Final Rule for Standards for Privacy of Individually Identifiable Health Information. What the Rule Covers

Analysis by the AHIMA Policy and Government Relations Team


Definitions play a key role in the Privacy Rule, and there are a number of definitions provided in the final rule: §160.103 (65FR82798), §160.202 (65FR82800), §164.501 (65FR82803), and §164.504 (65FR82802). Due to their detail, several of the definitions are important components in and of themselves. Key among these definitions (not provided above) are:

  • Common Control (§164.504): "exists if an entity has the power, directly or indirectly, significantly to influence or direct the actions or policies of another entity."

  • Common Ownership (§164.504): "exists if an entity or entities possess an ownership or equity interest of 5 percent or more in another entity."

  • Contrary (§160.202) means: "when used to compare a provision of State law to a standard, requirement, or implementation specification adopted" in this Rule. In such situations:
    • "(1) A covered entity would find it impossible to comply with both the State and federal requirements; or
    • (2) The provision of State law stands as an obstacle to the accomplishment and execution of the full purposes and objectives" of HIPAA, "as applicable."

  • Correctional Institution (§164.501): "means any penal or correctional facility, jail, reformatory, detention center, work farm, halfway house, or residential community program center…for the confinement or rehabilitation of persons charged with or convicted of a criminal offense or other persons held in lawful custody…." This definition was added to support the provisions of the rule that address inmates ("a person incarcerated in or otherwise confined to a correctional institution"). The expanded definition (65FR80803) identifies who oversees the institution and the "other persons" housed in such facilities.

  • Covered Functions (§164.501): "means those functions of a covered entity the performance of which makes the entity a health plan, health care provider, or health care clearinghouse." The preamble review (65FR82489) of this definition notes some of the functions that would not be considered as "covered."

  • Data Aggregation (§164.501): a new definition that "means, with respect to PHI created or received by a business associate in its capacity as the business associate of a covered entity, the combining of such PHI by the business associate with the PHI received by the business associate in its capacity as a business associate of another covered entity, to permit data analyses that relate to the health care operations of the respective covered entities." This definition, when applied, effectively allows an entity to use data for a variety of what are now common business practices.

  • Designated Record Set (§164.501) sets the tone for some of the activities and information that are covered in the Rule. It "means:
    • (1) A group of records maintained by or for a covered entity that is:
      • (i) The medical records and billing records about individuals maintained by or for a covered health care provider;
      • (ii) The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
      • (iii) Used, in whole or in part, by or for the covered entity to make decisions about individuals.
    • (2) For purposes of [this rule] the term record means any item, collection, or grouping of information that includes PHI and is maintained, collected, used, or disseminated by or for a covered entity."

  • Disclosure (§164.501): "means the release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information."

  • Health Care [or healthcare] (§160.103): "means care, services, or supplies related to the health of an individual," including but not limited to the following:
    • (1) "Preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition, or functional status, of an individual or that affects the structure or function of the body;" and
    • (2) "Sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription."
    The preamble (65FR82477) also provides additional government-type definitions of what is included in health care. A key change in the definition is the addition of "assessment" to the list of services under this definition.

  • Health Care Component (§164.504): means that "components of a covered entity that perform covered functions are part of the health care component" and/or "another component of the covered entity is part of the entity’s health care component to the extent that it performs, with respect to a component that performs covered functions, activities that would make such other component a business associate of that component that performs covered functions if the two components were separate legal entities and the activities involve the use or disclosure of PHI that such other component creates or receives from or on behalf of the component that performs covered functions."

  • Health Care Operations (§164.501): "means any of the following activities of the covered entity to the extent that the activities are related to covered functions, and any of the following activities of an organized health care arrangement in which the covered entity participates:
    • (1) Conducting quality assessment and improvement activities…; population-based activities….; and related functions that do not include treatment [full definition at 65FR82803-82804]
    • (2) Reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, health plan performance, conducting training programs.….
    • (3) Underwriting, premium rating, and other activities relating to the creation, renewal or replacement of a contract of health insurance or health benefits, and ceding, securing, or placing a contract for reinsurance of risk relating to claims for health care ….
    • (4) Conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs;
    • (5) Business planning and development….; and
    • (6) Business management and general administrative activities of the entity including … management activities…customer service…resolution of internal grievances…due diligence…"
{This very long and detailed definition can be found at 65FR82803-82804 and is discussed at length at 65FR82489-82491.}
  • Health Information (§160.103): a key definition, defined as "any information, whether oral or recorded in any form or medium, that:
    • (1) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and
    • (2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual."

{Note that health information can be oral or recorded. As the Rule plays out, there is the possibility that protected information could be released in oral form. This makes the job of ensuring privacy much more difficult. Also, note that this definition will play a key role in the expansion of this rule beyond electronic health information.}

  • Health Oversight Agency (§164.501): "means an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or persons or entities to whom it has granted authority, that is authorized by law to oversee the health care system (whether public or private) or government programs in which health information is necessary to determine eligibility or compliance, or to enforce civil rights laws for which health information is relevant."

  • Hybrid Entity (§164.504): "means a single legal entity that is a covered entity and whose covered functions are not its primary functions."

  • Individual (§164.501): "means the person who is the subject of PHI." This definition was changed to eliminate confusion with personal representative, which is defined below. The background discussion on this definition (65FR82492-82493) notes that some records can potentially refer to more than one individual.

  • Individually Identifiable Health Information (§164.501): "is information that is a subset of health information, including demographic information collected from an individual, and:
    • (1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
    • (2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (i) that identifies the individual; or (ii) with respect to which there is a reasonable basis to believe the information can be used to identify the individual."

