(a) If a patient consents to a disclosure of their records under § 2.31, a part 2 program may disclose those records in accordance with that consent to any person or category of persons identified or generally designated in the consent, except that disclosures to central registries and in connection with criminal justice referrals must meet the requirements of §§ 2.34 and 2.35, respectively.
(b) If a patient consents to a disclosure of their records under § 2.31 for payment or health care operations activities, a lawful holder who receives such records under the terms of the written consent may further disclose those records as may be necessary for its contractors, subcontractors, or legal representatives to carry out payment and/or health care operations on behalf of such lawful holder. In accordance with § 2.13(a), disclosures under this section must be limited to that information which is necessary to carry out the stated purpose of the disclosure. Examples of permissible payment or health care operations activities under this section include:
(1) Billing, claims management, collections activities, obtaining payment under a contract for reinsurance, claims filing, and/or related health care data processing;
(2) Clinical professional support services (e.g., quality assessment and improvement initiatives; utilization review and management services);
(3) Patient safety activities;
(4) Activities pertaining to:
(i) The training of student trainees and health care professionals;
(ii) The assessment of practitioner competencies;
(iii) The assessment of provider or health plan performance; and/or
(iv) Training of non-health care professionals;
(5) Accreditation, certification, licensing, or credentialing activities;
(6) Underwriting, enrollment, premium rating, and other activities related to the creation, renewal, or replacement of a contract of health insurance or health benefits, and/or ceding, securing, or placing a contract for reinsurance of risk relating to claims for health care;
(7) Third-party liability coverage;
(8) Activities related to addressing fraud, waste and/or abuse;
(9) Conducting or arranging for medical review, legal services, and/or auditing functions;
(10) Business planning and development, such as conducting cost management and planning-related analyses related to managing and operating, including formulary development and administration, development or improvement of methods of payment or coverage policies;
(11) Business management and general administrative activities, including management activities relating to implementation of and compliance with the requirements of this or other statutes or regulations;
(12) Customer services, including the provision of data analyses for policy holders, plan sponsors, or other customers;
(13) Resolution of internal grievances;
(14) The sale, transfer, merger, consolidation, or dissolution of an organization;
(15) Determinations of eligibility or coverage (e.g., coordination of benefit services or the determination of cost sharing amounts), and adjudication or subrogation of health benefit claims;
(16) Risk adjusting amounts due based on enrollee health status and demographic characteristics;
(17) Review of health care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges;
(18) Care coordination and/or case management services in support of payment or health care operations; and/or
(19) Other payment/health care operations activities not expressly prohibited in this provision.
(c) Lawful holders who wish to disclose patient identifying information pursuant to paragraph (b) of this section must have in place a written contract or comparable legal instrument with the contractor or voluntary legal representative, which provides that the contractor, subcontractor, or voluntary legal representative is fully bound by the provisions of part 2 upon receipt of the patient identifying information. In making any such disclosures, the lawful holder must furnish such recipients with the notice required under § 2.32; require such recipients to implement appropriate safeguards to prevent unauthorized uses and disclosures; and require such recipients to report any unauthorized uses, disclosures, or breaches of patient identifying information to the lawful holder. The lawful holder may only disclose information to the contractor or subcontractor or voluntary legal representative that is necessary for the contractor or subcontractor or voluntary legal representative to perform its duties under the contract or comparable legal instrument. Contracts may not permit a contractor or subcontractor or voluntary legal representative to re-disclose information to a third party unless that third party is a contract agent of the contractor or subcontractor, helping them provide services described in the contract, and only as long as the agent only further discloses the information back to the contractor or lawful holder from which the information originated.
[83 FR 251, Jan. 3, 2018, as amended at 85 FR 43037, July 15, 2020]