Industries & Practices

Health Care Industry

    Back

    HIPAA Privacy Regulations: Rights to Request Privacy Protection: Confidential Communications - § 164.522(b)

    As Contained in the HHS HIPAA Privacy Rules

     

    HHS Regulations
    Rights to Request Privacy Protection: Confidential Communications - § 164.522(b)

     

    (b)(1) Standard: Confidential communications requirements. (i) A covered health care provider must permit individuals to request and must accommodate reasonable requests by individuals to receive communications of protected health information from the covered health care provider by alternative means or at alternative locations.

    (ii) A health plan must permit individuals to request and must accommodate reasonable requests by individuals to receive communications of protected health information from the health plan by alternative means or at alternative locations, if the individual clearly states that the disclosure of all or part of that information could endanger the individual.

    (2) Implementation specifications: Conditions on providing confidential communications. (i) A covered entity may require the individual to make a request for a confidential communication described in paragraph (b)(1) of this section in writing.

    (ii) A covered entity may condition the provision of a reasonable accommodation on:

    (A) When appropriate, information as to how payment, if any, will be handled; and

    (B) Specification of an alternative address or other method of contact.

    (iii) A covered health care provider may not require an explanation from the individual as to the basis for the request as a condition of providing communications on a confidential basis.

    (iv) A health plan may require that a request contain a statement that disclosure of all or part of the information to which the request pertains could endanger the individual.

     

    HHS Description
    Rights to Request Privacy Protection: Confidential Communications

     

    In the NPRM, we did not directly address the issue of whether an individual could request that a covered entity restrict the manner in which it communicated with the individual. As described above, the NPRM would have provided individuals with the right to request that health care providers restrict uses and disclosures of protected health information for treatment, payment and health care operations, but would not have required providers to agree to such a restriction.

    In the final rule, we require covered entities to permit individuals to request that the covered entity provide confidential communications of protected health information about the individual. The requirement applies to communications from the covered entity to the individual, and also communications from the covered entity that would otherwise be sent to the named insured of an insurance policy that covers the individual as a dependent of the named insured. Individuals may request that the covered entity send such communications by alternative means or at alternative locations. For example, an individual who does not want his or her family members to know about a certain treatment may request that the provider communicate with the individual about that treatment at the individual’s place of employment, by mail to a designated address, or by phone to a designated phone number. Similarly, an individual may request that the provider send communications in a closed envelope rather than a post card, as an “alternative means.” Covered health care providers must accommodate all reasonable requests. Health plans must accommodate all reasonable requests, if the individual clearly states that the disclosure of all or part of the protected health information could endanger the individual. For example, if an individual requests that a health plan send explanations of benefits about particular services to the individual’s work rather than home address because the individual is concerned that a member of the individual’s household (e.g., the named insured) might read the explanation of benefits and become abusive towards the individual, the health plan must accommodate the request.

    The reasonableness of a request made under this paragraph must be determined by a covered entity solely on the basis of the administrative difficulty of complying with the request and as otherwise provided in this section. A covered health care provider or health plan cannot refuse to accommodate a request based on its perception of the merits of the individual’s reason for making the request. A covered health care provider may not require the individual to provide a reason for the request as a condition of accommodating the request. As discussed above, a health plan is not required to accommodate a request unless the individual indicates that the disclosure could endanger the individual. If the individual indicates such endangerment, however, the covered entity cannot further consider the individual’s reason for making the request in determining whether it must accommodate the request.

    A covered health care provider or health plan may refuse to accommodate a request, however, if the individual has not provided information as to how payment, if applicable, will be handled, or if the individual has not specified an alternative address or method of contact.

     

    HHS Response to Comments Received
    Rights to Request Privacy Protection: Confidential Communications

     

    Comment: Several commenters requested that we add a new section to prevent disclosure of sensitive health care services to members of the patient’s family through communications to the individual’s home, such as appointment notices, confirmation or scheduling of appointments, or mailing a bill or explanation of benefits, by requiring covered entities to agree to correspond with the patient in another way. Some commenters stated that this is necessary in order to protect inadvertent disclosure of sensitive information and to protect victims of domestic violence from disclosure to an abuser. A few commenters suggested that a covered entity should be required to obtain an individual’s authorization prior to communicating with the individual at the individual’s home with respect to health care relating to sensitive subjects such as reproductive health, sexually transmissible diseases, substance abuse or mental health.

    Response: We agree with commenters’ concerns regarding covered entities’ communications with individuals. We created a new provision, § 164.522(b), to address confidential communications by covered entities. This provision gives individuals the right to request that they receive communications from covered entities at an alternative address or by an alternative means, regardless of the nature of the protected health information involved. Covered providers are required to accommodate reasonable requests by individuals and may not require the individual to explain the basis for the request as a condition of accommodation. Health plans are required to accommodate reasonable requests by individuals as well; however, they may require the individual to provide a statement that disclosure of the information could endanger the individual, and they may condition the accommodation on the receipt of such statement.

    Under the rule, we have required covered providers to accommodate requests for communications to alternative addresses or by alternative means, regardless of the reason, to limit risk of harm. Providers have more frequent one-on-one communications with patients, making the safety concerns from an inadvertent disclosure more substantial and the need for confidential communications more compelling. We have made the requirement for covered providers absolute and not contingent on the reason for the request because we wanted to make it relatively easy for victims of domestic violence, who face real safety concerns by disclosures of health information, to limit the potential for such disclosures.

