[Federal Register Volume 65, Number 250 (Thursday, December 28, 2000)]
[Rules and Regulations]
[Pages 82462-82829]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 00-32678]



[[Page 82461]]

-----------------------------------------------------------------------

Part II

Department of Health and Human Services

-----------------------------------------------------------------------

Office of the Secretary

-----------------------------------------------------------------------

45 CFR Parts 160 and 164

Standards for Privacy of Individually Identifiable Health Information; 
Final Rule

[[Page 82462]]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Office of the Secretary

45 CFR Parts 160 and 164

RIN: 0991-AB08


Standards for Privacy of Individually Identifiable Health 
Information

AGENCY: Office of the Assistant Secretary for Planning and Evaluation, 
DHHS.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: This rule includes standards to protect the privacy of 
individually identifiable health information. The rules below, which 
apply to health plans, health care clearinghouses, and certain health 
care providers, present standards with respect to the rights of 
individuals who are the subjects of this information, procedures for 
the exercise of those rights, and the authorized and required uses and 
disclosures of this information.
    The use of these standards will improve the efficiency and 
effectiveness of public and private health programs and health care 
services by providing enhanced protections for individually 
identifiable health information. These protections will begin to 
address growing public concerns that advances in electronic technology 
and evolution in the health care industry are resulting, or may result, 
in a substantial erosion of the privacy surrounding individually 
identifiable health information maintained by health care providers, 
health plans and their administrative contractors. This rule implements 
the privacy requirements of the Administrative Simplification subtitle 
of the Health Insurance Portability and Accountability Act of 1996.

DATES: The final rule is effective on February 26, 2001.

FOR FURTHER INFORMATION CONTACT: Kimberly Coleman, 1-866-OCR-PRIV (1-
866-627-7748) or TTY 1-866-788-4989.

SUPPLEMENTARY INFORMATION: Availability of copies, and electronic 
access.
    Copies: To order copies of the Federal Register containing this 
document, send your request to: New Orders, Superintendent of 
Documents, P.O. Box 371954, Pittsburgh, PA 15250-7954. Specify the date 
of the issue requested and enclose a check or money order payable to 
the Superintendent of Documents, or enclose your Visa or Master Card 
number and expiration date. Credit card orders can also be placed by 
calling the order desk at (202) 512-1800 or by fax to (202) 512-2250. 
The cost for each copy is $8.00. As an alternative, you can view and 
photocopy the Federal Register document at most libraries designated as 
Federal Depository Libraries and at many other public and academic 
libraries throughout the country that receive the Federal Register.
    Electronic Access: This document is available electronically at 
http://aspe.hhs.gov/admnsimp/ as well as at the web site of the 
Government Printing Office at http://www.access.gpo.gov/su_docs/aces/aces140.html.

I. Background

Table of Contents

Sec.    
160.101   Statutory basis and purpose.
160.102   Applicability.
160.103   Definitions.
160.104   Modifications.
160.201   Applicability.
160.202   Definitions.
160.203   General rule and exceptions.
160.204   Process for requesting exception determinations.
160.205   Duration of effectiveness of exception determinations.
160.300   Applicability.
160.302   Definitions.
160.304   Principles for achieving compliance.
   (a) Cooperation.
   (b) Assistance.
160.306   Complaints to the Secretary.
   (a) Right to file a complaint.
   (b) Requirements for filing complaints.
   (c) Investigation.
160.308   Compliance reviews.
160.310   Responsibilities of covered entities.
   (a) Provide records and compliance reports.
   (b) Cooperate with complaint investigations and compliance 
reviews.
   (c) Permit access to information.
160.312   Secretarial action regarding complaints and compliance 
reviews.
   (a) Resolution where noncompliance is indicated.
   (b) Resolution when no violation is found.
164.102   Statutory basis.
164.104   Applicability.
164.106   Relationship to other parts.
164.500   Applicability.
164.501   Definitions.
164.502   Uses and disclosures of protected health information: 
general rules.
   (a) Standard.
   (b) Standard: minimum necessary.
   (c) Standard: uses and disclosures of protected health 
information subject to an agreed upon restriction.
   (d) Standard: uses and disclosures of de-identified protected 
health information.
   (e) Standard: disclosures to business associates.
   (f) Standard: deceased individuals.
   (g) Standard: personal representatives.
   (h) Standard: confidential communications.
   (i) Standard: uses and disclosures consistent with notice.
   (j) Standard: disclosures by whistleblowers and workforce member 
crime victims.
164.504   Uses and disclosures: organizational requirements.
   (a) Definitions.
   (b) Standard: health care component.
   (c) Implementation specification: application of other 
provisions.
   (d) Standard: affiliated covered entities.
   (e) Standard: business associate contracts.
   (f) Standard: requirements for group health plans.
   (g) Standard: requirements for a covered entity with multiple 
covered functions.
164.506  Consent for uses or disclosures to carry out treatment, 
payment, or health care operations.
   (a) Standard: consent requirement.
   (b) Implementation specifications: general requirements.
   (c) Implementation specifications: content requirements.
   (d) Implementation specifications: defective consents.
   (e) Standard: resolving conflicting consents and authorizations.
   (f) Standard: joint consents.
164.508  Uses and disclosures for which an authorization is 
required.
   (a) Standard: authorizations for uses and disclosures.
   (b) Implementation specifications: general requirements.
   (c) Implementation specifications: core elements and 
requirements.
   (d) Implementation specifications: authorizations requested by a 
covered entity for its own uses and disclosures.
   (e) Implementation specifications: authorizations requested by a 
covered entity for disclosures by others.
   (f) Implementation specifications: authorizations for uses and 
disclosures of protected health information created for research 
that includes treatment of the individual.
164.510  Uses and disclosures requiring an opportunity for the 
individual to agree or to object.
   (a) Standard: use and disclosure for facility directories.
   (b) Standard: uses and disclosures for involvement in the 
individual's care and notification purposes.
164.512  Uses and disclosures for which consent, an authorization, 
or opportunity to agree or object is not required.
   (a) Standard: uses and disclosures required by law.
   (b) Standard: uses and disclosures for public health activities.
   (c) Standard: disclosures about victims of abuse, neglect or 
domestic violence.
   (d) Standard: uses and disclosures for health oversight 
activities.
   (e) Standard: disclosures for judicial and administrative 
proceedings.
   (f) Standard: disclosures for law enforcement purposes.
   (g) Standard: uses and disclosures about decedents.
   (h) Standard: uses and disclosures for cadaveric organ, eye or 
tissue donation purposes.

