Proposed Standards for Privacy and Individually Identifiable Health Information

1. Use and disclosure for treatment, payment, and health care operations. (§ 164.506(a))

We are proposing that, subject to limited exceptions for psychotherapy notes and research information unrelated to treatment discussed below, a covered entity be permitted to use or disclose protected health information without individual authorization for treatment, payment or health care operations.

The Secretary’s Recommendations proposed that covered entities be able to use individually identifiable health information without authorization of the identified individual for treatment and payment and for purposes that are “compatible with and directly related to” treatment and payment. The Recommendations further explained that the terms “treatment” and “payment” were to be construed broadly, encompassing treatment and payment for all patients. They also noted that the test of “compatible with and directly related to” is meant to be more restrictive than the test currently used in the Privacy Act, 5. U.S.C. 552a, for determining whether a proposed “routine use” is sufficiently related to the primary purpose for which the information would be collected to permit its release under the proposed “routine use.” The Privacy Act permits release of such information if the proposed routine use is “compatible with” the purpose for which the information is collected. Our proposal is intended to be consistent with this discussion from the Secretary’s Recommendations.

a. General rule for treatment, payment, and health care operations.

We are not proposing to require individual authorizations of uses and disclosures for health care and related purposes, although such authorizations are routinely gathered today as a condition of obtaining health care or enrolling in a health plan. Although many current disclosures of health information are made pursuant to individual authorizations, these authorizations provide individuals with little actual control over their health information. When an individual is required to sign a blanket authorization at the point of receiving care or enrolling for coverage, that consent is often not voluntary because the individual must sign the form as a condition of treatment or payment for treatment. Individuals are also often asked to sign broad authorizations but are provided little or no information about how their health information may be or will in fact be used. Individuals cannot make a truly informed decision without knowing all the possible uses, disclosures and re-disclosures to which their information will be subject. In addition, since the authorization usually precedes creation of the record, the individual cannot predict all the information the record may contain and therefore cannot make an informed decision as to what would be released.

Our proposal is intended to make the exchange of protected health information relatively easy for health care purposes and more difficult for purposes other than health care. For individuals, health care treatment and payment are the core functions of the health care system. This is what they expect their health information will be used for when they seek medical care and present their proof of insurance to the provider. Consistent with this expectation, we considered requiring a separate individual authorization for every use or disclosure of information but rejected such an approach because it would not be realistic in an increasingly integrated health care system. For example, a requirement for separate patient authorization for each routine referral could impair care, by delaying consultation and referral, as well as payment.

We therefore propose that covered entities be permitted to use and disclose protected health information without individual authorization for treatment and payment purposes, and for related purposes that we have defined as health care operations. For example, health care providers could maintain and refer to a medical record, disclose information to other providers or persons as necessary for consultation about diagnosis or treatment, and disclose information as part of referrals to other providers. Health care providers also could use a patient’s protected health information for payment purposes such as submitting a claim to a payer. In addition, they could use a patient’s protected health information for health care operations, such as use for an internal quality oversight review. We would note that, in the case of an individual where the provider has agreed to restrictions on use or disclosure of the patient’s protected health information, the provider is bound by such restrictions as provided in § 164.506(c).

Similarly, health plans could use an enrollee’s protected health information for payment purposes, such as reviewing and paying health claims that have been submitted to it, pre- admission screening of a request for hospitalization, or post-claim audits of health care providers. Health plans also could use an enrollee’s protected health information for health care operations, such as reviewing the utilization patterns or outcome performance of providers participating in their network.

Further, as described in more detail below, health care providers and health plans would not need individual authorization to provide protected health information to a business partner for treatment, payment or health care operations functions if the other requirements for disclosing to business partners are met. See proposed § 164.506(e).

We intend that the right to use and disclose protected health information be interpreted to apply for treatment and payment of all individuals. For example, in the course of providing care to a patient, a physician could wish to examine the records of other patients with similar conditions. Likewise, a physician could consult the records of several people in the same family or living in the same household to assist in diagnosis of conditions that could be contagious or that could arise from a common environmental factor. A health plan or a provider could use the protected health information of a number of enrollees to develop treatment protocols, practice guidelines, or to assess quality of care. All of these uses would be permitted under this proposed rule.

