    HIPAA Privacy Regulations: Uses and Disclosures to Carry Out Treatment, Payment or Health Care Operations - § 164.506(c)

    As Contained in the HHS HIPAA Privacy Rules

    HHS Guidance: Uses and Disclosures For Treatment, Payment and Health Care Operations

     

    HHS Regulations as Amended January 2013
    Uses and Disclosures to Carry Out Treatment, Payment or Health Care Operations - § 164.506(c)

     

    (c) Implementation specifications: Treatment, payment, or health care operations. (1) A covered entity may use or disclose protected health information for its own treatment, payment, or health care operations.

    (2) A covered entity may disclose protected health information for treatment activities of a health care provider.

    (3) A covered entity may disclose protected health information to another covered entity or a health care provider for the payment activities of the entity that receives the information.

    (4) A covered entity may disclose protected health information to another covered entity for health care operations activities of the entity that receives the information, if each entity either has or had a relationship with the individual who is the subject of the protected health information being requested, the protected health information pertains to such relationship, and the disclosure is:

    (i) For a purpose listed in paragraph (1) or (2) of the definition of health care operations; or

    (ii) For the purpose of health care fraud and abuse detection or compliance.

    (5) A covered entity that participates in an organized health care arrangement may disclose protected health information about an individual to other participants in the organized health care arrangement for any health care operations activities of the organized health care arrangement.

     

    HHS Description and Commentary From the January 2013 Amendments
    Uses and Disclosures to Carry Out Treatment, Payment or Health Care Operations

     

    Section 164.506(c)(5) permits a covered entity to disclose protected health information “to another covered entity that participates in the organized health care arrangement.” We proposed to change the words “another covered entity that participates” to “other participants” because not all participants in an organized health care arrangement may be covered entities; for example, some physicians with staff privileges at a hospital may not be covered entities.

    Overview of Public Comments

    One commenter requested clarification about whether business associates may participate in an organized health care arrangement (OHCA) under § 164.506(c)(5).

    Another commenter recommended against changing the language of § 164.506(c)(5), arguing that such a change could bring entities like employers and pharmaceutical companies into OHCAs that should not otherwise have access to protected health information, and suggested that the Department change the language to make clear that an OHCA may include only professional staff members.

    Final Rule

    The final rule implements the technical, conforming, and clarifying changes as proposed. In response to the comments regarding which entities may participate in an OHCA, we clarify that a covered entity participating in an OHCA or the OHCA itself may contract with a business associate to provide certain functions, activities, or services on its behalf that involve access to protected health information, provided the applicable requirements of §§ 164.502(e), 164.504(e), 164.308(b) and 164.314(a) are met. Further, the definition of an organized health care arrangement (OHCA) at § 160.103 includes a clinically integrated care setting in which individuals typically receive health care from more than one health care provider. We modified § 164.506(c)(5) as discussed above in recognition of the fact that not all participants in a clinically integrated care setting may be covered entities (e.g., hospital with physicians with staff privileges that are not workforce members). Such change does not permit employers and pharmaceutical representatives to receive access to protected health information from or through an OHCA in a manner they would otherwise be prohibited from now.

     

    HHS Description From the August 2002 Revisions
    Uses and Disclosures to Carry Out Treatment, Payment or Health Care Operations

     

    December 2000 Privacy Rule. The Privacy Rule permits a covered entity to use and disclose protected health information for treatment, payment, or health care operations. For treatment purposes, the Rule generally allows protected health information to be shared without restriction. The definition of “treatment” incorporates the necessary interaction of more than one entity. In particular, the definition of “treatment” includes the coordination and management of health care among health care providers or by a health care provider with a third party, consultations between health care providers, and referrals of a patient for health care from one health care provider to another. As a result, covered entities are permitted to disclose protected health information for treatment purposes regardless of to whom the disclosure is made, as well as to disclose protected health information for the treatment activities of another health care provider.

