Standards for Privacy of Individually Identifiable Health Information
H. Section 164.520--Notice of Privacy Practices for Protected Health Information
December 2000 Privacy Rule
The Privacy Rule at Sec. 164.520 requires most covered entities
to provide individuals with adequate notice of the uses and disclosures
of protected health information that may be made by the covered
entity, and of the individual's rights and the covered entity's
responsibilities with respect to protected health information. The
Rule delineates specific requirements for the content of the notice,
as well as for provision of the notice. The requirements for providing
notice to individuals vary based on type of covered entity and method
of service delivery. For example, a covered health care provider
that has a direct treatment relationship with an individual must
provide the notice no later than the date of first service delivery
and, if the provider maintains a physical service delivery site,
must post the notice in a clear and prominent location and have
it available upon request for individuals to take with them. If
the first service delivery to an individual is electronic, the covered
provider must furnish electronic notice automatically and contemporaneously
in response to the individual's first request for service. In addition,
if a covered entity maintains a web site, the notice must be available
electronically through the web site.
March 2002 NPRM
The Department proposed to modify the notice requirements at Sec.
164.520(c)(2) to require that a covered health care provider with
a direct treatment relationship make a good faith effort to obtain
an individual's written acknowledgment of receipt of the provider's
notice of privacy practices. Other covered entities, such as health
plans, would not be required to obtain this acknowledgment from
individuals, but could do so if they chose.
The Department proposed to strengthen the notice requirements in
order to preserve a valuable aspect of the consent process. The
notice acknowledgment proposal was intended to create the "initial
moment" between a covered health care provider and an individual,
formerly a result of the consent requirement, when individuals may
focus on information practices and privacy rights and discuss with
the provider any concerns related to the privacy of their protected
health information. This "initial moment" also would provide
an opportunity for an individual to make a request for additional
restrictions on the use or disclosure of his or her protected health
information or for additional confidential treatment of communications,
as permitted under Sec. 164.522.
With one exception for emergency treatment situations, the proposal
would require that the good faith effort to obtain the written acknowledgment
be made no later than the date of first service delivery, including
service delivered electronically. To address potential operational
difficulties with implementing these notice requirements in emergency
treatment situations, the Department proposed in Sec. 164.520(c)(2)
to delay the requirement for provision of notice until reasonably
practicable after the emergency treatment situation, and exempt
health care providers with a direct treatment relationship with
the individual from having to make a good faith effort to obtain
the acknowledgment altogether in such situations.
Other than requiring that the acknowledgment be in writing, the
proposal would not prescribe other details of the form of the acknowledgment
or limit the manner in which a covered health care provider could
obtain the acknowledgment.
The proposal also provided that, if the individual's acknowledgment
of receipt of the notice could not be obtained, the covered health
care provider would be required to document its good faith efforts
to obtain the acknowledgment and the reason why the acknowledgment
was not obtained. Failure by a covered entity to obtain an individual's
acknowledgment, assuming it otherwise documented its good faith
effort, would not be considered a violation of the Privacy Rule.
Overview of Public Comments
The following discussion provides an overview of the public comment
received on this proposal. Additional comments received on this
issue are discussed below in the section entitled, "Response
to Other Public Comments."
In general, many commenters expressed support for the proposal
to require that certain health care providers, as an alternative
to obtaining prior consent, make a good faith effort to obtain a
written acknowledgment from the individual of receipt of the notice.
Commenters stated that even though the requirement would place some
burden on certain health care providers, the proposed policy was
a reasonable and workable alternative to the Rule's prior consent
requirement. A number of these commenters conveyed support for the
proposed flexibility of the requirement that would allow covered
entities to implement the requirement in accordance with their own
practices. Commenters urged that the Department not prescribe (other
than that the acknowledgment be in writing) the form or content
of the acknowledgment, or other requirements that would further
burden the acknowledgment process. In addition, commenters viewed
the proposed exception for emergency treatment situations as a practical
policy.
