Final Rule for Standards for Privacy of Individually Identifiable Health Information. What the Rule Covers

Analysis by the AHIMA Policy and Government Relations Team

Notice of Privacy Practices for Protected Health Information

Standard: Notice of Privacy Practices—Right to Notice

The Rule states (§164.520) that "an individual has a right to adequate notice of the uses and disclosures of PHI that may be made by the covered entity, and of the individual’s rights and the covered entity’s legal duties with respect to PHI." There are two exceptions to this part of the Rule, one (§164.520(a)(2)) dealing with who in various group health plan relationships must provide the notice (65FR82820), and the second indicating that "an inmate does not have a right to notice" and further stating that the requirements for notice "do not apply to a correctional institution that is a covered entity."

Specifications: Content of the Notice—Required Elements
A covered entity "must provide a notice [Notice] that is written in plain language and that contains the [following] elements:

  • Header—"The Notice must contain the following statement as a header or otherwise prominently displayed: ‘THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE READ IT CAREFULLY.’"
  • Uses and Disclosures—"The notice must contain:
    • "A description, including at least one example, of the types of uses and disclosures that the covered entity is permitted…to make for…treatment, payment, and health care operations" under the Rule.
    • "A description of each of the other purposes for which the covered entity is permitted or required by" the Rule "to use or disclose PHI without the individual’s written consent or authorization."
    • For each of the previous two bullets, a description that reflects any more stringent law that prohibits or limits the use or disclosure, rather than only what this Rule requires.
    • For each purpose included in the first two bullets, "the description must include sufficient detail to place the individual on notice of the uses and disclosures that are permitted or required by" the Rule "and other applicable law."
    • "A statement that other uses and disclosures will be made only with the individual’s written authorization and that the individual may revoke such authorization as provided by" the Rule.
  • Separate Statements for Certain Uses or Disclosures—"If the covered entity intends to engage in any of the following activities, [then] the description required" in the first two bullets above (in Uses and Disclosures) "must include a separate statement as applicable that:"
    • "The covered entity may contact the individual to provide appointment reminders or information about treatment alternatives or other health-related benefits and services that may be of interest to the individual;
    • The covered entity may contact the individual to raise funds for the covered entity; or
    • A group health plan, or a health insurance issuer or HMO with respect to a group health plan, may disclose PHI to the sponsor of the plan."
  • Covered Entity’s Duties—"The Notice must contain:
    • "A statement that the covered entity is required by law to maintain the privacy of PHI and to provide individuals with notice of its legal duties and privacy practices with respect to PHI
    • A statement that the covered entity is required to abide by the terms of the notice currently in effect;" and…
    • A statement that "it [the covered entity] reserves the right to change the terms of its notice and to make the new notice provisions effective for all PHI that it maintains" and a description on how it "will provide individuals with a revised notice."

{The Notice must reflect the practices of the covered entity. So, if the entity’s practices change, the Notice must be changed accordingly. As the regulation is written, to be permitted to make changes in these privacy practices, the original and each subsequent Notice must state that the entity reserves the right to make such changes in its privacy practices, and what it will and must do when such changes occur.

The more detailed a Notice is, the more often it may need to be changed. Therefore it would behoove the covered entity, within the Rule’s requirements, to write its Notice in clear, simple language that permits the most flexibility without having to rewrite and distribute a new Notice.}

  • Complaints—"The notice must contain:
    • A statement that individuals may complain to the covered entity and to the Secretary if they believe their privacy rights have been violated,
    • A brief description of how the individual may file a complaint with the covered entity, and
    • A statement that the individual will not be retaliated against for filing a complaint.
  • Contact-"The notice must contain the name, or title, and telephone number of a person or office to contact for further information."

{Note that these sections on complaints and contact provide for some flexibility. Facilities that already have a complaint mechanism, like a patient relations department, might consider routing privacy complaints to the same office or department. Likewise, the contact point for "further information" could be that same office, the privacy officer, health information management, and so forth.}

  • Effective Date—"The notice must contain the date on which the notice is first in effect, which may not be earlier than the date on which the notice is printed or otherwise published."

Specifications: Content of the Notice—Optional Elements
In addition to the information required above for the Notice, if a covered entity elects to limit the uses or disclosures that it is permitted to make, it may describe its more limited uses or disclosures in its Notice, "provided that the covered entity may not include in its Notice a limitation affecting its right to make a use or disclosure that is required by law or permitted by" the Rule’s standard on uses and disclosures to avert a serious threat to health or safety. Again, any change in the optional elements requires the same revision of the Notice as a change in the required elements.

