HIPAA Frequently Asked Questions

Standards for Privacy
Consent
Minimum Necessary
Oral Communications
Business Associates
Parents and Minors
Relation to State Law
Health-Related Communications and Marketing
Research
Restrictions on Government Access to Health Information
Payment
Modifications to the Standards for Privacy -- FINAL RULE

STANDARDS FOR PRIVACY OF INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION
[45 CFR Parts 160 and 164]

General Overview
The following is an overview that provides answers to general questions regarding the regulation entitled Standards for Privacy of Individually Identifiable Health Information (the Privacy Rule), promulgated by the Department of Health and Human Services (HHS), and the process for modifications to that rule. Detailed guidance on specific requirements in the regulation is presented in subsequent sections, each of which addresses a different standard.

Frequently Asked Questions
Q: What does this regulation do?
A: The Privacy Rule became effective on April 14, 2001. Most health plans and health care providers that are covered by the new rule must comply with the new requirements by April 2003.
The Privacy Rule for the first time creates national standards to protect individuals' medical records and other personal health information.

For patients - it means being able to make informed choices when seeking care and reimbursement for care based on how personal health information may be used.

Q: Why is this regulation needed?
A: In enacting the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Congress mandated the establishment of standards for the privacy of individually identifiable health information.

When it comes to personal information that moves across hospitals, doctors' offices, insurers or third party payers, and state lines, our country has relied on a patchwork of federal and state laws. Under the current patchwork of laws, personal health information can be distributed - without either notice or consent - for reasons that have nothing to do with a patient's medical treatment or health care reimbursement. Patient information held by a health plan may be passed on to a lender who may then deny the patient's application for a home mortgage or a credit card - or to an employer who may use it in personnel decisions. The Privacy Rule establishes a federal floor of safeguards to protect the confidentiality of medical information. State laws which provide stronger privacy protections will continue to apply over and above the new federal privacy standards.

Q: What does this regulation require the average provider or health plan to do?
A: For the average health care provider or health plan, the Privacy Rule requires activities such as:

Q: Who must comply with these new privacy standards?
A: As required by Congress in HIPAA, the Privacy Rule covers health plans, health care clearinghouses, and those health care providers who conduct certain financial and administrative transactions electronically. These electronic transactions are those for which standards are required to be adopted by the Secretary under HIPAA, such as electronic billing and fund transfers. These entities (collectively called "covered entities") are bound by the new privacy standards even if they contract with others (called "business associates") to perform some of their essential functions.

Q: When will covered entities have to meet these standards?
A: As Congress required in HIPAA, most covered entities have two full years from the date that the regulation took effect - or, until April 14, 2003 - to come into compliance with these standards. Under the law, small health plans will have three full years - or, until April 14, 2004 - to come into compliance.

Q: What changes might you make in the final rule?
A: We continue to review the input received during the recent public comment period to determine what changes are appropriate to ensure that the rule protects patient privacy as intended without harming consumers' access to care or the quality of that care.
Examples of standards in the Privacy Rule for which we will propose changes are:

CONSENT
[45 CFR § 164.506]

Background
The Privacy Rule establishes a federal requirement that most doctors, hospitals, or other health care providers obtain a patient's written consent before using or disclosing the patient's personal health information to carry out treatment, payment, or health care operations (TPO). Today, many health care providers, for professional or ethical reasons, routinely obtain a patient's consent for disclosure of information to insurance companies or for other purposes. The Privacy Rule builds on these practices by establishing a uniform standard for certain health care providers to obtain their patients' consent for uses and disclosures of health information about the patient to carry out TPO.

General Provisions

Individual Rights

Frequently Asked Questions
Q: Are health plans or clearinghouses required to obtain an individual's consent to use or disclose PHI to carry out TPO?
A: No. Health plans and clearinghouses may use and disclose PHI for these purposes without obtaining consent. These entities are permitted to obtain consent. If they choose to seek individual consent for these uses and disclosures, the consent must meet the standards, requirements, and implementation specifications for consents set forth under the rule.

Q: Can a pharmacist use PHI to fill a prescription that was telephoned in by a patient's physician if the patient is a new patient to the pharmacy and has not yet provided written consent to the pharmacy?
A: The Privacy Rule, as written, does not permit this activity without prior patient consent. It poses a problem for first-time users of a particular pharmacy or pharmacy chain. The Department of Health and Human Services did not intend the rule to interfere with a pharmacist's normal activities in this way. The Secretary is aware of this problem, and will propose modifications to fix it to ensure ready patient access to high quality health care.

Q: Can direct treatment providers, such as a specialist or hospital, to whom a patient is referred for the first time, use PHI to set up appointments or schedule surgery or other procedures before obtaining the patient's written consent?
A: As in the pharmacist example above, the Privacy Rule, as written, does not permit uses of PHI prior to obtaining the patient's written consent for TPO. This unintended problem potentially exists in any circumstance when a patient's first contact with a direct treatment provider is not in person. As noted above, the Secretary is aware of this problem and will propose modifications to fix it.

Q: Will the consent requirement restrict the ability of providers to consult with other providers about a patient's condition?
A: No. A provider with a direct treatment relationship with a patient would have to have initially obtained consent to use that patient's health information for treatment purposes. Consulting with another health care provider about the patient's case falls within the definition of "treatment" and, therefore, is permissible. If the provider being consulted does not otherwise have a direct treatment relationship with the patient, that provider does not need to obtain the patient's consent to engage in the consultation.

Q: Does a pharmacist have to obtain a consent under the Privacy Rule in order to provide advice about over-the-counter medicines to customers?
A: No. A pharmacist may provide advice about over-the-counter medicines without obtaining the customer's prior consent, provided that the pharmacist does not create or keep a record of any PHI. In this case, the only interaction or disclosure of information is a conversation between the pharmacist and the customer. The pharmacist may disclose PHI about the customer to the customer without obtaining his or her consent (§ 164.502(a)(1)(i)), but may not otherwise use or disclose that information.

Q: Can a patient have a friend or family member pick up a prescription for her?
A: Yes. A pharmacist may use professional judgment and experience with common practice to make reasonable inferences of the patient's best interest in allowing a person, other than the patient, to pick up a prescription (see § 164.510(b)). For example, the fact that a relative or friend arrives at a pharmacy and asks to pick up a specific prescription for an individual effectively verifies that he or she is involved in the individual's care, and the rule allows the pharmacist to give the filled prescription to the relative or friend. The individual does not need to provide the pharmacist with the names of such persons in advance.

Q: The rule provides an exception to the prior consent requirement for "emergency treatment situations." How will a provider know when the situation is an "emergency treatment situation" and, therefore, is exempt from the Privacy Rule's prior consent requirement?
A: Health care providers must exercise their professional judgment to determine whether obtaining a consent would interfere with the timely delivery of necessary health care. If, based on professional judgment, a provider reasonably believes at the time the patient presents for treatment that a delay involved in obtaining the patient's consent to use or disclose information would compromise the patient's care, the provider may use or disclose PHI that was obtained during the emergency treatment, without prior consent, to carry out TPO. The provider must attempt to obtain consent as soon as reasonably practicable after the provision of treatment. If the provider is able to obtain the patient's consent to use or disclose information before providing care, without compromising the patient's care, we require the provider to do so.

Q: Does the exception to the consent requirement regarding substantial barriers to communication with the individual affect requirements under Title VI of the Civil Rights Act of 1964 or the Americans with Disabilities Act?
A: No. The provision of the Privacy Rule regarding substantial barriers to communication does not affect covered entities' obligations under Title VI or the Americans with Disabilities Act. Entities that are covered by these statutes must continue to meet the requirements of the statutes. The Privacy Rule works in conjunction with these laws to remove impediments to access to necessary health care for all individuals.

Q: What is the difference between "consent" and "authorization" under the Privacy Rule?
A: A consent is a general document that gives health care providers, which have a direct treatment relationship with a patient, permission to use and disclose all PHI for TPO. It gives permission only to that provider, not to any other person. Health care providers may condition the provision of treatment on the individual providing this consent. One consent may cover all uses and disclosures for TPO by that provider, indefinitely. A consent need not specify the particular information to be used or disclosed, nor the recipients of disclosed information.
Only doctors or other health care providers with a direct treatment relationship with a patient are required to obtain consent. Generally, a "direct treatment provider" is one that treats a patient directly, rather than based on the orders of another provider, and/or provides health care services or test results directly to patients. Other health care providers, health plans, and health care clearinghouses may use or disclose information for TPO without consent, or may choose to obtain a consent.

An authorization is a more customized document that gives covered entities permission to use specified PHI for specified purposes, which are generally other than TPO, or to disclose PHI to a third party specified by the individual. Covered entities may not condition treatment or coverage on the individual providing an authorization. An authorization is more detailed and specific than a consent. It covers only the uses and disclosures and only the PHI stipulated in the authorization; it has an expiration date; and, in some cases, it also states the purpose for which the information may be used or disclosed.
An authorization is required for use and disclosure of PHI not otherwise allowed by the rule. In general, this means an authorization is required for purposes that are not part of TPO and not described in § 164.510 (uses and disclosures that require an opportunity for the individual to agree or to object) or § 164.512 (uses and disclosures for which consent, authorization, or an opportunity to agree or to object is not required). Situations in which an authorization is required for TPO purposes are identified and discussed in the next question.
All covered entities, not just direct treatment providers, must obtain an authorization to use or disclose PHI for these purposes. For example, a covered entity would need an authorization from individuals to sell a patient mailing list, to disclose information to an employer for employment decisions, or to disclose information for eligibility for life insurance. A covered entity will never need to obtain both an individual's consent and authorization for a single use or disclosure. However, a provider may have to obtain consent and authorization from the same patient for different uses or disclosures. For example, an obstetrician may, under the consent obtained from the patient, send an appointment reminder to the patient, but would need authorization from the patient to send her name and address to a company marketing a diaper service.

Q: Would a covered entity ever need an authorization rather than a consent for uses or disclosures of PHI for TPO?
A: Yes. The Privacy Rule requires providers to obtain authorization and not consent to use or disclose PHI maintained in psychotherapy notes for treatment by persons other than the originator of the notes, for payment, or for health care operations purposes, except as specified in the Privacy Rule (§ 164.508(a)(2)). In addition, because the consent is only for a use or disclosure of PHI for the TPO purposes of the covered entity obtaining the consent, an authorization is also required if the disclosure is for the TPO purposes of an entity other than the provider who obtained the consent. For example, a health plan seeking payment for a particular service from a second health plan, such as in coordination of benefits or secondary payer situations, may need PHI from a physician who rendered the health care services. In this case, the provider typically has been paid, and the transaction is between the plans. Since the provider's disclosure is for the TPO purposes of the plan, it would not be covered by the provider's consent. Rather, an authorization, and not a consent, would be the proper document for the plan to use when requesting such a disclosure.

Q: Will health care providers be required to determine whether another covered entity has a more restrictive consent form before disclosing information to that entity for TPO purposes?
A: No. Generally, a consent permits only the covered entity that obtains the consent to use or disclose PHI for its own TPO purposes. Under the Privacy Rule, one covered entity is not bound by a consent or any restrictions on that consent agreed to by another covered entity, with one exception. A covered entity would be bound by the consent of another covered entity if the entities use a "joint consent," as permitted by the Privacy Rule (§ 164.506(f)).

In addition, it is possible for several entities to choose to be treated as a single covered entity under the rule, as "affiliated entities." Because affiliated entities are considered to be one covered entity under the rule, there would be only one consent and each entity would be bound by that consent (§ 164.504(d)).

Q: What is the interaction between "consent" and "notice"?
A: The consent and the notice of privacy practices are two distinct documents. A consent document is brief (may be less than one page). It must refer to the notice and must inform the individual that he has the opportunity to review the notice prior to signing the consent. The Privacy Rule does not require that the individual read the notice or that the covered entity explain each item in the notice before the individual provides consent. We expect that some patients will simply sign the consent while others will read the notice carefully and discuss some of the practices with the covered entity.

Q: May consent for use or disclosure of PHI be provided electronically?
A: Yes. The covered entity may choose to obtain and store consents in paper or electronic form, provided that the consent meets all of the requirements under the Privacy Rule, including that it be signed by the individual. Paper is not required.

Q: Must a covered entity verify a signature on a consent form if the individual is not present when he signs it?
A: No.

Q: May consent be obtained by a health care provider only one time if there is a single connected course of treatment involving multiple visits?
A: Yes. A health care provider needs to obtain consent from a patient for use or disclosure of PHI only one time. This is true regardless of whether there is a connected course of treatment or treatment for unrelated conditions. A provider will need to obtain a new consent from a patient only if the patient has revoked the consent between treatments.

Q: If an individual consents to the use or disclosure of PHI for TPO purposes, obtains a health care service, and then revokes consent before the provider bills for such service, is the provider precluded from billing for such service?
A: No. A health care provider that provides a health care service to an individual after obtaining consent from the individual, may bill for such service even if the individual immediately revokes consent after the service has been provided. The Privacy Rule requires that an individual be permitted to revoke consent, but provides that the revocation is not effective to the extent that the health care provider has acted in reliance on the consent.

Q: If covered providers that are affiliated or part of an organized health care arrangement are located in different states with different laws regarding uses and disclosures of health information (e.g., a chain of pharmacies), do they need to obtain a consent in each state that the patient obtains treatment?
A: No. The consent is general and only needs to be obtained by a covered entity (or by affiliated entities or entities that are part of an organized health care arrangement) one time. The Privacy Rule does not require that the consent include any details about state law, and therefore, does not require different consent forms in each state.

Q: Must a revocation of a consent be in writing?
A: Yes.

Q: The Privacy Rule permits a covered entity to continue to use or disclose health information which it has on the compliance date pursuant to express legal permission obtained from an individual prior to the compliance date. Is a form, signed by a patient prior to the compliance date of the rule, that permits a provider to use or disclose information for the limited purpose of payment sufficient to meet these transition provision requirements?
A: Yes. A provider that obtains permission from a patient prior to the compliance date to use or disclose information for payment purposes may use the PHI about that patient collected pursuant to that permission for purposes of TPO. Under the transition provisions, if prior to the compliance date, a provider obtained a consent for the use or disclosure of health information for any one of the TPO purposes, the provider may use the health information collected pursuant to that consent for all three purposes after the compliance date (§ 164.532(b)). Thus, a provider that obtained consent for use or disclosure for billing purposes would be able to draw on the data obtained prior to the compliance date and covered by the consent form for all TPO activities to the extent not expressly excluded by the terms of the consent.

MINIMUM NECESSARY
[45 CFR §§ 164.502(b), 164.514(d)]

General Requirement
The Privacy Rule generally requires covered entities to take reasonable steps to limit the use or disclosure of, and requests for protected health information (PHI) to the minimum necessary to accomplish the intended purpose. The minimum necessary provisions do not apply to the following:

Uses and Disclosures of, and Requests for PHI
For uses of PHI, the policies and procedures must identify the persons or classes of persons within the covered entity who need access to the information to carry out their job duties, the categories or types of PHI needed, and conditions appropriate to such access. For example, hospitals may implement policies that permit doctors, nurses, or others involved in treatment to have access to the entire medical record, as needed. Case-by-case review of each use is not required. Where the entire medical record is necessary, the covered entity's policies and procedures must state so explicitly and include a justification.

Reasonable Reliance
In certain circumstances, the Privacy Rule permits a covered entity to rely on the judgment of the party requesting the disclosure as to the minimum amount of information that is needed. Such reliance must be reasonable under the particular circumstances of the request. This reliance is permitted when the request is made by:

Frequently Asked Questions
Q: How are covered entities expected to determine what is the minimum necessary information that can be used, disclosed, or requested for a particular purpose?
A: The Privacy Rule requires a covered entity to make reasonable efforts to limit use, disclosure of, and requests for PHI to the minimum necessary to accomplish the intended purpose. To allow covered entities the flexibility to address their unique circumstances, the rule requires covered entities to make their own assessment of what PHI is reasonably necessary for a particular purpose, given the characteristics of their business and workforce, and to implement policies and procedures accordingly.

Q: Won't the minimum necessary restrictions impede the delivery of quality health care by preventing or hindering necessary exchanges of patient medical information among health care providers involved in treatment?
A: No. Disclosures for treatment purposes (including requests for disclosures) between health care providers are explicitly exempted from the minimum necessary requirements.

Q: Do the minimum necessary requirements prohibit medical residents, medical students, nursing students, and other medical trainees from accessing patients' medical information in the course of their training?
A: No. The definition of "health care operations" in the rule provides for "conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers." Covered entities can shape their policies and procedures for minimum necessary uses and disclosures to permit medical trainees access to patients' medical information, including entire medical records.

Q: Must minimum necessary be applied to disclosures to third parties that are authorized by an individual?
A: No, unless the authorization was requested by a covered entity for its own purposes. The Privacy Rule exempts from the minimum necessary requirements most uses or disclosures that are authorized by an individual. This includes authorizations covered entities may receive directly from third parties, such as life, disability, or casualty insurers pursuant to the patient's application for or claim under an insurance policy. For example, if a covered health care provider receives an individual's authorization to disclose medical information to a life insurer for underwriting purposes, the provider is permitted to disclose the information requested on the authorization without making any minimum necessary determination. The authorization must meet the requirements of § 164.508.

However, minimum necessary does apply to authorizations requested by the covered entity for its own purposes (see § 164.508(d), (e), and (f)).

Q: Are providers required to make a minimum necessary determination to disclose to federal or state agencies, such as the Social Security Administration (SSA) or its affiliated state agencies, for individuals' applications for federal or state benefits?
A: No. These disclosures must be authorized by an individual and, therefore, are exempt from the minimum necessary requirements. Further, use of the provider's own authorization form is not required. Providers can accept an agency's authorization form as long as it meets the requirements of § 164.508 of the rule. For example, disclosures to SSA (or its affiliated state agencies) for purposes of determining eligibility for disability benefits are currently made subject to an individual's completed SSA authorization form. After the compliance date, the current process may continue subject only to modest changes in the SSA authorization form to conform to the requirements in § 164.508.

Q: Does the rule strictly prohibit use, disclosure, or requests of an entire medical record? Does the rule prevent use, disclosure, or requests of entire medical records without case-by-case justification?
A: No. The Privacy Rule does not prohibit use, disclosure, or requests of an entire medical record. A covered entity may use, disclose, or request an entire medical record, without a case-by-case justification, if the covered entity has documented in its policies and procedures that the entire medical record is the amount reasonably necessary for certain identified purposes.

Q: In limiting access, are covered entities required to completely restructure existing workflow systems, including redesigns of office space and upgrades of computer systems, in order to comply with the minimum necessary requirements?
A: No. The basic standard for minimum necessary uses requires that covered entities make reasonable efforts to limit access to PHI to those in the workforce that need access based on their roles in the covered entity.

Q: Do the minimum necessary requirements prohibit covered entities from maintaining patient medical charts at bedside, require that covered entities shred empty prescription vials, or require that X-ray light boards be isolated?
A: No. The minimum necessary standards do not require that covered entities take any of these specific measures. Covered entities must, in accordance with other provisions of the Privacy Rule, take reasonable precautions to prevent inadvertent or unnecessary disclosures. For example, while the Privacy Rule does not require that X-ray boards be totally isolated from all other functions, it does require covered entities to take reasonable precautions to protect X-rays from being accessible to the public.

Q: Will doctors' and physicians' offices be allowed to continue using sign-in sheets in waiting rooms?
A: We did not intend to prohibit the use of sign-in sheets, but understand that the Privacy Rule is ambiguous about this common practice. We, therefore, intend to propose modifications to the rule to clarify that this and similar practices are permissible.

Q: What happens when a covered entity believes that a request is seeking more than the minimum necessary PHI?
A: In such a situation, the Privacy Rule requires a covered entity to limit the disclosure to the minimum necessary as determined by the disclosing entity. Where the rule permits covered entities to rely on the judgment of the person requesting the information, and if such reliance is reasonable despite the covered entity's concerns, the covered entity may make the disclosure as requested.

Nothing in the Privacy Rule prevents a covered entity from discussing its concerns with the person making the request, and negotiating an information exchange that meets the needs of both parties. Such discussions occur today and may continue after the compliance date of the Privacy Rule.
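The minimum necessary standard above is, in engineering terms, a role-based access policy: the covered entity documents which classes of persons need which categories of PHI, states explicitly (with a justification) where the entire record is needed, and limits over-broad requests to what it has itself determined is necessary, while treatment disclosures between providers and most individually authorized disclosures are exempt. The following is an added example, not HHS text or any official implementation, showing how those rules can be encoded as an access check. The role names, PHI categories, purposes, policy tables and sample record are constructed for illustration; a real policy would be specific to the entity's business and workforce.

```python
"""Role-based "minimum necessary" access checks for PHI.

Added example; not part of the HHS FAQ. Encodes the policy structure the
Minimum Necessary section describes: classes of persons mapped to PHI
categories, a documented justification for entire-record use, the exemption
for treatment disclosures between providers, the exemption for disclosures the
individual authorized (unless the covered entity requested the authorization
for its own purposes), reasonable reliance on the requester, and narrowing an
over-broad request to what the disclosing entity determined is necessary.
All names and tables below are constructed (hypothetical).
"""
from dataclasses import dataclass

ALL_CATEGORIES = frozenset({
    "demographics", "diagnoses", "medications", "lab_results",
    "psychotherapy_notes", "billing",
})


@dataclass(frozen=True)
class RolePolicy:
    categories: frozenset                  # PHI categories this class of persons needs
    entire_record_justification: str = ""  # non-empty: whole record permitted, and why


# Constructed policy table for uses inside the covered entity (hypothetical roles).
ROLE_POLICY = {
    "treating_clinician": RolePolicy(
        ALL_CATEGORIES, "Clinicians involved in treatment may use the entire record as needed."),
    "trainee_under_supervision": RolePolicy(
        ALL_CATEGORIES, "Supervised training is a health care operation; trainees use full charts."),
    "billing_clerk": RolePolicy(frozenset({"demographics", "billing"})),
    "scheduler": RolePolicy(frozenset({"demographics"})),
}

# Constructed table of what this entity has determined is the minimum necessary
# for outgoing disclosures, by purpose (used when it does not rely on the requester).
NECESSARY_FOR_PURPOSE = {
    "payment": frozenset({"demographics", "billing", "diagnoses"}),
    "health_care_operations": frozenset({"demographics", "diagnoses"}),
}


class PolicyError(ValueError):
    """Raised when no documented policy covers the requested use or disclosure."""


def _check_categories(requested):
    requested = set(requested)
    unknown = requested - ALL_CATEGORIES
    if unknown:
        raise PolicyError(f"unknown PHI categories: {sorted(unknown)}")
    return requested


def permitted_for_role(role, requested):
    """Limit an internal use to the categories the role's documented policy allows.
    No case-by-case review: the role table is the entity's determination."""
    if role not in ROLE_POLICY:
        raise PolicyError(f"no documented policy for role {role!r}")
    return _check_categories(requested) & ROLE_POLICY[role].categories


def entire_record_justification(role):
    """Documented justification for entire-record use, or None if the policy
    states none (in which case whole-record use by that role is not permitted)."""
    pol = ROLE_POLICY.get(role)
    if pol is None or not pol.entire_record_justification:
        return None
    return pol.entire_record_justification


def minimum_necessary_disclosure(requested, purpose, *, between_providers=False,
                                 individual_authorized=False,
                                 authorization_requested_by_discloser=False,
                                 reasonable_reliance=False):
    """Categories to release for an outgoing disclosure.

    Exempt: treatment disclosures between providers, and disclosures the
    individual authorized unless the discloser requested that authorization for
    its own purposes. Otherwise release as requested only when reliance on the
    requester's judgment is reasonable; else narrow to the documented minimum."""
    requested = _check_categories(requested)
    if purpose == "treatment" and between_providers:
        return requested
    if individual_authorized and not authorization_requested_by_discloser:
        return requested
    if reasonable_reliance:
        return requested
    if purpose not in NECESSARY_FOR_PURPOSE:
        raise PolicyError(f"no documented minimum necessary determination for {purpose!r}")
    return requested & NECESSARY_FOR_PURPOSE[purpose]


def filter_record(record, categories):
    """Return only the parts of a PHI record that fall in the permitted categories."""
    return {k: v for k, v in record.items() if k in categories}


# Constructed sample record (fictional patient).
SAMPLE_RECORD = {
    "demographics": {"name": "J. Doe", "dob": "1970-01-01"},
    "diagnoses": ["hypertension"],
    "medications": ["lisinopril 10 mg"],
    "lab_results": [{"test": "basic metabolic panel", "date": "2001-04-14"}],
    "psychotherapy_notes": "session notes",
    "billing": {"claim": "CLM-0001", "amount": 120.0},
}

if __name__ == "__main__":
    # A billing clerk asking for the whole record gets only demographics and billing.
    print(filter_record(SAMPLE_RECORD, permitted_for_role("billing_clerk", ALL_CATEGORIES)))
    # A payment request the entity cannot reasonably rely on is narrowed to its own determination.
    print(sorted(minimum_necessary_disclosure(ALL_CATEGORIES, "payment")))
```

The point of keeping the role table and the per-purpose table as data is that they are the documented "policies and procedures" the rule asks for; an auditor can read them directly, and `entire_record_justification` fails closed for any role whose whole-record access was never written down.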

ORAL COMMUNICATIONS
[45 CFR §§ 160.103, 164.501]

Background
The Privacy Rule applies to individually identifiable health information in all forms, electronic, written, oral, and any other. Coverage of oral (spoken) information ensures that information retains protections when discussed or read aloud from a computer screen or a written document. If oral communications were not covered, any health information could be disclosed to any person, so long as the disclosure was spoken.

General Requirements

Frequently Asked Questions
Q: If health care providers engage in confidential conversations with other providers or with patients, have they violated the rule if there is a possibility that they could be overheard?
A: The Privacy Rule is not intended to prohibit providers from talking to each other and to their patients. Provisions of this rule requiring covered entities to implement reasonable safeguards that reflect their particular circumstances and exempting treatment disclosures from certain requirements are intended to ensure that providers' primary consideration is the appropriate treatment of their patients. We also understand that overheard communications are unavoidable. For example, in a busy emergency room, it may be necessary for providers to speak loudly in order to ensure appropriate treatment. The Privacy Rule is not intended to prevent this appropriate behavior. We would consider the following practices to be permissible, if reasonable precautions are taken to minimize the chance of inadvertent disclosures to others who may be nearby (such as using lowered voices, talking apart):

We will propose regulatory language to reinforce and clarify that these and similar oral communications (such as calling out patient names in a waiting room) are permissible.

Examples of the types of adjustments or modifications to facilities or systems that may constitute reasonable safeguards are:

Q: Do covered entities need to provide patients access to oral information?
A: No. The Privacy Rule requires covered entities to provide individuals with access to PHI about themselves that is contained in their "designated record sets." The term "record" in the term "designated record set" does not include oral information; rather, it connotes information that has been recorded in some manner.
The rule does not require covered entities to tape or digitally record oral communications, nor retain digitally or tape recorded information after transcription. But if such records are maintained and used to make decisions about the individual, they may meet the definition of "designated record set." For example, a health plan is not required to provide a member access to tapes of a telephone "advice line" interaction if the tape is only maintained for customer service review and not to make decisions about the member.

Q: Do covered entities have to document all oral communications?
A: No. The Privacy Rule does not require covered entities to document any information, including oral information, that is used or disclosed for treatment, payment or health care operations (TPO).

Q: Did the Department change its position from the proposed rule by covering oral communications in the final Privacy Rule?
A: No. The proposed rule would have covered information in any form or medium, as long as it had at some point been maintained or transmitted electronically. Once information had been electronic, it would have continued to be covered as long as it was held by a covered entity, whether in electronic, written, or oral form.
The final Privacy Rule eliminates this nexus to electronic information. All individually identifiable health information of the covered entity is covered by the rule.


BUSINESS ASSOCIATES
[45 CFR §§ 160.103, 164.502(e), 164.514(e)]

Background
By law, the Privacy Rule applies only to health plans, health care clearinghouses, and certain health care providers. In today's health care system, however, most health care providers and health plans do not carry out all of their health care activities and functions by themselves; they require assistance from a variety of contractors and other businesses. In allowing providers and plans to give protected health information (PHI) to these "business associates," the Privacy Rule conditions such disclosures on the provider or plan obtaining, typically by contract, satisfactory assurances that the business associate will use the information only for the purposes for which it was engaged by the covered entity, will safeguard the information from misuse, and will help the covered entity comply with the covered entity's duties to provide individuals with access to health information about them and a history of certain disclosures (e.g., if the business associate maintains the only copy of information, it must promise to cooperate with the covered entity to provide individuals access to information upon request). PHI may be disclosed to a business associate only to help the providers and plans carry out their health care functions - not for independent use by the business associate.

What is a "business associate"?
A business associate is a person or entity who provides certain functions, activities, or services for or to a covered entity, involving the use and/or disclosure of PHI.

Frequently Asked Questions
Q: Has the Secretary exceeded the statutory authority by requiring "satisfactory assurances" for disclosures to business associates?
A:
No. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) gives the Secretary authority to directly regulate health care providers, health plans, and health care clearinghouses. It also grants the Department explicit authority to regulate the uses and disclosures of PHI maintained and transmitted by covered entities. Therefore, we do have the authority to condition the disclosure of PHI by a covered entity to a business associate on the covered entity's having a contract with that business associate.

Q: Has the Secretary exceeded the HIPAA statutory authority by requiring "business associates" to comply with the Privacy Rule, even if that requirement is through a contract?
A:
The Privacy Rule does not "pass through" its requirements to business associates or otherwise cause business associates to comply with the terms of the rule. The assurances that covered entities must obtain prior to disclosing PHI to business associates create a set of contractual obligations far narrower than the provisions of the rule, to protect information generally and help the covered entity comply with its obligations under the rule. For example, covered entities do not need to ask their business associates to agree to appoint a privacy officer, or develop policies and procedures for use and disclosure of PHI.

Q: Is it reasonable for covered entities to be held liable for the privacy violations of business associates?
A:
A health care provider, health plan, or other covered entity is not liable for privacy violations of a business associate. Covered entities are not required to actively monitor or oversee the means by which the business associate carries out safeguards or the extent to which the business associate abides by the requirements of the contract.
Moreover, a business associate's violation of the terms of the contract does not, in and of itself, constitute a violation of the rule by the covered entity. The contract must obligate the business associate to advise the covered entity when violations have occurred.
If the covered entity becomes aware of a pattern or practice of the business associate that constitutes a material breach or violation of the business associate's obligations under its contract, the covered entity must take "reasonable steps" to cure the breach or to end the violation.

If such steps are not successful, the covered entity must terminate the contract if feasible. The rule also provides for circumstances in which termination is not feasible, for example, where there are no other viable business alternatives for the covered entity. In such circumstances where termination is not feasible, the covered entity must report the problem to the Department.


PARENTS AND MINORS
[45 CFR § 164.502(g)]

General Requirements
The Privacy Rule provides individuals with certain rights with respect to their personal health information, including the right to obtain access to and to request amendment of health information about themselves.

These rights rest with that individual, or with the "personal representative" of that individual. In general, a person's right to control protected health information (PHI) is based on that person's right (under state or other applicable law, e.g., tribal or military law) to control the health care itself.

Because a parent usually has authority to make health care decisions about his or her minor child, a parent is generally a "personal representative" of his or her minor child under the Privacy Rule and has the right to obtain access to health information about his or her minor child. This would also be true in the case of a guardian or other person acting in loco parentis of a minor.

There are exceptions in which a parent might not be the "personal representative" with respect to certain health information about a minor child. In the following situations, the Privacy Rule defers to determinations under other law that the parent does not control the minor's health care decisions and, thus, does not control the PHI related to that care.

In the following situations, the Privacy Rule reflects current professional practice in determining that the parent is not the minor's personal representative with respect to the relevant PHI:


RELATION TO STATE LAW

In addition to the provisions (described above) tying the right to control information to the right to control treatment, the Privacy Rule also states that it does not preempt state laws that specifically address disclosure of health information about a minor to a parent (§ 160.202). This is true whether the state law authorizes or prohibits such disclosure. Thus, if a physician believes that disclosure of information about a minor would endanger that minor, but a state law requires disclosure to a parent, the physician may comply with the state law without violating the Privacy Rule. Similarly, a provider may comply with a state law that requires disclosure to a parent and would not have to accommodate a request for confidential communications that would be contrary to state law.

Frequently Asked Questions
Q: Does the Privacy Rule allow parents the right to see their children's medical records?
A:
The Privacy Rule generally allows parents, as their minor children's personal representatives, to have access to information about the health and well-being of their children when state or other underlying law allows parents to make treatment decisions for the child. There are two exceptions: (1) when the parent agrees that the minor and the health care provider may have a confidential relationship, the provider is allowed to withhold information from the parent to the extent of that agreement; and (2) when the provider reasonably believes in his or her professional judgment that the child has been or may be subjected to abuse or neglect, or that treating the parent as the child's personal representative could endanger the child, the provider is permitted not to treat the parent as the child's personal representative with respect to health information.

Q: Does the Privacy Rule provide rights for children to be treated without parental consent?
A:
No. The Privacy Rule does not address consent to treatment, nor does it preempt or change state or other laws that address consent to treatment. The Rule addresses access to health information, not the underlying treatment.

Q: If a child receives emergency medical care without a parent's consent, can the parent get all information about the child's treatment and condition?
A:
Generally, yes. Even though the parent did not provide consent to the treatment in this situation, under the Privacy Rule, the parent would still be the child's personal representative. This would not be so only when the minor provided consent (and no other consent is required) or the treating physician suspects abuse or neglect or reasonably believes that releasing the information to the parent will endanger the child.


HEALTH-RELATED COMMUNICATIONS AND MARKETING
[45 CFR §§ 164.501, 164.514(e)]

General Requirements
The Privacy Rule addresses the use and disclosure of protected health information (PHI) for marketing purposes in the following ways:

What Is Marketing?
The Privacy Rule defines "marketing" as "a communication about a product or service a purpose of which is to encourage recipients of the communication to purchase or use the product or service." To make this definition easier for covered entities to understand and comply with, we specified what "marketing" is not, as well as generally defined what it is.

Communications That Are Not Marketing
A covered entity is not "marketing" when it:

Business Associates
Disclosure of PHI for marketing purposes is limited to disclosure to business associates that undertake marketing activities on behalf of the covered entity. No other disclosure for marketing is permitted. Covered entities may not give away or sell lists of patients or enrollees without obtaining authorization from each person on the list. As with any disclosure to a business associate, the covered entity must obtain the business associate's agreement to use the PHI only for the covered entity's marketing activities. A covered entity may not give PHI to a business associate for the business associate's own purposes.

Frequently Asked Questions
Q: Does this rule expand the ability of providers, plans, marketers and others to use my PHI to market goods and services to me? Does the Privacy Rule make it easier for health care businesses to engage in door-to-door sales and marketing efforts?
A:
No. The provisions described above impose limits on the use or disclosure of PHI for marketing that do not exist in most states today. For example, the rule requires patients' authorization for the following types of uses or disclosures of PHI for marketing:

These activities can occur today with no authorization from the individual. In addition, for the marketing activities that are allowed by the rule without authorization from the individual, the Privacy Rule requires covered entities to offer individuals the ability to opt-out of further marketing communications.

Similarly, under the business associate provisions of the rule, a covered entity may not give PHI to a telemarketer, door-to-door salesperson, or other marketer it has hired unless that marketer has agreed by contract to use the information only for marketing on behalf of the covered entity. Today, there may be no restrictions on how marketers re-use information they obtain from health plans and providers.

Q: Can telemarketers gain access to PHI and call individuals to sell goods and services?
A:
Under the rule, unless the covered entity obtains the individual's authorization, it may only give health information to a telemarketer that it has hired to undertake marketing on its behalf. The telemarketer must be a business associate under the rule, which means that it must agree by contract to use the information only for marketing on behalf of the covered entity, and not to market its own goods or services (or those of another third party). The caller must identify the covered entity that is sponsoring the marketing call. The caller must provide individuals the opportunity to opt-out of further marketing.

Q: When is an authorization required from the patient before a provider or health plan engages in marketing to that individual?
A:
An authorization for use or disclosure of PHI for marketing is always required, unless one of the following three exceptions applies:

Q: How can I distinguish between activities for treatment, payment or health care operations (TPO) versus marketing activities?
A:
There is no need for covered entities to make this distinction. In recommending treatments, providers and health plans advise us to purchase goods and services. The overlap between "treatment," "health care operations," and "marketing" is unavoidable. Instead of creating artificial distinctions, the rule imposes requirements that do not require such distinctions. Specifically:

Q: Do disease management, health promotion, preventive care, and wellness programs fall under the definition of "marketing"?
A:
Whether these kinds of activities fall under the rule's definition of "marketing" depends on the specifics of how the activity is conducted. The activities currently undertaken under these rubrics are diverse. Covered entities must examine the particular activities they undertake, and compare these to the activities that are exempt from the definition of "marketing."

Q: Can contractors (business associates) use PHI to market to individuals for their own business purposes?
A:
The Privacy Rule prohibits health plans and covered health care providers from giving PHI to third parties for the third party's own business purposes, absent authorization from the individuals. Under the statute, this regulation cannot govern contractors directly.


RESEARCH
[45 CFR §§ 164.501, 164.508(f), 164.512(i)]

Background
The Privacy Rule establishes the conditions under which protected health information (PHI) may be used or disclosed by covered entities for research purposes. A covered entity may always use or disclose for research purposes health information which has been de-identified (in accordance with §§ 164.502(d), 164.514(a)-(c) of the rule) without regard to the provisions below.

The Privacy Rule also defines the means by which individuals/human research subjects are informed of how medical information about themselves will be used or disclosed and their rights with regard to gaining access to information about themselves, when such information is held by covered entities. Where research is concerned, the Privacy Rule protects the privacy of individually identifiable health information, while at the same time, ensuring that researchers continue to have access to medical information necessary to conduct vital research. Currently, most research involving human subjects operates under the Common Rule (codified for the Department of Health and Human Services (HHS) at Title 45 Code of Federal Regulations Part 46) and/or the Food and Drug Administration's (FDA) human subjects protection regulations, which have some provisions that are similar to, but more stringent than and separate from, the Privacy Rule's provisions for research.

Using and Disclosing PHI for Research
In the course of conducting research, researchers may create, use, and/or disclose individually identifiable health information. Under the Privacy Rule, covered entities are permitted to use and disclose PHI for research with individual authorization, or without individual authorization under limited circumstances set forth in the Privacy Rule.

Frequently Asked Questions
Q: Will the rule hinder medical research by making doctors and others less willing and/or able to share information about individual patients?
A:
We do not believe that the Privacy Rule will hinder medical research. Indeed, patients and health plan members should be more willing to participate in research when they know their information is protected. For example, in genetic studies at the National Institutes of Health (NIH), nearly 32 percent of eligible people offered a test for breast cancer risk decline to take it. The overwhelming majority of those who refuse cite concerns about health insurance discrimination and loss of privacy as the reason. The Privacy Rule both permits important research and, at the same time, encourages patients to participate in research by providing much needed assurances about the privacy of their health information.

Q: Does the Privacy Rule prohibit researchers from conditioning participation in a clinical trial on an authorization to use/disclose existing PHI?
A:
No. The Privacy Rule does not address conditions for enrollment in a research study. Therefore, the Privacy Rule in no way prohibits researchers from conditioning enrollment in a research study on the execution of an authorization for the use of pre-existing health information.


RESTRICTIONS ON GOVERNMENT ACCESS TO HEALTH INFORMATION
[45 CFR §§ 160.300, 164.512(b), 164.512(f)]

Background
Under the Privacy Rule, government-operated health plans and health care providers must meet substantially the same requirements as private ones for protecting the privacy of individually identifiable health information. For instance, government-run health plans, such as Medicare and Medicaid, must take virtually the same steps to protect the claims and health information that they receive from beneficiaries as private insurance plans or health maintenance organizations (HMOs). In addition, all federal agencies must also meet the requirements of the Privacy Act of 1974, which restricts what information about individual citizens - including any personal health information - can be shared with other agencies and with the public.
The only new authority for government involves enforcement of the Privacy Rule itself. In order to ensure covered entities protect patients' privacy as required, the rule provides that health plans, hospitals, and other covered entities cooperate with the Department's efforts to investigate complaints or otherwise ensure compliance. The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for enforcing the privacy protections and access rights for consumers under this rule.

Frequently Asked Questions
Q: Does the rule require my doctor to send my medical records to the government?
A:
No. The rule does not require a physician or any other covered entity to send medical information to the government for a government database or similar operation. This rule does not require or allow any new government access to medical information, with one exception: the rule does give OCR the authority to investigate complaints and to otherwise ensure that covered entities comply with the rule.
As is typical in many enforcement settings, OCR may need to look at how a covered entity handled medical records and other personal health information. The Privacy Rule limits disclosure to OCR to information that is "pertinent to ascertaining compliance." OCR will maintain stringent controls to safeguard any individually identifiable health information that it receives. If covered entities could avoid or ignore enforcement requests, consumers would not have a way to ensure an independent review of their concerns about privacy violations under the rule.

Q: Why would a Privacy Rule require covered entities to turn over anybody's personal health information as part of a government enforcement process?
A:
An important ingredient in ensuring compliance with the Privacy Rule is the Department's responsibility to investigate complaints that the rule has been violated and to follow up on other information regarding noncompliance. At times, this responsibility entails seeing personal health information, such as when an individual indicates to the Department that they believe a covered entity has not properly handled their medical records.

What information would be needed depends on the circumstances and the alleged violations. The Privacy Rule limits OCR's access to information that is "pertinent to ascertaining compliance." In some cases, no personal health information would be needed. For instance, OCR may need to review only a business contract to determine whether a health plan included appropriate language to protect privacy when it hired an outside company to help process claims.

Examples of investigations that may require OCR to have access to protected health information (PHI) include:

Q: Will this rule make it easier for police and law enforcement agencies to get my medical information?
A:
No. The rule does not expand current law enforcement access to individually identifiable health information. In fact, it limits access to a greater degree than currently exists. Today, law enforcement officers obtain health information for many purposes, sometimes without a warrant or other prior process. The rule establishes new procedures and safeguards to restrict the circumstances under which a covered entity may give such information to law enforcement officers.
Even in those circumstances when disclosure to law enforcement is permitted by the rule, the Privacy Rule does not require covered entities to disclose any information. However, unless the disclosure is required by some other law, covered entities should use their professional judgment to decide whether to disclose information, reflecting their own policies and ethical principles. In other words, doctors, hospitals, and health plans could continue to follow their own policies to protect privacy in such instances.


PAYMENT
[45 CFR § 164.501]

General Requirements
As provided for by the Privacy Rule, a covered entity may use and disclose protected health information (PHI) for payment purposes. "Payment" is a defined term that encompasses the various activities of health care providers to obtain payment or be reimbursed for their services and for a health plan to obtain premiums, to fulfill their coverage responsibilities and provide benefits under the plan, and to obtain or provide reimbursement for the provision of health care.

In addition to the general definition, the Privacy Rule provides examples of common payment activities which include, but are not limited to:

Frequently Asked Questions
Q: Does the rule prevent reporting to consumer credit reporting agencies or otherwise create any conflict with the Fair Credit Reporting Act (FCRA)?
A:
No. The Privacy Rule's definition of "payment" includes disclosures to consumer reporting agencies. These disclosures, however, are limited to the following PHI about the individual: name and address; date of birth; social security number; payment history; account number. In addition, disclosure of the name and address of the health care provider or health plan making the report is allowed. The covered entity may perform this payment activity directly or may carry out this function through a third party, such as a collection agency, under a business associate arrangement.

We are not aware of any conflict in the consumer credit reporting disclosures permitted by the Privacy Rule and FCRA. The Privacy Rule permits uses and disclosures by the covered entity or its business associate as may be required by FCRA or other law. Therefore, we do not believe there would be a conflict between the Privacy Rule and legal duties imposed on data furnishers by FCRA.

Q: Does the Privacy Rule prevent health plans and providers from using debt collection agencies? Does the rule conflict with the Fair Debt Collection Practices Act?
A:
The Privacy Rule permits covered entities to continue to use the services of debt collection agencies. Debt collection is recognized as a payment activity within the "payment" definition. Through a business associate arrangement, the covered entity may engage a debt collection agency to perform this function on its behalf. Disclosures to collection agencies under a business associate agreement are governed by other provisions of the rule, including consent (where consent is required) and the minimum necessary requirements.


MODIFICATIONS TO THE STANDARDS FOR PRIVACY OF INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION -- FINAL RULE

August 9, 2002 HHS Press Release

Overview: The Department of Health and Human Services on August 14th will publish final modifications to the Privacy Rule to ensure that the Rule provides strong privacy protection without hindering access to quality health care. President Bush and Secretary Thompson are committed to maintaining protections for the privacy of individually identifiable health information. Based on the comments received on the notice of proposed rulemaking, the Department modified a number of provisions of the Privacy Rule.

The Standards for Privacy of Individually Identifiable Health Information (the Privacy Rule) took effect on April 14, 2001. The Privacy Rule creates national standards to protect individuals' personal health information and gives patients increased access to their medical records. As required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Privacy Rule covers health plans, health care clearinghouses, and those health care providers who conduct certain financial and administrative transactions electronically. Most covered entities must comply with the Privacy Rule by April 14, 2003. Small health plans have until April 14, 2004 to comply with the Rule.

Final Modifications:
Marketing -- The final Rule requires a covered entity to obtain an individual's prior written authorization to use his or her protected health information for marketing purposes except for a face-to-face encounter or a communication involving a promotional gift of nominal value. The Department defines marketing to distinguish between the types of communications that are and are not marketing, and makes clear that a covered entity is prohibited from selling lists of patients and enrollees to third parties or from disclosing protected health information to a third party for the marketing activities of the third party, without the individual's authorization. The Rule clarifies that doctors and other covered entities communicating with patients about treatment options or the covered entity's own health-related products and services are not considered marketing. For example, health care plans can inform patients of additional health plan coverage and value-added items and services, such as discounts for prescription drugs or eyeglasses.

Consent and Notice -- The Department makes changes to protect privacy while eliminating barriers to treatment by strengthening the notice requirement and making consent for routine health care delivery purposes (known as treatment, payment, and health care operations) optional. The Rule requires covered entities to provide patients with notice of the patient's privacy rights and the privacy practices of the covered entity. The strengthened notice requires direct treatment providers to make a good faith effort to obtain patient's written acknowledgement of the notice of privacy rights and practices. The final Rule promotes access to care by removing mandatory consent requirements that would inhibit patient access to health care while providing covered entities with the option of developing a consent process that works for that entity. The Rule also allows consent requirements already in place to continue.

Uses and Disclosures Regarding Food and Drug Administration (FDA)-Regulated Products and Activities -- The final Rule permits covered entities to disclose protected health information, without authorization, to a person subject to the jurisdiction of the FDA for public health purposes related to the quality, safety or effectiveness of FDA-regulated products or activities such as collecting or reporting adverse events, dangerous products, and defects or problems with FDA-regulated products. This assures that information will continue to be available to protect public health and safety, as it is today.
Incidental Use and Disclosure -- The final Rule acknowledges that uses or disclosures that are incidental to an otherwise permitted use or disclosure may occur. Such incidental uses or disclosures are not considered a violation of the Rule provided that the covered entity has met the reasonable safeguards and minimum necessary requirements. For example, if these requirements are met, doctors' offices may use waiting room sign-in sheets, hospitals may keep patient charts at bedside, doctors can talk to patients in semi-private rooms, and doctors can confer at nurse's stations without fear of violating the rule if overheard by a passerby.

Authorization -- The final Rule clarifies the authorization requirements to the Privacy Rule to, among other things, eliminate separate authorization requirements for covered entities. Patients will have to grant permission in advance for each type of non-routine use or disclosure, but providers will not have to use different types of forms. These modifications also consolidate and streamline core elements and notification requirements.

Minimum Necessary -- The final Rule exempts from the minimum necessary standards any uses or disclosures for which the covered entity has received an authorization. The Rule previously exempted only certain types of authorizations from the minimum necessary requirement, but since the rule will only have one type of authorization, the exemption is now applied to all authorizations. Minimum necessary requirements are still in effect to ensure an individual's privacy for most other uses and disclosures.

The Department clarifies in the preamble that the minimum necessary standard is not intended to impede disclosures necessary for workers' compensation programs. The Department will actively monitor to ensure that workers' compensation programs are not unduly affected by the Rule.

Parents and Minors -- The final Rule clarifies that state law, or other applicable law, governs in the area of parents and minors. Generally, the Privacy Rule provides parents with new rights to control the health information about their minor children, with limited exceptions that are based on state or other applicable law and professional practice. For example, where a state has explicitly addressed disclosure of a minor's health information to a parent, or access to a child's medical record by a parent, the final Rule clarifies that state law governs. In addition, the final Rule clarifies that, in the special cases in which the minor controls his or her own health information under such law and that law does not define the parents' ability to access the child's health information, a licensed health care provider continues to be able to exercise discretion to grant or deny such access as long as that decision is consistent with the state or other applicable law.

Business Associates -- The final Rule gives covered entities (except small health plans) up to an additional year to change existing written contracts to come into compliance with the business associate requirements. The additional time will ease the burden of covered entities renegotiating contracts all at once. The Department has also provided sample business associate contract provisions.
Research -- The final Rule facilitates researchers' use of a single combined form to obtain informed consent for the research and authorization to use or disclose protected health information for such research. The final Rule also clarifies the requirements relating to a researcher obtaining an IRB or Privacy Board waiver of authorization by streamlining the privacy waiver criteria to more closely follow the requirement of the "Common Rule," which governs federally funded research. The transition provisions have been expanded to prevent needless interruption of ongoing research.

Limited Data Set -- The final Rule permits the creation and dissemination of a limited data set (that does not include directly identifiable information) for research, public health, and health care operations. In addition, to further protect privacy, the final Rule conditions disclosure of the limited data set on a covered entity and the recipient entering into a data use agreement, in which the recipient would agree to limit the use of the data set for the purposes for which it was given, and to ensure the security of the data, as well as not to identify the information or use it to contact any individual.

Other provisions:

The final Rule also includes technical corrections and additional clarifications related to various sections of the existing rule. The final Rule is designed to ensure that protections for patient privacy are implemented in a manner that maximizes privacy while not compromising either the availability or the quality of medical care.

On July 6, 2001, the Department issued its first guidance to answer common questions and clarify certain of the Privacy Rule's provisions. The Department is committed to assisting covered entities come into compliance with the Rule. Therefore, the Department will update the guidance to reflect the modifications adopted in this final Rule. The revised guidance will be available on the HHS Office for Civil Rights Privacy Web site at http://www.hhs.gov/ocr/hipaa/.

