Final Rule for Standards for Privacy of Individually Identifiable Health Information. What the Rule Covers

Analysis by the AHIMA Policy and Government Relations Team

Other Requirements Relating to Uses and Disclosures of Protected Health Information

This section of the Rule (§164.514) begins by covering the standard and specifications for de-identification of PHI. In this analysis, this item is covered in Uses and Disclosures of De-Identified Protected Health Information.

This section also covers implementation specifications for minimum necessary uses and disclosures of PHI. Again to make this analysis easier to understand, these items are covered in Uses and Disclosure of Protected Health Information: General Rules.

{Marketing to patients of healthcare entities and beneficiaries of health plans also received considerable comments in response to the NPRM. The final privacy rule has not resolved some parties’ concern for the use of PHI in marketing (as defined in the Rule). There is considerable detailed discussion on marketing in the preamble (65FR82543-82545) and in the comments section (65FR82716-82718).}

Standard: Uses and Disclosures of PHI for Marketing

As noted in the definitions section the issue of marketing received considerable attention in the creation of this rule. Much of this attention came about because of public concerns that health information was being shared with manufacturers and distributors. Covered entities, however, were concerned that, given the NPRM definition of marketing, routing operations functions could be hampered and could affect the patient negatively. Therefore, DHHS is attempting balance when it comes to its marketing standard.

Specifications: Requirements Relating to Marketing
The Rule states (§164.514(e)) that "a covered entity may not use or disclose PHI for marketing without an authorization…" However, "a covered entity is not required to obtain an authorization when it uses or discloses PHI to make a marketing communication to an individual that:

  • Occurs in a face-to-face encounter with the individual;
  • Concerns products or services of nominal value; or
  • Concerns the health-related products and services of the covered entity or a third party and the communication."

Specifications: Requirements for Certain Marketing Communication
For a "marketing communication" to be permitted under the Rule, it must:

  • Identify "the covered entity as the party making the communication;"
  • State "prominently," when appropriate, the fact that "the covered entity has received or will receive direct or indirect remuneration for making the communication;" and
  • "Contain instructions describing how the individual may opt out of receiving future such communications," "except when the communication is contained in a newsletter or similar type of general communication device that the covered entity distributes to a broad cross-section of patients, enrollees, or other broad groups of individuals."

It should be noted here that the Rule explicitly notes that "the covered entity must make reasonable efforts to ensure that individuals who decide to opt out of receiving future marketing communications…are not sent such communications" in the future.

If, instead of the communication just described, "the covered entity uses or discloses PHI to target the communication to individuals based on their health status or condition," then:

  • "The covered entity must make a determination prior to making the communication that the product or service being marketed may be beneficial to the health of the type or class of individual being targeted; and
  • The communication must explain why the individual has been targeted and how the product or service relates to the health of the individual."

Note also that a covered entity may disclose PHI for the purpose of these marketing communications to "a business associate that assists the covered entity with such communications."

Standard: Uses and Disclosures for Fundraising

Fundraising was another issue raised by many hospitals who were concerned that the NPRM for privacy would eliminate this practice. The Rule (§164.514(f)) states that a "covered entity may use, or disclose to a business associate or to an institutionally related foundation," "demographic information relating to an individual and [the] dates of health care provided to an individual," [both of these items are considered PHI] "for the purpose of raising funds for its own benefit," without an authorization.

Specifications: Fundraising Requirements
In order to take advantage of this fundraising option, the covered entity must:

  • "Not use or disclose PHI for fundraising purposes" other than under the circumstances just stated unless an authorization is appropriately used;
  • State in the covered entity’s privacy notice that it will be using PHI for fundraising purposes as permitted;
  • "Include in any fundraising materials it sends to an individual…a description of how the individual may opt out of receiving any further fundraising communications;" and
  • "Make reasonable efforts to ensure that individuals who decide to opt out of receiving future fundraising communications are not sent such communications."

