Title 42: The Public Health and Welfare (Release 119-73)

§17935 Restrictions on certain disclosures and sales of health information; accounting of certain protected health information disclosures; access to certain information in electronic format

Title 42 › Chapter 156 - Health Information Technology › Subchapter III - Privacy › Part A - Improved Privacy Provisions and Security Provisions › § 17935

Last updated Apr 6, 2026|Official source

Summary

Requires health care groups to follow new rules about sharing and selling your health information. If you ask a provider not to share your protected health information with your health plan for payment or business reasons (not for treatment), the provider must honor that request when the information is only about a service you paid for yourself in full. Health care groups must also limit any use, request, or sharing of protected health information to the least needed information or a limited data set. The Department of Health and Human Services (HHS) must give guidance on what “minimum necessary” means within 18 months after February 17, 2009. Information that cannot be traced to you (de-identified) is not covered by these limits.

If a provider uses an electronic health record (EHR), disclosures from that EHR are not exempt from accounting. You can get an accounting of EHR disclosures from the prior three years. HHS will make rules about what tracking information must be collected soon after it adopts standards on accounting. When you ask for an accounting, a provider must either include disclosures by its business associates or give you a list of those associates and how to contact them. Rules about when these requirements start depend on when the EHR was acquired (dates include January 1, 2009; January 1, 2011; and January 1, 2014), and HHS may delay the start dates but not past 2013 or 2016 as limited in the law.

Health care groups and their business associates may not get paid for your protected health information unless you give a valid written permission that says whether the information may be exchanged for money. Exceptions include public health work, some research (if charges only cover costs of preparing and sending data), treatment, certain health operations, payment to business associates for services they do under contract, and giving you your own records. HHS must write final rules about these limits within 18 months after February 17, 2009, and the rule about selling data takes effect six months after those final rules.

If you use an EHR, you have the right to get your records in an electronic form and to have them sent directly to someone you name. Business associates may provide or send those electronic copies. Any fee for an electronic copy may only cover the provider’s labor to make the copy.

Covered entity — an organization that provides, pays for, or manages health care and keeps health records.
Business associate — a person or company that does work for a covered entity and handles protected health information.
Protected health information — private health facts that can identify a person.
Electronic health record — a digital medical record kept by a provider.