    However, for payment and health care operations, the Privacy Rule, as published in December 2000, generally limited a covered entity’s uses and disclosures of protected health information to those that were necessary for its own payment and health care operations activities. This limitation was explicitly stated in the December 2000 preamble discussions of the definitions of “payment” and “health care operations.” 65 FR 82490, 82495. The Privacy Rule also provided that a covered entity must obtain authorization to disclose protected health information for the payment or health care operations of another entity. The Department intended these requirements to be consistent with individuals’ privacy expectations. See 45 CFR §§ 164.506(a)(5) and 164.508(e).

    March 2002 NPRM. Since the publication of the December 2000 Rule, a number of commenters raised specific concerns with the restriction that a covered entity may not disclose protected health information for another entity’s payment and health care operations activities, absent an authorization. These commenters presented a number of examples where such a restriction would impede the ability of certain entities to obtain reimbursement for health care, to conduct certain quality assurance or improvement activities, such as accreditation, or to monitor fraud and abuse.

    With regard to payment, for example, the Department heard concerns of ambulance service providers who explained that they normally receive the information they need to obtain payment for their treatment services from the hospital emergency departments to which they transport their patients. They explained that it is usually not possible for the ambulance service provider to obtain such information directly from the individual, nor is it always practicable or feasible for the hospital to obtain the individual’s authorization to provide payment information to the ambulance service provider. This disclosure of protected health information from the hospital to the ambulance service provider was not permitted under the December 2000 Privacy Rule without an authorization from the patient, because it was a disclosure by the hospital for the payment activities of the ambulance service provider.

    Commenters also were concerned about situations in which covered entities outsource their billing, claims, and reimbursement functions to accounts receivable management companies. These collectors often attempt to recover payments from a patient on behalf of multiple health care providers. Commenters were concerned that the Privacy Rule would prevent these collectors, as business associates of multiple providers, from using a patient’s demographic information received from one provider to facilitate collection for another provider’s payment.

    With regard to health care operations, the Department also received comments about the difficulty that the Privacy Rule would place on health plans trying to obtain information needed for quality assessment activities. Health plans informed the Department that they need to obtain individually identifiable health information from health care providers for the plans’ quality-related activities, accreditation, and performance measures, such as Health Plan Employer Data and Information Set (HEDIS). Commenters explained that the information provided to plans for payment purposes (e.g., claims or encounter information) may not be sufficient for quality assessment or accreditation purposes.

    The NCVHS, in response to public testimony on this issue at its August 2001 hearing, also recommended that the Department amend the Privacy Rule to allow for uses and disclosures for quality-related activities among covered entities, without the individual’s written authorization.

    Based on these concerns, the Department proposed to modify § 164.506 to permit a covered entity to disclose protected health information for the payment activities of another covered entity or any health care provider, and also for certain types of health care operations of another covered entity. The proposal would broaden the uses and disclosures that are permitted without authorization as part of treatment, payment, and health care operations so as not to interfere inappropriately with access to quality and effective health care, while limiting this expansion in order to continue to protect the privacy expectations of the individual.

    Specifically, the Department proposed the following. First, the Department proposed to add to § 164.506(c)(1) language stating that a covered entity may use or disclose protected health information for its own treatment, payment, or health care operations without prior permission.

    Second, the Department proposed to include language in § 164.506(c)(2) to clarify its intent that a covered entity may share protected health information for the treatment activities of another health care provider. For example, a primary care provider who is a covered entity under the Privacy Rule may send a copy of an individual’s medical record to a specialist who needs the information to treat the same individual, whether or not that specialist is also a covered entity. No authorization would be required.

    Third, the Department proposed to include language in § 164.506(c)(3) to permit a covered entity to disclose protected health information to another covered entity or any health care provider for the payment activities of that entity. The Department recognized that not all health care providers who need protected health information to obtain payment are covered entities, and, therefore, proposed to allow disclosures of protected health information to both covered and non-covered health care providers. In addition, the Department proposed a conforming change to delete the word “covered” in paragraph (1)(ii) of the definition of “payment,” to permit disclosures to non-covered providers for their payment activities.

    The Department also proposed to limit disclosures under this provision to those health plans that are covered by the Privacy Rule. However, the Department solicited comment on whether plans that are not covered by the Privacy Rule would be able to obtain the protected health information that they need for payment purposes.