A number of other commenters, while supportive of the Department's
proposal to make the obtaining of consent optional for all covered
entities, expressed concern over the administrative burden the proposed
notice acknowledgment requirements would impose on certain health
care providers. Some of these commenters viewed the notice acknowledgment
as an unnecessary burden on providers that would not afford individuals
with any additional privacy rights or protections. Thus, some commenters
urged that the good faith acknowledgment not be adopted in the final
Rule. As an alternative, it was suggested by some that covered entities
instead be required to make a good faith effort to make the notice
available to consumers.
Several commenters expressed concerns that the notice acknowledgment
process would reestablish some of the same operational problems
associated with the prior consent requirement. For example, commenters
questioned how the requirement should be implemented when the provider's
first contact with the patient is over the phone, electronically,
or otherwise not face-to-face, such as with telemedicine. Accordingly,
it was suggested that the good faith acknowledgment of the notice
be required no later than the date of first face-to-face encounter
with the patient rather than first service delivery to eliminate
these perceived problems.
A few others urged that the proposed notice acknowledgment requirement
be modified to allow for an individual's oral acknowledgment of
the notice, so long as the provider maintained a record that the
individual's acknowledgment was obtained.
Some commenters did not support the proposal's written notice acknowledgment
as a suitable alternative to the consent requirement, stating that
such a requirement would not provide individuals with comparable
privacy protections or rights. It was stated that there are a number
of fundamental differences between a consent and an acknowledgment
of the notice. For example, one commenter argued that asking individuals
to acknowledge receipt of the notice does not provide a comparable
"initial moment" between the provider and the individual,
especially when the individual is only asked to acknowledge receipt
of the notice, and not whether they have read or understood it,
or have questions. Further, commenters argued that the notice acknowledgment
process would not be the same as seeking the individual's permission
through a consent process. Some of these commenters urged that the
Department retain the consent requirements and make appropriate
modifications to fix the known operational problems associated with
the requirement.
A few commenters urged that the Department strengthen the notice
acknowledgment process. Some commenters suggested that the Department
do so by eliminating the "good faith" aspect of the standard
and simply requiring certain health care providers to obtain the
written acknowledgment, with appropriate exceptions for emergencies
and other situations where it may not be practical to do so. It
was also suggested that the Department require providers to ensure
that the consumer has an understanding of the information provided
in the notice. One commenter suggested that this may be achieved
by having individuals not only indicate whether they have received
the notice, but also be asked on separate lines after each section
of the notice whether they have read that section. Another commenter
argued that consumers should be asked to sign something more meaningful
than a notice acknowledgment, such as a "Summary of Consumer
Rights," which clearly and briefly summarizes the ways in which
their information may be used by covered entities, as well as the
key rights consumers have under the Privacy Rule.
Final Modifications
After consideration of the public comment, the Department adopts
in this final Rule at Sec. 164.520(c)(2)(ii), the proposed requirement
that a covered health care provider with a direct treatment relationship
with an individual make a good faith effort to obtain the individual's
written acknowledgment of receipt of the notice. Other covered entities,
such as health plans, are not required to obtain this acknowledgment
from individuals, but may do so if they choose. The Department agrees
with those commenters who stated that the notice acknowledgment
process is a workable alternative to the prior consent process,
retaining the beneficial aspects of the consent without impeding
timely access to quality health care. The Department continues to
believe strongly that promoting individuals' understanding of privacy
practices is an essential component of providing notice to individuals.
Through this requirement, the Department facilitates achieving this
goal by retaining the opportunity for individuals to discuss privacy
practices and concerns with their health care providers. Additionally,
the requirement provides individuals with an opportunity to request
any additional restrictions on uses and disclosures of their health
information or confidential communications, as permitted by Sec.
164.522.
As proposed in the NPRM, the final Rule requires, with one exception,
that a covered direct treatment provider make a good faith effort
to obtain the written acknowledgment no later than the date of first
service delivery, including service delivered electronically, that
is, at the time the notice is required to be provided. During emergency
treatment situations, the final Rule at Sec. 164.520(c)(2)(i)(B)
delays the requirement for provision of the notice until reasonably
practicable after the emergency situation, and at Sec. 164.520(c)(2)(ii)
exempts health care providers from having to make a good faith effort
to obtain an individual's acknowledgment in such emergency situations.
