Final Standards for
Privacy of Individually Identifiable Health Information
§ 164.514 Other requirements relating to uses
and disclosures of protected health information.
(a) Standard: de-identification
of protected health information. Health information
that does not identify an individual and with respect
to which there is no reasonable basis to believe that
the information can be used to identify an individual
is not individually identifiable health information.
(b) Implementation specifications:
requirements for de-identification of protected health
information. A covered entity may determine that
health information is not individually identifiable
health information only if:
- A person with appropriate knowledge of and experience
with generally accepted statistical and scientific
principles and methods for rendering information not
individually identifiable:
- Applying such principles and methods, determines
that the risk is very small that the information
could be used, alone or in combination with other
reasonably available information, by an anticipated
recipient to identify an individual who is a subject
of the information; and
- Documents the methods and results of the analysis
that justify such determination; or
- The following identifiers of the individual
or of relatives, employers, or household members
of the individual, are removed:
- Names;
- All geographic subdivisions smaller than
a State, including street address, city, county,
precinct, zip code, and their equivalent geocodes,
except for the initial three digits of a zip
code if, according to the current publicly
available data from the Bureau of the Census:
- The geographic unit formed by combining
all zip codes with the same three initial
digits contains more than 20,000 people;
and
- The initial three digits of a zip code
for all such geographic units containing
20,000 or fewer people is changed to 000.
- All elements of dates (except year) for
dates directly related to an individual, including
birth date, admission date, discharge date,
date of death; and all ages over 89 and all
elements of dates (including year) indicative
of such age, except that such ages and elements
may be aggregated into a single category of
age 90 or older;
- Telephone numbers;
- Fax numbers;
- Electronic mail addresses;
- Social security numbers;
- Medical record numbers;
- Health plan beneficiary numbers;
- Account numbers;
- Certificate/license numbers;
- Vehicle identifiers and serial numbers,
including license plate numbers;
- Device identifiers and serial numbers;
- Web Universal Resource Locators (URLs);
- Internet Protocol (IP) address numbers;
- Biometric identifiers, including finger
and voice prints;
- Full face photographic images and any comparable
images; and
- Any other unique identifying number, characteristic,
or code; and
- The covered entity does not have actual knowledge
that the information could be used alone or in
combination with other information to identify
an individual who is a subject of the information.
(c) Implementation specifications:
re-identification. A covered entity may assign a
code or other means of record identification to allow
information de-identified under this section to be re-identified
by the covered entity, provided that:
- Derivation. The code or other means of record identification
is not derived from or related to information about
the individual and is not otherwise capable of being
translated so as to identify the individual; and
- Security. The covered entity does not use or disclose
the code or other means of record identification for
any other purpose, and does not disclose the mechanism
for re-identification.
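As an added worked example (not part of the regulation text), the Safe Harbor rules in paragraph (b)(2)(i) and the re-identification code rules in paragraph (c) applied to one record in Python. The Census population table, the field names and the sample record are constructed for illustration; `ZIP3_POPULATION` stands in for the current public Census data the rule refers to.

```python
import secrets
from datetime import date

# Constructed 3-digit zip prefix populations standing in for the Census lookup the
# rule requires (not real Census Bureau figures); the rule keys on 20,000 people.
ZIP3_POPULATION = {"021": 1_500_000, "036": 12_000}

def generalize_zip(zip_code, zip3_population=ZIP3_POPULATION):
    """(b)(2)(i)(B): keep the 3-digit prefix only if its unit has over 20,000 people."""
    prefix = zip_code[:3]
    return prefix if zip3_population.get(prefix, 0) > 20_000 else "000"

def generalize_age(age):
    """(b)(2)(i)(C): ages over 89 collapse into the single category '90 or older'."""
    return "90 or older" if age > 89 else age

def safe_harbor(record, zip3_population=ZIP3_POPULATION):
    """Build a new record from an allow-list; any field not listed (name, SSN, MRN,
    e-mail, IP, street, city, full zip, full dates ...) is dropped."""
    out = {}
    over_89 = record.get("age", 0) > 89
    for field in ("dob", "admit_date", "discharge_date", "death_date"):
        if field in record:
            if field == "dob" and over_89:
                continue  # a birth year alone would be indicative of age over 89
            out[field + "_year"] = record[field].year  # year is the only permitted element
    if "age" in record:
        out["age"] = generalize_age(record["age"])
    if "zip" in record:
        out["zip3"] = generalize_zip(record["zip"], zip3_population)
    for field in ("state", "sex", "diagnosis"):  # state-level geography and clinical data stay
        if field in record:
            out[field] = record[field]
    return out

def assign_reid_code(record, key_map):
    """(c)(1): the re-identification code must not be derived from the individual's
    data, so it is random rather than a hash of the MRN or SSN; (c)(2): the mapping
    stays with the covered entity and is never disclosed with the de-identified data."""
    code = secrets.token_hex(16)
    key_map[code] = record["mrn"]
    return code

SAMPLE = {  # constructed test record, not real patient data
    "name": "Jane Doe", "ssn": "000-00-0000", "mrn": "MRN-12345",
    "email": "jane@example.com", "phone": "555-0100", "ip": "203.0.113.7",
    "street": "1 Main St", "city": "Boston", "state": "MA", "zip": "02115",
    "dob": date(1929, 3, 4), "admit_date": date(2021, 7, 19), "age": 92,
    "sex": "F", "diagnosis": "I10",
}
```

Safe Harbor alone does not satisfy paragraph (b)(2)(ii): the covered entity must still have no actual knowledge that the remaining fields could identify the individual.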
(d)
- Standard: minimum necessary requirements. A
covered entity must reasonably ensure that the standards,
requirements, and implementation specifications of
§ 164.502(b) and this
section relating to a request for or the use and disclosure
of the minimum necessary protected health information
are met.
- Implementation specifications: minimum necessary
uses of protected health information.
- A covered entity must identify:
- Those persons or classes of persons, as
appropriate, in its workforce who need access
to protected health information to carry out
their duties; and
- For each such person or class of persons,
the category or categories of protected health
information to which access is needed and
any conditions appropriate to such access.
- A covered entity must make reasonable efforts
to limit the access of such persons or classes
identified in paragraph (d)(2)(i)(A) of this section
to protected health information consistent with
paragraph (d)(2)(i)(B) of this section.
- Implementation specification: minimum necessary
disclosures of protected health information.
- For any type of disclosure that it makes on
a routine and recurring basis, a covered entity
must implement policies and procedures (which
may be standard protocols) that limit the protected
health information disclosed to the amount reasonably
necessary to achieve the purpose of the disclosure.
- For all other disclosures, a covered entity
must:
- Develop criteria designed to limit the protected
health information disclosed to the information
reasonably necessary to accomplish the purpose
for which disclosure is sought; and
- Review requests for disclosure on an individual
basis in accordance with such criteria.
- A covered entity may rely, if such reliance
is reasonable under the circumstances, on a requested
disclosure as the minimum necessary for the stated
purpose when:
- Making disclosures to public officials that
are permitted under §
164.512, if the public official represents
that the information requested is the minimum
necessary for the stated purpose(s);
- The information is requested by another
covered entity;
- The information is requested by a professional
who is a member of its workforce or is a business
associate of the covered entity for the purpose
of providing professional services to the
covered entity, if the professional represents
that the information requested is the minimum
necessary for the stated purpose(s); or
- Documentation or representations that comply
with the applicable requirements of §164.512(i)
have been provided by a person requesting
the information for research purposes.
- Implementation specifications: minimum necessary
requests for protected health information.
- A covered entity must limit any request for
protected health information to that which is
reasonably necessary to accomplish the purpose
for which the request is made, when requesting
such information from other covered entities.
- For a request that is made on a routine and
recurring basis, a covered entity must implement
policies and procedures (which may be standard
protocols) that limit the protected health information
requested to the amount reasonably necessary to
accomplish the purpose for which the request is
made.
- For all other requests, a covered entity must
review the request on an individual basis to determine
that the protected health information sought is
limited to the information reasonably necessary
to accomplish the purpose for which the request
is made.
- Implementation specification: other content requirement.
For all uses, disclosures, or requests to which the
requirements in paragraph (d) of this section apply,
a covered entity may not use, disclose, or request
an entire medical record, except when the entire medical
record is specifically justified as the amount that
is reasonably necessary to accomplish the purpose
of the use, disclosure, or request.
(e)
- Standard: uses and disclosures of protected
health information for marketing. A covered entity
may not use or disclose protected health information
for marketing without an authorization that meets
the applicable requirements of §
164.508, except as provided for by paragraph (e)(2)
of this section.
- Implementation specifications: requirements relating
to marketing.
- A covered entity is not required to obtain
an authorization under §
164.508 when it uses or discloses protected
health information to make a marketing communication
to an individual that:
- Occurs in a face-to-face encounter with
the individual;
- Concerns products or services of nominal
value; or
- Concerns the health-related products and
services of the covered entity or of a third
party and the communication meets the applicable
conditions in paragraph (e)(3) of this section.
- A covered entity may disclose protected health
information for purposes of such communications
only to a business associate that assists the
covered entity with such communications.
- Implementation specifications: requirements for
certain marketing communications. For a marketing
communication to qualify under paragraph (e)(2)(i)
of this section, the following conditions must be
met:
- The communication must:
- Identify the covered entity as the party
making the communication;
- If the covered entity has received or will
receive direct or indirect remuneration for
making the communication, prominently state
that fact; and
- Except when the communication is contained
in a newsletter or similar type of general
communication device that the covered entity
distributes to a broad cross-section of patients,
enrollees, or other broad groups of individuals,
contain instructions describing how the individual
may opt out of receiving future such communications.
- If the covered entity uses or discloses protected
health information to target the communication
to individuals based on their health status or
condition:
- The covered entity must make a determination
prior to making the communication that the
product or service being marketed may be beneficial
to the health of the type or class of individual
targeted; and
- The communication must explain why the
individual has been targeted and how the product
or service relates to the health of the individual.
- The covered entity must make reasonable efforts
to ensure that individuals who decide to opt out
of receiving future marketing communications,
under paragraph (e)(3)(i)(C) of this section,
are not sent such communications.
(f)
- Standard: uses and disclosures for fundraising.
A covered entity may use, or disclose to a business
associate or to an institutionally related foundation,
the following protected health information for the
purpose of raising funds for its own benefit, without
an authorization meeting the requirements of §
164.508:
- Demographic information relating to an individual;
and
- Dates of health care provided to an individual.
- Implementation specifications: fundraising requirements.
- The covered entity may not use or disclose
protected health information for fundraising purposes
as otherwise permitted by paragraph (f)(1) of
this section unless a statement required by §
164.520(b)(1)(iii)(B) is included in the covered
entity's notice;
- The covered entity must include in any fundraising
materials it sends to an individual under this
paragraph a description of how the individual
may opt out of receiving any further fundraising
communications.
- The covered entity must make reasonable efforts
to ensure that individuals who decide to opt out
of receiving future fundraising communications
are not sent such communications.
(g) Standard: uses and disclosures
for underwriting and related purposes. If a health
plan receives protected health information for the purpose
of underwriting, premium rating, or other activities
relating to the creation, renewal, or replacement of
a contract of health insurance or health benefits, and
if such health insurance or health benefits are not
placed with the health plan, such health plan may not
use or disclose such protected health information for
any other purpose, except as may be required by law.
(h)
- Standard: verification requirements. Prior
to any disclosure permitted by this subpart, a covered
entity must:
- Except with respect to disclosures under §
164.510, verify the identity of a person requesting
protected health information and the authority
of any such person to have access to protected
health information under this subpart, if the
identity or any such authority of such person
is not known to the covered entity; and
- Obtain any documentation, statements, or representations,
whether oral or written, from the person requesting
the protected health information when such documentation,
statement, or representation is a condition of
the disclosure under this subpart.
- Implementation specifications: verification.
- Conditions on disclosures. If a disclosure is
conditioned by this subpart on particular documentation,
statements, or representations from the person
requesting the protected health information, a
covered entity may rely, if such reliance is reasonable
under the circumstances, on documentation, statements,
or representations that, on their face, meet the
applicable requirements.
- The conditions in §
164.512(f)(1)(ii)(C) may be satisfied
by the administrative subpoena or similar
process or by a separate written statement
that, on its face, demonstrates that the applicable
requirements have been met.
- The documentation required by §
164.512(i)(2) may be satisfied by one
or more written statements, provided that
each is appropriately dated and signed in
accordance with §164.512(i)(2)(i)
and (v).
- Identity of public officials. A covered entity
may rely, if such reliance is reasonable under
the circumstances, on any of the following to
verify identity when the disclosure of protected
health information is to a public official or
a person acting on behalf of the public official:
- If the request is made in person, presentation
of an agency identification badge, other official
credentials, or other proof of government
status;
- If the request is in writing, the request
is on the appropriate government letterhead;
or
- If the disclosure is to a person acting
on behalf of a public official, a written
statement on appropriate government letterhead
that the person is acting under the government's
authority or other evidence or documentation
of agency, such as a contract for services,
memorandum of understanding, or purchase order,
that establishes that the person is acting
on behalf of the public official.
- Authority of public officials. A covered entity
may rely, if such reliance is reasonable under
the circumstances, on any of the following to
verify authority when the disclosure of protected
health information is to a public official or
a person acting on behalf of the public official:
- A written statement of the legal authority
under which the information is requested,
or, if a written statement would be impracticable,
an oral statement of such legal authority;
- If a request is made pursuant to legal process,
warrant, subpoena, order, or other legal process
issued by a grand jury or a judicial or administrative
tribunal is presumed to constitute legal authority.
- Exercise of professional judgment. The verification
requirements of this paragraph are met if the
covered entity relies on the exercise of professional
judgment in making a use or disclosure in accordance
with § 164.510 or acts
on a good faith belief in making a disclosure
in accordance with §
164.512(j).