[[Page 82463]]

   (i) Standard: uses and disclosures for research purposes.
   (j) Standard: uses and disclosures to avert a serious threat to 
health or safety.
   (k) Standard: uses and disclosures for specialized government 
functions.
   (l) Standard: disclosures for workers' compensation.
164.514  Other requirements relating to uses and disclosures of 
protected health information.
   (a) Standard: de-identification of protected health information.
   (b) Implementation specifications: requirements for de-
identification of protected health information.
   (c) Implementation specifications: re-identification.
   (d) Standard: minimum necessary requirements.
   (e) Standard: uses and disclosures of protected health 
information for marketing.
   (f) Standard: uses and disclosures for fundraising.
   (g) Standard: uses and disclosures for underwriting and related 
purposes.
   (h) Standard: verification requirements.
164.520  Notice of privacy practices for protected health 
information.
   (a) Standard: notice of privacy practices.
   (b) Implementation specifications: content of notice.
   (c) Implementation specifications: provision of notice.
   (d) Implementation specifications: joint notice by separate 
covered entities.
   (e) Implementation specifications: documentation.
164.522  Rights to request privacy protection for protected health 
information.
   (a) Standard: right of an individual to request restriction of 
uses and disclosures.
   (b) Standard: confidential communications requirements.
164.524  Access of individuals to protected health information.
   (a) Standard: access to protected health information.
   (b) Implementation specifications: requests for access and timely 
action.
   (c) Implementation specifications: provision of access.
   (d) Implementation specifications: denial of access.
   (e) Implementation specification: documentation.
164.526  Amendment of protected health information.
   (a) Standard: right to amend.
   (b) Implementation specifications: requests for amendment and 
timely action.
   (c) Implementation specifications: accepting the amendment.
   (d) Implementation specifications: denying the amendment.
   (e) Implementation specification: actions on notices of 
amendment.
   (f) Implementation specification: documentation.
164.528  Accounting of disclosures of protected health information.
   (a) Standard: right to an accounting of disclosures of protected 
health information.
   (b) Implementation specifications: content of the accounting.
   (c) Implementation specifications: provision of the accounting.
   (d) Implementation specification: documentation.
164.530  Administrative requirements.
   (a) Standard: personnel designations.
   (b) Standard: training.
   (c) Standard: safeguards.
   (d) Standard: complaints to the covered entity.
   (e) Standard: sanctions.
   (f) Standard: mitigation.
   (g) Standard: refraining from intimidating or retaliatory acts.
   (h) Standard: waiver of rights.
   (i) Standard: policies and procedures.
   (j) Standard: documentation.
   (k) Standard: group health plans.
164.532  Transition provisions.
   (a) Standard: effect of prior consents and authorizations.
   (b) Implementation specification: requirements for retaining 
effectiveness of prior consents and authorizations.
164.534  Compliance dates for initial implementation of the privacy 
standards.
   (a) Health care providers.
   (b) Health plans.
   (c) Health care clearinghouses.

Purpose of the Administrative Simplification Regulations

    This regulation has three major purposes: (1) To protect and 
enhance the rights of consumers by providing them access to their 
health information and controlling the inappropriate use of that 
information; (2) to improve the quality of health care in the U.S. by 
restoring trust in the health care system among consumers, health care 
professionals, and the multitude of organizations and individuals 
committed to the delivery of care; and (3) to improve the efficiency 
and effectiveness of health care delivery by creating a national 
framework for health privacy protection that builds on efforts by 
states, health systems, and individual organizations and individuals.
    This regulation is the second final regulation to be issued in the 
package of rules mandated under title II, subtitle F, sections 261-264 
of the Health Insurance Portability and Accountability Act of 1996 
(HIPAA), Public Law 104-191, titled ``Administrative Simplification.'' 
Congress called for steps to improve ``the efficiency and effectiveness 
of the health care system by encouraging the development of a health 
information system through the establishment of standards and 
requirements for the electronic transmission of certain health 
information.'' To achieve that end, Congress required the Department to 
promulgate a set of interlocking regulations establishing standards and 
protections for health information systems. The first regulation in 
this set, Standards for Electronic Transactions, 65 FR 50312, was 
published on August 17, 2000 (the ``Transactions Rule''). This 
regulation establishing Standards for Privacy of Individually 
Identifiable Health Information is the second final rule in the 
package. A rule establishing a unique identifier for employers to use 
in electronic health care transactions, a rule establishing a unique 
identifier for providers for such transactions, and a rule establishing 
standards for the security of electronic information systems have been 
proposed. See 63 FR 25272 and 25320 (May 7, 1998); 63 FR 32784 (June 
16, 1998); 63 FR 43242 (August 12, 1998). Still to be proposed are 
rules establishing a unique identifier for health plans for electronic 
transactions, standards for claims attachments, and standards for 
transferring among health plans appropriate standard data elements 
needed for coordination of benefits. (See section C, below, for a more 
detailed explanation of the statutory mandate for these regulations.)
    In enacting HIPAA, Congress recognized the fact that administrative 
simplification cannot succeed if we do not also protect the privacy and 
confidentiality of personal health information. The provision of high-
quality health care requires the exchange of personal, often-sensitive 
information between an individual and a skilled practitioner. Vital to 
that interaction is the patient's ability to trust that the information 
shared will be protected and kept confidential. Yet many patients are 
concerned that their information is not protected. Among the factors 
adding to this concern are the growth of the number of organizations 
involved in the provision of care and the processing of claims, the 
growing use of electronic information technology, increased efforts to 
market health care and other products to consumers, and the increasing 
ability to collect highly sensitive information about a person's 
current and future health status as a result of advances in scientific 
research.
    Rules requiring the protection of health privacy in the United 
States have been enacted primarily by the states. While virtually every 
state has enacted one or more laws to safeguard privacy, these laws 
vary significantly from state to state and typically apply to only part 
of the health care system. Many states have adopted laws that protect 
the health information relating to certain health conditions such as 
mental illness, communicable diseases, cancer, HIV/AIDS, and other 
stigmatized conditions. An examination of state health privacy laws and 
regulations,

[[Page 82464]]

however, found that ``state laws, with a few notable exceptions, do not 
extend comprehensive protections to people's medical records.'' Many 
state rules fail to provide such basic protections as ensuring a 
patient's legal right to see a copy of his or her medical record. See 
Health Privacy Project, ``The State of Health Privacy: An Uneven 
Terrain,'' Institute for Health Care Research and Policy, Georgetown 
University (July 1999) (http://www.healthprivacy.org) (the ``Georgetown 
Study'').
    Until now, virtually no federal rules existed to protect the 
privacy of health information and guarantee patient access to such 
information. This final rule establishes, for the first time, a set of 
basic national privacy standards and fair information practices that 
provides all Americans with a basic level of protection and peace of 
mind that is essential to their full participation in their care. The 
rule sets a floor of ground rules for health care providers, health 
plans, and health care clearinghouses to follow, in order to protect 
patients and encourage them to seek needed care. The rule seeks to 
balance the needs of the individual with the needs of the society. It 
creates a framework of protection that can be strengthened by both the 
federal government and by states as health information systems continue 
to evolve.

