


 

AIS Side-by-Side Comparison of March 27 Proposed Modifications to Existing HIPAA Regulatory Language

Minimum Necessary Standard

HHS Fact Sheet

Minimum Necessary and Oral Communications – The "minimum necessary" provision is an essential element in the privacy protections for individual health information. This provision requires covered entities to make reasonable efforts to limit the use and disclosure of and request for protected health information to the minimum necessary to accomplish the intended purpose. The proposal would retain both the oral communication and "minimum necessary" requirements, but it would make clear that a doctor could discuss a patient's treatment with other doctors and professionals involved in the patient's care without fear of violating the rule if they are overheard. As long as a covered entity met the minimum necessary standards and took reasonable safeguards to protect personal health information, incidental disclosures -- such as another patient overhearing a fragment of conversation -- would not be an impermissible disclosure.

Preamble Discussion: 67 Federal Register p. 14785

AIS Regulatory Comparison

Provisions Affected:
§ 164.502, § 164.514

How to Read the Table

Proposed changes from the March 27, 2002 Federal Register are in the left column. Existing language, from the December 28, 2000 final rule, is in the right column. The legend for changes is as follows:

Legend
Bold underlined text = proposed revision.
Red text (or within a clause red text with strikethrough) = language proposed for deletion or revision.
[Bracketed text] = editor's note to change.
Regular text = Unchanged existing language

§ 164.502 Uses and disclosures of protected health information: general rules.

Proposed Revisions, Federal Register, 3/27/2002

Existing Language, Final Rule, 12/28/2000

§ 164.502 Uses and disclosures of protected health information: general rules.

§ 164.502 Uses and disclosures of protected health information: general rules.

(a) Standard.

[No changes proposed through (a)(1)(i)]

(a) Standard. A covered entity may not use or disclose protected health information, except as permitted or required by this subpart or by subpart C of part 160 of this subchapter.

(1) Permitted uses and disclosures. A covered entity is permitted to use or disclose protected health information as follows:

(i) To the individual; 

(ii) For treatment, payment, or health care operations, as permitted by and in compliance with §164.506;

(iii) As incident to a use or disclosure otherwise permitted or required by this subpart, provided that the covered entity has complied with the applicable requirements of §164.502(b), §164.514(d), and §164.530(c) with respect to such otherwise permitted or required uses or disclosures;

[(ii) and (iii), below, have been deleted and replaced]

(ii) Pursuant to and in compliance with a consent that complies with § 164.506, to carry out

(iii) Without consent, if consent is not required under § 164.506(a) and has not been sought under § 164.506(a)(4), to carry out treatment, payment, or health care operations, except with respect to psychotherapy notes;

[conforming change only in iv-vi]

(iv) Pursuant to and in compliance with an authorization that complies with § 164.508;

(v) Pursuant to an agreement under, or as otherwise permitted by, § 164.510; and

(vi) As permitted by and in compliance with this section, § 164.512, or § 164.514(e), (f), and (g).

(2) Required disclosures.

[No changes proposed for (2)]

(2) Required disclosures. A covered entity is required to disclose protected health information:

(i) To an individual, when requested under, and as required by §§ 164.524 or 164.528; and

(ii) When required by the Secretary under subpart C of part 160 of this subchapter to investigate or determine the covered entity's compliance with this subpart.

(b) Standard: minimum necessary.

[No change proposed for (b)(1)]

(b) Standard: minimum necessary.

(1) Minimum necessary applies. When using or disclosing protected health information or when requesting protected health information from another covered entity, a covered entity must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.

(2) Minimum necessary does not apply.

[No changes proposed for (i); (ii) revised]

(ii) Uses or disclosures made to the individual, as permitted under paragraph (a)(1)(i) of this section, as required by paragraph (a)(2)(i) of this section;

(2) Minimum necessary does not apply. This requirement does not apply to:

(i) Disclosures to or requests by a health care provider for treatment;

(ii) Uses or disclosures made to the individual, as permitted under paragraph (a)(1)(i) of this section, as required by paragraph (a)(2)(i) of this section, or pursuant to an authorization under § 164.508, except for authorizations requested by the covered entity under § 164.508(d), (e), or (f);  

(iii) Uses or disclosures made pursuant to an authorization under §164.508; 

[add new (iii)]

 

[renumber clauses; no language change]

(iii) (iv) Disclosures made to the Secretary in accordance with subpart C of part 160 of this subchapter;

(iv) (v) Uses or disclosures that are required by law, as described by § 164.512(a); and

(v) (vi) Uses or disclosures that are required for compliance with applicable requirements of this subchapter.

(c) Standard: uses and disclosures of protected health information subject to an agreed upon restriction.

[No changes proposed to (c).]

(c) Standard: uses and disclosures of protected health information subject to an agreed upon restriction. A covered entity that has agreed to a restriction pursuant to § 164.522(a)(1) may not use or disclose the protected health information covered by the restriction in violation of such restriction, except as otherwise provided in § 164.522(a). 

(d) Standard: uses and disclosures of de-identified protected health information.

[No changes proposed to (d).]

(d) Standard: uses and disclosures of de-identified protected health information.