  • Implementation Specification (§160.103) is a term used throughout the Rule and means: "specific requirements or instructions for implementing a standard." (see below)
  • Law Enforcement Official (§164.501): "means an officer or employee of any agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, who is empowered by law to:
    • (1) Investigate or conduct an official inquiry into a potential violation of law; or
    • (2) Prosecute or otherwise conduct a criminal, civil, or administrative proceeding arising from an alleged violation of law."

  • The marketing definition and concept are receiving much attention. There is a sizable discussion on this issue in the Rule's preamble (65FR82493-82494). The Rule (§164.501) states that marketing: "means to make a communication about a product or service, a purpose of which is to encourage recipients of the communication to purchase or use the product or service." (see more on marketing below)
  • More Stringent (§160.202): "means, in the context of a comparison of a provision of State law and a standard, requirement, or implementation specification adopted" under HIPAA and in the section on Security and Privacy, a state law that meets one of six criteria (see discussion on Contrary and More Stringent in Preemption below).
  • Plan Administration Functions (§164.504): "means administration functions performed by the plan sponsor of a group health plan on behalf of the group health plan, and excludes functions performed by the plan sponsor in connection with any other benefit or benefit plan of the plan sponsor."
  • Protected Health Information (§164.501): "means individually identifiable health information…that is:
    • (i) Transmitted by electronic media;
    • (ii) Maintained in any medium described in the definition of electronic media …[under HIPAA], or
    • (iii) Transmitted or maintained in any other form or medium."

Excluded from PHI are education records covered by the Family Educational Rights and Privacy Act and other educational records covered under 20 U.S.C. 1232g(a)(4)(B)(iv). Under HIPAA, electronic media "means the mode of electronic transmission including the Internet, Extranet, leased lines, dial-up lines, private networks, and those transmissions that are physically moved from one location to another using magnetic tape, disk, or compact disc media." (65FR82496)

In the preamble discussion (65FR82496) the Secretary also discusses that this definition is "set out in this form to emphasize the severability of this provision….we believe we have ample legal authority to cover all individually identifiable health information transmitted or maintained by covered entities." The definition has been structured so that "if a court were to disagree with our [DHHS’s] authority in this area, the rule would still be operational, albeit with respect to a more limited universe of information."

  • Psychotherapy Notes (§164.501): "means notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the individual’s medical record. Psychotherapy notes excludes medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: Diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date."

Besides content, the key to the definition of psychotherapy notes is the requirement that they are separate from other information and records. If such notes are maintained in another or with another record, they are no longer covered by this definition. This definition is significant in the discussion of consents and authorizations (below).

  • Public Health Authority (§164.501): "means an agency or authority…or a person or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or persons or entities to whom it has granted authority, that is responsible for public health matters as part of its official mandate." (65FR82805).
  • Relates to the Privacy of Individually Identifiable Health Information (§160.202) means: "with respect to a State law, that the State law has the specific purpose of protecting the privacy of health information or affects the privacy of health information in a direct, clear, and substantial way."
  • Required by Law (§164.501): a new definition key to the Rule's compliance, this "means a mandate contained in law that compels a covered entity to make a use or disclosure of PHI and that is enforceable in a court of law. Required by law includes, but is not limited to, court orders and court-ordered warrants; subpoenas or summons issued by a court, grand jury, a governmental or tribal inspector general, or an administrative body authorized to require the production of information; a civil or an authorized investigative demand; Medicare conditions of participation with respect to health care providers participating in the program; and statutes or regulations that require the production of information, including statutes or regulations that require such information if payment is sought under a government program providing public benefits."

{It is important to note that in its discussion of this definition (65FR82497) DHHS states: "nothing in this rule compels a covered entity to make a use or disclosure required by the legal demands or prescriptions listed in this [definition] clarification or by any other law or legal process, and a covered entity remains free to challenge the validity of such laws and processes."}

  • Research (§164.501): "means a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge."

This definition is taken from the "Common Rule" which is the Federal Policy for the Protection of Human Subjects at 45 CFR part 46, subpart A. The term "generalizable knowledge" is not defined in the Rule, but in the preamble (65FR82497) it is defined as "knowledge related to health that can be applied to populations outside of the population served by the covered entity."

  • Standard (§160.103) in this Rule means: "a rule, condition, or requirement:
    • (1) Describing the following information for products, systems, services or practices: (i) Classification of components, (ii) Specification of materials, performance, or operations; or (iii) Delineation of procedures; or
    • (2) With respect to the privacy of individually identifiable health information."

  • State (§160.103) becomes an important definition in this Rule due to the preemption sections. Here state "refers to one of the following:
    • (1) For a health plan established or regulated by Federal law, State has the meaning set forth in the applicable section of the United States Code for such health plan.
    • (2) For all other purposes, State means any of the several States, the District of Columbia, the Commonwealth of Puerto Rico, the Virgin Islands, and Guam."

  • State Law (§160.202): "means a constitution, statute, regulation, rule, common law, or other State action having the force and effect of law."
  • Summary Health Information (§164.504): "means information that may be individually identifiable health information, and that:
    • (1) Summarizes the claims history, claims expenses, or type of claims experienced by individuals for whom a plan sponsor has provided health benefits under a group health plan;" and
    • (2) "From which specific identifiers defined in the Rule have been deleted," with some exceptions for aggregated zip codes.

  • Transaction (§160.103): "means the transmission [called "exchange" in the NPRM] of information between two parties to carry out financial or administrative activities related to health care," including the transactions as defined in the HIPAA final rules for Transactions and Code Sets.
  • Treatment (§164.501): "means the provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another." The preamble contains a significant discussion on treatment (65FR82497).
  • Use (§164.501): "means, with respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information."
  • Workforce (§160.103) has significant meaning in the Rule and "means employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity." It should be noted that in the Rule there are times when personnel employed by a business associate could be considered part of the "workforce."