Need for a National Health Privacy Framework

The Importance of Privacy

    Privacy is a fundamental right. As such, it must be viewed 
differently from any ordinary economic good. The costs and benefits of 
a regulation must, of course, be considered as a means of identifying 
and weighing options. At the same time, it is important not to lose 
sight of the inherent meaning of privacy: it speaks to our individual 
and collective freedom.
    A right to privacy in personal information has historically found 
expression in American law. All fifty states today recognize in tort 
law a common law or statutory right to privacy. Many states 
specifically provide a remedy for public revelation of private facts. 
Some states, such as California and Tennessee, have a right to privacy 
as a matter of state constitutional law. The multiple historical 
sources for legal rights to privacy are traced in many places, 
including Chapter 13 of Alan Westin's Privacy and Freedom and in Ellen 
Alderman & Caroline Kennedy, The Right to Privacy (1995).
    Throughout our nation's history, we have placed the rights of the 
individual at the forefront of our democracy. In the Declaration of 
Independence, we asserted the ``unalienable right'' to ``life, liberty 
and the pursuit of happiness.'' Many of the most basic protections in 
the Constitution of the United States are imbued with an attempt to 
protect individual privacy while balancing it against the larger social 
purposes of the nation.
    To take but one example, the Fourth Amendment to the United States 
Constitution guarantees that ``the right of the people to be secure in 
their persons, houses, papers and effects, against unreasonable 
searches and seizures, shall not be violated.'' By referring to the 
need for security of ``persons'' as well as ``papers and effects'' the 
Fourth Amendment suggests enduring values in American law that relate 
to privacy. The need for security of ``persons'' is consistent with 
obtaining patient consent before performing invasive medical 
procedures. The need for security in ``papers and effects'' underscores 
the importance of protecting information about the person, contained in 
sources such as personal diaries, medical records, or elsewhere. As is 
generally true for the right of privacy in information, the right is 
not absolute. The test instead is what constitutes an ``unreasonable'' 
search of the papers and effects.
    The United States Supreme Court has upheld the constitutional 
protection of personal health information. In Whalen v. Roe, 429 U.S. 
589 (1977), the Court analyzed a New York statute that created a 
database of persons who obtained drugs for which there was both a 
lawful and unlawful market. The Court, in upholding the statute, 
recognized at least two different kinds of interests within the 
constitutionally protected ``zone of privacy.'' ``One is the individual 
interest in avoiding disclosure of personal matters,'' such as this 
regulation principally addresses. This interest in avoiding disclosure, 
discussed in Whalen in the context of medical information, was found to 
be distinct from a different line of cases concerning ``the interest in 
independence in making certain kinds of important decisions.''
    Individuals' right to privacy in information about themselves is 
not absolute. It does not, for instance, prevent reporting of public 
health information on communicable diseases or stop law enforcement 
from getting information when due process has been observed. But many 
people believe that individuals should have some right to control 
personal and sensitive information about themselves. Among different 
sorts of personal information, health information is among the most 
sensitive. Many people believe that details about their physical self 
should not generally be put on display for neighbors, employers, and 
government officials to see. Informed consent laws place limits on the 
ability of other persons to intrude physically on a person's body. 
Similar concerns apply to intrusions on information about the person.
    Moving beyond these facts of physical treatment, there is also 
significant intrusion when records reveal details about a person's 
mental state, such as during treatment for mental health. If, in 
Justice Brandeis' words, the ``right to be let alone'' means anything, 
then it likely applies to having outsiders have access to one's 
intimate thoughts, words, and emotions. In the recent case of Jaffee v. 
Redmond, 116 S.Ct. 1923 (1996), the Supreme Court held that statements 
made to a therapist during a counseling session were protected against 
civil discovery under the Federal Rules of Evidence. The Court noted 
that all fifty states have adopted some form of the psychotherapist-
patient privilege. In upholding the federal privilege, the Supreme 
Court stated that it ``serves the public interest by facilitating the 
appropriate treatment for individuals suffering the effects of a mental 
or emotional problem. The mental health of our citizenry, no less than 
its physical health, is a public good of transcendent importance.''
    Many writers have urged a philosophical or common-sense right to 
privacy in one's personal information. Examples include Alan Westin, 
Privacy and Freedom (1967) and Janna Malamud Smith, Private Matters: In 
Defense of the Personal Life (1997). These writings emphasize the link 
between privacy and freedom and privacy and the ``personal life,'' or 
the ability to develop one's own personality and self-expression. 
Smith, for instance, states:

    The bottom line is clear. If we continually, gratuitously, 
reveal other people's privacies, we harm them and ourselves, we 
undermine the richness of the personal life, and we fuel a social 
atmosphere of mutual exploitation. Let me put it another way: Little 
in life is as precious as the freedom to say and do things with 
people you love that you would not say or do if someone else were 
present. And few experiences are as fundamental to liberty and 
autonomy as maintaining control over when, how, to whom, and where 
you disclose personal material. Id. at 240-241.

    In 1890, Louis D. Brandeis and Samuel D. Warren defined the right 
to privacy as ``the right to be let alone.'' See L. Brandeis, S. 
Warren, ``The Right

[[Page 82465]]

To Privacy,'' 4 Harv.L.Rev. 193. More than a century later, privacy 
continues to play an important role in Americans' lives. In their book, 
The Right to Privacy, (Alfred A. Knopf, New York, 1995) Ellen Alderman 
and Caroline Kennedy describe the importance of privacy in this way:

    Privacy covers many things. It protects the solitude necessary 
for creative thought. It allows us the independence that is part of 
raising a family. It protects our right to be secure in our own 
homes and possessions, assured that the government cannot come 
barging in. Privacy also encompasses our right to self-determination 
and to define who we are. Although we live in a world of noisy self-
confession, privacy allows us to keep certain facts to ourselves if 
we so choose. The right to privacy, it seems, is what makes us 
civilized.