(1) Uses and disclosures to create de-identified information. A covered entity may use protected health information to create information that is not individually identifiable health information or disclose protected health information only to a business associate for such purpose, whether or not the de-identified information is to be used by the covered entity.

(2) Uses and disclosures of de-identified information. Health information that meets the standard and implementation specifications for de-identification under § 164.514(a) and (b) is considered not to be individually identifiable health information, i.e., de-identified. The requirements of this subpart do not apply to information that has been de-identified in accordance with the applicable requirements of § 164.514, provided that:

(i) Disclosure of a code or other means of record identification designed to enable coded or otherwise de-identified information to be re-identified constitutes disclosure of protected health information; and

(ii) If de-identified information is re-identified, a covered entity may use or disclose such re-identified information only as permitted or required by this subpart.

[For proposed changes to (e) and (g), see AIS Side-by-Side, “Business Associates,” and “Parents as Personal Representatives of Unemancipated Minors.” No changes proposed for (f), “Deceased Individuals.”]

 

§ 164.514 Other requirements relating to uses and disclosures of protected health information

Proposed Revisions, Federal Register, 3/27/2002

Existing Language, Final Rule, 12/28/2000

§ 164.514 Other requirements relating to uses and disclosures of protected health information.

§ 164.514 Other requirements relating to uses and disclosures of protected health information.

[For proposed changes to (a) - (c) regarding de-identification of PHI, see AIS Side-by-Side, “De-identification of PHI.”]

(d)(1) Standard: minimum necessary requirements.

In order to comply with § 164.502(b) and this section, a covered entity must meet the requirements of paragraphs (d)(2) through (d)(5) of this section with respect to a request for or the use and disclosure of protected health information.

(d)(1) Standard: minimum necessary requirements.

[Clause is substantially revised. Note deletion of term “reasonably ensure” in revised provision.]

A covered entity must reasonably ensure that the standards, requirements, and implementation specifications of § 164.502(b) and this section relating to a request for or the use and disclosure of the minimum necessary protected health information are met.

[No changes to (d)(2) and (3).]

(2) Implementation specifications: minimum necessary uses of protected health information.

(i) A covered entity must identify:

(A) Those persons or classes of persons, as appropriate, in its workforce who need access to protected health information to carry out their duties; and

(B) For each such person or class of persons, the category or categories of protected health information to which access is needed and any conditions appropriate to such access.

(ii) A covered entity must make reasonable efforts to limit the access of such persons or classes identified in paragraph (d)(2)(i)(A) of this section to protected health information consistent with paragraph (d)(2)(i)(B) of this section.

(3) Implementation specification: minimum necessary disclosures of protected health information.

(i) For any type of disclosure that it makes on a routine and recurring basis, a covered entity must implement policies and procedures (which may be standard protocols) that limit the protected health information disclosed to the amount reasonably necessary to achieve the purpose of the disclosure.

(ii) For all other disclosures, a covered entity must:

(A) Develop criteria designed to limit the protected health information disclosed to the information reasonably necessary to accomplish the purpose for which disclosure is sought; and

(B) Review requests for disclosure on an individual basis in accordance with such criteria.

(iii) A covered entity may rely, if such reliance is reasonable under the circumstances, on a requested disclosure as the minimum necessary for the stated purpose when:

(A) Making disclosures to public officials that are permitted under § 164.512, if the public official represents that the information requested is the minimum necessary for the stated purpose(s);

(B) The information is requested by another covered entity;

(C) The information is requested by a professional who is a member of its workforce or is a business associate of the covered entity for the purpose of providing professional services to the covered entity, if the professional represents that the information requested is the minimum necessary for the stated purpose(s); or

(D) Documentation or representations that comply with the applicable requirements of § 164.512(i) have been provided by a person requesting the information for research purposes.


(4) Implementation specifications: Minimum necessary requests for protected health information.

[No changes proposed to (i) or (ii)]

(4) Implementation specifications: Minimum necessary requests for protected health information.

(i) A covered entity must limit any request for protected health information to that which is reasonably necessary to accomplish the purpose for which the request is made, when requesting such information from other covered entities.

(ii) For a request that is made on a routine and recurring basis, a covered entity must implement policies and procedures (which may be standard protocols) that limit the protected health information requested to the amount reasonably necessary to accomplish the purpose for which the request is made.

(iii) For all other requests, a covered entity must:

(A) Develop criteria designed to limit the request for protected health information to the information reasonably necessary to accomplish the purpose for which the request is made; and

(B) Review requests for disclosure on an individual basis in accordance with such criteria.

[(iii) revised and rewritten]

(iii) For all other requests, a covered entity must review the request on an individual basis to determine that the protected health information sought is limited to the information reasonably necessary to accomplish the purpose for which the request is made.

[No changes proposed to (5).]

(5) Implementation specification: other content requirement. For all uses, disclosures, or requests to which the requirements in paragraph (d) of this section apply, a covered entity may not use, disclose or request an entire medical record, except when the entire medical record is specifically justified as the amount that is reasonably necessary to accomplish the purpose of the use, disclosure, or request.

[(e) deleted. No changes proposed to (f), fundraising, and (g), underwriting.]

 




Copyright © 2008 by Atlantic Information Services, Inc. All rights reserved.