The Department agrees with commenters that such exceptions are practical
and necessary to ensure that the notice and acknowledgment requirements
do not impede an individual's timely access to quality health care.
The Department also agrees with commenters that the notice acknowledgment
process must be flexible and provide covered entities with discretion
in order to be workable. Therefore, the final modification adopts
the flexibility proposed in the NPRM for the acknowledgment requirement.
The Rule requires only that the acknowledgment be in writing, and
does not prescribe other details such as the form that the acknowledgment
must take or the process for obtaining the acknowledgment. For example,
the final Rule does not require an individual's signature to be
on the notice. Instead, a covered health provider is permitted,
for example, to have the individual sign a separate sheet or list,
or to simply initial a cover sheet of the notice to be retained
by the provider. Alternatively, a pharmacist is permitted to have
the individual sign or initial an acknowledgment within the log
book that patients already sign when they pick up prescriptions,
so long as the individual is clearly informed on the log book of
what they are acknowledging and the acknowledgment is not also used
as a waiver or permission for something else (such as a waiver to
consult with the pharmacist). For notice that is delivered electronically
as part of first service delivery, the Department believes the provider's
system should be capable of capturing the individual's acknowledgment
of receipt electronically. In addition, those covered health care
providers that choose to obtain consent from an individual may design
one form that includes both a consent and the acknowledgment of
receipt of the notice. Covered health care providers are provided
discretion to design the acknowledgment process best suited to their
practices.
While the Department believes that the notice acknowledgment process
must remain flexible, the Department does not consider oral acknowledgment
by the individual to be either a meaningful or appropriate manner
by which a covered health care provider may implement these provisions.
The notice acknowledgment process is intended to provide a formal
opportunity for the individual to engage in a discussion with a
health care provider about privacy. At the very least, the process
is intended to draw the individual's attention to the importance
of the notice. The Department believes these goals are better accomplished
by requiring a written acknowledgment and, therefore, adopts such
provision in this final modification.
Under the final modification, if an individual refuses to sign
or otherwise fails to provide an acknowledgment, a covered health
care provider is required to document its good faith efforts to
obtain the acknowledgment and the reason why the acknowledgment
was not obtained. Failure by a covered entity to obtain an individual's
acknowledgment, assuming it otherwise documented its good faith
effort, is not a violation of this Rule. Such reason for failure
simply may be, for example, that the individual refused to sign
the acknowledgment after being requested to do so. This provision
also is intended to allow covered health care providers flexibility
to deal with a variety of circumstances in which obtaining an acknowledgment
is problematic. In response to commenters' requests for examples
of good faith efforts, the Department intends to provide future
guidance on this and other modifications.
A covered entity is required by Sec. 164.530(j) to document compliance
with these provisions by retaining copies of any written acknowledgments
of receipt of the notice or, if not obtained, documentation of its
good faith efforts to obtain such written acknowledgment.
The Department was not persuaded by those commenters who urged
that the Department eliminate the proposed notice acknowledgment
requirements because of concerns about burden. The Department believes
that the final modification is simple and flexible enough so as
not to impose a significant burden on covered health care providers.
Covered entities are provided much discretion to design the notice
acknowledgment process that works best for their business. Further,
as described above, the Department believes that the notice acknowledgment
requirements are important in that they retain the important aspects
of the prior consent process that otherwise would be lost in the
final modifications.
In response to commenters' operational concerns about the proposed
notice acknowledgment requirements, the Department clarifies that
the modification as proposed and now adopted as final is intended
to be flexible enough to address the various types of relationships
that covered health care providers may have with the individuals
to whom they provide treatment, including those treatment situations
that are not face-to-face. For example, a health care provider whose
first treatment encounter with a patient is over the phone satisfies
the notice provision requirements of the Rule by mailing the notice
to the individual no later than the day of that service delivery.