Or, as Cavoukian and Tapscott observed, the right of privacy is ``the 
claim of individuals, groups, or institutions to determine for 
themselves when, how, and to what extent information about them is 
communicated.'' See A. Cavoukian, D. Tapscott, ``Who Knows: 
Safeguarding Your Privacy in a Networked World,'' Random House (1995).

Increasing Public Concern About Loss of Privacy

    Today, it is virtually impossible for any person to be truly ``let 
alone.'' The average American is inundated with requests for 
information from potential employers, retail shops, telephone marketing 
firms, electronic marketers, banks, insurance companies, hospitals, 
physicians, health plans, and others. In a 1998 national survey, 88 
percent of consumers said they were ``concerned'' by the amount of 
information being requested, including 55 percent who said they were 
``very concerned.'' See Privacy and American Business, 1998 Privacy 
Concerns & Consumer Choice Survey (http://www.pandab.org). These 
worries are not just theoretical. Consumers who use the Internet to 
make purchases or request ``free'' information often are asked for 
personal and financial information. Companies making such requests 
routinely promise to protect the confidentiality of that information. 
Yet several firms have tried to sell this information to other 
companies even after promising not to do so.
    Americans' concern about the privacy of their health information is 
part of a broader anxiety about their lack of privacy in an array of 
areas. A series of national public opinion polls conducted by Louis 
Harris & Associates documents a rising level of public concern about 
privacy, growing from 64 percent in 1978 to 82 percent in 1995. Over 80 
percent of persons surveyed in 1999 agreed with the statement that they 
had ``lost all control over their personal information.'' See Harris 
Equifax, Health Information Privacy Study (1993) 
(http://www.epic.org/privacy/medical/polls.html). A Wall Street 
Journal/ABC poll on September 16, 1999 asked Americans what concerned 
them most in the coming century. ``Loss of personal privacy'' was the 
first or second concern of 29 percent of respondents. All other issues, 
such as terrorism, world war, and global warming, had scores of 23 
percent or less.
    This growing concern stems from several trends, including the 
growing use of interconnected electronic media for business and 
personal activities, our increasing ability to know an individual's 
genetic make-up, and, in health care, the increasing complexity of the 
system. Each of these trends brings the potential for tremendous 
benefits to individuals and society generally. At the same time, each 
also brings new potential for invasions of our privacy.

Increasing Use of Interconnected Electronic Information Systems

    Until recently, health information was recorded and maintained on 
paper and stored in the offices of community-based physicians, nurses, 
hospitals, and other health care professionals and institutions. In 
some ways, this imperfect system of record keeping created a false 
sense of privacy among patients, providers, and others. Patients' 
health information has never remained completely confidential. Until 
recently, however, a breach of confidentiality involved a physical 
exchange of paper records or a verbal exchange of information. Today, 
however, more and more health care providers, plans, and others are 
utilizing electronic means of storing and transmitting health 
information. In 1996, the health care industry invested an estimated 
$10 billion to $15 billion on information technology. See National 
Research Council, Computer Science and Telecommunications Board, ``For 
the Record: Protecting Electronic Health Information,'' (1997). The 
electronic information revolution is transforming the recording of 
health information so that the disclosure of information may require 
only a push of a button. In a matter of seconds, a person's most 
profoundly private information can be shared with hundreds, thousands, 
even millions of individuals and organizations at a time. While the 
majority of medical records still are in paper form, information from 
those records is often copied and transmitted through electronic means.
    This ease of information collection, organization, retention, and 
exchange made possible by the advances in computer and other electronic 
technology affords many benefits to individuals and to the health care 
industry. Use of electronic information has helped to speed the 
delivery of effective care and the processing of billions of dollars 
worth of health care claims. Greater use of electronic data has also 
increased our ability to identify and treat those who are at risk for 
disease, conduct vital research, detect fraud and abuse, and measure 
and improve the quality of care delivered in the U.S. The National 
Research Council recently reported that ``the Internet has great 
potential to improve Americans' health by enhancing communications and 
improving access to information for care providers, patients, health 
plan administrators, public health officials, biomedical researchers, 
and other health professionals.'' See ``Networking Health: 
Prescriptions for the Internet,'' National Academy of Sciences (2000).
    At the same time, these advances have reduced or eliminated many of 
the financial and logistical obstacles that previously served to 
protect the confidentiality of health information and the privacy 
interests of individuals. And they have made our information available 
to many more people. The shift from paper to electronic records, with 
the accompanying greater flows of sensitive health information, thus 
strengthens the arguments for giving legal protection to the right to 
privacy in health information. In an earlier period where it was far 
more expensive to access and use medical records, the risk of harm to 
individuals was relatively low. In the potential near future, when 
technology makes it almost free to send lifetime medical records over 
the Internet, the risks may grow rapidly. It may become cost-effective, 
for instance, for companies to offer services that allow purchasers to 
obtain details of a person's physical and mental treatments. In 
addition to legitimate possible uses for such services, malicious or 
inquisitive persons may download medical records for purposes ranging 
from identity theft to embarrassment to prurient interest in the life 
of a celebrity or neighbor. The comments to the proposed privacy rule 
indicate that many persons believe that they have a right to live in 
society without having these details of their lives laid open to 
unknown and possibly hostile eyes. These technological changes, in 
short, may provide a reason for institutionalizing