    Fourth, in § 164.506(c)(4), the Department proposed to permit a covered entity to disclose protected health information about an individual to another covered entity for specified health care operations purposes of the covered entity that receives the information, provided that both entities have a relationship with the individual. This proposed expansion was limited in a number of ways. The proposal would permit such disclosures only for the activities described in paragraphs (1) and (2) of the definition of “health care operations,” as well as for health care fraud and abuse detection and compliance programs (as provided for in paragraph (4) of the definition of “health care operations”). The activities that fall into paragraphs (1) and (2) of the definition of “health care operations” include quality assessment and improvement activities, population-based activities relating to improving health or reducing health care costs, case management, conducting training programs, and accreditation, certification, licensing, or credentialing activities. The Department proposed this limitation because it recognized that “health care operations” is a broad term and that individuals are less aware of the business-related activities that are part of health care operations than they are of treatment- or payment-related activities. In addition, many commenters and the NCVHS focused their comments on covered entities’ needs to share protected health information for quality-related health care operations activities. The proposed provision was intended to allow information to flow from one covered entity to another for activities important to providing quality and effective health care.

    The proposal would have applied only to disclosures of protected health information to other covered entities. By limiting such disclosures to those entities that are required to comply with the Privacy Rule, the Department intended to ensure that the protected health information remained protected. The Department believed that this would create the appropriate balance between meeting an individual’s privacy expectations and meeting a covered entity’s need for information for quality-related health care operations.

    Further, such disclosures would be permitted only to the extent that each entity has, or had, a relationship with the individual who is the subject of the information being disclosed. Where the relationship between the individual and the covered entity has ended, a disclosure of protected health information about the individual would be allowed only if related to the past relationship. The Department believed that this limitation would be necessary in order to further protect the privacy expectations of the individual.

    The proposal made clear that these provisions would not eliminate a covered entity’s responsibility to apply the Privacy Rule’s minimum necessary provisions to both the disclosure of and request for protected health information for payment and health care operations purposes. In addition, the proposal strongly encouraged the use of de-identified information, wherever feasible.

    While the Department stated that it believed it had struck the right balance with respect to the proposed modification for disclosures for health care operations, the Department was aware that the proposal could pose barriers to disclosures for quality-related health care operations to health plans and health care providers that are not covered entities, or to entities that do not have a relationship with the individual. Therefore, the preamble referred commenters to the Department’s request for comment on an approach that would permit for any health care operations purposes the disclosure of protected health information that does not contain direct identifiers, subject to a data use or similar agreement.

    In addition, related to the above modifications and in response to comments evidencing confusion on this matter, the Department also proposed to clarify that covered entities participating in an organized health care arrangement (OHCA) may share protected health information for the health care operations of the OHCA (§ 164.506(c)(5)). The Department also proposed to remove the language regarding OHCAs from the definition of “health care operations” as unnecessary because such language now would appear in § 164.506(c)(5).

     

    HHS Explanation From the Original Rulemaking
    Uses and Disclosures to Carry Out Treatment, Payment or Health Care Operations

     

    In this final Rule, the Department adopts its proposal to allow covered entities to disclose protected health information for the treatment, payment, and certain health care operations purposes of another entity. Specifically, the final Rule at § 164.506(c):

    1. States that a covered entity may use or disclose protected health information for its own treatment, payment, or health care operations.

    2. Clarifies that a covered entity may use or disclose protected health information for the treatment activities of any health care provider.

    3. Permits a covered entity to disclose protected health information to another covered entity or any health care provider for the payment activities of the entity that receives the information.

    4. Permits a covered entity to disclose protected health information to another covered entity for the health care operations activities of the entity that receives the information, if each entity either has or had a relationship with the individual who is the subject of the information, the protected health information pertains to such relationship, and the disclosure is:

      i. For a purpose listed in paragraphs (1) or (2) of the definition of “health care operations,” which includes quality assessment and improvement activities, population-based activities relating to improving health or reducing health care costs, case management and care coordination, conducting training programs, and accreditation, licensing, or credentialing activities; or

      ii. For the purpose of health care fraud and abuse detection or compliance.

