Sec. 1171 through 1179 of the Social Security Act (42 U.S.C. 1320d-1320d-8), as added by sec. 262 of Pub. L. 104-191, 110 Stat. 2021-2031, and sec. 264 of Pub. L. 104-191 (42 U.S.C. 1320d-2(note)).
The requirements of this subchapter implement sections 1171 through 1179 of the Social Security Act (the Act), as added by section 262 of Public Law 104-191, and section 264 of Public Law 104-191.
(a) Except as otherwise provided, the standards, requirements, and implementation specifications adopted under this subchapter apply to the following entities:
(1) A health plan.
(2) A health care clearinghouse.
(3) A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter.
(b) To the extent required under section 201(a)(5) of the Health Insurance Portability Act of 1996, (Pub. L. 104-191), nothing in this subchapter shall be construed to diminish the authority of any Inspector General, including such authority as provided in the Inspector General Act of 1978, as amended (5 U.S.C. App.).
At 67 FR 53266, Aug. 14, 2002, in § 160.102, paragraph (b) was amended by removing the phrase “section 201(a)(5) of the Health Insurance Portability Act of 1996, (Pub. L. No. 104-191)” and adding in its place the phrase “the Social Security Act, 42 U.S.C. 1320a-7c(a)(5)”, effective Oct. 15, 2002.
Except as otherwise provided, the following definitions apply to this subchapter:
(i) On behalf of such covered entity or of an organized health care arrangement (as defined in § 164.501 of this subchapter) in which the covered entity participates, but other than in the capacity of a member of the workforce of such covered entity or arrangement, performs, or assists in the performance of:
(A) A function or activity involving the use or disclosure of individually identifiable health information, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and repricing; or
(B) Any other function or activity regulated by this subchapter; or
(ii) Provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial,
(2) A covered entity participating in an organized health care arrangement that performs a function or activity as described by paragraph (1)(i) of this definition for or on behalf of such organized health care arrangement, or that provides a service as described in paragraph (1)(ii) of this definition to or for such organized health care arrangement, does not, simply through the performance of such function or activity or the provision of such service, become a business associate of other covered entities participating in such organized health care arrangement.
(3) A covered entity may be a business associate of another covered entity.
(1) A health plan.
(2) A health care clearinghouse.
(3) A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter.
(1) 26 U.S.C. 6011(b), which is the portion of the Internal Revenue Code dealing with identifying the taxpayer in tax returns and statements, or corresponding provisions of prior law.
(2) 26 U.S.C. 6109, which is the portion of the Internal Revenue Code dealing with identifying numbers in tax returns, statements, and other required documents.
(1) Has 50 or more participants (as defined in section 3(7) of ERISA, 29 U.S.C. 1002(7)); or
(2) Is administered by an entity other than the employer that established and maintains the plan.
(1) Preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition, or functional status, of an individual or that affects the structure or function of the body; and
(2) Sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription.
(1) Processes or facilitates the processing of health information received from another entity in a nonstandard
(2) Receives a standard transaction from another entity and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving entity.
(1) Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and
(2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.
(1)
(i) A group health plan, as defined in this section.
(ii) A health insurance issuer, as defined in this section.
(iii) An HMO, as defined in this section.
(iv) Part A or Part B of the Medicare program under title XVIII of the Act.
(v) The Medicaid program under title XIX of the Act, 42 U.S.C. 1396,
(vi) An issuer of a Medicare supplemental policy (as defined in section 1882(g)(1) of the Act, 42 U.S.C. 1395ss(g)(1)).
(vii) An issuer of a long-term care policy, excluding a nursing home fixed-indemnity policy.
(viii) An employee welfare benefit plan or any other arrangement that is established or maintained for the purpose of offering or providing health benefits to the employees of two or more employers.
(ix) The health care program for active military personnel under title 10 of the United States Code.
(x) The veterans health care program under 38 U.S.C. chapter 17.
(xi) The Civilian Health and Medical Program of the Uniformed Services (CHAMPUS) (as defined in 10 U.S.C. 1072(4)).
(xii) The Indian Health Service program under the Indian Health Care Improvement Act, 25 U.S.C. 1601,
(xiii) The Federal Employees Health Benefits Program under 5 U.S.C. 8902,
(xiv) An approved State child health plan under title XXI of the Act, providing benefits for child health assistance that meet the requirements of section 2103 of the Act, 42 U.S.C. 1397,
(xv) The Medicare+Choice program under Part C of title XVIII of the Act, 42 U.S.C. 1395w-21 through 1395w-28.
(xvi) A high risk pool that is a mechanism established under State law to provide health insurance coverage or comparable coverage to eligible individuals.
(xvii) Any other individual or group plan, or combination of individual or group plans, that provides or pays for
(2)
(i) Any policy, plan, or program to the extent that it provides, or pays for the cost of, excepted benefits that are listed in section 2791(c)(1) of the PHS Act, 42 U.S.C. 300gg-91(c)(1); and
(ii) A government-funded program (other than one listed in paragraph (1)(i)-(xvi) of this definition):
(A) Whose principal purpose is other than providing, or paying the cost of, health care; or
(B) Whose principal activity is:
(1) The direct provision of health care to persons; or
(2) The making of grants to fund the direct provision of health care to persons.
(1) Describing the following information for products, systems, services or practices:
(i) Classification of components.
(ii) Specification of materials, performance, or operations; or
(iii) Delineation of procedures; or
(2) With respect to the privacy of individually identifiable health information.
(1) For a health plan established or regulated by Federal law, State has the meaning set forth in the applicable section of the United States Code for such health plan.
(2) For all other purposes,
(1) Health care claims or equivalent encounter information.
(2) Health care payment and remittance advice.
(3) Coordination of benefits.
(4) Health care claim status.
(5) Enrollment and disenrollment in a health plan.
(6) Eligibility for a health plan.
(7) Health plan premium payments.
(8) Referral certification and authorization.
(9) First report of injury.
(10) Health claims attachments.
(11) Other transactions that the Secretary may prescribe by regulation.
At 67 FR 53266, Aug. 14, 2002, in § 160.103, add the definition of “individually identifiable health information”, effective Oct. 15, 2002. For the convenience of the user, the added text is set forth as follows:
(1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
(2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
(i) That identifies the individual; or
(ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual.
(a) Except as provided in paragraph (b) of this section, the Secretary may adopt a modification to a standard or implementation specification adopted under this subchapter no more frequently than once every 12 months.
(b) The Secretary may adopt a modification at any time during the first year after the standard or implementation specification is initially adopted, if the Secretary determines that the modification is necessary to permit compliance with the standard or implementation specification.
(c) The Secretary will establish the compliance date for any standard or implementation specification modified under this section.
(1) The compliance date for a modification is no earlier than 180 days after the effective date of the final rule in which the Secretary adopts the modification.
(2) The Secretary may consider the extent of the modification and the time needed to comply with the modification in determining the compliance date for the modification.
(3) The Secretary may extend the compliance date for small health plans, as the Secretary determines is appropriate.
The provisions of this subpart implement section 1178 of the Act, as added by section 262 of Public Law 104-191.
For purposes of this subpart, the following terms have the following meanings:
(1) A covered entity would find it impossible to comply with both the State and federal requirements; or
(2) The provision of State law stands as an obstacle to the accomplishment and execution of the full purposes and objectives of part C of title XI of the Act or section 264 of Pub. L. 104-191, as applicable.
(1) With respect to a use or disclosure, the law prohibits or restricts a use or disclosure in circumstances under which such use or disclosure otherwise would be permitted under this subchapter, except if the disclosure is:
(i) Required by the Secretary in connection with determining whether a covered entity is in compliance with this subchapter; or
(ii) To the individual who is the subject of the individually identifiable health information.
(2) With respect to the rights of an individual who is the subject of the individually identifiable health information of access to or amendment of individually identifiable health information, permits greater rights of access or amendment, as applicable; provided that, nothing in this subchapter may be construed to preempt any State law to the extent that it authorizes or prohibits disclosure of protected health information about a minor to a parent,
(3) With respect to information to be provided to an individual who is the subject of the individually identifiable health information about a use, a disclosure, rights, and remedies, provides the greater amount of information.
(4) With respect to the form or substance of an authorization or consent for use or disclosure of individually identifiable health information, provides requirements that narrow the scope or duration, increase the privacy protections afforded (such as by expanding the criteria for), or reduce the coercive effect of the circumstances surrounding the authorization or consent, as applicable.
(5) With respect to recordkeeping or requirements relating to accounting of disclosures, provides for the retention or reporting of more detailed information or for a longer duration.
(6) With respect to any other matter, provides greater privacy protection for the individual who is the subject of the individually identifiable health information.
At 67 FR 53266, Aug. 14, 2002, in § 160.202, revise paragraphs (2) and (4) of the definition of “more stringent”, effective Oct. 15, 2002. For the convenience of the user, the revised text is set forth as follows:
(2) With respect to the rights of an individual, who is the subject of the individually identifiable health information, regarding access to or amendment of individually identifiable health information, permits greater rights of access or amendment, as applicable.
(4) With respect to the form, substance, or the need for express legal permission from an individual, who is the subject of the individually identifiable health information, for use or disclosure of individually identifiable health information, provides requirements that narrow the scope or duration, increase the privacy protections afforded (such as by expanding the criteria for), or reduce the coercive effect of the circumstances surrounding the express legal permission, as applicable.
A standard, requirement, or implementation specification adopted under this subchapter that is contrary to a provision of State law preempts the provision of State law. This general rule applies, except if one or more of the following conditions is met:
(a) A determination is made by the Secretary under § 160.204 that the provision of State law:
(1) Is necessary:
(i) To prevent fraud and abuse related to the provision of or payment for health care;
(ii) To ensure appropriate State regulation of insurance and health plans to the extent expressly authorized by statute or regulation;
(iii) For State reporting on health care delivery or costs; or
(iv) For purposes of serving a compelling need related to public health, safety, or welfare, and, if a standard, requirement, or implementation specification under part 164 of this subchapter is at issue, if the Secretary determines that the intrusion into privacy is warranted when balanced against the need to be served; or
(2) Has as its principal purpose the regulation of the manufacture, registration, distribution, dispensing, or other control of any controlled substances (as defined in 21 U.S.C. 802), or that is deemed a controlled substance by State law.
(b) The provision of State law relates to the privacy of health information and is more stringent than a standard, requirement, or implementation specification adopted under subpart E of part 164 of this subchapter.
(c) The provision of State law, including State procedures established
(d) The provision of State law requires a health plan to report, or to provide access to, information for the purpose of management audits, financial audits, program monitoring and evaluation, or the licensure or certification of facilities or individuals.
At 67 FR 53266, Aug. 14, 2002, in § 160.203, paragraph (b) was amended by adding the words “individually identifiable” before “health”, effective Oct. 15, 2002.
(a) A request to except a provision of State law from preemption under § 160.203(a) may be submitted to the Secretary. A request by a State must be submitted through its chief elected official, or his or her designee. The request must be in writing and include the following information:
(1) The State law for which the exception is requested;
(2) The particular standard, requirement, or implementation specification for which the exception is requested;
(3) The part of the standard or other provision that will not be implemented based on the exception or the additional data to be collected based on the exception, as appropriate;
(4) How health care providers, health plans, and other entities would be affected by the exception;
(5) The reasons why the State law should not be preempted by the federal standard, requirement, or implementation specification, including how the State law meets one or more of the criteria at § 160.203(a); and
(6) Any other information the Secretary may request in order to make the determination.
(b) Requests for exception under this section must be submitted to the Secretary at an address that will be published in the
(c) The Secretary's determination under this section will be made on the basis of the extent to which the information provided and other factors demonstrate that one or more of the criteria at § 160.203(a) has been met.
An exception granted under this subpart remains in effect until:
(a) Either the State law or the federal standard, requirement, or implementation specification that provided the basis for the exception is materially changed such that the ground for the exception no longer exists; or
(b) The Secretary revokes the exception, based on a determination that the ground supporting the need for the exception no longer exists.
This subpart applies to actions by the Secretary, covered entities, and others with respect to ascertaining the compliance by covered entities with and the enforcement of the applicable requirements of this part 160 and the applicable standards, requirements, and implementation specifications of subpart E of part 164 of this subchapter.
As used in this subpart, terms defined in § 164.501 of this subchapter have the same meanings given to them in that section.
(a)
(b)
(a)
(b)
(1) A complaint must be filed in writing, either on paper or electronically.
(2) A complaint must name the entity that is the subject of the complaint and describe the acts or omissions believed to be in violation of the applicable requirements of this part 160 or the applicable standards, requirements, and implementation specifications of subpart E of part 164 of this subchapter.
(3) A complaint must be filed within 180 days of when the complainant knew or should have known that the act or omission complained of occurred, unless this time limit is waived by the Secretary for good cause shown.
(4) The Secretary may prescribe additional procedures for the filing of complaints, as well as the place and manner of filing, by notice in the
(c)
The Secretary may conduct compliance reviews to determine whether covered entities are complying with the applicable requirements of this part 160 and the applicable standards, requirements, and implementation specifications of subpart E of part 164 of this subchapter.
(a)
(b)
(c)
(2) If any information required of a covered entity under this section is in the exclusive possession of any other agency, institution, or person and the other agency, institution, or person fails or refuses to furnish the information, the covered entity must so certify and set forth what efforts it has made to obtain the information.
(3) Protected health information obtained by the Secretary in connection
(a)
(2) If the Secretary finds the covered entity is not in compliance and determines that the matter cannot be resolved by informal means, the Secretary may issue to the covered entity and, if the matter arose from a complaint, to the complainant written findings documenting the non-compliance.
(b)
Secs. 1171 through 1179 of the Social Security Act (42 U.S.C. 1320d—1320d-8), as added by sec. 262 of Pub. L. 104-191, 110 Stat. 2021-2031, and sec. 264 of Pub. L. 104-191, 110 Stat. 2033-2034 (42 U.S.C. 1320d-2 (note)).
Covered entities (as defined in § 160.103 of this subchapter) must comply with the applicable requirements of this part.
For purposes of this part, the following definitions apply:
(a)
(b)
(1)
(2)
(c)
The Secretary adopts the EIN as the standard unique employer identifier provided for by 42 U.S.C. 1320d-2(b).
(a) The standard unique employer identifier of an employer of a particular employee is the EIN that appears on that employee's IRS Form W-2, Wage and Tax Statement, from the employer.
(b) A covered entity must use the standard unique employer identifier (EIN) of the appropriate employer in standard transactions that require an employer identifier to identify a person or entity as an employer, including where situationally required.
(a)
(b)
(1)
(2)
(c)
(a)
(i) Maintain standards adopted under this subchapter.
(ii) Receive and process requests for adopting a new standard or modifying an adopted standard.
(2) The Secretary designates a DSMO by notice in the
(b)
(c)
(1) Open public access.
(2) Coordination with other DSMOs.
(3) An appeals process for each of the following, if dissatisfied with the decision on the request:
(i) The requestor of the proposed modification.
(ii) A DSMO that participated in the review and analysis of the request for the proposed modification, or the proposed new standard.
(4) Expedited process to address content needs identified within the industry, if appropriate.
(5) Submission of the recommendation to the National Committee on Vital and Health Statistics (NCVHS).
A covered entity must not enter into a trading partner agreement that would do any of the following:
(a) Change the definition, data condition, or use of a data element or segment in a standard.
(b) Add any data elements or segments to the maximum defined data set.
(c) Use any code or data elements that are either marked “not used” in the standard's implementation specification or are not in the standard's implementation specification(s).
(d) Change the meaning or intent of the standard's implementation specification(s).
(a)
(1)
(i) The ASC X12N 837—Health Care Claim: Dental, Version 4010, May 2000, Washington Publishing Company, 004010X097, as referenced in §§ 162.1102 and 162.1802.
(ii) The ASC X12N 837—Health Care Claim: Professional, Volumes 1 and 2, Version 4010, May 2000, Washington Publishing Company, 004010X098, as referenced in §§ 162.1102 and 162.1802.
(iii) The ASC X12N 837—Health Care Claim: Institutional, Volumes 1 and 2, Version 4010, May 2000, Washington Publishing Company, 004010X096, as referenced in §§ 162.1102 and 162.1802.
(iv) The ASC X12N 270/271—Health Care Eligibility Benefit Inquiry and Response, Version 4010, May 2000, Washington Publishing Company, 004010X092, as referenced in § 162.1202.
(v) The ASC X12N 278—Health Care Services Review—Request for Review and Response, Version 4010, May 2000, Washington Publishing Company, 004010X094, as referenced in § 162.1302.
(vi) The ASC X12N 276/277 Health Care Claim Status Request and Response, Version 4010, May 2000, Washington Publishing Company, 004010X093, as referenced in § 162.1402.
(vii) The ASC X12N 834—Benefit Enrollment and Maintenance, Version 4010, May 2000, Washington Publishing Company, 004010X095, as referenced in § 162.1502.
(viii) The ASC X12N 835—Health Care Claim Payment/Advice, Version 4010, May 2000, Washington Publishing Company, 004010X091, as referenced in § 162.1602.
(ix) The ASC X12N 820—Payroll Deducted and Other Group Premium Payment for Insurance Products, Version 4010, May 2000, Washington Publishing Company, 004010X061, as referenced in § 162.1702.
(2)
(i) The Telecommunication Standard Implementation Guide, Version 5 Release 1, September 1999, National Council for Prescription Drug Programs, as referenced in §§ 162.1102, 162.1202, 162.1602, and 162.1802.
(ii) The Batch Standard Batch Implementation Guide, Version 1 Release 0, February 1, 1996, National Council for Prescription Drug Programs, as referenced in §§ 162.1102, 162.1202, 162.1602, and 162.1802.
(b)
(a)
(b)
(c)
(1) Comply with all applicable requirements of this part.
(2) Require any agent or subcontractor to comply with all applicable requirements of this part.
(a)
(2) A health plan may not delay or reject a transaction, or attempt to adversely affect the other entity or the transaction, because the transaction is a standard transaction.
(3) A health plan may not reject a standard transaction on the basis that it contains data elements not needed or used by the health plan (for example, coordination of benefits information).
(4) A health plan may not offer an incentive for a health care provider to conduct a transaction covered by this part as a transaction described under the exception provided for in § 162.923(b).
(5) A health plan that operates as a health care clearinghouse, or requires an entity to use a health care clearinghouse to receive, process, or transmit a standard transaction may not charge fees or costs in excess of the fees or costs for normal telecommunications that the entity incurs when it directly transmits, or receives, a standard transaction to, or from, a health plan.
(b)
(c)
(1) Accept and promptly process any standard transaction that contains codes that are valid, as provided in subpart J of this part.
(2) Keep code sets for the current billing period and appeals periods still open to processing under the terms of the health plan's coverage.
When acting as a business associate for another covered entity, a health care clearinghouse may perform the following functions:
(a) Receive a standard transaction on behalf of the covered entity and translate it into a nonstandard transaction (for example, nonstandard format and/or nonstandard data content) for transmission to the covered entity.
(b) Receive a nonstandard transaction (for example, nonstandard format and/or nonstandard data content) from the covered entity and translate it into a standard transaction for transmission on behalf of the covered entity.
(a)
(1)
(i) Improve the efficiency and effectiveness of the health care system by leading to cost reductions for, or improvements in benefits from, electronic health care transactions.
(ii) Meet the needs of the health data standards user community, particularly health care providers, health plans, and health care clearinghouses.
(iii) Be uniform and consistent with the other standards adopted under this part and, as appropriate, with other private and public sector health data standards.
(iv) Have low additional development and implementation costs relative to the benefits of using the standard.
(v) Be supported by an ANSI-accredited SSO or other private or public organization that would maintain the standard over time.
(vi) Have timely development, testing, implementation, and updating procedures to achieve administrative simplification benefits faster.
(vii) Be technologically independent of the computer platforms and transmission protocols used in electronic health transactions, unless they are explicitly part of the standard.
(viii) Be precise, unambiguous, and as simple as possible.
(ix) Result in minimum data collection and paperwork burdens on users.
(x) Incorporate flexibility to adapt more easily to changes in the health care infrastructure (such as new services, organizations, and provider types) and information technology.
(2)
(3)
(4)
(b)
(1) An assessment of whether the proposed modification demonstrates a significant improvement to the current standard.
(2) The extent and length of time of the exception.
(3) Consultations with DSMOs.
(c)
(1)
(i) The length of time for which the exception applies.
(ii) The trading partners and geographical areas the Secretary approves for testing.
(iii) Any other conditions for approving the exception.
(2)
(d)
(e)
When conducting a transaction covered by this part, a covered entity must meet the following requirements:
(a)
(b)
The Secretary adopts the following code set maintaining organization's code sets as the standard medical data code sets:
(a)
(1) Diseases.
(2) Injuries.
(3) Impairments.
(4) Other health problems and their manifestations.
(5) Causes of injury, disease, impairment, or other health problems.
(b)
(1) Prevention.
(2) Diagnosis.
(3) Treatment.
(4) Management.
(c)
(1) Drugs.
(2) Biologics.
(d)
(e) The combination of
(1) Physician services.
(2) Physical and occupational therapy services.
(3) Radiologic procedures.
(4) Clinical laboratory tests.
(5) Other medical diagnostic procedures.
(6) Hearing and vision services.
(7) Transportation services including ambulance.
(f) The
(1) Medical supplies.
(2) Orthotic and prosthetic devices.
(3) Durable medical equipment.
Each code set is valid within the dates specified by the organization responsible for maintaining that code set.
The health care claims or equivalent encounter information transaction is the transmission of either of the following:
(a) A request to obtain payment, and the necessary accompanying information from a health care provider to a health plan, for health care.
(b) If there is no direct claim, because the reimbursement contract is based on a mechanism other than charges or reimbursement rates for specific services, the transaction is the transmission of encounter information for the purpose of reporting health care.
The Secretary adopts the following standards for the health care claims or equivalent encounter information transaction:
(a)
(b)
(c)
(d)
The eligibility for a health plan transaction is the transmission of either of the following:
(a) An inquiry from a health care provider to a health plan, or from one health plan to another health plan, to obtain any of the following information about a benefit plan for an enrollee:
(1) Eligibility to receive health care under the health plan.
(2) Coverage of health care under the health plan.
(3) Benefits associated with the benefit plan.
(b) A response from a health plan to a health care provider's (or another health plan's) inquiry described in paragraph (a) of this section.
The Secretary adopts the following standards for the eligibility for a health plan transaction:
(a)
(b)
The referral certification and authorization transaction is any of the following transmissions:
(a) A request for the review of health care to obtain an authorization for the health care.
(b) A request to obtain authorization for referring an individual to another health care provider.
(c) A response to a request described in paragraph (a) or paragraph (b) of this section.
The Secretary adopts the ASC X12N 278—Health Care Services Review—Request for Review and Response, Version 4010, May 2000, Washington Publishing Company, 004010X094 as the standard for the referral certification and authorization transaction. The implementation specification is available at the addresses specified in § 162.920(a)(1).
A health care claim status transaction is the transmission of either of the following:
(a) An inquiry to determine the status of a health care claim.
(b) A response about the status of a health care claim.
The Secretary adopts the ASC X12N 276/277 Health Care Claim Status Request and Response, Version 4010, May 2000, Washington Publishing Company, 004010X093 as the standard for the health care claim status transaction. The implementation specification is available at the addresses specified in § 162.920(a)(1).
The enrollment and disenrollment in a health plan transaction is the transmission of subscriber enrollment information to a health plan to establish or terminate insurance coverage.
The Secretary adopts the ASC X12N 834—Benefit Enrollment and Maintenance, Version 4010, May 2000, Washington Publishing Company, 004010X095 as the standard for the enrollment and disenrollment in a health plan transaction. The implementation specification is available at the addresses specified in § 162.920(a)(1).
The health care payment and remittance advice transaction is the transmission of either of the following for health care:
(a) The transmission of any of the following from a health plan to a health care provider's financial institution:
(1) Payment.
(2) Information about the transfer of funds.
(3) Payment processing information.
(b) The transmission of either of the following from a health plan to a health care provider:
(1) Explanation of benefits.
(2) Remittance advice.
The Secretary adopts the following standards for the health care payment and remittance advice transaction:
(a)
(b)
The health plan premium payment transaction is the transmission of any of the following from the entity that is arranging for the provision of health care or is providing health care coverage payments for an individual to a health plan:
(a) Payment.
(b) Information about the transfer of funds.
(c) Detailed remittance information about individuals for whom premiums are being paid.
(d) Payment processing information to transmit health care premium payments including any of the following:
(1) Payroll deductions.
(2) Other group premium payments.
(3) Associated group premium payment information.
The Secretary adopts the ASC X12N 820—Payroll Deducted and Other Group Premium Payment for Insurance Products, Version 4010, May 2000, Washington Publishing Company, 004010X061 as the standard for the health plan premium payments transaction. The implementation specification is available at the addresses specified in § 162.920(a)(1).
The coordination of benefits transaction is the transmission from any entity to a health plan for the purpose of determining the relative payment responsibilities of the health plan, of either of the following for health care:
(a) Claims.
(b) Payment information.
The Secretary adopts the following standards for the coordination of benefits information transaction:
(a)
(b)
(c)
(d)
42 U.S.C. 1320d-2 and 1320d-4, sec. 264 of Pub. L. 104-191, 110 Stat. 2033-2034 (42 U.S.C. 1320d-2(note)).
The provisions of this part are adopted pursuant to the Secretary's authority to prescribe standards, requirements, and implementation standards under part C of title XI of the Act and section 264 of Public Law 104-191.
At 67 FR 53266, Aug. 14, 2002, § 164.102 was amended by removing the words “implementation standards” and adding in its place the words “implementation specifications”, effective Oct. 15, 2002.
Except as otherwise provided, the provisions of this part apply to covered entities: health plans, health care clearinghouses, and health care providers who transmit health information in electronic form in connection with any transaction referred to in section 1173(a)(1) of the Act.
In complying with the requirements of this part, covered entities are required to comply with the applicable provisions of parts 160 and 162 of this subchapter.
42 U.S.C. 1320d-2 and 1320d-4, sec. 264 of Pub. L. 104-191, 110 Stat. 2033-2034 (42 U.S.C. 1320d-2(note)).
(a) Except as otherwise provided herein, the standards, requirements, and implementation specifications of this subpart apply to covered entities with respect to protected health information.
(b) Health care clearinghouses must comply with the standards, requirements, and implementation specifications as follows:
(1) When a health care clearinghouse creates or receives protected health information as a business associate of another covered entity, the clearinghouse must comply with:
(i) Section 164.500 relating to applicability;
(ii) Section 164.501 relating to definitions;
(iii) Section 164.502 relating to uses and disclosures of protected health information, except that a clearinghouse is prohibited from using or disclosing protected health information other than as permitted in the business associate contract under which it created or received the protected health information;
(iv) Section 164.504 relating to the organizational requirements for covered entities, including the designation of health care components of a covered entity;
(v) Section 164.512 relating to uses and disclosures for which consent, individual authorization or an opportunity to agree or object is not required, except that a clearinghouse is prohibited from using or disclosing protected health information other than as permitted in the business associate contract under which it created or received the protected health information;
(vi) Section 164.532 relating to transition requirements; and
(vii) Section 164.534 relating to compliance dates for initial implementation of the privacy standards.
(2) When a health care clearinghouse creates or receives protected health information other than as a business associate of a covered entity, the clearinghouse must comply with all of the standards, requirements, and implementation specifications of this subpart.
(c) The standards, requirements, and implementation specifications of this subpart do not apply to the Department of Defense or to any other federal agency, or non-governmental organization acting on its behalf, when providing health care to overseas foreign national beneficiaries.
At 67 FR 53266, Aug. 14, 2002, in § 164.500, remove “consent,” from paragraph (b)(1)(v), effective Oct. 15, 2002.
As used in this subpart, the following terms have the following meanings:
(1) A group of records maintained by or for a covered entity that is:
(i) The medical records and billing records about individuals maintained by or for a covered health care provider;
(ii) The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
(iii) Used, in whole or in part, by or for the covered entity to make decisions about individuals.
(2) For purposes of this paragraph, the term record means any item, collection, or grouping of information that includes protected health information and is maintained, collected, used, or disseminated by or for a covered entity.
(1) Conducting quality assessment and improvement activities, including
(2) Reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, health plan performance, conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers, training of non-health care professionals, accreditation, certification, licensing, or credentialing activities;
(3) Underwriting, premium rating, and other activities relating to the creation, renewal or replacement of a contract of health insurance or health benefits, and ceding, securing, or placing a contract for reinsurance of risk relating to claims for health care (including stop-loss insurance and excess of loss insurance), provided that the requirements of § 164.514(g) are met, if applicable;
(4) Conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs;
(5) Business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the entity, including formulary development and administration, development or improvement of methods of payment or coverage policies; and
(6) Business management and general administrative activities of the entity, including, but not limited to:
(i) Management activities relating to implementation of and compliance with the requirements of this subchapter;
(ii) Customer service, including the provision of data analyses for policy holders, plan sponsors, or other customers, provided that protected health information is not disclosed to such policy holder, plan sponsor, or customer.
(iii) Resolution of internal grievances;
(iv) Due diligence in connection with the sale or transfer of assets to a potential successor in interest, if the potential successor in interest is a covered entity or, following completion of the sale or transfer, will become a covered entity; and
(v) Consistent with the applicable requirements of § 164.514, creating de-identified health information, fundraising for the benefit of the covered entity, and marketing for which an individual authorization is not required as described in § 164.514(e)(2).
(1) The health care provider delivers health care to the individual based on the orders of another health care provider; and
(2) The health care provider typically provides services or products, or reports the diagnosis or results associated with the health care, directly to another health care provider, who provides the services or products or reports to the individual.
(1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
(2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
(i) That identifies the individual; or
(ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual.
(1) Investigate or conduct an official inquiry into a potential violation of law; or
(2) Prosecute or otherwise conduct a criminal, civil, or administrative proceeding arising from an alleged violation of law.
(1)
(i) For the purpose of describing the entities participating in a health care provider network or health plan network, or for the purpose of describing if and the extent to which a product or service (or payment for such product or service) is provided by a covered entity or included in a plan of benefits; or
(ii) That are tailored to the circumstances of a particular individual and the communications are:
(A) Made by a health care provider to an individual as part of the treatment of the individual, and for the purpose of furthering the treatment of that individual; or
(B) Made by a health care provider or health plan to an individual in the course of managing the treatment of that individual, or for the purpose of directing or recommending to that individual alternative treatments, therapies, health care providers, or settings of care.
(2) A communication described in paragraph (1) of this definition is not included in marketing if:
(i) The communication is made orally; or
(ii) The communication is in writing and the covered entity does not receive direct or indirect remuneration from a third party for making the communication.
(1) A clinically integrated care setting in which individuals typically receive health care from more than one health care provider;
(2) An organized system of health care in which more than one covered entity participates, and in which the participating covered entities:
(i) Hold themselves out to the public as participating in a joint arrangement; and
(ii) Participate in joint activities that include at least one of the following:
(A) Utilization review, in which health care decisions by participating covered entities are reviewed by other participating covered entities or by a third party on their behalf;
(B) Quality assessment and improvement activities, in which treatment provided by participating covered entities is assessed by other participating covered entities or by a third party on their behalf; or
(C) Payment activities, if the financial risk for delivering health care is shared, in part or in whole, by participating covered entities through the joint arrangement and if protected health information created or received by a covered entity is reviewed by other participating covered entities or by a third party on their behalf for the purpose of administering the sharing of financial risk.
(3) A group health plan and a health insurance issuer or HMO with respect to such group health plan, but only with respect to protected health information created or received by such
(4) A group health plan and one or more other group health plans each of which are maintained by the same plan sponsor; or
(5) The group health plans described in paragraph (4) of this definition and health insurance issuers or HMOs with respect to such group health plans, but only with respect to protected health information created or received by such health insurance issuers or HMOs that relates to individuals who are or have been participants or beneficiaries in any of such group health plans.
(1) The activities undertaken by:
(i) A health plan to obtain premiums or to determine or fulfill its responsibility for coverage and provision of benefits under the health plan; or
(ii) A covered health care provider or health plan to obtain or provide reimbursement for the provision of health care; and
(2) The activities in paragraph (1) of this definition relate to the individual to whom health care is provided and include, but are not limited to:
(i) Determinations of eligibility or coverage (including coordination of benefits or the determination of cost sharing amounts), and adjudication or subrogation of health benefit claims;
(ii) Risk adjusting amounts due based on enrollee health status and demographic characteristics;
(iii) Billing, claims management, collection activities, obtaining payment under a contract for reinsurance (including stop-loss insurance and excess of loss insurance), and related health care data processing;
(iv) Review of health care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges;
(v) Utilization review activities, including precertification and preauthorization of services, concurrent and retrospective review of services; and
(vi) Disclosure to consumer reporting agencies of any of the following protected health information relating to collection of premiums or reimbursement:
(A) Name and address;
(B) Date of birth;
(C) Social security number;
(D) Payment history;
(E) Account number; and
(F) Name and address of the health care provider and/or health plan.
(1) Except as provided in paragraph (2) of this definition, that is:
(i) Transmitted by electronic media;
(ii) Maintained in any medium described in the definition of
(iii) Transmitted or maintained in any other form or medium.
(2)
(i) Education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g; and
(ii) Records described at 20 U.S.C. 1232g(a)(4)(B)(iv).
At 67 FR 53266, Aug. 14, 2002, amend § 164.501 in the definition of “health care operations” by removing from the introductory text of the definition “, and any of the following activities of an organized health care arrangement in which the covered entity participates” and revising paragraphs (6)(iv) and (v); by removing the definition of “individually identifiable health information”; by revising the definition of “marketing”; in paragraph (1)(ii) of the definition of “payment,” by removing the word “covered”; by revising paragraph (2) of the definition of “protected health information”; by removing the words “a covered” and replace them with “an” in the definition of “required by law”, effective Oct. 15, 2002. For the convenience of the user, the revised text is set forth as follows:
(6) * * *
(iv) The sale, transfer, merger, or consolidation of all or part of the covered entity with another covered entity, or an entity that following such activity will become a covered entity and due diligence related to such activity; and
(v) Consistent with the applicable requirements of § 164.514, creating de-identified health information or a limited data set, and fundraising for the benefit of the covered entity.
(1) To make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service, unless the communication is made:
(i) To describe a health-related product or service (or payment for such product or service) that is provided by, or included in a plan of benefits of, the covered entity making the communication, including communications about: the entities participating in a health care provider network or health plan network; replacement of, or enhancements to, a health plan; and health-related products or services available only to a health plan enrollee that add value to, but are not part of, a plan of benefits.
(ii) For treatment of the individual; or
(iii) For case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual.
(2) An arrangement between a covered entity and any other entity whereby the covered entity discloses protected health information to the other entity, in exchange for direct or indirect remuneration, for the other entity or its affiliate to make a communication about its own product or service that encourages recipients of the communication to purchase or use that product or service.
(2)
(i) Education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g;
(ii) Records described at 20 U.S.C. 1232g(a)(4)(B)(iv); and
(iii) Employment records held by a covered entity in its role as employer.
(a)
(1)
(i) To the individual;
(ii) Pursuant to and in compliance with a consent that complies with § 164.506, to carry out treatment, payment, or health care operations;
(iii) Without consent, if consent is not required under § 164.506(a) and has not been sought under § 164.506(a)(4), to carry out treatment, payment, or health care operations, except with respect to psychotherapy notes;
(iv) Pursuant to and in compliance with a valid authorization under § 164.508;
(v) Pursuant to an agreement under, or as otherwise permitted by, § 164.510; and
(vi) As permitted by and in compliance with this section, § 164.512, or § 164.514(e), (f), and (g).
(2)
(i) To an individual, when requested under, and required by § 164.524 or § 164.528; and
(ii) When required by the Secretary under subpart C of part 160 of this subchapter to investigate or determine the covered entity's compliance with this subpart.
(b)
(2)
(i) Disclosures to or requests by a health care provider for treatment;
(ii) Uses or disclosures made to the individual, as permitted under paragraph (a)(1)(i) of this section, as required by paragraph (a)(2)(i) of this section, or pursuant to an authorization under § 164.508, except for authorizations requested by the covered entity under § 164.508(d), (e), or (f);
(iii) Disclosures made to the Secretary in accordance with subpart C of part 160 of this subchapter;
(iv) Uses or disclosures that are required by law, as described by § 164.512(a); and
(v) Uses or disclosures that are required for compliance with applicable requirements of this subchapter.
(c)
(d)
(2)
(i) Disclosure of a code or other means of record identification designed to enable coded or otherwise de-identified information to be re-identified constitutes disclosure of protected health information; and
(ii) If de-identified information is re-identified, a covered entity may use or disclose such re-identified information only as permitted or required by this subpart.
(e)(1)
(ii) This standard does not apply:
(A) With respect to disclosures by a covered entity to a health care provider concerning the treatment of the individual;
(B) With respect to disclosures by a group health plan or a health insurance issuer or HMO with respect to a group health plan to the plan sponsor, to the extent that the requirements of § 164.504(f) apply and are met; or
(C) With respect to uses or disclosures by a health plan that is a government program providing public benefits, if eligibility for, or enrollment in, the health plan is determined by an agency other than the agency administering the health plan, or if the protected health information used to determine enrollment or eligibility in the health plan is collected by an agency other than the agency administering the health plan, and such activity is authorized by law, with respect to the collection and sharing of individually identifiable health information for the performance of such functions by the health plan and the agency other than the agency administering the health plan.
(iii) A covered entity that violates the satisfactory assurances it provided as a business associate of another covered entity will be in noncompliance with the standards, implementation specifications, and requirements of this paragraph and § 164.504(e).
(2)
(f)
(g)(1)
(2)
(3)
(i) The minor consents to such health care service; no other consent to such health care service is required by law, regardless of whether the consent of another person has also been obtained; and the minor has not requested that such person be treated as the personal representative;
(ii) The minor may lawfully obtain such health care service without the consent of a parent, guardian, or other person acting
(iii) A parent, guardian, or other person acting
(4)
(5)
(i) The covered entity has a reasonable belief that:
(A) The individual has been or may be subjected to domestic violence, abuse, or neglect by such person; or
(B) Treating such person as the personal representative could endanger the individual; and
(ii) The covered entity, in the exercise of professional judgment, decides that it is not in the best interest of the individual to treat the person as the individual's personal representative.
(h)
(i)
(j)
(i) The workforce member or business associate believes in good faith that the covered entity has engaged in conduct that is unlawful or otherwise violates professional or clinical standards, or that the care, services, or conditions provided by the covered entity potentially endangers one or more patients, workers, or the public; and
(ii) The disclosure is to:
(A) A health oversight agency or public health authority authorized by law to investigate or otherwise oversee the relevant conduct or conditions of the covered entity or to an appropriate health care accreditation organization for the purpose of reporting the allegation of failure to meet professional standards or misconduct by the covered entity; or
(B) An attorney retained by or on behalf of the workforce member or business associate for the purpose of determining the legal options of the workforce member or business associate with regard to the conduct described in paragraph (j)(1)(i) of this section.
(2)
(i) The protected health information disclosed is about the suspected perpetrator of the criminal act; and
(ii) The protected health information disclosed is limited to the information listed in § 164.512(f)(2)(i).
At 67 FR 53267, Aug. 14, 2002, § 164.502 was amended by revising paragraphs (a)(1)(ii), (iii), and (vi) and (b)(2)(ii); redesignating paragraphs (b)(2)(iii) through (v) as paragraphs (b)(2)(iv) through
(a) Standard. * * *
(1)
(ii) For treatment, payment, or health care operations, as permitted by and in compliance with § 164.506;
(iii) Incident to a use or disclosure otherwise permitted or required by this subpart, provided that the covered entity has complied with the applicable requirements of § 164.502(b), § 164.514(d), and § 164.530(c) with respect to such otherwise permitted or required use or disclosure;
(vi) As permitted by and in compliance with this section, § 164.512, or § 164.514(e), (f), or (g).
(b)
(2)
(ii) Uses or disclosures made to the individual, as permitted under paragraph (a)(1)(i) of this section or as required by paragraph (a)(2)(i) of this section;
(iii) Uses or disclosures made pursuant to an authorization under § 164.508;
(g)(1)
(3)
(i) * * *
(ii) Notwithstanding the provisions of paragraph (g)(3)(i) of this section:
(A) If, and to the extent, permitted or required by an applicable provision of State or other law, including applicable case law, a covered entity may disclose, or provide access in accordance with § 164.524 to, protected health information about an unemancipated minor to a parent, guardian, or other person acting
(B) If, and to the extent, prohibited by an applicable provision of State or other law, including applicable case law, a covered entity may not disclose, or provide access in accordance with § 164.524 to, protected health information about an unemancipated minor to a parent, guardian, or other person acting
(C) Where the parent, guardian, or other person acting
(a)
(1) Components of a covered entity that perform covered functions are part of the health care component.
(2) Another component of the covered entity is part of the entity's health care component to the extent that:
(i) It performs, with respect to a component that performs covered functions, activities that would make such other component a business associate of the component that performs covered functions if the two components were separate legal entities; and
(ii) The activities involve the use or disclosure of protected health information that such other component creates or receives from or on behalf of the component that performs covered functions.
(1) That summarizes the claims history, claims expenses, or type of claims experienced by individuals for whom a plan sponsor has provided health benefits under a group health plan; and
(2) From which the information described at § 164.514(b)(2)(i) has been deleted, except that the geographic information described in § 164.514(b)(2)(i)(B) need only be aggregated to the level of a five digit zip code.
(b)
(c)(1)
(i) A reference in such provision to a “covered entity” refers to a health care component of the covered entity;
(ii) A reference in such provision to a “health plan,” “covered health care provider,” or “health care clearinghouse” refers to a health care component of the covered entity if such health care component performs the functions of a health plan, covered health care provider, or health care clearinghouse, as applicable; and
(iii) A reference in such provision to “protected health information” refers to protected health information that is created or received by or on behalf of the health care component of the covered entity.
(2)
(i) Its health care component does not disclose protected health information to another component of the covered entity in circumstances in which this subpart would prohibit such disclosure if the health care component and the other component were separate and distinct legal entities;
(ii) A component that is described by paragraph (2)(i) of the definition of
(iii) If a person performs duties for both the health care component in the capacity of a member of the workforce of such component and for another component of the entity in the same capacity with respect to that component, such workforce member must not use or disclose protected health information created or received in the course of or incident to the member's work for the health care component in a way prohibited by this subpart.
(3)
(i) For purposes of subpart C of part 160 of this subchapter, pertaining to compliance and enforcement, the covered entity has the responsibility to comply with this subpart.
(ii) The covered entity has the responsibility for complying with § 164.530(i), pertaining to the implementation of policies and procedures to ensure compliance with this subpart, including the safeguard requirements in paragraph (c)(2) of this section.
(iii) The covered entity is responsible for designating the components that are part of one or more health care components of the covered entity and documenting the designation as required by § 164.530(j).
(d)(1)
(2)
(ii) The designation of an affiliated covered entity must be documented and the documentation maintained as required by § 164.530(j).
(3)
(i) The affiliated covered entity's use and disclosure of protected health information comply with the applicable requirements of this subpart; and
(ii) If the affiliated covered entity combines the functions of a health plan, health care provider, or health care clearinghouse, the affiliated covered entity complies with paragraph (g) of this section.
(e)(1)
(ii) A covered entity is not in compliance with the standards in § 164.502(e) and paragraph (e) of this section, if the covered entity knew of a pattern of activity or practice of the business associate that constituted a material breach or violation of the business associate's obligation under the contract or other arrangement, unless the covered entity took reasonable steps to cure the breach or end the violation, as applicable, and, if such steps were unsuccessful:
(A) Terminated the contract or arrangement, if feasible; or
(B) If termination is not feasible, reported the problem to the Secretary.
(2)
(i) Establish the permitted and required uses and disclosures of such information by the business associate. The contract may not authorize the business associate to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity, except that:
(A) The contract may permit the business associate to use and disclose protected health information for the proper management and administration of the business associate, as provided in paragraph (e)(4) of this section; and
(B) The contract may permit the business associate to provide data aggregation services relating to the health care operations of the covered entity.
(ii) Provide that the business associate will:
(A) Not use or further disclose the information other than as permitted or required by the contract or as required by law;
(B) Use appropriate safeguards to prevent use or disclosure of the information other than as provided for by its contract;
(C) Report to the covered entity any use or disclosure of the information not provided for by its contract of which it becomes aware;
(D) Ensure that any agents, including a subcontractor, to whom it provides protected health information received from, or created or received by the business associate on behalf of, the covered entity agrees to the same restrictions and conditions that apply to the business associate with respect to such information;
(E) Make available protected health information in accordance with § 164.524;
(F) Make available protected health information for amendment and incorporate any amendments to protected health information in accordance with § 164.526;
(G) Make available the information required to provide an accounting of disclosures in accordance with § 164.528;
(H) Make its internal practices, books, and records relating to the use and disclosure of protected health information received from, or created or received by the business associate on behalf of, the covered entity available to the Secretary for purposes of determining the covered entity's compliance with this subpart; and
(I) At termination of the contract, if feasible, return or destroy all protected health information received from, or created or received by the business associate on behalf of, the covered entity
(iii) Authorize termination of the contract by the covered entity, if the covered entity determines that the business associate has violated a material term of the contract.
(3)
(A) The covered entity may comply with paragraph (e) of this section by entering into a memorandum of understanding with the business associate that contains terms that accomplish the objectives of paragraph (e)(2) of this section.
(B) The covered entity may comply with paragraph (e) of this section, if other law (including regulations adopted by the covered entity or its business associate) contains requirements applicable to the business associate that accomplish the objectives of paragraph (e)(2) of this section.
(ii) If a business associate is required by law to perform a function or activity on behalf of a covered entity or to provide a service described in the definition of
(iii) The covered entity may omit from its other arrangements the termination authorization required by paragraph (e)(2)(iii) of this section, if such authorization is inconsistent with the statutory obligations of the covered entity or its business associate.
(4)
(A) For the proper management and administration of the business associate; or
(B) To carry out the legal responsibilities of the business associate.
(ii) The contract or other arrangement between the covered entity and the business associate may permit the business associate to disclose the information received by the business associate in its capacity as a business associate for the purposes described in paragraph (e)(4)(i) of this section, if:
(A) The disclosure is required by law; or
(B)(
(
(f)(1)
(ii) The group health plan, or a health insurance issuer or HMO with respect to the group health plan, may disclose summary health information to the plan sponsor, if the plan sponsor
(A) Obtaining premium bids from health plans for providing health insurance coverage under the group health plan; or
(B) Modifying, amending, or terminating the group health plan.
(2)
(i) Establish the permitted and required uses and disclosures of such information by the plan sponsor, provided that such permitted and required uses and disclosures may not be inconsistent with this subpart.
(ii) Provide that the group health plan will disclose protected health information to the plan sponsor only upon receipt of a certification by the plan sponsor that the plan documents have been amended to incorporate the following provisions and that the plan sponsor agrees to:
(A) Not use or further disclose the information other than as permitted or required by the plan documents or as required by law;
(B) Ensure that any agents, including a subcontractor, to whom it provides protected health information received from the group health plan agree to the same restrictions and conditions that apply to the plan sponsor with respect to such information;
(C) Not use or disclose the information for employment-related actions and decisions or in connection with any other benefit or employee benefit plan of the plan sponsor;
(D) Report to the group health plan any use or disclosure of the information that is inconsistent with the uses or disclosures provided for of which it becomes aware;
(E) Make available protected health information in accordance with § 164.524;
(F) Make available protected health information for amendment and incorporate any amendments to protected health information in accordance with § 164.526;
(G) Make available the information required to provide an accounting of disclosures in accordance with § 164.528;
(H) Make its internal practices, books, and records relating to the use and disclosure of protected health information received from the group health plan available to the Secretary for purposes of determining compliance by the group health plan with this subpart;
(I) If feasible, return or destroy all protected health information received from the group health plan that the sponsor still maintains in any form and retain no copies of such information when no longer needed for the purpose for which disclosure was made, except that, if such return or destruction is not feasible, limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible; and
(J) Ensure that the adequate separation required in paragraph (f)(2)(iii) of this section is established.
(iii) Provide for adequate separation between the group health plan and the plan sponsor. The plan documents must:
(A) Describe those employees or classes of employees or other persons under the control of the plan sponsor to be given access to the protected health information to be disclosed, provided that any employee or person who receives protected health information relating to payment under, health care operations of, or other matters pertaining to the group health plan in the ordinary course of business must be included in such description;
(B) Restrict the access to and use by such employees and other persons described in paragraph (f)(2)(iii)(A) of this section to the plan administration functions that the plan sponsor performs for the group health plan; and
(C) Provide an effective mechanism for resolving any issues of noncompliance by persons described in paragraph (f)(2)(iii)(A) of this section with the plan document provisions required by this paragraph.
(3)
(i) Disclose protected health information to a plan sponsor to carry out plan administration functions that the plan sponsor performs only consistent with
(ii) Not permit a health insurance issuer or HMO with respect to the group health plan to disclose protected health information to the plan sponsor except as permitted by this paragraph;
(iii) Not disclose and may not permit a health insurance issuer or HMO to disclose protected health information to a plan sponsor as otherwise permitted by this paragraph unless a statement required by § 164.520(b)(1)(iii)(C) is included in the appropriate notice; and
(iv) Not disclose protected health information to the plan sponsor for the purpose of employment-related actions or decisions or in connection with any other benefit or employee benefit plan of the plan sponsor.
(g)
(2) A covered entity that performs multiple covered functions may use or disclose the protected health information of individuals who receive the covered entity's health plan or health care provider services, but not both, only for purposes related to the appropriate function being performed.
At 67 FR 53267, Aug. 14, 2002, § 164.504 was amended in paragraph (a), by revising the definitions of “health care component” and “hybrid entity”; revising paragraphs (c)(1)(ii), (c)(2)(ii), (c)(3)(iii), (f)(1)(i), and adding paragraph (f)(1)(iii), effective Oct. 15, 2002. For the convenience of the user, the revised and added text is set forth as follows:
(a)
(1) That is a covered entity;
(2) Whose business activities include both covered and non-covered functions; and
(3) That designates health care components in accordance with paragraph (c)(3)(iii) of this section.
(c)(1)
(ii) A reference in such provision to a “health plan,” “covered health care provider,” or “health care clearinghouse” refers to a health care component of the covered entity if such health care component performs the functions of a health plan, health care provider, or health care clearinghouse, as applicable; and
(2)
(ii) A component that is described by paragraph (c)(3)(iii)(B) of this section does not use or disclose protected health information that it creates or receives from or on behalf of the health care component in a way prohibited by this subpart; and
(3)
(iii) The covered entity is responsible for designating the components that are part of one or more health care components of the covered entity and documenting the designation as required by § 164.530(j), provided that, if the covered entity designates a health care component or components, it must include any component that would meet the definition of covered entity if it were a separate legal entity. Health care component(s) also may include a component only to the extent that it performs:
(A) Covered functions; or
(B) Activities that would make such component a business associate of a component that performs covered functions if the two components were separate legal entities.
(f)(1)
(iii) The group health plan, or a health insurance issuer or HMO with respect to the group health plan, may disclose to the plan sponsor information on whether the individual is participating in the group health plan, or is enrolled in or has disenrolled from a health insurance issuer or HMO offered by the plan.
(a)
(2) A covered health care provider may, without consent, use or disclose protected health information to carry out treatment, payment, or health care operations, if:
(i) The covered health care provider has an indirect treatment relationship with the individual; or
(ii) The covered health care provider created or received the protected health information in the course of providing health care to an individual who is an inmate.
(3)(i) A covered health care provider may, without prior consent, use or disclose protected health information created or received under paragraph (a)(3)(i)(A)-(C) of this section to carry out treatment, payment, or health care operations:
(A) In emergency treatment situations, if the covered health care provider attempts to obtain such consent as soon as reasonably practicable after the delivery of such treatment;
(B) If the covered health care provider is required by law to treat the individual, and the covered health care provider attempts to obtain such consent but is unable to obtain such consent; or
(C) If a covered health care provider attempts to obtain such consent from the individual but is unable to obtain such consent due to substantial barriers to communicating with the individual, and the covered health care provider determines, in the exercise of professional judgment, that the individual's consent to receive treatment is clearly inferred from the circumstances.
(ii) A covered health care provider that fails to obtain such consent in accordance with paragraph (a)(3)(i) of this section must document its attempt to obtain consent and the reason why consent was not obtained.
(4) If a covered entity is not required to obtain consent by paragraph (a)(1) of this section, it may obtain an individual's consent for the covered entity's own use or disclosure of protected health information to carry out treatment, payment, or health care operations, provided that such consent meets the requirements of this section.
(5) Except as provided in paragraph (f)(1) of this section, a consent obtained by a covered entity under this section is not effective to permit another covered entity to use or disclose protected health information.
(b)
(2) A health plan may condition enrollment in the health plan on the provision by the individual of a consent under this section sought in conjunction with such enrollment.
(3) A consent under this section may not be combined in a single document with the notice required by § 164.520.
(4)(i) A consent for use or disclosure may be combined with other types of written legal permission from the individual (
(A) Is visually and organizationally separate from such other written legal permission; and
(B) Is separately signed by the individual and dated.
(ii) A consent for use or disclosure may be combined with a research authorization under § 164.508(f).
(5) An individual may revoke a consent under this section at any time, except to the extent that the covered entity has taken action in reliance thereon. Such revocation must be in writing.
(6) A covered entity must document and retain any signed consent under this section as required by § 164.530(j).
(c)
(1) Inform the individual that protected health information may be used and disclosed to carry out treatment, payment, or health care operations;
(2) Refer the individual to the notice required by § 164.520 for a more complete description of such uses and disclosures and state that the individual has the right to review the notice prior to signing the consent;
(3) If the covered entity has reserved the right to change its privacy practices that are described in the notice in accordance with § 164.520(b)(1)(v)(C), state that the terms of its notice may change and describe how the individual may obtain a revised notice;
(4) State that:
(i) The individual has the right to request that the covered entity restrict how protected health information is used or disclosed to carry out treatment, payment, or health care operations;
(ii) The covered entity is not required to agree to requested restrictions; and
(iii) If the covered entity agrees to a requested restriction, the restriction is binding on the covered entity;
(5) State that the individual has the right to revoke the consent in writing, except to the extent that the covered entity has taken action in reliance thereon; and
(6) Be signed by the individual and dated.
(d)
(1) The consent lacks an element required by paragraph (c) of this section, as applicable; or
(2) The consent has been revoked in accordance with paragraph (b)(5) of this section.
(e)
(2) A covered entity may attempt to resolve a conflict between a consent and an authorization or other written legal permission from the individual described in paragraph (e)(1) of this section by:
(i) Obtaining a new consent from the individual under this section for the disclosure to carry out treatment, payment, or health care operations; or
(ii) Communicating orally or in writing with the individual in order to determine the individual's preference in resolving the conflict. The covered entity must document the individual's preference and may only disclose protected health information in accordance with the individual's preference.
(f)(1)
(2)
(A) Include the name or other specific identification of the covered entities, or classes of covered entities, to which the joint consent applies; and
(B) Meet the requirements of this section, except that the statements required by this section may be altered to reflect the fact that the consent covers more than one covered entity.
(ii) If an individual revokes a joint consent, the covered entity that receives the revocation must inform the other entities covered by the joint consent of the revocation as soon as practicable.
At 67 FR 53268, Aug. 14, 2002, § 164.506 was revised, effective Oct. 15,
(a)
(b)
(2) Consent, under paragraph (b) of this section, shall not be effective to permit a use or disclosure of protected health information when an authorization, under § 164.508, is required or when another condition must be met for such use or disclosure to be permissible under this subpart.
(c)
(1) A covered entity may use or disclose protected health information for its own treatment, payment, or health care operations.
(2) A covered entity may disclose protected health information for treatment activities of a health care provider.
(3) A covered entity may disclose protected health information to another covered entity or a health care provider for the payment activities of the entity that receives the information.
(4) A covered entity may disclose protected health information to another covered entity for health care operations activities of the entity that receives the information, if each entity either has or had a relationship with the individual who is the subject of the protected health information being requested, the protected health information pertains to such relationship, and the disclosure is:
(i) For a purpose listed in paragraph (1) or (2) of the definition of health care operations; or
(ii) For the purpose of health care fraud and abuse detection or compliance.
(5) A covered entity that participates in an organized health care arrangement may disclose protected health information about an individual to another covered entity that participates in the organized health care arrangement for any health care operations activities of the organized health care arrangement.
(a)
(2)
(i) To carry out the following treatment, payment, or health care operations, consistent with consent requirements in § 164.506:
(A) Use by originator of the psychotherapy notes for treatment;
(B) Use or disclosure by the covered entity in training programs in which students, trainees, or practitioners in mental health learn under supervision to practice or improve their skills in group, joint, family, or individual counseling; or
(C) Use or disclosure by the covered entity to defend a legal action or other proceeding brought by the individual; and
(ii) A use or disclosure that is required by § 164.502(a)(2)(ii) or permitted by § 164.512(a); § 164.512(d) with respect to the oversight of the originator of the psychotherapy notes; § 164.512(g)(1); or § 164.512(j)(1)(i).
(b)
(i) A valid authorization is a document that contains the elements listed in paragraph (c) and, as applicable, paragraph (d), (e), or (f) of this section.
(ii) A valid authorization may contain elements or information in addition to the elements required by this section, provided that such additional
(2)
(i) The expiration date has passed or the expiration event is known by the covered entity to have occurred;
(ii) The authorization has not been filled out completely, with respect to an element described by paragraph (c), (d), (e), or (f) of this section, if applicable;
(iii) The authorization is known by the covered entity to have been revoked;
(iv) The authorization lacks an element required by paragraph (c), (d), (e), or (f) of this section, if applicable;
(v) The authorization violates paragraph (b)(3) of this section, if applicable;
(vi) Any material information in the authorization is known by the covered entity to be false.
(3)
(i) An authorization for the use or disclosure of protected health information created for research that includes treatment of the individual may be combined as permitted by § 164.506(b)(4)(ii) or paragraph (f) of this section;
(ii) An authorization for a use or disclosure of psychotherapy notes may only be combined with another authorization for a use or disclosure of psychotherapy notes;
(iii) An authorization under this section, other than an authorization for a use or disclosure of psychotherapy notes, may be combined with any other such authorization under this section, except when a covered entity has conditioned the provision of treatment, payment, enrollment in the health plan, or eligibility for benefits under paragraph (b)(4) of this section on the provision of one of the authorizations.
(4)
(i) A covered health care provider may condition the provision of research-related treatment on provision of an authorization under paragraph (f) of this section;
(ii) A health plan may condition enrollment in the health plan or eligibility for benefits on provision of an authorization requested by the health plan prior to an individual's enrollment in the health plan, if:
(A) The authorization sought is for the health plan's eligibility or enrollment determinations relating to the individual or for its underwriting or risk rating determinations; and
(B) The authorization is not for a use or disclosure of psychotherapy notes under paragraph (a)(2) of this section;
(iii) A health plan may condition payment of a claim for specified benefits on provision of an authorization under paragraph (e) of this section, if:
(A) The disclosure is necessary to determine payment of such claim; and
(B) The authorization is not for a use or disclosure of psychotherapy notes under paragraph (a)(2) of this section; and
(iv) A covered entity may condition the provision of health care that is solely for the purpose of creating protected health information for disclosure to a third party on provision of an authorization for the disclosure of the protected health information to such third party.
(5)
(i) The covered entity has taken action in reliance thereon; or
(ii) If the authorization was obtained as a condition of obtaining insurance coverage, other law provides the insurer with the right to contest a claim under the policy.
(6)
(c)
(i) A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion;
(ii) The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure;
(iii) The name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the requested use or disclosure;
(iv) An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure;
(v) A statement of the individual's right to revoke the authorization in writing and the exceptions to the right to revoke, together with a description of how the individual may revoke the authorization;
(vi) A statement that information used or disclosed pursuant to the authorization may be subject to redisclosure by the recipient and no longer be protected by this rule;
(vii) Signature of the individual and date; and
(viii) If the authorization is signed by a personal representative of the individual, a description of such representative's authority to act for the individual.
(2)
(d)
(1)
(i) For any authorization to which the prohibition on conditioning in paragraph (b)(4) of this section applies, a statement that the covered entity will not condition treatment, payment, enrollment in the health plan, or eligibility for benefits on the individual's providing authorization for the requested use or disclosure;
(ii) A description of each purpose of the requested use or disclosure;
(iii) A statement that the individual may:
(A) Inspect or copy the protected health information to be used or disclosed as provided in § 164.524; and
(B) Refuse to sign the authorization; and
(iv) If use or disclosure of the requested information will result in direct or indirect remuneration to the covered entity from a third party, a statement that such remuneration will result.
(2)
(e)
(1)
(i) A description of each purpose of the requested disclosure;
(ii) Except for an authorization on which payment may be conditioned under paragraph (b)(4)(iii) of this section, a statement that the covered entity will not condition treatment, payment, enrollment in the health plan, or eligibility for benefits on the individual's providing authorization for the requested use or disclosure; and
(iii) A statement that the individual may refuse to sign the authorization.
(2)
(f)
(i) For uses and disclosures not otherwise permitted or required under this subpart, meet the requirements of paragraphs (c) and (d) of this section; and
(ii) Contain:
(A) A description of the extent to which such protected health information will be used or disclosed to carry out treatment, payment, or health care operations;
(B) A description of any protected health information that will not be used or disclosed for purposes permitted in accordance with §§ 164.510 and 164.512, provided that the covered entity may not include a limitation affecting its right to make a use or disclosure that is required by law or permitted by § 164.512(j)(1)(i); and
(C) If the covered entity has obtained or intends to obtain the individual's consent under § 164.506, or has provided or intends to provide the individual with a notice under § 164.520, the authorization must refer to that consent or notice, as applicable, and state that the statements made pursuant to this section are binding.
(2)
(i) A consent to participate in the research;
(ii) A consent to use or disclose protected health information to carry out treatment, payment, or health care operations under § 164.506; or
(iii) A notice of privacy practices under § 164.520.
At 67 FR 53268, Aug. 14, 2002, § 164.508 was revised, effective Oct. 15, 2002. For the convenience of the user, the revised text is set forth as follows:
(a)
(2)
(i) To carry out the following treatment, payment, or health care operations:
(A) Use by the originator of the psychotherapy notes for treatment;
(B) Use or disclosure by the covered entity for its own training programs in which students, trainees, or practitioners in mental health learn under supervision to practice or improve their skills in group, joint, family, or individual counseling; or
(C) Use or disclosure by the covered entity to defend itself in a legal action or other proceeding brought by the individual; and
(ii) A use or disclosure that is required by § 164.502(a)(2)(ii) or permitted by § 164.512(a); § 164.512(d) with respect to the oversight of the originator of the psychotherapy notes; § 164.512(g)(1); or § 164.512(j)(1)(i).
(3)
(A) A face-to-face communication made by a covered entity to an individual; or
(B) A promotional gift of nominal value provided by the covered entity.
(ii) If the marketing involves direct or indirect remuneration to the covered entity from a third party, the authorization must state that such remuneration is involved.
(b)
(ii) A valid authorization may contain elements or information in addition to the elements required by this section, provided that such additional elements or information are not inconsistent with the elements required by this section.
(2)
(i) The expiration date has passed or the expiration event is known by the covered entity to have occurred;
(ii) The authorization has not been filled out completely, with respect to an element described by paragraph (c) of this section, if applicable;
(iii) The authorization is known by the covered entity to have been revoked;
(iv) The authorization violates paragraph (b)(3) or (4) of this section, if applicable;
(v) Any material information in the authorization is known by the covered entity to be false.
(3)
(i) An authorization for the use or disclosure of protected health information for a research study may be combined with any other type of written permission for the same research study, including another authorization for the use or disclosure of protected health information for such research or a consent to participate in such research;
(ii) An authorization for a use or disclosure of psychotherapy notes may only be combined with another authorization for a use or disclosure of psychotherapy notes;
(iii) An authorization under this section, other than an authorization for a use or disclosure of psychotherapy notes, may be combined with any other such authorization under this section, except when a covered entity has conditioned the provision of treatment, payment, enrollment in the health plan, or eligibility for benefits under paragraph (b)(4) of this section on the provision of one of the authorizations.
(4)
(i) A covered health care provider may condition the provision of research-related treatment on provision of an authorization for the use or disclosure of protected health information for such research under this section;
(ii) A health plan may condition enrollment in the health plan or eligibility for benefits on provision of an authorization requested by the health plan prior to an individual's enrollment in the health plan, if:
(A) The authorization sought is for the health plan's eligibility or enrollment determinations relating to the individual or for its underwriting or risk rating determinations; and
(B) The authorization is not for a use or disclosure of psychotherapy notes under paragraph (a)(2) of this section; and
(iii) A covered entity may condition the provision of health care that is solely for the purpose of creating protected health information for disclosure to a third party on provision of an authorization for the disclosure of the protected health information to such third party.
(5)
(i) The covered entity has taken action in reliance thereon; or
(ii) If the authorization was obtained as a condition of obtaining insurance coverage, other law provides the insurer with the right to contest a claim under the policy or the policy itself.
(6)
(c)
(i) A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion.
(ii) The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure.
(iii) The name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the requested use or disclosure.
(iv) A description of each purpose of the requested use or disclosure. The statement “at the request of the individual” is a sufficient description of the purpose when an individual initiates the authorization and does not, or elects not to, provide a statement of the purpose.
(v) An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure. The statement “end of the research study,” “none,” or similar language is sufficient if the authorization is for a use or disclosure of protected health information for research, including for the creation and maintenance of a research database or research repository.
(vi) Signature of the individual and date. If the authorization is signed by a personal representative of the individual, a description of such representative's authority to act for the individual must also be provided.
(2)
(i) The individual's right to revoke the authorization in writing, and either:
(A) The exceptions to the right to revoke and a description of how the individual may revoke the authorization; or
(B) To the extent that the information in paragraph (c)(2)(i)(A) of this section is included in the notice required by § 164.520, a reference to the covered entity's notice.
(ii) The ability or inability to condition treatment, payment, enrollment or eligibility for benefits on the authorization, by stating either:
(A) The covered entity may not condition treatment, payment, enrollment or eligibility for benefits on whether the individual signs the authorization when the prohibition on conditioning of authorizations in paragraph (b)(4) of this section applies; or
(B) The consequences to the individual of a refusal to sign the authorization when, in accordance with paragraph (b)(4) of this section, the covered entity can condition treatment, enrollment in the health plan, or eligibility for benefits on failure to obtain such authorization.
(iii) The potential for information disclosed pursuant to the authorization to be subject to redisclosure by the recipient and no longer be protected by this subpart.
(3)
(4)
A covered entity may use or disclose protected health information without the written consent or authorization of the individual as described by §§ 164.506 and 164.508, respectively, provided that the individual is informed in advance of the use or disclosure and has the opportunity to agree to or prohibit or restrict the disclosure in accordance with the applicable requirements of this section. The covered entity may orally inform the individual of and obtain the individual's oral agreement or objection to a use or disclosure permitted by this section.
(a)
(i) Use the following protected health information to maintain a directory of individuals in its facility:
(A) The individual's name;
(B) The individual's location in the covered health care provider's facility;
(C) The individual's condition described in general terms that does not communicate specific medical information about the individual; and
(D) The individual's religious affiliation; and
(ii) Disclose for directory purposes such information:
(A) To members of the clergy; or
(B) Except for religious affiliation, to other persons who ask for the individual by name.
(2)
(3)
(A) Consistent with a prior expressed preference of the individual, if any, that is known to the covered health care provider; and
(B) In the individual's best interest as determined by the covered health care provider, in the exercise of professional judgment.
(ii) The covered health care provider must inform the individual and provide an opportunity to object to uses or disclosures for directory purposes as required by paragraph (a)(2) of this section when it becomes practicable to do so.
(b)
(ii) A covered entity may use or disclose protected health information to notify, or assist in the notification of (including identifying or locating), a family member, a personal representative of the individual, or another person responsible for the care of the individual of the individual's location, general condition, or death. Any such use or disclosure of protected health information for such notification purposes must be in accordance with paragraphs (b)(2), (3), or (4) of this section, as applicable.
(2)
(i) Obtains the individual's agreement;
(ii) Provides the individual with the opportunity to object to the disclosure, and the individual does not express an objection; or
(iii) Reasonably infers from the circumstances, based on the exercise of professional judgment, that the individual does not object to the disclosure.
(3)
(4)
At 67 FR 53270, Aug. 14, 2002, in § 164.510 revise the first sentence of the introductory text, and remove the word “for” from paragraph (b)(3), effective Oct. 15, 2002. For the convenience of the user, the revised text is set forth as follows:
A covered entity may use or disclose protected health information, provided that the individual is informed in advance of the use or disclosure and has the opportunity to agree to or prohibit or restrict the use or disclosure, in accordance with the applicable requirements of this section. * * *
A covered entity may use or disclose protected health information without the written consent or authorization of the individual as described in §§ 164.506 and 164.508, respectively, or the opportunity for the individual to agree or object as described in § 164.510, in the situations covered by this section, subject to the applicable requirements of this section. When the covered entity is required by this section to inform
(a)
(2) A covered entity must meet the requirements described in paragraph (c), (e), or (f) of this section for uses or disclosures required by law.
(b)
(i) A public health authority that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions; or, at the direction of a public health authority, to an official of a foreign government agency that is acting in collaboration with a public health authority;
(ii) A public health authority or other appropriate government authority authorized by law to receive reports of child abuse or neglect;
(iii) A person subject to the jurisdiction of the Food and Drug Administration:
(A) To report adverse events (or similar reports with respect to food or dietary supplements), product defects or problems (including problems with the use or labeling of a product), or biological product deviations if the disclosure is made to the person required or directed to report such information to the Food and Drug Administration;
(B) To track products if the disclosure is made to a person required or directed by the Food and Drug Administration to track the product;
(C) To enable product recalls, repairs, or replacement (including locating and notifying individuals who have received products of product recalls, withdrawals, or other problems); or
(D) To conduct post marketing surveillance to comply with requirements or at the direction of the Food and Drug Administration;
(iv) A person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition, if the covered entity or public health authority is authorized by law to notify such person as necessary in the conduct of a public health intervention or investigation; or
(v) An employer, about an individual who is a member of the workforce of the employer, if:
(A) The covered entity is a covered health care provider who is a member of the workforce of such employer or who provides a health care to the individual at the request of the employer:
(
(
(B) The protected health information that is disclosed consists of findings concerning a work-related illness or injury or a workplace-related medical surveillance;
(C) The employer needs such findings in order to comply with its obligations, under 29 CFR parts 1904 through 1928, 30 CFR parts 50 through 90, or under state law having a similar purpose, to record such illness or injury or to carry out responsibilities for workplace medical surveillance;
(D) The covered health care provider provides written notice to the individual that protected health information relating to the medical surveillance of the workplace and work-related illnesses and injuries is disclosed to the employer:
(
(
(2)
(c)
(i) To the extent the disclosure is required by law and the disclosure complies with and is limited to the relevant requirements of such law;
(ii) If the individual agrees to the disclosure; or
(iii) To the extent the disclosure is expressly authorized by statute or regulation and:
(A) The covered entity, in the exercise of professional judgment, believes the disclosure is necessary to prevent serious harm to the individual or other potential victims; or
(B) If the individual is unable to agree because of incapacity, a law enforcement or other public official authorized to receive the report represents that the protected health information for which disclosure is sought is not intended to be used against the individual and that an immediate enforcement activity that depends upon the disclosure would be materially and adversely affected by waiting until the individual is able to agree to the disclosure.
(2)
(i) The covered entity, in the exercise of professional judgment, believes informing the individual would place the individual at risk of serious harm; or
(ii) The covered entity would be informing a personal representative, and the covered entity reasonably believes the personal representative is responsible for the abuse, neglect, or other injury, and that informing such person would not be in the best interests of the individual as determined by the covered entity, in the exercise of professional judgment.
(d)
(i) The health care system;
(ii) Government benefit programs for which health information is relevant to beneficiary eligibility;
(iii) Entities subject to government regulatory programs for which health information is necessary for determining compliance with program standards; or
(iv) Entities subject to civil rights laws for which health information is necessary for determining compliance.
(2)
(i) The receipt of health care;
(ii) A claim for public benefits related to health; or
(iii) Qualification for, or receipt of, public benefits or services when a patient's health is integral to the claim for public benefits or services.
(3)
(4)
(e)
(1)
(i) In response to an order of a court or administrative tribunal, provided that the covered entity discloses only the protected health information expressly authorized by such order; or
(ii) In response to a subpoena, discovery request, or other lawful process, that is not accompanied by an order of a court or administrative tribunal, if:
(A) The covered entity receives satisfactory assurance, as described in paragraph (e)(1)(iii) of this section, from the party seeking the information that reasonable efforts have been made by such party to ensure that the individual who is the subject of the protected health information that has been requested has been given notice of the request; or
(B) The covered entity receives satisfactory assurance, as described in paragraph (e)(1)(iv) of this section, from the party seeking the information that reasonable efforts have been made by such party to secure a qualified protective order that meets the requirements of paragraph (e)(1)(v) of this section.
(iii) For the purposes of paragraph (e)(1)(ii)(A) of this section, a covered entity receives satisfactory assurances from a party seeking protected health information if the covered entity receives from such party a written statement and accompanying documentation demonstrating that:
(A) The party requesting such information has made a good faith attempt to provide written notice to the individual (or, if the individual's location is unknown, to mail a notice to the individual's last known address);
(B) The notice included sufficient information about the litigation or proceeding in which the protected health information is requested to permit the individual to raise an objection to the court or administrative tribunal; and
(C) The time for the individual to raise objections to the court or administrative tribunal has elapsed, and:
(
(
(iv) For the purposes of paragraph (e)(1)(ii)(B) of this section, a covered entity receives satisfactory assurances from a party seeking protected health information, if the covered entity receives from such party a written statement and accompanying documentation demonstrating that:
(A) The parties to the dispute giving rise to the request for information have agreed to a qualified protective order and have presented it to the court or administrative tribunal with jurisdiction over the dispute; or
(B) The party seeking the protected health information has requested a qualified protective order from such court or administrative tribunal.
(v) For purposes of paragraph (e)(1) of this section, a qualified protective order means, with respect to protected health information requested under paragraph (e)(1)(ii) of this section, an order of a court or of an administrative tribunal or a stipulation by the parties to the litigation or administrative proceeding that:
(A) Prohibits the parties from using or disclosing the protected health information for any purpose other than the litigation or proceeding for which such information was requested; and
(B) Requires the return to the covered entity or destruction of the protected health information (including all copies made) at the end of the litigation or proceeding.
(vi) Notwithstanding paragraph (e)(1)(ii) of this section, a covered entity may disclose protected health information in response to lawful process described in paragraph (e)(1)(ii) of this
(2)
(f)
(1)
(i) As required by law including laws that require the reporting of certain types of wounds or other physical injuries, except for laws subject to paragraph (b)(1)(ii) or (c)(1)(i) of this section; or
(ii) In compliance with and as limited by the relevant requirements of:
(A) A court order or court-ordered warrant, or a subpoena or summons issued by a judicial officer;
(B) A grand jury subpoena; or
(C) An administrative request, including an administrative subpoena or summons, a civil or an authorized investigative demand, or similar process authorized under law, provided that:
(
(
(
(2)
(i) The covered entity may disclose only the following information:
(A) Name and address;
(B) Date and place of birth;
(C) Social security number;
(D) ABO blood type and rh factor;
(E) Type of injury;
(F) Date and time of treatment;
(G) Date and time of death, if applicable; and
(H) A description of distinguishing physical characteristics, including height, weight, gender, race, hair and eye color, presence or absence of facial hair (beard or moustache), scars, and tattoos.
(ii) Except as permitted by paragraph (f)(2)(i) of this section, the covered entity may not disclose for the purposes of identification or location under paragraph (f)(2) of this section any protected health information related to the individual's DNA or DNA analysis, dental records, or typing, samples or analysis of body fluids or tissue.
(3)
(ii) The individual agrees to the disclosure; or
(iii) The covered entity is unable to obtain the individual's agreement because of incapacity or other emergency circumstance, provided that:
(A) The law enforcement official represents that such information is needed to determine whether a violation of law by a person other than the victim has occurred, and such information is not intended to be used against the victim;
(B) The law enforcement official represents that immediate law enforcement activity that depends upon the
(C) The disclosure is in the best interests of the individual as determined by the covered entity, in the exercise of professional judgment.
(4)
(5)
(6)
(A) The commission and nature of a crime;
(B) The location of such crime or of the victim(s) of such crime; and
(C) The identity, description, and location of the perpetrator of such crime.
(ii) If a covered health care provider believes that the medical emergency described in paragraph (f)(6)(i) of this section is the result of abuse, neglect, or domestic violence of the individual in need of emergency health care, paragraph (f)(6)(i) of this section does not apply and any disclosure to a law enforcement official for law enforcement purposes is subject to paragraph (c) of this section.
(g)
(2)
(h)
(i)
(i)
(A) An Institutional Review Board (IRB), established in accordance with 7 CFR 1c.107, 10 CFR 745.107, 14 CFR 1230.107, 15 CFR 27.107, 16 CFR 1028.107, 21 CFR 56.107, 22 CFR 225.107, 24 CFR 60.107, 28 CFR 46.107, 32 CFR 219.107, 34 CFR 97.107, 38 CFR 16.107, 40 CFR 26.107, 45 CFR 46.107, 45 CFR 690.107, or 49 CFR 11.107; or
(B) A privacy board that:
(
(
(
(ii)
(A) Use or disclosure is sought solely to review protected health information as necessary to prepare a research protocol or for similar purposes preparatory to research;
(B) No protected health information is to be removed from the covered entity by the researcher in the course of the review; and
(C) The protected health information for which use or access is sought is necessary for the research purposes.
(iii)
(A) Representation that the use or disclosure is sought is solely for research on the protected health information of decedents;
(B) Documentation, at the request of the covered entity, of the death of such individuals; and
(C) Representation that the protected health information for which use or disclosure is sought is necessary for the research purposes.
(2)
(i)
(ii)
(A) The use or disclosure of protected health information involves no more than minimal risk to the individuals;
(B) The alteration or waiver will not adversely affect the privacy rights and the welfare of the individuals;
(C) The research could not practicably be conducted without the alteration or waiver;
(D) The research could not practicably be conducted without access to and use of the protected health information;
(E) The privacy risks to individuals whose protected health information is to be used or disclosed are reasonable in relation to the anticipated benefits if any to the individuals, and the importance of the knowledge that may reasonably be expected to result from the research;
(F) There is an adequate plan to protect the identifiers from improper use and disclosure;
(G) There is an adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers, or such retention is otherwise required by law; and
(H) There are adequate written assurances that the protected health information will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research project, or for other research for which the use or disclosure of protected health information would be permitted by this subpart.
(iii)
(iv)
(A) An IRB must follow the requirements of the Common Rule, including the normal review procedures (7 CFR 1c.108(b), 10 CFR 745.108(b), 14 CFR 1230.108(b), 15 CFR 27.108(b), 16 CFR 1028.108(b), 21 CFR 56.108(b), 22 CFR 225.108(b), 24 CFR 60.108(b), 28 CFR 46.108(b), 32 CFR 219.108(b), 34 CFR 97.108(b), 38 CFR 16.108(b), 40 CFR
(B) A privacy board must review the proposed research at convened meetings at which a majority of the privacy board members are present, including at least one member who satisfies the criterion stated in paragraph (i)(1)(i)(B)(2) of this section, and the alteration or waiver of authorization must be approved by the majority of the privacy board members present at the meeting, unless the privacy board elects to use an expedited review procedure in accordance with paragraph (i)(2)(iv)(C) of this section;
(C) A privacy board may use an expedited review procedure if the research involves no more than minimal risk to the privacy of the individuals who are the subject of the protected health information for which use or disclosure is being sought. If the privacy board elects to use an expedited review procedure, the review and approval of the alteration or waiver of authorization may be carried out by the chair of the privacy board, or by one or more members of the privacy board as designated by the chair; and
(v)
(j)
(i)(A) Is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public; and
(B) Is to a person or persons reasonably able to prevent or lessen the threat, including the target of the threat; or
(ii) Is necessary for law enforcement authorities to identify or apprehend an individual:
(A) Because of a statement by an individual admitting participation in a violent crime that the covered entity reasonably believes may have caused serious physical harm to the victim; or
(B) Where it appears from all the circumstances that the individual has escaped from a correctional institution or from lawful custody, as those terms are defined in § 164.501.
(2)
(i) In the course of treatment to affect the propensity to commit the criminal conduct that is the basis for the disclosure under paragraph (j)(1)(ii)(A) of this section, or counseling or therapy; or
(ii) Through a request by the individual to initiate or to be referred for the treatment, counseling, or therapy described in paragraph (j)(2)(i) of this section.
(3)
(4)
(k)
(A) Appropriate military command authorities; and
(B) The purposes for which the protected health information may be used or disclosed.
(ii)
(iii)
(iv)
(2)
(3)
(4)
(i) For the purpose of a required security clearance conducted pursuant to Executive Orders 10450 and 12698;
(ii) As necessary to determine worldwide availability or availability for mandatory service abroad under sections 101(a)(4) and 504 of the Foreign Service Act; or
(iii) For a family to accompany a Foreign Service member abroad, consistent with section 101(b)(5) and 904 of the Foreign Service Act.
(5)
(A) The provision of health care to such individuals;
(B) The health and safety of such individual or other inmates;
(C) The health and safety of the officers or employees of or others at the correctional institution;
(D) The health and safety of such individuals and officers or other persons responsible for the transporting of inmates or their transfer from one institution, facility, or setting to another;
(E) Law enforcement on the premises of the correctional institution; and
(F) The administration and maintenance of the safety, security, and good order of the correctional institution.
(ii)
(iii)
(6)
(ii) A covered entity that is a government agency administering a government program providing public benefits may disclose protected health information relating to the program to another covered entity that is a government agency administering a government program providing public benefits if the programs serve the same or similar populations and the disclosure of protected health information is necessary to coordinate the covered functions of such programs or to improve administration and management relating to the covered functions of such programs.
(l)
At 67 FR 53270, Aug. 14, 2002, § 164.512 was amended by revising the section heading and the first sentence of the introductory text; revising paragraph (b)(1)(iii); in paragraph (b)(1)(v)(A) removing the word “a” before the word “health”; adding the word “and” after the semicolon at the end of paragraph (b)(1)(v)(C); redesignating paragraphs (f)(3)(ii) and (iii) as (f)(3)(i) and (ii); in the second sentence of paragraph (g)(2) add the word “to” after the word “directors”; in paragraph (i)(1)(iii)(A) removing the word “is” after the word “disclosure”; revising paragraph (i)(2)(ii); in paragraph (i)(2)(iii) remove “(i)(2)(ii)(D)” and add in its place “(i)(2)(ii)(C)”, effective Oct. 15, 2002. For the convenience of the user, the revised text is set forth as follows:
A covered entity may use or disclose protected health information without the written authorization of the individual, as described in § 164.508, or the opportunity for the individual to agree or object as described in § 164.510, in the situations covered by this section, subject to the applicable requirements of this section. * * *
(b)
(1)
(iii) A person subject to the jurisdiction of the Food and Drug Administration (FDA) with respect to an FDA-regulated product or activity for which that person has responsibility, for the purpose of activities related to the quality, safety or effectiveness of such FDA-regulated product or activity. Such purposes include:
(A) To collect or report adverse events (or similar activities with respect to food or dietary supplements), product defects or problems (including problems with the use or labeling of a product), or biological product deviations;
(B) To track FDA-regulated products;
(C) To enable product recalls, repairs, or replacement, or lookback (including locating and notifying individuals who have received products that have been recalled, withdrawn, or are the subject of lookback); or
(D) To conduct post marketing surveillance;
(i)
(2)
(ii)
(A) The use or disclosure of protected health information involves no more than a minimal risk to the privacy of individuals, based on, at least, the presence of the following elements;
(
(
(
(B) The research could not practicably be conducted without the waiver or alteration; and
(C) The research could not practicably be conducted without access to and use of the protected health information.
(a)
(b)
(1) A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable:
(i) Applying such principles and methods, determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information; and
(ii) Documents the methods and results of the analysis that justify such determination; or
(2)(i) The following identifiers of the individual or of relatives, employers, or household members of the individual, are removed:
(A) Names;
(B) All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census:
(
(
(C) All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
(D) Telephone numbers;
(E) Fax numbers;
(F) Electronic mail addresses;
(G) Social security numbers;
(H) Medical record numbers;
(I) Health plan beneficiary numbers;
(J) Account numbers;
(K) Certificate/license numbers;
(L) Vehicle identifiers and serial numbers, including license plate numbers;
(M) Device identifiers and serial numbers;
(N) Web Universal Resource Locators (URLs);
(O) Internet Protocol (IP) address numbers;
(P) Biometric identifiers, including finger and voice prints;
(Q) Full face photographic images and any comparable images; and
(R) Any other unique identifying number, characteristic, or code; and
(ii) The covered entity does not have actual knowledge that the information could be used alone or in combination
(c)
(1)
(2)
(d)(1)
(2)
(A) Those persons or classes of persons, as appropriate, in its workforce who need access to protected health information to carry out their duties; and
(B) For each such person or class of persons, the category or categories of protected health information to which access is needed and any conditions appropriate to such access.
(ii) A covered entity must make reasonable efforts to limit the access of such persons or classes identified in paragraph (d)(2)(i)(A) of this section to protected health information consistent with paragraph (d)(2)(i)(B) of this section.
(3)
(ii) For all other disclosures, a covered entity must:
(A) Develop criteria designed to limit the protected health information disclosed to the information reasonably necessary to accomplish the purpose for which disclosure is sought; and
(B) Review requests for disclosure on an individual basis in accordance with such criteria.
(iii) A covered entity may rely, if such reliance is reasonable under the circumstances, on a requested disclosure as the minimum necessary for the stated purpose when:
(A) Making disclosures to public officials that are permitted under § 164.512, if the public official represents that the information requested is the minimum necessary for the stated purpose(s);
(B) The information is requested by another covered entity;
(C) The information is requested by a professional who is a member of its workforce or is a business associate of the covered entity for the purpose of providing professional services to the covered entity, if the professional represents that the information requested is the minimum necessary for the stated purpose(s); or
(D) Documentation or representations that comply with the applicable requirements of § 164.512(i) have been provided by a person requesting the information for research purposes.
(4)
(ii) For a request that is made on a routine and recurring basis, a covered entity must implement policies and procedures (which may be standard protocols) that limit the protected health information requested to the amount reasonably necessary to accomplish the purpose for which the request is made.
(iii) For all other requests, a covered entity must review the request on an
(5)
(e)(1)
(2)
(A) Occurs in a face-to-face encounter with the individual;
(B) Concerns products or services of nominal value; or
(C) Concerns the health-related products and services of the covered entity or of a third party and the communication meets the applicable conditions in paragraph (e)(3) of this section.
(ii) A covered entity may disclose protected health information for purposes of such communications only to a business associate that assists the covered entity with such communications.
(3)
(i) The communication must:
(A) Identify the covered entity as the party making the communication;
(B) If the covered entity has received or will receive direct or indirect remuneration for making the communication, prominently state that fact; and
(C) Except when the communication is contained in a newsletter or similar type of general communication device that the covered entity distributes to a broad cross-section of patients, enrollees, or other broad groups of individuals, contain instructions describing how the individual may opt out of receiving future such communications.
(ii) If the covered entity uses or discloses protected health information to target the communication to individuals based on their health status or condition:
(A) The covered entity must make a determination prior to making the communication that the product or service being marketed may be beneficial to the health of the type or class of individual targeted; and
(B) The communication must explain why the individual has been targeted and how the product or service relates to the health of the individual.
(iii) The covered entity must make reasonable efforts to ensure that individuals who decide to opt out of receiving future marketing communications, under paragraph (e)(3)(i)(C) of this section, are not sent such communications.
(f)(1)
(i) Demographic information relating to an individual; and
(ii) Dates of health care provided to an individual.
(2)
(ii) The covered entity must include in any fundraising materials it sends to an individual under this paragraph a description of how the individual may opt out of receiving any further fundraising communications.
(iii) The covered entity must make reasonable efforts to ensure that individuals who decide to opt out of receiving future fundraising communications are not sent such communications.
(g)
(h)(1)
(i) Except with respect to disclosures under § 164.510, verify the identity of a person requesting protected health information and the authority of any such person to have access to protected health information under this subpart, if the identity or any such authority of such person is not known to the covered entity; and
(ii) Obtain any documentation, statements, or representations, whether oral or written, from the person requesting the protected health information when such documentation, statement, or representation is a condition of the disclosure under this subpart.
(2)
(A) The conditions in § 164.512(f)(1)(ii)(C) may be satisfied by the administrative subpoena or similar process or by a separate written statement that, on its face, demonstrates that the applicable requirements have been met.
(B) The documentation required by § 164.512(i)(2) may be satisfied by one or more written statements, provided that each is appropriately dated and signed in accordance with § 164.512(i)(2)(i) and (v).
(ii)
(A) If the request is made in person, presentation of an agency identification badge, other official credentials, or other proof of government status;
(B) If the request is in writing, the request is on the appropriate government letterhead; or
(C) If the disclosure is to a person acting on behalf of a public official, a written statement on appropriate government letterhead that the person is acting under the government's authority or other evidence or documentation of agency, such as a contract for services, memorandum of understanding, or purchase order, that establishes that the person is acting on behalf of the public official.
(iii)
(A) A written statement of the legal authority under which the information is requested, or, if a written statement would be impracticable, an oral statement of such legal authority;
(B) A request that is made pursuant to legal process, warrant, subpoena, order, or other legal process issued by a grand jury or a judicial or administrative tribunal is presumed to constitute legal authority.
(iv)
At 67 FR 53270, Aug. 14, 2002, § 164.514 was amended by revising paragraphs (b)(2)(i)(R), (d)(1), (d)(4)(iii), and (e); and in paragraph (d)(5), removing the word “discloses” and adding in its place the word “disclose”, effective Oct. 15, 2002. For the convenience of the user, the revised text is set forth as follows:
(b)
(2)(i) * * *
(R) Any other unique identifying number, characteristic, or code, except as permitted by paragraph (c) of this section; and
(d)(1)
(4)
(iii) For all other requests, a covered entity must:
(A) Develop criteria designed to limit the request for protected health information to the information reasonably necessary to accomplish the purpose for which the request is made; and
(B) Review requests for disclosure on an individual basis in accordance with such criteria.
(e) (1)
(2)
(i) Names;
(ii) Postal address information, other than town or city, State, and zip code;
(iii) Telephone numbers;
(iv) Fax numbers;
(v) Electronic mail addresses;
(vi) Social security numbers;
(vii) Medical record numbers;
(viii) Health plan beneficiary numbers;
(ix) Account numbers;
(x) Certificate/license numbers;
(xi) Vehicle identifiers and serial numbers, including license plate numbers;
(xii) Device identifiers and serial numbers;
(xiii) Web Universal Resource Locators (URLs);
(xiv) Internet Protocol (IP) address numbers;
(xv) Biometric identifiers, including finger and voice prints; and
(xvi) Full face photographic images and any comparable images.
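The following Python example is added here and is not part of the regulatory text. It applies the identifier-removal rules of § 164.514(b)(2)(i) (de-identification) and of the limited data set list in paragraph (e)(2) to the same record, so the difference between the two outputs is visible. The field names, the allow-list design, and the caller-supplied set of permitted three-digit zip prefixes are assumptions of the example; the Census conditions for keeping a prefix are not reproduced on this page, so the caller must supply that set.

```python
from datetime import date

# Hypothetical record layout: every field name below is an assumption of this
# example; the regulation names categories of identifiers, not column names.
DIRECT_IDENTIFIERS = frozenset({
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip_address", "biometric_id", "photo",
})
DATE_FIELDS = ("birth_date", "admission_date", "discharge_date", "death_date")

# Allow-lists (a design choice of this example): any field not named here is
# dropped, which also removes free text and unrecognised codes that could fall
# under "any other unique identifying number, characteristic, or code".
SAFE_HARBOR_KEEP = frozenset({"state", "diagnosis_code"})
LIMITED_SET_KEEP = SAFE_HARBOR_KEEP | set(DATE_FIELDS) | {"city", "zip", "age"}


def _age_on(birth_iso, as_of):
    """Age in completed years on the reference date."""
    born = date.fromisoformat(birth_iso)
    return as_of.year - born.year - ((as_of.month, as_of.day) < (born.month, born.day))


def safe_harbor(record, as_of, allowed_zip3=frozenset()):
    """Apply the (b)(2)(i) removals to one record.

    allowed_zip3 holds the three-digit zip prefixes the caller has determined
    may be retained; with the default empty set every zip code is dropped.
    """
    out = {k: v for k, v in record.items() if k in SAFE_HARBOR_KEEP}

    age = record.get("age")
    if age is None and record.get("birth_date"):
        age = _age_on(record["birth_date"], as_of)
    over_89 = age is not None and age > 89
    if age is not None:
        out["age"] = "90+" if over_89 else age  # single category for 90 or older

    for field in DATE_FIELDS:
        value = record.get(field)
        if not value:
            continue
        if field == "birth_date" and over_89:
            continue  # the birth year itself would indicate an age over 89
        out[field.replace("_date", "_year")] = date.fromisoformat(value).year

    digits = "".join(ch for ch in str(record.get("zip", "")) if ch.isdigit())
    if len(digits) >= 5 and digits[:3] in allowed_zip3:
        out["zip3"] = digits[:3]
    return out


def limited_data_set(record):
    """Apply the (e)(2) exclusions: direct identifiers go; dates, town or
    city, State and zip code stay."""
    return {k: v for k, v in record.items() if k in LIMITED_SET_KEEP}


def leaked_identifiers(record):
    """Release check: direct-identifier fields still present in an output."""
    return sorted(set(record) & DIRECT_IDENTIFIERS)


# Constructed sample record; none of these values refer to a real person.
SAMPLE = {
    "name": "Jane Example", "ssn": "000-00-0000", "mrn": "MRN-CONSTRUCTED-1",
    "email": "jane@example.invalid", "street_address": "1 Constructed Way",
    "city": "Springfield", "state": "IL", "zip": "62704-1234",
    "birth_date": "1931-05-17", "admission_date": "2024-02-03",
    "diagnosis_code": "I10", "notes": "free text that may contain identifiers",
}

if __name__ == "__main__":
    as_of = date(2024, 6, 1)
    print("safe harbor     :", safe_harbor(SAMPLE, as_of, allowed_zip3={"627"}))
    print("limited data set:", limited_data_set(SAMPLE))
    print("leak check      :", leaked_identifiers(limited_data_set(SAMPLE)))
```

Removing the listed fields does not by itself address paragraph (b)(2)(ii), which turns on the covered entity's actual knowledge and cannot be checked in code.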
(3)
(ii) A covered entity may use protected health information to create a limited data set that meets the requirements of paragraph (e)(2) of this section, or disclose protected health information only to a business associate for such purpose, whether or not the limited data set is to be used by the covered entity.
(4)
(ii)
(A) Establish the permitted uses and disclosures of such information by the limited data set recipient, consistent with paragraph (e)(3) of this section. The data use agreement may not authorize the limited data set recipient to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity;
(B) Establish who is permitted to use or receive the limited data set; and
(C) Provide that the limited data set recipient will:
(
(
(
(
(
(iii)
(1) Discontinued disclosure of protected health information to the recipient; and
(2) Reported the problem to the Secretary.
(B) A covered entity that is a limited data set recipient and violates a data use agreement will be in noncompliance with the standards, implementation specifications, and requirements of paragraph (e) of this section.
(a)
(2)
(A) From the group health plan, if, and to the extent that, such an individual does not receive health benefits under the group health plan through an insurance contract with a health insurance issuer or HMO; or
(B) From the health insurance issuer or HMO with respect to the group health plan through which such individuals receive their health benefits under the group health plan.
(ii) A group health plan that provides health benefits solely through an insurance contract with a health insurance issuer or HMO, and that creates or receives protected health information in addition to summary health information as defined in § 164.504(a) or information on whether the individual is participating in the group health plan, or is enrolled in or has disenrolled from a health insurance issuer or HMO offered by the plan, must:
(A) Maintain a notice under this section; and
(B) Provide such notice upon request to any person. The provisions of paragraph (c)(1) of this section do not apply to such group health plan.
(iii) A group health plan that provides health benefits solely through an insurance contract with a health insurance issuer or HMO, and does not create or receive protected health information other than summary health information as defined in § 164.504(a) or information on whether an individual is participating in the group health plan, or is enrolled in or has disenrolled from a health insurance issuer or HMO offered by the plan, is not required to maintain or provide a notice under this section.
(3)
(b)
(i)
(ii)
(A) A description, including at least one example, of the types of uses and disclosures that the covered entity is permitted by this subpart to make for
(B) A description of each of the other purposes for which the covered entity is permitted or required by this subpart to use or disclose protected health information without the individual's written consent or authorization.
(C) If a use or disclosure for any purpose described in paragraphs (b)(1)(ii)(A) or (B) of this section is prohibited or materially limited by other applicable law, the description of such use or disclosure must reflect the more stringent law as defined in § 160.202 of this subchapter.
(D) For each purpose described in paragraph (b)(1)(ii)(A) or (B) of this section, the description must include sufficient detail to place the individual on notice of the uses and disclosures that are permitted or required by this subpart and other applicable law.
(E) A statement that other uses and disclosures will be made only with the individual's written authorization and that the individual may revoke such authorization as provided by § 164.508(b)(5).
(iii)
(A) The covered entity may contact the individual to provide appointment reminders or information about treatment alternatives or other health-related benefits and services that may be of interest to the individual;
(B) The covered entity may contact the individual to raise funds for the covered entity; or
(C) A group health plan, or a health insurance issuer or HMO with respect to a group health plan, may disclose protected health information to the sponsor of the plan.
(iv)
(A) The right to request restrictions on certain uses and disclosures of protected health information as provided by § 164.522(a), including a statement that the covered entity is not required to agree to a requested restriction;
(B) The right to receive confidential communications of protected health information as provided by § 164.522(b), as applicable;
(C) The right to inspect and copy protected health information as provided by § 164.524;
(D) The right to amend protected health information as provided by § 164.526;
(E) The right to receive an accounting of disclosures of protected health information as provided by § 164.528; and
(F) The right of an individual, including an individual who has agreed to receive the notice electronically in accordance with paragraph (c)(3) of this section, to obtain a paper copy of the notice from the covered entity upon request.
(v)
(A) A statement that the covered entity is required by law to maintain the privacy of protected health information and to provide individuals with notice of its legal duties and privacy practices with respect to protected health information;
(B) A statement that the covered entity is required to abide by the terms of the notice currently in effect; and
(C) For the covered entity to apply a change in a privacy practice that is described in the notice to protected health information that the covered entity created or received prior to issuing a revised notice, in accordance with § 164.530(i)(2)(ii), a statement that it reserves the right to change the terms of its notice and to make the new notice provisions effective for all protected health information that it maintains. The statement must also describe how it will provide individuals with a revised notice.
(vi)
(vii)
(viii)
(2)
(ii) For the covered entity to apply a change in its more limited uses and disclosures to protected health information created or received prior to issuing a revised notice, in accordance with § 164.530(i)(2)(ii), the notice must include the statements required by paragraph (b)(1)(v)(C) of this section.
(3)
(c)
(1)
(A) No later than the compliance date for the health plan, to individuals then covered by the plan;
(B) Thereafter, at the time of enrollment, to individuals who are new enrollees; and
(C) Within 60 days of a material revision to the notice, to individuals then covered by the plan.
(ii) No less frequently than once every three years, the health plan must notify individuals then covered by the plan of the availability of the notice and how to obtain the notice.
(iii) The health plan satisfies the requirements of paragraph (c)(1) of this section if notice is provided to the named insured of a policy under which coverage is provided to the named insured and one or more dependents.
(iv) If a health plan has more than one notice, it satisfies the requirements of paragraph (c)(1) of this section by providing the notice that is relevant to the individual or other person requesting the notice.
(2)
(i) Provide the notice no later than the date of the first service delivery, including service delivered electronically, to such individual after the compliance date for the covered health care provider;
(ii) If the covered health care provider maintains a physical service delivery site:
(A) Have the notice available at the service delivery site for individuals to request to take with them; and
(B) Post the notice in a clear and prominent location where it is reasonable to expect individuals seeking service from the covered health care provider to be able to read the notice; and
(iii) Whenever the notice is revised, make the notice available upon request on or after the effective date of the revision and promptly comply with the requirements of paragraph (c)(2)(ii) of this section, if applicable.
(3)
(ii) A covered entity may provide the notice required by this section to an individual by e-mail, if the individual agrees to electronic notice and such agreement has not been withdrawn. If the covered entity knows that the e-mail transmission has failed, a paper copy of the notice must be provided to the individual. Provision of electronic notice by the covered entity will satisfy the provision requirements of paragraph (c) of this section when timely made in accordance with paragraph (c)(1) or (2) of this section.
(iii) For purposes of paragraph (c)(2)(i) of this section, if the first service delivery to an individual is delivered electronically, the covered health care provider must provide electronic notice automatically and contemporaneously in response to the individual's first request for service.
(iv) The individual who is the recipient of electronic notice retains the right to obtain a paper copy of the notice from a covered entity upon request.
(d)
(1) The covered entities participating in the organized health care arrangement agree to abide by the terms of the notice with respect to protected health information created or received by the covered entity as part of its participation in the organized health care arrangement;
(2) The joint notice meets the implementation specifications in paragraph (b) of this section, except that the statements required by this section may be altered to reflect the fact that the notice covers more than one covered entity; and
(i) Describes with reasonable specificity the covered entities, or class of entities, to which the joint notice applies;
(ii) Describes with reasonable specificity the service delivery sites, or classes of service delivery sites, to which the joint notice applies; and
(iii) If applicable, states that the covered entities participating in the organized health care arrangement will share protected health information with each other, as necessary to carry out treatment, payment, or health care operations relating to the organized health care arrangement.
(3) The covered entities included in the joint notice must provide the notice to individuals in accordance with the applicable implementation specifications of paragraph (c) of this section. Provision of the joint notice to an individual by any one of the covered entities included in the joint notice will satisfy the provision requirement of paragraph (c) of this section with respect to all others covered by the joint notice.
(e)
At 67 FR 53271, Aug. 14, 2002, § 164.520, was amended by removing the words “consent or” from paragraph (b)(1)(ii)(B); in paragraph (c), introductory text, remove “(c)(4)” and add in its place “(c)(3)”; revising paragraph (c)(2)(i); redesignating paragraphs (c)(2)(ii) and (iii) as (c)(2)(iii) and (iv); adding new paragraph (c)(2)(ii); amend redesignated paragraph (c)(2)(iv) by removing “(c)(2)(ii)” and adding in its place “(c)(2)(iii)”; amend paragraph (c)(3)(iii) by adding a sentence at the end; revising paragraph (e), effective Oct. 15, 2002. For the convenience of the user, the added and revised text is set forth as follows:
(c)
(2)
(i) Provide the notice:
(A) No later than the date of the first service delivery, including service delivered electronically, to such individual after the compliance date for the covered health care provider; or
(B) In an emergency treatment situation, as soon as reasonably practicable after the emergency treatment situation.
(ii) Except in an emergency treatment situation, make a good faith effort to obtain a written acknowledgment of receipt of the notice provided in accordance with paragraph (c)(2)(i) of this section, and if not obtained, document its good faith efforts to obtain
(3)
(iii) * * * The requirements in paragraph (c)(2)(ii) of this section apply to electronic notice.
(e)
(a)(1)
(A) Uses or disclosures of protected health information about the individual to carry out treatment, payment, or health care operations; and
(B) Disclosures permitted under § 164.510(b).
(ii) A covered entity is not required to agree to a restriction.
(iii) A covered entity that agrees to a restriction under paragraph (a)(1)(i) of this section may not use or disclose protected health information in violation of such restriction, except that, if the individual who requested the restriction is in need of emergency treatment and the restricted protected health information is needed to provide the emergency treatment, the covered entity may use the restricted protected health information, or may disclose such information to a health care provider, to provide such treatment to the individual.
(iv) If restricted protected health information is disclosed to a health care provider for emergency treatment under paragraph (a)(1)(iii) of this section, the covered entity must request that such health care provider not further use or disclose the information.
(v) A restriction agreed to by a covered entity under paragraph (a) of this section, is not effective under this subpart to prevent uses or disclosures permitted or required under §§ 164.502(a)(2)(i), 164.510(a) or 164.512.
(2)
(i) The individual agrees to or requests the termination in writing;
(ii) The individual orally agrees to the termination and the oral agreement is documented; or
(iii) The covered entity informs the individual that it is terminating its agreement to a restriction, except that such termination is only effective with respect to protected health information created or received after it has so informed the individual.
(3)
(b)(1)
(ii) A health plan must permit individuals to request and must accommodate reasonable requests by individuals to receive communications of protected health information from the health plan by alternative means or at alternative locations, if the individual clearly states that the disclosure of all or part of that information could endanger the individual.
(2)
(i) A covered entity may require the individual to make a request for a confidential communication described in paragraph (b)(1) of this section in writing.
(ii) A covered entity may condition the provision of a reasonable accommodation on:
(A) When appropriate, information as to how payment, if any, will be handled; and
(B) Specification of an alternative address or other method of contact.
(iii) A covered health care provider may not require an explanation from the individual as to the basis for the request as a condition of providing communications on a confidential basis.
(iv) A health plan may require that a request contain a statement that disclosure of all or part of the information to which the request pertains could endanger the individual.
At 67 FR 53271, Aug. 14, 2002, § 164.522, was amended by removing the reference to “164.502(a)(2)(i)” in paragraph (a)(1)(v), and adding in its place “164.502(a)(2)(ii)”, effective Oct. 15, 2002.
(a)
(i) Psychotherapy notes;
(ii) Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding; and
(iii) Protected health information maintained by a covered entity that is:
(A) Subject to the Clinical Laboratory Improvements Amendments of 1988, 42 U.S.C. 263a, to the extent the provision of access to the individual would be prohibited by law; or
(B) Exempt from the Clinical Laboratory Improvements Amendments of 1988, pursuant to 42 CFR 493.3(a)(2).
(2)
(i) The protected health information is excepted from the right of access by paragraph (a)(1) of this section.
(ii) A covered entity that is a correctional institution or a covered health care provider acting under the direction of the correctional institution may deny, in whole or in part, an inmate's request to obtain a copy of protected health information, if obtaining such copy would jeopardize the health, safety, security, custody, or rehabilitation of the individual or of other inmates, or the safety of any officer, employee, or other person at the correctional institution or responsible for the transporting of the inmate.
(iii) An individual's access to protected health information created or obtained by a covered health care provider in the course of research that includes treatment may be temporarily suspended for as long as the research is in progress, provided that the individual has agreed to the denial of access when consenting to participate in the research that includes treatment, and the covered health care provider has informed the individual that the right of access will be reinstated upon completion of the research.
(iv) An individual's access to protected health information that is contained in records that are subject to the Privacy Act, 5 U.S.C. 552a, may be denied, if the denial of access under the Privacy Act would meet the requirements of that law.
(v) An individual's access may be denied if the protected health information was obtained from someone other than a health care provider under a promise of confidentiality and the access requested would be reasonably likely to reveal the source of the information.
(3)
(i) A licensed health care professional has determined, in the exercise of professional judgment, that the access requested is reasonably likely to endanger the life or physical safety of the individual or another person;
(ii) The protected health information makes reference to another person (unless such other person is a health care
(iii) The request for access is made by the individual's personal representative and a licensed health care professional has determined, in the exercise of professional judgment, that the provision of access to such personal representative is reasonably likely to cause substantial harm to the individual or another person.
(4)
(b)
(2)
(A) If the covered entity grants the request, in whole or in part, it must inform the individual of the acceptance of the request and provide the access requested, in accordance with paragraph (c) of this section.
(B) If the covered entity denies the request, in whole or in part, it must provide the individual with a written denial, in accordance with paragraph (d) of this section.
(ii) If the request for access is for protected health information that is not maintained or accessible to the covered entity on-site, the covered entity must take an action required by paragraph (b)(2)(i) of this section by no later than 60 days from the receipt of such a request.
(iii) If the covered entity is unable to take an action required by paragraph (b)(2)(i)(A) or (B) of this section within the time required by paragraph (b)(2)(i) or (ii) of this section, as applicable, the covered entity may extend the time for such actions by no more than 30 days, provided that:
(A) The covered entity, within the time limit set by paragraph (b)(2)(i) or (ii) of this section, as applicable, provides the individual with a written statement of the reasons for the delay and the date by which the covered entity will complete its action on the request; and
(B) The covered entity may have only one such extension of time for action on a request for access.
(c)
(1)
(2)
(ii) The covered entity may provide the individual with a summary of the
(A) The individual agrees in advance to such a summary or explanation; and
(B) The individual agrees in advance to the fees imposed, if any, by the covered entity for such summary or explanation.
(3)
(4)
(i) Copying, including the cost of supplies for and labor of copying, the protected health information requested by the individual;
(ii) Postage, when the individual has requested the copy, or the summary or explanation, be mailed; and
(iii) Preparing an explanation or summary of the protected health information, if agreed to by the individual as required by paragraph (c)(2)(ii) of this section.
(d)
(1)
(2)
(i) The basis for the denial;
(ii) If applicable, a statement of the individual's review rights under paragraph (a)(4) of this section, including a description of how the individual may exercise such review rights; and
(iii) A description of how the individual may complain to the covered entity pursuant to the complaint procedures in § 164.530(d) or to the Secretary pursuant to the procedures in § 160.306. The description must include the name, or title, and telephone number of the contact person or office designated in § 164.530(a)(1)(ii).
(3)
(4) Review of denial requested. If the individual has requested a review of a denial under paragraph (a)(4) of this section, the covered entity must designate a licensed health care professional, who was not directly involved in the denial to review the decision to deny access. The covered entity must promptly refer a request for review to such designated reviewing official. The designated reviewing official must determine, within a reasonable period of time, whether or not to deny the access requested based on the standards in paragraph (a)(3) of this section. The covered entity must promptly provide written notice to the individual of the determination of the designated reviewing official and take other action as required by this section to carry out the designated reviewing official's determination.
(e)
(1) The designated record sets that are subject to access by individuals; and
(2) The titles of the persons or offices responsible for receiving and processing requests for access by individuals.
(a)
(2)
(i) Was not created by the covered entity, unless the individual provides a reasonable basis to believe that the originator of protected health information is no longer available to act on the requested amendment;
(ii) Is not part of the designated record set;
(iii) Would not be available for inspection under § 164.524; or
(iv) Is accurate and complete.
(b)
(2)
(A) If the covered entity grants the requested amendment, in whole or in part, it must take the actions required by paragraphs (c)(1) and (2) of this section.
(B) If the covered entity denies the requested amendment, in whole or in part, it must provide the individual with a written denial, in accordance with paragraph (d)(1) of this section.
(ii) If the covered entity is unable to act on the amendment within the time required by paragraph (b)(2)(i) of this section, the covered entity may extend the time for such action by no more than 30 days, provided that:
(A) The covered entity, within the time limit set by paragraph (b)(2)(i) of this section, provides the individual with a written statement of the reasons for the delay and the date by which the covered entity will complete its action on the request; and
(B) The covered entity may have only one such extension of time for action on a request for an amendment.
(c)
(1)
(2)
(3)
(i) Persons identified by the individual as having received protected health information about the individual and needing the amendment; and
(ii) Persons, including business associates, that the covered entity knows have the protected health information
(d)
(1)
(i) The basis for the denial, in accordance with paragraph (a)(2) of this section;
(ii) The individual's right to submit a written statement disagreeing with the denial and how the individual may file such a statement;
(iii) A statement that, if the individual does not submit a statement of disagreement, the individual may request that the covered entity provide the individual's request for amendment and the denial with any future disclosures of the protected health information that is the subject of the amendment; and
(iv) A description of how the individual may complain to the covered entity pursuant to the complaint procedures established in § 164.530(d) or to the Secretary pursuant to the procedures established in § 160.306. The description must include the name, or title, and telephone number of the contact person or office designated in § 164.530(a)(1)(ii).
(2)
(3)
(4)
(5)
(ii) If the individual has not submitted a written statement of disagreement, the covered entity must include the individual's request for amendment and its denial, or an accurate summary of such information, with any subsequent disclosure of the protected health information only if the individual has requested such action in accordance with paragraph (d)(1)(iii) of this section.
(iii) When a subsequent disclosure described in paragraph (d)(5)(i) or (ii) of this section is made using a standard transaction under part 162 of this subchapter that does not permit the additional material to be included with the disclosure, the covered entity may separately transmit the material required by paragraph (d)(5)(i) or (ii) of this section, as applicable, to the recipient of the standard transaction.
(e)
(f)
(a)
(i) To carry out treatment, payment and health care operations as provided in § 164.502;
(ii) To individuals of protected health information about them as provided in § 164.502;
(iii) For the facility's directory or to persons involved in the individual's care or other notification purposes as provided in § 164.510;
(iv) For national security or intelligence purposes as provided in § 164.512(k)(2);
(v) To correctional institutions or law enforcement officials as provided in § 164.512(k)(5); or
(vi) That occurred prior to the compliance date for the covered entity.
(2)(i) The covered entity must temporarily suspend an individual's right to receive an accounting of disclosures to a health oversight agency or law enforcement official, as provided in § 164.512(d) or (f), respectively, for the time specified by such agency or official, if such agency or official provides the covered entity with a written statement that such an accounting to the individual would be reasonably likely to impede the agency's activities and specifying the time for which such a suspension is required.
(ii) If the agency or official statement in paragraph (a)(2)(i) of this section is made orally, the covered entity must:
(A) Document the statement, including the identity of the agency or official making the statement;
(B) Temporarily suspend the individual's right to an accounting of disclosures subject to the statement; and
(C) Limit the temporary suspension to no longer than 30 days from the date of the oral statement, unless a written statement pursuant to paragraph (a)(2)(i) of this section is submitted during that time.
(3) An individual may request an accounting of disclosures for a period of time less than six years from the date of the request.
(b)
(1) Except as otherwise provided by paragraph (a) of this section, the accounting must include disclosures of protected health information that occurred during the six years (or such shorter time period at the request of the individual as provided in paragraph (a)(3) of this section) prior to the date of the request for an accounting, including disclosures to or by business associates of the covered entity.
(2) The accounting must include for each disclosure:
(i) The date of the disclosure;
(ii) The name of the entity or person who received the protected health information and, if known, the address of such entity or person;
(iii) A brief description of the protected health information disclosed; and
(iv) A brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure; or, in lieu of such statement:
(A) A copy of the individual's written authorization pursuant to § 164.508; or
(B) A copy of a written request for a disclosure under §§ 164.502(a)(2)(ii) or 164.512, if any.
(3) If, during the period covered by the accounting, the covered entity has made multiple disclosures of protected health information to the same person or entity for a single purpose under §§ 164.502(a)(2)(ii) or 164.512, or pursuant to a single authorization under § 164.508, the accounting may, with respect to such multiple disclosures, provide:
(i) The information required by paragraph (b)(2) of this section for the first disclosure during the accounting period;
(ii) The frequency, periodicity, or number of the disclosures made during the accounting period; and
(iii) The date of the last such disclosure during the accounting period.
(c)
(i) The covered entity must provide the individual with the accounting requested; or
(ii) If the covered entity is unable to provide the accounting within the time required by paragraph (c)(1) of this section, the covered entity may extend the time to provide the accounting by no more than 30 days, provided that:
(A) The covered entity, within the time limit set by paragraph (c)(1) of this section, provides the individual with a written statement of the reasons for the delay and the date by which the covered entity will provide the accounting; and
(B) The covered entity may have only one such extension of time for action on a request for an accounting.
(2) The covered entity must provide the first accounting to an individual in any 12 month period without charge. The covered entity may impose a reasonable, cost-based fee for each subsequent request for an accounting by the same individual within the 12 month period, provided that the covered entity informs the individual in advance of the fee and provides the individual with an opportunity to withdraw or modify the request for a subsequent accounting in order to avoid or reduce the fee.
(d)
(1) The information required to be included in an accounting under paragraph (b) of this section for disclosures of protected health information that are subject to an accounting under paragraph (a) of this section;
(2) The written accounting that is provided to the individual under this section; and
(3) The titles of the persons or offices responsible for receiving and processing requests for an accounting by individuals.
At 67 FR 53271, Aug. 14, 2002, § 164.528, was amended in paragraph (a)(1)(i), by removing “§ 164.502” and adding in its place “§ 164.506”; removing the word “or” from paragraph (a)(1)(v); redesignating paragraph (a)(1)(vi) as (a)(1)(ix) and redesignating paragraphs (a)(1)(iii) through (v) as (a)(1)(v) through (vii); adding paragraphs (a)(1)(iii), (iv), and (a)(1)(viii); revising paragraphs (b)(2), introductory text and (b)(2)(iv); removing “or pursuant to a single authorization under § 164.508,” from paragraph (b)(3), introductory text; and adding paragraph (b)(4), effective Oct. 15, 2002. For the convenience of the user, the added and revised text is set forth as follows:
(a)
(1) * * *
(iii) Incident to a use or disclosure otherwise permitted or required by this subpart, as provided in § 164.502;
(iv) Pursuant to an authorization as provided in § 164.508;
(viii) As part of a limited data set in accordance with § 164.514(e); or
(b)
(2) Except as otherwise provided by paragraphs (b)(3) or (b)(4) of this section, the accounting must include for each disclosure:
(iv) A brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure or, in lieu of such statement, a copy of a written request for a disclosure under §§ 164.502(a)(2)(ii) or 164.512, if any.
(4)(i) If, during the period covered by the accounting, the covered entity has made disclosures of protected health information for a particular research purpose in accordance with § 164.512(i) for 50 or more individuals, the accounting may, with respect to such disclosures for which the protected health information about the individual may have been included, provide:
(A) The name of the protocol or other research activity;
(B) A description, in plain language, of the research protocol or other research activity, including the purpose of the research and the criteria for selecting particular records;
(C) A brief description of the type of protected health information that was disclosed;
(D) The date or period of time during which such disclosures occurred, or may have occurred, including the date of the last such disclosure during the accounting period;
(E) The name, address, and telephone number of the entity that sponsored the research and of the researcher to whom the information was disclosed; and
(F) A statement that the protected health information of the individual may or may not have been disclosed for a particular protocol or other research activity.
(ii) If the covered entity provides an accounting for research disclosures, in accordance with paragraph (b)(4) of this section, and if it is reasonably likely that the protected health information of the individual was disclosed for such research protocol or activity, the covered entity shall, at the request of the individual, assist in contacting the entity that sponsored the research and the researcher.
(a)(1)
(ii) A covered entity must designate a contact person or office who is responsible for receiving complaints under this section and who is able to provide further information about matters covered by the notice required by § 164.520.
(2)
(b)(1) Standard: Training. A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information required by this subpart, as necessary and appropriate for the members of the workforce to carry out their function within the covered entity.
(2)
(A) To each member of the covered entity's workforce by no later than the compliance date for the covered entity;
(B) Thereafter, to each new member of the workforce within a reasonable period of time after the person joins the covered entity's workforce; and
(C) To each member of the covered entity's workforce whose functions are affected by a material change in the policies or procedures required by this subpart, within a reasonable period of time after the material change becomes effective in accordance with paragraph (i) of this section.
(ii) A covered entity must document that the training as described in paragraph (b)(2)(i) of this section has been provided, as required by paragraph (j) of this section.
(c)(1)
(2)
(d)(1)
(2)
(e)(1)
(2)
(f)
(g)
(1)
(2)
(i) Filing of a complaint with the Secretary under subpart C of part 160 of this subchapter;
(ii) Testifying, assisting, or participating in an investigation, compliance review, proceeding, or hearing under Part C of Title XI; or
(iii) Opposing any act or practice made unlawful by this subpart, provided the individual or person has a good faith belief that the practice opposed is unlawful, and the manner of the opposition is reasonable and does not involve a disclosure of protected health information in violation of this subpart.
(h)
(i)(1)
(2)
(ii) When a covered entity changes a privacy practice that is stated in the notice described in § 164.520, and makes corresponding changes to its policies and procedures, it may make the changes effective for protected health information that it created or received prior to the effective date of the notice revision, if the covered entity has, in accordance with § 164.520(b)(1)(v)(C), included in the notice a statement reserving its right to make such a change in its privacy practices; or
(iii) A covered entity may make any other changes to policies and procedures at any time, provided that the changes are documented and implemented in accordance with paragraph (i)(5) of this section.
(3)
(4)
(A) Ensure that the policy or procedure, as revised to reflect a change in the covered entity's privacy practice as stated in its notice, complies with the standards, requirements, and implementation specifications of this subpart;
(B) Document the policy or procedure, as revised, as required by paragraph (j) of this section; and
(C) Revise the notice as required by § 164.520(b)(3) to state the changed practice and make the revised notice available as required by § 164.520(c). The covered entity may not implement a change to a policy or procedure prior to the effective date of the revised notice.
(ii) If a covered entity has not reserved its right under § 164.520(b)(1)(v)(C) to change a privacy practice that is stated in the notice, the covered entity is bound by the privacy practices as stated in the notice with respect to protected health information created or received while such notice is in effect. A covered entity may change a privacy practice that is stated in the notice, and the related policies and procedures, without having reserved the right to do so, provided that:
(A) Such change meets the implementation the requirements in paragraphs (i)(4)(i)(A)-(C) of this section; and
(B) Such change is effective only with respect to protected health information created or received after the effective date of the notice.
(5)
(i) The policy or procedure, as revised, complies with the standards, requirements, and implementation specifications of this subpart; and
(ii) Prior to the effective date of the change, the policy or procedure, as revised, is documented as required by paragraph (j) of this section.
(j)(1)
(i) Maintain the policies and procedures provided for in paragraph (i) of this section in written or electronic form;
(ii) If a communication is required by this subpart to be in writing, maintain such writing, or an electronic copy, as documentation; and
(iii) If an action, activity, or designation is required by this subpart to be documented, maintain a written or electronic record of such action, activity, or designation.
(2)
(k)
(i) The group health plan provides health benefits solely through an insurance contract with a health insurance issuer or an HMO; and
(ii) The group health plan does not create or receive protected health information, except for:
(A) Summary health information as defined in § 164.504(a); or
(B) Information on whether the individual is participating in the group health plan, or is enrolled in or has disenrolled from a health insurance issuer or HMO offered by the plan.
(2) A group health plan described in paragraph (k)(1) of this section is subject to the standard and implementation specification in paragraph (j) of this section only with respect to plan documents amended in accordance with § 164.504(f).
At 67 FR 53272, Aug. 14, 2002, § 164.530 was amended by redesignating paragraph (c)(2) as (c)(2)(i); adding paragraph (c)(2)(ii); removing the words “the requirements” from paragraph (i)(4)(ii)(A) and adding in their place the word “specifications”, effective Oct. 15, 2002. For the convenience of the user, the added text is set forth as follows:
(c)
(2)
(ii) A covered entity must reasonably safeguard protected health information to limit incidental uses or disclosures made pursuant to an otherwise permitted or required use or disclosure.
(a)
(b)
(1) If the consent, authorization, or other express legal permission obtained from an individual permits a use or disclosure for purposes of carrying out treatment, payment, or health care operations, the covered entity may, with respect to protected health information that it created or received before the applicable compliance date of this subpart and to which the consent, authorization, or other express legal permission obtained from an individual applies, use or disclose such information for purposes of carrying out treatment, payment, or health care operations, provided that:
(i) The covered entity does not make any use or disclosure that is expressly excluded from the consent, authorization, or other express legal permission obtained from an individual; and
(ii) The covered entity complies with all limitations placed by the consent, authorization, or other express legal permission obtained from an individual.
(2) If the consent, authorization, or other express legal permission obtained from an individual specifically permits a use or disclosure for a purpose other than to carry out treatment, payment, or health care operations, the covered entity may, with respect to protected health information that it created or received before the applicable compliance date of this subpart and to which the consent, authorization, or other express legal permission obtained from an individual applies, make such use or disclosure, provided that:
(i) The covered entity does not make any use or disclosure that is expressly excluded from the consent, authorization, or other express legal permission obtained from an individual; and
(ii) The covered entity complies with all limitations placed by the consent, authorization, or other express legal permission obtained from an individual.
(3) In the case of a consent, authorization, or other express legal permission obtained from an individual that identifies a specific research project that includes treatment of individuals:
(i) If the consent, authorization, or other express legal permission obtained from an individual specifically permits a use or disclosure for purposes of the project, the covered entity may, with respect to protected health information that it created or received either before or after the applicable compliance date of this subpart and to which the consent or authorization applies, make such use or disclosure for purposes of that project, provided that the covered entity complies with all limitations placed by the consent, authorization, or other express legal permission obtained from an individual.
(ii) If the consent, authorization, or other express legal permission obtained
(4) If, after the applicable compliance date of this subpart, a covered entity agrees to a restriction requested by an individual under § 164.522(a), a subsequent use or disclosure of protected health information that is subject to the restriction based on a consent, authorization, or other express legal permission obtained from an individual as given effect by paragraph (b) of this section, must comply with such restriction.
At 67 FR 53272, Aug. 14, 2002, § 164.532 was revised, effective Oct. 15, 2002. For the convenience of the user, the revised text is set forth as follows:
(a)
(b)
(c)
(1) An authorization or other express legal permission from an individual to use or disclose protected health information for the research;
(2) The informed consent of the individual to participate in the research; or
(3) A waiver, by an IRB, of informed consent for the research, in accordance with 7 CFR 1c.116(d), 10 CFR 745.116(d), 14 CFR 1230.116(d), 15 CFR 27.116(d), 16 CFR 1028.116(d), 21 CFR 50.24, 22 CFR 225.116(d), 24 CFR 60.116(d), 28 CFR 46.116(d), 32 CFR 219.116(d), 34 CFR 97.116(d), 38 CFR 16.116(d), 40 CFR 26.116(d), 45 CFR 46.116(d), 45 CFR 690.116(d), or 49 CFR 11.116(d), provided that a covered entity must obtain authorization in accordance with § 164.508 if, after the compliance date, informed consent is sought from an individual participating in the research.
(d)
(e)
(i) Prior to October 15, 2002, such covered entity has entered into and is operating pursuant to a written contract or other written arrangement with a business associate for such business associate to perform functions or activities or provide services that make the entity a business associate; and
(ii) The contract or other arrangement is not renewed or modified from October 15, 2002, until the compliance date set forth in § 164.534.
(2)
(i) The date such contract or other arrangement is renewed or modified on or after the compliance date set forth in § 164.534; or
(ii) April 14, 2004.
(3)
(a)
(b)
(1)
(2)
(c)