To satisfy the requirement that the provider also make a good faith
effort to obtain the individual's acknowledgment of the notice,
the provider may include a tear-off sheet or other document with
the notice that requests such acknowledgment be mailed back to the
provider. The Department would not consider the health care provider
in violation of the Rule if the individual chooses not to mail back
an acknowledgment. The Department clarifies, however, that where
a health care provider's initial contact with the patient is simply
to schedule an appointment, the notice provision and acknowledgment
requirements may be satisfied at the time the individual arrives
at the provider's facility for his or her appointment. For service
provided electronically, the Department believes that, just as a
notice may be delivered electronically, a provider should be capable
of capturing the individual's acknowledgment of receipt electronically
in response to that transmission.
Finally, the Department does not agree with those commenters who
argued that the proposed notice acknowledgment requirements are
not an adequate alternative to the prior consent requirements, nor
with those who argued that the proposed acknowledgment process should
be strengthened if an individual's consent is no longer required.
The Department believes that the notice acknowledgment process retains
the important aspects of the consent process, such as creating an
opportunity for a discussion between the individual and the provider
of privacy issues, including the opportunity for the individual
to request restrictions on how her information may be used and disclosed
as permitted by Sec. 164.522.
Additionally, the Department believes that requiring certain health
care providers to obtain the individual's acknowledgment of receipt
of the notice, rather than make a good faith effort to do so, would
remove the flexibility of the standard and increase the burden substantially
on covered entities. Such a modification, therefore, would have
the potential to cause workability and operational problems similar
to those caused by the prior consent requirements. Prescribing the
form or content of the acknowledgment could have the same effect.
The Department believes that the notice acknowledgment process must
not negatively impact timely access to quality health care.
Also, the Department agrees that it will not be easy for every
individual to understand fully the information in the notice, and
acknowledges that the onus of ensuring that individuals have an
understanding of the notice should not be placed solely on health
care providers. The Rule ensures that individuals are provided with
a notice in plain language but leaves it to each individual's discretion
to review the notice and to initiate a discussion with the covered
entity about the use and disclosure of his or her health information
or the individual's rights. However, the Department continues to
believe strongly that promoting individuals' understanding of privacy
practices is an essential component of providing notice to individuals.
The Department anticipates that many stakeholders, including the
Department, covered entities, consumer organizations, health educators,
the mass media and journalists, and a host of other organizations
and individuals, will be involved in educating individuals about
privacy notices and practices.
Response to Other Public Comments
Comment: Several commenters requested clarification as to
whether a health care provider is required to obtain from individuals
a new acknowledgment of receipt of the notice if the facility changes
its privacy policy.
Response: The Department clarifies that this is not required.
To minimize burden on the covered direct treatment provider, the
final modification intends the obtaining of the individual's acknowledgment
to be consistent with the timing for provision of the notice to
the individual, that is, no later than the date of first service
delivery. Upon revision of the notice, the Privacy Rule requires
only that the direct treatment provider make the notice available
upon request on or after the effective date of the revision, and,
if he maintains a physical service delivery site, to post the revised
notice in a clear and prominent location in his facility. See Sec.
164.520(c)(2)(iii). As the Rule does not require a health care provider
to provide the revised notice directly to the individual, unless
requested by the individual, a new written acknowledgment is not
required at the time of revision of the notice.
Comment: A few commenters requested clarification as to
how the Department intended the notice acknowledgment process to
be implemented within an affiliated covered entity or an organized
health care arrangement (OHCA).
Response: The requirement for an individual's written acknowledgment
of the notice corresponds with the requirement that the notice be
provided to the individual by certain health care providers at first
service delivery, regardless of whether the notice itself is the
joint notice of an OHCA, the notice of an affiliated covered entity,
or the notice of one entity. With respect to an OHCA, the Privacy
Rule permits covered entities that participate in an OHCA to satisfy
the notice requirements through the use of a joint notice, provided
that the relevant conditions of Sec. 164.520(d) are met. Section
164.520(d)(3) further provides that provision of a joint notice
to an individual by any one of the covered entities included in
the joint notice satisfies the notice provision requirements at
Sec. 164.520(c) with respect to all others covered by the joint
notice. Thus, a health care provider with a direct treatment relationship
with an individual that is participating in an OHCA only need make
a good faith effort to obtain the individual's acknowledgment of
the joint notice if that provider is the covered entity within the
OHCA that is providing the joint notice to the individual. Where
the joint notice is provided to the individual by a participating
covered entity other than a provider with a direct treatment relationship
with the individual, no acknowledgment need be obtained. However,
covered entities that participate in an OHCA are not required to
utilize a joint notice and may maintain separate notices. In such
case, each covered health care provider with a direct treatment
relationship within the OHCA must make a good faith effort to obtain
the individual's acknowledgment of the notice he or she provides.
