Final Rule for Standards for Privacy of Individually Identifiable Health Information: What the Rule Covers

Analysis by the AHIMA Policy and Government Relations Team


Uses and Disclosure of Protected Health Information: General Rules

Standard: General

DHHS takes an approach to privacy based on who may use protected health information (PHI), when, and under what circumstances it can and cannot be used or disclosed. To further clarify the Rule’s intent, it has been written as a series of standards. The standards for Use and Disclosure are presented here, for the most part, in the order they appear in the final rule. [65FR82805]

Permitted Use and Disclosure of Protected Health Information

The Rule indicates at section 164.502 a variety of situations in which a covered entity may use or disclose PHI, and it covers when a covered entity is required to disclose PHI. Each situation points to other sections of the Rule, which are cited throughout the situations explained below.

Standard: Minimum Necessary

[When] Minimum Necessary Applies
The Rule introduces the concept of minimum necessary as applied to the use, disclosure, and request for PHI. The Rule (§164.502(b)) states that "when using or disclosing PHI or when requesting PHI from another covered entity, a covered entity must make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request." [65FR82805 & 65FR82819]

{This was one of the items specifically addressed by AHIMA’s comments to DHHS. AHIMA members expressed concerns over requests for disclosure that typically asked for more PHI than was actually needed. It appears that this comment was heard.}

[When] Minimum Necessary Does Not Apply
The requirement for minimum necessary does not apply to:

  • Disclosure to or a request by a healthcare provider for treatment purposes.
  • Disclosures made in response to a request from the Secretary to investigate or determine the covered entity’s compliance.

Specification: Minimum Necessary Use Requirements
With respect to the uses of PHI, a covered entity must make reasonable efforts (§164.514) to identify:

  • Those persons or classes of persons, as appropriate, in its workforce who need access to PHI to carry out their duties;
  • (For each such person or class of persons) the category or categories of PHI to which access is needed and any conditions appropriate to such access.

Once such identification takes place, a covered entity is expected to make reasonable efforts to limit the access of such persons or classes identified with respect to the category or categories of the PHI.

{Significant concern was raised, especially by consumer groups, that too many persons had access to medical records and PHI. Who needs access, and why, varies from entity to entity. This part of the Privacy Rule will require coordination with the HIPAA security rules when they are released. Covered entities will have to look at all classes of employees, volunteers, and so forth and determine policies and procedures, and even computer access requirements, governing who may access which PHI and when. The Rule does not dictate who should have what access; that will vary by entity. Each entity, however, will have to document its decisions and will be expected to enforce its policies and procedures.}

Specification: Minimum Necessary Disclosures
Again, with respect to PHI, a covered entity (§164.514) is expected to:

  • Develop and implement reasonable "policies and procedures (which may be standard protocols) that limit the PHI disclosed on a routine and recurring basis to the amount reasonably necessary to achieve the purpose of the disclosure."
  • For disclosures that are not routine and recurring, develop reasonable "criteria designed to reasonably limit the items of PHI disclosed to accomplish the purpose for which disclosure is sought and review requests for disclosure on an individual basis in accordance with such criteria."

A covered entity is permitted to rely, if such reliance is reasonable under the circumstances, on a request as being for the minimum necessary information when:

  • "The information is requested by another covered entity;"
  • "The information is requested by a professional who is a member of its workforce or is a business associate of the covered entity for the purpose of providing professional services to the covered entity, if the professional represents that the information requested is the minimum necessary for the stated purpose(s);" or
  • "Documentation or representations that comply with the applicable requirements of" the Rule's research provisions (§164.512(i)) "have been provided by a person requesting the information for research purposes."

Specification: Minimum Necessary Requests
A covered entity (§164.514) must limit any request for PHI to that "which is reasonably necessary to accomplish the purpose for which the request is made, when requesting such information from other covered entities." When such a request is made on a "routine and recurring basis," a covered entity [in this case the requestor] must develop and implement policies and procedures ("which may be standard protocols") that "limit the PHI requested to the amount reasonably necessary to accomplish the purpose for which the request is made." When the request is not routine or recurring, the covered entity is expected to review each request "to determine that the PHI sought is limited to the information reasonably necessary to accomplish the purpose for which the request is made."

{Note that when PHI is exchanged between covered entities, it is the requestor that is given the responsibility of determining what is minimally necessary. This could affect the ongoing dialogue between health plans/payers and providers, which will not be resolved until most of the HIPAA electronic transactions are fully in use within the industry.}

Specification: Other Content Requirement
Finally, the Secretary reiterates that a "covered entity may not use, disclose or request an entire medical record, except when the entire medical record is specifically justified as the amount that is reasonably necessary to accomplish the purpose of the use, disclosure, or request."
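As an added illustration, not part of the AHIMA analysis or of the Rule itself, the following Python sketch shows one way the minimum necessary standard described above might be expressed as an access-control check that a covered entity could run on both the disclosing and the requesting side: the exemptions for treatment requests by a provider and for compliance requests from the Secretary, a standard protocol for routine and recurring disclosures, individual review for non-routine requests, the prohibition on disclosing or requesting an entire record without a specific justification, and a record of what was withheld so the decision is documented. The roles, purposes, PHI categories, protocols and the sample record are hypothetical assumptions constructed for the example.

```python
"""Illustrative minimum-necessary disclosure check (added example, not from the
Rule or AHIMA). Roles, PHI categories, protocols and the record are hypothetical."""
from dataclasses import dataclass
from typing import Optional

# Hypothetical PHI categories; a request for all of them is an "entire record" request.
ALL_CATEGORIES = frozenset(
    {"demographics", "diagnoses", "medications", "clinical_notes", "billing"}
)

# Constructed sample record, keyed by category.
SAMPLE_RECORD = {
    "demographics": {"name": "J. Doe", "dob": "1970-01-01"},
    "diagnoses": ["E11.9"],
    "medications": ["metformin 500 mg"],
    "clinical_notes": ["Follow-up in 3 months."],
    "billing": {"account": "ACCT-0001", "balance": 120.0},
}

# Hypothetical standard protocols for routine, recurring disclosures: for each
# (requester role, purpose), the categories the entity has decided are reasonably
# necessary. The Rule requires this policy to exist and be documented; it does not
# dictate its contents.
ROUTINE_PROTOCOLS = {
    ("billing_clerk", "payment"): frozenset({"demographics", "billing"}),
    ("utilization_reviewer", "health_care_operations"):
        frozenset({"demographics", "diagnoses", "medications"}),
}


@dataclass
class Request:
    requester_role: str
    purpose: str
    categories: frozenset                  # categories asked for
    routine: bool = True                   # routine and recurring, or one-off?
    individually_reviewed: bool = False    # non-routine requests need a documented review
    entire_record_justification: Optional[str] = None


@dataclass
class Decision:
    allowed: bool
    disclosed: dict
    reason: str
    withheld: frozenset = frozenset()      # categories requested but not disclosed


def _select(record: dict, categories: frozenset) -> dict:
    """Copy only the given categories out of the record."""
    return {c: record[c] for c in sorted(categories) if c in record}


def minimum_necessary_disclosure(record: dict, req: Request) -> Decision:
    """Decide what may be disclosed for `req`, and why, recording anything withheld."""
    requested = frozenset(req.categories)

    # Situations where the minimum necessary standard does not apply.
    if req.purpose == "treatment" and req.requester_role == "health_care_provider":
        return Decision(True, _select(record, requested),
                        "treatment request by a provider: standard does not apply")
    if req.purpose == "compliance_investigation" and req.requester_role == "hhs_secretary":
        return Decision(True, _select(record, requested),
                        "compliance request from the Secretary: standard does not apply")

    # An entire medical record may not be disclosed or requested unless specifically justified.
    if requested >= ALL_CATEGORIES and not req.entire_record_justification:
        return Decision(False, {}, "entire record requested without specific justification",
                        requested)

    if req.routine:
        # Routine and recurring: apply the standard protocol for this role and purpose.
        protocol = ROUTINE_PROTOCOLS.get((req.requester_role, req.purpose))
        if protocol is None:
            return Decision(False, {}, "no standard protocol for this routine request", requested)
        allowed = requested & protocol
        reason = "routine request limited to standard protocol"
    else:
        # Non-routine: each request is reviewed individually against the entity's criteria.
        if not req.individually_reviewed:
            return Decision(False, {}, "non-routine request pending individual review", requested)
        allowed = requested
        reason = "non-routine request approved on individual review"

    return Decision(True, _select(record, allowed), reason, requested - allowed)


if __name__ == "__main__":
    d = minimum_necessary_disclosure(
        SAMPLE_RECORD,
        Request("billing_clerk", "payment", frozenset({"demographics", "billing", "diagnoses"})),
    )
    print(d.reason, sorted(d.disclosed), sorted(d.withheld))
```

The point of the `withheld` field is the documentation obligation noted above: a billing clerk who routinely asks for diagnoses alongside demographics and billing data is trimmed to the standard protocol, and the trimmed categories are recorded with the reason, which is what an entity would need to show that its policy is being enforced rather than merely written down.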

{As we continue the discussion on use, disclosures, and requests, it is appropriate to cover two other elements that are in the Rule, "organized health care arrangement" and "payment."}

Organized Healthcare Arrangement

"Organized health care arrangement" is defined (§164.501) as meaning any of the following:

  • "A clinically integrated care setting in which individuals typically receive health care from more than one health care provider;

  • An organized system of health care in which more than one covered entity participates, and in which the participating covered entities:
    • Hold themselves out to the public as participating in a joint arrangement, and
    • Participate in joint activities that include at least one of the following:
      • Utilization review, in which health care decisions by participating covered entities are reviewed by other participating covered entities or by a third party on their behalf;
      • Quality assessment and improvement activities, in which treatment provided by participating covered entities is assessed by other participating covered entities or by a third party on their behalf; or
      • Payment activities, if the financial risk for delivering health care is shared in part or in whole by participating covered entities through the joint arrangement and if PHI created or received by a covered entity is reviewed by other participating covered entities or by a third party on their behalf for the purpose of administering the sharing of financial risk;

  • A group health plan and a health insurance issuer or HMO with respect to such group health plan, but only with respect to PHI created or received by such health insurance issuer or HMO that relates to individuals who are or who have been participants or beneficiaries in such group health plan;

  • A group health plan and one or more other group health plans, each of which are maintained by the same plan sponsor; or,

  • The group health plans described just above and health insurance issuers or HMOs with respect to such group health plans, but only with respect to PHI created or received by such health insurance issuers or HMOs that relates to individuals who are or have been participants or beneficiaries in any of such group health plans."

Payment

Payment means:

  • "The activities undertaken by a health plan to obtain premiums or to determine or fulfill its responsibility for coverage and provision of benefits under the health plan; or a covered health care provider or health plan to obtain or provide reimbursement for the provision of health care;" and

  • "The activities of these plans or providers related to the individual to whom health care is provided and including, but not limited to:
    • Determinations of eligibility or coverage (including coordination of benefits or the determination of cost-sharing amounts), and adjudication or subrogation of health benefit claims;
    • Risk adjusting amounts due based on enrollee health status and demographic characteristics;
    • Billing, claims management, collection activities, obtaining payment under a contract for reinsurance (including stop-loss insurance and excess of loss insurance), and related health care data processing;
    • Review of health care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges;
    • Utilization review activities, including precertification and preauthorization of services, concurrent and retrospective review of services; and
    • Disclosure to consumer reporting agencies of any of the following PHI relating to collection of premiums or reimbursement:
      • Name and address;
      • Date of birth;
      • Social security number;
      • Payment history;
      • Account number; and
      • Name and address of the health care provider and/or health plan."

Go to next section, Uses and Disclosures of De-Identified Protected Health Information.

Go to previous section, Preemption of State [and other] Law[s].
