Industries & Practices

Health Care Industry


    HIPAA Privacy Regulations: Definitions - Treatment - § 164.501

    As Contained in the HHS HIPAA Privacy Rules

    HHS Guidance: Uses and Disclosures For Treatment, Payment and Health Care Operations


    HHS Regulations
    Definitions - Treatment - § 164.501


    Treatment means the provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another.


    HHS Description
    Definitions - Treatment


    The proposed rule defined “treatment” as the provision of health care by, or the coordination of health care (including health care management of the individual through risk assessment, case management, and disease management) among, health care providers; the referral of a patient from one provider to another; or the coordination of health care or other services among health care providers and third parties authorized by the health plan or the individual. The preamble noted that the definition was intended to relate only to services provided to an individual and not to an entire enrolled population.

    In the final rule, we do not change the general approach to defining treatment: treatment means the listed activities undertaken by any health care provider, not just a covered health care provider. A plan can disclose protected health information to any health care provider to assist the provider's treatment activities; and a health care provider may use protected health information about an individual to treat another individual. A health care provider may use any protected health information it maintains for treatment purposes (e.g., a provider may use protected health information about former patients as well as current patients). We modify the proposed list of treatment activities to reflect changes requested by commenters.

    Specifically, we modify the proposed definition of “treatment” to include the management of health care and related services. Under the definition, the provision, coordination, or management of health care or related services may be undertaken by one or more health care providers. “Treatment” includes coordination or management by a health care provider with a third party and consultation between health care providers. The term also includes referral by a health care provider of a patient to another health care provider.

    Treatment refers to activities undertaken on behalf of a single patient, not a population. Activities are considered treatment only if delivered by a health care provider or a health care provider working with another party. Activities of health plans are not considered to be treatment. Many services, such as a refill reminder communication or nursing assistance provided through a telephone service, are considered treatment activities if performed by or on behalf of a health care provider, such as a pharmacist, but are regarded as health care operations if done on behalf of a different type of entity, such as a health plan.

    We delete specific reference to risk assessment, case management, and disease management. Activities often referred to as risk assessment, disease and case management are treatment activities only to the extent that they are services provided to a particular patient by a health care provider; population based analyses or records review for the purposes of treatment protocol development or modification are health care operations, not treatment activities. If a covered entity is licensed as both a health plan and a health care provider, a single activity could be considered to be both treatment and health care operations; for compliance purposes we would consider the purpose of the activity. Given the integration of the health care system we believe that further classification of activities into either treatment or health care operations would not be helpful. See the definition of health care operations for additional discussion.


    HHS Response to Comments Received
    Definitions - Treatment


    Comment: Some commenters advocated for a narrow interpretation of treatment that applies only to the individual who is the subject of the information. Other commenters asserted that treatment should be broadly defined when activities are conducted by health care providers to improve or maintain the health of the patient. A broad interpretation may raise concerns about potential misuse of information, but too limited an interpretation will limit beneficial activities and further contribute to problems in patient compliance and medical errors.

    Response: We find the commenters' arguments for a broad definition of treatment persuasive. Today, health care providers consult with one another, share information about their experience with particular therapies, seek advise about how to handle unique or challenging cases, and engage in a variety of other discussions that help them maintain and improve the quality of care they provide. Quality of care improves when providers exchange information about treatment successes and failures. These activities require sharing of protected health information. We do not intend this rule to interfere with these important activities. We therefore define treatment broadly and allow use and disclosure of protected health information about one individual for the treatment of another individual.

    Under this definition, only health care providers or a health care provider working with a third party can perform treatment activities. In this way, we temper the breadth of the definition by limiting the scope of information sharing. The various codes of professional ethics also help assure that information sharing among providers for treatment purposes will be appropriate.

    We note that poison control centers are health care providers for purposes of this rule. We consider the counseling and follow-up consultations provided by poison control centers with individual providers regarding patient outcomes to be treatment. Therefore, poison control centers and other health care providers can share protected health information about the treatment of an individual without a business associate contract.

    Comment: Many commenters suggested that “treatment” activities should include services provided to both a specific individual and larger patient populations and therefore urged that the definition of treatment specifically allow for such activities, sometimes referred to as “disease management” activities. Some argued that an analysis of an overall population is integral to determining which individuals would benefit from disease management services. Thus, an analysis of health care claims for enrolled populations enables proactive contact with those identified individuals to notify them of the availability of services. Certain commenters noted that “disease management” services provided to their patient populations, such as reminders about recommended tests based on nationally accepted clinical guidelines, are integral components of quality health care.

