Final Rule for Standards for Privacy of Individually Identifiable Health Information. What the Rule Covers

Analysis by the AHIMA Policy and Government Relations Team

Reaction to AHIMA’s Previous Comments on the Standards for the Privacy of Individually Identifiable Health Information


AHIMA recommended that the scope of the rule be extended to include all individually identifiable health information, including purely paper records, maintained by covered entities.

This comment was addressed positively. The scope of the protections extends to all individually identifiable health information in any form or medium that is held or transmitted by a covered entity. This includes paper records that have never been electronically stored or transmitted, as well as oral communications.

(164.500, 164.501-definition of "protected health information")


Health Care Operations-AHIMA recommended that the words "risk reduction activities" be added to the definition of "health care operations" under subpart 1 or 5.

The specific words "risk reduction activities" were not added to the final definition of "health care operations." Still, the definition of "health care operations" was revised in such a manner that actual risk reduction activities are included in the definition.

AHIMA’s comments contended that not all risk reduction activities "can be classified as either ‘quality assessment and improvement’ (subpart 1) or ‘in anticipation of legal proceedings’ (subpart 5)," although risk managers are indeed involved in both of these activities.

In response to comments, DHHS revised and expanded the original definition of healthcare operations. Specifically, subpart 1 was revised from: "Conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines;" to: "Conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities; population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination, contacting of health care providers and patients with information about treatment alternatives; and related functions that do not include treatment;"

Subpart 5 was renumbered to subpart 4 and revised from: "Compiling and analyzing information in anticipation of or for use in a civil or criminal legal proceeding." to: "Conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs."


Individual-Disclosures pursuant to power of attorney. AHIMA requested further clarification on "the person informally designated as the patient’s health care decision-maker."

References to the "power of attorney" have been deleted from the final rule. Further clarification of "the person informally designated as the patient’s health care decision-maker" was provided in situational form in section 164.510 (b)-Uses and Disclosures for Involvement in the Individual’s Care and Notification Purposes.

The final rule specifies that "covered entities may disclose to a person involved in the current health care of the individual…PHI directly related to the person’s involvement in the current health care of an individual or payment related to the individual’s health care." For example, the preamble to the rule states "the fact that a person brings a family member into the doctor’s office when treatment information will be discussed constitutes verification of the involved person’s identity…" Furthermore, the final rule suggested that "the fact that a friend arrives at a pharmacy and asks to pick up a specific prescription for an individual effectively verifies that the friend is involved in the individual’s care, and the rule allows the pharmacist to give the filled prescription to the friend."

(164.502 (g), 164.510 (b))

AHIMA recommended amending the definition of "psychotherapy notes" to ensure their appropriate inclusion in the medical record. AHIMA recommended that the definition recognize a distinction between psychotherapy notes and the case notations maintained by the therapist.

Addressed affirmatively through a clarification of the definition. The definition distinctly mentions that "psychotherapy notes" are "separated from the rest of the individual’s medical record."

The definition of "psychotherapy notes" also excludes medication and prescription monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date.


Introduction to General Rules

AHIMA recommended treating all health information equally, regardless of type.

Addressed affirmatively. This is addressed through the definitions of "individually identifiable health information" and "protected health information." Furthermore, the general rules regarding use and disclosure contain no special provisions for the various types of health information. Regardless of type, the information is addressed as either individually identifiable health information or PHI.

(164.501, 164.502)

Minimum Necessary Use and Disclosure

AHIMA urged DHHS to establish a "good faith" standard for covered entities who disclose the information with a statement that prohibits the use of the information for other than the stated purpose and requires the destruction of the information after the stated need has been fulfilled. AHIMA further recommended that covered entities be deemed in compliance with the "minimum necessary use and disclosure" standard with regard to internal uses and disclosures if their computer-based patient record (CPR) systems use the appropriate safeguard mechanisms and meet the forthcoming security requirements.

AHIMA’s recommendations were not specifically agreed to, but changes in the structure of the minimum necessary requirements in the final rule have a positive effect. The final rule states that, "the proposed requirement for individual review of all uses of PHI is replaced with a requirement for covered entities to implement policies and procedures that restrict access and uses based on the specific roles of members of the covered entity’s workforce. Routine disclosures also are not subject to individual review; instead, covered entities must implement policies and procedures to limit the PHI in routine disclosures to the minimum necessary to achieve the purpose of that type of disclosure…Covered entities must limit requests to other covered entities for individually identifiable health information to what is reasonably necessary for the use or disclosure intended." Disclosures to, and requests by, a healthcare provider for treatment purposes are not subject to the minimum necessary standard.

Right of an Individual to Request Restrictions on Uses and Disclosures

AHIMA recommended deleting the proposed standard "Right of an individual to request restriction on uses and disclosures."

DHHS disagreed with AHIMA’s recommendation. The final rule expands the individual’s right to request restrictions beyond healthcare providers to the remaining covered entities: health plans and healthcare clearinghouses that create or receive PHI other than as a business associate of another covered entity. Moreover, the rule clarifies that an individual may request that a covered entity agree not to disclose PHI to persons assisting with the individual’s care, even if the disclosure would otherwise be permitted under the involvement-in-care standard (164.510 (b)). If the covered entity agrees to the request, it must abide by the agreement.

The final rule’s discussion of this subject does provide exceptions for emergency circumstances and various other situations.

Covered entities are required to document the restriction via a note in the medical record or some similar notation. The documentation must be retained for six years from the date it was created or the date it was last in effect, whichever is later.

Covered entities are not required to agree to the request.


Creation of De-Identified Information

AHIMA supported this concept, but requested further clarification on removing information from the body of the medical record that may indirectly identify the individual.

DHHS did not provide any further clarification on this issue. AHIMA remains concerned that the requirement to remove all 18 listed identifiers in order to create de-identified health information sets a difficult standard, because any of these identifiers may be buried in lengthy free-text fields.

DHHS responded that they "see no alternative that protects privacy…" and "that such unstructured text fields have little or no value in a de-identified information set and would be removed in any case…with time, we expect that such identifiers will be kept out of places where they are hard to locate and expunge."

(164.514 (a)-(c))

AHIMA recommended that DHHS establish a "good faith" standard for covered entities who make reasonable efforts to de-identify information when required.

This recommendation was addressed positively in the standard for de-identifying individually identifiable health information. The final rule establishes two different methods to meet the de-identification standard:

  1. Expert determination: a person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable determines that the risk is very small that the information could be used, either by itself or in combination with other available information, by anticipated recipients to identify the subject of the information. The covered entity is required to document the analysis and results that justify the determination.
  2. A "safe harbor" approach, under which a covered entity meets the standard by removing the list of 18 identifiers, provided the covered entity has no actual knowledge that the remaining information could be used alone or in combination to identify a subject of the information. In the final rule, limited geographic location and age information can be retained in the de-identified information. All dates directly related to the subject of the information must be removed or limited to the year, and zip codes must be removed or aggregated so that the retained geographic unit includes at least 20,000 people. Moreover, ages of 90 and over must be aggregated into a single category of 90+ to avoid identification of very old individuals.

The covered entity is prohibited from disclosing the mechanism for re-identification of the information.

(164.514 (a)-(c))
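The following is an added illustration of the safe harbor method described above and of the free-text problem AHIMA raised; it is example code written for this page, not code from AHIMA or from the rule. It assumes a flat record layout (the field names such as `mrn`, `zip`, `dob`, `notes` are assumptions), a constructed population table for three-digit ZIP areas (real code must use current Census Bureau figures), and a few regular expressions for identifiers that commonly hide in narrative text. The ZIP handling follows the mechanism in 164.514 (b)(2)(i)(B): keep the first three digits when the area they denote contains more than 20,000 people, otherwise replace them with 000. Dates are reduced to the year, ages of 90 and over become "90+" and the birth year is dropped in that case so that it cannot reveal the age.

```python
"""Safe-harbor style de-identification of one patient record (added example)."""
import re
from datetime import date

# Constructed population table for 3-digit ZIP areas. These numbers are invented
# for the example; a real implementation must use current Census Bureau data.
ZIP3_POPULATION = {"021": 650_000, "036": 12_000}

# Fields treated as direct identifiers and dropped outright. The field names
# are assumptions about the input layout, not names taken from the rule.
DIRECT_IDENTIFIERS = frozenset({"name", "ssn", "street", "phone", "email", "mrn"})

# Identifiers that tend to be buried in free text (constructed patterns).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
PHONE_RE = re.compile(r"(?<!\d)\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}(?!\d)")
DATE_RE = re.compile(r"\b(\d{1,2})/(\d{1,2})/(\d{4})\b")

# Constructed sample input; not real patient data.
AS_OF = date(2001, 3, 14)
SAMPLE_RECORD = {
    "name": "Jane Q. Public",
    "ssn": "123-45-6789",
    "mrn": "MRN-0007",
    "dob": date(1909, 5, 2),
    "zip": "03601",
    "admit_date": date(2001, 3, 14),
    "diagnosis": "hypertension",
    "notes": "Pt called from 617-555-0100 on 03/14/2001; SSN 123-45-6789 on file.",
}


def generalize_zip(zip_code: str) -> str:
    """Keep the 3-digit prefix only if its area holds more than 20,000 people."""
    prefix = str(zip_code)[:3]
    return prefix if ZIP3_POPULATION.get(prefix, 0) > 20_000 else "000"


def age_on(dob: date, as_of: date) -> int:
    """Age in completed years on the given date."""
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))


def generalize_age(age: int):
    """Ages of 90 and over collapse into a single '90+' category."""
    return "90+" if age >= 90 else age


def scrub_text(text: str) -> str:
    """Redact SSN- and phone-shaped strings; reduce m/d/yyyy dates to the year."""
    text = SSN_RE.sub("[SSN]", text)
    text = PHONE_RE.sub("[PHONE]", text)
    return DATE_RE.sub(lambda m: m.group(3), text)


def deidentify(record: dict, as_of: date) -> dict:
    """Apply the safe harbor transformations to one record and return a new dict."""
    out = {}
    age = age_on(record["dob"], as_of) if "dob" in record else record.get("age")
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS or field in ("dob", "age"):
            continue  # dropped, or handled below
        if field == "zip":
            out["zip3"] = generalize_zip(value)
        elif isinstance(value, date):
            out[field + "_year"] = value.year  # dates limited to the year
        elif isinstance(value, str):
            out[field] = scrub_text(value)  # free text may hide identifiers
        else:
            out[field] = value
    if age is not None:
        out["age"] = generalize_age(age)
        # A birth year is only safe to keep when it cannot reveal an age over 89.
        if "dob" in record and age < 90:
            out["birth_year"] = record["dob"].year
    return out


if __name__ == "__main__":
    for k, v in deidentify(SAMPLE_RECORD, AS_OF).items():
        print(f"{k}: {v}")
```

The regex scrub is deliberately crude: it shows why AHIMA considered identifiers in narrative fields a hard problem, and it does not by itself satisfy the safe harbor, which requires that all 18 identifier types be absent wherever they occur. A covered entity that cannot guarantee that for free text should either drop the field, as DHHS suggested, or rely on the expert determination method.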

AHIMA additionally recommended that the receiver of the de-identified information be required to sign an agreement not to reidentify or link the information to the individual(s) to whom it pertains. AHIMA believed that the proposed rule should make it a violation to attempt to reidentify or relink the previously de-identified information to the individual(s) to whom it pertains.

This recommendation was not addressed. DHHS’s response contended that it does not have the authority to regulate persons other than covered entities. Therefore, it could not attempt to regulate entities (receivers of the de-identified information) outside the scope of the final rule.

(164.514 (a)-(c))

Business Partners

AHIMA recommended that transcription services be specifically included as business partners.

Transcription services were not specifically included in the definition of "business associate." "Business associates" are based on what the entity does, not what the entity is. Therefore, since the "business associate" is based on the concept of function, DHHS did not list the types of entities that could be a "business associate."

(164.504 (e))

Deceased Persons

AHIMA recommended that the privacy standards for deceased persons be the same as those for living persons.

Agreed with AHIMA’s recommendation. Protections for a deceased individual’s health information will remain in effect for as long as the covered entity maintains the information.

(164.502 (f))

Individual Authorization (Consent)

The final rule distinguished between a consent and an authorization. A consent "allows use and disclosure of PHI only for treatment, payment, and health care operations." An authorization "allows use and disclosure of PHI for purposes other than treatment, payment, and health care operations."

AHIMA recommended that authorizations be required to specify an expiration date not to exceed one year.

DHHS did not establish an expiration date not to exceed one year. In lieu of an expiration date, DHHS cited that an individual has the right to revoke an authorization at any time. DHHS stated in the comment section that "If an individual determines that an authorized use or disclosure is no longer in her best interest, she should be able to withdraw the authorization and prevent any further uses or disclosures."

(164.506, 164.508)

AHIMA also recommended that the use of "prospective" authorizations (authorizations signed prior to the treatment episode from which the information is requested) be prohibited.

DHHS did not specifically address this issue. The right to revoke and the right for an individual to request that the covered entity restrict how PHI is used or disclosed to carry out treatment, payment, or healthcare operations are applicable to this concern.

(164.506 (b)(5), (c)(4), 164.508, 164.522)

In all cases, AHIMA recommended that it be a violation of the rule if the information is redisclosed beyond what was authorized by the patient or the patient’s legal representative.

A covered entity may not use or disclose PHI without an authorization that is valid under this section (164.508). Covered entities may use or disclose PHI only as permitted or required by this rule (164.502).

Noncovered entities are not bound by this final rule. If information is authorized to be disclosed by a covered entity to a noncovered entity, the noncovered entity could redisclose the information unless they are bound by a contractual agreement.

(164.508, 164.502)

Law Enforcement

AHIMA recommended that, except in cases described in Section 164.510 (f)(2), Limited information for identifying purposes, a warrant, subpoena, or court order be required for the release of PHI.

DHHS addressed AHIMA’s recommendation affirmatively, but stipulated several exceptions where PHI could be released by a covered entity to a law enforcement official in the absence of a warrant, subpoena, or court order. The final rule permits PHI to be released under the following circumstances:

  1. Pursuant to process and as otherwise required by law. This includes the release of information pursuant to a court order or court-ordered warrant, subpoena, or summons issued by a judicial officer; a grand jury subpoena; or an administrative request, including an administrative subpoena or summons, a civil or an authorized investigative demand, or similar process authorized under law. The administrative request must meet a three-part test that requires that: (1) the information sought is relevant and material to a legitimate law enforcement inquiry; (2) The request is specific and limited in scope to the extent reasonably practicable in light of the purpose for which the information is sought; and (3) De-identified information could not reasonably be used.
  2. Limited information for identification and location purposes. PHI may be disclosed in response to a law enforcement official’s request for such information for the purpose of identifying or locating a suspect, fugitive, material witness, or missing person. A law enforcement official’s request may be made orally or in writing, and DHHS intends this to include requests made on behalf of law enforcement, for example by a media organization making a television or radio announcement seeking the public’s assistance in identifying a suspect. The covered entity is only permitted to disclose (A) name and address; (B) date and place of birth; (C) social security number; (D) ABO blood type and Rh factor; (E) type of injury; (F) date and time of treatment; (G) date and time of death, if applicable; and (H) a description of distinguishing physical characteristics, including height, weight, gender, race, hair and eye color, presence or absence of facial hair, scars, and tattoos.
  3. Victims of a crime. A covered entity may disclose PHI in response to a law enforcement official’s request for such information about an individual who is or is suspected to be a victim of a crime if the individual agrees to the disclosure or the covered entity is unable to obtain the individual’s agreement because of incapacity or other emergency circumstance, provided that: (A) The law enforcement official represents that such information is needed to determine whether a violation of law by a person other than the victim has occurred, and such information is not intended to be used against the victim; (B) The law enforcement official represents that immediate law enforcement activity that depends upon the disclosure would be materially and adversely affected by waiting until the individual is able to agree to the disclosure; and (C) The disclosure is in the best interests of the individual as determined by the covered entity, in the exercise of professional judgment.
  4. Decedents. A covered entity may disclose PHI about an individual who has died to a law enforcement official for the purpose of alerting law enforcement of the death of the individual if the covered entity has a suspicion that such death may have resulted from criminal conduct.
  5. Crime on premises. A covered entity may disclose to a law enforcement official PHI that the covered entity believes in good faith constitutes evidence of criminal conduct that occurred on the premises of the covered entity.
  6. Reporting crime in emergencies. A covered healthcare provider providing emergency healthcare in response to a medical emergency, other than such emergency on the premises of the covered healthcare provider, may disclose PHI to a law enforcement official if such disclosure appears necessary to alert law enforcement to: (A) the commission and nature of a crime; (B) the location of such crime or of the victim(s) of such crime; and (C) the identity, description, and location of the perpetrator of such crime. If the provider believes the medical emergency is the result of abuse, neglect, or domestic violence, the disclosure is instead governed by the separate standard at 164.510 (c).

(164.510 (f))

Rights and Procedures for a Written Notice of Information Practices

AHIMA supported the requirement that an entity maintaining healthcare information must prepare and make available to patients upon request a written statement outlining its information practices and posting the notice in a clear and conspicuous manner. AHIMA did not support the idea of obtaining a signed acknowledgement from the individual upon the receipt of a notice of information practices.

The final rule agreed with AHIMA’s position of not obtaining a signed acknowledgement from the individual upon the receipt of a notice of information practices.


Access for Inspection or Copying

AHIMA supported the reasonable, cost-based fee standard for copying health information pursuant to this section. In addition, AHIMA recommended that a covered entity be permitted to charge a reasonable, cost-based fee for inspection of the record and establish the procedures for the review process.

DHHS agreed with AHIMA’s position. The covered entity can charge a reasonable, cost-based fee if the individual requests a copy of PHI or agrees to a summary or explanation of such information. The reasonable, cost-based fee can only include the cost of:

  • Copying, including the cost of supplies for and labor of copying, the PHI requested by the individual;
  • Postage, when the individual has requested the copy, or the summary or explanation be mailed; and
  • Preparing an explanation or summary of the PHI, if agreed to by the individual.

Covered entities may not charge any fees for retrieving or handling the information or for processing the request. These costs are not acceptable under this rule.

(164.524 (c)(4))

Accounting of Disclosures

AHIMA did not support the proposed requirement that covered entities maintain an accounting of disclosures for as long as the entity maintains the PHI. AHIMA recommended that the accounting of disclosures be maintained for a period of six years.

DHHS agreed with AHIMA’s recommendation. The final rule provides that "individuals have a right to an accounting of the applicable disclosures that have been made in the six-year period prior to a request for an accounting."

(164.528 (a)(1))

Rights and Procedures for Amendment and Correction

AHIMA supported the proposed requirement that covered plans and providers be required to accommodate requests for amendment or correction for as long as the entity maintains the PHI.

No change was necessary. The rule is consistent with AHIMA’s position.


Designation of a Privacy Official

AHIMA supported the proposal that covered entities designate a privacy official. AHIMA strongly recommends that the privacy official be a credentialed health information management professional.

DHHS retained the requirement that covered entities designate a privacy official. DHHS did not agree with AHIMA’s recommendation that the privacy official be a credentialed health information management professional. DHHS cited that a specific set of qualifications "sacrifice flexibility and scalability in implementation."

(164.530 (a))


Training

AHIMA supported the concept of requiring recertification once every three years and retraining in the event of material changes in the policy.

DHHS slightly revised these provisions by eliminating the requirement for recertification once every three years. Retraining is still required for material changes in the privacy policies and procedures of the covered entity.

(164.530 (b))

Relationship to State Laws

AHIMA continues to support federal preemptive legislation as the necessary ultimate solution. While recognizing the limitations of the HIPAA statute with respect to state laws and regulations, AHIMA recommended that federal efforts preempt state laws and regulations to create a single national standard for handling health information. AHIMA will continue to pursue health information confidentiality legislation that preempts state laws and regulations, treats all health information equally, and establishes a strong, single, national standard for the use and disclosure of health information.

As expected, the HIPAA final privacy rule does not provide a uniform national standard for the use and disclosure of health information. The final rule does preempt state laws to a certain degree and establishes what can be termed a federal "floor." Section 160.203 of the final rule outlines the preemption criteria and exceptions, including an exception for provisions of state law that relate to the privacy of health information and are more stringent than the standards, requirements, or implementation specifications contained in the HIPAA final privacy rule. States are permitted to enact additional laws relating to health information privacy. Furthermore, the final rule establishes a process by which states can request an exception to the federal standards.

The preemption result was expected as the policy choice was made by Congress in the HIPAA legislation (PL 104-191).