Full Legal Text

Title 42, §17935

The Public Health and Welfare — Source: USLM XML via OLRC

(a) In the case that an individual requests under paragraph (a)(1)(i)(A) of section 164.522 of title 45, Code of Federal Regulations, that a covered entity restrict the disclosure of the protected health information of the individual, notwithstanding paragraph (a)(1)(ii) of such section, the covered entity must comply with the requested restriction if—
(1) except as otherwise required by law, the disclosure is to a health plan for purposes of carrying out payment or health care operations (and is not for purposes of carrying out treatment); and
(2) the protected health information pertains solely to a health care item or service for which the health care provider involved has been paid out of pocket in full.
(b)(1)(A) Subject to subparagraph (B), a covered entity shall be treated as being in compliance with section 164.502(b)(1) of title 45, Code of Federal Regulations, with respect to the use, disclosure, or request of protected health information described in such section, only if the covered entity limits such protected health information, to the extent practicable, to the limited data set (as defined in section 164.514(e)(2) of such title) or, if needed by such entity, to the minimum necessary to accomplish the intended purpose of such use, disclosure, or request, respectively.
(B) Not later than 18 months after February 17, 2009, the Secretary shall issue guidance on what constitutes “minimum necessary” for purposes of subpart E of part 164 of title 45, Code of Federal Regulation. [Footnote 1: So in original. Probably should be “Regulations.”] In issuing such guidance the Secretary shall take into consideration the guidance under section 17953(c) of this title and the information necessary to improve patient outcomes and to detect, prevent, and manage chronic disease.
(C) Subparagraph (A) shall not apply on and after the effective date on which the Secretary issues the guidance under subparagraph (B).
(2) For purposes of paragraph (1), in the case of the disclosure of protected health information, the covered entity or business associate disclosing such information shall determine what constitutes the minimum necessary to accomplish the intended purpose of such disclosure.
(3) The exceptions described in section 164.502(b)(2) of title 45, Code of Federal Regulations, shall apply to the requirement under paragraph (1) as of the effective date described in section 13423 [Footnote 2: See References in Text note below.] in the same manner that such exceptions apply to section 164.502(b)(1) of such title before such date.
(4) Nothing in this subsection shall be construed as affecting the use, disclosure, or request of protected health information that has been de-identified.
(c)(1) In applying section 164.528 of title 45, Code of Federal Regulations, in the case that a covered entity uses or maintains an electronic health record with respect to protected health information—
(A) the exception under paragraph (a)(1)(i) of such section shall not apply to disclosures through an electronic health record made by such entity of such information; and
(B) an individual shall have a right to receive an accounting of disclosures described in such paragraph of such information made by such covered entity during only the three years prior to the date on which the accounting is requested.
(2) The Secretary shall promulgate regulations on what information shall be collected about each disclosure referred to in paragraph (1), not later than 6 months after the date on which the Secretary adopts standards on accounting for disclosure described in the [Footnote 3: So in original.] section 300jj–12(b)(2)(B)(iv) of this title, as added by section 13101. [Footnote 2: See References in Text note below.] Such regulations shall only require such information to be collected through an electronic health record in a manner that takes into account the interests of the individuals in learning the circumstances under which their protected health information is being disclosed and takes into account the administrative burden of accounting for such disclosures.
(3) In response to an [Footnote 4: So in original. Probably should be “a”.] request from an individual for an accounting, a covered entity shall elect to provide either an—
(A) accounting, as specified under paragraph (1), for disclosures of protected health information that are made by such covered entity and by a business associate acting on behalf of the covered entity; or
(B) accounting, as specified under paragraph (1), for disclosures that are made by such covered entity and provide a list of all business associates acting on behalf of the covered entity, including contact information for such associates (such as mailing address, phone, and email address).
(4)(A) In the case of a covered entity insofar as it acquired an electronic health record as of January 1, 2009, paragraph (1) shall apply to disclosures, with respect to protected health information, made by the covered entity from such a record on and after January 1, 2014.
(B) In the case of a covered entity insofar as it acquires an electronic health record after January 1, 2009, paragraph (1) shall apply to disclosures, with respect to protected health information, made by the covered entity from such record on and after the later of the following:
(i) January 1, 2011; or
(ii) the date that it acquires an electronic health record.
(C) The Secretary may set an effective date that is later that [Footnote 5: So in original. Probably should be “than”.] the date specified under subparagraph (A) or (B) if the Secretary determines that such later date is necessary, but in no case may the date specified under—
(i) subparagraph (A) be later than 2016; or
(ii) subparagraph (B) be later than 2013.
(d)(1) Except as provided in paragraph (2), a covered entity or business associate shall not directly or indirectly receive remuneration in exchange for any protected health information of an individual unless the covered entity obtained from the individual, in accordance with section 164.508 of title 45, Code of Federal Regulations, a valid authorization that includes, in accordance with such section, a specification of whether the protected health information can be further exchanged for remuneration by the entity receiving protected health information of that individual.
(2) Paragraph (1) shall not apply in the following cases:
(A) The purpose of the exchange is for public health activities (as described in section 164.512(b) of title 45, Code of Federal Regulations).
(B) The purpose of the exchange is for research (as described in section 164.501 and 164.512(i) of title 45, Code of Federal Regulations) and the price charged reflects the costs of preparation and transmittal of the data for such purpose.
(C) The purpose of the exchange is for the treatment of the individual, subject to any regulation that the Secretary may promulgate to prevent protected health information from inappropriate access, use, or disclosure.
(D) The purpose of the exchange is the health care operation specifically described in subparagraph (iv) of paragraph (6) of the definition of healthcare operations in section 164.501 of title 45, Code of Federal Regulations.
(E) The purpose of the exchange is for remuneration that is provided by a covered entity to a business associate for activities involving the exchange of protected health information that the business associate undertakes on behalf of and at the specific request of the covered entity pursuant to a business associate agreement.
(F) The purpose of the exchange is to provide an individual with a copy of the individual’s protected health information pursuant to section 164.524 of title 45, Code of Federal Regulations.
(G) The purpose of the exchange is otherwise determined by the Secretary in regulations to be similarly necessary and appropriate as the exceptions provided in subparagraphs (A) through (F).
(3) Not later than 18 months after February 17, 2009, the Secretary shall promulgate regulations to carry out this subsection. In promulgating such regulations, the Secretary—
(A) shall evaluate the impact of restricting the exception described in paragraph (2)(A) to require that the price charged for the purposes described in such paragraph reflects the costs of the preparation and transmittal of the data for such purpose, on research or public health activities, including those conducted by or for the use of the Food and Drug Administration; and
(B) may further restrict the exception described in paragraph (2)(A) to require that the price charged for the purposes described in such paragraph reflects the costs of the preparation and transmittal of the data for such purpose, if the Secretary finds that such further restriction will not impede such research or public health activities.
(4) Paragraph (1) shall apply to exchanges occurring on or after the date that is 6 months after the date of the promulgation of final regulations implementing this subsection.
(e) In applying section 164.524 of title 45, Code of Federal Regulations, in the case that a covered entity uses or maintains an electronic health record with respect to protected health information of an individual—
(1) the individual shall have a right to obtain from such covered entity a copy of such information in an electronic format and, if the individual chooses, to direct the covered entity to transmit such copy directly to an entity or person designated by the individual, provided that any such choice is clear, conspicuous, and specific;
(2) if the individual makes a request to a business associate for access to, or a copy of, protected health information about the individual, or if an individual makes a request to a business associate to grant such access to, or transmit such copy directly to, a person or entity designated by the individual, a business associate may provide the individual with such access or copy, which may be in an electronic form, or grant or transmit such access or copy to such person or entity designated by the individual; and
(3) notwithstanding paragraph (c)(4) of such section, any fee that the covered entity may impose for providing such individual with a copy of such information (or a summary or explanation of such information) if such copy (or summary or explanation) is in an electronic form shall not be greater than the entity’s labor costs in responding to the request for the copy (or summary or explanation).

Legislative History

Notes & Related Subsidiaries

Editorial Notes

References in Text

Section 13423, referred to in subsec. (b)(3), means section 13423 of div. A of Pub. L. 111–5, which is set out as an Effective Date note under section 17931 of this title.

Section 300jj–12(b)(2)(B)(iv) of this title, as added by section 13101, referred to in subsec. (c)(2), means section 300jj–12(b)(2)(B)(iv) of this title as added by section 13101 of div. A of Pub. L. 111–5. Section 300jj–12 of this title was repealed by Pub. L. 114–255, div. A, title IV, § 4003(e)(1), Dec. 13, 2016, 130 Stat. 1168. Similar provisions as pertaining to the HIT Advisory Committee are contained in section 300jj–12(b)(2)(B)(ii) of this title as enacted by Pub. L. 114–255.

Amendments

2016—Subsec. (e)(2), (3). Pub. L. 114–255 added par. (2) and redesignated former par. (2) as (3).

Statutory Notes and Related Subsidiaries

Effective Date

Section effective 12 months after Feb. 17, 2009, except as otherwise specifically provided, see section 13423 of Pub. L. 111–5, set out as a note under section 17931 of this title.

Reference

Citations & Metadata

Citation

42 U.S.C. § 17935