    Response: We do not agree that population based services should be considered treatment activities. The definition of “treatment” is closely linked to the § 160.103 definition of “health care,” which describes care, services and procedures related to the health of an individual. The activities described by “treatment,” therefore, all involve health care providers supplying health care to a particular patient. While many activities beneficial to patients are offered to entire populations or involve examining health information about entire populations, treatment involves health services provided by a health care provider and tailored to the specific needs of an individual patient. Although a population-wide analysis or intervention may prompt a health care provider to offer specific treatment to an individual, we consider the population-based analyses to improve health care or reduce health care costs to be health care operations (see definition of “health care operations,” above).

    Comment: A number of commenters requested clarification about whether prescription drug compliance management programs would be considered “treatment.” One commenter urged HHS to clarify that provision by a pharmacy to a patient of customized prescription drug information about the risks, benefits, and conditions of use of a prescription drug being dispensed is considered a treatment activity. Others asked that the final rule expressly recognize that prescription drug advice provided by a dispensing pharmacist, such as a customized pharmacy letter, is within the scope of treatment.

    Response: The activities that are part of prescription drug compliance management programs were not fully described by these commenters, so we cannot state a general rule regarding whether such activities constitute treatment. We agree that pharmacists' provision of customized prescription drug information and advice about the prescription drug being dispensed is a treatment activity. Pharmacists' provisions of information and counseling about pharmaceuticals to their customers constitute treatment, and we exclude certain communications made in the treatment context from the definition of marketing. (See discussion above.)

    Comment: Some commenters noted the issues and recommendations raised in the Institutes of Medicine report 'To Err Is Human' and the critical need to share information about adverse drug and other medical events, evaluation of the information, and its use to prevent future medical errors. They noted that privacy rules should not be so stringent as to prohibit the sharing of patient data needed to reduce errors and optimize health care outcomes. To bolster the notion that other programs associated with the practice of pharmacy must be considered as integral to the definition of health care and treatment, they reference OBRA '90 (42 U.S.C. 1396r-8) and the minimum required activities for dispensing drugs; they also note that virtually every state Board of Pharmacy adopted regulations imposing OBRA'90 requirements on pharmacies for all patients and not just Medicaid recipients.

    Response: We agree that reducing medical errors is critical, and do not believe that this regulation impairs efforts to reduce medical errors. We define treatment broadly and include quality assessment and improvement activities in the definition of health care operations. Covered pharmacies may conduct such activities, as well as treatment activities appropriate to improve quality and reduce errors. We believe that respect for the privacy rights of individuals and appropriate protection of the confidentiality of their health information are compatible with the goal of reducing medical errors.

    Comment: Some commenters urged us to clarify that health plans do not perform “treatment” activities; some of these were concerned that a different approach in this regulation could cause conflict with state corporate practice of medicine restrictions. Some commenters believed that the proposed definition of treatment crossed into the area of cost containment, which would seem to pertain more directly to payment. They supported a narrower definition that would eliminate any references to third party payors. One commenter argued that the permissible disclosure of protected health information to carry out treatment is too broad for health plans and that health plans that have no responsibility for treatment or care coordination should have no authority to release health information without authorization for treatment purposes.

    Response: We do not consider the activities of third party payors, including health plans, to be “treatment.” Only health care providers, not health plans, conduct “treatment” for purposes of this rule. A health plan may, however, disclose protected health information without consent or authorization for treatment purposes if that disclosure is made to a provider. Health plans may have information the provider needs, for example information from other providers or information about the patient's treatment history, to develop an appropriate plan of care.

    Comment: We received many comments relating to “disease management” programs and whether activities described as disease management should be included in the definition of treatment. One group of commenters supported the proposed definition of treatment that includes disease management. One commenter offered the position that disease management services are more closely aligned with treatment because they involve the coordination of treatment whereas health care operations are more akin to financial and ministerial functions of plans.

    Some recommended that the definition of treatment be limited to direct treatment of individual patients and not allow for sharing of information for administrative or other programmatic reasons. They believed that allowing disclosures for disease management opens a loophole for certain uses and disclosures, such as marketing, that should only be permitted with authorization. Others recommended that the definition of disease management be restricted to prevent unauthorized use of individual health records to target individuals in a health plan or occupational health program. Many asked that the definition of disease management be clarified to identify those functions that, although some might consider them to be subsumed by the term, are not permitted under this regulation without authorization, such as marketing and disclosures of protected health information to employers. They suggested that disease management may describe desirable activities, but is subject to abuse and therefore should be restricted and controlled. One commenter recommends that we adopt a portion of the definition adopted by the Disease Management Association of America in October 1999.

