Standards for Privacy of Individually Identifiable Health Information
B. Section 164.502--Uses and Disclosures of Protected Health Information: General Rules
1. Incidental Uses and Disclosures
December 2000 Privacy Rule
The December 2000 Rule did not explicitly address incidental uses
and disclosures of protected health information. Rather, the Privacy
Rule generally requires covered entities to make reasonable efforts
to limit the use or disclosure of, and requests for, protected health
information to the minimum necessary to accomplish the intended
purpose. See Sec. 164.502(b). Additionally, Sec. 164.530(c) of the
Privacy Rule requires covered entities to implement appropriate
administrative, technical, and physical safeguards to reasonably
safeguard protected health information from any intentional or unintentional
use or disclosure that violates the Rule.
March 2002 NPRM
After publication of the Privacy Rule, the Department received
a number of concerns and questions as to whether the Privacy Rule's
restrictions on uses and disclosures will prohibit covered entities
from engaging in certain common and essential health care communications
and practices in use today. In particular, concern was expressed
that the Privacy Rule establishes absolute, strict standards that
would not allow for the incidental or unintentional disclosures
that could occur as a by-product of engaging in these health care
communications and practices. It was argued that the Privacy Rule
would, in effect, prohibit such practices and, therefore, impede
many activities and communications essential to effective and timely
treatment of patients.
For example, some expressed concern that health care providers
could no longer engage in confidential conversations with other
providers or with patients, if there is a possibility that they
could be overheard. Similarly, others questioned whether they would
be prohibited from using sign-in sheets in waiting rooms or maintaining
patient charts at bedside, or whether they would need to isolate
X-ray lightboards or destroy empty prescription vials. These concerns
seemed to stem from a perception that covered entities are required
to prevent any incidental disclosure such as those that may occur
when a visiting family member or other person not authorized to
access protected health information happens to walk by medical equipment
or other material containing individually identifiable health information,
or when individuals in a waiting room sign their name on a log sheet
and glimpse the names of other patients.
The Department, in its July 6 guidance, clarified that the Privacy
Rule is not intended to impede customary and necessary health care
communications or practices, nor to require that all risk of incidental
use or disclosure be eliminated to satisfy its standards. The guidance
promised that the Department would propose modifications to the
Privacy Rule to clarify that such communications and practices may
continue, if reasonable safeguards are taken to minimize the chance
of incidental disclosure to others.
Accordingly, the Department proposed to modify the Privacy Rule
to add a new provision at Sec. 164.502(a)(1)(iii) which would explicitly
permit certain incidental uses and disclosures that occur as a result
of a use or disclosure otherwise permitted by the Privacy Rule.
The proposal described an incidental use or disclosure as a secondary
use or disclosure that cannot reasonably be prevented, is limited
in nature, and that occurs as a by-product of an otherwise permitted
use or disclosure. The Department proposed that an incidental use
or disclosure be permissible only to the extent that the covered
entity had applied reasonable safeguards as required by Sec. 164.530(c),
and implemented the minimum necessary standard, where applicable,
as required by Secs. 164.502(b) and 164.514(d).
Overview of Public Comments
The following discussion provides an overview of the public comment
received on this proposal. Additional comments received on this
issue are discussed below in the section entitled, "Response
to Other Public Comments."
The Department received many comments on its proposal to permit
certain incidental uses and disclosures, the majority of which expressed
strong support for the proposal. Many of these commenters indicated
that such a policy would help to ensure that essential health care
communications and practices are not chilled by the Privacy Rule.
A few commenters opposed the Department's proposal to permit certain
incidental uses and disclosures, one of whom asserted that the burden
on medical staff to take precautions not to be overheard is minimal
compared to the potential harm to patients if incidental disclosures
were to be considered permissible.
Final Modifications
In response to the overwhelming support of commenters on this proposal,
the Department adopts the proposed provision at Sec. 164.502(a)(1)(iii),
explicitly permitting certain incidental uses and disclosures that
occur as a by-product of a use or disclosure otherwise permitted
under the Privacy Rule. As in the proposal, an incidental use or
disclosure is permissible only to the extent that the covered entity
has applied reasonable safeguards as required by Sec. 164.530(c),
and implemented the minimum necessary standard, where applicable,
as required by Secs. 164.502(b) and 164.514(d). The Department continues
to believe, as was stated in the proposed Rule, that so long as
reasonable safeguards are employed, the burden of impeding such
communications is not outweighed by any benefits that may accrue
to individuals' privacy interests.
However, an incidental use or disclosure that occurs as a result
of a failure to apply reasonable safeguards or the minimum necessary
standard, where required, is not a permissible use or disclosure
and, therefore, is a violation of the Privacy Rule. For example,
a hospital that permits an employee to have unimpeded access to
patients' medical records, where such access is not necessary for
the employee to do her job, is not applying the minimum necessary
standard and, therefore, any incidental use or disclosure that results
from this practice would be an unlawful use or disclosure under
the Privacy Rule.
In response to the few comments that opposed the proposal to permit
certain incidental uses and disclosures, the Department reiterates
that the Privacy Rule must not impede essential health care communications
and practices. Prohibiting all incidental uses and disclosures would
have a chilling effect on normal and important communications among
providers, and between providers and their patients, and, therefore,
would negatively affect individuals' access to quality health care.
The Department does not intend with this provision to obviate the
need for medical staff to take precautions to avoid being overheard,
but rather, will only allow incidental uses and disclosures where
appropriate precautions have been taken.
