Final Rule for Standards for Privacy of Individually Identifiable Health Information. What the Rule Covers

Analysis by the AHIMA Policy and Government Relations Team

Uses and Disclosures of De-Identified Protected Health Information

Standard: Uses and Disclosures to Create De-Identified Information

The Rule (§164.502(c)) states "a covered entity may use PHI to create information that is not individually identifiable health information or disclose PHI only to a business associate for such purpose, whether or not the de-identified information is to by used by the covered entity." (65FR82806)

Uses and disclosures of De-Identified Information

"Health information that meets the standard and implementation specifications for de-identification [see below] is considered not to be individually identifiable health information" and is therefore "de-identified." "The requirements of this ..[Rule] not apply to information that has been de-identified," If however, there is the use of a code or other means to identify the information, the information is then considered covered by the Rule.

De-Identified Information

DHHS specifies (§164.514) how health information can be shared without an authorization when it discusses its standard for "de-identification of PHI under its "Other Requirements" section. [65FR82818]

Standard: De-Identification of PHI

"Health information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual is not individually identifiable health information."

Specification: Requirements for De-Identification of PHI

The Rule presents alternatives to ensure that information is de-identified. The first option (called a "safe harbor" in the preamble) is for the covered entity to strip the information of certain data listed in the rule including:

  • Names of the individual, and relatives, employers or household members of the individual

  • Geographic identifiers of the individual, et. al. including:
    • Subdivisions smaller than a state
    • Street addresses
    • City
    • County
    • Precinct

  • Zip code—at any level less than the initial three digits (e.g. NNNxx-xxxx). However, if the initial digits cover a geographical area of 20,000 or less people, then it has to be reported as 000.
  • "All elements of dates (except year) or dates directly related to an individual, including:
    • Birth date,
    • Admission date
    • Discharge dat
    • Date of death, and
    • All ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older."
  • Telephone numbers
  • Fax numbers
  • Electronic mail addresses
  • Social security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers and serials numbers, including license plate numbers
  • Device identifiers and serial numbers
  • Web Universal Resource Locators (URLs)
  • Internet Protocol (IO) address numbers
  • Biometric identifiers, including finger and voice prints
  • Full-face photographic images and any comparable images
  • Any other unique identifying number, characteristic, or code"

Once these data items are removed, the covered entity must also attest that it has "no actual knowledge" that the information could be used alone or in combination to identify a subject of the information.

In lieu of stripping off all these identifiers, the rule requires the covered entity to ensure or determine that health information is not identifiable, by requiring (§164.514(b)) that an expert, with appropriate knowledge and experience, applying generally accepted statistical and scientific principles and methods for rendering information not individually identifiable, make a determination that the [actual language at 65FR82818)] "risk is very small that the information [in question] could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information."

The covered entity will need to document the analysis and the results in case it must justify this determination. [see the preamble at 65FR82543 for additional information]

The covered entity can assign a code "or other means" ((§164.514 (c)) to de-identified information to allow for re-identification provided that:

  • (Derivation) "the code or other means of record identification is not derived from or related to information about the individual and is not otherwise capable of being translated to as to identify the individual."
  • (Security) "the covered entity does not use or disclose the code or other means of record identification for any other purpose, and does not disclose the mechanism for re-identification." [65FR82819]

{If an entity can de-identify its information subject to one or more of the alternatives above, then it is no longer PHI and not subject to the requirements of this rule. While these alternatives may not be easy, they need to be compared to the steps the entity must take to use PHI, especially if it is a situation that requires an authorization.}

Standard: Disclosures to Business Associates

The Rule (§164.502 (e)) indicates that "a covered entity may disclose PHI to a business associate and may allow a business associate to create or receive PHI on its behalf, if the covered entity obtains satisfactory assurance that the business associate will appropriately safeguard the information." (See Business Associate and Business Associate Contracts)

Specification: Documentation

The covered entity "must document the satisfactory assurances required…through a written contract or other written agreement or arrangement with the business associate that meets the requirements of" the Rules section on business associate contracts.

The Rule goes on to note that "a covered entity that violates the satisfactory assurances it provided as a business associate or another covered entity will be in noncompliance with" not only with the standards, implementation specifications, and requirements of the Rule, but also with the requirements related to business associate contracts [see below].

