it would have been allowed to disclose such information for health oversight purposes. The NPRM would not have established any new administrative or judicial process prior to disclosure for health oversight, nor would it have permitted disclosures forbidden by other law. The proposed rule also would not have created any new right of access to health records by oversight agencies, and it could not have been used as authority to obtain records not otherwise legally available to the oversight agency.

The final rule retains this approach to health oversight. As in the NPRM, the final rule provides that when a covered entity is also an oversight agency, it is allowed to use protected health information in all cases in which it is allowed to disclose such information for health oversight purposes. For example, if a state insurance department is acting as a health plan in operating the state’s Medicaid managed care program, the final rule allows the insurance department to use protected health information in all cases for which the plan can disclose the protected health information for health oversight purposes. Thus, the state insurance department in its capacity as the state Medicaid managed care plan can use protected health information in the process of investigating and disciplining a state Medicaid provider for attempting to defraud the Medicaid system. As in the NPRM, the final rule does not establish any new administrative or judicial process prior to disclosure for health oversight, nor does it prohibit covered entities from making any disclosures for health oversight that are otherwise required by law. Like the NPRM, it does not create any new right of access to health records by oversight agencies and it cannot be used as authority to obtain records not otherwise legally available to the oversight agency.

Overlap Between Law Enforcement and Oversight

Under the NPRM, the proposed definitions of law enforcement and oversight, and the rules governing disclosures for these purposes, overlapped. Specifically, this overlap occurred because: (1) The NPRM preamble, but not the NPRM regulation text, indicated that agencies conducting both oversight and law enforcement activities would be subject to the oversight requirements when conducting oversight activities; and (2) the NPRM addressed some disclosures for investigations of health care fraud in the law enforcement paragraph (proposed § 164.510(f)(5)(i)), while health care fraud investigations are central to the purpose of health care oversight agencies (covered under proposed § 164.510(c)). In the final rule, we make substantial changes to these provisions, in an attempt to prevent confusion.

In § 164.512(d)(2), we include explicit decision rules indicating when an investigation is considered law enforcement and when an investigation is considered oversight under this regulation. An investigation or activity is not considered health oversight for purposes of this rule if: (1) The individual is the subject of the investigation or activity; and (2) The investigation or activity does not arise out of and is not directly related to: (a) The receipt of health care; (b) a claim for public benefits related to health; or (c) qualification for, or receipt of, public benefits or services where a patient’s health is integral to the claim for benefits or services. In such cases, where the individual is the subject of the investigation and the investigation does not relate to issues (a) through (c), the rules regarding disclosure for law enforcement purposes (see § 164.512(f)) apply. For the purposes of this rule, we intend for investigations regarding issues (a) through (c) above to mean investigations of health care fraud.

Where the individual is not the subject of the activity or investigation, or where the investigation or activity relates to the subject matter in (a) through (c) of the preceding paragraph, a covered entity may make a disclosure pursuant to § 164.512(d)(1). For example, when the U.S. Department of Labor’s Pension and Welfare Benefits Administration (PWBA) needs to analyze protected health information about health plan enrollees in order to conduct an audit or investigation of the health plan (i.e., the enrollees are not subjects of the investigation) to investigate potential fraud by the plan, the health plan may disclose protected health information to the PWBA under the health oversight rules. These rules and distinctions are discussed in greater detail in our responses to comments.

To clarify further that health oversight disclosure rules apply generally in health care fraud investigations (subject to the exception described above), in the final rule, we eliminate proposed § 164.510(f)(5)(i), which would have established requirements for disclosure related to health care fraud for law enforcement purposes. All disclosures of protected health information that would have been permitted under proposed § 164.510(f)(5)(i) are permitted under § 164.512(d).

In the final rule, we add new language (§ 164.512(d)(3)) to address situations in which health oversight activities are conducted in conjunction with an investigation regarding a claim for public benefits not related to health (e.g., claims for Food Stamps). In such situations, for example, when a state Medicaid agency is working with the Food Stamps program to investigate suspected fraud involving Medicaid and Food Stamps, covered entities may disclose protected health information to the entities conducting the joint investigation under the health oversight provisions of the rule.

In the proposed rule, the definitions of ‘‘law enforcement proceeding’’ and ‘‘oversight activity’’ both included the phrase ‘‘criminal, civil, or administrative proceeding.’’ For reasons explained below, the final rule retains this phrase in both definitions. The final rule does not attempt to distinguish between these activities based on the agency undertaking them or the applicable enforcement procedures. Rather, as described above, the final rule carves out certain activities which must always be considered law enforcement for purposes of disclosure of protected health information under this rule.

Additional Considerations

We note that covered entities are permitted to initiate disclosures that are permitted under this paragraph. For example, a covered entity could disclose protected health information in the course of reporting suspected health care fraud to a health oversight agency.

We delete language in the NPRM that would have allowed disclosure under this section only to law enforcement officials conducting or supervising an investigation, official inquiry, or a criminal, civil or administrative proceeding authorized by law. In some instances, a disclosure by a covered entity under this section will initiate such an investigation or proceeding, but it will not already be ongoing at the time the disclosure is made.

Section 164.512(e)—Disclosures and Uses for Judicial and Administrative Proceedings

Section 164.512(e) addresses when a covered entity is permitted to disclose protected health information in response to requests for protected health information that are made in the course of judicial and administrative proceedings—for example, when a non-party health care provider receives a subpoena (under Federal Rule of Civil Procedure Rule 45 or a similar provision) for medical records from a party to a lawsuit. In the NPRM we would have allowed covered entities to disclose protected health information in the course of any judicial or administrative proceeding: (1) In response to an order of a court or administrative tribunal; or (2) where an individual was a party to the proceeding and his or her medical condition or history was at issue and the disclosure was pursuant to lawful process or otherwise authorized by law. Under the NPRM, if the request for disclosure of protected health information was accompanied by a court order, a covered entity could have disclosed that protected health information which the court order authorized to be disclosed. If the request for disclosure of protected health information were not accompanied by a court order, covered entities could not have disclosed the information requested unless a request authorized by law had been made by the agency requesting the information or by legal counsel representing a party to litigation, with a written statement certifying that the protected health information requested concerned a litigant to the proceeding and that the health condition of the litigant was at issue at the proceeding.

In § 164.512(e) of the final rule, we permit covered entities to disclose protected health information in a judicial or administrative proceeding if the request for such protected health information is made through or pursuant to an order from a court or administrative tribunal or in response to a subpoena or discovery request from, or other lawful process by, a party to the proceeding. When a request is made pursuant to an order from a court or administrative tribunal, a covered entity may disclose the information requested without additional process. For example, a subpoena issued by a court constitutes a disclosure which is required by law as defined in this rule, and nothing in this rule is intended to interfere with the ability of the covered entity to comply with such subpoena.


However, absent an order of, or a subpoena issued by, a court or administrative tribunal, a covered entity may respond to a subpoena or discovery request from, or other lawful process by, a party to the proceeding only if the covered entity obtains either: (1) Satisfactory assurances that reasonable efforts have been made to give the individual whose information has been requested notice of the request; or (2) satisfactory assurances that the party seeking such information has made reasonable efforts to secure a protective order that will guard the confidentiality of the information. In meeting the first test, a covered entity is considered to have received satisfactory assurances from the party seeking the information if that party demonstrates that it has made a good faith effort (such as by sending a notice to the individual’s last known address) to provide written notice to the individual whose information is the subject of the request, that the written notice included sufficient information about the proceeding to permit the individual to raise an objection, and that the time for the individual to raise objections to the court or administrative tribunal has elapsed and no objections were filed or any objections filed by the individual have been resolved.

Unless required to do so by other law, the covered entity is not required to explain the procedures (if any) available for the individual to object to the disclosure. Under the rule, the individual exercises the right to object before the court or other body having jurisdiction over the proceeding, and not to the covered entity. The provisions in this paragraph are not intended to disrupt current practice whereby an individual who is a party to a proceeding and has put his or her medical condition at issue will not prevail without consenting to the production of his or her protected health information. In such cases, we presume that parties will have ample notice and an opportunity to object in the context of the proceeding in which the individual is a party.

As described above, in this paragraph we also permit a covered entity to disclose protected health information in response to a subpoena, discovery request, or other lawful process if the covered entity receives satisfactory assurances that the party seeking the information has made reasonable efforts to seek a qualified protective order that would protect the privacy of the information. A ‘‘qualified protective order’’ means an order of a court or of an administrative tribunal or a stipulation that: (1) Prohibits the parties from using or disclosing the protected health information for any purpose other than the litigation or proceeding for which the records are requested; and (2) requires the return to the covered entity or destruction of the protected health information (including all copies made) at the end of the litigation or proceeding. Satisfactory assurances of reasonable efforts to secure a qualified protective order are a statement and documentation that the parties to the dispute have agreed to a protective order and that it has been submitted to the court or administrative tribunal with jurisdiction, or that the party seeking the protected health information has requested a qualified protective order from such court or tribunal. We encourage the development of ‘‘model’’ protective orders that will facilitate adherence to this subpart.

In the final rule we also permit the covered entity itself to satisfy the requirement to make reasonable efforts to notify the individual whose information has been requested or to seek a qualified protective order. We intend this to be a permissible activity for covered entities: we do not require covered entities to undertake these efforts in response to a subpoena, discovery request, or similar process (other than an order from a court or administrative tribunal). If a covered entity receives such a request without receiving the satisfactory assurances described above from the party requesting the information, the covered entity is free to object to the disclosure and is not required to undertake the reasonable efforts itself.

We clarify that the provisions of this paragraph do not supersede or otherwise invalidate other provisions of this rule that permit uses and disclosures of protected health information. For example, the fact that protected health information is the subject of a matter before a court or tribunal does not prevent its disclosure under another provision of the rule, such as §§ 164.512(b), 164.512(d), or 164.512(f), even if a public agency’s method of requesting the information is pursuant to an administrative proceeding. For example, where a public agency commences a disciplinary action against a health professional, and requests protected health information as part of its investigation, the disclosure may be made to the agency under paragraph (d) of this section (relating to health oversight) even if the method of making the request is through the proceeding. As with any request for disclosure under this section, the covered entity will need to verify the authority under which the request is being made, and we expect that public agencies will identify their authority when making such requests. We note that covered entities may reasonably rely on assertions of authority made by government agencies.

Additional Considerations

Where a disclosure made pursuant to this paragraph is required by law, such as in the case of an order from a court or administrative tribunal, the minimum necessary requirements in § 164.514(d) do not apply to disclosures made under this paragraph. A covered entity making a disclosure under this paragraph, however, may of course disclose only that protected health information that is within the scope of the permitted disclosure. For instance, in response to an order of a court or administrative tribunal, the covered entity may disclose only the protected health information that is expressly authorized by such an order. Where a disclosure is not considered under this rule to be required by law, the minimum necessary requirements apply, and the covered entity must make reasonable efforts to limit the information disclosed to that which is reasonably necessary to fulfill the request. A covered entity is not required to second guess the scope or purpose of the request, or take action to resist the request because it believes that the request is overbroad. In complying with the request, however, the covered entity must make reasonable efforts not to disclose more information than is requested. For example, a covered entity may not provide a party free access to its medical records under the theory that the party can identify the information necessary for the request. In some instances, it may be appropriate for a covered entity, presented with a relatively broad discovery request, to permit access to a relatively large amount of information in order for a party to identify the relevant information. This is permissible as long as the covered entity makes reasonable efforts to circumscribe the access as appropriate.

The NPRM indicated that when a covered entity was itself a government agency, the covered entity could use protected health information in all cases in which it would have been allowed to disclose such information in the course of any judicial or administrative proceeding. As explained above, the final rule does not include this provision.


82531 Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations

Section 164.512(f)—Disclosure for Law Enforcement Purposes

Disclosures Pursuant to Process and as Otherwise Required by Law

In the NPRM we would have allowed covered entities to disclose protected health information without individual authorization as required by other law. However, as explained above, if a legally mandated use or disclosure fell into one or more of the national priority purposes expressly identified in other paragraphs of proposed § 164.510, the disclosure would have been subject to the terms and conditions specified by the applicable paragraph of proposed § 164.510. For example, mandatory reporting to law enforcement officials would not have been allowed unless such disclosures conformed to the requirements of proposed § 164.510(f) of the NPRM. Proposed § 164.510(f) did not explicitly recognize disclosures required by other laws, and it would not have permitted covered entities to comply with some state and other mandatory reporting laws that require covered entities to disclose protected health information to law enforcement officials, such as the reporting of gunshot wounds, stab wounds, and/or burn injuries.

We did not intend to generally preempt state and other mandatory reporting laws, and in § 164.512(f)(1)(i) of the final rule, we explicitly permit covered entities to disclose protected health information for law enforcement purposes as required by other law. This provision permits covered entities to comply with these state and other laws. Under this provision, to the extent that a mandatory reporting law falls under the provisions of § 164.512(c)(1)(i) regarding reporting of abuse, neglect, or domestic violence, the requirements of those provisions supersede.

In the final rule, we specify that covered entities may disclose protected health information pursuant to this provision in compliance with and as limited by the relevant requirements of legal process or other law. In the NPRM, for the purposes of this portion of the law enforcement paragraph, we proposed to define ‘‘law enforcement inquiry or proceeding’’ as an investigation or official proceeding inquiring into a violation of or failure to comply with law; or a criminal, civil or administrative proceeding arising from a violation of or failure to comply with law. In the final rule, we do not include this definition in § 164.512(f), because it is redundant with the definition of ‘‘law enforcement official’’ in § 164.501.

Proposed § 164.510(f)(1) of the NPRM would have authorized disclosure of protected health information to a law enforcement official conducting or supervising a law enforcement inquiry or proceeding authorized by law pursuant to process, under three circumstances.

First, we proposed to permit such disclosures pursuant to a warrant, subpoena, or other order issued by a judicial officer that documented a finding by the officer. The NPRM did not specify requirements for the nature of the finding. In the final rule, we eliminate the requirement for a ‘‘finding,’’ and we make changes to the list of orders in response to which covered entities may disclose under this provision. Under the final rule, covered entities may disclose protected health information in compliance with and as limited by relevant requirements of: a court order or court-ordered warrant, or a subpoena or summons issued by a judicial officer. We made this change to the list to conform to the definition of ‘‘required by law’’ in § 164.501.

Second, we proposed to permit such disclosures pursuant to a state or federal grand jury subpoena. In the final rule, we leave this provision of the NPRM unchanged.

Third, we proposed to permit such disclosures pursuant to an administrative request, including an administrative subpoena or summons, a civil investigative demand, or similar process, under somewhat stricter standards than exist today for such disclosures. We proposed to permit a covered entity to disclose protected health information pursuant to an administrative request only if the request met three conditions, as follows: (i) The information sought was relevant and material to a legitimate law enforcement inquiry; (ii) the request was as specific and narrowly drawn as reasonably practicable; and (iii) de-identified information could not reasonably have been used to meet the purpose of the request.

The final rule generally adopts this provision of the NPRM. In the final rule, we modify the list of orders in response to which covered entities may disclose protected health information, to include administrative subpoenas or summons, civil or authorized investigative demands, or similar process authorized by law. We made this change to the list to conform with the definition of ‘‘required by law’’ in § 164.501. In addition, we slightly modify the second of the three conditions under which covered entities may respond to such requests, to allow disclosure if the request is specific and is limited in scope to the extent reasonably practicable in light of the purpose for which the information is sought.

Limited Information for Identification and Location Purposes

The NPRM would have allowed covered entities to disclose ‘‘limited identifying information’’ for purposes of identifying a suspect, fugitive, material witness, or missing person, in response to a law enforcement request. We proposed to define ‘‘limited identifying information’’ as (i) name; (ii) address; (iii) Social Security number; (iv) date of birth; (v) place of birth; (vi) type of injury or other distinguishing characteristic; and (vii) date and time of treatment.

The final rule generally adopts this provision of the NPRM with a few modifications. In the final rule, we expand the circumstances under which limited information about suspects, fugitives, material witnesses, and missing persons may be disclosed, to include not only cases in which law enforcement officials are seeking to identify such individuals, but also cases in which law enforcement officials are seeking to locate such individuals. In addition, the final rule modifies the list of data elements that may be disclosed under this provision, in several ways. We expand the list of elements that may be disclosed under these circumstances, to include ABO blood type and Rh factor, as well as date and time of death, if applicable. We remove ‘‘other distinguishing characteristic’’ from the list of items that may be disclosed for the location and identification purposes described in this paragraph, and instead allow covered entities to disclose only a description of distinguishing physical characteristics, such as scars and tattoos, height, weight, gender, race, hair and eye color, and the presence or absence of facial hair such as a beard or moustache. In addition, in the final rule, protected health information associated with the following cannot be disclosed pursuant to § 164.512(f)(2): DNA data and analyses; dental records; or typing, samples or analyses of tissues or bodily fluids other than blood (e.g., saliva). If a covered entity discloses additional information under this provision, the covered entity will be out of compliance and subject to sanction.

We clarify our intent not to allow covered entities to initiate disclosures of limited identifying information to law enforcement in the absence of a law enforcement request; a covered entity may disclose protected health information under this provision only in response to a request from law enforcement. We allow a ‘‘law enforcement official’s request’’ to be made orally or in writing, and we intend for it to include requests by a person acting on behalf of law enforcement, for example, requests by a media organization making a television or radio announcement seeking the public’s assistance in identifying a suspect. Such a request also may include a ‘‘Wanted’’ poster and similar postings.

Disclosure About a Victim of Crime

The NPRM would have allowed covered entities to disclose protected health information about a victim of a crime, abuse or other harm to a law enforcement official, if the law enforcement official represented that: (i) The information was needed to determine whether a violation of law by a person other than the victim had occurred; and (ii) immediate law enforcement activity that depended on obtaining the information may have been necessary.

The final rule modifies the conditions under which covered entities can disclose protected health information about victims. In addition, as discussed above, the final rule includes a new § 164.512(c), which establishes conditions for disclosure of protected health information about victims of abuse, neglect or domestic violence. In addition, as discussed above, we have added § 164.512(f)(1)(i) to this paragraph to explicitly recognize that in some cases, covered entities’ disclosure of protected health information is mandated by state or other law. The rule’s requirements for disclosure in situations not covered under mandatory reporting laws are different from the rule’s provisions regarding disclosure pursuant to a mandatory reporting law.

The final rule requires covered entities to obtain individual agreement as a condition of disclosing the protected health information about victims to law enforcement, unless the disclosure is permitted under § 164.512(b) or (c) or § 164.512(f)(1) above. The required agreement may be obtained orally, and does not need to meet the requirements of § 164.508 of this rule (regarding authorizations). The rule waives the requirement for individual agreement if the victim is unable to agree due to incapacity or other emergency circumstance and: (1) The law enforcement official represents that the protected health information is needed to determine whether a violation of law by a person other than the victim has occurred and the information is not intended to be used against the victim; (2) the law enforcement official represents that immediate law enforcement activity that depends on such disclosure would be materially and adversely affected by waiting until the individual is able to agree to the disclosure; and (3) the covered entity, in the exercise of professional judgment, determines that the disclosure is in the individual’s best interests. We intend that assessing the individual’s best interests includes taking into account any further risk of harm to the individual. This provision does not allow covered entities to initiate disclosures of protected health information to law enforcement; the disclosure must be in response to a request from law enforcement.

We do not intend to create a new legal duty on the part of covered entities with respect to the safety of their patients. Rather, we intend to ensure that covered entities can continue to exercise their professional judgment in these circumstances, on a case-by-case basis, as they do today.

In some cases, a victim may also be a fugitive or suspect. For example, an individual may receive a gunshot wound during a robbery and seek treatment in a hospital emergency room. In such cases, when law enforcement officials are requesting protected health information because the individual is a suspect (and thus the information may be used against the individual), covered entities may disclose the protected health information pursuant to § 164.512(f)(2) regarding suspects and not pursuant to § 164.512(f)(3) regarding victims. Thus, in these situations, covered entities may disclose only the limited identifying information listed in § 164.512(f)(2)—not all of the protected health information that may be disclosed under § 164.512(f)(3).

The proposed rule did not address whether a covered entity could disclose protected health information to a law enforcement official to alert the official of the individual’s death.

Disclosures About Decedents

In the final rule, we add a new provision § 164.512(f)(4) in which we permit covered entities to disclose protected health information about an individual who has died to a law enforcement official for the purpose of alerting law enforcement of the death if the covered entity has a suspicion that such death may have resulted from criminal conduct. In such circumstances consent of the individual is not available and it may be difficult to determine the identity of a personal representative and gain consent for disclosure of protected health information. Permitting disclosures in this circumstance will permit law enforcement officials to begin their investigation into the death more rapidly, increasing the likelihood of success.

Intelligence and National Security Activities

Section 164.510(f)(4) of the NPRM would have allowed covered entities to disclose protected health information to a law enforcement official without individual authorization for the conduct of lawful intelligence activities conducted pursuant to the National Security Act of 1947 (50 U.S.C. 401 et seq.) or in connection with providing protective services to the President or other individuals pursuant to section 3056 of title 18, United States Code. In the final rule, we move provisions regarding disclosures of protected health information for intelligence and protective services activities to § 164.512(k) regarding uses and disclosures for specialized government functions.

Criminal Conduct on the Premises of a Covered Entity

The NPRM would have allowed covered entities on their own initiative to disclose to law enforcement officials protected health information that the covered entity believed in good faith constituted evidence of criminal conduct that arose out of and was directly related to: (A) The receipt of health care or payment for health care, including a fraudulent claim for health care; (B) qualification for or receipt of benefits, payments, or services based on a fraudulent statement or material misrepresentation of the health of the individual; that occurred on the covered entity’s premises or was witnessed by a member of the covered entity’s workforce.

In the final rule, we modify this provision substantially, by eliminating language allowing disclosures already permitted in other sections of the regulation. The proposed provision overlapped with other sections of the NPRM, in particular proposed § 164.510(c) regarding disclosure for health oversight activities. In the final regulation, we clarify that this provision applies only to disclosures to law enforcement officials of protected health information that the covered entity believes in good faith constitutes evidence of a crime committed on the premises. We eliminate proposed § 164.510(f)(5)(i) regarding health care fraud from the law enforcement section, because all disclosures that would have been allowed under that provision are allowed under § 164.512(d) of the final rule (health oversight). Similarly, in the final rule, we eliminate proposed § 164.510(f)(5)(iii) on disclosure of protected health information to law enforcement officials regarding criminal activity witnessed by a member of a health plan workforce. All disclosures that would have been permitted by that provision are included in § 164.512(f)(5), which allows disclosure of information to report a crime committed on the covered entity’s premises, and by § 164.502, which provides that a covered entity is not in violation of the rule when a member of its workforce or person working for a business associate uses or discloses protected health information while acting as a ‘‘whistle blower.’’ Thus, § 164.512(f)(5) allows covered entities to disclose health information only on the good faith belief that it constitutes evidence of a crime on their premises. The preamble to the NPRM said that if the covered entity disclosed protected health information in good faith but was wrong in its belief that the information was evidence of a violation of law, the covered entity would not be subject to sanction under this regulation. The final rule retains this approach.

Reporting Crime in Emergencies

The proposed rule did not address disclosures by emergency medical personnel to a law enforcement official intended to alert law enforcement about the commission of a crime. Because the provisions of the proposed rule were limited to individually identifiable health information that was reduced to electronic form, many communications that occur between emergency medical personnel and law enforcement officials at the scene of a crime would not have been covered by the proposed provisions.

In the final rule we include a new provision § 164.512(f)(6) that addresses ‘‘911’’ calls for emergency medical technicians as well as other emergency health care in response to a medical emergency. The final rule permits a covered health care provider providing emergency health care in response to a medical emergency, other than such emergency on the premises of the covered health care provider, to disclose protected health information to a law enforcement official if such disclosure appears necessary to alert law enforcement to (1) the commission and nature of a crime, (2) the location of such crime or of the victim(s) of such crime, and (3) the identity, description, and location of the perpetrator of such crime. A disclosure is not permitted under this section if the health care provider believes that the medical emergency is the result of abuse, neglect, or domestic violence of the individual in need of emergency health care. In such cases, disclosures to law enforcement would be governed by paragraph (c) of this section.

This added provision recognizes the special role of emergency medical technicians and other providers who respond to medical emergencies. In emergencies, emergency medical personnel often arrive on the scene before or at the same time as police officers, firefighters, and other emergency response personnel. In these cases, providers may be in the best position, and sometimes be the only ones in the position, to alert law enforcement about criminal activity. For instance, providers may be the first persons aware that an individual has been the victim of a battery or an attempted murder. They may also be in the position to report in real time, through use of radio or other mechanism, information that may immediately contribute to the apprehension of a perpetrator of a crime.

We note that disclosure under this provision is at the discretion of the health care provider. Disclosures in some instances may be governed more strictly, such as by applicable ethical standards and state and local laws.

Finally, the NPRM also included a proposed § 164.510(f)(5), which duplicated proposed § 164.510(f)(3). The final rule does not include this duplicate provision.

Additional Considerations

As stated in the NPRM, this paragraph is not intended to limit or preclude a covered entity from asserting any lawful defense or otherwise contesting the nature or scope of the process when the procedural rules governing the proceeding so allow. At the same time, it is not intended to create a basis for appealing to federal court concerning a request by state law enforcement officials. Each covered entity will continue to have available legal procedures applicable in the appropriate jurisdiction to contest such requests where warranted.

As was the case with the NPRM, this rule does not create any new affirmative requirement for disclosure of protected health information. Similarly, this section is not intended to limit a covered entity from disclosing protected health information to law enforcement officials where other sections of the rule permit such disclosure, e.g., as permitted by § 164.512(j) to avert an imminent threat to health or safety, for health oversight activities, to coroners or medical examiners, and in other circumstances permitted by the rule. For additional provisions permitting covered entities to disclose protected health information to law enforcement officials, see § 164.512(j)(1)(i) and (ii).

Under the NPRM and under the final rule, to obtain protected health information, law enforcement officials must comply with whatever other law is applicable. In certain circumstances, while this provision could authorize a covered entity to disclose protected health information to law enforcement officials, there could be additional applicable statutes or rules that further govern the specific disclosure. If the preemption provisions of this regulation do not apply, the covered entity must comply with the requirements or limitations established by such other law, regulation or judicial precedent. See §§ 160.201 through 160.205. For example, if state law permits disclosure only after compulsory process with court review, a provider or payor is not allowed to disclose information to state law enforcement officials unless the officials have complied with that requirement. Similarly, disclosure of substance abuse patient records subject to 42 U.S.C. 290dd–2, and the implementing regulations, 42 CFR part 2, continues to be governed by those provisions.

In some instances, disclosure of protected health information to law enforcement officials will be compelled by other law, for example, by compulsory judicial process or compulsory reporting laws (such as laws requiring reporting of wounds from violent crimes, suspected child abuse, or suspected theft of controlled substances). As discussed above, disclosure of protected health information under such other mandatory law is permitted under § 164.512(a).

In the responses to comments we clarify that items such as cells and tissues are not protected health information, but that analyses of them are. The same treatment would be given other physical items, such as clothing, weapons, or a bloody knife. We note, however, that while these items are not protected health information and may be disclosed, some communications that could accompany the disclosure will be protected health information under the rule. For example, if a person provides cells to a researcher, and tells the researcher that these are an identified individual’s cancer cells, that accompanying statement is protected health information about that individual. Similarly, if a person provides a bullet to law enforcement, and tells law enforcement that the bullet was extracted from an identified individual, the person has disclosed the fact that the individual was treated for a wound, and the additional statement is a disclosure of protected health information.

To be able to make the additional statement accompanying the provision of the bullet, a covered entity must look to the rule to find a provision under which a disclosure may be made to law enforcement. Section 164.512(f) of the rule addresses disclosures for law enforcement purposes. Under § 164.512(f)(1), the additional statement may be disclosed to a law enforcement official if required by law or with appropriate process. Under § 164.512(f)(2), we permit covered entities to disclose limited identifying information without legal process in response to a request from a law enforcement official for the purpose of identifying or locating a suspect, fugitive, material witness, or missing person. Thus, in the case of the bullet described above, the covered entity may, in response to a law enforcement request, provide the extracted bullet and such additional limited identifying information as is permitted under § 164.512(f)(2).

Section 164.512(g)—Uses and Disclosures About Decedents

In the NPRM we proposed to allow covered entities to disclose protected health information without individual authorization to coroners and medical examiners, consistent with applicable law, for identification of a deceased person or to determine cause of death.

In § 164.512(g) of the final rule, we permit covered entities to disclose protected health information to coroners, medical examiners, and funeral directors as part of a new paragraph on disclosures related to death. The final rule retains the NPRM approach regarding disclosure of protected health information to coroners and medical examiners, and it allows the information disclosed to coroners and medical examiners to include identifying information about other persons that may be included in the individual’s medical record. Redaction of such names is not required prior to disclosing the individual’s record to coroners or medical examiners. Since covered entities may also perform duties of a coroner or medical examiner, where a covered entity is itself a coroner or medical examiner, the final rule permits the covered entity to use protected health information in all cases in which it is permitted to disclose such information for its duties as a coroner or medical examiner.

Section 164.512(g) allows covered entities to disclose protected health information to funeral directors, consistent with applicable law, as necessary to carry out their duties with respect to a decedent. For example, the rule allows hospitals to disclose to funeral directors the fact that an individual has donated an organ or tissue, because this information has implications for funeral home staff duties associated with embalming. When necessary for funeral directors to carry out their duties, covered entities may disclose protected health information prior to and in reasonable anticipation of the individual’s death.

Whereas the NPRM did not address the issue of disclosure of psychotherapy notes without individual authorization to coroners and medical examiners, the final rule allows such disclosures.

The NPRM did not include in proposed § 164.510(e) language stating that where a covered entity was itself a coroner or medical examiner, it could use protected health information for the purposes of engaging in a coroner’s or a medical examiner’s activities. The final rule includes such language to address situations such as where a public hospital performs medical examiner functions. In such cases, the hospital’s on-staff coroners can use protected health information while conducting post-mortem investigations, and other hospital staff can analyze any information associated with these investigations, for example, as part of the process of determining the cause of the individual’s death.

Section 164.512(h)—Uses and Disclosures for Cadaveric Donation of Organs, Eyes, or Tissues

In the NPRM we proposed to include the procurement or banking of blood, sperm, organs, or any other tissue for administration to patients in the definition of ‘‘health care’’ (described in proposed § 160.103). The NPRM’s proposed approach did not differentiate between situations in which the donor was competent to consent to the donation—for example, when an individual is donating blood, sperm, a kidney, or a liver or lung lobe—and situations in which the donor was deceased, for example, when cadaveric organs and tissues were being donated. We also proposed to allow use and disclosure of protected health information for treatment without consent.

In the final rule, we take a different approach. In § 164.512(h), we permit covered entities to disclose protected health information without individual authorization to organ procurement organizations or other entities engaged in the procurement, banking, or transplantation of cadaveric organs, eyes, or tissue for donation and transplantation. This provision is intended to address situations in which an individual has not previously indicated whether he or she seeks to donate organs, eyes, or tissues (and therefore authorized release of protected health information for this purpose). In such situations, this provision is intended to allow covered entities to initiate contact with organ and tissue donation and transplantation organizations to facilitate transplantation of cadaveric organs, eyes, and tissues.

Disclosures and Uses for Government Health Data Systems

In the NPRM we proposed to permit covered entities to disclose protected health information to a government agency, or to a private entity acting on behalf of a government agency, for inclusion in a government health data system collecting health data for analysis in support of policy, planning, regulatory, or management functions authorized by law. The NPRM stated that when a covered entity was itself a government agency collecting health data for these functions, it could use protected health information in all cases for which it was permitted to disclose such information to government health data systems.

In the final rule, we eliminate the provision that would have allowed covered entities to disclose protected health information to government health data systems without authorization. Thus, under the final rule, covered entities cannot disclose protected health information without authorization to government health data systems—or to private health data systems—unless the disclosure is permissible under another provision of the rule.

Disclosures for Payment Processes

In the NPRM we proposed to permit covered entities to disclose, in connection with routine banking activities or payment by debit, credit, or other payment card, or other payment means, the minimum amount of protected health information necessary to complete a banking or payment activity to financial institutions or to entities acting on behalf of financial institutions to authorize, process, clear, settle, bill, transfer, reconcile, or collect payments for financial institutions.

The preamble to the NPRM clarified the proposed rule’s intent regarding disclosure of diagnostic and treatment information along with payment information to financial institutions. The preamble to the proposed rule said that diagnostic and treatment information never was necessary to process a payment transaction. The preamble said we believed that in most cases, the permitted disclosure would include only: (1) The name and address of the account holder; (2) the name and address of the payor or provider; (3) the amount of the charge for health services; (4) the date on which health services were rendered; (5) the expiration date for the payment mechanism, if applicable; and (6) the individual’s signature. The preamble noted that the proposed regulation text did not include an exclusive list of information that could lawfully be disclosed to process payments, and it solicited comments on whether more elements would be needed for banking and payment transactions and on whether including a specific list of protected health information that could be disclosed was an appropriate approach.

The preamble also noted that under section 1179 of HIPAA, certain activities of financial institutions were exempt from this rule, to the extent that these activities constituted authorizing, processing, clearing, settling, billing, transferring, reconciling, or collecting payments for health care or health plan premiums.

In the final rule, we eliminate the NPRM’s provision on “banking and payment processes.” All disclosures that would have been allowed pursuant to proposed § 164.510(i) are allowed under § 164.502(a) of the final rule, regarding disclosure for payment purposes.

Section 164.512(i)—Uses and Disclosures for Research Purposes

The NPRM would have permitted covered entities to use and disclose protected health information for research—regardless of funding source—without individual authorization, provided that the covered entity obtained documentation of the following:

(1) A waiver, in whole or in part, of authorization for the use or disclosure of protected health information was approved by an Institutional Review Board (IRB) or a privacy board that was composed as stipulated in the proposed rule;

(2) The date of approval of the waiver, in whole or in part, of authorization by an IRB or privacy board;

(3) The IRB or privacy board had determined that the waiver, in whole or in part, satisfied the following criteria:

(i) The use or disclosure of protected health information involves no more than minimal risk to the subjects;

(ii) The waiver will not adversely affect the rights and welfare of the subjects;

(iii) The research could not practicably be conducted without the waiver;

(iv) Whenever appropriate, the subjects will be provided with additional pertinent information after participation;

(v) The research could not practicably be conducted without access to and use of the protected health information;

(vi) The research is of sufficient importance so as to outweigh the intrusion of the privacy of the individual whose information is subject to the disclosure;

(vii) There is an adequate plan to protect the identifiers from improper use and disclosure; and

(viii) There is an adequate plan to destroy the identifiers at the earliest opportunity consistent with the conduct of the research, unless there is a health or research justification for retaining the identifiers; and

(4) The written documentation was signed by the chair of, as applicable, the IRB or the privacy board.

The NPRM also proposed that IRBs and privacy boards be permitted to adopt procedures for “expedited review” similar to those provided in the Common Rule (Common Rule § __.110) for records research that involved no more than minimal risk. However, this provision for expedited review was not included in the proposed regulation text.

The board that would determine whether the research protocol met the eight specified criteria for waiving the patient authorization requirements (described above) could have been an IRB constituted as required by the Common Rule, or a privacy board, whose proposed composition is described below. The NPRM proposed no requirements for the location or sponsorship of the IRB or privacy board. Under the NPRM, the covered entity could have created such a board and could have relied on it to review research proposals for uses and disclosures of protected health information for research. A covered entity also could have relied on the necessary documentation from an outside researcher’s own university IRB or privacy board. In addition, a covered entity could have engaged the services of an outside IRB or privacy board to obtain the necessary documentation.

Absent documentation that the requirements described above had been met, the NPRM would have required individuals’ authorization for the use or disclosure of protected health information for research, pursuant to the authorization requirements in proposed § 164.508. For research conducted with patient authorization, documentation of IRB or privacy board approval would not have been required.

The final rule retains the NPRM’s proposed framework for permitting uses and disclosures of protected health information for research purposes, although we are making several important changes for the final rule. These changes are discussed below:

Documentation Requirements of IRB or Privacy Board Approval of Waiver

The final rule retains these documentation requirements, but modifies some of them and includes two additional documentation requirements. The final rule’s modifications to the NPRM’s proposed documentation requirements are described first, followed by a description of the three documentation requirements added in the final rule.

The final rule makes the following modifications to the NPRM’s proposed documentation requirements for the waiver of individual authorization:

1. IRB and privacy board membership. The NPRM stipulated that to meet the requirements of proposed § 164.510(j), the documentation would need to indicate that the IRB had been composed as required by the Common Rule (§ __.107), and the privacy board had been composed as follows: “(A) Has members with varying backgrounds and appropriate professional competency as necessary to review the research protocol; (B) Includes at least one member who is not affiliated with the entity conducting the research, or related to a person who is affiliated with such entity; and (C) Does not have any member participating in a review of any project in which the member has a conflict of interest” (§ 164.510(j)(1)(ii)).

The final rule modifies the first of the requirements for the composition of a privacy board to focus on the effect of the research protocol on the individual’s privacy rights and related interests. Therefore, under the final rule, the required documentation must indicate that the privacy board has members with varying backgrounds and appropriate professional competency as necessary to review the effect of the research protocol on the individual’s privacy rights and related interests.

In addition, the final rule further restricts the NPRM’s proposed requirement that the privacy board include at least one member who was not affiliated with the entity conducting the research, or related to a person who is affiliated with such entity. Under the final rule, the board must include at least one member who is not affiliated with the covered entity, not affiliated with any entity conducting or sponsoring the research, and not related to any person who is affiliated with such entities.

The other documentation requirements for the composition of an IRB and privacy board remain the same.

2. Waiver of authorization criteria. The NPRM proposed to prohibit the use or disclosure of protected health information for research without individual authorization as stipulated in proposed § 164.508 unless the covered entity had documentation indicating that an IRB or privacy board had determined that the following waiver criteria had been met:

(i) The use or disclosure of protected health information involves no more than minimal risk to the subjects;

(ii) The waiver will not adversely affect the rights and welfare of the subjects;

(iii) The research could not practicably be conducted without the waiver;

(iv) Whenever appropriate, the subjects will be provided with additional pertinent information after participation;

(v) The research could not practicably be conducted without access to and use of the protected health information;

(vi) The research is of sufficient importance so as to outweigh the intrusion of the privacy of the individual whose information is subject to the disclosure;

(vii) There is an adequate plan to protect the identifiers from improper use and disclosure; and

(viii) There is an adequate plan to destroy the identifiers at the earliest opportunity consistent with the conduct of the research, unless there is a health or research justification for retaining the identifiers.

The final rule continues to permit the documentation of IRB or privacy board approval of a waiver of an authorization as required by § 164.508, to indicate that only some or all of the § 164.508 authorization requirements have been waived. In addition, the final rule clarifies that the documentation of IRB or privacy board approval may indicate that the authorization requirements have been altered. Also, for all of the proposed waiver of authorization criteria that used the term “subject,” we replace this term with the term “individual” in the final rule.

In addition, the final rule (1) eliminates proposed waiver criterion iv, (2) modifies proposed waiver criteria ii, iii, vi, and viii, and (3) adds a waiver criterion.

Proposed waiver criterion ii (waiver criterion § 164.512(i)(2)(ii)(B) in the final rule) is revised as follows to focus more narrowly on the privacy interests of individuals, and to clarify that it also pertains to alterations of individual authorization: “the alteration or waiver will not adversely affect the privacy rights and the welfare of the individuals.” Under criterion § 164.512(i)(2)(ii)(B), the question is whether the alteration or waiver of individual authorization would adversely affect the privacy rights and the welfare of individuals, not whether the research project itself would adversely affect the privacy rights or the welfare of individuals.

Proposed waiver criterion iii (waiver criterion § 164.512(i)(2)(ii)(C) in the final rule) is revised as follows to clarify that it also pertains to alterations of individual authorization: “the research could not practicably be conducted without the alteration or waiver.”

Proposed waiver criterion vi (waiver criterion § 164.512(i)(2)(ii)(E) in the final rule) is revised as follows to be more consistent with one of the Common Rule’s requirements for the approval of human subjects research (Common Rule, § __.111(a)(2)): “the privacy risks to individuals whose protected health information is to be used or disclosed are reasonable in relation to anticipated benefits if any to individuals, and the importance of the knowledge that may reasonably be expected to result from the research.” Under criterion § 164.512(i)(2)(ii)(E), the question is whether the risks to an individual’s privacy from participating in the research are reasonable in relation to the anticipated benefits from the research. This criterion is unlike waiver criterion § 164.512(i)(2)(ii)(B) in that it focuses on the privacy risks and benefits of the research project more broadly, not on the waiver of individual authorization.

Proposed waiver criterion viii (waiver criterion § 164.512(i)(2)(ii)(G) in the final rule) is revised as follows: “there is an adequate plan to destroy the identifiers at the earliest opportunity consistent with the conduct of the research, unless there is a health or research justification for retaining the identifiers, or such retention is otherwise required by law.”

In addition, the final rule includes another waiver criterion: waiver criterion § 164.512(i)(2)(ii)(H). The NPRM proposed no restriction on a researcher’s further use or disclosure of protected health information that had been received under proposed § 164.510(j). The final rule requires that the covered entity obtain written agreement from the person or entity receiving protected health information under § 164.512(i) not to re-use or disclose protected health information to any other person or entity, except: (1) As required by law, (2) for authorized oversight of the research project, or (3) for other research for which the use or disclosure of protected health information would be permitted by this subpart. For instance, in assessing whether this criterion has been met, we encourage IRBs and privacy boards to obtain adequate assurances that the protected health information will not be disclosed to an individual’s employer for employment decisions without the individual’s authorization.

3. Required signature. The rule broadens the types of individuals who are permitted to sign the required documentation of IRB or privacy board approval. The final rule requires the documentation of the alteration or waiver of authorization to be signed by (1) the chair of, as applicable, the IRB or the privacy board, or (2) a member of the IRB or privacy board, as applicable, who is designated by the chair to sign the documentation.

Furthermore, the final rule makes the following three additions to the proposed documentation requirements for the alteration or waiver of authorization:

1. Identification of the IRB or privacy board. The NPRM did not propose that the documentation of waiver include a statement identifying the IRB or privacy board that approved the waiver of authorization. In the final rule we require that such a statement be included in the documentation of alteration or waiver of individual authorization. By this requirement we mean that the name of the IRB or privacy board must be included in such documentation, not the names of individual members of the board.

2. Description of protected health information approved for use or disclosure. The NPRM did not propose that the documentation of waiver include a description of the protected health information that the IRB or privacy board had approved for use or disclosure without individual authorization. In considering waiver of authorization criterion § 164.512(i)(2)(ii)(D), we expect the IRB or privacy board to consider the amount of information that is minimally needed for the study. The final rule requires that the documentation of IRB or privacy board approval of the alteration or waiver of authorization describe the protected health information for which use or access has been determined to be necessary for the research by the IRB or privacy board. For example, if the IRB or privacy board approves only the use or disclosure of certain information from patients’ medical records, and not patients’ entire medical record, this must be stated on the document certifying IRB or privacy board approval.

3. Review and approval procedures. The NPRM would not have required documentation of IRBs’ or privacy boards’ review and approval procedures. In the final rule, the documentation of the alteration or waiver of authorization must state that the alteration or waiver has been reviewed and approved by: (1) an IRB that has followed the voting requirements stipulated in the Common Rule (§ __.108(b)), or the expedited review procedures as stipulated in § __.110(b); or (2) a privacy board that has reviewed the proposed research at convened meetings at which a majority of the privacy board members are present, including at least one member who is not affiliated with the covered entity, not affiliated with any entity conducting or sponsoring the research, and not related to any person who is affiliated with any such entities, and the alteration or waiver of authorization is approved by the majority of privacy board members present at the meeting, unless an expedited review procedure is used.

For documentation of IRB approval that used an expedited review procedure, the covered entity must ensure that the documentation indicates that the IRB followed the expedited review requirements of the Common Rule (§ __.110). For documentation of privacy board approval that used an expedited review procedure, the covered entity must ensure that the documentation indicates that the privacy board met the expedited review requirements of the privacy rule. In the final rule, a privacy board may use an expedited review procedure if the research involves no more than minimal risk to the privacy of the individuals who are the subject of the protected health information for which disclosure is being sought. If a privacy board elects to use an expedited review procedure, the review and approval of the alteration or waiver of authorization may be carried out by the chair of the privacy board, or by one or more members of the privacy board as designated by the chair. Use of the expedited review mechanism permits review by a single member of the IRB or privacy board, but continues to require that the covered entity obtain documentation that all of the specified waiver criteria have been met.

Reviews Preparatory to Research

Under the NPRM, if a covered entity used or disclosed protected health information for research, but the researcher did not record the protected health information in a manner that persons could be identified, such an activity would have constituted a research use or disclosure that would have been subject to either the individual authorization requirements of proposed § 164.508 or the documentation of the waiver of authorization requirements of proposed § 164.510(j).

The final rule permits the use and disclosure of protected health information for research without requiring authorization or documentation of the alteration or waiver of authorization, if the research is conducted in such a manner that only de-identified protected health information is recorded by the researchers and the protected health information is not removed from the premises of the covered entity. For such uses and disclosures of protected health information, the final rule requires that the covered entity obtain from the researcher representations that use or disclosure is sought solely to review protected health information as necessary to prepare a research protocol or for similar purposes preparatory to research, no protected health information is to be removed from the covered entity by the researcher in the course of the review, and the protected health information for which use or access is sought is necessary for the research purposes. The intent of this provision is to permit covered entities to use and disclose protected health information to assist in the development of a research hypothesis and aid in the recruitment of research participants. We understand that researchers sometimes require access to protected health information to develop a research protocol, and to determine whether a specific covered entity has protected health information of prospective research participants that would meet the eligibility criteria for enrollment into a research study. Therefore, this provision permits covered entities to use and disclose protected health information for these preliminary research activities without individual authorization and without documentation that an IRB or privacy board has altered or waived individual authorization.

Research on Protected Health Information of the Deceased

The NPRM would have permitted the use and disclosure of protected health information of deceased persons for research without the authorization of a legal representative, and without the requirement for written documentation of IRB or privacy board approval in proposed § 164.510(j). In the final rule, we retain the exception for uses and disclosures for research purposes but in addition require that the covered entity take certain protective measures prior to release of the decedent’s protected health information for such purposes. Specifically, the final rule requires that the covered entity obtain representation that the use or disclosure is sought solely for research on the protected health information of decedents, and representation that the protected health information for which use or disclosure is sought is necessary for the research purposes. In addition, the final rule allows covered entities to request from the researcher documentation of the death of the individuals about whom protected health information is being sought.

Good Faith Reliance

The final rule clarifies that covered entities are allowed to rely on the IRB’s or privacy board’s representation that the research proposal meets the documentation requirements of § 164.512(i)(1)(i) and the minimum necessary requirements of § 164.514.

In addition, when using or disclosing protected health information for reviews preparatory to research (§ 164.512(i)(1)(ii)) or for research solely on the protected health information of decedents (§ 164.512(i)(1)(iii)), the final rule clarifies that the covered entity may rely on the requesting researcher’s representation that the purpose of the request is for one of these two purposes, and that the request meets the minimum necessary requirements of § 164.514. Therefore, the covered entity has not violated the rule if the requesting researcher misrepresents his or her intended use of the protected health information to the covered entity.

Additional Research Provisions

Research Including Treatment

To the extent that a researcher provided treatment to persons as part of a research study, the NPRM would have covered such researchers as health care providers for purposes of that treatment, and required that the researcher comply with all of the provisions of the rule that would be applicable to health care providers. The final rule retains this requirement.

Individual Access to Research Information

Under proposed § 164.514, the NPRM would have applied the proposed provision regarding individuals’ access to records to research that includes the delivery of treatment. The NPRM proposed an exception to individuals’ right to access protected health information for clinical trials, where (1) protected health information was obtained by a covered entity in the course of a clinical trial, (2) the individual agreed to the denial of access when consenting to participate in the trial (if the individual’s consent to participate was obtained), and (3) the trial was still in progress.

Section 164.524 of the final rule retains this exception to access for research that includes treatment. In addition, the final rule requires that participants in such research be informed that their right of access to protected health information about them will be reinstated once the research is complete.

Obtaining the Individual’s Authorization for Research

The NPRM would have required covered entities obtaining individuals’ authorization for the use or disclosure of information for research to comply with the requirements applicable to individual authorization for the release of protected health information (proposed § 164.508(a)(2)). If an individual had initiated the use or disclosure of his/her protected health information for research, or any other purpose, the covered entity would have been required to obtain a completed authorization for the use or disclosure of protected health information as proposed in § 164.508(c).

The final rule retains these requirements for research conducted with authorization, as required by § 164.508. In addition, for the use and disclosure of protected health information created by a covered entity for the purpose, in whole or in part, of research that includes treatment of the individual, the covered entity must meet the requirements of § 164.508(f).

Interaction with the Common Rule

The NPRM stated that the proposed rule would not override the Common Rule. Where both the NPRM and the Common Rule would have applied to research conducted by the covered entity—either with or without individuals’ authorization—both sets of regulations would have needed to be followed. This statement remains true in the final rule. In addition, we clarify that FDA’s human subjects regulations must also be followed if applicable.

Section 164.512(j)—Uses and Disclosures to Avert a Serious Threat to Health or Safety

In the NPRM we proposed to allow covered entities to use or disclose protected health information without individual authorization—consistent with applicable law and ethics standards—based on a reasonable belief that use or disclosure of the protected health information was necessary to prevent or lessen a serious and imminent threat to health or safety of an individual or of the public. Pursuant to the NPRM, covered entities could have used or disclosed protected health information in these emergency circumstances to a person or persons reasonably able to prevent or lessen the threat, including the target of the threat. The NPRM stated that covered entities that made disclosures in these circumstances were presumed to have acted under a reasonable belief if the disclosure was made in good faith, based on credible representation by a person with apparent knowledge or authority. The NPRM did not include verification requirements specific to this paragraph.

In § 164.512(j) of the final rule, we retain the NPRM’s approach to uses and disclosures made to prevent or lessen serious and imminent threats to health or safety, as well as its language regarding the presumption of good faith. We also clarify that: (1) Rules governing these situations, which the NPRM referred to as “emergency circumstances,” are not intended to apply to emergency care treatment, such as health care delivery in a hospital emergency room; and (2) the “presumption of good faith belief” is intended to apply only to this provision and not to all disclosures permitted without individual authorization. The final rule allows covered entities to use or disclose protected health information without an authorization on their own initiative in these circumstances, when necessary to prevent or lessen a serious and imminent threat, consistent with other applicable ethical or legal standards.

The rule’s approach is consistent with the “duty to warn” third persons at risk, which has been established through case law. In Tarasoff v. Regents of the University of California (17 Cal. 3d 425 (1976)), the Supreme Court of California found that when a therapist’s patient had made credible threats against the physical safety of a specific person, the therapist had an obligation to use reasonable care to protect the intended victim of his patient against danger, including warning the victim of the danger. Many states have adopted, through either statutory or case law, versions of the Tarasoff duty to warn. The rule is not intended to create a duty to warn or disclose. Rather, it permits disclosure to avert a serious and imminent threat to health or safety consistent with other applicable legal or ethical standards. If disclosure in these circumstances is prohibited by state law, this rule would not allow the disclosure.

As indicated above, in some situations (for example, when a person is both a fugitive and a victim and thus covered entities could disclose protected health information pursuant either to § 164.512(f)(2) regarding fugitives or to § 164.512(f)(3) establishing conditions for disclosure about victims), more than one section of this rule potentially could apply with respect to a covered entity’s potential disclosure of protected health information. Similarly, in situations involving a serious and imminent threat to public health or safety, law enforcement officials may be seeking protected health information from covered entities to locate a fugitive. In the final rule, we clarify that if a situation fits one section of the rule (for example, § 164.512(j) on serious and imminent threats to health or safety), covered entities may disclose protected health information pursuant to that section, regardless of whether the disclosure also could be made pursuant to another section (e.g., § 164.512(f), regarding disclosure to law enforcement officials).

The proposed rule did not address situations in which covered entities could make disclosures to law enforcement officials about oral statements admitting participation in violent conduct or about escapees.

In the final rule we permit, but do not require, covered entities to use or disclose protected health information, consistent with applicable law and standards of ethical conduct, in specific situations in which the covered entity, in good faith, believes the use or disclosure is necessary to permit law enforcement authorities to identify or apprehend an individual. Under paragraph (j)(1)(ii)(A) of this section, a covered entity may take such action because of a statement by an individual admitting participation in a violent crime that the covered entity reasonably believes may have resulted in serious physical harm to the victim. The protected health information that is disclosed in this case is limited to the statement and to the protected health information included under the limited identifying and location information in § 164.512(f)(2), such as name, address, and type of injury. Under paragraph (j)(1)(ii)(B) of this section, a covered entity may take such action where it appears from all the circumstances that the individual has escaped from a correctional institution or from lawful custody.

A disclosure may not be made under paragraph (j)(1)(ii)(A) for a statement admitting participation in a violent crime if the covered entity learns the information in the course of counseling or therapy. Similarly, such a disclosure is not permitted if the covered entity learns the information in the course of treatment to affect the propensity to commit the violent crimes that are described in the individual’s statements. We do not intend to discourage individuals from speaking accurately in the course of counseling or therapy sessions, or to discourage other treatment that specifically seeks to reduce the likelihood that someone who has acted violently in the past will do so again in the future. This prohibition on disclosure is triggered once an individual has made a request to initiate or be referred to such treatment, therapy, or counseling.

The provision permitting use and disclosure has been added in light of the broadened definition in the final rule of protected health information. Under the NPRM, protected health information meant individually identifiable health information that is or has been electronically transmitted or electronically maintained by a covered entity. Under the final rule, protected health information includes information transmitted by electronic media as well as such information transmitted or maintained in any other form or medium. The new definition includes oral statements to covered entities as well as individually identifiable health information transmitted “in any other form.”

The definition of protected health information, for instance, would now apply to a statement by a patient that is overheard by a hospital security guard in a waiting room. Such a statement would have been outside the scope of the proposed rule (unless it was memorialized in an electronic record), but is within the scope of the final rule. For the example with the hospital guard, the new provision permitting disclosure of a statement by an individual admitting participation in a violent crime would have the same effect as the proposed rule—the statement could be disclosed to law enforcement, so long as the other aspects of the regulation are followed. Similarly, where it appears from all the circumstances that the individual has escaped from prison, the expanded definition of protected health information should not prevent the covered entity from deciding to report this information to law enforcement.

The disclosures that covered entities may elect to make under this paragraph are entirely at their discretion. These disclosures to law enforcement are in addition to other disclosure provisions in the rule. For example, under paragraph § 164.512(f)(2) of this section, a covered entity may disclose limited categories of protected health information in response to a request from a law enforcement official for the purpose of identifying or locating a suspect, fugitive, material witness, or missing person. Paragraph § 164.512(f)(1) of this section permits a covered entity to make disclosures that are required by other laws, such as state mandatory reporting laws, or are required by legal process such as court orders or grand jury subpoena.

Section 164.512(k)—Uses and Disclosures for Specialized Government Functions

Application to Military Services

In the NPRM we would have permitted a covered entity providing health care to Armed Forces personnel to use and disclose protected health information for activities deemed necessary by appropriate military command authorities to assure the proper execution of the military mission, where the appropriate military authority had published by notice in the Federal Register. (In the NPRM, we proposed that the Department of Defense would publish this Federal Register notice in the future.) The final rule takes a similar approach while making some modifications to the NPRM. One modification concerns the information that will be required in the Federal Register notice. The NPRM would have required a listing of (i) appropriate military command authorities; (ii) the circumstances for which use or disclosure without individual authorization would be required; and (iii) activities for which such use or disclosure would occur in order to assure proper execution of the military mission. In the final rule, we eliminate the third category and also slightly modify language in the second category to read: “the purposes for which the protected health information may be used or disclosed.”

An additional modification concerns the rule’s application to foreign military and diplomatic personnel. The NPRM would have excluded foreign diplomatic and military personnel, as well as their dependents, from the proposed definition of “individual,” thereby excluding any protected health information created about these personnel from the NPRM’s privacy protections. Foreign military and diplomatic personnel affected by this provision include, for example, allied military personnel who are in the United States for training. The final rule applies a more limited exemption to foreign military personnel only (foreign diplomatic personnel will have the same protections granted to all other individuals under the rule). Under the final rule, foreign military personnel are not excluded from the definition of “individual.” Covered entities will be able to use and disclose protected health information of foreign military personnel to their appropriate foreign military authority for the same purposes for which uses and disclosures are permitted for U.S. Armed Forces personnel under the notice to be published in the Federal Register. Foreign military personnel do have the same rights of access, notice, right to request privacy protection, copying, amendment, and accounting as do other individuals pursuant to §§ 164.520–164.526 (sections on access, notice, right to request privacy protection for protected health information, amendment, inspection, copying) of the rule.

The NPRM likewise would have exempted overseas foreign national beneficiaries from the proposed rule’s requirements by excluding them from the definition of “individual.” Under the final rule, these beneficiaries no longer are exempt from the definition of “individual.” However, the rule’s provisions do not apply to the individually identifiable health information of overseas foreign nationals who receive care provided by the Department of Defense, other federal agencies, or by non-governmental organizations incident to U.S. sponsored missions or operations.

The final rule includes a new provision to address separation or discharge from military service. The preamble to the NPRM noted that upon completion of individuals’ military service, DOD and the Department of Transportation routinely transfer entire military service records, including protected health information, to the Department of Veterans Affairs so that the file can be retrieved quickly if the individuals or their dependents apply for veterans benefits. The NPRM would have required consent for such transfers. The final rule no longer requires consent in such situations. Thus, under the final rule, a covered entity that is a component of DOD or the Department of Transportation may disclose to DVA the protected health information of an Armed Forces member upon separation or discharge from military service for the purpose of a determination by DVA of the individual’s eligibility for or entitlement to benefits under laws administered by the Secretary of Veterans Affairs.

Department of Veterans Affairs

Under the NPRM, a covered entity that is a component of the Department of Veterans Affairs could have used and disclosed protected health information to other components of the Department that determine eligibility for, or entitlement to, or that provide benefits under the laws administered by the Secretary of Veterans Affairs. In the final rule, we retain this approach.

Application to Intelligence Community

The NPRM would have provided an exemption from its proposed requirements to the intelligence community. As defined in section 4 of the National Security Act, 50 U.S.C. 401a, the intelligence community includes: the Office of the Director of Central Intelligence Agency; the Office of the Deputy Director of Central Intelligence; the National Intelligence Council and other such offices as the Director may designate; the Central Intelligence Agency; the National Security Agency; the Defense Intelligence Agency; the National Imagery and Mapping Agency; the National Reconnaissance Office; other offices within the DOD for the collection of specialized national intelligence through reconnaissance programs; the intelligence elements of the Army, the Navy, the Air Force, the Marine Corps, the Federal Bureau of Investigation, the Department of the Treasury, and the Department of Energy; the Bureau of Intelligence and Research of the Department of State; and such other elements of any other department or agency as may be designated by the President, or designated jointly by the Director of Central Intelligence and the head of the department or agency concerned, as an element of the intelligence community. It would have allowed a covered entity to use without individual authorization protected health information of employees of the intelligence community, and of their dependents, if such dependents were being considered for posting abroad. The final rule does not include such an exemption. Rather, the final rule does not except intelligence community employees and their dependents from the general rule requiring an authorization in order for protected health information to be used and disclosed.

National Security and Intelligence Activities

The NPRM included a provision, in § 164.510(f)—Disclosure for Law Enforcement Purposes—that would allow covered entities to disclose protected health information without consent for the conduct of lawful intelligence activities under the National Security Act, and in connection with providing protective services to the President or to foreign heads of state pursuant to 18 U.S.C. 3056 and 22 U.S.C. 2709(a)(3) respectively. The final rule preserves these exemptions, with slight modifications, but moves them from proposed § 164.510(f) to § 164.512(k). It also divides this area into two paragraphs—one called “National Security and Intelligence Activities” and the second called “Protective services for the President and Others.”

The final rule, with modifications, allows a covered entity to disclose protected health information to an authorized federal official for the conduct of lawful intelligence, counter-intelligence, and other national security activities authorized by the National Security Act and implementing authority (e.g., Executive Order 12333). The references to “counter-intelligence and other national security activities” are new to the final rule. The reference to “implementing authority (e.g. Executive Order 12333)” is also new. The final rule also adds specificity to the provision on protective services. It states that a covered entity may disclose protected health information to authorized federal officials for the provision of protective services to the President or other persons as authorized by 18 U.S.C. 3056, or to foreign heads of state or other persons as authorized by 22 U.S.C. 2709(a)(3), or for the conduct of investigations authorized by 18 U.S.C. 871 and 879.

Application to the State Department

The final rule creates a narrower exemption for Department of State for uses and disclosures of protected health information (1) for purposes of a required security clearance conducted pursuant to Executive Orders 10450 and 12698; (2) as necessary to meet the requirements of determining worldwide availability or availability for mandatory service abroad under Sections 101(a)(4) and 504 of the Foreign Service Act; and (3) for a family member to accompany a Foreign Service Officer abroad, consistent with Section 101(b)(5) and 904 of the Foreign Service Act.

Regarding security clearances, nothing prevents any employer from requiring that individuals provide authorization for the purpose of obtaining a security clearance. For the Department of State, however, the final rule provides a limited exemption that allows a component of the Department of State without an authorization to (1) use protected health information to make medical suitability determinations and (2) to disclose whether or not the individual was determined to be medically suitable to authorized officials in the Department of State for the purpose of a security clearance investigation conducted pursuant to Executive Order 10450 and 12698.

Sections 101(a)(4) and 504 of the Foreign Service Act require that Foreign Service members be available to serve in assignments throughout the world. The final rule permits disclosures to officials who need protected health information to determine availability for duty worldwide.

Section 101(b)(5) of the Foreign Service Act requires the Department of State to mitigate the impact of hardships, disruptions, and other unusual conditions on families of Foreign Service Officers. Section 904 requires the Department to establish a health care program to promote and maintain the physical and mental health of Foreign Service member family members. The final rule permits disclosure of protected health information to officials who need protected health information for a family member to accompany a Foreign Service member abroad.

This exemption does not permit the disclosure of specific medical conditions, diagnoses, or other specific medical information. It permits only the disclosure of the limited information needed to determine whether the individual should be granted a security clearance or whether the Foreign Service member or his or her family members should be posted to a certain overseas assignment.

Application to Correctional Facilities

The NPRM would have excluded the individually identifiable health information of correctional facility inmates and detention facility detainees from the definition of protected health information. Thus, none of the NPRM’s proposed privacy protections would have applied to correctional facility inmates or to detention facility detainees while they were in these facilities or after they had been released.

The final rule takes a different approach. First, to clarify that we are referring to individuals who are incarcerated in correctional facilities that are part of the criminal justice system or in the lawful custody of a law enforcement official—and not to individuals who are “detained” for non-criminal reasons, for example, in psychiatric institutions—§ 164.512(k) covers disclosure of protected health information to correctional institutions or law enforcement officials having such lawful custody. In addition, where a covered health care provider is also a health care component of a correctional institution, the final rule permits the covered entity to use protected health information in all cases in which it is permitted to disclose such information.

We define correctional institution as defined pursuant to 42 U.S.C. 13725(b)(1), as a “prison, jail, reformatory, work farm, detention center, or halfway house, or any other similar institution designed for the confinement or rehabilitation of criminal offenders.” The rules regarding disclosure and use of protected health information specified in § 164.512(k) cover individuals who are in transitional homes, and other facilities in which they are required by law to remain for correctional reasons and from which they are not allowed to leave. This section also covers individuals who are confined to psychiatric institutions for correctional reasons and who are not allowed to leave; however, it does not apply to disclosure of information about individuals in psychiatric institutions for treatment purposes only, who are not there due to a crime or under a mandate from the criminal justice system. The disclosure rules described in this section do not cover release of protected health information about individuals in pretrial release, probation, or on parole; such persons are not considered to be incarcerated in a correctional facility.

As described in § 164.512(k), correctional facility inmates’ individually identifiable health information is not excluded from the definition of protected health information. When individuals are released from correctional facilities, they will have the same privacy rights that apply to all other individuals under this rule.

Section 164.512(k) of the final rule states that while individuals are in a correctional facility or in the lawful custody of a law enforcement official, covered entities (for example, the prison’s clinic) can use or disclose protected health information about these individuals without authorization to the correctional facility or the law enforcement official having custody as necessary for: (1) The provision of health care to such individuals; (2) the health and safety of such individual or other inmates; (3) the health and safety of the officers or employees of or others at the correctional institution; (4) the health and safety of such individuals and officers or other persons responsible for the transporting of inmates or their transfer from one institution or facility to another; (5) law enforcement on the premises of the correctional institution; and (6) the administration and maintenance of the safety, security, and good order of the correctional institution. This section is intended to allow, for example, a prison’s doctor to disclose to a van driver transporting a criminal that the individual is a diabetic and frequently has seizures, as well as information about the appropriate action to take if the individual has a seizure while he or she is being transported.

We permit covered entities to disclose protected health information about these individuals if the correctional institution or law enforcement official represents that the protected health information is necessary for these purposes. Under § 164.514(h), a covered entity may reasonably rely on the representation of such public officials.

Application to Public Benefits Programs Required to Share Eligibility Information

We create a new provision for covered entities that are a government program providing public benefits. This provision allows the following disclosures of protected health information.

First, where other law requires or expressly authorizes information relating to the eligibility for, or enrollment in more than one public program to be shared among such public programs and/or maintained in a single or combined data system, a public agency that is administering a health plan may maintain such a data base and may disclose information relating to such eligibility or enrollment in the health plan to the extent authorized by such other law.

Where another public entity has determined that the appropriate balance between the need for efficient administration of public programs and public funds and individuals’ privacy interests is to allow information sharing for these limited purposes, we do not upset that determination. For example, section 1137 of the Social Security Act requires a variety of public programs, including the Social Security program, state medicaid programs, the food stamp program, certain unemployment compensation programs, and others, to participate in a joint income and eligibility verification system. Similarly, section 222 of the Social Security Act requires the Social Security Administration to provide information to certain state vocational rehabilitation programs for eligibility purposes. In some instances, it is a covered entity that first collects or creates the information that is then disclosed for these systems. We do not prohibit those disclosures.

This does not authorize these entities to share information for claims determinations or ongoing administration of these public programs. This provision is limited to the agencies and activities described above.

Second, § 164.512(k)(6) permits a covered entity that is a government agency administering a government program providing public benefits to disclose protected health information relating to the program to another covered entity that is a government agency administering a government program providing public benefits if the programs serve the same or similar populations and the disclosure of protected health information is necessary to coordinate the covered functions of such programs.

The second provision permits covered entities that are government programs providing public benefits that serve the same or similar populations to share protected health information for the purposes of coordinating covered functions of the programs and for general management and administration relating to the covered functions of the programs. Often, similar government health programs are administered by different government agencies. For example, in some states, the Medicaid program and the State Children’s Health Insurance Program are administered by different agencies, although they serve similar populations. Many states coordinate eligibility for these two programs, and sometimes offer services through the same delivery systems and contracts. This provision would permit the covered entities administering these programs to share protected health information of program participants to coordinate enrollment and services and to generally improve the health care operations of the programs. We note that this provision does not authorize the agencies to use or disclose the protected health information that is shared for purposes other than as provided for in this paragraph.

Section 164.512(l)—Disclosures For Workers’ Compensation

The NPRM did not contain special provisions permitting covered entities to disclose protected health information for the purpose of complying with workers’ compensation and similar laws. Under HIPAA, workers’ compensation and certain other forms of insurance (such as automobile or disability insurance) are “excepted benefits.” Insurance carriers that provide this coverage are not covered entities even though they provide coverage for health care services. To carry out their insurance functions, these non-covered insurers typically seek individually identifiable health information from covered health care providers and group health plans. In drafting the proposed rule, the Secretary was faced with the challenge of trying to carry out the statutory mandate of safeguarding the privacy of individually identifiable health information by regulating the flow of such information from covered entities while at the same time respecting the Congressional intent to shield workers’ compensation carriers and other excepted benefit plans from regulation as covered entities.

In the proposed rule we allowed covered entities to disclose protected health information without individual consent for purposes of treatment, payment or health care operations—even when the disclosure was to a non-covered entity such as a workers’ compensation carrier. In addition, we allowed protected health information to be disclosed if required by state law for purposes of determining eligibility for coverage or fitness for duty. The proposed rule also required that whenever a covered entity disclosed protected health information to a non-covered entity, even though authorized under the rule, the individual who was the subject of the information must be informed that the protected health information was no longer subject to privacy protections.

Like other disclosures under the proposed rule, the information provided to workers’ compensation carriers for treatment, payment or health care operations was subject to the minimum necessary standard. However, to the extent that protected health information was disclosed to the carrier because it was required by law, it was not subject to the minimum necessary standard. In addition, individuals were entitled to an accounting when protected health information was disclosed for purposes other than treatment, payment or health care operations.

In the final rule, we include a new provision in this section that clarifies the ability of covered entities to disclose protected health information without authorization to comply with workers’ compensation and similar programs established by law that provide benefits for work-related illnesses or injuries without regard to fault. Although most disclosures for workers’ compensation would be permissible under other provisions of this rule, particularly the provisions that permit disclosures for payment and as required by law, we are aware of the significant variability among workers’ compensation and similar laws, and include this provision to ensure that existing workers’ compensation systems are not disrupted by this rule. We note that the minimum necessary standard applies to disclosures under this paragraph.

Under this provision, a covered entity may disclose protected health information regarding an individual to a party responsible for payment of workers’ compensation benefits to the individual, and to an agency responsible for administering and/or adjudicating the individual’s claim for workers’ compensation benefits. For purposes of this paragraph, workers’ compensation benefits include benefits under programs such as the Black Lung Benefits Act, the federal Employees’ Compensation Act, the Longshore and Harbor Workers’ Compensation Act, and the Energy Employees’ Occupational Illness Compensation Program Act.

Additional Considerations

We have included a general authorization for disclosures under workers’ compensation systems to be consistent with the intent of Congress, which defined workers’ compensation carriers as excepted benefits under HIPAA. We recognize that there are significant privacy issues raised by how individually identifiable health information is used and disclosed in workers’ compensation systems, and believe that states or the federal government should enact standards that address those concerns.

Section 164.514—Other Procedural Requirements Relating To Uses and Disclosures of Protected Health Information

Section 164.514(a)–(c)—De-identification

In § 164.506(d) of the NPRM, we proposed that the privacy standards would apply to “individually identifiable health information,” and not to information that does not identify the subject individual. The statute defines individually identifiable health information as certain health information:

(i) Which identifies the individual, or
(ii) With respect to which there is a reasonable basis to believe that the information can be used to identify the individual.

As we pointed out in the NPRM, difficulties arise because, even after removing obvious identifiers (e.g., name, social security number, address), there is always some probability or risk that any information about an individual can be attributed to that individual.

The NPRM proposed two alternative methods for determining when sufficient identifying information has been removed from a record to render the information de-identified and thus not subject to the rule. First, the NPRM proposed the establishment of a “safe harbor”: if all of a list of 19 specified items of information had been removed, and the covered entity had no reason to believe that the remaining information could be used to identify the subject of the information (alone or in combination with other information), the covered entity would have been presumed to have created de-identified information. Second, the NPRM proposed an alternative method so that covered entities with sufficient statistical experience and expertise could remove or encrypt a combination of information different from the enumerated list, using commonly accepted scientific and statistical standards for disclosure avoidance. Such covered entities would have been able to include information from the enumerated list of 19 items if they (1) believed that the probability of re-identification was very low, and (2) removed additional information if they had a reasonable basis to believe that the resulting information could be used to re-identify someone.

We proposed that covered entities and their business partners be permitted to use protected health information to create de-identified health information using either of these two methods. Covered entities would have been permitted to further use and disclose such de-identified information in any way, provided that they did not disclose the key or other mechanism that would have enabled the information to be re-identified, and provided that they reasonably believed that such use or disclosure of de-identified information would not have resulted in the use or disclosure of protected health information.

A number of examples were provided of how valuable such de-identified information would be for various purposes. We expressed the hope that covered entities, their business partners, and others would make greater use of de-identified health information than they do today, when it is sufficient for the purpose, and that such practice would reduce the burden and the confidentiality concerns that result from the use of individually identifiable health information for some of these purposes.

In §§ 164.514(a)–(c) of this final rule, we make several modifications to the provisions for de-identification. First, we explicitly adopt the statutory standard as the basic regulatory standard for whether health information is individually identifiable health information under this rule. Information is not individually identifiable under this rule if it does not identify the individual, or if the covered entity has no reasonable basis to believe it can be used to identify the individual. Second, in the implementation specifications we reformulate the two ways in which a covered entity can demonstrate that it has met the standard.

One way a covered entity may demonstrate that it has met the standard is if a person with appropriate knowledge and experience applying generally accepted statistical and scientific principles and methods for rendering information not individually identifiable makes a determination that the risk is very small that the information could be used, either by itself or in combination with other available information, by anticipated recipients to identify a subject of the information. The covered entity must also document the analysis and results that justify the determination. We provide guidance regarding this standard in our responses to the comments we received on this provision.

We also include an alternate, safe harbor, method by which covered entities can demonstrate compliance with the standard. Under the safe harbor, a covered entity is considered to have met the standard if it has removed all of a list of enumerated identifiers, and if the covered entity has no actual knowledge that the information could be used alone or in combination to identify a subject of the information. We note that in the NPRM, we had proposed that to meet the safe harbor, a covered entity must have “no reason to believe” that the information remained identifiable after the enumerated identifiers were removed. In the final rule, we have changed the standard to one of actual knowledge in order to provide greater certainty to covered entities using the safe harbor approach.

In the safe harbor, we explicitly allow age and some geographic location information to be included in the de-identified information, but all dates directly related to the subject of the information must be removed or limited to the year, and zip codes must be removed or aggregated (in the form of most 3-digit zip codes) to include at least 20,000 people. Extreme ages of 90 and over must be aggregated to a category of 90+ to avoid identification of very old individuals. Other demographic information, such as gender, race, ethnicity, and marital status are not included in the list of identifiers that must be removed.

The intent of the safe harbor is to provide a means to produce some de-identified information that could be used for many purposes with a very small risk of privacy violation. The safe harbor is intended to involve a minimum of burden and convey a maximum of certainty that the rules have been met by interpreting the statutory “reasonable basis to believe that the information can be used to identify the individual” to produce an easily followed, cook book approach.

Covered entities may use codes and similar means of marking records so that they may be linked or later re-identified, if the code does not contain information about the subject of the information (for example, the code may not be a derivative of the individual’s social security number), and if the covered entity does not use or disclose the code for any other purpose. The covered entity is also prohibited from disclosing the mechanism for re-identification, such as tables, algorithms, or other tools that could be used to link the code with the subject of the information.
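The safe-harbor transformations described above (dates limited to the year, zip codes kept only as a 3-digit prefix covering at least 20,000 people, ages of 90 and over collapsed into “90+”) and the re-identification code rules in the preceding paragraph can be expressed as a small data-transformation routine. The following is an added example written for this page, not text or code from the Federal Register or from HHS: it removes an abbreviated subset of the enumerated identifiers (the full list is not reproduced here), uses a constructed population table for the zip-prefix check, replaces a suppressed prefix with a placeholder of our own choosing, and assigns each output record a random linkage code that is stored in a separately held table rather than being derived from any field about the individual.

```python
"""Safe-harbor style de-identification of a patient record (added example).

Implements the transformations the preamble names: drop direct identifiers,
keep only the year of dates about the individual, keep a 3-digit zip prefix
only when that prefix covers at least 20,000 people, and collapse ages of 90
and over into "90+". A random linkage code, carrying no information about the
subject, is recorded in a separate re-identification table that the covered
entity keeps to itself. Identifier list and population figures are abbreviated
and constructed for illustration.
"""
import re
import secrets

# Constructed population figures per 3-digit zip prefix (illustrative only).
ZIP3_POPULATION = {"021": 300_000, "100": 1_500_000, "036": 12_000}
ZIP3_MIN_POPULATION = 20_000

# Direct identifiers removed outright (a subset of the rule's enumerated list).
DIRECT_IDENTIFIERS = {"name", "ssn", "address", "phone", "email", "mrn"}

DATE_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})$")


def generalize_zip(zip_code: str) -> str:
    """Keep the 3-digit prefix only if it covers >= 20,000 people."""
    prefix = re.sub(r"\D", "", zip_code)[:3]
    if ZIP3_POPULATION.get(prefix, 0) >= ZIP3_MIN_POPULATION:
        return prefix
    return "000"  # assumption: a suppressed prefix becomes a placeholder


def generalize_date(value: str) -> str:
    """Limit a YYYY-MM-DD date to its year; reject anything else."""
    m = DATE_RE.match(value)
    if not m:
        raise ValueError(f"unrecognised date format: {value!r}")
    return m.group(1)


def generalize_age(age: int) -> str:
    """Ages 90 and over are aggregated into a single '90+' category."""
    return "90+" if age >= 90 else str(age)


def deidentify(record: dict, reid_table: dict) -> dict:
    """Return a de-identified copy of `record`.

    A fresh CSPRNG-generated code links the output back to the source record
    through `reid_table`, which is never disclosed with the data. The code is
    not derived from the SSN or any other field of the record.
    """
    code = secrets.token_hex(16)
    reid_table[code] = record.get("mrn") or record.get("ssn")
    out = {"record_code": code}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue  # removed entirely
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key == "age":
            out["age"] = generalize_age(int(value))
        elif key.endswith("_date"):
            out[key[:-5] + "_year"] = generalize_date(value)
        else:
            out[key] = value  # e.g. gender, race, diagnosis are retained
    return out


# Constructed sample record for a demonstration run.
SAMPLE = {
    "name": "Jane Example", "ssn": "123-45-6789", "mrn": "MRN-0001",
    "address": "1 Main St", "zip": "03601", "age": 93,
    "admit_date": "2000-12-28", "gender": "F", "diagnosis": "diabetes",
}

if __name__ == "__main__":
    linkage = {}
    print(deidentify(SAMPLE, linkage))
```

The linkage table is the “mechanism for re-identification” the text says must not be disclosed; in practice it belongs in a separately access-controlled store, and the released data set contains only `record_code` and the generalized fields.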

Language to clarify that covered entities may contract with business associates to perform the de-identification has been added to the section on business associates.

Section 164.514(d)—Minimum Necessary

The proposed rule required a covered entity to make all reasonable efforts not to use or disclose more than the minimum amount of protected health information necessary to accomplish the intended purpose of the use or disclosure (proposed § 164.506(b)).

The proposed minimum necessary standard did not apply to uses or disclosures that were made by covered entities at the request of the individual, either to allow the individual access to protected health information about him or her or pursuant to an authorization initiated by the individual. The requirement also did not apply to uses and disclosures made: pursuant to the compliance and enforcement provisions of the rule; as required by law and permitted by the regulation without individual authorization; or by a covered health care provider to a health plan, when the information was requested for audit and related purposes. Finally, the standard did not apply to the HIPAA administrative simplification transactions.

The proposed implementation specifications would have required a covered entity to have procedures to: (i) Identify appropriate persons within the entity to determine what information should be used or disclosed consistent with the minimum necessary standard; (ii) ensure that those persons make the minimum necessary determinations, when required; and (iii) within the limits of the entity’s technological capabilities, provide for the making of such determinations individually. The proposal allowed a covered entity, when making disclosures to public officials that were permitted without individual authorization but not required by other law, to reasonably rely on the representations of such officials that the information requested was the minimum necessary for the stated purpose(s).

The preamble provided further guidance. The preamble explained that covered entities could not have general policies of approving all requests (or all requests of a particular type) without carefully considering certain criteria (see ‘‘Criteria,’’ below) as well as other information specific to the request. The minimum necessary determination would have needed to be consistent with and directly related to the purpose of the use or disclosure. Where there was ambiguity regarding the information to be used or disclosed, the preamble directed covered entities to interpret the ‘‘minimum necessary’’ standard to ‘‘require’’ the covered entity to make some effort to limit the amount of protected health information used/disclosed.

The proposal would have required the minimum necessary determination to take into consideration the ability of a covered entity to delimit the amount of information used or disclosed. The preamble noted that these determinations would have to be made under a reasonableness standard: covered entities would be required to make reasonable efforts and to incur reasonable expense to limit the use or disclosure. The ‘‘reasonableness’’ of limiting particular uses or disclosures was to be determined based on the following factors (which were not included in the regulatory text):

a. The extent to which the use or disclosure would extend the number of persons with access to the protected health information.

b. The likelihood that further uses or disclosures of the protected health information could occur.

c. The amount of protected health information that would be used or disclosed.

d. The importance of the use or disclosure.

e. The potential to achieve substantially the same purpose with de-identified information. For disclosures, each covered entity would have been required to have policies for determining when protected health information must be stripped of identifiers.

f. The technology available to limit the amount of protected health information used/disclosed.

g. The cost of limiting the use/disclosure.

h. Any other factors that the covered entity believed were relevant to the determination.

The proposal shifted the ‘‘minimum necessary’’ burden off of covered providers when they were being audited by a health plan. The preamble explained that the duty would have been shifted to the payor to request the minimum necessary information for the audit purpose, although the regulatory text did not include such a requirement. Outside of the audit context, the preamble stated that a health plan would be required, when requesting a disclosure, to limit its requests to the information required to achieve the purpose of the request; the regulation text did not include this requirement.

The preamble stated that disclosure of an entire medical record, in response to a request for something other than the entire medical record, would presumptively violate the minimum necessary standard.

This final rule significantly modifies the proposed requirements for implementing the minimum necessary standard. For all uses and many disclosures and requests for disclosures from other covered entities, we require covered entities to implement policies and procedures for ‘‘minimum necessary’’ uses and disclosures. Implementation of such policies and procedures is required in lieu of making the ‘‘minimum necessary’’ determination for each separate use or disclosure as discussed in the proposal.

Disclosures to or requests by a health care provider for treatment purposes are not subject to the standard (see § 164.502).

Specifically (and as further described below), the proposed requirement for individual review of all uses of protected health information is replaced with a requirement for covered entities to implement policies and procedures that restrict access and uses based on the specific roles of members of the covered entity’s workforce. Routine disclosures also are not subject to individual review; instead, covered entities must implement policies and procedures to limit the protected health information in routine disclosures to the minimum necessary to achieve the purpose of that type of disclosure. The proposed exclusion of disclosures to health plans for audit purposes is deleted and replaced with a general requirement that covered entities must limit requests to other covered entities for individually identifiable health information to what is reasonably necessary for the use or disclosure intended. The other exclusions from the standard are unchanged from the proposed rule (e.g., for individuals’ access to information about themselves, pursuant to an authorization initiated by the individual, for enforcement of this rule, as required by law).

The language of the basic ‘‘standard’’ itself is largely unchanged; covered entities must make reasonable efforts to use or disclose, or to request from another covered entity, only the minimum amount of protected health information required to achieve the purpose of a particular use or disclosure. We delete the word ‘‘all’’ from the ‘‘reasonable efforts’’ that covered entities must take in making a ‘‘minimum necessary’’ determination. The implementation specifications are significantly modified, and differ based on whether the activity is a use or disclosure.

Similarly, a ‘‘minimum necessary’’ disclosure for oversight purposes in accordance with § 164.512(d) could include large numbers of records to allow oversight agencies to perform statistical analyses to identify deviations in payment or billing patterns, and other data analyses.

Uses of Protected Health Information

A covered entity must implement policies and procedures to identify the persons or classes of persons in the entity’s workforce who need access to protected health information to carry out their duties, the category or categories of protected health information to which such persons or classes need access, and the conditions, as appropriate, that would apply to such access. Covered entities must also implement policies and procedures to limit access to only the identified persons, and only to the identified protected health information. The policies and procedures must be based on reasonable determinations regarding the persons or classes of persons who require protected health information, and the nature of the health information they require, consistent with their job responsibilities.

For example, a hospital could implement a policy that permitted nurses access to all protected health information of patients in their ward while they are on duty. A health plan could permit its underwriting analysts unrestricted access to aggregate claims information for rate setting purposes, but require documented approval from its department manager to obtain specific identifiable claims records of a member for the purpose of determining the cause of unexpected claims that could influence renewal premium rate setting.

The ‘‘minimum necessary’’ standard is intended to reflect and be consistent with, not override, professional judgment and standards. For example, we expect that covered entities will implement policies that allow persons involved in treatment to have access to the entire record, as needed.
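As an added example (not text or code from the rule or from HHS), the following Python encodes the hospital and health plan illustrations above as a role-based ‘‘minimum necessary’’ policy for uses of protected health information: each workforce class is mapped to the categories of PHI it needs and to the conditions attached to that access (nurses: patients in their own ward while on duty; underwriting analysts: aggregate claims freely, identifiable claims only with documented manager approval; persons involved in treatment: the entire record). Anything not identified as a need is denied. Role names, category labels and the AccessRequest fields are assumptions chosen for the example.

```python
"""Role-based 'minimum necessary' access policy for uses of PHI.

Added example, not text or code from the rule. Role names, PHI category labels
and the fields of AccessRequest are assumptions chosen to mirror the hospital
and health plan illustrations in the preamble.
"""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    category: str                       # e.g. "full_record", "aggregate_claims"
    patient_ward: Optional[str] = None  # ward of the patient whose PHI is requested
    user_ward: Optional[str] = None     # ward the requesting user is assigned to
    on_duty: bool = False
    approval_doc: Optional[str] = None  # reference to documented manager approval


@dataclass(frozen=True)
class Grant:
    """One PHI category a workforce class may use, plus the condition on that use."""
    category: str
    condition: Callable[[AccessRequest], bool] = lambda r: True
    reason: str = ""


def same_ward_on_duty(r: AccessRequest) -> bool:
    return r.on_duty and r.patient_ward is not None and r.patient_ward == r.user_ward


def documented_approval(r: AccessRequest) -> bool:
    return bool(r.approval_doc)


# Policy: which classes of the workforce need which PHI, under what conditions.
# Anything not listed is denied: the policy identifies needs, not exclusions.
POLICY: dict[str, list[Grant]] = {
    "nurse": [Grant("full_record", same_ward_on_duty, "patients in own ward while on duty")],
    "treating_physician": [Grant("full_record", reason="treatment: entire record as needed")],
    "underwriting_analyst": [
        Grant("aggregate_claims", reason="rate setting on aggregate data"),
        Grant("identifiable_claims", documented_approval, "manager approval on file"),
    ],
    "billing_clerk": [Grant("billing", reason="payment")],
}


def decide(req: AccessRequest) -> tuple[bool, str]:
    """Evaluate a use of PHI against POLICY; returns (allowed, reason)."""
    grants = POLICY.get(req.role)
    if grants is None:
        return False, f"role {req.role!r} has no identified PHI needs"
    for g in grants:
        if g.category == req.category:
            if g.condition(req):
                return True, g.reason
            return False, f"condition not met for {req.category}: {g.reason}"
    return False, f"{req.category} not identified as necessary for {req.role}"


if __name__ == "__main__":
    for r in (
        AccessRequest("n.ortiz", "nurse", "full_record", "4W", "4W", on_duty=True),
        AccessRequest("n.ortiz", "nurse", "full_record", "4W", "5E", on_duty=True),
        AccessRequest("u.chen", "underwriting_analyst", "identifiable_claims"),
        AccessRequest("u.chen", "underwriting_analyst", "identifiable_claims", approval_doc="APR-2041"),
    ):
        print(r.user, r.category, decide(r))
```

The returned reason string is what an access log should carry: a denial records which identified need or condition failed, and an approval records the documented justification, so the policy (not a per-request judgment) is what a reviewer later audits.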

Disclosures of Protected Health Information

For any type of disclosure that is made on a routine, recurring basis, a covered entity must implement policies and procedures (which may be standard protocols) that permit only the disclosure of the minimum protected health information reasonably necessary to achieve the purpose of the disclosure. Individual review of each disclosure is not required. Instead, under § 164.514(d)(3), these policies and procedures must identify the types of protected health information to be disclosed, the types of persons who would receive the protected health information, and the conditions that would apply for such access. We recognize that specific disclosures within a type may vary, and require that the policies address what is the norm for the type of disclosure involved. For example, a covered entity may decide to participate in research studies and therefore establish a protocol to minimize the information released for such purposes, e.g., by requiring researchers requesting disclosure of data contained in paper-based records to review the paper records on-site and to abstract only the information relevant to the research. Covered entities must develop policies and procedures (which may be standard protocols) to apply to disclosures to routinely hired types of business associates. For instance, a standard protocol could describe the subset of information that may be disclosed to medical transcription services.

For non-routine disclosures, a covered entity must develop reasonable criteria for determining, and limiting disclosure to, only the minimum amount of protected health information necessary to accomplish the purpose of the disclosure. Covered entities also must establish and implement procedures for reviewing such requests for disclosures on an individual basis in accordance with these criteria.

Disclosures to health care providers for treatment purposes are not subject to these requirements.

Covered entities’ policies and procedures must provide that disclosure of an entire medical record will not be made except pursuant to policies which specifically justify why the entire medical record is needed. For instance, disclosure of all protected health information to an accreditation group would not necessarily violate the regulation, because the entire record may be the ‘‘minimum necessary’’ for its purpose; covered entities may establish policies allowing for and justifying such a disclosure. Disclosure of the entire medical record absent such documented justification is a presumptive violation of this rule.

Requests for Protected Health Information

For requests for protected health information from other covered entities made on a routine, recurring basis, the requesting covered entities’ policies and procedures may establish standard protocols describing what information is reasonably necessary for the purposes and limiting their requests to only that information, in lieu of making this determination individually for each request. For all other requests, the policies and procedures must provide for review of the requests on an individualized basis. A request by a covered entity may be made in order to obtain information that will subsequently be disclosed to a third party, for example, to obtain information that will then be disclosed to a business associate for quality assessment purposes; such requests are subject to this requirement.

Covered entities’ policies and procedures must provide that requests for an entire medical record will not be made except pursuant to policies which specifically justify why the entire medical record is needed. For instance, a health plan’s request for all protected health information from an applicant for insurance would not necessarily violate the regulation, because the entire record may be the ‘‘minimum necessary’’ for its purpose. Covered entities may establish policies allowing for and justifying such a request. A request for the entire medical record absent such documented justification is a presumptive violation of this rule.

Reasonable Reliance

A covered entity may reasonably rely on the assertion of a requesting covered entity that it is requesting the minimum protected health information necessary for the stated purpose. A covered entity may also rely on the assertions of a professional (such as an attorney or accountant) who is a member of its workforce or its business associate regarding what protected health information he or she needs in order to provide professional services to the covered entity, when such person represents that the information requested is the minimum necessary. As we proposed in the NPRM, covered entities making disclosures to public officials that are permitted under § 164.512 may rely on the representation of a public official that the information requested is the minimum necessary.

Uses and Disclosures for Research

In making a minimum necessary determination regarding the use or disclosure of protected health information for research purposes, a covered entity may reasonably rely on documentation from an IRB or privacy board describing the protected health information needed for research and consistent with the requirements of § 164.512(i), ‘‘Uses and Disclosures for Research Purposes.’’ A covered entity may also reasonably rely on a representation made by the requestor that the information is necessary to prepare a research protocol or for research on decedents. The covered entity must ensure that the representation or documentation of IRB or privacy board approval it obtains from a researcher describes with sufficient specificity the protected health information necessary for the research. Covered entities must use or disclose such protected health information in a manner that minimizes the scope of the use or disclosure.

Standards for Electronic Transactions

We clarify that under § 164.502(b)(2)(v), covered entities are not required to apply the minimum necessary standard to the required or situational data elements specified in the implementation guides for HIPAA administrative simplification standard transactions in the Transactions Rule. The standard does apply for uses or disclosures in standard transactions that are made at the option of the covered entity.

Section 164.514(e)—Marketing

In the proposed rule, we would have required covered entities to obtain the individual’s authorization in order to use or disclose protected health information to market health and non-health items and services.

We have made a number of changes in the final rule that relate to marketing. In the final rule, we retain the general rule that covered entities must obtain the individual’s authorization before making uses or disclosures of protected health information for marketing. However, we add a new definition of ‘‘marketing’’ that clarifies that certain activities, such as communications made by a covered entity for the purpose of describing the products and services it provides, are not marketing. See § 164.501 and the associated preamble regarding the definition of marketing. In the final rule we also permit covered entities to use and disclose protected health information for certain marketing activities without individual authorization, subject to conditions enumerated at § 164.514(e).

First, § 164.514(e) permits a covered entity to use or disclose protected health information without individual authorization to make a marketing communication if the communication occurs in a face-to-face encounter with the individual. This provision would permit a covered entity to discuss any services and products, including those of a third party, without restriction during a face-to-face communication. A covered entity also could give the individual sample products or other information in this setting.

Second, we permit a covered entity to use or disclose protected health information without individual authorization to make marketing communications involving products or services of only nominal value. This provision ensures that covered entities do not violate the rule when they distribute calendars, pens and other merchandise that generally promotes the covered entity.

Third, we permit a covered entity to use or disclose protected health information without individual authorization to make marketing communications about the health-related products or services of the covered entity or of a third party if the communication: (1) Identifies the covered entity as the party making the communication; (2) to the extent that the covered entity receives direct or indirect remuneration from a third party for making the communication, prominently states that fact; (3) except in the case of a general communication (such as a newsletter), contains instructions describing how the individual may opt out of receiving future communications about health-related products and services; and (4) where protected health information is used to target the communication about a product or service to individuals based on their health status or health condition, explains why the individual has been targeted and how the product or service relates to the health of the individual. The final rule also requires a covered entity to make a determination, prior to using or disclosing protected health information to target a communication to individuals based on their health status or condition, that the product or service may be beneficial to the health of the type or class of individual targeted to receive the communication.

This third provision accommodates the needs of health care entities to be able to discuss their own health-related products and services, or those of third parties, as part of their everyday business and as part of promoting the health of their patients and enrollees. The provision is restricted to uses by covered entities or disclosures to their business associates pursuant to a contract that requires confidentiality, ensuring that protected health information is not distributed to third parties. To provide individuals with a better understanding of how their protected health information is being used for marketing, the provision requires that the communication identify that the covered entity is the source of the communication; a covered entity may not send out information about the product of a third party without disclosing to the individual where the communication originated. We also require covered entities to disclose any direct or indirect remuneration from third parties. This requirement permits individuals to better understand why they are receiving a communication, and to weigh the extent to which their information is being used to promote their health or to enrich the covered entity. Covered entities also are required to include in their communication (unless it is a general newsletter or similar device) how the individual may prevent further communications about health-related products and services. This provision enhances individuals’ control over how their information is being used. Finally, where a covered entity targets communications to individuals on the basis of their health status or condition, we require that the entity make a determination that the product or service being communicated may be beneficial to the health of the type of individuals targeted, and that the communication to the targeted individuals explain why they have been targeted and how the product or service relates to their health. This final provision balances the advantages that accrue from health care entities informing their patients and enrollees of new or valuable health products with individuals’ expectations that their protected health information will be used to promote their health.

Section 164.514(f)—Fundraising

We proposed in the NPRM to require covered entities to obtain authorization from an individual in order to use the individual’s protected health information for fundraising activities.

As noted in § 164.501, in the final rule we define fundraising on behalf of a covered entity to be a health care operation. In § 164.514, we permit a covered entity to use protected health information without individual authorization for fundraising on behalf of itself, provided that it limits the information that it uses to demographic information about the individual and the dates that it has provided service to the individual (see the § 164.501 discussion of ‘‘health care operations’’). In addition, we require fundraising materials to explain how the individual may opt out of any further fundraising communications, and covered entities are required to honor such requests. We permit a covered entity to disclose the limited protected health information to a business associate for fundraising on its own behalf. We also permit a covered entity to disclose the information to an institutionally related foundation.

By ‘‘institutionally related foundation,’’ we mean a foundation that qualifies as a nonprofit charitable foundation under section 501(c)(3) of the Internal Revenue Code and that has in its charter statement of charitable purposes an explicit linkage to the covered entity. An institutionally related foundation may, as explicitly stated in its charter, support the covered entity as well as other covered entities or health care providers in its community. For example, a covered hospital may disclose for fundraising on its own behalf the specified protected health information to a nonprofit foundation established for the specific purpose of raising funds for the hospital or to a foundation that has as its mission the support of the members of a particular hospital chain that includes the covered hospital. The term does not include an organization with a general charitable purpose, such as to support research about or to provide treatment for certain diseases, that may give money to a covered entity, because its charitable purpose is not specific to the covered entity.

Section 164.514(g)—Underwriting

As described under the definition of ‘‘health care operations’’ (§ 164.501), protected health information may be used or disclosed for underwriting and other activities relating to the creation, renewal, or replacement of a contract of health insurance or health benefits. This final rule includes a requirement, not included in the NPRM, that health plans receiving such information for these purposes may not use or disclose it for any other purpose, except as may be required by law, if the insurance or benefits contract is not placed with the health plan.

Section 164.514(h)—Verification of Identity and Authority of Persons Requesting Protected Health Information

Disclosure of Protected Health Information

We reorganize the provision regarding verification of identity of individuals requesting protected health information to improve clarity, but we retain the substance of requirements proposed in the NPRM in § 164.518(c), as follows.

The covered entity must establish and use written policies and procedures (which may be standard protocols) that are reasonably designed to verify the identity and authority of the requestor where the covered entity does not know the person requesting the protected health information. The knowledge of the person may take the form of a known place of business, address, phone or fax number, as well as a known human being. Where documentation, statements or representations, whether oral or written, from the person requesting the protected health information is a condition of disclosure under this rule or other law, this verification must involve obtaining such documentation, statement, or representation. In such a case, additional verification is only required where this regulation (or other law) requires additional proof of authority and identity.

The NPRM proposed that covered entities would be permitted to rely on the required documentation of IRB or privacy board approval to constitute sufficient verification that the person making the request was a researcher and that the research is authorized. The final rule retains this provision.

For most disclosures, verifying the authority for the request means taking reasonable steps to verify that the request is lawful under this regulation. Additional proof is required by other provisions of this regulation where the request is made pursuant to § 164.512 for national priority purposes. Where the person requesting the protected health information is a public official, covered entities must verify the identity of the requester by examination of reasonable evidence, such as a written statement of identity on agency letterhead, an identification badge, or similar proof of official status. Similarly, covered entities are required to verify the legal authority supporting the request by examination of reasonable evidence, such as a written request provided on agency letterhead that describes the legal authority for requesting the release. Where § 164.512 explicitly requires written evidence of legal process or other authority before a disclosure may be made, a public official’s proof of identity and the official’s oral statement that the request is authorized by law are not sufficient to constitute the required reasonable evidence of legal authority; under these provisions, only the required written evidence will suffice.

In some circumstances, a person or entity acting on behalf of a government agency may make a request for disclosure of protected health information under these subsections. For example, public health agencies may contract with a nonprofit agency to collect and analyze certain data. In such cases, the covered entity is required to verify the requestor’s identity and authority through examination of reasonable documentation that the requestor is acting on behalf of the government agency. Reasonable evidence includes a written request provided on agency letterhead that describes the legal authority for requesting the release and states that the person or entity is acting under the agency’s authority, or other documentation, including a contract, a memorandum of understanding, or purchase order that confirms that the requestor is acting on behalf of the government agency.

In some circumstances, identity or authority will be verified as part of meeting the underlying requirements for disclosure. For example, a disclosure under § 164.512(j)(1)(i) to avert an imminent threat to safety is lawful only if made in the good faith belief that the disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public, and to a person reasonably able to prevent or lessen the threat. If these conditions are met, no further verification is needed. In such emergencies, the covered entity is not required to demand written proof that the person requesting the protected health information is legally authorized. Reasonable reliance on verbal representations is appropriate in such situations.

Similarly, disclosures permitted under § 164.510(a) for facility directories may be made to the general public; the covered entity’s policies and procedures do not need to address verifying the identity and authority for these disclosures. In § 164.510(b) we do not require verification of identity for persons assisting in an individual’s care or for notification purposes. For disclosures when the individual is not present, such as when a friend is picking up a prescription, we allow the covered entity to use professional judgment and experience with common practice to make reasonable inferences.

Under § 164.524, a covered entity is required to give individuals access to protected health information about them (under most circumstances). Under the general verification requirements of § 164.514(h), the covered entity is required to take reasonable steps to verify the identity of the individual making the request. We do not mandate particular identification requirements (e.g., driver’s license, photo ID), but rather leave this to the discretion of the covered entity. The covered entity must also establish and document procedures for verification of identity and authority of personal representatives, if not known to the entity. For example, a health care provider can require a copy of a power of attorney, or can ask questions to determine that an adult acting for a young child has the requisite relationship to the child.

In Subpart C of Part 160, we require disclosure to the Secretary for purposes of enforcing this regulation. When a covered entity is asked by the Secretary to disclose protected health information for compliance purposes, the covered entity must verify the same information that it is required to verify for any other law enforcement or oversight request for disclosure.

Use of Protected Health Information

The proposed rule’s verification requirements applied to any person requesting protected health information, whether for a use or a disclosure. In the final regulation, the verification provisions apply only to disclosures of protected health information. The requirements in § 164.514(d), for implementation of policies and procedures for ‘‘minimum necessary’’ uses of protected health information, are sufficient to ensure that only appropriate persons within a covered entity will have access to protected health information.

Section 164.520—Notice of Privacy Practices for Protected Health Information

Section 164.520(a)—Right to Notice

We proposed to establish a right for individuals to receive adequate notice of how covered health care providers and health plans use and disclose protected health information, and of the individual’s rights with respect to that information.

In the final regulation, we retain the general right for individuals to receive, and the requirement for covered entities to produce, a notice of privacy practices, with significant modifications to the content and distribution requirements.

We also modify the requirements with respect to certain covered entities. First, in § 164.500(b)(2), we clarify that a health care clearinghouse that creates or receives protected health information other than as a business associate of a covered entity must produce a notice. If a health care clearinghouse creates or receives protected health information only as a business associate of other covered entities, it is not required to produce a notice.

82548 Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations

Second, in § 164.520(a)(2), we clarify the notice requirements with respect to group health plans. Individuals who receive health benefits under a group health plan other than through insurance are entitled to a notice from the group health plan; self-insured group health plans must maintain a notice that meets the requirements of this section and must provide the notice in accordance with the requirements of § 164.520(c). At a minimum, the self-insured group health plan’s notice must describe the group health plan’s privacy practices with respect to the protected health information it creates or receives through its self-insured arrangements. For example, if a group health plan maintains both fully-insured and self-insured arrangements, the group health plan must, at a minimum, maintain and provide a notice that describes its privacy practices with respect to protected health information it creates or receives through the self-insured arrangements. This notice would be distributed to all participants in the self-insured arrangements (in accordance with § 164.520(c)(1)) and would also be available on request to other persons, including participants in the fully-insured arrangements.

Individuals who receive health benefits under a group health plan through an insurance contract (i.e., a fully-insured group health plan) are entitled to a notice from the issuer or HMO through which they receive their health benefits. The health insurance issuer or HMO must maintain and provide the notice in accordance with § 164.520(c)(1). In addition, some fully-insured group health plans are required to maintain and provide a notice of the group health plan’s privacy practices. If a group health plan provides health benefits solely through an insurance contract with a health insurance issuer or HMO, and the group health plan creates or receives protected health information in addition to summary information (as defined in § 164.504(a)) and information about individuals’ enrollment in or disenrollment from a health insurance issuer or HMO offered by the group health plan, the group health plan must maintain a notice that meets the requirements of this section and must provide the notice upon request of any person. The group health plan is not required to meet the other distribution requirements of § 164.520(c)(1). Individuals enrolled in such group health plans have the right to notice of the health insurance issuer or HMO’s privacy practices and, on request, to notice of the group health plan’s privacy practices. If the group health plan, however, provides health benefits solely through an insurance contract with a health insurance issuer or HMO, and the only protected health information the group health plan creates or receives is summary information (as defined in § 164.504(a)) and information about individuals’ enrollment in or disenrollment from a health insurance issuer or HMO offered by the group health plan, the group health plan is not required to maintain or provide a notice under this section. In this case, the individuals enrolled in the group health plan would receive notice of the health insurance issuer or HMO’s privacy practices, but would not be entitled to notice of the group health plan’s privacy practices.

Third, in § 164.520(a)(3), we clarify that inmates do not have a right to notice under this section and a correctional institution that is a covered entity is not required to produce a notice. No person, including a current or former inmate, has the right to notice of such a covered entity’s privacy practices.

Section 164.520(b)—Content of Notice

We proposed to require the notice to be written in plain language and contain each of the following elements: a description of the uses and disclosures expected to be made without individual authorization; statements that other uses and disclosures would be made only with the individual’s authorization and that the individual could revoke such authorization; descriptions of the rights to request restrictions, inspect and copy protected health information, amend or correct protected health information, and receive an accounting of disclosures of protected health information; statements about the entity’s legal requirements to protect privacy, provide notice, and adhere to the notice; a statement about how individuals would be informed of changes to the entity’s policies and procedures; instructions on how to make complaints with the entity or Secretary; the name and telephone number of a contact person or office; and the date the notice was produced. We provided a model notice of information policies and procedures for covered health care providers.

In § 164.520(b), and immediately below in this preamble, we describe the notice content requirements for the final rule. As described in detail below, we make substantial changes to the uses and disclosures of protected health information that must be described in the notice. Unlike the proposed rule, we do not include a model notice. We intend to develop further guidance on notice requirements prior to the compliance date of this rule. In this section of the final rule, we also refer to the covered entity’s privacy “practices,” rather than its “policies and procedures.” The purpose of this change in vocabulary is to clarify that a covered entity’s “policies and procedures” is a detailed documentation of all of the entity’s privacy practices as required under this rule, not just those described in the notice. For example, we require covered entities to have policies and procedures implementing the requirements for “minimum necessary” uses and disclosures of protected health information, but these policies and procedures need not be reflected in the entity’s notice. Similarly, we require covered entities to have policies and procedures for assuring individuals access to protected health information about them. While such policies and procedures will need to include documentation of the designated record sets subject to access, who is authorized to determine when information will be withheld from an individual, and similar details, the notice need only explain generally that individuals have the right to inspect and copy information about them, and tell individuals how to exercise that right.

A covered entity that adopts and follows the notice content and distribution requirements described below will have provided adequate notice. However, the requirements for the content of the notice are not intended to be exclusive. As with the rest of the rule, we specify minimum requirements, not best practices. Covered entities may want to include more detail. We note that all federal agencies must still comply with the Privacy Act of 1974. This means that federal agencies that are covered entities or have covered health care components must comply with the notice requirements of the Privacy Act as well as those included in this rule.

In addition, covered entities may want or be required to produce more than one notice in order to satisfy the notice content requirements under this rule. For example, a covered entity that conducts business in multiple states with different laws regarding the uses and disclosures that the covered entity is permitted to make without authorization may be required to produce a different notice for each state. A covered entity that conducts business both as part of an organized health care arrangement or affiliated covered entity and as an independent enterprise (e.g., a physician who sees patients through an on-call arrangement with a hospital and through an independent private practice) may want to adopt different privacy practices with respect to each line of business; such a covered entity would be required to produce a different notice describing the practices for each line of business. Covered entities must produce notices that accurately describe the privacy practices that are relevant to the individuals receiving the notice.

Required Elements

Plain Language

As in the proposed rule, we require the notice to be written in plain language. A covered entity can satisfy the plain language requirement if it makes a reasonable effort to: organize material to serve the needs of the reader; write short sentences in the active voice, using “you” and other pronouns; use common, everyday words in sentences; and divide material into short sections.

We do not require particular formatting specifications, such as easy-to-read design features (e.g., lists, tables, graphics, contrasting colors, and white space), type face, and font size. However, the purpose of the notice is to inform the recipients about their rights and how protected health information collected about them may be used or disclosed. Recipients who cannot understand the covered entity’s notice will miss important information about their rights under this rule and about how the covered entity is protecting health information about them. One of the goals of this rule is to create an environment of open communication and transparency with respect to the use and disclosure of protected health information. A lack of clarity in the notice could undermine this goal and create misunderstandings. Covered entities have an incentive to make their notice statements clear and concise. We believe that the more understandable the notice is, the more confidence the public will have in the covered entity’s commitment to protecting the privacy of health information.

It is important that the content of the notice be communicated to all recipients and therefore we encourage the covered entity to consider alternative means of communicating with certain populations. We note that any covered entity that is a recipient of federal financial assistance is generally obligated under Title VI of the Civil Rights Act of 1964 to provide material ordinarily distributed to the public in the primary languages of persons with limited English proficiency in the recipients’ service areas. Specifically, this Title VI obligation provides that, where a significant number or proportion of the population eligible to be served or likely to be directly affected by a federally assisted program needs service or information in a language other than English in order to be effectively informed of or participate in the program, the recipient shall take reasonable steps, considering the scope of the program and the size and concentration of such population, to provide information in languages appropriate to such persons. For covered entities not subject to Title VI, the Title VI standards provide helpful guidance for effectively communicating the content of their notices to non-English speaking populations.

We also encourage covered entities to be attentive to the needs of individuals who cannot read. For example, an employee of the covered entity could read the notice to individuals upon request or the notice could be incorporated into a video presentation that is played in the waiting area.

Header

Unlike the proposed rule, covered entities must include prominent and specific language in the notice that indicates the importance of the notice. This is the only specific language we require covered entities to include in the notice. The header must read, “THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.”

Uses and Disclosures

We proposed to require covered entities to describe in plain language the uses and disclosures of protected health information, and the covered entity’s policies and procedures with respect to such uses and disclosures, that the health plan or covered provider expected to make without individual authorization. The covered provider or health plan would have had to distinguish between those uses and disclosures required by law and those permitted but not required by law.

We also proposed to require covered health care providers and health plans to state in the notice that all other uses and disclosures would be made only with the individual’s authorization and that such authorization could be revoked. The notice would also have been required to state that the individual could request restrictions on certain uses and disclosures and that the covered entity would not be required to agree to such a request.

We significantly modify these requirements in the final rule. Covered entities must describe all uses and disclosures of protected health information that they are permitted or required to make under this rule without authorization, including those uses and disclosures subject to the consent requirements under § 164.506. If other applicable law prohibits or materially limits the covered entity’s ability to make any uses or disclosures that would otherwise be permitted under the rule, the covered entity must describe only the uses and disclosures permitted under the more stringent law.

Covered entities must separately describe each purpose for which they are permitted to use or disclose protected health information under this rule without authorization, and must do so in sufficient detail to place the individual on notice of those uses and disclosures. With respect to uses and disclosures to carry out treatment, payment, and health care operations, the description must include at least one example of the types of uses and disclosures that the covered entity is permitted to make. This requirement is intended to inform individuals of all the uses and disclosures that the covered entity is legally required or permitted to make under applicable law, even if the covered entity does not anticipate actually making such uses and disclosures. We do not require covered entities to distinguish in their notices between those uses and disclosures required by law and those permitted but not required by law.

Unlike the proposed rule, we additionally require covered entities that wish to contact individuals for any of the following activities to list these activities in the notice: providing appointment reminders, describing or recommending treatment alternatives, providing information about health-related benefits and services that may be of interest to the individual, or soliciting funds to benefit the covered entity. If the covered entity does not include these statements in its notice, it is prohibited from using or disclosing protected health information for these activities without authorization. See § 164.502(i).

In addition, if a group health plan, or a health insurance issuer or HMO with respect to a group health plan, wants the option to disclose protected health information to a group health plan sponsor without authorization as permitted under § 164.504(f), the group health plan, health insurance issuer or HMO must describe that practice in its notice.

As in the proposed rule, the notice must state that all other uses and disclosures will be made only with the individual’s authorization and that the individual has the right to revoke such authorization.

We anticipate this requirement will lead to significant standardization of the notice. This language could be the same for every covered entity of a particular type within a state, territory, or other locale. We encourage states, state professional associations, and other organizations to develop model language to assist covered entities in preparing their notices.

Individual Rights

As in the proposed rule, covered entities must describe individuals’ rights under the rule and how individuals may exercise those rights with respect to the covered entity. Covered entities must describe each of the following rights, as provided under the rule: the right to request restrictions on certain uses and disclosures, including a statement that the covered entity is not required to agree to a requested restriction (§ 164.522(a)); the right to receive confidential communications of protected health information (§ 164.522(b)); the right to inspect and copy protected health information (§ 164.524); the right to amend protected health information (§ 164.526); and the right to an accounting of disclosures of protected health information (§ 164.528). We additionally require the notice to describe the right of an individual, including an individual that has agreed to receive the notice electronically, to obtain a paper copy of the notice upon request.

Covered Entity’s Duties

As in the proposed rule, covered entities must state in the notice that they are required by law to maintain the privacy of protected health information, to provide a notice of their legal duties and privacy practices, and to abide by the terms of the notice currently in effect. In the final rule, we additionally require the covered entity, if it wishes to reserve the right to change its privacy practices and apply the revised practices to protected health information previously created or received, to make a statement to that effect and describe how it will provide individuals with a revised notice. (See below for a more detailed discussion of a covered entity’s responsibilities when it changes its privacy practices.)

Complaints

As in the proposed rule, a covered entity’s notice must inform individuals about how they can lodge complaints with the covered entity if they believe their privacy rights have been violated. See § 164.530(d) and the corresponding preamble discussion for the requirements on covered entities for receiving complaints. The notice must also state that individuals may file complaints with the Secretary. In the final rule, we additionally require the notice to include a statement that the individual will not suffer retaliation for filing a complaint.

Contact

As in the proposed rule, the notice must identify a point of contact where the individual can obtain additional information about any of the matters identified in the notice.

Effective Date

The notice must include the date the notice went into effect, rather than the proposed requirement to include the date the notice was produced. The effective date cannot be earlier than the date on which the notice was first printed or otherwise published. Covered entities may wish to highlight or otherwise emphasize any material modifications that they have made, in order to help the individual recognize such changes.

Optional Elements

As described above, we proposed to require covered entities to describe the uses and disclosures of protected health information that the covered entity in fact expected to make without the individual’s authorization. We did not specify any optional elements.

While the final rule requires covered entities to describe all of the types of uses and disclosures permitted or required by law (not just those that the covered entity intends to make), we also permit and encourage covered entities to include optional elements that describe the actual, more limited, uses and disclosures they intend to make without authorization. We anticipate that some covered entities will want to distinguish themselves on the basis of their more stringent privacy practices. For example, covered health care providers who routinely treat patients with particularly sensitive conditions may wish to assure their patients that, even though the law permits them to disclose information for a wide array of purposes, the covered health care provider will only disclose information in very specific circumstances, as required by law, and to avert a serious and imminent threat to health or safety. A covered entity may not include statements in the notice that purport to limit the entity’s ability to make uses or disclosures that are required by law or necessary to avert a serious and imminent threat to health or safety.

As described above, if the covered entity wishes to reserve the right to change its privacy practices with respect to the more limited uses and disclosures and apply the revised practices to protected health information previously created or received, it must make a statement to that effect and describe how it will provide individuals with a revised notice. (See below for a more detailed discussion of a covered entity’s responsibilities when it changes its privacy practices.)

Revisions to the Notice

We proposed to require a covered entity to adhere to the terms of its notice, and would have permitted it to change its information policies and procedures at any time. We would have required covered health care providers and health plans to update the notice to reflect material changes to the information policies and procedures described in the notice. Changes to the notice would have applied to all protected health information held by the covered entity, including information collected under prior notices. That is, we would not have required covered entities to segregate their records according to the notice in effect at the time the record was created. We proposed to prohibit covered entities from implementing a change to an information policy or procedure described in the notice until the notice was updated to reflect the change, unless a compelling reason existed to make a use or disclosure or take other action that the notice would not have permitted. In these situations, we proposed to require covered entities to document the compelling reason and, within 30 days of the use, disclosure, or other action, change their notice to permit the action.

As in the proposed rule, covered entities are required to adhere to the terms of the notice currently in effect. See § 164.502(i). When a covered entity materially changes any of the uses or disclosures, the individual’s rights, the covered entity’s legal duties, or other privacy practices described in its notice, it must promptly revise its notice accordingly. See § 164.520(b)(3). (Pursuant to § 164.530(i), it must also revise its policies and procedures.) Except when required by law, a material change to any term in the notice may not be implemented prior to the effective date of the notice in which such material change is reflected. In the final rule, however, we revise the circumstances under and extent to which the covered entity may revise the practices stated in the notice and apply the new practices to protected health information it created or received under prior notice.

Under § 164.530(i), a covered entity that wishes to change its practices over time without segregating its records according to the notice in effect at the time the records were created must reserve the right to do so in its notice. For example, a covered hospital that states in its notice that it will only make public health disclosures required by law, and that does not reserve the right to change this practice, is prohibited from making any discretionary public health disclosures of protected health information created or received during the effective period of that notice. If the covered hospital wishes at some point in the future to make discretionary disclosures for public health purposes, it must revise its notice to so state, and must segregate its records so that protected health information created or received under the prior notice is not disclosed for discretionary public health purposes. This hospital may then make discretionary public health disclosures of protected health information created or received after the effective date of the revised notice.

If a second covered hospital states in its notice that it will only make public health disclosures required by law, but does reserve the right to change its practices, it is prohibited from making any discretionary public health disclosures of protected health information created or received during the effective period of that notice. If this hospital wishes at some point in the future to make discretionary disclosures for public health purposes, it must revise its notice to so state, but need not segregate its records. As of the effective date of the revised notice, it may disclose any protected health information, including information created or received under the prior notice, for discretionary public health purposes.

Section 164.530(i) and the corresponding discussion in this preamble describe requirements for revision of a covered entity’s privacy policies and procedures, including the privacy practices reflected in its notice.

Section 164.520(c)—Provision of Notice

As in the proposed rule, all covered entities that are required to produce a notice must provide the notice upon request of any person. The requestor does not have to be a current patient or enrollee. We intend the notice to be a public document that people can use in choosing between covered entities.

For health plans, we proposed to require health plans to distribute the notice to individuals covered by the health plan as of the compliance date; after the compliance date, at enrollment in the health plan; after enrollment, within 60 days of a material revision to the content of the notice; and no less frequently than once every three years.

As in the proposed rule, under the final rule health plans must provide the notice to all health plan enrollees as of the compliance date. After the compliance date, health plans must provide the notice to all new enrollees at the time of enrollment and to all enrollees within 60 days of a material revision to the notice. Of course, the term “enrollees” includes participants and beneficiaries in group health plans.

Unlike the proposed rule, we do not require health plans to distribute the notice every three years. Instead, health plans must notify enrollees no less than once every three years about the availability of the notice and how to obtain a copy.

We also clarify that, in each of these circumstances, if a named insured and one or more dependents are covered by the same policy, the health plan can satisfy the distribution requirement with respect to the dependents by sending a single copy of the notice to the named insured. For example, if an employee of a firm and her three dependents are all covered under a single health plan policy, that health plan can satisfy the initial distribution requirement by sending a single copy of the notice to the employee rather than sending four copies, each addressed to a different member of the family.

We further clarify that if a health plan has more than one notice, it satisfies its distribution requirement by providing the notice that is relevant to the individual or other person requesting the notice. For example, a health insurance issuer may have contracts with two different group health plans. One contract specifies that the issuer may use and disclose protected health information about the participants in the group health plan for research purposes without authorization (subject to the requirements of this rule) and one contract specifies that the issuer must always obtain authorizations for these uses and disclosures. The issuer accordingly develops two notices reflecting these different practices and satisfies its distribution requirements by providing the relevant notice to the relevant group health plan participants.

We proposed to require covered health care providers with face-to-face contact with individuals to provide the notice to all such individuals at the first service delivery to the individual during the one year period after the compliance date. After this one year period, covered providers with face-to-face contact with individuals would have been required to distribute the notice to all new patients at the first service delivery. Covered providers without face-to-face contact with individuals would have been required to provide the notice in a reasonable period of time following first service delivery.

We proposed to require all covered providers to post the notice in a clear and prominent location where it would be reasonable to expect individuals seeking services from the covered provider to be able to read the notice. We would have required revisions to be posted promptly.

In the final rule, we vary the distribution requirements according to whether the covered health care provider has a direct treatment relationship with an individual, rather than whether the covered health care provider has face-to-face contact with an individual. See § 164.501 and the corresponding discussion in this preamble regarding the definition of indirect treatment relationship.

Covered health care providers that have direct treatment relationships with individuals must provide the notice to such individuals as of the first service delivery after the compliance date. This requirement applies whether the first service is delivered electronically or in person. Covered providers may satisfy this requirement by sending the notice to all of their patients at once, by giving the notice to each patient as he or she comes into the provider’s office or facility or contacts the provider electronically, or by some combination of these approaches. Covered providers that maintain a physical service delivery site must prominently post the notice where it is reasonable to expect individuals seeking service from the provider to be able to read the notice. The notice must also be available on site for individuals to take on request. In the event of a revision to the notice, the covered provider must promptly post the revision and make it available on site.

Covered health care providers that have indirect treatment relationships with individuals are only required to produce the notice upon request, as described above.

The proposed rule was silent regarding electronic distribution of the notice. Under the final rule, a covered entity that maintains a web site describing the services and benefits it offers must make its privacy notice prominently available through the site.

A covered entity may satisfy the applicable distribution requirements described above by providing the notice to the individual electronically, if the individual agrees to receiving materials from the covered entity electronically and the individual has not withdrawn his or her agreement. If the covered entity knows that the electronic transmission has failed, the covered entity must provide a paper copy of the notice to the individual.

If an individual’s first service delivery from a covered provider occurs electronically, the covered provider must provide electronic notice automatically and contemporaneously in response to the individual’s first request for service. For example, the first time an individual requests to fill a prescription through a covered internet pharmacy, the pharmacy must automatically and contemporaneously provide the individual with the pharmacy’s notice of privacy practices. An individual that receives a covered entity’s notice electronically retains the right to request a paper copy of the notice as described above. This right must be described in the notice.

We note that the Electronic Signatures in Global and National Commerce Act (Pub. L. 106–229) may apply to documents required under this rule to be provided in writing. We do not intend to affect the application of that law to documents required under this rule.

Section 164.520(d)—Joint Notice by Separate Covered Entities

The proposed rule was silent regarding the ability of legally separate covered entities to produce a single notice.

In the final rule, we allow covered entities that participate in an organized health care arrangement to comply with this section by producing a single notice that describes their combined privacy practices. See § 164.501 and the corresponding preamble discussion regarding the definition of organized health care arrangement. (We note that, under § 164.504(d), covered entities that are under common ownership or control may designate themselves as a single affiliated covered entity. Joint notice requirements do not apply to such entities. Single affiliated covered entities must produce a single notice, consistent with the requirements described above for any other covered entity. Covered entities under common ownership or control that elect not to designate themselves as a single affiliated covered entity, however, may elect to produce a joint notice if they meet the definition of an organized health care arrangement.)

The joint notice must meet all of the requirements described above. The covered entities must agree to abide by the terms of the notice with respect to protected health information created or received by the covered entities as part of their participation in the organized health care arrangement. In addition, the joint notice must reasonably identify the covered entities, or class of covered entities, to which the joint notice applies and the service delivery sites, or classes of service delivery sites, to which the joint notice applies. If the covered entities participating in the organized health care arrangement will share protected health information with each other as necessary to carry out treatment, payment, or health care operations relating to the arrangement, that fact must be stated in the notice.

Typical examples where this policy may be useful are health care facilities where physicians and other providers who have offices elsewhere also provide services at the facility (e.g. hospital staff privileges, physicians visiting their patients at a residential facility). In these cases, a single notice may cover both the physician and the facility, if the above conditions are met. The physician is required to have a separate notice covering the privacy practices at the physician’s office if those practices are different than the practices described in the joint notice.

If any one of the covered entities included in the joint notice distributes the notice to an individual, as required above, the distribution requirement is met for all of the covered entities included in the joint notice.

Section 164.520(e)—Documentation

As in the proposed rule, we establish documentation requirements for covered entities subject to this provision. In the final rule, we specify that covered entities must retain copies of the notice(s) they issue in accordance with § 164.530(j). See § 164.530(j) and the corresponding preamble discussion for further description of the documentation requirements.

Section 164.522—Rights To Request Privacy Protection for Protected Health Information

Section 164.522(a)—Right of An Individual To Request Restriction of Uses and Disclosures

We proposed that individuals have the right to request that a covered health care provider restrict the use or disclosure of protected health information for treatment, payment, or health care operations. Providers would not have been required to agree to requested restrictions. However, a covered provider that agreed to a restriction could not use or disclose protected health information inconsistent with the restriction. The requirement would not have applied to permissible uses or disclosures under proposed § 164.510, including uses and disclosures in emergency circumstances under proposed § 164.510(k); when the health care services provided were emergency services; or to required disclosures to the Secretary under proposed § 164.522. We would have required covered providers to have procedures for individuals to request restrictions, for agreed-upon restrictions to be documented, for the provider to honor such restrictions, and for notification of the existence of a restriction to others to whom such protected health information is disclosed.

In the final rule, we retain the general right of an individual to request that uses and disclosures of protected health information be restricted and the requirement for covered entities to adhere to restrictions to which they have agreed. However, we include some significant changes and clarifications.

Under the final rule, we extend the right to request restrictions to health plans and to health care clearinghouses that create or receive protected health information other than as a business associate of another covered entity. All covered entities must permit individuals to request that uses and disclosures of protected health information to carry out treatment, payment, and health care operations be restricted and must adhere to restrictions to which they have agreed. A covered entity is not required to agree to a restriction. We note that restrictions between an individual and a covered entity for these or other purposes may be otherwise enforceable under other law.

Under § 164.522(a)(1)(i)(B), the right to request restrictions applies to disclosures to persons assisting in the individual’s care under § 164.510(b). An individual may request that a covered entity agree not to disclose protected health information to persons assisting with the individual’s care, even if such disclosure is permissible in accordance with § 164.510(b). For example, if an individual requests that a covered entity never disclose protected health information to a particular family member, and the covered entity agrees to that restriction, the covered entity is prohibited from disclosing protected health information to that family member, even if the disclosure would otherwise be permissible under § 164.510(b). We note that individuals additionally have the opportunity to agree or object to disclosures to persons assisting in the individual’s care under § 164.510(b)(2). The individual retains the right to agree or object to such disclosures under § 164.510(b)(2), in accordance with the standards of that provision, regardless of whether the individual has requested a restriction under § 164.522(a). See § 164.510(b) and the corresponding preamble discussion regarding the individual’s right to agree or object to disclosures to persons assisting in the individual’s care.

In §§ 164.522(a)(1)(iii) and (iv) we clarify the requirements with respect to emergency treatment situations. In emergency treatment situations, a covered entity that has agreed to a restriction may use, or disclose to a health care provider, restricted protected health information that is necessary to provide the emergency treatment. If the covered entity discloses restricted protected health information to a health care provider for emergency treatment purposes, it must request that the provider not further use or disclose the information. We expect covered entities to consider the need for access to protected health information for treatment purposes when considering a request for a restriction, to discuss this need with the individual making the request for restriction, and to agree to restrictions that will not foreseeably impede the individual’s treatment. Therefore, we expect covered entities will rarely need to use or disclose restricted protected health information in emergency treatment situations. We do not intend, however, to adversely impact the delivery of health care. We therefore provide a means for the use and disclosure of restricted protected health information in emergency treatment situations, where an unexpected need for the information could arise and there is insufficient time to secure the individual’s permission to use or disclose the restricted information.

In § 164.522(a)(1)(v) we clarify that restrictions are not effective under this rule to prevent uses and disclosures required by § 164.502(a)(2)(ii) or permitted under § 164.510(a) (regarding facility directories) or § 164.512 (regarding uses and disclosures for which consent, individual authorization, or opportunity to agree or object is not required). Covered entities are permitted to agree to such restrictions, but if they do so, the restrictions are not enforceable under this rule. For example, a provider who makes a disclosure under § 164.512(j)(1)(i) relating to serious and imminent threats will not be in violation of this rule even if the disclosure is contrary to a restriction agreed to under this paragraph.

In § 164.522(a)(2) we clarify a covered entity’s ability to terminate a restriction to which it has agreed. A covered entity may terminate a restriction with the individual’s written or oral agreement. If the individual’s agreement is obtained orally, the covered entity must document that agreement. A note in the medical record or similar notation is sufficient documentation. If the individual agrees to terminate the restriction, the covered entity may use and disclose protected health information as otherwise permitted under the rule. If the covered entity wants to terminate the restriction without the individual’s agreement, it may only terminate the restriction with respect to protected health information it creates or receives after it informs the individual of the termination. The restriction continues to apply to protected health information created or received prior to informing the individual of the termination. That is, any protected health information that had been collected before the termination may not be used or disclosed in a way that is inconsistent with the restriction, but any information that is collected after informing the individual of the termination of the restriction may be used or disclosed as otherwise permitted under the rule.

In § 164.522(a)(3), we clarify that a covered entity must document a restriction to which it has agreed. We do not require a specific form of documentation; a note in the medical record or similar notation is sufficient. The documentation must be retained for six years from the date it was created or the date it was last in effect, whichever is later, in accordance with § 164.530(j).

We eliminate the requirement from the NPRM for covered entities to inform persons to whom they disclose protected health information of the existence of any restriction on that information. A restriction is only binding on the covered entity that agreed to the restriction. We encourage covered entities to inform others of the existence of a restriction when it is appropriate to do so. We note, however, that disclosure of the existence of a restriction often amounts to a de facto disclosure of the restricted information itself. If a restriction does not permit a covered entity to disclose protected health information to a particular person, the covered entity must carefully consider whether disclosing the existence of the restriction to that person would also violate the restriction.

Section 164.522(b)—Confidential Communications Requirements

In the NPRM, we did not directly address the issue of whether an individual could request that a covered entity restrict the manner in which it communicated with the individual. As described above, the NPRM would have provided individuals with the right to request that health care providers restrict uses and disclosures of protected health information for treatment, payment and health care operations, but would not have required providers to agree to such a restriction.

In the final rule, we require covered entities to permit individuals to request that the covered entity provide confidential communications of protected health information about the individual. The requirement applies to communications from the covered entity to the individual, and also communications from the covered entity that would otherwise be sent to the named insured of an insurance policy that covers the individual as a dependent of the named insured. Individuals may request that the covered entity send such communications by alternative means or at alternative locations. For example, an individual who does not want his or her family members to know about a certain treatment may request that the provider communicate with the individual about that treatment at the individual’s place of employment, by mail to a designated address, or by phone to a designated phone number. Similarly, an individual may request that the provider send communications in a closed envelope rather than a post card, as an “alternative means.” Covered health care providers must accommodate all reasonable requests. Health plans must accommodate all reasonable requests, if the individual clearly states that the disclosure of all or part of the protected health information could endanger the individual. For example, if an individual requests that a health plan send explanations of benefits about particular services to the individual’s work rather than home address because the individual is concerned that a member of the individual’s household (e.g., the named insured) might read the explanation of benefits and become abusive towards the individual, the health plan must accommodate the request.

The reasonableness of a request made under this paragraph must be determined by a covered entity solely on the basis of the administrative difficulty of complying with the request and as otherwise provided in this section. A covered health care provider or health plan cannot refuse to accommodate a request based on its perception of the merits of the individual’s reason for making the request. A covered health care provider may not require the individual to provide a reason for the request as a condition of accommodating the request. As discussed above, a health plan is not required to accommodate a request unless the individual indicates that the disclosure could endanger the individual. If the individual indicates such endangerment, however, the covered entity cannot further consider the individual’s reason for making the request in determining whether it must accommodate the request.

A covered health care provider or health plan may refuse to accommodate a request, however, if the individual has not provided information as to how payment, if applicable, will be handled, or if the individual has not specified an alternative address or method of contact.

Section 164.524—Access of Individuals to Protected Health Information

Section 164.524(a)—Right of Access

In the NPRM, we proposed to establish a right for individuals to access (i.e., inspect and obtain a copy of) protected health information about them maintained by a covered provider or health plan, or its business partners, in a designated record set.

As in the proposed rule, in the final rule we provide that individuals have a right of access to protected health information that is maintained in a designated record set. This right applies to health plans, covered health care providers, and health care clearinghouses that create or receive protected health information other than as a business associate of another covered entity (see § 164.500(b)). In the final rule, however, we modify the definition of designated record set. For a discussion of the significant changes made to the definition of designated record set, see § 164.501 and the corresponding preamble.

Under the revised definition, individuals have a right of access to any protected health information that is used, in whole or in part, to make decisions about individuals. This information includes, for example, information used to make health care decisions or information used to determine whether an insurance claim will be paid. Covered entities often incorporate the same protected health information into a variety of different data systems, not all of which will be utilized to make decisions about individuals. For example, information systems that are used for quality control or peer review analyses may not be used to make decisions about individuals. In that case, the information systems would not fall within the definition of designated record set. We do not require entities to grant an individual access to protected health information maintained in these types of information systems.

Duration of the Right of Access

As in the proposed rule, covered entities must provide access to individuals for as long as the protected health information is maintained in a designated record set.

Exceptions to the Right of Access

In the NPRM, we proposed to establish a right for individuals to access any protected health information maintained in a designated record set. Though we proposed to permit covered entities to deny access in certain situations relating to the particular individual requesting access, we did not specifically exclude any protected health information from the right of access.

In the final rule, we specify three types of information to which individuals do not have a right of access, even if the information is maintained in a designated record set. They are psychotherapy notes, information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding, and certain protected health information maintained by a covered entity that is subject to or exempted from the Clinical Laboratory Improvements Amendments of 1988 (CLIA). Covered entities may, but are not required to, provide access to this information.

First, unlike the proposed rule, we specify that individuals do not have a right of access to psychotherapy notes.

Second, individuals do not have a right of access to information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding. In the NPRM, we would have permitted covered entities to deny a request for access to protected health information compiled in reasonable anticipation of, or for use in, a legal proceeding. We change the language in the final rule to clarify that a legal proceeding includes civil, criminal, and administrative actions and proceedings. In the final rule, we clarify that an individual does not have a right to this information by including it in the list of exceptions rather than stating that a covered entity may deny access to this information. Under this exception, the covered entity may deny access to any information that relates specifically to legal preparations but may not deny access to the individual’s underlying health information. We do not intend to require covered entities to provide access to documents protected by attorney work-product privilege nor do we intend to alter rules of discovery.

Third, unlike the proposed rule, individuals do not have a right of access to protected health information held by clinical laboratories if CLIA prohibits such access. CLIA states that clinical laboratories may provide clinical laboratory test records and reports only to “authorized persons,” as defined primarily by state law. The individual who is the subject of the information is not always included in this set of authorized persons. When an individual is not an authorized person, this restriction effectively prohibits the clinical laboratory from providing an individual access to this information. We do not intend to preempt CLIA and, therefore, do not require covered clinical laboratories to provide an individual access to this information if CLIA prohibits them from doing so. We note, however, that individuals have the right of access to this information if it is maintained by a covered health care provider, clearinghouse, or health plan that is not subject to CLIA.

Finally, unlike the proposed rule, individuals do not have access to protected health information held by certain research laboratories that are exempt from the CLIA regulations. The CLIA regulations specifically exempt the components or functions of “research laboratories that test human specimens but do not report patient specific results for the diagnosis, prevention or treatment of any disease or impairment of, or the assessment of the health of individual patients.” 42 CFR 493.3(a)(2). If subject to the access requirements, these laboratories, or the applicable components of them, would be forced to comply with the CLIA regulations once they provided an individual with the access under this privacy rule. Therefore, to alleviate this additional regulatory burden, we have exempted these laboratories, or the relevant components of them, from the access requirements of this regulation.

Grounds for Denial of Access

In the NPRM we proposed to permit covered health care providers and health plans to deny an individual access to inspect and copy protected health information about them for five reasons: (1) a licensed health care professional determined the inspection and copying was reasonably likely to endanger the life or physical safety of the individual or another person; (2) the information was about another person (other than a health care provider) and a licensed health care professional determined the inspection and copying was reasonably likely to cause substantial harm to that other person; (3) the information was obtained under a promise of confidentiality from someone other than a health care provider and the inspection and copying was likely to reveal the source of the information; (4) the information was obtained by a covered provider in the course of a clinical trial, the individual agreed to the denial of access in consenting to participate in the trial, and the trial was in progress; and (5) the information was compiled in reasonable anticipation of, or for use in, a legal proceeding. In the NPRM, covered entities would not have been permitted to use these grounds to deny individuals access to protected health information that was also subject to the Privacy Act.

In the final rule, we retain all of these grounds for denial, with some modifications. One of the proposed grounds for denial (regarding legal proceedings) is retained as an exception to the right of access. (See discussion above.) We also include additional grounds for denial and create a right for individuals to request review of certain denials.

There are five types of denials covered entities may make without providing the individual with a right to have the denial reviewed.

First, a covered entity may deny an individual access to any information that is excepted from the right of access under § 164.524(a)(1). (See discussion above.)

Second, we add a new provision that permits a covered entity that is a correctional institution or covered health care provider acting under the direction of a correctional institution to deny an inmate’s request to obtain a copy of protected health information if obtaining a copy would jeopardize the health, safety, security, custody, or rehabilitation of the individual or other inmates or the safety of any officer, employee or other person at the correctional institution or responsible for the transporting of the inmate. This ground for denial is restricted to an inmate’s request to obtain a copy of protected health information. If an inmate requests inspection of protected health information, the request must be granted unless one of the other grounds for denial applies. The purpose for this exception, and the reason that the exception is limited to denying an inmate a copy and not to denying a right to inspect, is to give correctional institutions the ability to maintain order in these facilities and among inmates without denying an inmate the right to review his or her protected health information.

Third, as in the proposed rule, a covered entity may deny an individual access to protected health information obtained by a covered provider in the course of research that includes treatment of the research participants, while such research is in progress. For this exception to apply, the individual must have agreed to the denial of access in conjunction with the individual’s consent to participate in the research and the covered provider must have informed the individual that the right of access will be reinstated upon completion of the research. If either of these conditions is not met, the individual has the right to inspect and copy the information (subject to the other exceptions we provide here). In all cases, the individual has the right to inspect and copy the information after the research is complete.

As with all the grounds for denial, covered entities are not required to deny access under the research exception. We expect all researchers to maintain a high level of ethical consideration for the welfare of research participants and provide access in appropriate circumstances. For example, if a participant has a severe adverse reaction, disclosure of information during the course of the research may be necessary to give the participant adequate information for proper treatment decisions.

Fourth, we clarify the ability of a covered entity to deny individuals access to protected health information that is also subject to the Privacy Act. In the final rule, we specify that a covered entity may deny an individual access to protected health information that is contained in records that are subject to the Privacy Act if such denial is permitted under the Privacy Act. This ground for denial exists in addition to the other grounds for denial available under this rule. If an individual requests access to protected health information that is also subject to the Privacy Act, a covered entity may deny access to that information for any of the reasons permitted under the Privacy Act and for any of the reasons permitted under this rule.

Fifth, as in the proposed rule, a covered entity may deny an individual access to protected health information if the covered entity obtained the requested information from someone other than a health care provider under a promise of confidentiality and such access would be reasonably likely to reveal the source of the information. This provision is intended to preserve a covered entity’s ability to maintain an implicit or explicit promise of confidentiality. A covered entity may not, however, deny access to protected health information when the information has been obtained from a health care provider. An individual is entitled to have access to all information about him or her generated by the health care system (apart from the other exceptions we provide here). Confidentiality promises to health care providers should not interfere with that access.

As in the proposed rule, a covered entity may deny access to protected health information under certain circumstances in which the access may harm the individual or others. In the final rule, we specify that a covered entity may only deny access for these reasons if the covered entity provides the individual with a right to have the denial reviewed. (See below for a discussion of the right to review.)

There are three types of denials for which covered entities must provide the individual with a right to review. A denial under these provisions requires a determination by a licensed health care professional (such as a physician, physician’s assistant, or nurse) based on an assessment of the particular circumstances and current professional medical standards of harm. Therefore, when the request is made to a health plan or clearinghouse, the covered entity will need to consult with a licensed health care professional before denying access under this provision.

First, as in the proposed rule, covered entities may deny individuals access to protected health information about them if a licensed health care professional has determined, in the exercise of professional judgment, that the access requested is reasonably likely to endanger the life or physical safety of the individual or another person. The most commonly cited example is when an individual exhibits suicidal or homicidal tendencies. If a licensed health care professional determines that an individual exhibits such tendencies and that permitting inspection or copying of some of the individual’s protected health information is reasonably likely to result in the individual committing suicide, murder, or other physical violence, then the health care professional may deny the individual access to that information. Under this reason for denial, covered entities may not deny access on the basis of the sensitivity of the health information or the potential for causing emotional or psychological harm.

Second, as in the proposed rule, covered entities may deny an individual access to protected health information if the information requested makes reference to someone other than the individual (and other than a health care provider) and a licensed health care professional has determined, in the exercise of professional judgment, that the access requested is reasonably likely to cause serious harm to that other person. On some occasions when health information about one person is relevant to the care of another, a physician may incorporate it into the latter’s record, such as information from group therapy sessions and information about illnesses with a genetic component. This provision permits a covered entity to withhold information in such cases if the release of such information is reasonably likely to cause substantial physical, emotional, or psychological harm.

Third, we add a new provision regarding denial of access requested by personal representatives. Under § 164.502(g), a person that is a personal representative of an individual may exercise the rights of the individual, including the right to inspect and copy protected health information about the individual that is relevant to such person’s representation. The provision permits covered entities to refuse to treat a personal representative as the individual, generally, if the covered entity has a reasonable belief that the individual has been or will be subjected to domestic violence, abuse or neglect by the personal representative, or that treating the personal representative as the individual may endanger the individual and, in its professional judgment, the covered entity decides that it is not in the best interest of the individual to treat such person as the personal representative.

In addition to that provision, we add a new provision at § 164.524(a)(3)(iii) to clarify that a covered entity may deny a request to inspect or copy protected health information if the information is requested by a personal representative of the individual and a licensed health care professional has determined that, in the exercise of professional judgment, such access is reasonably likely to cause substantial harm to the individual who is the subject of the information or to another person. The health care professional need not have a reasonable belief that the personal representative has abused or neglected the individual, and the harm that is likely to result need not be limited to the individual who is the subject of the requested protected health information. Therefore, a covered entity can recognize a person as a personal representative but deny such person access to protected health information as a personal representative.

We do not intend these provisions to create a legal duty for the covered entity to review all of the relevant protected health information before releasing it. Rather, we are preserving the flexibility and judgment of covered entities to deny access under appropriate circumstances. Denials are not mandatory; covered entities may always elect to provide requested health information to the individual. For each request by an individual, the covered entity may provide all of the information requested or evaluate the requested information, consider the circumstances surrounding the individual’s request, and make a determination as to whether that request should be granted or denied, in whole or in part, in accordance with one of the reasons for denial under this rule. We intend to create narrow exceptions to the right of access and we expect covered entities to employ these exceptions rarely, if at all. Covered entities may only deny access for the reasons specifically provided in the rule.

Review of a Denial of Access

In the NPRM, we proposed to require covered entities, when denying an individual’s request for access, to inform the individual of how to make a complaint to the covered entity and the Secretary.

We retain in the final rule the proposed approach (see below). In addition, if the covered entity denies the request on the basis of one of the reviewable grounds for denial described above, the individual has the right to have the denial reviewed by a licensed health care professional who is designated by the covered entity to act as a reviewing official and who did not participate in the original decision to deny access. The covered entity must provide access in accordance with the reviewing official’s determination. (See below for further description of the covered entity’s requirements under § 164.524(d)(4) if the individual requests a review of denial of access.)

Section 164.524(b)—Requests for Access and Timely Action

In the NPRM, we proposed to require covered health care providers and health plans to provide a means for individuals to request access to protected health information about them. We proposed to require covered health care providers and health plans to take action on a request for access as soon as possible, but not later than 30 days following the request.

As in the proposed rule, the final rule requires covered entities to permit an individual to request access to inspect or to obtain a copy of the protected health information about the individual that is maintained in a designated record set. We additionally permit covered entities to require individuals to make requests for access in writing, if the individual is informed of this requirement.

In the final rule, we eliminate the requirement for the covered entity to act on a request as soon as possible. We recognize that circumstances may arise in which an individual will request access on an expedited basis. We encourage covered entities to have procedures in place for handling such requests. The time limitation is intended to be an outside deadline, rather than an expectation.

In the final rule, covered entities must act on a request for access within 30 days of receiving the request if the information is maintained or accessible on-site. Covered entities must act on a request for access within 60 days of receiving the request if the information is not maintained or accessible on-site. If the covered entity is unable to act on a request within the applicable deadline, it may extend the deadline by no more than 30 days by providing the individual with a written statement of the reasons for the delay and the date by which the covered entity will complete its action on the request. This written statement describing the extension must be provided within the standard deadline. A covered entity may only extend the deadline once per request for access. This provision permits a covered entity to take a total of up to 60 days to act on a request for access to information maintained on-site and up to 90 days to act on a request for access to information maintained off-site.

The requirements for a covered entity to comply with or deny a request for access, in whole or in part, are described below.

Section 164.524(c)—Provision of Access

In the NPRM, we proposed to require covered health care providers and health plans, upon accepting a request for access, to notify the individual of the decision and of any steps necessary to fulfill the request; to provide the information requested in the form or format requested, if readily producible in such form or format; and to facilitate the process of inspection and copying.

We generally retain the proposed approach in the final rule. If a covered entity accepts a request, in whole or in part, it must notify the individual of the decision and provide the access requested. Individuals have the right both to inspect and to copy protected health information in a designated record set. The individual may choose whether to inspect the information, to copy the information, or to do both.

In the final rule, we clarify that if the same protected health information is maintained in more than one designated record set or at more than one location, the covered entity is required to produce the information only once per request for access. We intend this provision to reduce covered entities’ burden in complying with requests without reducing individuals’ access to protected health information. We note that summary information and reports are not the same as the underlying information on which the summary or report was based. Individuals have the right to obtain access both to summaries and to the underlying information. An individual retains the right of access to the underlying information even if the individual requests access to, or production of, a summary. (See below regarding requests for summaries.)

The covered entity must provide the information requested in the form or format requested if it is readily producible in such form or format. For example, if the covered entity maintains health information electronically and the individual requests an electronic copy, the covered entity must accommodate such request, if possible. Additionally, we specify that if the information is not available in the form or format requested, the covered entity must produce a readily readable hard copy of the information or another form or format to which the individual and covered entity can agree. If the individual agrees, including agreeing to any associated fees (see below), the covered entity may provide access to a summary of information rather than all protected health information in designated record sets. Similarly, a covered entity may provide an explanation in addition to the protected health information, if the individual agrees in advance to the explanation and any associated fees.

The covered entity must provide the access requested in a timely manner, as described above, and arrange for a mutually convenient time and place for the individual to inspect the protected health information or obtain a copy. If the individual requests that the covered entity mail a copy of the information, the covered entity must do so, and may charge certain fees for copying and mailing. For requests to inspect information that is maintained electronically, the covered entity may print a copy of the information and allow the individual to view the print-out on-site. Covered entities may discuss the request with the individual as necessary to facilitate the timely provision of access. For example, if the individual requested a copy of the information by mail, but the covered entity is able to provide the information faster by providing it electronically, the covered entity may discuss this option with the individual.

We proposed in the NPRM to permit the covered entity to charge a reasonable, cost-based fee for copying the information.

We clarify this provision in the final rule. If the individual requests a copy of protected health information, a covered entity may charge a reasonable, cost-based fee for the copying, including the labor and supply costs of copying. If hard copies are made, this would include the cost of paper. If electronic copies are made to a computer disk, this would include the cost of the computer disk. Covered entities may not charge any fees for retrieving or handling the information or for processing the request. If the individual requests the information to be mailed, the fee may include the cost of postage. Fees for copying and postage provided under state law, but not for other costs excluded under this rule, are presumed reasonable. If such per page costs include the cost of retrieving or handling the information, such costs are not acceptable under this rule.

If the individual requests an explanation or summary of the information provided, and agrees in advance to any associated fees, the covered entity may charge for preparing the explanation or summary as well.

The inclusion of a fee for copying is not intended to impede the ability of individuals to copy their records. Rather, it is intended to reduce the burden on covered entities. If the cost is excessively high, some individuals will not be able to obtain a copy. We encourage covered entities to limit the fee for copying so that it is within reach of all individuals.

We do not intend to affect the fees that covered entities charge for providing protected health information to anyone other than the individual. For example, we do not intend to affect current practices with respect to the fees one health care provider charges for forwarding records to another health care provider for treatment purposes.

Section 164.524(d)—Denial of Access

We proposed in the NPRM to require a covered health care provider or health plan that elects to deny a request for inspection or copying to make any other protected health information requested available to the individual to the extent possible, consistent with the denial.

In the final rule, we clarify the proposed approach. A covered entity that denies access, in whole or in part, must, to the extent possible, give the individual access to any other protected health information requested after excluding the protected health information to which the covered entity has a ground to deny access. We intend covered entities to redact or otherwise exclude only the information that falls within one or more of the denial criteria described above and to permit inspection and copying of all remaining information, to the extent it is possible to do so.

We also proposed to require covered providers and health plans, upon denying a request for access in whole or in part, to provide the individual with a written statement in plain language of the basis for the denial and how the individual could make a complaint to the covered entity or the Secretary.

We retain the proposed approach. A covered entity that denies access, in whole or in part, must provide the individual with a written denial in plain language that explains the basis for the denial. The written denial could include a direct reference to the section of the regulation relied upon for the denial, but the regulatory citation alone does not sufficiently explain the reason for the denial. The written denial must also describe how the individual can complain to the covered entity and the Secretary and must include the name or title and the telephone number of the covered entity’s contact person or office that is responsible for receiving complaints.

In the final rule, we impose two additional requirements when the covered entity denies access, in whole or in part. First, if a covered entity denies a request on the basis of one of the reviewable grounds for denial, the written denial must describe the individual’s right to a review of the denial and how the individual may exercise this right. Second, if the covered entity denies the request because it does not maintain the requested information, and the covered entity knows where the requested information is maintained, the covered entity must inform the individual where to direct the request for access.

Finally, we specify a covered entity’s responsibilities when an individual requests a review of a denial. If the individual requests a review of a denial made under § 164.524(a)(3), the covered entity must designate a licensed health care professional to act as the reviewing official. This reviewing official must not have been involved in the original decision to deny access. The covered entity must promptly refer a request for review to the designated reviewing official. The reviewing official must determine, within a reasonable period of time, whether or not to deny the access requested based on the standards in § 164.524(a)(3). The covered entity must promptly provide the individual with written notice of the reviewing official’s decision and otherwise carry out the decision in accordance with the requirements of this section.


Section 164.524(e)—Policies, Procedures, and Documentation

As in the proposed rule, we establish documentation requirements for covered entities that are subject to this provision. In accordance with § 164.530(j), the covered entity must retain documentation of the designated record sets that are subject to access by individuals and the titles of the persons or offices responsible for receiving and processing requests for access by individuals.

Section 164.526—Amendment of Protected Health Information

Section 164.526(a)—Right to Amend

In proposed § 164.516, we proposed to establish the individual’s right to request a covered health care provider or health plan to amend or correct protected health information about the individual for as long as the covered entity maintains the information.

In § 164.526 of the final rule, we retain the general proposed approach, but establish an individual’s right to have the covered entity amend, rather than amend or correct, protected health information. This right applies to protected health information and records in a designated record set for as long as the information is maintained in the designated record set. In the final rule, covered health care providers, health plans, and health care clearinghouses that create or receive protected health information other than as a business associate must comply with these requirements.

Denial of Amendment

We proposed to permit a covered health care provider or health plan to deny a request for amendment if it determined that the protected health information that was the subject of the request was not created by the covered provider or health plan, would not be available for inspection and copying under proposed § 164.514, or was accurate and complete. A covered entity would have been permitted, but not required, to deny a request if any of these conditions were met.

As in the proposed rule, the final rule permits a covered entity to deny a request for amendment if the covered entity did not create the protected health information or record that is the subject of the request for amendment. We add one exception to this provision: if the individual provides a reasonable basis to believe that the originator of the protected health information is no longer available to act on the requested amendment, the covered entity must address the request for amendment as though the covered entity had created the information.

As in the proposed rule, a covered entity also may deny a request for amendment if the protected health information that is the subject of the request for amendment is not part of a designated record set or would not otherwise be available for inspection under § 164.524. We eliminate the ability to deny a request for amendment if the information or record that is the subject of the request would not be available for copying under the rule. Under § 164.524(a)(2)(ii), an inmate may be denied a copy of protected health information about the inmate. We intend to preserve an inmate’s ability to request amendments to information, even if a copy of the information would not be available to the inmate, subject to the other exceptions provided in this section.

Finally, as in the proposed rule, a covered entity may deny a request for amendment if the covered entity determines that the information in dispute is accurate and complete. We draw this concept from the Privacy Act of 1974, governing records held by federal agencies, which permits an individual to request correction or amendment of a record “which the individual believes is not accurate, relevant, timely, or complete.” (5 U.S.C. 552a(d)(2)). We adopt the standards of “accuracy” and “completeness” and draw on the clarification and analysis of these terms that have emerged in administrative and judicial interpretations of the Privacy Act during the last 25 years. We note that for federal agencies that are also covered entities, this rule does not diminish their present obligations under the Privacy Act of 1974.

This right is not intended to interfere with medical practice or to modify standard business record keeping practices. Perfect records are not required. Instead, a standard of reasonable accuracy and completeness should be used. In addition, this right is not intended to provide a procedure for substantive review of decisions such as coverage determinations by payors. It is intended only to affect the content of records, not the underlying truth or correctness of materials recounted therein. Attempts under the Privacy Act of 1974 to use this mechanism as a basis for collateral attack on agency determinations have generally been rejected by the courts. The same results are intended here.

Section 164.526(b)—Requests for Amendment and Timely Action

We proposed to require covered health care providers and health plans to provide a means for individuals to request amendment of protected health information about them. Under the NPRM, we would have required covered health care providers and health plans to take action on a request for amendment or correction within 60 days of the request.

As in the proposed rule, covered entities must permit individuals to request that the covered entity amend protected health information about them. We also permit certain specifications for the form and content of the request. If a covered entity informs individuals of such requirements in advance, a covered entity may require individuals to make requests for amendment in writing and to provide a reason to support a requested amendment. If the covered entity imposes such a requirement and informs individuals of the requirement in advance, the covered entity is not required to act on an individual’s request that does not meet the requirements.

We retain the requirement for covered entities to act on a request for amendment within 60 days of receipt of the request. In the final rule, we specify the nature of the action the covered entity must take within the time frame. The covered entity must inform the individual, as described below, that the request has been either accepted or denied, in whole or in part. It must also take certain actions pursuant to its decision to accept or deny the request, as described below. If the covered entity is unable to meet the deadline, the covered entity may extend the deadline by no more than 30 days. The covered entity must inform the individual in writing, within the initial 60-day period, of the reason for the delay and the date by which the covered entity will complete its action on the request. A covered entity may only extend the deadline one time per request for amendment.

Section 164.526(c)—Accepting the Amendment

If a covered health care provider or health plan accepted a request for amendment, in whole or in part, we proposed to require the covered entity to make the appropriate change. The covered entity would have had to identify the challenged entries as amended or corrected and indicate the location of the amended or corrected information.


We also proposed to require the covered provider or health plan to make reasonable efforts to notify certain entities of the amendment: 1) entities the individual identified as needing to be notified and 2) entities the covered provider or health plan knew had received the erroneous or incomplete information and who may have relied, or could foreseeably rely, on such information to the detriment of the individual.

The covered provider or health plan would also have been required to notify the individual of the decision to amend the information.

As in the proposed rule, if a covered entity accepts an individual’s request for amendment or correction, it must make the appropriate amendment. In the final rule, we clarify that, at a minimum, the covered entity must identify the records in the designated record set that are affected by the amendment and must append or otherwise provide a link to the location of the amendment. We do not require covered entities to expunge any protected health information. Covered entities may expunge information if doing so is consistent with other applicable law and the covered entity’s record keeping practices.

We alter some of the required procedures for informing the individual and others of the accepted amendment. As in the proposed rule, the covered entity must inform individuals about accepted amendments. In the final rule, the covered entity must obtain the individual’s agreement to have the amended information shared with certain persons. If the individual agrees, the covered entity must make reasonable efforts to provide a copy of the amendment within a reasonable time to: (1) persons the individual identifies as having received protected health information about the individual and needing the amendment; and (2) persons, including business associates, that the covered entity knows have the unamended information and who may have relied, or could foreseeably rely, on the information to the detriment of the individual. For example, a covered entity must make reasonable efforts to inform a business associate that uses protected health information to make decisions about individuals about amendments to protected health information used for such decisions.

Section 164.526(d)—Denying the Amendment

If a covered health care provider or health plan denied a request for amendment, in whole or in part, we proposed to require the covered entity to provide the individual with a written statement in plain language of the basis for the denial, a description of how the individual could submit a written statement of disagreement with the denial, and a description of how the individual could make a complaint with the covered entity and the Secretary.

We proposed to require covered health care providers and health plans to have procedures to permit the individual to file a written statement of disagreement with the denial and to include the covered entity’s statement of denial and the individual’s statement of disagreement with any subsequent disclosure of the disputed information. Covered entities would have been permitted to establish a limit to the length of the individual’s statement of disagreement and to summarize the statement if necessary. We also proposed to permit covered entities to provide a rebuttal to the individual’s statement with future disclosures.

As in the proposed rule, if a covered entity denies a request for amendment, it must provide the individual with a statement of denial written in plain language. The written denial must include the basis for the denial, how the individual may file a written statement disagreeing with the denial, and how the individual may make a complaint to the covered entity and the Secretary.

In the final rule, we additionally require the covered entity to inform individuals of their options with respect to future disclosures of the disputed information in order to ensure that an individual is aware of his or her rights. The written denial must state that if the individual chooses not to file a statement of disagreement, the individual may request that the covered entity include the individual’s request for amendment and the covered entity’s denial of the request with any future disclosures of the protected health information that is the subject of the requested amendment.

As in the proposed rule, the covered entity must permit the individual to submit a written statement disagreeing with the denial and the basis of such disagreement. The covered entity may reasonably limit the length of a statement of disagreement and may prepare a written rebuttal to the individual’s statement of disagreement. If the covered entity prepares a rebuttal, it must provide a copy to the individual.

The covered entity must identify the record or protected health information that is the subject of the disputed amendment and append or otherwise link the following information to the designated record set: the individual’s request for amendment, the covered entity’s denial of the request, the individual’s statement of disagreement (if any), and the covered entity’s rebuttal (if any). If the individual submits a written statement of disagreement, all of the appended or linked information, or an accurate summary of it, must be included with any subsequent disclosure of the protected health information to which the disagreement relates. If the individual does not submit a written statement of disagreement, the covered entity must include the appended or linked information only if the individual requests that the covered entity do so.

In the final rule, we clarify that when a subsequent disclosure is a standard transaction adopted under the Transactions Rule that cannot accommodate the additional materials described above, the covered entity may separately disclose the additional material to the recipient of the transaction.

Section 164.526(e)—Actions on Notices of Amendment

We proposed to require any covered entity that received a notification of amendment to have procedures in place to make the amendment in any of its designated record sets and to notify its business associates, if appropriate, of amendments.

We retain the proposed approach in the final rule. If a covered entity receives a notification of amended protected health information from another covered entity as described above, the covered entity must make the necessary amendment to protected health information in designated record sets it maintains. In addition, covered entities must require their business associates who receive such notifications to incorporate any necessary amendments to designated record sets maintained on the covered entity’s behalf. (See § 164.504 regarding business associate requirements.)

Section 164.526(f)—Policies, Procedures, and Documentation

As in the proposed rule, we establish documentation requirements for covered entities subject to this provision. In accordance with § 164.530(j), the covered entity must document the titles of the persons or offices responsible for receiving and processing requests for amendment.

Section 164.528—Accounting of Disclosures of Protected Health Information

Right to an Accounting of Disclosures

We proposed in the NPRM to grant individuals a right to receive an accounting of all disclosures of protected health information about them by a covered entity for purposes other than treatment, payment, and health care operations. We proposed this right to exist for as long as the covered entity maintained the protected health information.

We also proposed that individuals would not have a right to an accounting of disclosures to health oversight or law enforcement agencies if the agency provided a written request for exclusion for a specified time period and the request stated that access by the individual during that time period would be reasonably likely to impede the agency’s activities.

We generally retain the proposed approach in the final rule. As in the proposed rule, individuals have a right to receive an accounting of disclosures made by a covered entity, including disclosures by or to a business associate of the covered entity, for purposes other than treatment, payment, and health care operations, subject to certain exceptions as discussed below.

We revise the duration of this right under the final rule. Individuals have a right to an accounting of the applicable disclosures that have been made in the 6 year period prior to the date of a request for an accounting. We additionally clarify in § 164.528(b)(1) that an individual may request, and a covered entity may then provide, an accounting of disclosures for a period of time less than 6 years from the date of the request. For example, an individual could request an accounting only of disclosures that occurred during the year prior to the request.

In the final rule, we exclude several additional types of disclosures from the accounting requirement. Covered entities are not required to include in the accounting disclosures to the individual as provided in § 164.502; disclosures for facility directories, disclosures to persons involved in the individual’s care, or other disclosures for notification purposes as provided in § 164.510; disclosures for national security or intelligence purposes as provided in § 164.512(k)(2); disclosures to correctional institutions or law enforcement officials as provided in § 164.512(k)(5); or any disclosures that were made by the covered entity prior to the compliance date of the rule for that covered entity.

We retain the time-limited exclusion for disclosures to health oversight and law enforcement agencies, but require rather than permit the exclusion for the specified time period. Covered entities must exclude disclosures to a health oversight agency or law enforcement official from the accounting for the time period specified by the applicable agency or official if the agency or official provides the covered entity with a statement that inclusion of the disclosure(s) in the accounting to the individual during that time period would be reasonably likely to impede the agency or official’s activities. The agency or official’s statement must specifically state how long the information must be excluded. At the expiration of that period, the covered entity is required to include the disclosure(s) in an accounting for the individual. If the agency or official’s statement is made orally, the covered entity must document the identity of the agency or official who made the statement and must exclude the disclosure(s) for no longer than 30 days from the date of the oral statement, unless a written statement is provided during that time. If the agency or official provides a written statement, the covered entity must exclude the disclosure(s) for the time period specified in the written statement.

Content of the Accounting

We proposed in the NPRM to require the accounting to include all disclosures as described above, including disclosures authorized by the individual. The accounting would have been required to contain the date of each disclosure; the name and address of the organization or person who received the protected health information; a brief description of the information disclosed; and copies of all requests for disclosures. For disclosures other than those made at the request of the individual, the accounting would have also included the purpose for which the information was disclosed.

We generally retain the proposed approach in the final rule, but do not require covered entities to make copies of authorizations or other requests for disclosures available with the accounting. Instead, we require the accounting to contain a brief statement of the purpose of the disclosure. The statement must reasonably inform the individual of the basis for the disclosure. In lieu of the statement of purpose, a covered entity may include a copy of the individual’s authorization under § 164.508 or a copy of a written request for disclosure, if any, under § 164.502(a)(2)(ii) or § 164.512. We also clarify that covered entities are only required to include the address of the recipient of the disclosed protected health information if the covered entity knows the address.

We add a provision allowing for a summary accounting of recurrent disclosures. For multiple disclosures to the same recipient pursuant to a single authorization under § 164.508 or for a single purpose under §§ 164.502(a)(2)(ii) or 164.512, the covered entity may provide a summary accounting addressing the series of disclosures rather than a detailed accounting of each disclosure in the series. In this circumstance, a covered entity may limit the accounting of the series of disclosures to the following information: the information otherwise required above for the first disclosure in the series during the accounting period; the frequency, periodicity, or number of disclosures made during the accounting period; and the date of the most recent disclosure in the series. For example, if under § 164.512(b), a covered entity discloses the same protected health information to a public health authority for the same purpose every month, it can account for those disclosures by including in the accounting the date of the first disclosure, the public health authority to whom the disclosures were made and the public health authority’s address, a brief description of the information disclosed, a brief description of the purpose of the disclosures, the fact that the disclosures were made every month during the accounting period, and the date of the most recent disclosure.
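As an added illustration, not part of the rule or of any covered entity's system, the Python below shows how a disclosure log could be turned into the accounting described above: the 6-year window, the excluded disclosure types, the health oversight and law enforcement exclusion with its 30-day cap on oral statements, and the summary entry for a recurrent series. The record field names, the names and dates, and the compliance date used are all assumptions.

```python
from collections import OrderedDict
from datetime import date, timedelta
# Disclosure categories the final rule leaves out of the accounting (see above).
EXCLUDED = {"to_individual", "facility_directory", "involved_in_care",
            "national_security", "correctional"}

def suspension_end(stmt):
    """Last date an oversight/law-enforcement statement keeps a disclosure out:
    written statements govern as stated; oral ones are capped at 30 days."""
    if stmt["written"]:
        return stmt["exclude_until"]
    return min(stmt["exclude_until"], stmt["stated_on"] + timedelta(days=30))

def is_reportable(rec, request_date, compliance_date, suspensions, years=6):
    """Apply the accounting window and each exclusion to one disclosure record."""
    start = request_date.replace(year=request_date.year - years)  # no Feb 29 handling
    if not (max(start, compliance_date) <= rec["date"] <= request_date):
        return False
    if rec["category"] in EXCLUDED:
        return False
    stmt = suspensions.get(rec["recipient"])
    return not (stmt and request_date <= suspension_end(stmt))

def build_accounting(records, request_date, compliance_date, suspensions, years=6):
    """One entry per series (same recipient, same authorization or purpose)."""
    series = OrderedDict()
    for r in sorted(records, key=lambda r: r["date"]):
        if is_reportable(r, request_date, compliance_date, suspensions, years):
            series.setdefault((r["recipient"], r["basis"]), []).append(r)
    return [{"first_date": rs[0]["date"], "recipient": who, "address": rs[0]["address"],
             "info": rs[0]["info"], "purpose": rs[0]["purpose"],
             "count": len(rs), "last_date": rs[-1]["date"]}   # address None if unknown
            for (who, _basis), rs in series.items()]

# Constructed sample log for one individual; names, dates and field names are made up.
def rec(y, m, d, who, info, purpose, basis, category="other", address=None):
    return dict(date=date(y, m, d), recipient=who, info=info, purpose=purpose,
                basis=basis, category=category, address=address)
SAMPLE_LOG = [rec(2003, m, 15, "State Health Dept", "immunization record",
                  "public health reporting", "512(b)", address="1 Capitol Sq")
              for m in range(4, 10)] + [
    rec(2003, 4, 1, "Dr. A", "chart", "treatment", "consent"),              # pre-compliance
    rec(2003, 5, 3, "Patient", "chart", "access", "502", "to_individual"),  # excluded type
    rec(2003, 6, 4, "Detective B", "ED visit", "law enforcement", "512(f)")]
SUSPENSIONS = {"Detective B": dict(written=False, stated_on=date(2003, 6, 10),
                                   exclude_until=date(2003, 12, 31))}  # oral: ends 07-10

def accounting_for(request_iso, compliance_iso="2003-04-14"):  # assumed compliance date
    return build_accounting(SAMPLE_LOG, date.fromisoformat(request_iso),
                            date.fromisoformat(compliance_iso), SUSPENSIONS)
```

A request dated 2003-07-01 yields a single summary entry for three monthly public health disclosures, with the law enforcement disclosure withheld under the oral statement; the same request dated 2003-10-01 yields six in the series plus the now-reportable law enforcement disclosure.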

Provision of the Accounting

We proposed in the NPRM to require covered entities to provide individuals with an accounting of disclosures as soon as possible, but not later than 30 days following receipt of the request for the accounting.

In the final rule, we eliminate the requirement for the covered entity to act as soon as possible. We recognize that circumstances may arise in which an individual will request an accounting on an expedited basis. We encourage covered entities to implement procedures for handling such requests. The time limitation is intended to be an outside deadline, rather than an expectation. We expect covered entities always to be attentive to the circumstances surrounding each request and to respond in an appropriate time frame.

In the final rule, covered entities must provide a requested accounting no later than 60 days after receipt of the request. If the covered entity is unable to meet the deadline, the covered entity may extend the deadline by no more than 30 days. The covered entity must inform the individual in writing, within the standard 60-day deadline, of the reason for the delay and the date by which the covered entity will provide the request.