[[Page 82466]]

privacy protections in situations where the risk of harm did not 
previously justify writing such protections into law.
    The growing level of trepidation about privacy in general, noted 
above, has tracked the rise in electronic information technology. 
Americans have embraced the use of the Internet and other forms of 
electronic information as a way to provide greater access to 
information, save time, and save money. For example, 60 percent of 
Americans surveyed in 1999 reported that they have a computer in their 
home; 82 percent reported that they have used a computer; 64 percent 
say they have used the Internet; and 58 percent have sent an e-mail. 
Among those who are under the age of 60, these percentages are even 
higher. See ``National Survey of Adults on Technology,'' Henry J. 
Kaiser Family Foundation (February, 2000). But 59 percent of Americans 
reported that they worry that an unauthorized person will gain access 
to their information. A recent survey suggests that 75 percent of 
consumers seeking health information on the Internet are concerned or 
very concerned about the health sites they visit sharing their personal 
health information with a third party without their permission. Ethics 
Survey of Consumer Attitudes about Health Web Sites, California Health 
Care Foundation, at 3 (January, 2000).
    Unless public fears are allayed, we will be unable to obtain the 
full benefits of electronic technologies. The absence of national 
standards for the confidentiality of health information has made the 
health care industry and the population in general uncomfortable about 
this primarily financially-driven expansion in the use of electronic 
data. Many plans, providers, and clearinghouses have taken steps to 
safeguard the privacy of individually identifiable health information. 
Yet they must currently rely on a patchwork of State laws and 
regulations that are incomplete and, at times, inconsistent. States 
have, to varying degrees, attempted to enhance confidentiality by 
establishing laws governing at least some aspects of medical record 
privacy. This approach, though a step in the right direction, is 
inadequate. These laws fail to provide a consistent or comprehensive 
legal foundation of health information privacy. For example, there is 
considerable variation among the states in the type of information 
protected and the scope of the protections provided. See Georgetown 
Study, at Executive Summary; Lawrence O. Gostin, Zita Lazzarini, 
Kathleen M. Flaherty, Legislative Survey of State Confidentiality Laws, 
with Specific Emphasis on HIV and Immunization, Report to Centers for 
Disease Control, Council of State and Territorial Epidemiologists, and 
Task Force for Child Survival and Development, Carter Presidential 
Center (1996) (Gostin Study).
    Moreover, electronic health data is becoming increasingly 
``national''; as more information becomes available in electronic form, 
it can have value far beyond the immediate community where the patient 
resides. Neither private action nor state laws provide a sufficiently 
comprehensive and rigorous legal structure to allay public concerns, 
protect the right to privacy, and correct the market failures caused by 
the absence of privacy protections (see discussion below of market 
failure under section V.C). Hence, a national policy with consistent 
rules is necessary to encourage the increased and proper use of 
electronic information while also protecting the very real needs of 
patients to safeguard their privacy.

Advances in Genetic Sciences

    Recently, scientists completed nearly a decade of work unlocking 
the mysteries of the human genome, creating tremendous new 
opportunities to identify and prevent many of the leading causes of 
death and disability in this country and around the world. Yet the 
absence of privacy protections for health information endangers these 
efforts by creating a barrier of distrust and suspicion among 
consumers. A 1995 national poll found that more than 85 percent of 
those surveyed were either ``very concerned'' or ``somewhat concerned'' 
that insurers and employers might gain access to and use genetic 
information. See Harris Poll, 1995 #34. Sixty-three percent of the 
1,000 participants in a 1997 national survey said they would not take 
genetic tests if insurers and employers could gain access to the 
results. See ``Genetic Information and the Workplace,'' Department of 
Labor, Department of Health and Human Services, Equal Employment 
Opportunity Commission, January 20, 1998. ``In genetic testing studies 
at the National Institutes of Health, thirty-two percent of eligible 
people who were offered a test for breast cancer risk declined to take 
it, citing concerns about loss of privacy and the potential for 
discrimination in health insurance.'' Sen. Leahy's comments for March 
10, 1999 Introduction of the Medical Information Privacy and Security 
Act.

The Changing Health Care System

    The number of entities who are maintaining and transmitting 
individually identifiable health information has increased 
significantly over the last 10 years. In addition, the rapid growth of 
integrated health care delivery systems requires greater use of 
integrated health information systems. The health care industry has 
been transformed from one that relied primarily on one-on-one 
interactions between patients and clinicians to a system of integrated 
health care delivery networks and managed care providers. Such a system 
requires the processing and collection of information about patients 
and plan enrollees (for example, in claims files or enrollment 
records), resulting in the creation of databases that can be easily 
transmitted. This dramatic change in the practice of medicine brings 
with it important prospects for the improvement of the quality of care 
and reducing the cost of that care. It also, however, means that 
increasing numbers of people have access to health information. And, as 
health plan functions are increasingly outsourced, a growing number of 
organizations not affiliated with our physicians or health plans also 
have access to health information.
    According to the American Health Information Management Association 
(AHIMA), an average of 150 people ``from nursing staff to x-ray 
technicians, to billing clerks'' have access to a patient's medical 
records during the course of a typical hospitalization. While many of 
these individuals have a legitimate need to see all or part of a 
patient's records, no laws govern who those people are, what 
information they are able to see, and what they are and are not allowed 
to do with that information once they have access to it. According to 
the National Research Council, individually identifiable health 
information frequently is shared with:
    • Consulting physicians;
    • Managed care organizations;
    • Health insurance companies;
    • Life insurance companies;
    • Self-insured employers;
    • Pharmacies;
    • Pharmacy benefit managers;
    • Clinical laboratories;
    • Accrediting organizations;
    • State and Federal statistical agencies; and
    • Medical information bureaus.

