[Author’s Note: The following is the second of a two-part article focusing on issues in the disclosure of information under the HIPAA Privacy Rule. Part one discusses the history, purpose, and summary of the Privacy Rule; compliance deadlines and rule enforcement; applicability of the Privacy Rule; interaction of the Privacy Rule with other laws; and certain administrative requirements. Part two discusses the required notice of privacy practices; specific uses and disclosures of protected health information, with and without patient authorizations; and individual rights under the Privacy Rule.]

I. Uses and Disclosures of PHI.

Simply stated, the HIPAA1 Privacy Rule precludes the use or disclosure of Protected Health Information2 ("PHI") by a covered entity3, except as permitted under the Privacy Rule. 45 C.F.R. § 164.502(a). In turn, the Privacy Rule tends to allow relatively free use and disclosure of PHI to the extent necessary for the provision of health care, but erects numerous and detail-oriented barriers to the use of PHI for any other purpose. Id.

A. Notice of Privacy Practices.

First and foremost, HIPAA’s Privacy Rule grants to the individual a fundamental right to be informed of the privacy practices of his or her health care plan and, for the most part, of his or her health care provider. 45 C.F.R. § 164.520(a)(1). Specifically, the Privacy Rule provides that most covered entities shall provide to the individual a notice, in plain language, of the manner in which the covered entity may use and disclose the individual’s PHI; of the covered entity’s legal obligations with respect to the individual’s PHI, including a statement that the covered entity is required by law to maintain the privacy of the individual’s PHI; and of the individual’s rights with respect to the individual’s PHI.4 See 45 C.F.R. § 164.520(b). The various specific requirements for developing the content of the notice can be found at 45 C.F.R. § 164.520(b).

Most covered health plans were required to provide an initial notice of privacy practices to individuals then covered by the plan on or before April 14, 2003. 45 C.F.R. § 164.520(c)(1)(i)(A). Thereafter, a covered health plan must provide its notice of privacy practices to new enrollees at the time of enrollment; must provide any revised notice of privacy practices to individuals then covered by the plan within sixty days of any material revisions; and must further notify individuals then covered by the plan of the availability of the notice of privacy practices, and the method of obtaining such notice, at least once every three years. 45 C.F.R. §§ 164.520(c)(1)(i)(B-C); 164.520(c)(1)(ii). Small health care plans are not required to provide an initial notice of privacy practices until April 14, 2004. 45 C.F.R. § 164.520(c)(1)(i)(A).

Most health care providers must provide an initial notice of privacy practices to individuals no later than the date of the first service delivery after April 14, 2003; and, except in an emergency treatment situation, such providers must make a good faith effort to obtain the individual’s written acknowledgement of receipt of the notice. 45 C.F.R. §§ 164.520(c)(2)(i)(A); 164.520(c)(2)(ii). In an emergency treatment situation, the health care provider must provide the notice as soon as reasonably practicable. 45 C.F.R. § 164.520(c)(2)(i)(B).

If the health care provider’s first service delivery is tendered over the Internet, through e-mail, or through some other electronic format, the health care provider must send an electronic notice of privacy practices automatically and contemporaneously. 45 C.F.R. § 164.520(c)(3)(iii). In addition, the health care provider must make a good faith attempt to obtain a return receipt or other transmission from the individual acknowledging receipt of the privacy notice. Id.

A health care provider must also make its latest notice of privacy practices available at its office or facilities; must post the notice in a clear and prominent location in its office or facilities; and must permit individuals to take copies of its notice upon request. 45 C.F.R. §§ 164.520(c), 164.520(c)(2)(iii-iv).

Finally, a covered entity must make its notice available to any individual asking for such notice; must prominently post and make available its notice on any website maintained by the covered entity that provides information about its customer services or benefits; and may provide its notice through e-mail if the individual agrees to receive the notice through that medium. 45 C.F.R. §§ 164.520(c), 164.520(c)(3)(i-ii).

B. Use and Disclosure of PHI for Treatment, Payment, and Health Care Operations.

HIPAA’s Privacy Rule plainly recognizes that ready access to treatment and efficient payment for health care, both of which require use and disclosure of PHI, are essential to the effective operation of the health care system. The Privacy Rule also recognizes that certain health care operations, such as administrative, financial, legal, and quality improvement activities, conducted by or for covered entities, are essential to support treatment and payment. In fact, most individuals would expect that their PHI will be used and disclosed as necessary to treat and bill them, and, to some extent, to operate the covered entity’s business.

To avoid interference with individual access to quality health care or the efficient payment for such care, HIPAA’s Privacy Rule permits a covered entity to use and disclose PHI for treatment, payment, and other health care operations. 45 C.F.R. §§ 164.502(a)(1)(ii); 164.506(c)(1-5). Specifically, a covered entity may, without the individual’s valid authorization, usually:

  • use or disclose PHI for its own treatment, payment, and health care operations activities (45 C.F.R. § 164.506(c)(1));
  • disclose PHI for the treatment activities of any health care provider, including health care providers not covered by the Privacy Rule (45 C.F.R. § 164.506(c)(2));
  • disclose PHI to another covered entity or health care provider, including health care providers not covered by the Privacy Rule, for payment activities of the entity that receives the PHI (45 C.F.R. § 164.506(c)(3));
  • disclose PHI to another covered entity for certain health care operation activities of the entity that receives the PHI, if each entity has or had a relationship with the individual who is the subject of the PHI, the PHI pertains to the relationship, and the disclosure is for a quality-related health care operations activity or for the purpose of health care fraud and abuse detection and compliance (45 C.F.R. § 164.506(c)(4)(i-ii)); and
  • if participating in an organized health care arrangement ("OHCA"), disclose PHI to another entity that participates in the OHCA for any joint health care operations of the OHCA (45 C.F.R. § 164.506(c)(5)).

See 45 C.F.R. § 164.502(a)(1)(ii).

For purposes of this right of disclosure, treatment means the provision, coordination, or management of health care and related services; consultation between providers relating to an individual; or referral of an individual to another provider for health care. 45 C.F.R. § 164.501. Payment means activities undertaken to obtain or provide reimbursement for health care, including determinations of eligibility or coverage; billing; collections activities; medical necessity determinations; and utilization reviews. Id. Health care operations include functions such as quality assessment and improvement activities; reviewing competence or qualifications of health care professionals; conducting or arranging for medical review, legal services, or auditing functions; business planning and development; and general business and administrative activities. Id.

1. Consent.

A covered entity may, but is not required to, obtain an individual’s consent to the covered entity’s use and disclosure of the individual’s PHI for treatment, payment, and health care operations. See 45 C.F.R. § 164.506(a-b).

2. Notice.

Any use or disclosure of PHI must be consistent with the covered entity’s notice of privacy practices. 45 C.F.R. § 164.502(i).

C. Uses and Disclosure Permitted Without Authorization and Without Opportunity to Object.

Generally, a covered entity may not use or disclose PHI for any reason, other than treatment, payment, or health care operations, without a valid authorization from the individual associated with the PHI. Notwithstanding the foregoing general rule, HIPAA’s Privacy Rule does permit, and in some instances mandates, a covered entity’s use and disclosure of PHI, even in the absence of a valid authorization, for the following public purposes:

  • use and disclosure for health oversight activities (45 C.F.R. § 164.512(d)(1-4));
  • use and disclosure for public health activities (45 C.F.R. § 164.512(b)(1)(i-v));
  • use and disclosure relating to victims of abuse, neglect, or domestic violence (45 C.F.R. § 164.512(c)(1-2));
  • use and disclosure relating to judicial and administrative proceedings (45 C.F.R. § 164.512(e)(1)(i-iv));
  • use and disclosure for law enforcement purposes (45 C.F.R. § 164.512(f)(1-6));
  • use and disclosure to avert a serious threat to health or safety (45 C.F.R. § 164.512(j)(1-4));
  • use and disclosure for research purposes (45 C.F.R. § 164.512(i)(1)(i-iii));
  • use and disclosure about decedents (45 C.F.R. § 164.512(g)(1-2));
  • use and disclosure for organ, eye, or tissue donation (45 C.F.R. § 164.512(h));
  • use and disclosure for specialized government functions (45 C.F.R. § 164.512(k)(1-6));
  • disclosure for workers’ compensation (45 C.F.R. § 164.512(l)); and
  • use and disclosure required by law (45 C.F.R. § 164.512(a)(1)).

See also 45 C.F.R. § 164.502(a)(1)(i-vi).

D. Uses and Disclosures Permitted Without Authorization, But Subject to the Individual's Opportunity to Object.

In addition to the foregoing, HIPAA’s Privacy Rule also permits certain additional uses and disclosures of an individual’s PHI without the need for a valid authorization, but only subject to the individual’s opportunity to object to such uses and disclosures. 45 C.F.R. § 164.510. See also 45 C.F.R. § 164.502(a)(1)(v).

1. Facility Directories.

For example, covered health care providers may include patient information in their facility directories if, and generally only if, the health care provider informs incoming patients of its policies governing the directory, and gives patients a meaningful opportunity to opt-out of the directory listing or restrict its uses and disclosures.5 45 C.F.R. § 164.510(a)(1-2). Importantly, the health provider’s notice, and the individual’s opt-out or restriction, may be oral in this instance. Id.

In any event, and subject to the individual’s right to object, a covered health care provider may disclose the following information to persons who inquire about an individual by name: the individual’s general condition in terms that do not communicate specific medical information about the individual; and location in the facility. 45 C.F.R. § 164.510(a)(1)(i-ii). If the inquiring individual is a member of the clergy, the health care provider may, subject to the individual’s right to object, disclose the individual’s name; the individual’s general condition in terms that do not communicate specific medical information about the individual; location in the facility; and the individual’s religious affiliation. Id. Notably, the disclosure of information to the clergy is permitted even if they do not inquire about an individual by name. Id.

2. Other Persons.

Under HIPAA’s Privacy Rule, a covered entity may disclose PHI to a third person involved in the patient’s health care, without a valid written authorization, in certain situations. 45 C.F.R. § 164.510(b)(1).

First, when the patient is present and has the capacity to make his or her own decisions, a covered entity may disclose PHI to a third person involved in the patient’s health care, if the covered entity obtains the patient’s agreement to disclose to the third person; provides the patient an opportunity to object to such disclosure and the patient does not express an objection; or reasonably infers from the circumstances that the patient does not object to the disclosure. 45 C.F.R. § 164.510(b)(2)(i-iii). One example of this type of disclosure is when a patient brings a spouse into a doctor’s office when treatment is being discussed.

Second, when the patient is not present or the opportunity to agree or object to the use or disclosure cannot practicably be provided because of the individual’s incapacity or an emergency circumstance, the covered entity may, in the exercise of professional judgment, determine whether the disclosure is in the best interest of the individual, and, if so, disclose only the PHI that is directly relevant to the person’s involvement with the individual’s health care. 45 C.F.R. § 164.510(b)(3). Among other things, a covered entity may use such professional judgment, along with past experience, to make reasonable inferences of the individual’s best interest in allowing a person to act on behalf of the individual to pick up filled prescriptions, medical supplies, X-rays, and other PHI. Id.

Finally, a covered entity may notify family members, personal representatives, or other persons responsible for an individual’s care with respect to an individual’s location, condition, or death. 45 C.F.R. § 164.510(b)(1)(ii).

E. Individual Rights Governing Uses and Disclosures of PHI Under the Privacy Rule.

The Privacy Rule reflects an obvious and fundamental desire to involve the individual in his or her own health care, not only by providing to the individual notice of the manner in which the covered entity may use and disclose the individual’s PHI; but by permitting the individual the general right to access, and in some instances, amend records containing his or her PHI. 45 C.F.R. § 164.502(a)(1)(i).

1. Right of Access.

Under HIPAA’s Privacy Rule, an individual generally enjoys a right to access, inspect, and obtain a copy of his or her PHI, so long as such PHI is maintained by the covered entity in a designated record set. 45 C.F.R. §§ 164.524(a)(1)(i); 164.524(b)(1). See also 45 C.F.R. § 164.502(a)(2)(i). A record is defined as "any item, collection, or grouping of [PHI] maintained, collected, used, or disseminated by a covered entity." 45 C.F.R. § 164.501. In turn, a designated record set is defined as any group of records, used in whole or in part, by or for a covered entity making decisions about an individual. Id.

The covered entity may require that individuals make any requests for access in writing. 45 C.F.R. § 164.524(b)(1). The covered entity must act upon any request no later than thirty days after its receipt, or, in the event the requested PHI is not maintained or accessible to the covered entity on-site, sixty days. 45 C.F.R. § 164.524(b)(2)(i-iii). If the covered entity is unable to act on a request within the applicable period, the covered entity may extend the time for its response by no more than thirty days, by providing to the individual the reasons for delay and the date upon which the covered entity will complete its action on the request. 45 C.F.R. § 164.524(b)(2)(iii).

If the covered entity agrees to the request, then access, including the right to copy, shall be provided within a reasonable time. 45 C.F.R. §§ 164.524(c)(1), 164.524(c)(3). Generally, the covered entity must provide the individual access to the PHI in the form or format requested, if readily producible in such form or format. 45 C.F.R. § 164.524(c)(2)(i). Otherwise, the covered entity shall provide the PHI in a readable hard copy or as otherwise agreed. Id. The covered entity may impose a reasonable and cost-based fee for copying (including supplies and labor) and postage, and, if agreed to in advance, may impose preparation fees for any explanation or summary of the PHI. 45 C.F.R. § 164.524(c)(4)(i-iii).

Notwithstanding the general rule, HIPAA’s Privacy Rule explicitly denies individuals the right to access three types of PHI, even if maintained by a covered entity in a designated record set: psychotherapy notes; information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding; and certain PHI maintained by a covered entity that is subject to or exempted from the Clinical Laboratory Improvements Amendments of 1988. 45 C.F.R. § 164.524(a)(1)(i-iii).

In addition, a covered entity may deny an individual the right to access his or her PHI, without any right of review, if the PHI is exempted from the right of access as noted above or is exempted from the right of access by the Privacy Act; if, in the case of an inmate’s request for his or her PHI, the disclosure would jeopardize the health, safety, custody, or rehabilitation of the individual or other persons at the correctional institution or other persons responsible for the inmate; or if the PHI was obtained from someone other than a health care provider under a promise of confidentiality, and access would likely reveal the source of the information. 45 C.F.R. § 164.524(a)(2)(i-iv).

Finally, a covered entity may deny an individual the right to access his or her PHI, provided the individual is given a right to have such denial reviewed, if the access is reasonably likely to endanger the life or physical safety of the individual or other person; if the PHI refers to another person (not a health care provider) and its disclosure is reasonably likely to cause substantial harm to such other person; or, in the case where the information is requested by the individual’s representative, its disclosure is reasonably likely to cause substantial harm to the individual or some other person. 45 C.F.R. § 164.524(a)(3)(i-iii).

A covered entity shall provide notice of a denial of access in writing. 45 C.F.R. §§ 164.524(b)(2)(B); 164.524(d)(2)(i-iii). The writing shall be in plain language and must contain the basis for the denial; if applicable, the individual’s right to have the denial reviewed, including a description of how the individual may exercise such right; and a description of how the individual may complain to the covered entity. Id. If review of a denial is both permitted and requested, the covered entity shall promptly refer the request to review the original decision to the individual designated by the covered entity for such, and such reviewing official shall then determine, in a reasonable time, whether to permit access. 45 C.F.R. §§ 164.524(a)(4), 164.524(d)(4). The reviewing officer must not have participated in the original decision to deny access. 45 C.F.R. § 164.524(d)(4).

Notably, an individual’s right to access his or her own PHI is extremely broad. 45 C.F.R. § 164.524(d)(1). In fact, even a covered entity that does not maintain the requested PHI is required to inform the individual of where that PHI is located if the covered entity knows. 45 C.F.R. § 164.524(d)(3).

2. Right to Request Privacy Protections for PHI.

Under HIPAA’s Privacy Rule, individuals have the right to request restrictions on how a covered entity may use and disclose their PHI for treatment, payment, and health care operations; however, the covered entity is not required to agree to such requested restrictions. 45 C.F.R. 164.522(a)(i-ii). The covered entity will be required to document and comply with any restrictions to which it does agree. 45 C.F.R. 164.522(a)(iii), 164.522(a)(3).

3. Right to Request Confidential Communications.

Under HIPAA’s Privacy Rule, individuals may request that confidential communications from a covered entity be received at alternative locations or through alternative means. 45 C.F.R. 164.522(b)(1). A health care provider must accommodate such a request, if reasonable; and a health plan must accommodate such a request if the individual clearly states that not doing so would endanger him or her. Id.

4. Right to Amend.

Under HIPAA’s Privacy Rule, an individual may request that a covered entity amend the individual’s PHI maintained by the covered entity as part of a designated record set. 45 C.F.R. § 164.526(a)(1). Generally, the covered entity must act upon a request for amendment, i.e., accept or deny the request for amendment, within sixty days of receipt of the request. 45 C.F.R. § 164.526(b)(2). The covered entity may obtain one extension for up to thirty days, if it notifies the individual in writing of the reasons for delay and the date by which action will be taken. 45 C.F.R. § 164.526(b)(2)(ii)(A-B).

Moreover, if the covered entity has informed the individual in advance that any request for amendment must be in writing and must specify a reason for the requested amendment, then the time for the covered entity to act upon the request will not start running until the request for amendment complies with those requirements. 45 C.F.R. § 164.526(b)(1).

A covered entity may deny a request for amendment if the covered entity did not create the PHI or record that is subject to the request6; if the PHI that is subject to the request is not part of a designated record set or would not otherwise be available for inspection; or if the PHI is accurate and complete. 45 C.F.R. § 164.526(a)(2)(i-iv). Any denial of a requested amendment, in whole or in part, must be in writing and must inform the requesting individual of the basis for denial; how the individual may submit and file a written statement disagreeing with the denial; that the individual, in lieu of filing a written statement disagreeing with the denial, may require that the covered entity provide the individual’s request and the denial with all future disclosures of the PHI; and how the individual may make a complaint to both the covered entity and the DHHS. 45 C.F.R. § 164.526(d)(1)(i-iv). The covered entity may limit the length of the written statement disagreeing with the denial of the requested amendment, and may prepare a written statement in rebuttal. 45 C.F.R. § 164.526(d)(2-3).

If the covered entity accepts an individual’s request for amendment, then it must make the appropriate amendments. 45 C.F.R. § 164.526(c)(1). At a minimum, the covered entity must identify the affected records and must append the amendment or otherwise provide a link to the location of the amendment. Id. Moreover, the entity must provide a copy of the amendment to persons the individual identifies as having received PHI about the individual and having need of the amendment; and to persons, including business associates7, the covered entity knows have the unamended information and who may have relied, or could foreseeably rely, on such unamended information to the individual’s detriment. 45 C.F.R. § 164.526(c)(3)(i-ii).

Notably, the covered entity is never required to expunge PHI, but may do so if consistent with other applicable law and the covered entity’s record keeping practices.

If a covered entity is informed by another covered entity of an amendment to an individual’s PHI, it must amend the PHI in its designated record set as indicated above. 45 C.F.R. § 164.526(e).

5. Right to Accounting.

Under HIPAA’s Privacy Rule, an individual has a right to receive an accounting of the disclosures of his or her PHI made by a covered entity in the six years prior to the date on which the accounting is requested. 45 C.F.R. § 164.528(a)(1). However, the individual’s right to an accounting is limited to exceptional disclosures; no accounting is required for disclosures made for treatment, payment, or health care operations; made pursuant to an individual’s authorization; that are part of a facility directory or made to persons involved in the individual’s care; that are part of a limited data set; that are merely incidental to another permissible use or disclosure; that occurred prior to the compliance date for the covered entity; made for national security or intelligence purposes; or made to correctional institutions or law enforcement officials. 45 C.F.R. § 164.528(a)(1)(i-ix).

A covered entity must generally act on a request for an accounting within sixty days after receipt of the request, but may obtain one extension of thirty days if the covered entity provides the individual with a written statement of the reasons for delay and the date upon which the covered entity will provide the accounting. 45 C.F.R. § 164.528(c)(1)(i-ii). The covered entity must provide the first accounting to an individual in a twelve-month period without charge, but may impose a reasonable, cost-based fee for each subsequent request for an accounting by the same individual within the twelve-month period, provided the covered entity informs the individual in advance of the fee and provides the individual an opportunity to withdraw or modify the request for a subsequent accounting. 45 C.F.R. § 164.528(c)(2)(i-iv). The accounting must be in writing and provide to the individual the date of the disclosure; the identity and address of the recipient, if known; a brief description of the PHI disclosed; and a brief statement of the purpose of the disclosure. 45 C.F.R. § 164.528(b).

The covered entity must also retain a copy of any accounting provided, and must document the person or offices responsible for receiving and processing requests for accountings. 45 C.F.R. § 164.528(d).
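The accounting rules described above are concrete enough to implement as a filter over a disclosure log. The following is an added example, not code from the article; it assumes a constructed log format (the `Disclosure` record and the purpose labels are this example's own), applies the exemptions and the six-year look-back, and computes the sixty-day response deadline and the once-per-twelve-months free-accounting rule:

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Purposes excluded from the accounting (45 C.F.R. § 164.528(a)(1)).
# Labels are constructed for this example; a real system uses its own purpose codes.
EXEMPT_PURPOSES = {
    "treatment", "payment", "health_care_operations",   # TPO disclosures
    "authorization",                                    # made under the individual's authorization
    "facility_directory", "involved_in_care",           # § 164.510 disclosures
    "limited_data_set",
    "incidental",
    "national_security_or_intelligence",
    "correctional_or_law_enforcement",
}


@dataclass(frozen=True)
class Disclosure:
    disclosed_on: date
    recipient: str
    recipient_address: Optional[str]   # None when the address is not known
    phi_description: str
    purpose: str


def _years_before(d: date, years: int) -> date:
    """Same calendar day `years` earlier; a Feb 29 start falls back to Feb 28."""
    try:
        return d.replace(year=d.year - years)
    except ValueError:
        return d.replace(year=d.year - years, day=28)


def accounting_of_disclosures(log: List[Disclosure], requested_on: date,
                              compliance_date: date) -> List[Dict[str, str]]:
    """Return the accountable disclosures in the six years before the request,
    each with the four elements § 164.528(b) requires."""
    window_start = _years_before(requested_on, 6)
    rows = []
    for d in sorted(log, key=lambda x: x.disclosed_on):
        if d.purpose in EXEMPT_PURPOSES:
            continue
        if d.disclosed_on < compliance_date:            # pre-compliance-date disclosures are exempt
            continue
        if not (window_start <= d.disclosed_on <= requested_on):
            continue
        rows.append({
            "date": d.disclosed_on.isoformat(),
            "recipient": d.recipient,
            "address": d.recipient_address or "unknown",
            "phi": d.phi_description,
            "purpose": d.purpose,
        })
    return rows


def accounting_deadline(received_on: date, extension_notice_sent: bool = False) -> date:
    """Sixty days from receipt, plus one thirty-day extension if written notice was given."""
    deadline = received_on + timedelta(days=60)
    if extension_notice_sent:
        deadline += timedelta(days=30)
    return deadline


def fee_may_be_charged(accountings_in_prior_12_months: int, fee_notice_given: bool) -> bool:
    """First accounting in a twelve-month period is free; later ones may carry a
    cost-based fee only if the individual was told of it in advance."""
    return accountings_in_prior_12_months >= 1 and fee_notice_given


# Constructed sample log entries (not real disclosures).
SAMPLE_LOG = [
    Disclosure(date(2009, 6, 1), "State health department", "1 Capitol Sq, Anytown",
               "immunization record", "public_health"),
    Disclosure(date(2009, 7, 15), "Consulting specialist", None, "full chart", "treatment"),
    Disclosure(date(2005, 2, 2), "County court clerk", None, "visit dates 2004", "judicial_proceeding"),
    Disclosure(date(2004, 1, 5), "Medical examiner", "2 Court St", "cause-of-death summary", "decedent"),
    Disclosure(date(2003, 1, 10), "Health plan", "PO Box 9", "claim detail", "health_oversight"),
]


def run_demo() -> Dict[str, object]:
    """Accounting requested 2010-03-01 by an entity whose compliance date was 2003-04-14."""
    requested_on = date(2010, 3, 1)
    rows = accounting_of_disclosures(SAMPLE_LOG, requested_on, date(2003, 4, 14))
    return {
        "dates": [r["date"] for r in rows],                          # ['2005-02-02', '2009-06-01']
        "first_address": rows[0]["address"],                         # 'unknown'
        "deadline": accounting_deadline(requested_on).isoformat(),   # '2010-04-30'
        "extended": accounting_deadline(requested_on, True).isoformat(),  # '2010-05-30'
    }


if __name__ == "__main__":
    print(run_demo())
```

Of the five sample entries only two survive: the treatment disclosure is exempt, the 2004 entry falls outside the six-year window, and the 2003 entry predates the compliance date. Logging every disclosure with its purpose code at the time it is made is what makes this filter possible later; the exemptions can be applied at accounting time, but the underlying log must be complete.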

F. Uses and Disclosures by Authorization.

In all other instances of use and disclosure, a valid authorization is required under the Privacy Rule. 45 C.F.R. § 164.508(a)(1). See also 45 C.F.R. § 164.502(a)(1)(iv). The various specific requirements for developing the content of the authorization can be found at 45 C.F.R. § 164.508.

1. Marketing.

As a general rule, a covered entity must obtain the individual’s authorization before using his or her PHI for marketing. 45 C.F.R. § 164.508(a)(3)(i). Moreover, if the marketing involves direct or indirect remuneration to the covered entity from a third party, that authorization must state that such remuneration is involved. 45 C.F.R. § 164.508(a)(3)(ii). But, what is marketing under the HIPAA Privacy Rule?

Marketing is defined under the Privacy Rule as (i) "a communication about a product or service that encourages recipients of the communication to purchase or use the product or service;" or (ii) "[a]n arrangement between a covered entity and any other entity whereby the covered entity discloses [PHI] to the other entity, in exchange for direct or indirect remuneration, for the other entity or its affiliate to make a communication about its own product or service that encourages recipients of the communication to purchase or use that product or service." 45 C.F.R. § 164.501. The definition is not without its exceptions, however. See 45 C.F.R. § 164.501.

First, a communication is not marketing under the HIPAA Privacy Rule if it is made to describe a health-related product or service (or payment for such product or service) that is provided by, or in a plan of benefits of, the covered entity making the communication, including communications about the entities participating in a health care provider network or health plan network; replacement of, or enhancements to a health plan; and health-related products or services available only to a plan enrollee that add value to, but are not part of, a plan of benefits. 45 C.F.R. §§ 164.501. In essence, this exception to marketing permits communications by a covered entity about its own products or services. Id.

Second, a communication is not marketing under the HIPAA Privacy Rule if it is made for treatment of the individual. 45 C.F.R. §§ 164.501. For example, a pharmacy or other health care provider may mail prescription refill reminders to patients or contract with a mail house to do so. Or, a primary care physician may refer an individual to a specialist or provide free samples of a prescription drug.

Third, a communication is not marketing under the HIPAA Privacy Rule if it is made for case management or care coordination of the individual, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual. 45 C.F.R. § 164.501. For instance, a hospital worker may share PHI with various nursing homes in the course of recommending that a patient be transferred from a hospital bed to a nursing home.

To the extent that one of the exceptions to the definition of marketing applies, an authorization will not be required as such; however, the activity must still be otherwise permissible under the Privacy Rule.

In addition to the foregoing, a communication does not require an authorization, even if it is marketing, if it is in the form of a face-to-face communication made by the covered entity to an individual; or is a promotional gift of nominal value provided by the covered entity. 45 C.F.R. §§ 164.514(e)(2)(i)(A-B).

2. Psychotherapy Notes.

As an exception to the general rules relating to use and disclosure of PHI for purposes of treatment, payment, and health care operations, use and disclosure of psychotherapy notes, unless by the originator to carry out treatment, or by the covered entity for some other limited health care operations, always requires the individual’s authorization. See 45 C.F.R. 164.508(a)(2)(i-ii).

G. Incidental Disclosures.

Covered entities will not be liable under the HIPAA Privacy Rule for incidental disclosures of PHI, provided the covered entity utilizes reasonable safeguards to protect against such incidental disclosures. 45 C.F.R. § 164.502(a)(1)(iii).

II. Minimum Necessary Standard.

In return for granting the above described rights of use and disclosure with respect to PHI, HIPAA’s Privacy Rule mandates that the covered entity develop policies and procedures that reasonably limit its disclosures of, and requests for, PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request. 45 C.F.R. § 164.502(b)(1). See also 45 C.F.R. § 164.514(d)(1-5). Among other things, a covered entity is required to develop role-based policies and procedures that limit which members of its workforce8 may access PHI, based on those who need such access to do their jobs. 45 C.F.R. § 164.514(d)(2)(i-ii). Notably, covered entities are not required to apply the minimum necessary standard to disclosures to, or requests by, a health care provider for treatment purposes; disclosures to an individual of that individual’s own PHI; disclosures made pursuant to a valid authorization; or disclosures to the DHHS. 45 C.F.R. § 164.502(b)(2)(i-v).
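The role-based policy the minimum necessary standard calls for is, in engineering terms, a field-level projection applied to each PHI record before it is released. The following is an added example, not part of the article; the roles, the field names, the sample record and the purpose labels are all constructed for illustration, and the exempt purposes mirror the list in the paragraph above:

```python
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed role-based policy: the PHI fields each workforce role needs to do its job.
ROLE_FIELDS: Dict[str, FrozenSet[str]] = {
    "physician":     frozenset({"name", "dob", "diagnoses", "medications", "allergies", "insurance_id"}),
    "nurse":         frozenset({"name", "dob", "diagnoses", "medications", "allergies"}),
    "billing_clerk": frozenset({"name", "dob", "procedure_codes", "insurance_id"}),
    "receptionist":  frozenset({"name", "dob", "appointments"}),
}

# Purposes to which the minimum necessary standard does not apply (45 C.F.R. § 164.502(b)(2)).
# The labels are this example's own. An exempt purpose only lifts the minimum necessary
# limit; the disclosure itself must still be permitted under the Privacy Rule.
EXEMPT_PURPOSES = {
    "treatment_by_provider",   # disclosure to, or request by, a provider for treatment
    "individual_own_record",   # disclosure to the individual of his or her own PHI
    "authorization",           # disclosure made under a valid authorization
    "hhs_compliance",          # disclosure to the DHHS
}

# Constructed audit trail of what was released to whom; a real system would persist this.
RELEASE_LOG: List[Tuple[str, str, Tuple[str, ...]]] = []


class AccessDenied(Exception):
    """Raised when no policy grants the requesting role any access."""


def minimum_necessary(record: Dict[str, object], role: str, purpose: str) -> Dict[str, object]:
    """Return the subset of `record` the role may see for this purpose."""
    if purpose in EXEMPT_PURPOSES:
        released = dict(record)
    else:
        if role not in ROLE_FIELDS:
            raise AccessDenied(f"no minimum necessary policy for role {role!r}")
        allowed = ROLE_FIELDS[role]
        released = {field: value for field, value in record.items() if field in allowed}
    RELEASE_LOG.append((role, purpose, tuple(sorted(released))))
    return released


def withheld_fields(record: Dict[str, object], role: str, purpose: str) -> Set[str]:
    """Fields present in the record that the policy keeps back from this role and purpose."""
    return set(record) - set(minimum_necessary(record, role, purpose))


# Constructed sample record (fictitious data).
SAMPLE_RECORD = {
    "name": "Pat Example",
    "dob": "1970-01-01",
    "ssn": "000-00-0000",               # no role is granted this field by policy
    "diagnoses": ["J45.20"],
    "medications": ["albuterol"],
    "allergies": ["penicillin"],
    "procedure_codes": ["99213"],
    "insurance_id": "PLAN-12345",
    "appointments": ["2024-05-01 09:00"],
}


if __name__ == "__main__":
    # A billing clerk processing a claim sees no clinical detail and no SSN.
    print(sorted(minimum_necessary(SAMPLE_RECORD, "billing_clerk", "payment")))
    # A treating provider's request is exempt from the limit and receives the full record.
    print(sorted(minimum_necessary(SAMPLE_RECORD, "physician", "treatment_by_provider")))
```

Two design points are worth noting. The policy is a deny-by-default allowlist: a field that no role names (here `ssn`) is never released for a non-exempt purpose, so adding a new field to the record does not silently widen access. And every release, exempt or not, is written to the audit trail, which is the same record the accounting-of-disclosures machinery in section E.5 depends on.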

Endnotes

1 HIPAA refers to the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, 110 Stat. 1936 (1996). The history, purpose, and contents of both the Act and its Privacy Rule are discussed in part one of this two-part article.

2 For the reader’s convenience, key terms under the HIPAA Privacy Rule will appear in bold and italic font upon initial use in these materials. The term Protected Health Information is discussed in part one of this two-part article, and refers generally to individually identifiable health information. 42 U.S.C. § 1320d(6)(A-B); 45 C.F.R. § 164.501. In turn, individually identifiable health information is defined as that health information with respect to which there is some reasonable basis to believe that the information can be used to identify the individual. 42 U.S.C. § 1320d(6)(A-B); 45 C.F.R. §§ 160.103, 164.501.

3 HIPAA’s Privacy Rule applies only to a set of specifically covered entities: health plans; health care clearinghouses; and health care providers that transmit PHI in an electronic form and as part of a HIPAA standard transaction. 42 U.S.C. § 1320d-1(a)(1-3); 45 C.F.R. § 160.103. See also 45 C.F.R. § 164.500. The applicability of HIPAA’s Privacy Rule generally, and the applicability of the Privacy Rule to covered entities specifically, is discussed in part one of this two-part article.

4 HIPAA’s Privacy Rule does not require that the following covered entities develop a notice of privacy practices: a group health plan that provides benefits only through one or more contracts of insurance with health insurance issuers or health maintenance organizations, and that does not create or receive PHI, other than summary health information or enrollment or disenrollment information; a correctional institution that is a covered entity; and a health care clearinghouse, if the PHI created or received is as a business associate of another covered entity. 45 C.F.R. §§ 164.520(a)(2)(iii); 164.520(a)(3).

5 Directory disclosures are also permitted when the patient is incapacitated or in emergency treatment circumstances, even though the patient would not have any meaningful opportunity to opt-out of the directory listing or restrict its uses or disclosures in such a situation. 45 C.F.R. § 164.510(a)(3).

6 If the individual provides a reasonable basis to believe that the originator of the PHI is no longer available to act on the requested amendment, then the covered entity must address the request as though it had created the PHI. 45 C.F.R. § 164.526(a)(2)(i).

7 Under the HIPAA Privacy Rule, a business associate is a person or entity that performs functions or activities on behalf of, or provides services to, a covered entity involving the use or disclosure of PHI. 45 C.F.R. § 160.103. Business associates, and the correspondingly required business associate agreements, are discussed in part one of this two-part article.

8 Workforce means employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity. 45 C.F.R. § 160.103.

The content of this article is intended as a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.