    On the other hand, many comments urged that disease management be part of the “treatment” definition or the “health care operations” definition and asked that specific activities be included in a description of the term. They viewed disease management as important element of comprehensive health care services and cost management efforts. They recommended that the definition of disease management include services directed at an entire population and not just individual care, in order to identify individuals who would benefit from services based on accepted clinical guidelines. They recommended that disease management be included under health care operations and include population level services. A commenter asserted that limiting disease management programs to the definition of treatment ignores that these programs extend beyond providers, especially since NCQA accreditation standards strongly encourage plans and insurers to provide these services.

    Response: Disease management appeared to represent different activities to different commenters. Our review of the literature, industry materials, state and federal statutes, , and discussions with physician groups, health plan groups and disease management associations confirm that a consensus definition from the field has not yet evolved, although efforts are underway. Therefore, rather than rely on this label, we delete “disease management” from the treatment definition and instead include the functions often discussed as disease management activities in this definition or in the definition of health care operations and modify both definitions to address the commenters' concerns.

    We add population-based activities to improve health care or reduce health care costs to the definition of health care operations. Outreach programs as described by the commenter may be considered either health care operations or treatment, depending on whether population-wide or patient-specific activities occur, and if patient-specific, whether the individualized communication with a patient occurs on behalf of health care provider or a health plan. For example, a call placed by a nurse in a doctor's office to a patient to discuss follow-up care is a treatment activity. The same activity performed by a nurse working for a health plan would be a health care operation. In both cases, the database analysis that created a list of patients that would benefit from the intervention would be a health care operation. Use or disclosure of protected health information to provide education materials to patients may similarly be either treatment or operations, depending on the circumstances and on who is sending the materials. We cannot say in the abstract whether any such activities constitute marketing under this rule. See §§ 164.501 and 164.514 for details on what communications are marketing and when the authorization of the individual may be required.

    Comment: Many commenters were concerned that the definition of treatment would not permit Third Party Administrators (TPAs) to be involved with disease management programs without obtaining authorization. They asserted that while the proposed definition of treatment included disease management conducted by health care providers it did not recognize the role of employers and TPAs in the current disease management process.

    Response:. Covered entities disclose protected health information to other persons, including TPAs, that they hire to perform services for them or on their behalf. If a covered entity hires a TPA to perform the disease management activities included in the rule's definitions of treatment and health care operations that disclosure will not require authorization. The relationship between the covered entity and the TPA may be subject to the business associate requirements of §§ 164.502 and 164.504. Disclosures by covered entities to plan sponsors, including employers, for the purpose of plan administration are addressed in § 164.504.

    Comment: Commenters suggested that as disease management is defined only as an element of treatment, it could only be carried out by health care providers, and not health plans. They opposed this approach because health plans also conduct such programs, and are indeed required to do it by accreditation standards and HCFA Managed Care Organization standards.

    Response: We agree that the placement of disease management in the proposed definition of treatment suggested that health plans could not conduct such programs. We revise the final rule to clarify that health plans may conduct population based care management programs as a health care operation activity.

    Comment: Some commenters stated that the rule should require that disease management only be done with the approval of the treating physician or at least with the knowledge of the physician.

    Response: We disagree with this comment because we do not believe that this privacy rule is an appropriate venue for setting policies regarding the management of health care costs or treatment.

    Comment: Some industry groups stated that if an activity involves selling products, it is not disease management. They asked for a definition that differentiates use of information for the best interests of patient from uses undertaken for "ulterior purposes" such as advertising, marketing, or promoting separate products.

    Response: We eliminate the definition of 'disease management' from the rule. Often however, treatment decisions involve discussing the relevant advantages and disadvantages if products and services. Health plans, as part of payment and operations, sometimes communicate with individuals about particular products and services. We address these distinctions in the definitions of marketing and “health care operations” in § 164.501, and in the requirements for use and disclosure of protected health information for marketing in § 164.514.

    Comment: Some health care providers noted that there is a danger that employers will "force" individual employees with targeted conditions into self-care or compliance programs in ways that violate both the employee's privacy interest and his or her right to control own medical care.