Much of this sharing of information is done without the knowledge of 
the patient involved. While many of these functions are important for 
smooth functioning of the health care system, there are no rules 
governing how that information is used by secondary and tertiary users. 
For example, a 
pharmacy benefit manager could receive information to determine whether 
an insurance plan or HMO should cover a prescription, but then use the 
information to market other products to the same patient. Similarly, 
many of us obtain health insurance coverage through our employer and, in 
some instances, the employer itself acts as the insurer. In these 
cases, the employer will obtain identifiable health information about 
its employees as part of the legitimate health insurance functions such 
as claims processing, quality improvement, and fraud detection 
activities. At the same time, there is no comprehensive protection 
prohibiting the employer from using that information to make decisions 
about promotions or job retention.
    Public concerns reflect these developments. A 1993 Lou Harris poll 
found that 75 percent of those surveyed worry that medical information 
from a computerized national health information system will be used for 
many non-health reasons, and 38 percent are very concerned. This poll, 
taken during the health reform efforts of 1993, showed that 85 percent 
of respondents believed that protecting the confidentiality of medical 
records is ``absolutely essential'' or ``very essential'' in health 
care reform. An ACLU Poll in 1994 also found that 75 percent of those 
surveyed are concerned a ``great deal'' or a ``fair amount'' about 
insurance companies putting medical information about them into a 
computer information bank to which others have access. Harris Equifax, 
Health Information Privacy Study 2,33 (1993) http://www.epic.org/privacy/medical/poll.html. Another survey found that 35 percent of 
Fortune 500 companies look at people's medical records before making 
hiring and promotion decisions. Starr, Paul. ``Health and the Right to 
Privacy,'' American Journal of Law and Medicine, 1999. Vol 25, pp. 193-
201.
    Concerns about the lack of attention to information privacy in the 
health care industry are not merely theoretical. In the absence of a 
national legal framework of health privacy protections, consumers are 
increasingly vulnerable to the exposure of their personal health 
information. Disclosure of individually identifiable information can 
occur deliberately or accidentally and can occur within an organization 
or be the result of an external breach of security. Examples of recent 
privacy breaches include:
    • A Michigan-based health system accidentally posted the 
medical records of thousands of patients on the Internet (The Ann Arbor 
News, February 10, 1999).
    • A Utah-based pharmaceutical benefits management firm used 
patient data to solicit business for its owner, a drug store 
(Kiplingers, February 2000).
    • An employee of the Tampa, Florida, health department took 
a computer disk containing the names of 4,000 people who had tested 
positive for HIV, the virus that causes AIDS (USA Today, October 10, 
1996).
    • The health insurance claims forms of thousands of patients 
blew out of a truck on its way to a recycling center in East Hartford, 
Connecticut (The Hartford Courant, May 14, 1999).
    • A patient in a Boston-area hospital discovered that her 
medical record had been read by more than 200 of the hospital's 
employees (The Boston Globe, August 1, 2000).
    • A Nevada woman who purchased a used computer discovered 
that the computer still contained the prescription records of the 
customers of the pharmacy that had previously owned the computer. The 
pharmacy data base included names, addresses, social security numbers, 
and a list of all the medicines the customers had purchased. (The New 
York Times, April 4, 1997 and April 12, 1997).
    • A speculator bid $4000 for the patient records of a family 
practice in South Carolina. Among the businessman's uses of the 
purchased records was selling them back to the former patients. (New 
York Times, August 14, 1991).
    • In 1993, the Boston Globe reported that Johnson and 
Johnson marketed a list of 5 million names and addresses of elderly 
incontinent women. (ACLU Legislative Update, April 1998).
    • A few weeks after an Orlando woman had her doctor perform 
some routine tests, she received a letter from a drug company promoting 
a treatment for her high cholesterol. (Orlando Sentinel, November 30, 
1997).
    No matter how or why a disclosure of personal information is made, 
the harm to the individual is the same. In the face of industry 
evolution, the potential benefits of our changing health care system, 
and the real risks and occurrences of harm, protection of privacy must 
be built into the routine operations of our health care system.

Privacy Is Necessary To Secure Effective, High Quality Health Care

    While privacy is one of the key values on which our society is 
built, it is more than an end in itself. It is also necessary for the 
effective delivery of health care, both to individuals and to 
populations. The market failures caused by the lack of effective 
privacy protections for health information are discussed below (see 
section V.C below). Here, we discuss how privacy is a necessary 
foundation for delivery of high quality health care. In short, the 
entire health care system is built upon the willingness of individuals 
to share the most intimate details of their lives with their health 
care providers.
    The need for privacy of health information, in particular, has long 
been recognized as critical to the delivery of needed medical care. 
More than anything else, the relationship between a patient and a 
clinician is based on trust. The clinician must trust the patient to 
give full and truthful information about their health, symptoms, and 
medical history. The patient must trust the clinician to use that 
information to improve his or her health and to respect the need to 
keep such information private. In order to receive accurate and 
reliable diagnosis and treatment, patients must provide health care 
professionals with accurate, detailed information about their personal 
health, behavior, and other aspects of their lives. The provision of 
health information assists in the diagnosis of an illness or condition, 
in the development of a treatment plan, and in the evaluation of the 
effectiveness of that treatment. In the absence of full and accurate 
information, there is a serious risk that the treatment plan will be 
inappropriate to the patient's situation.
    Patients also benefit from the disclosure of such information to 
the health plans that pay for and can help them gain access to needed 
care. Health plans and health care clearinghouses rely on the provision 
of such information to accurately and promptly process claims for 
payment and for other administrative functions that directly affect a 
patient's ability to receive needed care, the quality of that care, and 
the efficiency with which it is delivered.
    Accurate medical records assist communities in identifying 
troubling public health trends and in evaluating the effectiveness of 
various public health efforts. Accurate information helps public and 
private payers make correct payments for care received and lower costs 
by identifying fraud. Accurate information provides scientists with 
data they need to conduct research. We cannot improve the quality of 
health care without information about which treatments work, and which 
do not.
    Individuals cannot be expected to share the most intimate details 
of their lives unless they have confidence that such information will 
not be used or shared inappropriately. Privacy violations reduce 
consumers' trust in 
the health care system and institutions that serve them. Such a loss of 
faith can impede the quality of the health care they receive, and can 
harm the financial health of health care institutions.
    Patients who are worried about the possible misuse of their 
information often take steps to protect their privacy. Recent studies 
show that a person who does not believe his privacy will be protected 
is much less likely to participate fully in the diagnosis and treatment 
of his medical condition. A national survey conducted in January 1999 
found that one in five Americans believe their health information is 
being used inappropriately. See California HealthCare Foundation, 
``National Survey: Confidentiality of Medical Records'' (January, 1999) 
(http://www.chcf.org). More troubling is the fact that one in six 
Americans reported that they have taken some sort of evasive action to 
avoid the inappropriate use of their information by providing 
inaccurate information to a health care provider, changing physicians, 
or avoiding care altogether. Similarly, in its comments on our proposed 
rule, the Association of American Physicians and Surgeons reported 78 
percent of its members reported withholding information from a 
patient's record due to privacy concerns and another 87 percent 
reported having had a patient request to withhold information from 
their records. For an example of this phenomenon in a particular 
demographic group, see Drs. Bearman, Ford, and Moody, ``Foregone Health 
Care among Adolescents,'' JAMA, vol. 282, no. 23 (1999); Cheng, T.L., et 
al., ``Confidentiality in Health Care: A Survey of Knowledge, 
Perceptions, and Attitudes among High School Students,'' JAMA, vol. 
269, no. 11 (1993), at 1404-1407.
    The absence of strong national standards for medical privacy has 
widespread consequences. Health care professionals who lose the trust 
of their patients cannot deliver high-quality care. In 1999, a 
coalition of organizations representing various stakeholders including 
health plans, physicians, nurses, employers, disability and mental 
health advocates, accreditation organizations as well as experts in 
public health, medical ethics, information systems, and health policy 
adopted a set of ``best principles'' for health care privacy that are 
consistent with the standards we lay out here. (See the Health Privacy 
Working Group, ``Best Principles for Health Privacy'' (July, 1999) 
(Best Principles Study). The Best Principles Study states that--

    To protect their privacy and avoid embarrassment, stigma, and 
discrimination, some people withhold information from their health 
care providers, provide inaccurate information, doctor-hop to avoid 
a consolidated medical record, pay out-of-pocket for care that is 
covered by insurance, and--in some cases--avoid care altogether.