    5. Clarifies that a covered entity that participates in an organized health care arrangement may disclose protected health information about an individual to another covered entity that participates in the organized health care arrangement for any health care operations activities of the organized health care arrangement.

    Based on the comments received, the Department believes that the above provisions strike the appropriate balance between meeting an individual’s privacy expectations and meeting a covered entity’s need for information for reimbursement and quality purposes. The Department also clarifies that disclosures pursuant to the above provisions may be made to or by a business associate of a covered entity.

    In § 164.506(c)(2), in response to a comment, the Department deletes the word “another” before “health care provider” to eliminate any implication that the disclosing entity must also be a health care provider.

    With respect to payment, the majority of commenters were supportive of the Department’s proposal. In response to those commenters who expressed support for the proposal because it would facilitate coordination of benefits, the Department clarifies that the definition of “payment” in the Privacy Rule allows for uses and disclosures necessary for coordination of benefits. The new language may, however, reinforce that uses and disclosures for such purposes are permitted under the Rule.

    The Department does not believe, as suggested by one commenter, that a targeted approach, one that would address only the problems raised by the ambulance providers and collection agencies, is a practical solution to these problems. The Department believes that these problems may apply in other situations. For example, an indirect treatment provider, such as a pathologist, may need to obtain health coverage information about an individual for billing purposes from the hospital to which the pathologist provided services. If the Department addressed only these discrete scenarios in this final modification, each additional similar problem that arises would require another rulemaking, which would, in and of itself, create a problem because the Department can change a standard only once per year. In addition, by creating special rules to address multiple, distinct circumstances, the Department would have created a substantially more complicated policy for covered entities to follow and implement.

    The suggestion that the Department require a covered entity to obtain assurances from non-covered providers, prior to disclosure of protected health information for payment purposes, that the recipient will not use protected health information for any other purpose or disclose it to others, similarly would add a layer of complexity to payment disclosures. Such a requirement would encumber these communications and may interfere with the ability of non-covered health care providers to be paid for treatment they have provided. Moreover, the Privacy Rule requires a covered entity to apply the minimum necessary standard to disclosures for a non-covered provider’s payment purposes. Thus, a non-covered provider will receive only the minimum information reasonably necessary for such purposes. Accordingly, the Department believes the final Rule appropriately and practically addresses the issue.

    In response to the comment that the proposal may impede disclosures to reinsurers who are not covered entities, the Department clarifies that disclosures to obtain payment under a contract for reinsurance explicitly are permitted as part of the definition of “payment,” regardless of whether the reinsurer is a covered entity. Similarly, disclosures for the purposes of ceding, securing, or placing a contract for reinsurance of risk relating to claims for health care are explicitly permitted as part of the definition of “health care operations,” also without regard to whether the reinsurer is a covered entity. See the definitions of “payment” and “health care operations” in § 164.501.

    With respect to disclosures for the health care operations of another covered entity, the Department continues to believe that the condition that both entities have a relationship with the individual is appropriate to balance an individual’s privacy expectations with a covered entity’s need for the information. The Department clarifies that a covered entity, prior to making a disclosure allowed under this requirement, is permitted to communicate with another covered entity as necessary to determine if this condition has been met. Additionally, in response to comments, the Department adds language to § 164.506(c)(4) to make clear that the condition that both covered entities have a relationship with the individual is not limited to a current relationship. Where the relationship between the covered entity and the individual has ended, a disclosure of protected health information about the individual is permitted to the extent the disclosure is related to the past relationship. For example, the final Rule would permit a health care provider to disclose protected health information to a health plan for HEDIS purposes, even if the individual no longer was covered by the health plan, provided that the period for which information is needed overlaps with the period for which the individual was enrolled in the health plan.

