We proposed to define “disclosure” to mean the release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information. The final rule is unchanged. We note that the transfer of protected health information from a covered entity to a business associate is a disclosure for purposes of this regulation.
Comment: A number of commenters asked that the definition of “disclosure” be modified so that it is clear that it does not include the release, transfer, provision of access to, or divulging in any other manner of protected health information to the individual who is the subject of that information. It was suggested that we revise the definition in this way to clarify that a health care provider may release protected health information to the subject of the information without first requiring that the patient complete an authorization form.
Response: We agree with the commenters’ concern, but accomplish this result through a different provision in the regulation. In § 164.502 of this final rule, we specify that disclosures of protected health information to the individual are not subject to the limitations on disclosure of protected health information otherwise imposed by this rule.
Comment: A number of commenters stated that the regulation should not apply to disclosures occurring within or among different subsidiaries or components of the same entity. One commenter interpreted “disclosure” to mean outside the agency or, in the case of a state Department of Health, outside sister agencies and offices that directly assist the Secretary in performing Medicaid functions and are listed in the state plan as entitled to receive Medicaid data.
Response: We agree that there are circumstances under which related organizations may be treated as a single covered entity for purposes of protecting the privacy of health information, and modify the rule to accommodate such circumstances. In § 164.504 of the final rule, we specify the conditions under which affiliated companies may combine into a single covered entity and similarly describe which components of a larger organization must comply with the requirements of this rule. For example, transfers of information within the designated component or affiliated entity are uses while transfers of information outside the designated component or affiliated entity are disclosures. See the discussion of § 164.504 for further information and rationale. It is not clear from these comments whether the particular organizational arrangements described could constitute a single covered entity.
Comment: A commenter noted that the definition of “disclosure” should reflect that health plan correspondence containing protected health information, such as Explanation of Benefits (EOBs), is frequently sent to the policyholder. Therefore, it was suggested that the words “provision of access to” be deleted from the definition and that a “disclosure” be clarified to include the conveyance of protected health information to a third party.
Response: The definition is, on its face, broad enough to cover the transfers of information
described and so is not changed. We agree that health plans must be able to send EOBs to policyholders.
Sending EOB correspondence to a policyholder by a covered entity is a disclosure for purposes of this rule,
but it is a disclosure for purposes of payment. Therefore, subject to the provisions of § 164.522(b) regarding
Confidential Communications, it is permitted even if it discloses to the policyholder protected health information
about another individual (see below).