Best Principles Study, at 9. In their comments on our proposed rule, 
numerous organizations representing health plans, health providers, 
employers, and others acknowledged the value of a set of national 
privacy standards to the efficient operation of their practices and 
businesses.

Breaches of Health Privacy Harm More Than Our Health Status

    A breach of a person's health privacy can have significant 
implications well beyond the physical health of that person, including 
the loss of a job, alienation of family and friends, the loss of health 
insurance, and public humiliation. For example:
    • A banker who also sat on a county health board gained 
access to patients' records and identified several people with cancer 
and called in their mortgages. See the National Law Journal, May 30, 
1994.
    • A physician was diagnosed with AIDS at the hospital in 
which he practiced medicine. His surgical privileges were suspended. 
See Estate of Behringer v. Medical Center at Princeton, 249 N.J. Super. 
597.
    • A candidate for Congress nearly saw her campaign derailed 
when newspapers published the fact that she had sought psychiatric 
treatment after a suicide attempt. See New York Times, October 10, 
1992, Section 1, page 25.
    • A 30-year FBI veteran was put on administrative leave 
when, without his permission, his pharmacy released information about 
his treatment for depression. (Los Angeles Times, September 1, 1998)
    Consumer Reports found that 40 percent of insurers disclose personal 
health information to lenders, employers, or marketers without customer 
permission. ``Who's reading your Medical Records,'' Consumer Reports, 
October 1994, at 628, paraphrasing Sweeney, Latanya, ``Weaving 
Technology and Policy Together to Maintain Confidentiality,'' The 
Journal Of Law Medicine and Ethics (Summer & Fall 1997) Vol. 25, 
Numbers 2,3.
    The answer to these concerns is not for consumers to withdraw from 
society and the health care system, but for society to establish a 
clear national legal framework for privacy. By spelling out what is and 
what is not an allowable use of a person's identifiable health 
information, such standards can help to restore and preserve trust in 
the health care system and the individuals and institutions that 
comprise that system. As medical historian Paul Starr wrote: ``Patients 
have a strong interest in preserving the privacy of their personal 
health information but they also have an interest in medical research 
and other efforts by health care organizations to improve the medical 
care they receive. As members of the wider community, they have an 
interest in public health measures that require the collection of 
personal data.'' (P. Starr, ``Health and the Right to Privacy,'' 
American Journal of Law & Medicine, 25, nos. 2&3 (1999) 193-201). The 
task of society and its government is to create a balance in which the 
individual's needs and rights are balanced against the needs and rights 
of society as a whole.
    National standards for medical privacy must recognize the sometimes 
competing goals of improving individual and public health, advancing 
scientific knowledge, enforcing the laws of the land, and processing 
and paying claims for health care services. This need for balance has 
been recognized by many of the experts in this field. Cavoukian and 
Tapscott described it this way: ``An individual's right to privacy may 
conflict with the collective rights of the public * * *. We do not 
suggest that privacy is an absolute right that reigns supreme over all 
other rights. It does not. However, the case for privacy will depend on 
a number of factors that can influence the balance--the level of harm 
to the individual involved versus the needs of the public.''

The Federal Response

    There have been numerous federal initiatives aimed at protecting 
the privacy of especially sensitive personal information over the past 
several years--and several decades. While the rules below are likely 
the largest single federal initiative to protect privacy, they are by 
no means alone in the field. Rather, the rules arrive in the context of 
recent legislative activity to grapple with advances in technology, in 
addition to an already established body of law granting federal 
protections for personal privacy.
    In 1965, the House of Representatives created a Special 
Subcommittee on Invasion of Privacy. In 1973, this Department's 
predecessor agency, the Department of Health, Education and Welfare 
issued The Code of Fair Information Practice Principles establishing an 
important baseline for information privacy in the U.S. These principles 
formed the basis for 
the federal Privacy Act of 1974, which regulates the government's use 
of personal information by limiting the disclosure of personally-
identifiable information, allows consumers access to information about 
them, requires federal agencies to specify the purposes for collecting 
personal information, and provides civil and criminal penalties for 
misuse of information.
    In the last several years, with the rapid expansion in electronic 
technology--and accompanying concerns about individual privacy--laws, 
regulations, and legislative proposals have been developed in areas 
ranging from financial privacy to genetic privacy to the safeguarding 
of children on-line. For example, the Children's Online Privacy 
Protection Act was enacted in 1998, providing protection for children 
when interacting at web-sites. In February, 2000, President Clinton 
signed Executive Order 13145, banning the use of genetic information in 
federal hiring and promotion decisions. The landmark financial 
modernization bill, signed by the President in November, 1999, likewise 
contained financial privacy protections for consumers. There also has 
been recent legislative activity on establishing legal safeguards for 
the privacy of individuals' Social Security numbers, and calls for 
regulation of on-line privacy in general.
    These most recent laws, regulations, and legislative proposals come 
against the backdrop of decades of privacy-enhancing statutes passed at 
the federal level to enact safeguards in fields ranging from government 
data files to video rental records. In the 1970s, individual privacy 
was paramount in the passage of the Fair Credit Reporting Act (1970), 
the Privacy Act (1974), the Family Educational Rights and Privacy Act 
(1974), and the Right to Financial Privacy Act (1978). These key laws 
were followed in the next decade by another series of statutes, 
including the Privacy Protection Act (1980), the Electronic 
Communications Privacy Act (1986), the Video Privacy Protection Act 
(1988), and the Employee Polygraph Protection Act (1988). In the last 
ten years, Congress and the President have passed additional legal 
privacy protection through, among others, the Telephone Consumer 
Protection Act (1991), the Driver's Privacy Protection Act (1994), the 
Telecommunications Act (1996), the Children's Online Privacy Protection 
Act (1998), the Identity Theft and Assumption Deterrence Act (1998), 
and Title V of the Gramm-Leach-Bliley Act (1999) governing financial 
privacy.
    In 1997, a Presidential advisory commission, the Advisory 
Commission on Consumer Protection and Quality in the Health Care 
Industry, recognized the need for patient privacy protection in its 
recommendations for a Consumer Bill of Rights and Responsibilities 
(November 1997). In 1997, Congress enacted the Balanced Budget Act 
(Public Law 105-33), which added section 1852 to the Social Security Act 
(42 U.S.C. 1395w-22) to require Medicare+Choice organizations to 
establish safeguards for the privacy of individually identifiable patient 
information. Similarly, the Veterans Benefits section of the U.S. Code 
provides for confidentiality of medical records in cases involving drug 
abuse, alcoholism or alcohol abuse, HIV infection, or sickle cell 
anemia (38 U.S.C. 7332).
    As described in more detail in the next section, Congress 
recognized the importance of protecting the privacy of health 
information by enacting the Health Insurance Portability and 
Accountability Act of 1996. The Act called on Congress to enact a 
medical privacy statute and asked the Secretary of Health and Human 
Services to provide Congress with recommendations for protecting the 
confidentiality of health care information. The Congress further 
recognized the importance of such standards by providing the Secretary 
with authority to promulgate regulations on health care privacy in the 
event that lawmakers were unable to act within the allotted three 
years.
    Finally, it also is important for the U.S. to join the rest of the 
developed world in establishing basic medical privacy protections. In 
1995, the European Union (EU) adopted a Data Privacy Directive 
requiring its 15 member states to adopt consistent privacy laws by 
October 1998. The EU urged all other nations to do the same or face the 
potential loss of access to information from EU countries.