    In response to commenters who were concerned that this condition would impede certain health care operations activities where the covered entity may not have a relationship with the individual, the Department notes that the new limited data set provisions in § 164.514(e) are intended to provide a mechanism for disclosures of protected health information for quality and other health care operations where the covered entity requesting the information does not have a relationship with the individual. Under those provisions, the final modifications permit a covered entity to disclose protected health information, with direct identifiers removed, for any health care operations activities of the entity requesting the information, subject to a data use agreement. Additionally, as clarified by § 164.506(c)(5), covered entities that participate in an OHCA may share protected health information for the health care operations of the OHCA, without the condition that each covered entity have a relationship with the individual who is the subject of the information. The Department believes that such provisions provide adequate avenues for covered entities to obtain the information they need for health care operations activities, without eliminating appropriate privacy protections and conditions on such disclosures.

    The Department also was not persuaded by the comments that the proposal should be broadened to allow disclosures for other types of health care operations activities, such as resolution of internal grievances, customer service, or medical review or auditing activities. The Department believes that the provisions at § 164.506(c)(5), which permit covered entities that participate in an OHCA to share information for any health care operations activities of the OHCA, adequately provide for such disclosures. For example, a health plan and the health care providers in its network that participate as part of the same OHCA are permitted to share information for any of the activities listed in the definition of “health care operations.” The Department understands the need for entities participating in these joint arrangements to have shared access to information for health care operations purposes and intended the OHCA provisions to provide for such access. Where such a joint arrangement does not exist and fully identifiable health information is needed, one covered entity may disclose protected health information for another covered entity’s health care operations pursuant to an individual’s authorization as required by § 164.508. In addition, as described above, a covered entity also may disclose protected health information as part of a limited data set, with direct identifiers removed, for such purposes, as permitted by § 164.514(e).

    With respect to underwriting and premium rating, a few commenters raised similar concerns that the Department’s proposal to expand the disclosures permitted under health care operations would not allow for the disclosures between a health insurance issuer and a group health plan, or the agent or broker as a business associate of the plan, needed to perform functions related to supplementing or replacing insurance coverage, such as to solicit bids from prospective issuers. The Department clarifies that, if more than summary health information is needed for this purpose, paragraphs (3), (4), and (5) of the definition of “organized health care arrangement” may permit the disclosure. These provisions define the arrangements between group health plans and their health insurance issuers or HMOs as OHCAs, which are permitted to share information for each other’s health care operations. Such disclosures also may be made to a broker or agent that is a business associate of the health plan. The Department clarifies that the OHCA provisions also permit the sharing of protected health information between such entities even when they no longer have a current relationship, that is, when a group health plan needs protected health information from a former issuer. The Department, therefore, does not believe that a broadening of the provisions under § 164.506(c)(4), to allow disclosures of protected health information for other types of health care operations activities, is warranted.

    The final Rule also adopts the condition proposed in the NPRM that disclosures for these health care operations may be made only to another covered entity. The Department continues to consider such a condition necessary to appropriately balance an individual’s privacy interests with entities’ needs for the information. The Department was not convinced by the commenters who urged that this condition needed to be eliminated to allow for disclosures to non-covered health care providers or third parties. The Department believes that permitting disclosures of protected health information to a non-covered provider for that provider’s treatment and payment purposes is warranted and appropriate so as not to impede such core activities. However, given that an individual’s health information will no longer be protected when it is disclosed to a non-covered provider, the Department does not consider disclosures for a non-covered provider’s health care operations to warrant similar consideration under the Rule. Moreover, this final Rule at § 164.514(e) permits a covered entity to disclose a limited data set, with direct identifiers removed, to a non-covered provider for any of the provider’s health care operations purposes, without individual authorization.

    Also, the Department believes that expanding the provision to allow disclosures to a third party for any of the third party’s business operations would severely weaken the Privacy Rule and essentially negate the need for individual authorization. With respect to those commenters who urged the Department to permit disclosures to non-health care components of a hybrid entity or to an affiliated entity for the purposes of investigating fraud and abuse, the Department’s position is that disclosures to a non-health care component within a hybrid entity or to a non-covered affiliated entity present the same privacy risks as do disclosures to a non-covered entity. The Privacy Rule, therefore, permits such disclosures only to the same extent the disclosures are permitted to a separate entity. This policy is further explained in section III.C.1. regarding hybrid entities.

    Lastly, the Department believes that the final Rule does in fact implement a targeted solution to the problems previously identified by commenters, by allowing disclosures for only quality-related and fraud and abuse activities.