Similarly, an affiliated covered entity may have one single notice
that covers all of its affiliates. Thus, if the affiliated covered
entity's notice is provided to the individual by a health care provider
with which the individual has a direct treatment relationship, the
health care provider must make a good faith effort to obtain the
individual's acknowledgment of receipt of the notice. Alternatively,
where the affiliated entity's notice is provided to the individual
by a participating entity other than a provider with a direct treatment
relationship with the individual, no acknowledgment need be obtained.
However, as with the OHCA, the Department clarifies that covered
entities that are part of an affiliated covered entity may maintain
separate notices if they choose to do so; if they do so, each provider
with a direct treatment relationship with the individual must make
a good faith effort to obtain the individual's acknowledgment of
the notice he or she provides.
Comment: It was suggested that if a provider chooses to
obtain consent, the provider should not also be required to obtain
the individual's acknowledgment of the notice.
Response: For those covered entities that choose to obtain
consent, the Rule does not prescribe any details of the form or
manner in which the consent must be obtained. Given this discretion,
the Department does not believe that all consents will provide the
same benefits to the individual as those afforded by the notice
acknowledgment process. The Rule, therefore, does not relieve a
covered health care provider of his obligations with respect to
obtaining an individual's acknowledgment of the notice if that provider
also obtains the individual's consent. However, the Rule provides
those covered health care providers that choose to obtain consent
from an individual the discretion to design one form that includes
both a consent and the acknowledgment of receipt of the notice.
Comment: Some commenters asked that the Privacy Rule allow
the written acknowledgment of the notice to be obtained electronically
without regard to channel of delivery (electronically or on paper)
of the notice.
Response: Generally, the Privacy Rule allows for electronic
documents to qualify as written documents for purposes of meeting
the Rule's requirements. This also applies with respect to the notice
acknowledgment. For notice delivered electronically, the Department
intends a return receipt or other transmission from the individual
to suffice as the notice acknowledgment.
For notice delivered on paper in a face-to-face encounter with
the provider, although it is unclear to the Department how exactly
the provider may do so, the Rule does not preclude providers from
obtaining the individual's written acknowledgment electronically.
The Department cautions, however, that the notice acknowledgment
process is intended to alert individuals to the importance of the
notice and provide them the opportunity to discuss privacy issues
with their providers. To ensure that individuals are aware of the
importance of the notice, the Rule requires that the individual's
acknowledgment be in writing. Thus, the Department would not consider
a receptionist's notation in a computer system to be an individual's
written acknowledgment.
Comment: One commenter expressed concern that the Rule did
not define "emergency" as it applies to ambulance services
given the Rule's exceptions to the notice requirements for such
situations. This commenter also urged that the Rule's notice provisions
at Sec. 164.520(c)(2) with respect to emergency treatment situations
be expanded also to apply to non-emergency trips of ambulance providers.
The commenter explained that even in non-emergency circumstances,
patients, especially the elderly, often suffer from incapacitating
or stressful conditions when they need to be transferred by ambulance,
at which time it may not be effective or appropriate to provide
the notice and obtain the individual's acknowledgment of receipt
of the notice.
