[Federal Register Volume 65, Number 132 (Monday, July 10, 2000)]
[Notices]
[Pages 42370-42378]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 00-17339]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES


National Committee on Vital and Health Statistics: Publication of 
Recommendations Relating to HIPAA Health Data Standards

AGENCY: Office of the Secretary, HHS.

ACTION: Notice.

-----------------------------------------------------------------------

SUMMARY: The Health Insurance Portability and Accountability Act of 
1996 (Section 1172(f), Subtitle F of Pub. L. 104-191) requires the 
Secretary of Health and Human Services to publish in the Federal 
Register any recommendation of the National Committee on Vital and 
Health Statistics (NCVHS) regarding the adoption of a data standard 
under that law. Accordingly, the full text of the NCVHS comments on the 
Notice of Proposed Rulemaking issued by HHS entitled ``Standards for 
the Privacy of Individually Identifiable Health Information'' is 
reproduced below. The text of the comments has also been available on 
the NCVHS website and the HHS Administrative Simplification website: 
http://ncvhs.hhs.gov/.

SUPPLEMENTARY INFORMATION: Under the Administrative Simplification 
provisions of the Health Insurance Portability and Accountability Act 
of 1996 (HIPAA), the Secretary of Health and Human Services is required 
to adopt standards for specified administrative health care 
transactions to enable information to be exchanged electronically, as 
well as security standards. The law requires that, within 24 months of 
adoption, all health plans, health care clearinghouses and health care 
providers who choose to conduct these transactions electronically must 
comply with these standards. In addition, the law outlined a process 
leading to the development of standards to protect the privacy of 
individually identifiable health information.
    In preparing these reports and recommendations, the Secretary is 
required to consult with the NCVHS, the statutory public advisory body 
to HHS on health data, privacy and health information policy. On 
February 7, 2000 the Committee submitted a set of public comments on 
the Notice of Proposed Rulemaking issued by HHS entitled ``Standards 
for the Privacy of Individually Identifiable Health Information.''
    In accordance with the law, the full text of the NCVHS comments is 
published below.
    February 7, 2000
    U.S. Department of Health and Human Services
    Assistant Secretary for Planning and Evaluation
    Attention: Privacy-P
    Room G-322A, Hubert H. Humphrey Building
    200 Independence Avenue SW
    Washington, D.C. 20201
Dear Sirs:
    On behalf of the National Committee on Vital and Health Statistics 
(NCVHS), I am pleased to forward to you our recommendations on the 
notice of proposed rule-making for standards for
privacy of individually identifiable health information. The NCVHS 
congratulates the Department for the solid work done in drafting this 
notice of proposed rule-making. The NCVHS is also pleased that many of 
its recommendations on health information privacy in its June 1997 
report have been incorporated into the proposed rule.
    While the scope of the proposed rule addresses many health 
information privacy issues, it should be noted that there is still a 
need for anti-discrimination legislation. The NCVHS previously urged 
the Secretary to propose legislation expanding the anti-discrimination 
provisions of the Health Insurance Portability and Accountability Act 
of 1996 (HIPAA) to cover all aspects of discrimination based on health 
status and condition.
    While the proposed rule meets the requirements of HIPAA, the NCVHS 
strongly believes that there is a need for comprehensive federal 
legislation to address the privacy of individually identifiable health 
information. The proposed rule is limited in scope and does not cover 
all records or all entities with access to individually identifiable 
health information.

Applicability

    The NCVHS agrees that the scope of the rule should be extended to 
all individually identifiable health information, including purely 
paper records. The privacy regulations should be uniform across all 
forms of identifiable health information and across all holders of such 
information. Having uniform regulations apply to all medical records 
would simplify compliance for covered entities.
    The NCVHS also recommends that HHS use all available authority (or 
all available means to extend HHS authority) to try to achieve uniform 
regulations across medical records, types of records, and types of 
covered entities. For example, the conditions of participation under 
Medicare and Medicaid could be utilized to achieve uniform regulation.

Definitions

    The definition of protected health information raises serious 
problems outside the treatment and payment process. Within the 
treatment and payment process, we can safely assume that all 
information about data subjects is protected health information. As a 
result, we do not encounter major line drawing problems. However, for 
employers or life insurers, the same assumption does not work. These 
non-medical record keepers routinely maintain other, non-health, 
information on individuals. How can they tell when personal information 
is protected health information within the meaning of the rule? Schools 
would present the same problem, except that the rules unfortunately and 
inappropriately exempt most schools from the health privacy rules 
altogether. We believe that there is a lot of confusion in the 
definition and this needs to be clarified.
    The definition of health plan excludes health care payment under 
property and casualty insurance. Putting aside the issue of workers' 
compensation, the definition creates a significant loophole for 
insurers who want to avoid the scope of the privacy rules in order to 
use health information for marketing or other uses unrelated to health. 
From the perspective of a patient, the nature of the policy is not 
relevant. When a casualty insurance company pays for health care, the 
patient will think that the company looks the same as other insurance 
companies. Yet the rule denies a patient privacy rights for property 
and casualty insurance information. Sometimes, treatment may continue 
while the ultimate source of payment (property policy vs. health 
policy) remains unknown, perhaps for months or years. Will information 
be subject to the privacy rule in the interim, and how will covered 
entities or others know?
    Workers' compensation is a complex subject that requires special 
treatment and reasonable accommodation. However, like other casualty 
insurance, it is not entitled to a complete exemption. The Department 
should not evade its responsibility to address these difficult issues 
by simply exempting them. If necessary, a separate and subsequent 
rulemaking should consider how to meet confidentiality interests of 
patients while allowing workers' compensation to be administered 
efficiently.
    The definition of designated record set has two fundamental 
problems. First, record keepers will find it impossible to determine 
how to apply this term under the privacy rule. Second, the definition 
relies upon an outmoded and discredited concept from the Privacy Act of 
1974. The Privacy Protection Study Commission recommended abandoning 
the ``retrieved in fact'' standard in the Privacy Act of 1974 more than 
twenty years ago. We believe that this definition will be difficult to 
operationalize and recommend that this definition should be revisited.
    The definition of individual excludes foreign military and foreign 
diplomatic personnel and their dependents. The commentary offers no 
adequate justification for this exclusion. If it only applied to 
records maintained directly by the federal government, then the 
problems inflicted by the exclusion would fall exclusively on the 
federal government. But it includes care paid for by the Department of 
Defense, and this means providers, plans, and clearinghouses will have 
some records. This is a specific problem which needs to be addressed in 
the rule.
    The term research information unrelated to treatment is not clear. 
The need for the term is elusive. There is an inability to understand 
the point of the term and its associated substantive provision. Regular 
research information is subject to IRB oversight. This category of 
research information is apparently not. The recognition of two separate 
categories of research information is confusing and potentially 
troublesome. There is a need for more explanation. The NCVHS recommends 
that there be no distinction in the categories of research. All 
research should be treated the same.
    The definition of treatment includes disease management as an 
included function. Disease management is not a defined term and this 
creates one of the biggest loopholes in the rule. Protected health 
information could be disclosed to virtually anyone--including marketers 
and employers--under the guise of disease management. It is essential 
that this loophole be closed. The potential breadth of the term is 
evident from a definition recently adopted by the Disease Management 
Association of America:
    Disease management is a multidisciplinary, continuum-based approach 
to health care delivery that proactively identifies populations with, 
or at risk for, established medical conditions that: supports the 
physician/patient relationship and plan of care; emphasizes prevention 
of exacerbations and complications utilizing cost-effective evidence-
based practice guidelines and patient empowerment strategies such as 
self-management education; and continuously evaluates clinical, 
humanistic, and economic outcomes with the goal of improving overall 
health.
    It is difficult to imagine any privacy-invasive use or disclosure 
of patient information that could not be justified as disease 
management under this definition. The definition fails to recognize 
that patient privacy and patient consent are relevant limiting factors 
in disease management activities. We do not recommend the adoption of 
this definition in the
regulations. Rather, we recommend that functions that might be called 
disease management and are prohibited under this rule be identified.

Treatment, Payment and Health Care Operations

    There was a divergence of opinion among the Committee regarding 
informed consent versus statutory authorization. Concern was expressed 
that statutory authorization undercut traditional codes of medical 
ethics and that informed consent should be preserved. However, many 
NCVHS members felt that statutory authorization provided a better, more 
uniform level of protection than the case by case application of 
informed consent. Some NCVHS members expressed concern that the 
proposed rules will interfere with good clinical care. The issue of how 
much access physicians should have to the records of non-patients and 
whether consent is required needs to be clarified.

Minimum Necessary

    The NCVHS supports the concept of minimum necessary use and 
disclosure. The Committee, however, would add an additional standard: 
minimum identifiable form. Minimum identifiable form would limit the 
amount of identifiable data. For example, rather than using name, one 
would use another identifier. Therefore, any use or disclosure would be 
the minimum amount of protected health information necessary to 
accomplish the intended purpose of use or disclosure in a minimum 
identifiable form.
    Statutorily mandated public health requests are recurring and 
routine and involve a broad range of information for epidemiological 
investigations. This rule should not unduly interfere with these 
requests. These requests are established by a state law and rules that 
are published with public comment. This requirement should also not 
require duplication between tasks that are already accomplished by an 
IRB and Privacy Board approved research. It does not make sense to ask 
a covered entity to create (or contract) with an IRB or privacy board 
and then also have to review the board's findings itself.
    The covered entity is not likely to have the expertise needed to 
make fine distinctions regarding minimum necessary in the research 
context. The regulation could accomplish their purpose by simply 
requiring covered entities to verify that the research received IRB (or 
privacy board) approval.
    Several members of the NCVHS recommend exempting treatment from the 
concept of minimum necessary use and disclosure. Some members believe 
that the concept is appropriate for treatment, payment and health care 
operations.
    The following language is a suggested addition to the minimum 
necessary rule:

    All procedures and policies that covered entities develop should 
take into consideration the minimum necessary principle. However, 
this rule should never compromise patient safety, and requests for 
protected data for patient treatment, and operations and payment and 
public health should be exempted from the requirement of individual 
application of this rule to each specific request. Further, research 
requests will be deemed to have satisfied these requirements if the 
covered entity has verified receipt of the signed approval of an IRB 
or privacy board.

Right to Restrict

    The choice made by the rule to allow disclosures without 
authorization for payment and treatment is a compromise that only works 
if the small percentage of patients who want additional restrictions on 
routine disclosures can be reasonably accommodated. Giving individuals 
a realistic opportunity to seek restrictions on payment and treatment 
disclosures authorized by the rule is crucial. However, the proposed 
rule does not strike an adequate balance.
    A health plan or provider might simply refuse all patient requests 
for additional restrictions because of a plan's or provider's 
noncompliance or administrative convenience. The commentary goes too 
far in telling covered entities that they can decline to even consider 
requests. Nevertheless, patients still need more consideration of their 
requests.
    The solution is to require that covered entities negotiate with 
patients over disclosure restrictions in good faith and that they must 
provide a written reason for rejecting the request of a patient. Fairer 
negotiations and clearer explanations will provide those patients whose 
requests cannot reasonably be accommodated with an opportunity to make 
other arrangements for their health care.
    Covered entities should also be required to keep track of how they 
handle patient requests for restrictions so that HHS can review the 
degree of good faith shown in handling requests. Without a record-keeping 
requirement, those at HHS charged with enforcement may be 
unable to determine if an entity treats patients' requests fairly and 
honorably.

Creation of De-Identified Data

    The regulations could use further clarity defining what rules apply 
to what data. How do the rules about de-identified data interact with 
the rules about research and the rules about minimum necessary? If 
research is done on de-identified data is it exempt from all 
requirements? Are requests for de-identified data exempt from all 
reviews related to minimum necessary? The introductory section suggests 
that none of the other rules apply to de-identified data but it would 
be good to see that stated explicitly.

Business Partners

    This section is confusing. Why is an exemption made to 
communications related to consultations and referrals for treatment 
under this section? The goal obviously is to facilitate traditional 
clinical communications. We would have presumed that this exemption was 
already provided by the exemption for treatment, operation and payment 
purposes. If this exemption is needed for consultations and referrals 
then it is also needed for a host of many other clinical communications 
between business partners, i.e. between commercial laboratory services 
and (these are not usually consultations or referrals for treatment), 
between pharmacies so they could transmit prescriptions, between 
Hospital A and Hospital B when the patient is under care at Hospital A, 
but Hospital B carries relevant clinical data. If this exemption is 
needed it should be broadened beyond the limited exemption for 
consultation and treatment.
    The requirement to control information received from the covered 
entity for the purpose of consultation and treatment could be very 
difficult to implement. It is understandable why special protection 
might be required, but a consulting physician's history and physical, 
recorded as narrative (often dictated) text, will intermingle with the 
narrative information they obtain from the referring physician. How 
would one segregate the information obtained from the referring MD from 
that collected by the consult when it is buried in pure narrative text? 
Further, if read literally, the rule would preclude the sharing of such 
data with the physician who takes night call for the consulting 
physician. This also suggests that the broad example given for the 
sharing of data for patient care does not apply in many care 
situations.
    The constraint would be more easily applied if the treating 
physician's summary of such data rolled into their
note were exempted from the strict requirements. Then, the separate 
records sent from another practice could be treated just as they are in 
many hospitals, as ``correspondence'' which goes into a special section 
of the chart. This correspondence section part of the chart has all of 
the protection of the medical record and can be used for ``treatment 
purposes'' but has additional restrictions on disclosure.
    Covered entities disclose protected health information to many 
different business partners. Written contracts are appropriate for many 
of these disclosures in the way that the rule provides. However, the 
same procedure is not appropriate or practical for all relationships. 
For example, patient records may technically be ``disclosed'' to 
companies providing telephone service, delivery service (the law 
protects Postal Service mail against opening for inspection, but 
courier services have no similar legal restrictions), Internet service, 
credit card support, equipment repair, financial audits and legal 
service. Records may even be ``disclosed'' to moving companies hired to 
haul boxes from one location to another.
    Telling each covered entity to negotiate an agreement with every 
company providing routine, standard services is unnecessary. The 
Department should identify as many standard disclosures as possible and 
should develop language that meets the requirements and intent of the 
privacy rule for service providers to incorporate in standard 
contracts. This will avoid the need for tens of thousands of individual 
negotiations. The idea is similar to the proposal to exempt disclosures 
for consultations for treatment. A similar approach for selected other 
disclosures will be the most efficient way of solving common problems 
and will reduce the costs of compliance significantly. It will also 
benefit contractors who will not find it necessary to repeat identical 
negotiations with their subcontractors.

Individual Authorization

    The collection of authorizations for marketing uses and disclosures 
is fraught with potential abuses. In the past, disclosure of patient 
information for marketing purposes was unethical. The demands of 
marketers combined with the allure of profits for record keepers and 
the growth of health plans that operate without any of the traditional 
provider ethical constraints have significantly weakened disclosure standards to 
the detriment of patients. An unfortunate consequence of standardizing 
procedures for authorizations may be that demands on patients for 
marketing authorizations will increase as covered entities learn how to 
pressure patients into signing authorizations.
    The Department should use the rule to stop the trend toward 
increased trafficking by marketers in patient data. Most patients 
strongly object to marketing activities based on identifiable patient 
data, but sick or inattentive individuals may not be able to understand 
or resist pressure from health plans or others to sign authorizations 
for marketing. One easy change is to expressly prohibit any 
clearinghouse from seeking patient authorization for marketing 
disclosures.
    For plans and providers, there are several ideas. First, a covered 
entity should be prohibited from seeking consent from patients for any 
marketing disclosures that benefit a third party. Third parties that 
want patient information for marketing should be forced to obtain the 
authorizations directly from patients and without the assistance or 
intervention of a covered entity. The purpose is to remove any 
incentive that a plan or provider might have to do business with 
marketers.
    Note that this suggestion applies only to disclosures and not to 
uses. A covered entity that seeks to market its own products or 
services directly to patients should be able to do so with notice and 
consent. However, any use that involves a disclosure of any type to a 
third party should not be permitted. Further, the marketing use must be 
for a service or product provided directly by the covered entity and 
not by the affiliated company. This type of restriction is necessary to 
prevent consumer marketing companies or others from purchasing health 
care providers just for the ability to access patient records for 
marketing purposes.
    Second, it is not sufficient for an authorization to reveal that 
the covered entity requesting the authorization will gain financially 
from the disclosure. The identity of the person providing the financial 
incentive should be included on the authorization, along with the 
amount of the financial gain. If these requirements inhibit the 
marketing uses of identifiable health information, that would be 
appropriate.
    Third, the rule should require full public disclosure of all 
marketing arrangements between covered entities and others. The details 
should be disclosed on the website of the covered entity or available 
upon the request of any person. If disclosure inhibits a covered entity 
from seeking authorizations for marketing, so much the better. No one 
should be permitted to hide a marketing campaign based on identifiable 
patient information behind a business confidentiality screen. Here too, 
the goal should be to discourage marketing using identifiable patient 
information.
    Fourth, the rule should provide that all authorizations for 
marketing expire in six months. A short, fixed period for these 
authorizations is essential so that a casual agreement by a patient in 
a weak or confused moment will not result in a lifetime of marketing 
disclosures by an avaricious covered entity.
    Additionally, accounting for marketing disclosures should include 
not only the person who received the information but the actual party 
in interest as well. For example, if a pharmacy disclosed patient data 
to a lettershop for a marketing campaign funded by a drug manufacturer, 
the accounting should identify both the lettershop and the 
manufacturer. Telling the patient that the XYZ Lettershop received the 
data is not as meaningful as telling the patient that the ABC 
Pharmaceutical Company benefited from the disclosure.
    The proposed rule states that a covered entity may not condition 
treatment or payment on a patient's authorization. This is a step in 
the right direction, but it does not go far enough. The rule does not 
prohibit the use of financial incentives to induce a patient to sign an 
authorization. For example, a health plan could offer a discount to 
patients who sign an authorization. If allowed, financial incentives 
could be used unfairly. For example, a health plan could establish a 
high copayment but reduce it drastically for patients who sign an 
authorization. This conduct should be prohibited.
    The rule does not require the use of a contract between a provider 
and a pharmaceutical company, but it requested comment on the idea. In 
our view, a contract that identifies the patient as a third party 
beneficiary is valuable. At best, the Department's enforcement will be 
able to identify, investigate and sanction only a small fraction of 
abuses. By giving patients enforcement rights as third party 
beneficiaries under contracts, patients will be able to supplement the 
work of the Department by seeking enforcement of their own rights in 
court. The rule should not only require contracts with third party 
beneficiary clauses for arrangements between providers and 
pharmaceutical companies, but it should require such contracts for all 
allowable arrangements between covered entities and anyone seeking 
information for a marketing purpose.
    The rule should provide that all authorizations be dated on the day 
they are signed. No one should be allowed to collect an authorization 
to become valid on a date in the future to be designated by the person 
seeking the authorization.
    The provision in section 164.508(a)(2)(iv) that prohibits a covered 
entity from seeking an authorization covering treatment, payment, or 
health care operations needs to be rethought. At times, a patient or 
provider may need a signed consent to comply with a state or foreign 
law, or in other special circumstances. In other cases, a provider 
(e.g. a psychiatrist) that shares a patient's concern about 
confidentiality may affirmatively seek an authorization narrowing the 
provider's ability to disclose information. The proposed rule prevents 
that from happening. We suggest amending the provision to prevent a 
provider from routinely requiring a patient authorization for 
treatment, payment or oversight that permits more disclosures than 
allowed by the rule. If a provider wants either a narrower 
authorization or an authorization identical to the rule, the patient 
should be allowed to agree.

Health Oversight

    The definition of health oversight activities includes almost any 
activity pertaining to government benefit programs. The rule should 
make it clear that government benefit programs requiring health 
information about applicants need authorizations. The authority to use 
health information in the oversight process should not be construed to 
include the initial collection of benefit information for routine 
health or welfare programs. Applicants should know when an eligibility 
decision requires health information. They should be asked to consent. 
Consent should be the default method for obtaining access to records.
    The commentary says that the regulation allowing a health oversight 
agency to obtain health information does not create any new right of 
access to records. That point is absent from the rule. It is crucial to 
make this point clearly in the body of the rule.
    Disclosures for health oversight can be a significant invasion of 
personal privacy. When they are necessary to serve a broader societal 
interest, patients deserve better protection. Some legislative 
proposals introduced in recent years include a policy that prevents 
information disclosed for a purpose such as health oversight from use 
in any administrative, civil, or criminal action or investigation 
against the subject of the record unless the action or investigation 
arises out of and relates to receipt of or payment for health care. It 
would be appropriate for the Department to include this policy in its 
rule.
    Admittedly, there is some doubt about the authority of the 
Secretary to impose this type of patient protection through the rule to 
all oversight agencies. However, the Secretary has more than enough 
power to order all components of the Department to follow the policy. 
Accordingly, we recommend that the Secretary issue an administrative 
order prohibiting all Department components from using any patient 
records obtained for oversight activities in any administrative, civil, 
or criminal action or investigation against the subject of the record. 
It may be appropriate to allow an exception if the action or 
investigation develops evidence that the patient is engaged in health 
care fraud or abuse. The same order should cover law enforcement, 
public health, and other non-consensual disclosures. An administrative 
order of this type could be issued immediately and without waiting for 
the privacy rule to take effect.

Judicial and Administrative Proceedings

    The proposed rule permits a covered entity to disclose protected 
health information that relates to a party whose health condition is at 
issue in a proceeding and where the disclosure is pursuant to a lawful 
process such as a discovery order. The rule assumes that because the 
subject of the record is a party to the proceeding, the subject will 
have notice of discovery orders. This is not always true. The rule 
needs to be modified to require actual notice to the record subject or 
to the subject's lawyer. Further, access through this method should be 
limited to instances in which the record subject placed his or her 
medical condition or history at issue. If another party to litigation 
raised a medical question, then the party seeking the record should be 
required to obtain a court order rather than a routine discovery 
request.
    The rule should establish a process that offers appropriate 
assurance to record keepers as well as adequate notice to the subject 
of the record. A person seeking protected health information through 
discovery should be required to notify the subject or the subject's 
attorney of the request for information. The person seeking the 
information should be required to provide the covered entity holding 
the information with a signed document attesting (1) that the subject 
of the record is a party to the litigation; (2) that the individual has 
placed his or her medical condition or history in issue; (3) the date 
on which the subject of the record received notice of the request; and 
(4) that ten days have passed after the notice and the subject of the 
record has not objected.
    This procedure will assure that the subject of protected health 
information receives actual notice of a discovery request and that the 
subject can object in a timely fashion. Just because litigation 
involves an individual's medical condition, the individual's entire 
medical file will not necessarily be relevant. If litigation involves a 
broken leg, the disclosure of the plaintiff's psychiatric history may 
not be relevant. The general rule limiting disclosures to the minimum 
amount of information necessary to accomplish the purpose should be 
fully applicable. Patients can use the rule to contest the scope of 
discovery requests. Of course, if a dispute arises over a discovery 
disclosure, the notice procedure allows the tribunal considering the 
matter to resolve it without any involvement on the part of the covered 
entity.

Law Enforcement

    The NCVHS believes that the current proposal for law enforcement 
access is overly broad. The proposal allows any law enforcement agent 
to obtain health information without requiring a written request.
    The rule should require that any routine request for information 
from the police be in writing and signed by a supervisory official. The 
proposed three-part test is useful and should be retained. However, 
unless law enforcement agencies make their determinations in a written 
and signed document, the requirement will be an ineffective barrier to 
appropriate access. An oral representation that the request qualifies 
under the test has little significance.
    Law enforcement agencies should be obliged to state with some 
precision the information that they require. If the police need only 
the location of a patient, they should not obtain access to the 
complete medical record. The police must provide enough information 
about their needs to allow application of the minimum purpose rule.
    The commentary says that substance abuse records continue to be 
covered by 42 U.S.C. 290dd-2. That statement belongs clearly in the 
rule itself or else it will create unnecessary confusion.
    The rule governing disclosures for intelligence and national 
security activities needs reconsideration. As written, the provision 
allows a large number of employees of many different agencies to make 
requests for health records. The rule requires no 
writing or involvement by supervisory personnel of the requesting 
agency. The rule offers no protections to patients. It is far from 
apparent why any personnel of the National Reconnaissance Office or the 
other agencies identified in the law as part of the intelligence 
community need the ability to seek health records.
    Nothing in the Privacy Act of 1974 allows such broad and 
unrestricted access by intelligence agencies to health records or even 
to less sensitive records about individuals. The intelligence community 
needs to make its case for access to federally maintained health 
records in a public way. The rule should be revised to permit 
disclosures only for those specific needs. Further, all requests for 
access should be accompanied by a written request signed by a 
supervisory official of the agency.

Governmental Health Data Systems

    The commentary tries to make the case for permitting open-ended 
authority for the collection of health information for health data 
systems with a variety of functions. We do not oppose allowing 
legitimate health data systems to obtain patient information under 
defined circumstances when information in the data system has adequate 
protection. The rule, however, imposes no procedural or substantive 
requirements on disclosures to health data systems. Indeed, the rule 
allows disclosure of health data for policy, planning, regulatory, or 
management functions unrelated to health care.
    Requiring verification of identity, as provided in section 
164.518(c) is appropriate, but the suggestion that verification 
presents a significant barrier to access is wrong. The standard for 
access is so broad that dozens of federal and state agencies with no 
direct health responsibilities could legitimately obtain information. 
Virtually any government agency in the United States could use this 
provision to seek health records unless expressly prohibited by law 
from doing so. Under the verification rule, agency personnel need only 
show an identification card and orally state that they qualify for 
access.
    The rule needs several changes to address access by agencies that 
do not have express statutory authority to obtain patient data. First, 
an agency seeking data should be required to inform the public of its 
request. Many requests will be routine and continuing so a public 
notice requirement will not be onerous. The notice should allow for 
public comment before any actual disclosures. Second, if data collected 
for a governmental health data system can be used in any way against a 
patient, then the public notice should be required to explain all of 
the possible consequences. Third, the requesting agency should be 
required to make a written request, state the reason for the request, 
and identify all planned uses of the information. Fourth, the rule 
should require the removal of identifiers at the earliest opportunity 
consistent with the purpose of access. Finally, the purposes for 
authorized disclosure need to be much more carefully defined and 
limited to health care functions.

Directory Information

    The proposed rule is far too impractical. The rule requires 
agreement by patients. Lawyers are likely to interpret this to require 
writing. How else can a covered entity document patient approval when a 
dispute arises? The commentary says that verbal agreement is adequate. 
The rule itself says no such thing. Even if it did, providers would 
still face the practical requirement of documenting that the patient 
was asked. A failure to check a box on an admission form could open 
providers to liability.
    Allowing verbal agreement is impractical in other ways. Spend time 
in an Emergency Department where dozens of patients await care. When a 
physician is ready for the next patient, a nurse enters the waiting 
room and calls the name of the patient. The presence of the patient in 
an emergency room is directory information, and the announcement is a 
disclosure. If a patient objected to the release of directory 
information, then how would the nurse find the next patient?
    When disclosing directory information, privacy must yield to the 
practicalities of the world. Telling emergency department personnel 
that they must ask each patient for permission to call his or her name 
will only create burdens and unnecessary liability for providers. The 
same will be true in any physician's office. It is sufficient to allow 
a patient with a special concern about directory information to step 
forward with that concern and make a special arrangement. The 
Department should reexamine the lesson from the Maine health privacy 
law that the state legislature withdrew and revised because it imposed 
impractical limitations on the operations of the health care system. 
The public will not tolerate a privacy law that is not practical and 
that imposes unreasonable burdens on patients and their families.

Banking and Payment Processes

    The proposed rule addresses a problem, but the rule is too broad.
    Disclosures to a bank or other financial institution without 
express patient consent should only be permitted after a patient offers 
a check, credit card or other payment method to the provider. The 
presentation of a payment method is the moral equivalent of consent for 
disclosures necessary to complete the transaction. The rule should 
expressly make payment disclosures contingent on a prior patient 
action. Presentation of a check or credit card or a standing 
authorization of a payment method would suffice. However, it should be 
improper to assume that a patient who previously paid by credit card 
intended to continue that payment method without evidence supporting 
the intention.
    No provider should be able to query banks or other institutions 
looking for someone who has funds to pay a bill. Further, the provision 
should expressly exclude bill collectors from receiving information. 
Bill collectors should be business partners and fully subject to the 
rule because of their relationship with providers. Disclosures to 
credit bureaus by covered entities should require patient consent 
unless a limited disclosure reveals no protected health information at 
all. However, a credit card company should be able to disclose an 
unpaid bill to a credit bureau under applicable law even if the bill 
covers health care services. A disclosure to the credit bureau would 
not normally identify the nature of the transaction that gave rise to 
the debt, unless the credit card is exclusively for health expenses.
    Finally, the rule should expressly ban the disclosure to financial 
institutions of any diagnostic information or other detailed treatment 
information. If questions arise about a transaction that might justify 
any detailed disclosure, the patient involvement and express consent 
should be required. The suggestion in the commentary that disclosures 
be limited to specific data elements is entirely appropriate, but the 
rule should expressly list the elements.

Research

    For the most part, this is a good and well-balanced proposal. However, 
clarification is needed about how the other rules in this regulation 
interact with the research rules. There is a potential problem with 
placing all the burden in the covered entity. That could be a real 
disincentive for covered entities to participate in research--
especially if the covered entity was not a research hospital and not 
culturally attuned to the value of 
research. Instead of placing the full burden on the covered entities 
would it be possible to create a contract relationship between the 
researcher and the covered entity, as the regulations require for 
business partners?
    The justification for the additional requirements beyond the 
existing IRB requirements is also hard to understand. Much traditional 
medical research involves medical data and often involves medical 
records. The strong distinction between medical research and medical 
record research is arbitrary and contrived. Further, most of the 
``new'' and additional requirements are contained in, or implicit to, 
the existing IRB requirements. Patient confidentiality must always be 
addressed for current IRB protocols to apply. Finally, the argument 
that not adding the former new rules to the common rules on the basis 
of creating differences between IRBs and privacy boards is not 
convincing. The two are different in many dimensions even after these 
added requirements.
    The business of destroying identifiers is repeatedly described as a 
good thing. We are unaware of any defense of that position or any 
experience that suggests destroying such links is good. There are many 
clinical situations where new information about a patient could 
interact positively with information previously collected about a 
patient. With the regulation as it stands, we could not. It would be 
better to find another solution to the previous concern (e.g. require 
heavy encryption of the entire files when they were no longer needed 
for the research and leaving the keys in the hands of NIH or some other 
group).

Next-of-Kin

    The rule's next of kin provision is another example of a policy 
that is impractical. We recommend that next-of-kin disclosures be 
allowed for oral disclosures of protected health information about an 
individual to the next of kin or to a person with whom the individual 
has a close personal relationship if (a) the entity has no reason to 
believe that the individual would consider the information to be 
especially sensitive; (b) the individual has not previously objected; 
(c) the disclosure is consistent with good medical or other 
professional practice; and (d) the disclosure is limited to information 
about current health treatment.
    Requiring verbal agreement by patients will not work well in the 
real world. Lawyers for covered entities are still likely to insist on 
a writing to prove that the entity asked and that the patient agreed. 
Without documentary evidence, an entity faces the prospect of liability 
for any disclosure just on procedural grounds.
    It is easy to envision circumstances in which the failure to obtain 
verbal consent will create real world disruptions. The commentary seeks 
to deal with some (e.g. disclosures by a pharmacist) but the attempt to 
create exceptions in this fashion is directly inconsistent with the 
stated rule. If the Department can tolerate these ``loopholes'', it 
should do so more generally. The overwhelming impracticality of the 
requirement for verbal agreements will increase cost, create enormous 
disruptions and impositions, and ultimately undermine the privacy 
effort. Once again, we refer to the recent Maine example where the 
state legislature withdrew a rule that violated the expectations of 
patients and unduly burdened patients and their families.

Application to Specialized Classes

    The special rules provided in this section are too broad, except 
the rule for the Department of Veterans Affairs. The VA exception is 
the only one that seems narrow and specifically responsive to an 
apparent need. In the other cases, the government may have some 
legitimate needs for access to health records for individuals in the 
military and intelligence community, and less likely, the Foreign 
Service. However, the permitted disclosures are too broad and do not 
include adequate procedural protections for patients.
    In most cases, the consent of the record subject should be sought 
as a first resort, except in emergency circumstances. Only where there 
is demonstrable reason that consent is inappropriate should the rule 
authorize other methods of access. The requirement for publication of a 
notice by the Armed Forces is a step in the right direction, although 
it does not go far enough by requiring public comment. At a minimum, 
intelligence agencies and the State Department should be required to 
publish a similar rule defining the scope and circumstances of access 
to health records.
    The Foreign Service disclosures are especially troublesome. We 
cannot imagine why the State Department needs to obtain health records 
of Foreign Service members or of family members of those who may serve 
abroad without any notice or consent. The State Department has no 
comparable authority today to obtain health records without consent. If 
the State Department's current inability to obtain records without 
consent creates insurmountable difficulties, the case has not been 
presented publicly. Consent should be the preferred and only method for 
access for Foreign Service disclosures. The same policy should apply to 
family members of employees in the intelligence community. If consent 
for necessary disclosures cannot be obtained, the proper remedy is to 
deny the foreign assignment. Obtaining information without consent is 
inappropriate, and it will likely conflict with state laws and policies 
on confidentiality. Because stronger state laws will continue to apply, 
the best that this rule could accomplish is to authorize requesting 
disclosures in some states but not others. Regardless, it is difficult 
to envision circumstances that would prompt a physician to disclose 
patient records to the State Department.

Notice of Information Practices

    Any covered entity that maintains a website for public use should 
be required to post its current notice of information practices on the 
web for public inspection. If an entity does not maintain a website, 
the public posting rule should not apply until the covered entity 
otherwise establishes a website.
    The rule proposes to allow a covered entity to change its notice 
any time. This is a difficult issue, and the rule takes a practical 
position. However, the Department should consider efficient ways to 
make covered entities more accountable for their privacy policies and 
changes to privacy notices.
    First, a covered entity should be required to maintain for public 
inspection a log of all past notices with changes highlighted. Second, 
if a covered entity maintains a website for use by patients or the 
public, it should be required to put a log of all notices and changes 
on the website. Public disclosure of changes will provide some degree 
of accountability by inhibiting entities from making unreasonable or 
unnecessary changes. Third, covered entities that have Internet 
capabilities should be required to establish listservs for sending 
email notification of any change to the standard patient notice. Mail 
notices would probably be too expensive to justify. Email notices would 
be nearly cost-free.

Access for Inspection or Copying

    The rule permits a covered entity to deny access when a disclosure 
would be reasonably likely to endanger life or physical safety of the 
individual or another person. We disagree with the policy, at least in 
so far as it permits the withholding of information 
from a patient, because that patient would be placed in danger. The 
circumstances that would trigger this type of denial are so unlikely 
that the exception is not worth keeping. There is no evidence from 
experience with the Privacy Act of 1974 or state laws or policies 
regarding patient access that this exception is justified. Patients 
should be able to obtain access to their own records without any 
concern about the consequences to themselves.
    By allowing a covered entity to deny access on the basis that 
disclosure will harm the subject of the record (no matter the 
standard), the rule allows for a complex and expensive administrative 
process. Record keepers may simply refuse all requests until the 
provider who created the record determines in writing that disclosure 
will not cause harm. An insurer or health plan that is not a provider 
could use this excuse to delay or deny access to all patients. 
Providers who are most capable of making the determination may have no 
incentive to do so, and they may simply ignore or delay responding to 
requests from covered entities for opinions. The result will be that 
any covered entity can use potential harm to the patient as an excuse 
for not complying with an access request.
    The availability of procedural denials and delays creates an 
opportunity for covered entities to deny patients their rights. If 
retained, the exception should include these safeguards: (1) The 
exceptions should be considered to be permanently waived if not 
properly invoked within thirty days; (2) the rule should expressly 
provide that the exception cannot be used to withhold an entire record; 
(3) covered entities should be required to use the exception in good 
faith; (4) the burden of justifying the exception should expressly 
belong to the record keeper, and the record keeper should be expressly 
prohibited from asking the record subject to obtain approval from 
previous providers; and (5) all determinations of harm must be made by 
health professionals who must be identified by name if an individual is 
denied access to a record on the basis of a finding of harm.
    By creating an exception that requires record keepers to exercise 
judgment, the rule creates an unnecessary liability. Covered entities 
that receive requests will worry that they will be liable if a 
disclosure results in harm, no matter how unlikely it may be. A rule 
that did not allow for an exception based on harm to the record subject 
would not present the same concern about liability. The result would be 
a simpler administrative process, more ready patient access, and less 
stress for covered entities.
    The rule permits a covered entity to charge a reasonable, cost-
based fee for copying. The rule should be more specific. We have enough 
experience from the early days of the Freedom of Information Act to 
know that a loosely drafted fee schedule will result in high fees that 
impede access to records. A fee that is three times the direct and 
indirect cost may qualify as ``cost-based'' and still be excessive. We 
suggest that the fee be limited so that it does not exceed the lowest 
standard charge imposed by the covered entity for providing copies in 
other circumstances. In the alternative, the fee should be limited to 
direct costs of copying under a published fee schedule.

Accounting of Disclosures

    The rule does not require disclosure to the record subject of any 
accounting records for disclosures for treatment, payment, and health 
care operations. If audit trails of disclosures for treatment, payment, 
and health care operations exist, then record subjects should have the 
right to see the audit trails. Some institutions already maintain 
complete audit trails, and there is no reason to deny record subjects 
access to the trails when they exist.
    Whether audit trails are valuable enough to require for all 
disclosures is a more complex decision. Routine activities for a single 
hospitalized patient may result in dozens or even hundreds of audit 
trails a day. An enormous volume of records would be created if the 
rule required recording all accesses. On the other hand, audit trails 
have great potential for preventing abuse of records. Because most 
abuses are the result of activity by insiders, excluding disclosures 
for treatment, payment, and health care operations from an audit trail 
requirement would destroy the deterrent value of the audit trails. The 
rule should not discourage institutions from maintaining full audit 
trails. However, when the audit trails exist, record subjects should 
have access to them.
    Audit trails for paper records are too expensive to require. 
Similarly, disclosures of information between providers through 
personal communications would also be expensive and cumbersome to 
record in an audit trail. However, when access to records comes through 
a computer, maintaining an audit trail is simple because it can be 
accomplished automatically. We recommend that the rule encourage cost-
effective and practical audit trails for treatment, payment and 
oversight (as well as all other disclosures) for computer systems. This 
should be prospective so that it only applies to new computer systems 
placed in service at some time in the future. If record-keepers have 
sufficient notice of the requirement, it will be relatively easy to 
include an audit trail capability at little additional cost.
    The rule allows an exclusion from the audit trail requirement for 
law enforcement or health oversight disclosures on written request. 
Under this rule, it will be routine for law enforcement and oversight 
agencies to seek exclusion from accounting every time they request a 
health record. This should not be acceptable. If there is an adequate 
reason for exclusion, the rule should require a court order. Obtaining 
a court order will establish a sufficiently high procedural barrier so 
that exclusions will not be sought casually. In the alternative, if a 
written request for exclusion is acceptable, the request should be 
dated, signed by a supervisory official, and contain a certification that 
the official is personally familiar with the purpose of the request and 
the justification for exclusion from accounting. It would be better if 
the rule required that the entire request for exclusion be handwritten 
by the supervisory official.
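    The automatically recorded audit trail and the subject-accessible 
accounting discussed above, as an added example that is not part of the 
NCVHS comments or of any HHS or provider system. The entry fields, the 
hash chaining of entries (added here for tamper evidence), and the checks 
applied to a written exclusion request are assumptions of this example, 
modelled on the alternative the comments describe: a dated request, signed 
by a supervisory official, carrying a certification of personal 
familiarity with the purpose and justification. Treatment, payment and 
operations accesses are logged and shown to the record subject; an oral 
request from an agency does not remove an entry from the accounting.

```python
"""Added example (not NCVHS or HHS code): an automatically recorded,
hash-chained audit trail of PHI disclosures, plus the accounting a record
subject would be shown. Field names, the hash chain and the exclusion
checks are assumptions of this example, modelled on the comments above."""
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass
from typing import Optional

ZERO = "0" * 64


@dataclass(frozen=True)
class Disclosure:
    ts: str                      # ISO-8601 UTC timestamp of the access
    patient_id: str              # record subject
    actor: str                   # user or system that made the disclosure
    recipient: str               # who received the information
    purpose: str                 # treatment, payment, operations, law_enforcement, oversight, ...
    elements: tuple[str, ...]    # data elements released (minimum necessary)
    exclusion: Optional[dict] = None   # written request to exclude from accounting, if any


def exclusion_is_valid(req: Optional[dict]) -> bool:
    """An exclusion counts only if it is the written request the comments
    describe: dated, signed by a supervisory official, and carrying a
    certification of personal familiarity with purpose and justification.
    An oral or unsigned request leaves the entry in the subject's accounting."""
    if not req:
        return False
    return (
        bool(req.get("date"))
        and bool(req.get("signed_by"))
        and req.get("supervisory") is True
        and bool(req.get("certification"))
    )


def _digest(prev: str, body: dict) -> str:
    return hashlib.sha256((prev + json.dumps(body, sort_keys=True)).encode()).hexdigest()


class AuditTrail:
    """Append-only log written by the system at access time, never by hand."""

    def __init__(self) -> None:
        self._entries: list[dict] = []

    def record(self, d: Disclosure) -> str:
        prev = self._entries[-1]["hash"] if self._entries else ZERO
        body = asdict(d)
        body["elements"] = list(d.elements)
        digest = _digest(prev, body)
        self._entries.append({"prev": prev, "hash": digest, **body})
        return digest

    def verify(self) -> bool:
        """Recompute the chain; any edited or removed entry breaks it."""
        prev = ZERO
        for e in self._entries:
            body = {k: v for k, v in e.items() if k not in ("prev", "hash")}
            if e["prev"] != prev or e["hash"] != _digest(prev, body):
                return False
            prev = e["hash"]
        return True

    def accounting_for(self, patient_id: str) -> list[dict]:
        """What the record subject may see: treatment, payment and operations
        accesses are included; only entries with a valid written exclusion are withheld."""
        return [
            e for e in self._entries
            if e["patient_id"] == patient_id and not exclusion_is_valid(e["exclusion"])
        ]

    def entries(self) -> list[dict]:
        return list(self._entries)


def build_sample_trail() -> AuditTrail:
    """Constructed sample disclosures for one hospitalised patient (not real data)."""
    t = AuditTrail()
    t.record(Disclosure("2000-07-10T08:00:00Z", "P-1001", "dr_ames", "dr_ames",
                        "treatment", ("vitals", "medication_list")))
    t.record(Disclosure("2000-07-10T09:15:00Z", "P-1001", "billing_svc", "HealthPlan-A",
                        "payment", ("cpt_codes", "dates_of_service")))
    # Oral request from an officer: no writing, so the entry stays in the accounting.
    t.record(Disclosure("2000-07-10T11:00:00Z", "P-1001", "clerk_b", "City PD",
                        "law_enforcement", ("location",), exclusion={"oral": True}))
    # Dated, supervisor-signed written request with certification: withheld from the accounting.
    t.record(Disclosure("2000-07-11T10:30:00Z", "P-1001", "clerk_b", "State Health Oversight",
                        "oversight", ("admission_date",),
                        exclusion={"date": "2000-07-11", "signed_by": "Supervisor Ruiz",
                                   "supervisory": True,
                                   "certification": "personally familiar with purpose and justification"}))
    t.record(Disclosure("2000-07-11T12:00:00Z", "P-2002", "dr_ames", "dr_ames",
                        "treatment", ("vitals",)))
    return t


if __name__ == "__main__":
    trail = build_sample_trail()
    print("chain intact:", trail.verify())
    for e in trail.accounting_for("P-1001"):
        print(e["ts"], e["purpose"], e["recipient"], e["elements"])
```

The chain digest over each entry is what makes the trail useful against the 
insider abuse the comments mention: an entry cannot be quietly altered or 
dropped after the fact without `verify()` failing, and the accounting 
offered to the patient is derived from the same entries the system wrote 
at access time.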

Amendment or Correction

    The rule permits a covered entity to refuse a request for 
correction if it did not create the information at issue. This 
limitation makes the amendment process ineffective. For example, many 
records at insurance companies will not be correctable because 
insurance company records mostly consist of claims from providers. The 
insurance company can refuse most requests for correction on strictly 
procedural grounds. At hospitals, incorrect records created by 
providers long-since dead or by health plans no longer in operation 
could remain uncorrected. The proposed rule for correcting a record may 
force a patient back through a trail of record-keepers that extends for 
decades. It will be an impossible challenge.
    Even worse, the rule actually provides a defense to the hospital 
that does not want to correct a record that came from another source. 
Ethically, a provider would have an obligation to make sure that the 
questioned record is accurate. Under the rule, not only does a provider 
have no such obligation, it has a defense should it choose to deny a 
request for correction.
    If a covered entity uses health information to make decisions about 
an individual, it must be required to consider in good faith any request 
for correction or amendment. The 
proposed rule establishes a policy that allows a covered entity to use 
information to affect the rights, benefits, or treatment of an 
individual but it does not require the entity to even consider a 
request for amendment in some circumstances. It is not necessary to 
require a covered entity to change a record that it did not create in 
some circumstances, but the covered entity must be required to consider 
the request in good faith if it is using the information to make 
decisions about the record subject.

Relationship to State Laws

    While a State may submit a written request to the Secretary to 
except a provision of State law from preemption, it is recommended that 
the Secretary prior to granting the waiver give notice to the citizens 
of the State.

Definition of Protected Health Information (Sec. 164.504)

    The definition of protected health information excludes 
individually identifiable health information of inmates of correctional 
facilities and detainees in detention facilities. The NCVHS is opposed 
to exempting inmates and detainees from the proposed rule. Information 
about this vulnerable population should be protected to the extent 
possible without jeopardizing the safety of the facilities or inmates. 
For example, access to schedules that would jeopardize security would 
not be provided.
    We appreciate the opportunity to offer these comments and again 
congratulate the Department on a comprehensive regulation.
Sincerely,

John R. Lumpkin,
Chairman, National Committee on Vital and Health Statistics.

CONTACT PERSON FOR MORE INFORMATION:

    Information about the Committee as well as the text of the HIPAA 
recommendations is available on the NCVHS website (http://ncvhs.hhs.gov) 
or from Marjorie S. Greenberg, Executive Secretary, NCVHS, NCHS, Room 
1100, Presidential Building, 6525 Belcrest Road, Hyattsville, Maryland 
20782, telephone (301) 458-7245.

    Dated: June 28, 2000.
James Scanlon,
Director, Division of Data Policy, Office of the Assistant Secretary 
for Planning and Evaluation, Executive Staff Director, National 
Committee on Vital and Health Statistics.
[FR Doc. 00-17339 Filed 7-7-00; 8:45 am]
BILLING CODE 4151-05-U