    The Department does not believe further limiting such disclosures to only certain activities within paragraphs (1) and (2) of the definition of “health care operations” is practical or appropriate. The Department is aware of the important role that these quality-related activities play in ensuring that individuals have access to quality health care. Covered entities have a legitimate need for protected health information in order to conduct these quality activities, regardless of whether such information is used for HEDIS purposes or for training.

    Moreover, as described above, the final Rule retains a number of conditions on such disclosures that serve to protect an individual’s privacy interests and expectations. In addition, the Privacy Rule requires that the minimum necessary standard be applied to both covered entities’ requests for and disclosures of protected health information for such purposes.

     

    HHS Response to Comments Received - Published With the August 2002 Revisions
    Uses and Disclosures to Carry Out Treatment, Payment or Health Care Operations

     

    Overview of Public Comments. The following discussion provides an overview of the public comment received on this proposal. Additional comments received on this issue are discussed below in the section entitled, “Response to Other Public Comments.”

    The Department received a number of comments on its proposal to permit a covered entity to disclose protected health information for the payment and health care operations activities of other entities.

    Most of the commenters who addressed the Department’s proposed clarification regarding treatment expressed support for the clarification. Also, the majority of commenters supported, either wholly or in part, the Department’s proposal to expand the payment and health care operations disclosures that would be permitted.

    Most commenters generally were supportive of the Department’s proposed approach regarding disclosures for payment. A number of commenters stated that the proposed expansion is important to facilitate coordination of benefits for many patients who have multiple sources of payment for prescription drugs. One commenter, however, requested that the Department narrow its proposed language to address only those problems specifically described in the preamble, that is, payment issues faced by ambulance providers and collection agencies that are business associates of multiple health care providers. This commenter stated that, at the very least, covered entities should be required to obtain assurances from non-covered providers, prior to disclosure of protected health information, that the recipient will not use protected health information for any other purpose or disclose it to others. Another commenter remarked that the proposal to limit disclosures only to another covered entity or any health care provider may impede disclosures to reinsurers that are not covered entities.

    While most commenters supported expanding disclosures for health care operations, many requested that the Department modify the proposal in a number of ways. For example, a number of health plans and others requested that the Department eliminate the condition that both covered entities have a relationship with the individual. Some of these commenters explained that such a restriction would impede some fraud and abuse activities, credentialing investigations, and quality assurance research and outcome studies. Some commenters asked that the Department clarify that the condition that both covered entities have a relationship with the individual would not be limited to a current relationship, but also would include a past relationship with the individual.

    In addition, many commenters requested that the Department expand the proposed provision to allow for disclosures for any type of health care operation of another covered entity, or at least additional activities beyond those specified in the proposal. Some health plans commented that they may need information from a health care provider in order for the health plan to resolve member or internal grievances, provide customer service, arrange for legal services, or conduct medical review or auditing activities. A number of commenters requested that the proposal be expanded to allow for disclosures for another covered entity’s underwriting or premium rating.

    Some commenters also requested that the Department expand the provision to allow for disclosures to non-covered entities. In particular, a number of these commenters urged that the Department allow disclosures to non-covered insurers for fraud and abuse purposes. Some of these commenters specifically requested that the Department allow for disclosures to affiliated entities or non-health care components of the covered entity for purposes of investigating fraud and abuse. A few commenters requested that the Rule allow for disclosures to a non-covered health care provider for that provider’s operations. For example, it was explained that an independent emergency services provider, who is not a covered entity and who often asks for outcome information on patients it has treated and transported to a facility because it wants to improve care, would be unable to obtain such information absent the individual’s authorization.

    Some commenters were generally opposed to the proposed expansion of the disclosures permitted under the Rule for health care operations purposes, viewing the proposal as a weakening of the Privacy Rule. One of these commenters urged the Department to implement a targeted solution allowing disclosures for only those activities specifically identified as problematic in the preamble, instead of allowing disclosures for all activities that fall within certain paragraphs within the definition of “health care operations.”

    Response to Other Public Comments.