Revisions to the Notice
The covered entity must "promptly revise and distribute its Notice whenever there is a material change to:

  • The uses or disclosures,
  • The individual’s rights,
  • The covered entity’s legal duties, or
  • Other privacy practices stated in the Notice."

"Except when required by law, a material change to any term of the notice may not be implemented prior to the effective date of the Notice in which such material change is reflected."

Specifications: Provision of Notice
A covered entity must make the notice available on request to any person and to individuals as follows:

  • Health Plans—must provide notice:
    • "No later than the compliance date for health plans ["small plans," as defined, have an extra year], to individuals then covered by the plan;
    • Thereafter, at the time of enrollment, to individuals who are new enrollees; and
    • Within 60 days of a material revision to the Notice, to individuals then covered by the plan."

The health plan must also "no less frequently than once every three years…notify individuals then covered by the plan of the availability of the Notice and how to obtain the Notice." The health plan can satisfy this Notice requirement "if a [privacy] Notice is provided to the named insured of a policy under which coverage is provided to the named insured and one or more dependents." If a plan has more than one Notice, it can satisfy these requirements by "providing the Notice that is relevant to the individual or other person requesting the Notice."

  • Covered Healthcare Providers That Have a Direct Treatment Relationship with an Individual—must:
    • "Provide the Notice no later than the date of the first service delivery, including service delivered electronically, to such individual after the compliance date" [which for these rules would be the same as for the large health plan.]
    • If it maintains a physical service delivery site [facility or office]:
      • "Have a Notice available at the service delivery site for individuals to request to take with them; and
      • Post [in a facility] the Notice in a clear and prominent location where it is reasonable to expect individuals seeking service from the covered health care provider to be able to read the Notice; and
    • Whenever the Notice is revised, make the Notice available upon request on or after the effective date of the revision…"
  • Specific Requirements for Electronic Notices:
    • A covered entity that maintains a web site that "provides information about the covered entity’s customer services or benefits must prominently post its Notice on the Web site and make the Notice available electronically through the Web site."
    • "A covered entity may provide the notice to an individual by e-mail, if the individual agrees to electronic notice and such agreement has not been withdrawn. If the covered entity knows that the e-mail has failed, a paper copy of the Notice must be provided to the individual."
    • A covered entity can meet the requirements for Notices as described above by sending an e-mail Notice, as long as the notice conforms with all the requirements noted.
    • If an individual’s "first service delivery" is delivered electronically (for example, electronic prescription) then "the covered healthcare provider must provide electronic Notice automatically and contemporaneously in response to this first request for service."
    • "The individual who is the recipient of electronic Notice retains the right to obtain a paper copy of the Notice from a covered entity upon request."

Note that "a covered entity must document compliance with the[se] Notice requirement[s] by retaining copies of [all] the Notices" it issues and as required by the documentation requirements of the Rule.

{The requirements for electronic notices are written in very confusing language, and a better description of DHHS’s intent can be found in the preamble at 65FR82551.}

Specifications: Joint Notices by Separate Covered Entities
The Rule provides (§164.520(d)) for a joint Notice by separate covered entities. Covered entities that participate in organized healthcare arrangements may comply with the notice requirement by a "joint notice, provided that:

  • The covered entities participating in the organized health care arrangement agree to abide by the terms of the Notice with respect to PHI created or received by the covered entity as part of its participation in the organized health care arrangement;"
  • The joint Notice meets the requirements related to the required and optional elements for a notice and the posting and availability of the Notice as covered above, except to the extent that the joint notice has to be altered "to reflect the fact that the notice covers more than one covered entity;" and that the joint Notice:
    • Describes with reasonable specificity the covered entities, or class of entities, to which the joint Notice applies;
    • Describes with reasonable specificity the service delivery sites, or classes of service delivery sites, to which the joint Notice applies; and
    • If applicable, states that the covered entities participating in the organized health care arrangement will share PHI with each other, as necessary to carry out treatment, payment, or health care operations relating to the organized health care arrangement."

The covered entities included in the joint Notice must provide the Notice to individuals in accordance with the same rules as noted above. However, "provision of the joint Notice to an individual by any one of the covered entities included in the joint Notice will satisfy the provision requirements of" the Rule "with respect to all others covered by the joint Notice."

{Note that the same documentation requirements for Notices apply to joint and single covered entities. It is unclear in the Rule whether each member of the organized healthcare arrangement must maintain these copies; however, until this is clarified, it is appropriate to assume that they should.

While a joint Notice offers some advantages, it also means that a change in practice by any one of the parties must be reflected in the joint Notice, with the same revision and distribution requirements described above. Any agreement among the entities that want a joint Notice will have to be written and followed to ensure that the Notice always complies with the current actual practice(s) of each and every entity it represents.}