Our proposal would not restrict to whom disclosures could be made for treatment, payment or operations. For example, covered entities could make disclosures to non-covered entities for payment purposes, such as a disclosure to a workers compensation carrier for coordination of benefits purposes. We note, however, that when disclosures are made to non- covered entities, the ability of this proposed rule to protect the confidentiality of the information ends. This points to the need for passage of more comprehensive privacy legislation that would permit the restrictions on use and disclosure to follow the information beyond covered entities.

We also propose to prohibit covered entities from seeking individual authorization for uses and disclosures for treatment, payment and health care operations unless required by State or other applicable law. As discussed above in this section, such authorizations could not provide meaningful privacy protections or individual control and could in fact cultivate in individuals erroneous understandings of their rights and protections.

The general approach that we are proposing is not new. Some existing State health confidentiality laws permit disclosures without individual authorization to other health care providers treating the individual, and the Uniform Health-Care Information Act permits disclosure “to a person who is providing health-care to the patient” (9 part I, U.L.A. 475, 2-104 (1988 and Supp. 1998)). We believe that this approach would be the most realistic way to protect individual confidentiality in an increasingly data-driven, electronic and integrated health care system. We recognize, however, that particularly given the limited scope of the authority that we have under this proposed rule to reach some significant actors in the health care system, that other approaches could be of interest. We invite comments on whether other approaches to protecting individuals’ health information would be more effective.

b. Health care operations.

We considered the extent to which the covered entities might benefit from further guidance on the types of activities that appropriately would be considered health care operations. The term is defined in proposed § 164.504. In the debates that have surrounded privacy legislation before the Congress, there has been substantial discussion of the definition of health care operations, with some parties advocating for a very broad definition and others advocating a more restrictive approach.

Given the lack of consensus over the extent of the activities that could be encompassed within the term health care operations, we determined that it would be helpful to identify activities that, in our opinion, are sufficiently unrelated to the treatment and payment functions to require a individual to authorize use of his or her information. We want to make clear that these activities would not be prohibited, and do not dispute that many of these activities are indeed beneficial to both individuals and the institutions involved. Nonetheless, they are not necessary for the key functions of treatment and payment and therefore would require the authorization of the individual before his/her information could be used. These activities would include but would not be limited to:

• the use of protected health information for marketing of health and non-health items and services;

• the disclosure of protected health information for sale, rent or barter;

• the use of protected health information by a non-health related divisions of the same corporation, e.g., for use in marketing or underwriting life or casualty insurance, or in banking services;

• the disclosure, by sale or otherwise, of protected health information to a plan or provider for making eligibility or enrollment determinations, or for underwriting or risk rating determinations, prior to the individual’s enrollment in the plan;

• the disclosure of information to an employer for use in employment determinations; and

• the use or disclosure of information for fund raising purposes.

We invite comments on the activities within the proposed definitions of “treatment,” “payment,” and “health care operations,” as well as the activities proposed to be excluded from these definitions.

c. Exception for psychotherapy notes.

We propose that a covered health care provider not be permitted to disclose psychotherapy notes, as defined by this proposed rule, for treatment, payment, or health care operations unless a specific authorization is obtained from the individual. In addition, a covered entity would not be permitted to condition treatment of an individual, enrollment of an individual in a health plan, or payment of a claim for benefits made by or on behalf of an individual on a requirement that the individual provide a specific authorization for the disclosure of psychotherapy notes.

We would define “psychotherapy notes” to mean detailed notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session. Such notes could be used only by the therapist who wrote them, would have to be maintained separately from the medical record, and could not be involved in the documentation necessary for health care treatment, payment, or operations (as defined in section 164.504). Such term would not include medication prescription and monitoring, counseling session start and stop times or the modalities and frequencies of treatment furnished, results of clinical tests, or summaries of the following items: diagnoses, functional status, the treatment plan, symptoms, prognosis and progress to date.