The Department clarifies, in response to a comment, that this provision
applies, subject to reasonable safeguards and the minimum necessary
standard, to an incidental use or disclosure that occurs as a result
of any permissible use or disclosure under the Privacy Rule made
to any person, and not just to incidental uses and disclosures resulting
from treatment communications or only to communications among health
care providers or other medical staff. For example, a provider may
instruct an administrative staff member to bill a patient for a
particular procedure, and may be overheard by one or more persons
in the waiting room. Assuming that the provider made reasonable
efforts to avoid being overheard and reasonably limited the information
shared, an incidental disclosure resulting from such conversation
is permissible under the Rule.
In the proposal, the Department did not address whether or not
incidental disclosures would need to be included in the accounting
of disclosures required by Sec. 164.528. However, one commenter
urged the Department to exclude incidental disclosures from the
accounting. The Department agrees with this commenter and clarifies
that covered entities are not required to include incidental disclosures
in an accounting of disclosures provided to the individual pursuant
to Sec. 164.528. The Department does not believe such a requirement
would be practicable; in many instances, the covered entity may
not know that an incidental disclosure occurred. To make this policy
clear, the Department includes an explicit exception for such disclosures
to the accounting standard at Sec. 164.528(a)(1).
Response to Other Public Comments
Comment: One commenter expressed concern that the requirement
reasonably to safeguard protected health information would be problematic
because any unintended use or disclosure could arguably demonstrate
a failure to "reasonably safeguard." This commenter requested
that the Department either delete the language in Sec. 164.530(c)(2)(ii)
or modify the language to make clear that the fact that an incidental
use or disclosure occurs does not imply that safeguards were not
reasonable.
Response: The Department clarifies that the fact that an
incidental use or disclosure occurs does not by itself imply that
safeguards were not reasonable. However, the Department does not
believe that a modification to the proposed language is necessary
to express this intent. The language proposed and now adopted at
Sec. 164.530(c)(2)(ii) requires only that the covered entity reasonably
safeguard protected health information to limit incidental uses
or disclosures, not that the covered entity prevent all incidental
uses and disclosures. Thus, the Department expects that incidental
uses and disclosures will occur and permits such uses and disclosures
to the extent the covered entity has in place reasonable safeguards
and has applied the minimum necessary standard, where applicable.
Comment: Another commenter requested that the Department
clarify its proposal to assure that unintended disclosures will
not result in civil penalties.
Response: The Department's authority to impose civil monetary
penalties on violations of the Privacy Rule is defined in HIPAA.
Specifically, HIPAA added section 1176 to the Social Security Act,
which prescribes the Secretary's authority to impose civil monetary
penalties. Therefore, in the case of a violation of a disclosure
provision in the Privacy Rule, a penalty may not be imposed, among
other things, if the person liable for the penalty did not know
and, by exercising reasonable diligence would not have known, that
such person violated the provision. HIPAA also provides for criminal
penalties under certain circumstances, but the Department of Justice,
not this Department, has authority for criminal penalties.
Comment: One commenter requested that the Department clarify
how covered entities should implement technical and physical safeguards
when they do not yet know what safeguards the final Security Rule
will require.
Response: Each covered entity should assess the nature of
the protected health information it holds, and the nature and scope
of its business, and implement safeguards that are reasonable for
its particular circumstances. There should be no potential for conflict
between the safeguards required by the Privacy Rule and the final
Security Rule standards, for several reasons. First, while the Privacy
Rule applies to protected health information in all forms, the Security
Rule will apply only to electronic health information systems that
maintain or transmit individually identifiable health information.
Thus, all safeguards for protected health information in oral, written,
or other non-electronic forms will be unaffected by the Security
Rule. Second, in preparing the final Security Rule, the Department
is working to ensure the Security Rule requirements for electronic
information systems work "hand in glove" with any relevant
requirements in the Privacy Rule, including Sec. 164.530.
Comment: One commenter argued that while this new provision
is helpful, it does not alleviate covered entities' concerns that
routine practices, often beneficial for treatment, will be prohibited
by the Privacy Rule. This commenter stated that, for example, specialists
provide certain types of therapy to patients in a group setting,
and, in some cases, where family members are also present.
Response: The Department reiterates that the Privacy Rule
is not intended to impede common health care communications and
practices that are essential in providing health care to the individual.
Further, the Privacy Rule's new provision permitting certain incidental
uses and disclosures is intended to increase covered entities' confidence
that such practices can continue even where an incidental use or
disclosure may occur, provided that the covered entity has taken
reasonable precautions to safeguard and limit the protected health
information disclosed. For example, this provision should alleviate
concerns about common practices, such as the use of sign-in sheets
and calling out names in waiting rooms, by making clear that they do
not violate the Rule, so long as the information disclosed is appropriately
limited. With regard to the commenter's specific example, disclosure
of protected health information in a group therapy setting would be
a treatment disclosure, and thus permissible without individual authorization.
Further, Sec. 164.510(b) generally permits a covered entity to disclose
protected health information to a family member or other person
involved in the individual's care. In fact, this section specifically
provides that, where the individual is present during a disclosure,
the covered entity may disclose protected health information if
it is reasonable to infer from the circumstances that the individual
does not object to the disclosure. Absent countervailing circumstances,
the individual's agreement to participate in group therapy or family
discussions is a good basis for such a reasonable inference. As
such disclosures are permissible disclosures in and of themselves,
they would not be incidental disclosures.
Comment: Some commenters, while in support of permitting
incidental uses and disclosures, requested that the Department provide
additional guidance in this area by providing additional examples
of permitted incidental uses and disclosures and/or clarifying what
would constitute "reasonable safeguards."
Response: The reasonable safeguards and minimum necessary
standards are flexible and adaptable to the specific
business needs and circumstances of the covered entity.
Given the discretion covered entities have in implementing
these standards, it is difficult for the Department
to provide specific guidance in this area that is generally
applicable to many covered entities. However, the Department
intends to provide future guidance through frequently
asked questions or other materials in response to specific
scenarios that are raised by industry.