Standard: Uses and Disclosures for Underwriting and Related Purposes

The Rule (§164.514(g)) allows a health plan to receive PHI for the "purpose of underwriting, premium rating, or other activities relating to the creation, renewal, or replacement of a contract of health insurance or health benefits." However, if such health insurance or health benefits are not placed with the health plan…[the] plan may not use or disclose such PHI for any other purpose except as may be required by law."

Standard: Verification Requirement

The Rule (§164.514(h)) requires that prior to disclosing PHI a covered entity must verify the identity of a person requesting the information and the authority of any such person to have access to the PHI. The only exception to this are the items noted under Uses and Disclosures Requiring an Opportunity for the Individual to Agree or to Object (where a minimal amount of data is available for directory and notification purposes). In this case, if the identity or any such authority of such a person is not known to the covered entity that is being asked to disclose PHI, then it must "obtain any documentation, statements, or representations, whether oral or written, from the person requesting the PHI".

The preamble to the rule (65FR82546) suggests that "the covered entity must establish and use written policies and procedures (which may be standard protocols) that are reasonably designed to verify the identify and authority of the requestor where the covered entity does not know the person requesting the PHI.

Specifications: Verification

Conditions on Disclosures
"If a disclosure [of PHI] is conditioned by this…[Rule] on particular documentation, statements, or representations from the person requesting the PHI, a covered entity may rely, if such reliance is reasonable under the circumstances, on documentation, statements, or representations that, on their face meet the applicable requirements."

Included in the "documentation, statements, or representations" allowed are:

  • An administrative (from §164.512) request, including an administrative subpoena or summons, a civil or an authorized investigative demand, or similar process authorized under law, provided that:
    • "The information sought is relevant and material to a legitimate law enforcement inquiry;
    • The request is specific and limited in scope to the extent reasonably practicable in light of the purpose for which the information is sought; and
    • De-identified information could not reasonably be used."
  • The covered entity receives an IRB waver that meets the conditions specified in the section above, provided that all waivers and requests are appropriately dated and signed.

{In other words, if an entity receives what it can reasonably consider the appropriate documentation necessary for the entity to disclose PHI to the requestor, then it may do so. Patently, the best practice would be to ensure that such an exchange is documented.}

Identity of Public Officials

"A covered entity may rely, if such reliance is reasonable under the circumstances, on any of the following to verify identity when the disclosure of PHI is to a public official or person acting on behalf of the public official:

  • If the request is made in person, presentation of an agency identification badge, other official credentials, or other proof of government status;

  • If the request is in writing, the request is on the appropriate government letterhead; or

  • If the disclosure is to a person acting on behalf of a public official, a written statement on appropriate government letterhead that the person is acting under the government’s authority or other evidence or documentation of agency, such as a contract for services, memorandum of understanding, or purchase order, that establishes that the person is acting on behalf of the public official."

Authority of Public Officials
"A covered entity may rely, if such reliance is reasonable under the circumstances, on any of the following to verify authority when the disclosure of PHI is to a public official or person acting on behalf of the public official:

  • A written statement of the legal authority under which the information is requested, or, if a written statement would be impracticable, an oral statement of such legal authority;

  • If a request is made pursuant to legal process, warrant, subpoena order, or other legal process is issued by a grand jury or judicial or administrative tribunal is presumed to constitute legal authority."

{The regulations in this section point to "circumstances," "professional judgement," "may." This leaves a significant amount of room for the covered entity to define when, where, who, and how it will meet this requirement. When a decision is made to release information, it is obvious that documentation will be necessary in the form of the original or copy of the document that caused the entity to release the PHI, or the badge number, or other identification that was accepted as being legitimate for the purposes of the release.

The requests for such releases come in through a variety of different points in an entity, especially a hospital or a health system. Decisions, policies, and procedures follow by training, and an internal communication system will need to be established to ensure that these requirements are appropriately followed and documented.}

Go to next section, Notice of Privacy Practices for Protected Health Information.

Go to previous section, Use and Disclosures for Which Consent, an Authorization, or Opportunity to Agree or Object Is Not Required.

Go to document index.