Psychotherapy notes are of primary value to the specific provider and the promise of strict confidentiality helps to ensure that the patient will feel comfortable freely and completely disclosing very personal information essential to successful treatment. Unlike information shared with other health care providers for the purposes of treatment, psychotherapy notes are more detailed and subjective and are subject to unique rules of disclosure. In Jaffee v. Redmond , 518 U. S. 1 (1996), the Supreme Court ruled that conversations and notes between a patient and psychotherapist are confidential and protected from compulsory disclosure. The language in the Supreme Court opinion makes the rationale clear:

Like the spousal and attorney-client privileges, the psychotherapist-patient privilege is “rooted in the imperative need for confidence and trust.” . . . Treatment by a physician for physical ailments can often proceed successfully on the basis of a physical examination, objective information supplied by the patient, and the results of diagnostic tests. Effective psychotherapy, by contrast, depends upon an atmosphere of confidence and trust in which the patient is willing to make a frank and complete disclosure of facts, emotions, memories, and fears. Because of the sensitive nature of the problems for which individuals consult psychotherapists, disclosure of confidential communications made during counseling sessions may cause embarrassment or disgrace. For this reason, the mere possibility of disclosure may impede development of the confidential relationship necessary for successful treatment. As the Judicial Conference Advisory Committee observed in 1972 when it recommended that Congress recognize a psychotherapist privilege as part of the Proposed Federal Rules of Evidence, a psychiatrist's ability to help her patients

“is completely dependent upon [the patients'] willingness and ability to talk freely. This makes it difficult if not impossible for [a psychiatrist] to function without being able to assure . . . patients of confidentiality and, indeed, privileged communication. Where there may be exceptions to this general rule . . . , there is wide agreement that confidentiality is a sine qua non for successful psychiatric treatment. ...”

By protecting confidential communications between a psychotherapist and her patient from involuntary disclosure, the proposed privilege thus serves important private interests. ... The psychotherapist privilege serves the public interest by facilitating the provision of appropriate treatment for individuals suffering the effects of a mental or emotional problem. The mental health of our citizenry, no less than its physical health, is a public good of transcendent importance.

That it is appropriate for the federal courts to recognize a psychotherapist privilege under Rule 501 is confirmed by the fact that all 50 States and the District of Columbia have enacted into law some form of psychotherapist privilege. ... Because state legislatures are fully aware of the need to protect the integrity of the fact finding functions of their courts, the existence of a consensus among the States indicates that “reason and experience” support recognition of the privilege. In addition, given the importance of the patient's understanding that her communications with her therapist will not be publicly disclosed, any State's promise of confidentiality would have little value if the patient were aware that the privilege would not be honored in a federal court. ... Jaffee, 518 U.S. 7-9.

The special status of the psychotherapist privilege in our society as well as the physical and conceptual segregation of the psychotherapy notes makes this prohibition on disclosures for treatment, payment and health care operations without a specific authorization from the individual reasonable and practical.

We note that the policy being applied to psychotherapy notes differs from the policy being applied to most other types of protected health information. For most protected health information, a covered entity would be prohibited from soliciting an authorization from an individual for treatment, payment and health operations unless such an authorization is required by other applicable law. In this case, because of the special status of psychotherapy notes as described above, we propose that a specific authorization be required before such notes can be disclosed within the treatment and payment systems. We propose this special treatment because there are few reasons why other health care entities should need the psychotherapy notes about an individual, and in those cases, the individual is in the best position to determine if the notes should be disclosed. For example, an individual could authorize disclosure if they are changing health care providers. Since we have defined psychotherapy notes in such a way that they do not include information that health plans would need to process a claim for services, special authorizations for payment purposes should be rare. We would note that the provisions governing authorizations under § 164.508 would apply to the special authorizations under this provision.

We also propose that covered entities not be permitted to condition treatment or payment decisions on a requirement that an individual provide a specific authorization for the use or disclosure of psychotherapy notes. The special protections that are being proposed would not be meaningful if covered entities could coerce individuals by conditioning treatment or payment decisions on a requirement that the individual authorize use or disclosures of such notes. This requirement would not prohibit the provider that creates the psychotherapy notes information from using the notes for treatment of the individual. The provider could not, however, condition the provision of treatment on a requirement that the individual authorize the use of the psychotherapy notes by the covered entity for other purposes or the disclosure of the notes by the provider to others.

