[Code of Federal Regulations]
[Title 45, Volume 1]
[Revised as of October 1, 2001]
From the U.S. Government Printing Office via GPO Access
[CITE: 45CFR164.514]
[Page 711-715]
TITLE 45--PUBLIC WELFARE
SUBTITLE A--DEPARTMENT OF HEALTH
AND HUMAN SERVICES
PART 164--SECURITY AND PRIVACY--Table of Contents
Subpart E--Privacy of Individually Identifiable Health Information
Sec. 164.514 Other requirements relating to uses and disclosures of protected health information.
(a) Standard: de-identification of protected health information.
Health information that does not identify an individual and with respect
to which there is no reasonable basis to believe that the information
can be used to identify an individual is not individually identifiable
health information.
(b) Implementation specifications: requirements for de-identification
of protected health information. A covered entity may
determine that health information is not individually identifiable
health information only if:
(1) A person with appropriate knowledge of and experience with
generally accepted statistical and scientific principles and methods for
rendering information not individually identifiable:
(i) Applying such principles and methods, determines that the risk
is very small that the information could be used, alone or in
combination with other reasonably available information, by an
anticipated recipient to identify an individual who is a subject of the
information; and
(ii) Documents the methods and results of the analysis that justify
such determination; or
(2)(i) The following identifiers of the individual or of relatives,
employers, or household members of the individual, are removed:
(A) Names;
(B) All geographic subdivisions smaller than a State, including
street address, city, county, precinct, zip code, and their equivalent
geocodes, except for the initial three digits of a zip code if,
according to the current publicly available data from the Bureau of the
Census:
(1) The geographic unit formed by combining all zip codes with the
same three initial digits contains more than 20,000 people; and
(2) The initial three digits of a zip code for all such geographic
units containing 20,000 or fewer people is changed to 000.
(C) All elements of dates (except year) for dates directly related
to an individual, including birth date, admission date, discharge date,
date of death; and all ages over 89 and all elements of dates (including
year) indicative of such age, except that such ages and elements may be
aggregated into a single category of age 90 or older;
(D) Telephone numbers;
(E) Fax numbers;
(F) Electronic mail addresses;
(G) Social security numbers;
(H) Medical record numbers;
(I) Health plan beneficiary numbers;
(J) Account numbers;
(K) Certificate/license numbers;
(L) Vehicle identifiers and serial numbers, including license plate
numbers;
(M) Device identifiers and serial numbers;
(N) Web Universal Resource Locators (URLs);
(O) Internet Protocol (IP) address numbers;
(P) Biometric identifiers, including finger and voice prints;
(Q) Full face photographic images and any comparable images; and
(R) Any other unique identifying number, characteristic, or code;
and
(ii) The covered entity does not have actual knowledge that the
information could be used alone or in combination with other information
to identify an individual who is a subject of the information.
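The Safe Harbor method in paragraph (b)(2)(i) is a concrete data transformation: eighteen identifier classes are removed, ZIP codes are reduced to three digits only where the three-digit unit exceeds 20,000 people (otherwise 000), dates keep only the year, and ages over 89 collapse into a single 90-or-older category. The following Python is an added illustration of that transformation applied to one constructed record; it is not part of the regulation and does not come from any covered entity. The field names, the sample record and the ZIP3_POPULATION table are constructed assumptions (a real implementation loads current Census figures). Note that the code retains fields by allow-list rather than by stripping a known-bad list, because (R) "any other unique identifying number, characteristic, or code" is open-ended, and that paragraph (b)(2)(ii), the absence of actual knowledge, is a judgment no filter can make for you.

```python
"""Safe Harbor de-identification (45 CFR 164.514(b)(2)(i)) for one record.

Added example, not part of the regulation text. Field names, the sample
record and the population table are constructed for illustration.
"""
import re
from datetime import date

# Constructed stand-in for "the current publicly available data from the
# Bureau of the Census": population of the geographic unit formed by all
# ZIP codes sharing the same first three digits.
ZIP3_POPULATION = {
    "021": 1_500_000,  # more than 20,000 people: first three digits may stay
    "036": 12_000,     # 20,000 or fewer people: must be changed to "000"
}

# Allow-list of fields that survive release. Anything not named here is
# dropped, which covers (A), (B), (D)-(R) without enumerating them and
# also handles unknown fields that might fall under (R).
RETAINED_FIELDS = {"diagnosis_code", "procedure_code"}


def safe_harbor_zip(zip_code: str) -> str:
    """(B): keep the first three digits only if the three-digit unit has
    more than 20,000 people; otherwise return '000'."""
    digits = re.sub(r"\D", "", zip_code)[:3]
    if len(digits) < 3:
        return "000"
    return digits if ZIP3_POPULATION.get(digits, 0) > 20_000 else "000"


def safe_harbor_age(birth: date, as_of: date) -> str:
    """(C): ages over 89 are aggregated into a single '90+' category."""
    had_birthday = (as_of.month, as_of.day) >= (birth.month, birth.day)
    age = as_of.year - birth.year - (0 if had_birthday else 1)
    return "90+" if age > 89 else str(age)


def safe_harbor_birth_year(birth: date, age_label: str) -> str:
    """(C): dates keep only the year, and even the birth year is removed
    when it would be indicative of an age over 89."""
    return "" if age_label == "90+" else str(birth.year)


def deidentify(record: dict, as_of: date) -> dict:
    """Produce the Safe Harbor view of one constructed patient record."""
    age_label = safe_harbor_age(record["birth_date"], as_of)
    out = {
        "age": age_label,
        "birth_year": safe_harbor_birth_year(record["birth_date"], age_label),
        # Admission date directly relates to the individual: year only.
        "admission_year": str(record["admission_date"].year),
        "zip3": safe_harbor_zip(record["zip"]),
    }
    for field in RETAINED_FIELDS:
        if field in record:
            out[field] = record[field]
    return out


# Constructed sample record; every identifier value is a placeholder.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "ssn": "000-00-0000",
    "mrn": "MRN-EXAMPLE-1",
    "email": "jane@example.org",
    "street": "1 Example St",
    "city": "Cambridge",
    "county": "Middlesex",
    "zip": "02139",
    "birth_date": date(1985, 3, 15),
    "admission_date": date(2021, 4, 2),
    "diagnosis_code": "E11.9",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD, as_of=date(2021, 10, 1)))
```

The elderly branch is the one most often missed: for a person born in 1930 the output carries "90+" and an empty birth year, because the year itself would be "indicative of such age".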
(c) Implementation specifications: re-identification. A covered
entity may assign a code or other means of record identification to
allow information de-identified under this section to be re-identified
by the covered entity, provided that:
(1) Derivation. The code or other means of record identification is
not derived from or related to information about the individual and is
not otherwise capable of being translated so as to identify the
individual; and
(2) Security. The covered entity does not use or disclose the code
or other means of record identification for any other purpose, and does
not disclose the mechanism for re-identification.
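Paragraph (c)(1) rules out any re-identification code that can be computed from information about the individual, and (c)(2) requires the mapping back to the individual to stay with the covered entity. The Python below is an added illustration of both points; it is not part of the regulation. It contrasts a code derived by hashing the medical record number, which anyone holding the MRN can recompute and which therefore fails (c)(1), with a random code whose only link to the individual is a key table held separately. Function names and the sample records are constructed assumptions.

```python
"""Re-identification codes under 45 CFR 164.514(c).

Added example, not part of the regulation text. Function names and the
sample records are constructed for illustration.
"""
import hashlib
import secrets
from typing import Dict, List, Optional, Tuple


def noncompliant_code(mrn: str) -> str:
    """Derived from the medical record number, so it is "derived from or
    related to information about the individual" and anyone with the MRN
    can translate it back. Shown only as the pattern (c)(1) forbids."""
    return hashlib.sha256(mrn.encode()).hexdigest()


def compliant_code() -> str:
    """Random code unrelated to any attribute of the individual (c)(1)."""
    return secrets.token_hex(16)


def split_for_release(records: List[dict]) -> Tuple[List[dict], Dict[str, str]]:
    """Return (records for release, key table).

    The key table maps each code back to the MRN. Per (c)(2) it stays with
    the covered entity, is used for no other purpose, and is never shipped
    with the released records."""
    release: List[dict] = []
    key_table: Dict[str, str] = {}
    for rec in records:
        code = compliant_code()
        while code in key_table:  # practically impossible, but keep codes unique
            code = compliant_code()
        key_table[code] = rec["mrn"]
        release.append({"reid_code": code,
                        **{k: v for k, v in rec.items() if k != "mrn"}})
    return release, key_table


def reidentify(code: str, key_table: Dict[str, str]) -> Optional[str]:
    """Only the holder of the key table can go from code to individual."""
    return key_table.get(code)


# Constructed sample records; the MRN values are placeholders.
SAMPLE_RECORDS = [
    {"mrn": "MRN-EXAMPLE-A", "diagnosis_code": "E11.9"},
    {"mrn": "MRN-EXAMPLE-B", "diagnosis_code": "I10"},
]

if __name__ == "__main__":
    released, keys = split_for_release(SAMPLE_RECORDS)
    print(released)           # leaves the entity
    print(len(keys), "keys")  # stays behind, under (c)(2)
```

The released records carry nothing the key table could be rebuilt from, which is exactly what separates a random code from a hashed identifier.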
(d)(1) Standard: minimum necessary requirements. A covered entity
must reasonably ensure that the standards, requirements, and
implementation specifications of Sec. 164.502(b) and this section
relating to a request for or the use and disclosure of the minimum
necessary protected health information are met.
(2) Implementation specifications: minimum necessary uses of
protected health information. (i) A covered entity must identify:
(A) Those persons or classes of persons, as appropriate, in its
workforce who need access to protected health information to carry out
their duties; and
(B) For each such person or class of persons, the category or
categories of protected health information to which access is needed and
any conditions appropriate to such access.
(ii) A covered entity must make reasonable efforts to limit the
access of such persons or classes identified in paragraph (d)(2)(i)(A)
of this section to protected health information consistent with
paragraph (d)(2)(i)(B) of this section.
(3) Implementation specification: Minimum necessary disclosures of
protected health information. (i) For any type of disclosure that it
makes on a routine and recurring basis, a covered entity must implement
policies and procedures (which may be standard protocols) that limit the
protected health information disclosed to the amount reasonably
necessary to achieve the purpose of the disclosure.
(ii) For all other disclosures, a covered entity must:
(A) Develop criteria designed to limit the protected health
information disclosed to the information reasonably necessary to
accomplish the purpose for which disclosure is sought; and
(B) Review requests for disclosure on an individual basis in
accordance with such criteria.
(iii) A covered entity may rely, if such reliance is reasonable
under the circumstances, on a requested disclosure as the minimum
necessary for the stated purpose when:
(A) Making disclosures to public officials that are permitted under
Sec. 164.512, if the public official represents that the information
requested is the minimum necessary for the stated purpose(s);
(B) The information is requested by another covered entity;
(C) The information is requested by a professional who is a member
of its workforce or is a business associate of the covered entity for
the purpose of providing professional services to the covered entity, if
the professional represents that the information requested is the
minimum necessary for the stated purpose(s); or
(D) Documentation or representations that comply with the applicable
requirements of Sec. 164.512(i) have been provided by a person
requesting the information for research purposes.
(4) Implementation specifications: Minimum necessary requests for
protected health information. (i) A covered entity must limit any
request for protected health information to that which is reasonably
necessary to accomplish the purpose for which the request is made, when
requesting such information from other covered entities.
(ii) For a request that is made on a routine and recurring basis, a
covered entity must implement policies and procedures (which may be
standard protocols) that limit the protected health information
requested to the amount reasonably necessary to accomplish the purpose
for which the request is made.
(iii) For all other requests, a covered entity must review the
request on an individual basis to determine that the protected health
information sought is limited to the information reasonably necessary to
accomplish the purpose for which the request is made.
(5) Implementation specification: Other content requirement. For all
uses, disclosures, or requests to which the requirements in paragraph
(d) of this section apply, a covered entity may not use, disclose, or
request an entire medical record, except when the entire medical record
is specifically justified as the amount that is reasonably necessary to
accomplish the purpose of the use, disclosure, or request.
(e)(1) Standard: Uses and disclosures of protected health
information for marketing. A covered entity may not use or disclose
protected health information for marketing without an authorization that
meets the applicable requirements of Sec. 164.508, except as provided
for by paragraph (e)(2) of this section.
(2) Implementation specifications: Requirements relating to
marketing. (i) A covered entity is not required to obtain an
authorization under Sec. 164.508 when it uses or discloses protected
health information to make a marketing communication to an individual
that:
(A) Occurs in a face-to-face encounter with the individual;
(B) Concerns products or services of nominal value; or
(C) Concerns the health-related products and services of the covered
entity or of a third party and the communication meets the applicable
conditions in paragraph (e)(3) of this section.
(ii) A covered entity may disclose protected health information for
purposes of such communications only to a business associate that
assists the covered entity with such communications.
(3) Implementation specifications: Requirements for certain
marketing communications. For a marketing communication to qualify under
paragraph (e)(2)(i) of this section, the following conditions must be
met:
(i) The communication must:
(A) Identify the covered entity as the party making the
communication;
(B) If the covered entity has received or will receive direct or
indirect remuneration for making the communication, prominently state
that fact; and
(C) Except when the communication is contained in a newsletter or
similar type of general communication device that the covered entity
distributes to a broad cross-section of patients, enrollees, or other
broad groups of individuals, contain instructions describing how the
individual may opt out of receiving future such communications.
(ii) If the covered entity uses or discloses protected health
information to target the communication to individuals based on their
health status or condition:
(A) The covered entity must make a determination prior to making the
communication that the product or service being marketed may be
beneficial to the health of the type or class of individual targeted;
and
(B) The communication must explain why the individual has been
targeted and how the product or service relates to the health of the
individual.
(iii) The covered entity must make reasonable efforts to ensure that
individuals who decide to opt out of receiving future marketing
communications, under paragraph (e)(3)(i)(C) of this section, are not
sent such communications.
(f)(1) Standard: Uses and disclosures for fundraising. A covered
entity may use, or disclose to a business associate or to an
institutionally related foundation, the following protected health
information for the purpose of raising funds
for its own benefit, without an authorization meeting the requirements
of Sec. 164.508:
(i) Demographic information relating to an individual; and
(ii) Dates of health care provided to an individual.
(2) Implementation specifications: Fundraising requirements. (i) The
covered entity may not use or disclose protected health information for
fundraising purposes as otherwise permitted by paragraph (f)(1) of this
section unless a statement required by Sec. 164.520(b)(1)(iii)(B) is
included in the covered entity's notice;
(ii) The covered entity must include in any fundraising materials it
sends to an individual under this paragraph a description of how the
individual may opt out of receiving any further fundraising
communications.
(iii) The covered entity must make reasonable efforts to ensure that
individuals who decide to opt out of receiving future fundraising
communications are not sent such communications.
(g) Standard: Uses and disclosures for underwriting and related
purposes. If a health plan receives protected health information for the
purpose of underwriting, premium rating, or other activities relating to
the creation, renewal, or replacement of a contract of health insurance
or health benefits, and if such health insurance or health benefits are
not placed with the health plan, such health plan may not use or
disclose such protected health information for any other purpose, except
as may be required by law.
(h)(1) Standard: Verification requirements. Prior to any disclosure
permitted by this subpart, a covered entity must:
(i) Except with respect to disclosures under Sec. 164.510, verify
the identity of a person requesting protected health information and the
authority of any such person to have access to protected health
information under this subpart, if the identity or any such authority of
such person is not known to the covered entity; and
(ii) Obtain any documentation, statements, or representations,
whether oral or written, from the person requesting the protected health
information when such documentation, statement, or representation is a
condition of the disclosure under this subpart.
(2) Implementation specifications: Verification. (i) Conditions on
disclosures. If a disclosure is conditioned by this subpart on
particular documentation, statements, or representations from the person
requesting the protected health information, a covered entity may rely,
if such reliance is reasonable under the circumstances, on
documentation, statements, or representations that, on their face, meet
the applicable requirements.
(A) The conditions in Sec. 164.512(f)(1)(ii)(C) may be satisfied by
the administrative subpoena or similar process or by a separate written
statement that, on its face, demonstrates that the applicable
requirements have been met.
(B) The documentation required by Sec. 164.512(i)(2) may be
satisfied by one or more written statements, provided that each is
appropriately dated and signed in accordance with Sec. 164.512(i)(2)(i)
and (v).
(ii) Identity of public officials. A covered entity may rely, if
such reliance is reasonable under the circumstances, on any of the
following to verify identity when the disclosure of protected health
information is to a public official or a person acting on behalf of the
public official:
(A) If the request is made in person, presentation of an agency
identification badge, other official credentials, or other proof of
government status;
(B) If the request is in writing, the request is on the appropriate
government letterhead; or
(C) If the disclosure is to a person acting on behalf of a public
official, a written statement on appropriate government letterhead that
the person is acting under the government's authority or other evidence
or documentation of agency, such as a contract for services, memorandum
of understanding, or purchase order, that establishes that the person is
acting on behalf of the public official.
(iii) Authority of public officials. A covered entity may rely, if
such reliance is reasonable under the circumstances, on any of the
following to verify authority when the disclosure of protected health
information is to a
public official or a person acting on behalf of the public official:
(A) A written statement of the legal authority under which the
information is requested, or, if a written statement would be
impracticable, an oral statement of such legal authority;
(B) If a request is made pursuant to legal process, warrant,
subpoena, order, or other legal process issued by a grand jury or a
judicial or administrative tribunal is presumed to constitute legal
authority.
(iv) Exercise of professional judgment. The verification
requirements of this paragraph are met if the covered entity relies on
the exercise of professional judgment in making a use or disclosure in
accordance with Sec. 164.510 or acts on a good faith belief in making a
disclosure in accordance with Sec. 164.512(j).