Rules Related to Individuals or Parties

{The Rule, at this point, discusses uses and disclosures of certain individual’s PHI to certain parties that are identified in other sections of the Rule and this commentary. Unless specific content were discussed, at this point we will only identify the individual situation and hold discussion until a more appropriate place.}

The rule notes the following individuals or parties in its discussion [at §164.502]:

  • Specification: Adults and emancipated minors—"If under applicable law a person has authority to act on behalf of an individual who is an adult or an emancipated minor in making decisions related to health care, a covered entity must treat such person as a personal representative under..[this Rule]..with respect to PHI relevant to such personal representation."
  • Specification: Unemancipated minors—"If under applicable law a parent, guardian, or other person acting in loco parentis has authority to act on behalf of an individual who is an unemancipated minor in making decisions related to health care, a covered entity must treat such person as a personal representative under this..[Rule], with respect to PHI relevant to such personal representation, except that such person may not be a personal representative of an unemancipated minor, and the minor has the authority to act as an individual, with respect to PHI pertaining to health care services if:
    • The minor consents to such health care service; no other consent to such health care services is required by law, regardless of whether the consent of another person has also been obtained; and the minor has not requested that such person be treated as the personal representative;
    • The minor may lawfully obtain such health care service without the consent of a parent, guardian, or other person acting in loco parentis, and the minor, a court, or another person authorized by law consents to such health care service; or
    • A parent, guardian, or other person acting in loco parentis assents to an agreement of confidentiality between a covered health care provider and the minor with respect to such health care service."
  • Specification: Deceased individuals—"If under applicable law an executor, administrator, or other person has authority to act on behalf of a deceased individual or of the individual’s estate, a covered entity must treat such person as a personal representative under this..[Rule], with respect to PHI relevant to such personal representation."
  • Specification: Abuse, neglect, endangerment situations—"Notwithstanding a State law or any requirement of this paragraph to the contrary, a covered entity may elect not to treat a person as the personal representative of an individual if:
    • the covered entity has a reasonable belief that the individual has been or may be subjected to domestic violence, abuse, or neglect by such person; or treating such person as the personal representative could endanger the individual; and
    • The covered entity, in the exercise of professional judgment, decides that it is not in the best interest of the individual to treat the person as the individual’s personal representative."

Standard: Uses and Disclosures Consistent with Notice

A covered entity that is required…to have a Notice may not use or disclose PHI in a manner inconsistent with such Notice. A covered entity that is required…to include a specific statement in its Notice, if it intends to engage in an activity listed in [the Notice requirements] may not disclose PHI for such activities, unless the required statement is included in the Notice.

Standard: Disclosures by Whistleblowers and Workforce Member Crime Victims

Disclosures by Whistleblowers
The Rule indicates (§164.502 (j)) that "a covered entity is not considered to have violated the requirements of..[the Rule] if a member of its workforce or a business associate discloses PHI, provided that:

  • The workforce member or business associate believes in good faith that the covered entity has engaged in conduct that is unlawful or otherwise violates professional or clinical standards, or that the care, services, or conditions provided by the covered entity potentially endangers one or more patients, workers, or the public; and

  • The disclosure is to:
    • A health oversight agency or public health authority authorized by law to investigate or otherwise oversee the relevant conduct or conditions of the covered entity or to an appropriate health care accreditation organization for the purpose of reporting the allegation of failure to meet professional standards or misconduct by the covered entity; or
    • An attorney retained by or on behalf of the workforce member or business associate for the purpose of determining the legal options of the workforce member or business associate with regard to the conduct under scrutiny."

Disclosures by Workforce Members Who Are Victims of a Crime
"A covered entity is not considered to have violated the requirements of..[this Rule]..if a member of its workforce who is the victim of a criminal act discloses PHI to a law enforcement official, provided that the PHI disclosed is about the suspected perpetrator of the criminal act and the PHI disclosed is limited to the Rules standard for release of information to law enforcement.

{This discussion is very much like some of the language in the Medicare compliance programs. Covered entities should note in policies, procedures, and training, the conditions noted above, the internal reporting mechanisms for handling problems, and the sanctions that will be applied if a member of the workforce does not comply with the Rule’s requirement (above). At this point, this is the only way the entity will have any control related to a workforce member’s activities. These same points and discussions should take place, when appropriate, with business associates as well.}

Go to next section, Uses and Disclosures: Organizational Requirements.

Go to previous section, Uses and Disclosure of Protected Health Information: General Rules .

Go to document index.