    Response: Employers are not covered entities under HIPAA, so we cannot prohibit them under this rule from undertaking these or other activities with respect to health information. In § 164.504 we limit disclosure of health information from group health plans to the employers sponsoring the plans. However, other federal and/or state laws, such as disability nondiscrimination laws, may govern the rights of employees under such circumstances.

    Comment: Many commenters urged that disease management only be allowed with the written consent of the individual. Others also desired consent but suggested that an opt-out would be sufficient. Other commenters complained that the absence of a definition for disease management created uncertainty in view of the proposed rule's requirement to get authorization for marketing. They were concerned that the effect would be to require patient consent for many activities that are desirable, not practicably done if authorization is required, and otherwise classifiable as treatment, payment, or health care operations. Examples provided include reminders for appointments, reminders to get preventive services like mammograms, and information about home management of chronic illnesses.

    Response: We agree with the commenters who stated that the requirement for specific authorization for certain activities considered part of disease management could impede the ability of health plans and covered providers to implement effective health care management and cost containment programs. In addition, this approach would require us to distinguish activities undertaken as part of a formal disease management program from the same activities undertaken outside the context of disease management program. For example, we see no clear benefit to privacy in requiring written authorization before a physician may call a patient to discuss treatment options in all cases, nor do we see a sound basis for requiring it only when the physician was following a formal protocol as part of a population based intervention. We also are not persuaded that the risk to privacy for these activities warrants a higher degree of protection than do other payment, health care operations or treatment activities for which specific authorization was not suggested by commenters.

    Comment: A few commenters asked that we clarify that disclosure of protected health information about a prospective patient to a health care provider (e.g., a possible admission to an assisted living facility from a nursing facility) is a treatment activity that does not require authorization.

    Response: We agree that the described activity is “treatment,” because it constitutes referral and coordination of health care.

    Comment: Comments called for the removal of “other services” from the definition.

    Response: We disagree with the concept that only health care services are appropriately included in the treatment definition. We have modified this definition to instead include “the provision, coordination, or management of health care and related services.” This definition allows health care providers to offer or coordinate social, rehabilitative, or other services that are associated with the provision of health care. Our use of the term “related” prevents “treatment” from applying to the provision of services unrelated to health care.

    Comment: Several commenters stated that the definition of treatment should include organ and tissue recovery activities. They asserted that the information exchanged and collected to request consent, evaluate medical information about a potential donor and perform organ recoveries relates to treatment and are not administrative activities. When hospitals place a patient on the UNOS list it is transferring individually identifiable health information. Also, when an organ procurement organization registers a donor with UNOS it could be disclosing protected health information. Commenters questioned whether these activities would be administrative or constitute treatment.

    Response: In the proposed rule we included in the definition of “health care” activities related to the procurement or organs, blood, eyes and other tissues. This final rule deletes those activities from the definition of “health care.” We do so because, while organ and tissue procurement organizations are integral components of the health care system, we do not believe that the testing, procurement, and other procedures they undertake describe “health care” offered to the donors of the tissues or organs themselves. See the discussion under the definition of “health care” in § 160.103.

    Comment: Some commenters recommended including health promotion activities in the definition of health care.

    Response: We consider health promotion activities to be preventive care, and thus within the definition of health care. In addition, such activities that are population based are included in the definition of health care operations.

    Comment: We received a range of comments regarding the proper placement of case and disease management in the definitions and the perceived overlap between health care operations and treatment. Some consider that these activities are a function of improving quality and controlling costs. Thus, they recommend that the Secretary move risk assessment, case and disease management to the definition of health care operations.

    Response: In response to these comments, we remove these terms from the definition of treatment and add case management to the definition of health care operations. We explain our treatment of disease management in responses to comments above. Whether an activity described as disease or case management falls under treatment or health care operations would depend in part on whether the activity is focused on a particular individual or a population. A single program described as a “case management” effort may include both health care operations activities (e.g., records analysis, protocol development, general risk assessment) and treatment activities (e.g., particular services provided to or coordinated for an individual, even if applying a standardized treatment protocol).

    Comment: We received comments that argued for the inclusion of “disability management” in the treatment definition. They explained that through disability management, health care providers refer and coordinate medical management and they require contemporaneous exchange of an employee's specific medical data for the provider to properly manage.

    Response: To the extent that a covered provider is coordinating health care services, the provider is providing treatment. We do not include the term “disability management” because the scope of the activities covered by that term is not clear. In addition, the commenters did not provide enough information for us to make a fact-based determination of how this rule applies to the uses and disclosures of protected health information that are made in a particular “disability management” program.