    Comment: One commenter urged that the Department permit disclosures among participants in an OHCA only when their privacy notices (or any joint notice they issue) informs individuals of this possibility.

    Response: The Privacy Rule requires the joint notice of an OHCA to reflect the fact that the notice covers more than one covered entity and that, if applicable, the covered entities participating in the OHCA will share protected health information with each other, as necessary to carry out treatment, payment, or health care operations relating to the OHCA. See § 164.520(d). Where the participants of an OHCA choose to have separate notices, such notices must reflect and describe in sufficient detail the particular uses and disclosures that each covered entity may make to place the individual on notice. This detail should include disclosures to other members of an OHCA, where appropriate.

    Comment: Another commenter requested clarification as to whether a covered entity (such as an HMO) is permitted to disclose protected health information for payment and health care operations both to the group health plan and to the plan’s third party administrator or plan sponsor. The commenter stated that it was not clear from the proposal whether a covered entity could share protected health information directly with another covered entity’s business associate.

    Response: The Department clarifies that, if the Rule permits a covered entity to share protected health information with another covered entity, the covered entity is permitted to disclose protected health information directly to a business associate acting on behalf of that other covered entity. This is true with respect to all of the Rule’s provisions. Also, an HMO may disclose protected health information to a group health plan, or a third party administrator that is a business associate of the plan, because the relationship between the HMO and the group health plan is defined as an OHCA for purposes of the Rule. See § 164.501, definition of “organized health care arrangement.” The group health plan (or the HMO with respect to the group health plan) may disclose protected health information to a plan sponsor in accordance with § 164.504(f).

    Comment: Several commenters requested that the Department expand the definition of “payment” to include disclosures to a responsible party. Additionally, these commenters urged that the Department permit covered entities (and their business associates) to use and disclose protected health information as permitted by other law, rather than only as required by law. These commenters were concerned that the Privacy Rule would impede the ability of first-party billing companies, collection agencies, and accounts receivable management companies to continue to bill and communicate, on behalf of a health care provider, with the responsible party on an account when that person is different from the individual to whom health care services were provided; report outstanding receivables owed by the responsible party on an account to a credit reporting agency; and perform collection litigation services.

    Response: The Department does not believe a modification to the definition of “payment” is necessary. The Privacy Rule permits a covered entity, or a business associate acting on behalf of a covered entity (e.g., a collection agency), to disclose protected health information as necessary to obtain payment for health care, and does not limit to whom such a disclosure may be made. See the definition of “payment” in § 164.501. Therefore, a collection agency, as a business associate of a covered entity, is permitted to contact persons other than the individual to whom health care is provided as necessary to obtain payment for such services.

    Regarding the commenters’ concerns about collection or payment activities otherwise permitted by law, the Department clarifies that the Privacy Rule permits covered entities to use and disclose protected health information as required by other law, or as permitted by other law provided that such use or disclosure does not conflict with the Privacy Rule. For example, the Privacy Rule permits a collection agency, as a business associate of a covered health care provider, to use and disclose protected health information as necessary to obtain reimbursement for health care services, which could include disclosures of certain protected health information to a credit reporting agency, or as part of collection litigation. See the definition of “payment” in § 164.501.

    The Department notes, however, that a covered entity, and its business associate through its contract, is required to reasonably limit the amount of information disclosed for such purposes to the minimum necessary, where applicable, as well as abide by any reasonable requests for confidential communications and any agreed-to restrictions as required by the Privacy Rule.

    Comment: One commenter asked that the Department clarify that disclosure by an eye doctor to confirm a contact prescription received by a mail-order contact company is treatment.

    Response: The Department agrees that disclosure of protected health information by an eye doctor to a distributor of contact lenses for the purpose of confirming a contact lens prescription is treatment and is permissible under § 164.506. In relevant part, treatment is defined by the Privacy Rule as “the provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party . . .” Health care is defined, in part, as “care, services, or supplies related to the health of an individual. Health care includes . . . Sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription.” Therefore, the dispensing of contact lenses based on a prescription is health care and the disclosure of protected health information by a provider to confirm a prescription falls within the provision, coordination, or management of health care and related services and is a treatment activity.