Standards for Privacy of Individually Identifiable Health Information
List of Subjects
45 CFR Part 160
Electronic transactions, Employer benefit plan, Health, Health
care, Health facilities, Health insurance, Health records, Medicaid,
Medical research, Medicare, Privacy, Reporting and record keeping
requirements.
45 CFR Part 164
Electronic transactions, Employer benefit plan, Health, Health
care, Health facilities, Health insurance, Health records, Medicaid,
Medical research, Medicare, Privacy, Reporting and record keeping
requirements.
Dated: August 6, 2002.
Tommy G. Thompson,
Secretary.
For the reasons set forth in the preamble, the Department amends
45 CFR subtitle A, subchapter C, as follows:
PART 160--GENERAL ADMINISTRATIVE REQUIREMENTS
1. The authority citation for part 160 continues to read as follows:
Authority: Sec. 1171 through 1179 of the Social Security Act (42
U.S.C. 1320d-1320d-8), as added by sec. 262 of Pub. L. No. 104-191,
110 Stat. 2021-2031 and sec. 264 of Pub. L. No. 104-191 (42 U.S.C.
1320d-2(note)).
2. Amend Sec. 160.102(b), by removing the phrase "section
201(a)(5) of the Health Insurance Portability Act of 1996, (Pub.
L. No. 104-191)" and adding in its place the phrase "the
Social Security Act, 42 U.S.C. 1320a-7c(a)(5)".
3. In Sec. 160.103 add the definition of "individually identifiable
health information" in alphabetical order to read as follows:
Sec. 160.103 Definitions.
* * * * *
Individually identifiable health information is information that
is a subset of health information, including demographic information
collected from an individual, and:
(1) Is created or received by a health care provider, health plan,
employer, or health care clearinghouse; and
(2) Relates to the past, present, or future physical or mental
health or condition of an individual; the provision of health care
to an individual; or the past, present, or future payment for the
provision of health care to an individual; and
(i) That identifies the individual; or
(ii) With respect to which there is a reasonable basis to believe
the information can be used to identify the individual.
* * * * *
4. In Sec. 160.202 revise paragraphs (2) and (4) of the definition
of "more stringent" to read as follows:
Sec. 160.202 Definitions.
* * * * *
More stringent means * * *
(2) With respect to the rights of an individual, who is the subject
of the individually identifiable health information, regarding access
to or amendment of individually identifiable health information,
permits greater rights of access or amendment, as applicable.
* * * * *
(4) With respect to the form, substance, or the need for express
legal permission from an individual, who is the subject of the individually
identifiable health information, for use or disclosure of individually
identifiable health information, provides requirements that narrow
the scope or duration, increase the privacy protections afforded
(such as by expanding the criteria for), or reduce the coercive
effect of the circumstances surrounding the express legal permission,
as applicable.
* * * * *
5. Amend Sec. 160.203(b) by adding the words "individually
identifiable" before the word "health".
PART 164--SECURITY AND PRIVACY
Subpart E--Privacy of Individually Identifiable Health Information
1. The authority citation for part 164 continues to read as follows:
Authority: 42 U.S.C. 1320d-2 and 1320d-4, sec. 264 of Pub. L. No.
104-191, 110 Stat. 2033-2034 (42 U.S.C. 1320d-2(note)).
2. Amend Sec. 164.102 by removing the words "implementation
standards" and adding in its place the words "implementation
specifications."
3. In Sec. 164.500, remove "consent," from paragraph
(b)(1)(v).
4. Amend Sec. 164.501 as follows:
a. In the definition of "health care operations" remove
from the introductory text of the definition ", and any of
the following activities of an organized health care arrangement
in which the covered entity participates" and revise paragraphs
(6)(iv) and (v).
b. Remove the definition of "individually identifiable health
information".
c. Revise the definition of "marketing".
d. In paragraph (1)(ii) of the definition of "payment,"
remove the word "covered".
e. Revise paragraph (2) of the definition of "protected health
information".
f. Remove the words "a covered" and replace them with
"an" in the definition of "required by law".
The revisions read as follows:
Sec. 164.501 Definitions.
* * * * *
Health care operations means * * *
(6) * * *
(iv) The sale, transfer, merger, or consolidation of all or part
of the covered entity with another covered entity, or an entity
that following such activity will become a covered entity and due
diligence related to such activity; and
(v) Consistent with the applicable requirements of Sec. 164.514,
creating de-identified health information or a limited data set,
and fundraising for the benefit of the covered entity.
* * * * *
Marketing means:
(1) To make a communication about a product or service that encourages
recipients of the communication to purchase or use the product or
service, unless the communication is made:
(i) To describe a health-related product or service (or payment
for such product or service) that is provided by, or included in
a plan of benefits of, the covered entity making the communication,
including communications about: the entities participating in a
health care provider network or health plan network; replacement
of, or enhancements to, a health plan; and health-related products
or services available only to a health plan enrollee that add value
to, but are not part of, a plan of benefits.
(ii) For treatment of the individual; or
(iii) For case management or care coordination for the individual,
or to direct or recommend alternative treatments, therapies, health
care providers, or settings of care to the individual.
(2) An arrangement between a covered entity and any other entity
whereby the covered entity discloses protected health information
to the other entity, in exchange for direct or indirect remuneration,
for the other entity or its affiliate to make a communication about
its own product or service that encourages recipients of the communication
to purchase or use that product or service.
* * * * *
Protected health information means * * *
(2) Protected health information excludes individually identifiable
health information in:
(i) Education records covered by the Family Educational Rights
and Privacy Act, as amended, 20 U.S.C. 1232g;
(ii) Records described at 20 U.S.C. 1232g(a)(4)(B)(iv); and
(iii) Employment records held by a covered entity in its role as
employer.
* * * * *
5. Amend Sec. 164.502 as follows:
a. Revise paragraphs (a)(1)(ii), (iii), and (vi).
b. Revise paragraph (b)(2)(ii).
c. Redesignate paragraphs (b)(2)(iii) through (v) as paragraphs
(b)(2)(iv) through (vi).
d. Add a new paragraph (b)(2)(iii).
e. Redesignate paragraphs (g)(3)(i) through (iii) as (g)(3)(i)(A)
through (C) and redesignate paragraph (g)(3) as (g)(3)(i).
f. Add a new paragraph (g)(3)(ii).
The revisions and additions read as follows:
Sec. 164.502 Uses and disclosures of protected health information:
general rules.
(a) Standard. * * *
(1) Permitted uses and disclosures. * * *
(ii) For treatment, payment, or health care operations, as permitted
by and in compliance with Sec. 164.506;
(iii) Incident to a use or disclosure otherwise permitted or required
by this subpart, provided that the covered entity has complied with
the applicable requirements of Sec. 164.502(b), Sec. 164.514(d),
and Sec. 164.530(c) with respect to such otherwise permitted or
required use or disclosure;
* * * * *
(vi) As permitted by and in compliance with this section, Sec.
164.512, or Sec. 164.514(e), (f), or (g).
* * * * *
(b) Standard: Minimum necessary. * * *
(2) Minimum necessary does not apply. * * *
(ii) Uses or disclosures made to the individual, as permitted under
paragraph (a)(1)(i) of this section or as required by paragraph
(a)(2)(i) of this section;
(iii) Uses or disclosures made pursuant to an authorization under
Sec. 164.508;
* * * * *
(g)(1) Standard: Personal representatives. * * *
(3) Implementation specification: unemancipated minors. * * *
(i) * * *
(ii) Notwithstanding the provisions of paragraph (g)(3)(i) of this
section:
(A) If, and to the extent, permitted or required by an applicable
provision of State or other law, including applicable case law,
a covered entity may disclose, or provide access in accordance with
Sec. 164.524 to, protected health information about an unemancipated
minor to a parent, guardian, or other person acting in loco parentis;
(B) If, and to the extent, prohibited by an applicable provision
of State or other law, including applicable case law, a covered
entity may not disclose, or provide access in accordance with Sec.
164.524 to, protected health information about an unemancipated
minor to a parent, guardian, or other person acting in loco parentis;
and
(C) Where the parent, guardian, or other person acting in loco
parentis, is not the personal representative under paragraphs (g)(3)(i)(A),
(B), or (C) of this section and where there is no applicable access
provision under State or other law, including case law, a covered
entity may provide or deny access under Sec. 164.524 to a parent,
guardian, or other person acting in loco parentis, if such action
is consistent with State or other applicable law, provided that
such decision must be made by a licensed health care professional,
in the exercise of professional judgment.
* * * * *
6. Amend Sec. 164.504 as follows:
a. In paragraph (a), revise the definitions of "health care
component" and "hybrid entity".
b. Revise paragraph (c)(1)(ii).
c. Revise paragraph (c)(2)(ii).
d. Revise paragraph (c)(3)(iii).
e. Revise paragraph (f)(1)(i).
f. Add paragraph (f)(1)(iii).
The revisions and addition read as follows:
Sec. 164.504 Uses and disclosures: Organizational requirements.
(a) Definitions. * * *
Health care component means a component or combination of components
of a hybrid entity designated by the hybrid entity in accordance
with paragraph (c)(3)(iii) of this section.
Hybrid entity means a single legal entity:
(1) That is a covered entity;
(2) Whose business activities include both covered and non-covered
functions; and
(3) That designates health care components in accordance with paragraph
(c)(3)(iii) of this section.
* * * * *
(c)(1) Implementation specification: Application of other provisions.
* * *
(ii) A reference in such provision to a "health plan,"
"covered health care provider," or "health care clearinghouse"
refers to a health care component of the covered entity if such
health care component performs the functions of a health plan, health
care provider, or health care clearinghouse, as applicable; and
* * * * *
(2) Implementation specifications: Safeguard requirements. * * *
(ii) A component that is described by paragraph (c)(3)(iii)(B)
of this section does not use or disclose protected health information
that it creates or receives from or on behalf of the health care
component in a way prohibited by this subpart; and
* * * * *
(3) Implementation specifications: Responsibilities of the covered
entity. * * *
(iii) The covered entity is responsible for designating the components
that are part of one or more health care components of the covered
entity and documenting the designation as required by Sec. 164.530(j),
provided that, if the covered entity designates a health care component
or components, it must include any component that would meet the
definition of covered entity if it were a separate legal entity.
Health care component(s) also may include a component only to the
extent that it performs:
(A) Covered functions; or
(B) Activities that would make such component a business associate
of a component that performs covered functions if the two components
were separate legal entities.
* * * * *
(f)(1) Standard: Requirements for group health plans. (i) Except
as provided under paragraph (f)(1)(ii) or (iii) of this section
or as otherwise authorized under Sec. 164.508, a group health plan,
in order to disclose protected health information to the plan sponsor
or to provide for or permit the disclosure of protected health information
to the plan sponsor by a health insurance issuer or HMO with respect
to the group health plan, must ensure that the plan documents restrict
uses and disclosures of such information by the plan sponsor consistent
with the requirements of this subpart.
* * * * *
(iii) The group health plan, or a health insurance issuer or HMO
with respect to the group health plan, may disclose to the plan
sponsor information on whether the individual is participating in
the group health plan, or is enrolled in or has disenrolled from
a health insurance issuer or HMO offered by the plan.
* * * * *
7. Revise Sec. 164.506 to read as follows:
Sec. 164.506 Uses and disclosures to carry out treatment, payment,
or health care operations.
(a) Standard: Permitted uses and disclosures. Except with respect
to uses or disclosures that require an authorization under Sec.
164.508(a)(2) and (3), a covered entity may use or disclose protected
health information for treatment, payment, or health care operations
as set forth in paragraph (c) of this section, provided that such
use or disclosure is consistent with other applicable requirements
of this subpart.
(b) Standard: Consent for uses and disclosures permitted. (1) A
covered entity may obtain consent of the individual to use or disclose
protected health information to carry out treatment, payment, or
health care operations.
(2) Consent, under paragraph (b) of this section, shall not be
effective to permit a use or disclosure of protected health information
when an authorization, under Sec. 164.508, is required or when another
condition must be met for such use or disclosure to be permissible
under this subpart.
(c) Implementation specifications: Treatment, payment, or health
care operations.
(1) A covered entity may use or disclose protected health information
for its own treatment, payment, or health care operations.
(2) A covered entity may disclose protected health information
for treatment activities of a health care provider.
(3) A covered entity may disclose protected health information
to another covered entity or a health care provider for the payment
activities of the entity that receives the information.
(4) A covered entity may disclose protected health information
to another covered entity for health care operations activities
of the entity that receives the information, if each entity either
has or had a relationship with the individual who is the subject
of the protected health information being requested, the protected
health information pertains to such relationship, and the disclosure
is:
(i) For a purpose listed in paragraph (1) or (2) of the definition
of health care operations; or
(ii) For the purpose of health care fraud and abuse detection or
compliance.
(5) A covered entity that participates in an organized health care
arrangement may disclose protected health information about an individual
to another covered entity that participates in the organized health
care arrangement for any health care operations activities of the
organized health care arrangement.
8. Revise Sec. 164.508 to read as follows:
Sec. 164.508 Uses and disclosures for which an authorization is
required.
(a) Standard: authorizations for uses and disclosures.--(1) Authorization
required: general rule. Except as otherwise permitted or required
by this subchapter, a covered entity may not use or disclose protected
health information without an authorization that is valid under
this section. When a covered entity obtains or receives a valid
authorization for its use or disclosure of protected health information,
such use or disclosure must be consistent with such authorization.
(2) Authorization required: psychotherapy notes. Notwithstanding
any provision of this subpart, other than the transition provisions
in Sec. 164.532, a covered entity must obtain an authorization for
any use or disclosure of psychotherapy notes, except:
(i) To carry out the following treatment, payment, or health care
operations:
(A) Use by the originator of the psychotherapy notes for treatment;
(B) Use or disclosure by the covered entity for its own training
programs in which students, trainees, or practitioners in mental
health learn under supervision to practice or improve their skills
in group, joint, family, or individual counseling; or
(C) Use or disclosure by the covered entity to defend itself in
a legal action or other proceeding brought by the individual; and
(ii) A use or disclosure that is required by Sec. 164.502(a)(2)(ii)
or permitted by Sec. 164.512(a); Sec. 164.512(d) with respect to
the oversight of the originator of the psychotherapy notes; Sec.
164.512(g)(1); or Sec. 164.512(j)(1)(i).
(3) Authorization required: Marketing. (i) Notwithstanding any
provision of this subpart, other than the transition provisions
in Sec. 164.532, a covered entity must obtain an authorization for
any use or disclosure of protected health information for marketing,
except if the communication is in the form of:
(A) A face-to-face communication made by a covered entity to an
individual; or
(B) A promotional gift of nominal value provided by the covered
entity.
(ii) If the marketing involves direct or indirect remuneration
to the covered entity from a third party, the authorization must
state that such remuneration is involved.
(b) Implementation specifications: general requirements.--(1) Valid
authorizations. (i) A valid authorization is a document that meets
the requirements in paragraphs (a)(3)(ii), (c)(1), and (c)(2) of
this section, as applicable.
(ii) A valid authorization may contain elements or information
in addition to the elements required by this section, provided that
such additional elements or information are not inconsistent with
the elements required by this section.
(2) Defective authorizations. An authorization is not valid, if
the document submitted has any of the following defects:
(i) The expiration date has passed or the expiration event is known
by the covered entity to have occurred;
(ii) The authorization has not been filled out completely, with
respect to an element described by paragraph (c) of this section,
if applicable;
(iii) The authorization is known by the covered entity to have
been revoked;
(iv) The authorization violates paragraph (b)(3) or (4) of this
section, if applicable;
(v) Any material information in the authorization is known by the
covered entity to be false.
(3) Compound authorizations. An authorization for use or disclosure
of protected health information may not be combined with any other
document to create a compound authorization, except as follows:
(i) An authorization for the use or disclosure of protected health
information for a research study may be combined with any other
type of written permission for the same research study, including
another authorization for the use or disclosure of protected health
information for such research or a consent to participate in such
research;
(ii) An authorization for a use or disclosure of psychotherapy
notes may only be combined with another authorization for a use
or disclosure of psychotherapy notes;
(iii) An authorization under this section, other than an authorization
for a use or disclosure of psychotherapy notes, may be combined
with any other such authorization under this section, except when
a covered entity has conditioned the provision of treatment, payment,
enrollment in the health plan, or eligibility for benefits under
paragraph (b)(4) of this section on the provision of one of the
authorizations.
(4) Prohibition on conditioning of authorizations. A covered entity
may not condition the provision to an individual of treatment, payment,
enrollment in the health plan, or eligibility for benefits on the
provision of an authorization, except:
(i) A covered health care provider may condition the provision
of research-related treatment on provision of an authorization for
the use or disclosure of protected health information for such research
under this section;
(ii) A health plan may condition enrollment in the health plan
or eligibility for benefits on provision of an authorization requested
by the health plan prior to an individual's enrollment in the health
plan, if:
(A) The authorization sought is for the health plan's eligibility
or enrollment determinations relating to the individual or for its
underwriting or risk rating determinations; and
(B) The authorization is not for a use or disclosure of psychotherapy
notes under paragraph (a)(2) of this section; and
(iii) A covered entity may condition the provision of health care
that is solely for the purpose of creating protected health information
for disclosure to a third party on provision of an authorization
for the disclosure of the protected health information to such third
party.
(5) Revocation of authorizations. An individual may revoke an authorization
provided under this section at any time, provided that the revocation
is in writing, except to the extent that:
(i) The covered entity has taken action in reliance thereon; or
(ii) If the authorization was obtained as a condition of obtaining
insurance coverage, other law provides the insurer with the right
to contest a claim under the policy or the policy itself.
(6) Documentation. A covered entity must document and retain any
signed authorization under this section as required by Sec. 164.530(j).
(c) Implementation specifications: Core elements and requirements.--(1)
Core elements. A valid authorization under this section must contain
at least the following elements:
(i) A description of the information to be used or disclosed that
identifies the information in a specific and meaningful fashion.
(ii) The name or other specific identification of the person(s),
or class of persons, authorized to make the requested use or disclosure.
(iii) The name or other specific identification of the person(s),
or class of persons, to whom the covered entity may make the requested
use or disclosure.
(iv) A description of each purpose of the requested use or disclosure.
The statement "at the request of the individual" is a
sufficient description of the purpose when an individual initiates
the authorization and does not, or elects not to, provide a statement
of the purpose.
(v) An expiration date or an expiration event that relates to the
individual or the purpose of the use or disclosure. The statement
"end of the research study," "none," or similar
language is sufficient if the authorization is for a use or disclosure
of protected health information for research, including for the
creation and maintenance of a research database or research repository.
(vi) Signature of the individual and date. If the authorization
is signed by a personal representative of the individual, a description
of such representative's authority to act for the individual must
also be provided.
(2) Required statements. In addition to the core elements, the
authorization must contain statements adequate to place the individual
on notice of all of the following:
(i) The individual's right to revoke the authorization in writing,
and either:
(A) The exceptions to the right to revoke and a description of
how the individual may revoke the authorization; or
(B) To the extent that the information in paragraph (c)(2)(i)(A)
of this section is included in the notice required by Sec. 164.520,
a reference to the covered entity's notice.
(ii) The ability or inability to condition treatment, payment,
enrollment or eligibility for benefits on the authorization, by
stating either:
(A) The covered entity may not condition treatment, payment, enrollment
or eligibility for benefits on whether the individual signs the
authorization when the prohibition on conditioning of authorizations
in paragraph (b)(4) of this section applies; or
(B) The consequences to the individual of a refusal to sign the
authorization when, in accordance with paragraph (b)(4) of this
section, the covered entity can condition treatment, enrollment
in the health plan, or eligibility for benefits on failure to obtain
such authorization.
(iii) The potential for information disclosed pursuant to the authorization
to be subject to redisclosure by the recipient and no longer be
protected by this subpart.
(3) Plain language requirement. The authorization must be written
in plain language.
(4) Copy to the individual. If a covered entity seeks an authorization
from an individual for a use or disclosure of protected health information,
the covered entity must provide the individual with a copy of the
signed authorization.
9. Amend Sec. 164.510 as follows:
a. Revise the first sentence of the introductory text.
b. Remove the word "for" from paragraph (b)(3).
The revision reads as follows:
Sec. 164.510 Uses and disclosures requiring an opportunity for
the individual to agree or to object.
A covered entity may use or disclose protected health information,
provided that the individual is informed in advance of the use or
disclosure and has the opportunity to agree to or prohibit or restrict
the use or disclosure, in accordance with the applicable requirements
of this section. * * *
* * * * *
10. Amend Sec. 164.512 as follows:
a. Revise the section heading and the first sentence of the introductory
text.
b. Revise paragraph (b)(1)(iii).
c. In paragraph (b)(1)(v)(A) remove the word "a" before
the word "health."
d. Add the word "and" after the semicolon at the end
of paragraph (b)(1)(v)(C).
e. Redesignate paragraphs (f)(3)(ii) and (iii) as (f)(3)(i) and
(ii).
f. In the second sentence of paragraph (g)(2) add the word "to"
after the word "directors."
g. In paragraph (i)(1)(iii)(A) remove the word "is" after
the word "disclosure."
h. Revise paragraph (i)(2)(ii).
i. In paragraph (i)(2)(iii) remove "(i)(2)(ii)(D)" and
add in its place "(i)(2)(ii)(C)".
The revisions read as follows:
Sec. 164.512 Uses and disclosures for which an authorization or
opportunity to agree or object is not required.
A covered entity may use or disclose protected health information
without the written authorization of the individual, as described
in Sec. 164.508, or the opportunity for the individual to agree
or object as described in Sec. 164.510, in the situations covered
by this section, subject to the applicable requirements of this
section. * * *
* * * * *
(b) Standard: uses and disclosures for public health activities.
(1) Permitted disclosures. * * *
(iii) A person subject to the jurisdiction of the Food and Drug
Administration (FDA) with respect to an FDA-regulated product or
activity for which that person has responsibility, for the purpose
of activities related to the quality, safety or effectiveness of
such FDA-regulated product or activity. Such purposes include:
(A) To collect or report adverse events (or similar activities
with respect to food or dietary supplements), product defects or
problems (including problems with the use or labeling of a product),
or biological product deviations;
(B) To track FDA-regulated products;
(C) To enable product recalls, repairs, or replacement, or lookback
(including locating and notifying individuals who have received
products that have been recalled, withdrawn, or are the subject
of lookback); or
(D) To conduct post marketing surveillance;
* * * * *
(i) Standard: Uses and disclosures for research purposes. * * *
(2) Documentation of waiver approval. * * *
(ii) Waiver criteria. A statement that the IRB or privacy board
has determined that the alteration or waiver, in whole or in part,
of authorization satisfies the following criteria:
(A) The use or disclosure of protected health information involves
no more than a minimal risk to the privacy of individuals, based
on, at least, the presence of the following elements;
(1) An adequate plan to protect the identifiers from improper use
and disclosure;
(2) An adequate plan to destroy the identifiers at the earliest
opportunity consistent with conduct of the research, unless there
is a health or research justification for retaining the identifiers
or such retention is otherwise required by law; and
(3) Adequate written assurances that the protected health information
will not be reused or disclosed to any other person or entity, except
as required by law, for authorized oversight of the research study,
or for other research for which the use or disclosure of protected
health information would be permitted by this subpart;
(B) The research could not practicably be conducted without the
waiver or alteration; and
(C) The research could not practicably be conducted without access
to and use of the protected health information.
* * * * *
11. Amend Sec. 164.514 as follows:
a. Revise paragraph (b)(2)(i)(R).
b. Revise paragraph (d)(1).
c. Revise paragraph (d)(4)(iii).
d. In paragraph (d)(5), remove the word "discloses" and
add in its place the word "disclose".
e. Revise paragraph (e).
The revisions read as follows:
Sec. 164.514 Other requirements relating to uses and disclosures
of protected health information.
* * * * *
(b) Implementation specifications: Requirements for de-identification
of protected health information. * * *
(2)(i) * * *
(R) Any other unique identifying number, characteristic, or code,
except as permitted by paragraph (c) of this section; and
* * * * *
(d)(1) Standard: minimum necessary requirements. In order to comply
with Sec. 164.502(b) and this section, a covered entity must meet
the requirements of paragraphs (d)(2) through (d)(5) of this section
with respect to a request for, or the use and disclosure of, protected
health information.
* * * * *
(4) Implementation specifications: Minimum necessary requests for
protected health information. * * *
(iii) For all other requests, a covered entity must:
(A) Develop criteria designed to limit the request for protected
health information to the information reasonably necessary to accomplish
the purpose for which the request is made; and
(B) Review requests for disclosure on an individual basis in accordance
with such criteria.
* * * * *
(e)(1) Standard: Limited data set. A covered entity may use or
disclose a limited data set that meets the requirements of paragraphs
(e)(2) and (e)(3) of this section, if the covered entity enters
into a data use agreement with the limited data set recipient, in
accordance with paragraph (e)(4) of this section.
(2) Implementation specification: Limited data set: A limited data
set is protected health information that excludes the following
direct identifiers of the individual or of relatives, employers,
or household members of the individual:
(i) Names;
(ii) Postal address information, other than town or city, State,
and zip code;
(iii) Telephone numbers;
(iv) Fax numbers;
(v) Electronic mail addresses;
(vi) Social security numbers;
(vii) Medical record numbers;
(viii) Health plan beneficiary numbers;
(ix) Account numbers;
(x) Certificate/license numbers;
(xi) Vehicle identifiers and serial numbers, including license
plate numbers;
(xii) Device identifiers and serial numbers;
(xiii) Web Universal Resource Locators (URLs);
(xiv) Internet Protocol (IP) address numbers;
(xv) Biometric identifiers, including finger and voice prints;
and
(xvi) Full face photographic images and any comparable images.
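The sixteen categories above are a removal list, and paragraph (e)(2) applies it not only to the individual but to relatives, employers and household members as well. The following is an added illustration, not text from the rule or from any HHS publication: it derives a limited data set from a structured record and then checks the result. The field names (`name`, `ssn`, `address`, `relatives`, and so on) and the layout of the record are this example's own assumptions about how a system might store the data; the mapping from those names onto the (i) through (xvi) categories is likewise hypothetical and would have to be established per system.

```python
"""Added example, not part of the rule text: derive a limited data set
(45 CFR 164.514(e)(2)) from a patient record and verify the result.

Assumptions (hypothetical, not from the rule): records are dicts; the field
names in DIRECT_IDENTIFIER_FIELDS are this example's mapping onto the sixteen
identifier categories; "address" is a dict of address parts; records about
relatives, employers and household members sit in lists under RELATED_PARTY_KEYS.
"""
from copy import deepcopy

# Hypothetical field name -> category in 164.514(e)(2)(i) through (xvi).
DIRECT_IDENTIFIER_FIELDS = {
    "name": "(i) names",
    "phone": "(iii) telephone numbers",
    "fax": "(iv) fax numbers",
    "email": "(v) electronic mail addresses",
    "ssn": "(vi) social security numbers",
    "mrn": "(vii) medical record numbers",
    "plan_beneficiary_id": "(viii) health plan beneficiary numbers",
    "account_number": "(ix) account numbers",
    "license_number": "(x) certificate/license numbers",
    "vehicle_id": "(xi) vehicle identifiers and serial numbers",
    "license_plate": "(xi) vehicle identifiers and serial numbers",
    "device_serial": "(xii) device identifiers and serial numbers",
    "url": "(xiii) web URLs",
    "ip_address": "(xiv) IP address numbers",
    "biometric": "(xv) biometric identifiers",
    "photo": "(xvi) full face photographic images",
}

# (ii): of postal address information, only town or city, State and zip code
# may stay; every other address part is a direct identifier.
ADDRESS_FIELD = "address"
RETAINED_ADDRESS_PARTS = frozenset({"city", "state", "zip"})

# Hypothetical keys whose values are lists of records about relatives,
# employers or household members; (e)(2) covers their identifiers too.
RELATED_PARTY_KEYS = ("relatives", "employers", "household_members")


def to_limited_data_set(record):
    """Return (filtered_copy, removed); removed lists 'path: category'."""
    removed = []
    filtered = _strip(deepcopy(record), "", removed)
    return filtered, removed


def _strip(rec, path, removed):
    for key in list(rec):
        value = rec[key]
        if key in DIRECT_IDENTIFIER_FIELDS:
            removed.append(f"{path}{key}: {DIRECT_IDENTIFIER_FIELDS[key]}")
            del rec[key]
        elif key == ADDRESS_FIELD:
            if isinstance(value, dict):
                for part in list(value):
                    if part not in RETAINED_ADDRESS_PARTS:
                        removed.append(f"{path}{key}.{part}: (ii) postal address")
                        del value[part]
            else:
                # A free-text address cannot be reduced to city/State/zip: drop it.
                removed.append(f"{path}{key}: (ii) postal address")
                del rec[key]
        elif key in RELATED_PARTY_KEYS:
            for i, party in enumerate(value):
                _strip(party, f"{path}{key}[{i}].", removed)
    return rec


def violations(record, path=""):
    """List every (e)(2) direct identifier still present; an empty list means
    the record qualifies as a limited data set under this example's mapping."""
    found = []
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            found.append(f"{path}{key}")
        elif key == ADDRESS_FIELD:
            if not isinstance(value, dict):
                found.append(f"{path}{key}")
            else:
                found.extend(f"{path}{key}.{p}" for p in value
                             if p not in RETAINED_ADDRESS_PARTS)
        elif key in RELATED_PARTY_KEYS:
            for i, party in enumerate(value):
                found.extend(violations(party, f"{path}{key}[{i}]."))
    return found


# Constructed sample record with fictional values.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "dob": "1970-04-02",
    "admit_date": "2002-08-06",
    "diagnosis_code": "E11.9",
    "address": {"street": "12 Example Rd", "city": "Springfield",
                "state": "IL", "zip": "62704"},
    "ssn": "000-00-0000",
    "ip_address": "192.0.2.10",
    "relatives": [{"name": "John Sample", "relationship": "spouse",
                   "phone": "555-0100"}],
}

if __name__ == "__main__":
    lds, removed = to_limited_data_set(SAMPLE_RECORD)
    print(lds)
    print("removed:", *removed, sep="\n  ")
    print("violations remaining:", violations(lds))
```

Note what survives: dates of birth and admission, diagnosis codes, town, State and zip code all remain in the output. That is exactly what distinguishes a limited data set from information de-identified under paragraph (b), and it is why paragraph (e)(1) makes the use or disclosure conditional on a data use agreement under (e)(4) and paragraph (e)(3) confines it to research, public health and health care operations. The `violations` check is the receiving side's counterpart: a recipient under a data use agreement can run it on what it receives before loading the data.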
(3) Implementation specification: Permitted purposes for uses and
disclosures. (i) A covered entity may use or disclose a limited
data set under paragraph (e)(1) of this section only for the purposes
of research, public health, or health care operations.
(ii) A covered entity may use protected health information to create
a limited data set that meets the requirements of paragraph (e)(2)
of this section, or disclose protected health information only to
a business associate for such purpose, whether or not the limited
data set is to be used by the covered entity.
(4) Implementation specifications: Data use agreement.--(i) Agreement
required. A covered entity may use or disclose a limited data set
under paragraph (e)(1) of this section only if the covered entity
obtains satisfactory assurance, in the form of a data use agreement
that meets the requirements of this section, that the limited data
set recipient will only use or disclose the protected health information
for limited purposes.
(ii) Contents. A data use agreement between the covered entity
and the limited data set recipient must:
(A) Establish the permitted uses and disclosures of such information
by the limited data set recipient, consistent with paragraph (e)(3)
of this section. The data use agreement may not authorize the limited
data set recipient to use or further disclose the information in
a manner that would violate the requirements of this subpart, if
done by the covered entity;
(B) Establish who is permitted to use or receive the limited data
set; and
(C) Provide that the limited data set recipient will:
(1) Not use or further disclose the information other than as permitted
by the data use agreement or as otherwise required by law;
(2) Use appropriate safeguards to prevent use or disclosure of
the information other than as provided for by the data use agreement;
(3) Report to the covered entity any use or disclosure of the information
not provided for by its data use agreement of which it becomes aware;
(4) Ensure that any agents, including a subcontractor, to whom
it provides the limited data set agree to the same restrictions
and conditions that apply to the limited data set recipient with
respect to such information; and
(5) Not identify the information or contact the individuals.
(iii) Compliance. (A) A covered entity is not in compliance with
the standards in paragraph (e) of this section if the covered entity
knew of a pattern of activity or practice of the limited data set
recipient that constituted a material breach or violation of the
data use agreement, unless the covered entity took reasonable steps
to cure the breach or end the violation, as applicable, and, if
such steps were unsuccessful:
(1) Discontinued disclosure of protected health information to
the recipient; and
(2) Reported the problem to the Secretary.
(B) A covered entity that is a limited data set recipient and violates
a data use agreement will be in noncompliance with the standards,
implementation specifications, and requirements of paragraph (e)
of this section.
* * * * *
12. Amend Sec. 164.520 as follows:
a. Remove the words "consent or" from paragraph (b)(1)(ii)(B).
b. In paragraph (c), introductory text, remove "(c)(4)"
and add in its place "(c)(3)".
c. Revise paragraph (c)(2)(i).
d. Redesignate paragraphs (c)(2)(ii) and (iii) as (c)(2)(iii) and
(iv).
e. Add new paragraph (c)(2)(ii).
f. Amend redesignated paragraph (c)(2)(iv) by removing "(c)(2)(ii)"
and adding in its place "(c)(2)(iii)".
g. Amend paragraph (c)(3)(iii) by adding a sentence at the end.
h. Revise paragraph (e).
The revisions and addition read as follows:
Sec. 164.520 Notice of privacy practices for protected health information.
* * * * *
(c) Implementation specifications: provision of notice. * * *
(2) Specific requirements for certain covered health care providers.
* * *
(i) Provide the notice:
(A) No later than the date of the first service delivery, including
service delivered electronically, to such individual after the compliance
date for the covered health care provider; or
(B) In an emergency treatment situation, as soon as reasonably
practicable after the emergency treatment situation.
(ii) Except in an emergency treatment situation, make a good faith
effort to obtain a written acknowledgment of receipt of the notice
provided in accordance with paragraph (c)(2)(i) of this section,
and if not obtained, document its good faith efforts to obtain such
acknowledgment and the reason why the acknowledgment was not obtained;
* * * * *
(3) Specific requirements for electronic notice. * * *
(iii) * * * The requirements in paragraph (c)(2)(ii) of this section
apply to electronic notice.
* * * * *
(e) Implementation specifications: Documentation. A covered entity
must document compliance with the notice requirements, as required
by Sec. 164.530(j), by retaining copies of the notices issued by
the covered entity and, if applicable, any written acknowledgments
of receipt of the notice or documentation of good faith efforts
to obtain such written acknowledgment, in accordance with paragraph
(c)(2)(ii) of this section.
13. Amend Sec. 164.522 by removing the reference to "164.502(a)(2)(i)"
in paragraph (a)(1)(v), and adding in its place "164.502(a)(2)(ii)".
14. Amend Sec. 164.528 as follows:
a. In paragraph (a)(1)(i), remove "Sec. 164.502" and
add in its place "Sec. 164.506".
b. Remove the word "or" from paragraph (a)(1)(v).
c. Redesignate paragraph (a)(1)(vi) as (a)(1)(ix) and redesignate
paragraphs (a)(1)(iii) through (v) as (a)(1)(v) through (vii).
d. Add paragraphs (a)(1)(iii), (iv), and (a)(1)(viii).
e. Revise paragraph (b)(2), introductory text.
f. Revise paragraph (b)(2)(iv).
g. Remove "or pursuant to a single authorization under Sec.
164.508," from paragraph (b)(3), introductory text.
h. Add paragraph (b)(4).
The additions and revisions read as follows:
Sec. 164.528 Accounting of disclosures of protected health information.
(a) Standard: Right to an accounting of disclosures of protected
health information.
(1) * * *
(iii) Incident to a use or disclosure otherwise permitted or required
by this subpart, as provided in Sec. 164.502;
(iv) Pursuant to an authorization as provided in Sec. 164.508;
* * * * *
(viii) As part of a limited data set in accordance with Sec. 164.514(e);
or
* * * * *
(b) Implementation specifications: Content of the accounting. * * *
(2) Except as otherwise provided by paragraphs (b)(3) or (b)(4)
of this section, the accounting must include for each disclosure:
* * * * *
(iv) A brief statement of the purpose of the disclosure that reasonably
informs the individual of the basis for the disclosure or, in lieu
of such statement, a copy of a written request for a disclosure
under Secs. 164.502(a)(2)(ii) or 164.512, if any.
* * * * *
(4)(i) If, during the period covered by the accounting, the covered
entity has made disclosures of protected health information for
a particular research purpose in accordance with Sec. 164.512(i)
for 50 or more individuals, the accounting may, with respect to
such disclosures for which the protected health information about
the individual may have been included, provide:
(A) The name of the protocol or other research activity;
(B) A description, in plain language, of the research protocol
or other research activity, including the purpose of the research
and the criteria for selecting particular records;
(C) A brief description of the type of protected health information
that was disclosed;
(D) The date or period of time during which such disclosures occurred,
or may have occurred, including the date of the last such disclosure
during the accounting period;
(E) The name, address, and telephone number of the entity that
sponsored the research and of the researcher to whom the information
was disclosed; and
(F) A statement that the protected health information of the individual
may or may not have been disclosed for a particular protocol or
other research activity.
(ii) If the covered entity provides an accounting for research
disclosures, in accordance with paragraph (b)(4) of this section,
and if it is reasonably likely that the protected health information
of the individual was disclosed for such research protocol or activity,
the covered entity shall, at the request of the individual, assist
in contacting the entity that sponsored the research and the researcher.
* * * * *
15. Amend Sec. 164.530 as follows:
a. Redesignate paragraph (c)(2) as (c)(2)(i).
b. Add paragraph (c)(2)(ii).
c. Remove the words "the requirements" from paragraph
(i)(4)(ii)(A) and add in their place the word "specifications."
The addition reads as follows:
Sec. 164.530 Administrative requirements.
* * * * *
(c) Standard: Safeguards. * * *
(2) Implementation specifications: Safeguards. (i) * * *
(ii) A covered entity must reasonably safeguard protected health
information to limit incidental uses or disclosures made pursuant
to an otherwise permitted or required use or disclosure.
* * * * *
16. Revise Sec. 164.532 to read as follows:
Sec. 164.532 Transition provisions.
(a) Standard: Effect of prior authorizations. Notwithstanding Secs.
164.508 and 164.512(i), a covered entity may use or disclose protected
health information, consistent with paragraphs (b) and (c) of this
section, pursuant to an authorization or other express legal permission
obtained from an individual permitting the use or disclosure of
protected health information, informed consent of the individual
to participate in research, or a waiver of informed consent by an
IRB.
(b) Implementation specification: Effect of prior authorization
for purposes other than research. Notwithstanding any provisions
in Sec. 164.508, a covered entity may use or disclose protected
health information that it created or received prior to the applicable
compliance date of this subpart pursuant to an authorization or
other express legal permission obtained from an individual prior
to the applicable compliance date of this subpart, provided that
the authorization or other express legal permission specifically
permits such use or disclosure and there is no agreed-to restriction
in accordance with Sec. 164.522(a).
(c) Implementation specification: Effect of prior permission for
research. Notwithstanding any provisions in Secs. 164.508 and 164.512(i),
a covered entity may, to the extent allowed by one of the following
permissions, use or disclose, for research, protected health information
that it created or received either before or after the applicable
compliance date of this subpart, provided that there is no agreed-to
restriction in accordance with Sec. 164.522(a), and the covered
entity has obtained, prior to the applicable compliance date, either:
(1) An authorization or other express legal permission from an
individual to use or disclose protected health information for the
research;
(2) The informed consent of the individual to participate in the
research; or
(3) A waiver, by an IRB, of informed consent for the research,
in accordance with 7 CFR 1c.116(d), 10 CFR 745.116(d), 14 CFR 1230.116(d),
15 CFR 27.116(d), 16 CFR 1028.116(d), 21 CFR 50.24, 22 CFR 225.116(d),
24 CFR 60.116(d), 28 CFR 46.116(d), 32 CFR 219.116(d), 34 CFR 97.116(d),
38 CFR 16.116(d), 40 CFR 26.116(d), 45 CFR 46.116(d), 45 CFR 690.116(d),
or 49 CFR 11.116(d), provided that a covered entity must obtain
authorization in accordance with Sec. 164.508 if, after the compliance
date, informed consent is sought from an individual participating
in the research.
(d) Standard: Effect of prior contracts or other arrangements with
business associates. Notwithstanding any other provisions of this
subpart, a covered entity, other than a small health plan, may disclose
protected health information to a business associate and may allow
a business associate to create, receive, or use protected health
information on its behalf pursuant to a written contract or other
written arrangement with such business associate that does not comply
with Secs. 164.502(e) and 164.504(e) consistent with the requirements,
and only for such time, set forth in paragraph (e) of this section.
(e) Implementation specification: Deemed compliance.--(1) Qualification.
Notwithstanding other sections of this subpart, a covered entity,
other than a small health plan, is deemed to be in compliance with
the documentation and contract requirements of Secs. 164.502(e)
and 164.504(e), with respect to a particular business associate
relationship, for the time period set forth in paragraph (e)(2)
of this section, if:
(i) Prior to October 15, 2002, such covered entity has entered
into and is operating pursuant to a written contract or other written
arrangement with a business associate for such business associate
to perform functions or activities or provide services that make
the entity a business associate; and
(ii) The contract or other arrangement is not renewed or modified
from October 15, 2002, until the compliance date set forth in Sec.
164.534.
(2) Limited deemed compliance period. A prior contract or other
arrangement that meets the qualification requirements in paragraph
(e) of this section, shall be deemed compliant until the earlier
of:
(i) The date such contract or other arrangement is renewed or modified
on or after the compliance date set forth in Sec. 164.534; or
(ii) April 14, 2004.
(3) Covered entity responsibilities. Nothing in this section shall
alter the requirements of a covered entity to comply with part 160,
subpart C of this subchapter and Secs. 164.524, 164.526, 164.528,
and 164.530(f) with respect to protected health information held
by a business associate.
[FR Doc. 02-20554 Filed 8-9-02; 2:00 pm]
BILLING CODE 4153-01-P