Response: During emergency treatment situations, the final
Rule at Sec. 164.520(c)(2)(i)(B) delays the requirement for provision
of the notice until reasonably practicable after the emergency situation,
and exempts health care providers from having to make a good faith
effort to obtain an individual's acknowledgment. As the provisions
are not intended to apply only to ambulance providers, the Department
does not believe that defining emergency with respect to such providers
is appropriate or necessary. Nor does the Department believe that
expanding these provisions to cover non-emergency trips of ambulance
providers is appropriate. The provisions are intended to provide
exceptions for those situations where providing the notice and obtaining
an individual's acknowledgment may not be feasible or practicable.
Where such extenuating circumstances do not exist, the Department
expects that covered health care providers are able to provide individuals
with a notice and make a good faith effort to obtain their acknowledgment
of receipt. Where an individual does not provide an acknowledgment,
the Rule requires only that the provider document his good faith
effort to obtain the acknowledgment.
Comment: A number of commenters requested clarification
on how to implement the "good faith" standard and urged
the Department to provide more specific guidance and examples. Some
commenters expressed concern over the perceived liability that would
arise from such a discretionary standard.
Response: Covered entities are provided much discretion
to implement the notice acknowledgment process as best suited to
their specific business practices. The standard is designed as a
"good faith effort" standard because the Department understands
that obtaining an individual's acknowledgment of the notice may
not always be feasible or practical, in spite of a covered entity's
efforts. Thus, the standard is intended to account for those difficult
situations, including where an individual simply refuses to provide
the written acknowledgment. Given the discretion covered health
care providers have in implementing these standards and the various
ways such providers interact with their patients, it is difficult
for the Department to provide specific guidance in this area that
is generally applicable to many covered health care providers. However,
the Department intends to provide future guidance through frequently
asked questions or other materials in response to specific scenarios
that are raised by industry.
With respect to commenters' concerns regarding potential liability,
the Department's position is that a failure by a covered entity
to obtain an individual's acknowledgment, assuming it otherwise
documented its good faith effort (as required by Sec. 164.520(c)(2)(ii)),
will not be considered a violation of this Rule.
Comment: Many commenters generally urged that the Department
modify the Rule to allow for a simpler, shorter, and, therefore,
more readable notice. Some of the commenters explained that a shorter
notice would assure that more individuals would take the time to
read and be able to understand the information. Others suggested
that a shorter notice would help to alleviate burden on the covered
entity. A number of these commenters suggested that the Department
allow for a shorter summary or 1-page notice to replace the prescriptive
notice required by the Privacy Rule. It was recommended that such
a notice could refer individuals to a more detailed notice, available
on request, or to an HHS web site, for additional information about
an individual's rights under the Privacy Rule. Others recommended
that the Department allow for a layered notice that contains: (1)
A short notice that briefly describes, for example, the entity's
principal uses and disclosures of an individual's health information,
as well as the individual's rights with respect to that information;
and (2) a longer notice, layered beneath the short notice, that
contains all the elements required by the Rule.
Certain other commenters urged that one way to make the notice
shorter, as well as to alleviate burden on the covered entity, would
be to eliminate the requirement that the notice explain the more
stringent State privacy laws. Commenters stated that companies that
operate in multiple States will have to develop and print up to
50 different notices, and then update and reissue those notices
whenever a material change is made to the State law. These commenters
recommended instead that the notice simply state that State law
may provide additional protections.
A few commenters urged that the Department provide a model notice
that covered entities could use in their implementation efforts.
Response: The Department does not modify the notice content
provisions at Sec. 164.520(b). The Department believes that the
elements required by Sec. 164.520(b) are important to fully inform
the individual of the covered entity's privacy practices, as well
as his or her rights. However, the Department agrees that such information
must be provided in a clear, concise, and easy to understand manner.
Therefore, the Department clarifies that covered entities may utilize
a "layered notice" to implement the Rule's provisions,
so long as the elements required by Sec. 164.520(b) are included
in the document that is provided to the individual. For example,
a covered entity may satisfy the notice provisions by providing
the individual with both a short notice that briefly summarizes
the individual's rights, as well as other information; and a longer
notice, layered beneath the short notice, that contains all the
elements required by the Privacy Rule. Covered entities, however,
while encouraged to use a layered notice, are not required to do
so. Nothing in the final modifications relieves a covered entity
of its duty to provide the entire notice in plain language so the
average reader can understand it. See Sec. 164.520(b)(1).