We considered including other disclosures permitted under proposed § 164.510 within the prohibition described in this provision, but were unsure if psychotherapy notes were ever relevant to the public policy purposes underlying those disclosures. For example, we would assume that such notes are rarely disclosed for public health purposes or to next of kin. We solicit comment on whether there are additional categories of disclosures permitted under proposed § 164.510 for which the disclosure of psychotherapy notes by covered entities without specific individual authorization would be appropriate.

d. Exception for research information unrelated to treatment.

Given the voluntary, often altruistic, nature of research participation, and the experimental character of data generated from many research studies, research participants should have assurances that the confidentiality of their individually identifiable information will be maintained in a manner that respects these unique characteristics. In the process of conducting health research, some information that is collected could be related to the delivery of health care to the individual and some could be unrelated to the care of the individual. Some information that is generated in the course of a research study could have unknown analytic validity, clinical validity, or clinical utility. In general, unknown analytic or clinical validity means that the sensitivity, specificity, and predictive value of the research information is not known. Specifically, analytic validity refers to how well a test performs in measuring the property or characteristic it is intended to measure. Another element of the test’s analytical validity is its reliability – that is, it must give the same result each time. Clinical validity is the accuracy with which a test predicts a clinical condition. Unknown clinical utility means that there is an absence of scientific and medical agreement regarding the applicability of the information for the diagnosis, prevention, or treatment of any malady, or the assessment of the health of the individual.

We would define "research information unrelated to treatment" as information that is received or created by a covered entity in the course of conducting research for which there is insufficient scientific and medical evidence regarding the validity or utility of the information such that it should not be used for the purpose of providing health care, and with respect to which the covered entity has not requested payment from a health plan.

Such information should never be used in a clinical treatment protocol but could result as a byproduct of such a protocol. For example, consider a study which involves the evaluation of a new drug, as well as an assessment of a genetic marker. The drug trial includes physical and radiographic examinations, as well as blood tests to monitor potential toxicity of the new drug on the liver; all of these procedures are part of the provision of health care, and therefore, would constitute "protected health information," but not "research information unrelated to treatment." In the same study, the investigators are searching for a genetic marker for this particular disease. To date, no marker has been identified and it is uncertain whether or not the preliminary results from this research study would prove to be a marker for this disease. The genetic information generated from this study would constitute "research information unrelated to treatment".

We solicit comment on this definition of "research information unrelated to treatment" and how it would work in practice.

Because the meaning of this information is currently unknown, we would prohibit its use and disclosure for treatment, payment and health care operations unless a specific authorization is obtained from the subject of the information. Failing to limit the uses and disclosures of this information within the health payment system would place research participants at increased risk of discrimination, which could result in individuals refusing to volunteer to participate in this type of research. Without the special protections that we are proposing, we are concerned that much potentially life-saving research could be halted. Moreover, because this information that lacks analytical or clinical validity and clinical utility, and because we have defined it terms that preclude researchers from seeking third-party reimbursement for its creation, there would not be a reason for this information to be further used or disclosed within the treatment and payment system without individual authorization.

We also propose that covered entities not be permitted to condition treatment or payment decisions on a requirement that an individual provide a specific authorization for the use or disclosure of research information unrelated to treatment. The special protections that are being proposed would not be meaningful if covered entities could coerce individuals into authorizing disclosure by conditioning treatment or payment decisions on a requirement that the individual authorize disclosures of such information. This requirement would not prohibit the covered entity that creates the information from using the information for the research purposes for which it was collected. The entity could not, however, condition the provision of treatment on a requirement that the individual authorize use of research information unrelated to treatment by the covered entity for other purposes or the disclosure of the information by the covered entity to others.

We considered including other of the uses and disclosures that would be permitted under § 164.510 within the prohibition described in this provision, but were unsure if research information unrelated to treatment would ever be relevant to the public policy purposes underlying those disclosures. We solicit comment on whether there are additional categories of uses or disclosures that would be permitted under proposed § 164.510 for which the use or disclosure of such information by covered entities without specific individual authorization would be appropriate.

[Top of Page] [Previous] [Next: Minimum Necessary Use and Disclosure]