    The standard we created for health plans is different from the requirement for covered providers, in that we only require health plans to make requested accommodations for confidential communications when the individual asserts that disclosure could be dangerous to the individual. We address health plan requirements in this way because health plans are often issued to a family member (the employee), rather than to each individual member of a family, and therefore, health plans tend to communicate with the named insured rather than with individual family members. Requiring plans to accommodate a restriction for one individual could be administratively more difficult than it is for providers that regularly communicate with individuals. However, in the case of domestic violence or potential abuse, the level of harm that can result from a disclosure of protected health information tips the balance in favor of requiring such restriction to prevent inadvertent disclosure. We have adopted the policy recommended by the National Association of Insurance Commissioners in the Health Information Policy Model Act (1998) as this best reflects the balance of the appropriate level of regulation of the industry compared with the need to protect individuals from harm that may result from inadvertent disclosure of information. This policy is also consistent with recommendations made in the Family Violence Prevention Fund’s publication “Health Privacy Principles for Protecting Victims of Domestic Violence” (October 2000). Of course, health plans may accommodate requests for confidential communications without requiring a statement that the individual would be in danger from disclosure of protected health information.

    Comment: One commenter requested that we create a standard that all information from a health plan be sent to the patient and not the policyholder or subscriber.

    Response: We require health plans to accommodate certain requests that information not be sent to a particular location or by particular means. A health plan must accommodate reasonable requests by individuals that protected health information about them be sent directly to them and not to a policyholder or subscriber, if the individual states that he or she may be in danger from disclosure of such information. We did not generally require health plans to send information to the patient and not the policyholder or subscriber because we believed it would be administratively burdensome and because the named insured may have a valid need for such information to manage payment and benefits.

    Sensitive Subjects

    Comment: Many commenters requested that additional protections be placed on sensitive information, including information regarding HIV/AIDS, sexually transmitted diseases, mental health, substance abuse, reproductive health, and genetics. Many requested that we ensure the regulation adequately protects victims of domestic violence. They asserted that the concern for discrimination or stigma resulting from disclosure of sensitive health information could dissuade a person from seeking needed treatment. Some commenters noted that many state laws provide additional protections for various types of information. They requested that we develop federal standards to have consistent rules regarding the protection of sensitive information to achieve the goals of cost savings and patient protection. Others requested that we require patient consent or special authorization before certain types of sensitive information was disclosed, even for treatment, payment, and health care operations, and some thought we should require a separate request for each disclosure. Some commenters requested that the right to request restrictions be replaced with a requirement for an authorization for specific types of sensitive information. There were recommendations that we require covered entities to develop internal policies to address sensitive information.

    Other commenters argued that sensitive information should not be segregated from the record because it may limit a future provider’s access to information necessary for treatment of the individual and it could further stigmatize a patient by labeling him or her as someone with sensitive health care issues. These commenters further maintained that segregation of particular types of information could negatively affect analysis of community needs, research, and would lead to higher costs of health care delivery.

    Response: We generally do not differentiate among types of protected health information, because all health information is sensitive. The level of sensitivity varies not only with the type of information, but also with the individual and the particular situation faced by the individual. This is demonstrated by the different types of information that commenters singled out as meriting special protection, and in the great variation among state laws in defining and protecting sensitive information. Most states have a law providing heightened protection for some type of health information. However, even though most states have considered the issue of sensitive information, the variation among states in the type of information that is specially protected and the requirements for permissible disclosure of such information demonstrates that there is no national consensus.

    Where, as in this case, most states have acted and there is no predominant rule that emerges from the state experience with this issue, we have decided to let state law predominate. The final rule only provides a floor of protection for health information and does not preempt state laws that provider greater protection than the rule. Where states have decided to treat certain information as more sensitive than other information, we do not preempt those laws.

    To address the variation in the sensitivity of protected health information without defining specially sensitive information, we incorporate opportunities for individuals and covered entities to address specific sensitivities and concerns about uses and disclosures of certain protected health information that the patient and provider believe are particularly sensitive, as follows:

     

    • Covered entities are required to provide individuals with notice of their privacy practices and give individuals the opportunity to request restrictions of the use and disclosure of protected health information by the covered entity. (See § 164.522(a) regarding right to request restrictions.)

    • Individuals have the right to request, and in some cases require, that communications from the covered entity to them be made to an alternative address or by an alternative means than the covered entity would otherwise use. (See § 164.522(b) regarding confidential communications.)

    • Covered entities have the opportunity to decide not to treat a person as a personal representative when the covered entity has a reasonable belief that an individual has been subjected to domestic violence, abuse, or neglect by such person or that treating such person as a personal representative could endanger the individual. (See § 164.502(g)(5) regarding personal representatives.)

    • Covered entities may deny access to protected health information when there are concerns that the access may result in varying levels of harm. (See § 164.524(a)(3) regarding denial of access.)

    • Covered health care providers may, in some circumstances and consistent with any known prior preferences of the individual, exercise professional judgment in the individual’s best interest to not disclose directory information. (See § 164.510(a) regarding directory information.)

    • Covered entities may, in some circumstances, exercise professional judgment in the individual’s best interest to limit disclosure to persons assisting in the individual’s care. (See § 164.510(b) regarding persons assisting in the individual’s care.)

    This approach allows for state law and personal variation in this area.

    The only type of protected health information that we treat with heightened protection is psychotherapy notes. We provide a different level of protection because they are unique types of protected health information that typically are not used or required for treatment, payment, or health care operations other than by the mental health professional that created the notes. (See § 164.508(a)(2) regarding psychotherapy notes.)