In response to comments regarding a model notice, it would be difficult
for the Department to develop a document that would be generally
useful to many different types of covered entities. A covered entity's
notice must reflect in sufficient detail the particular uses and
disclosures that entity may make. Such uses and disclosures likely
will be very different for each type of covered entity. Thus, a
uniform, model notice could not capture the wide variation in information
practices across covered entities. The Department intends, however,
to issue further general guidance to help covered entities implement
the notice provisions of the Rule.
Comment: A number of commenters also requested that the
Department lessen the burden associated with distributing the notice.
For example, some commenters asked that covered entities be permitted
to satisfy the notice provision requirements by posting the notice
at the facility or on a web site and by providing a copy only to
those consumers who request one, or by placing copies on display
where an interested consumer may take one.
Response: The Department's position is that making the notice
available to individuals, either on request, by posting it at a
facility or on a web site, or by placing copies on display, does
not substitute for physically providing the notice directly to individuals.
Adequate notice of privacy practices is a fundamental right afforded
individuals by the Rule. As such, the Department does not believe
that the burden of obtaining such information should be placed on
the individual. Covered entities are required to distribute the
notice in the manner described under Sec. 164.520(c).
Comment: A few commenters requested that the Department
make clear that no special mailings are required to provide individuals
with a covered entity's notice; rather, that the notice may be distributed
as part of other mailings or distributions by the covered entity.
For example, one commenter argued that the Rule should be flexible
enough to allow for notices to be included in a health plan's Summary
Plan Descriptions, Booklets, or an Enrollment Application. It was
argued that the notice would receive greater attention, be more
carefully reviewed and, thus, better understood if it were published
in materials known to be widely read by members.
Response: The Department clarifies that no special or separate
mailings are required to satisfy the notice distribution requirements.
The Privacy Rule provides covered entities with discretion in this
area. A health plan distributing its notice through the mail, in
accordance with Sec. 164.520(c)(1), may do so as part of another
mailing to the individual. In addition, a covered entity that provides
its notice to an individual by e-mail, in accordance with Sec. 164.520(c)(3),
may include additional materials in the e-mail. No separate e-mail
is required. However, the Privacy Rule at Sec. 164.508(b)(3) continues
to prohibit a covered entity from combining the notice in a single
document with an authorization.
Comment: Commenters also urged that the Rule permit, for
group products, a health plan to send its notice to the administrator
of the group product or the plan sponsor, who would then be responsible
for distributing the notice to each enrollee/employee. One commenter
claimed this distribution method is especially appropriate where
there is no regular communication with the covered individuals,
as in an employer-pay-all group medical or dental plan. According
to the commenter, providing the notice to the employer makes sense
because the employer picks the plan and should be aware of the plan's
privacy practices when doing so.
Response: The Privacy Rule requires a health plan to distribute
its notice to each individual covered by the plan. Health plans
may arrange to have another entity, or person, for example, a group
administrator or a plan sponsor, distribute the notice on their
behalf. However, the Department cautions that if such other entity
or person fails to distribute the notice to individuals, the health
plan would be in violation of the Rule.
Comment: Another commenter asked that the Department eliminate
the requirement that a covered entity must provide the notice to
every dependent, rather than just the head of the household. This
commenter argued that while it makes sense to provide the notice
to an emancipated minor or to a minor who pursuant to State law
has consented to treatment, it does not make sense to send the notice
to a 2-year old child.
Response: The Privacy Rule provides that a health plan may
satisfy the notice provision requirements by distributing the notice
to the named insured of a policy under which coverage is provided
to the named insured and one or more dependents. A health plan is
not required to distribute the notice to each dependent. See Sec.
164.520(c)(1)(iii).
Further, a covered health care provider with a direct treatment
relationship with the individual is required only to
provide the notice to the individual receiving treatment
at first service delivery. Where a parent brings a 2-year
old child in for treatment, the provider satisfies the
notice distribution requirements by providing the notice
only to the child's parent.