Statutory Background

History of the Privacy Component of the Administrative Simplification 
Provisions

    The Congress addressed the opportunities and challenges presented 
by the rapid evolution of health information systems in the Health 
Insurance Portability and Accountability Act of 1996 (HIPAA), Public 
Law 104-191, which was enacted on August 21, 1996. Sections 261 through 
264 of HIPAA are known as the Administrative Simplification provisions. 
The major part of these Administrative Simplification provisions is 
found at section 262 of HIPAA, which enacted a new part C of title XI 
of the Social Security Act (hereinafter we refer to the Social Security 
Act as the ``Act'' and we refer to all other laws cited in this 
document by their names).
    In section 262, Congress primarily sought to facilitate the 
efficiencies and cost savings for the health care industry that the 
increasing use of electronic technology affords. Thus, section 262 
directs HHS to issue standards to facilitate the electronic exchange of 
information with respect to financial and administrative transactions 
carried out by health plans, health care clearinghouses, and health 
care providers who transmit information electronically in connection 
with such transactions.
    At the same time, Congress recognized the challenges to the 
confidentiality of health information presented by the increasing 
complexity of the health care industry, and by advances in health 
information systems technology and communications. Section 262 thus 
also directs HHS to develop standards to protect the security, 
including the confidentiality and integrity, of health information.
    Congress has long recognized the need for protection of health 
information privacy generally, as well as the privacy implications of 
electronic data interchange and the increased ease of transmitting and 
sharing individually identifiable health information. Congress has been 
working on broad health privacy legislation for many years and, as 
evidenced by the self-imposed three year deadline included in the 
HIPAA, discussed below, believes it can and should enact such 
legislation. A significant portion of the first Administrative 
Simplification section debated on the floor of the Senate in 1994 (as 
part of the Health Security Act) consisted of privacy provisions. In 
the version of the HIPAA passed by the House of Representatives in 
1996, the requirement for the issuance of privacy standards was located 
in the same section of the bill (section 1173) as the requirements for 
issuance of the other HIPAA Administrative Simplification standards. In 
conference, the requirement for privacy standards was moved to a 
separate section in the same part of HIPAA, section 264, so that 
Congress could link the Privacy standards to Congressional action.
    Section 264(b) requires the Secretary of HHS to develop and submit 
to the Congress recommendations for:
    • The rights that an individual who is a subject of 
individually identifiable health information should have.
    • The procedures that should be established for the exercise 
of such rights.
    • The uses and disclosures of such information that should 
be authorized or required.

The Secretary's Recommendations were submitted to the Congress on 
September 11, 1997. Section 264(c)(1) provides that:

    If legislation governing standards with respect to the privacy 
of individually identifiable health information transmitted in 
connection with the transactions described in section 1173(a) of the 
Social Security Act (as added by section 262) is not enacted by 
[August 21, 1999], the Secretary of Health and Human Services shall 
promulgate final regulations containing such standards not later 
than [February 21, 2000]. Such regulations shall address at least 
the subjects described in subsection (b).

As the Congress did not enact legislation regarding the privacy of 
individually identifiable health information prior to August 21, 1999, 
HHS published proposed rules setting forth such standards on November 
3, 1999, 64 FR 59918, and is now publishing the mandated final 
regulation.
    These privacy standards have been, and continue to be, an integral 
part of the suite of Administrative Simplification standards intended 
to simplify and improve the efficiency of the administration of our 
health care system.

The Administrative Simplification Provisions, and Regulatory Actions to 
Date

    Part C of title XI consists of sections 1171 through 1179 of the 
Act. These sections define various terms and impose several 
requirements on HHS, health plans, health care clearinghouses, and 
health care providers who conduct the identified transactions 
electronically.
    The first section, section 1171 of the Act, establishes definitions 
for purposes of part C of title XI for the following terms: code set, 
health care clearinghouse, health care provider, health information, 
health plan, individually identifiable health information, standard, 
and standard setting organization.
    Section 1172 of the Act makes the standard adopted under part C 
applicable to: (1) Health plans, (2) health care clearinghouses, and 
(3) health care providers who transmit health information in electronic 
form in connection with transactions referred to in section 1173(a)(1) 
of the Act (hereinafter referred to as the ``covered entities''). 
Section 1172 also contains procedural requirements concerning the 
adoption of standards, including the role of standard setting 
organizations and required consultations, summarized in subsection F 
and section VI, below.
    Section 1173 of the Act requires the Secretary to adopt standards 
for transactions, and data elements for such transactions, to enable 
health information to be exchanged electronically. Section 1173(a)(1) 
describes the transactions to be promulgated, which include the nine 
transactions listed in section 1173(a)(2) and other transactions 
determined appropriate by the Secretary. The remainder of section 1173 
sets out requirements for the specific standards the Secretary is to 
adopt: Unique health identifiers, code sets, security standards, 
electronic signatures, and transfer of information among health plans. 
Of particular relevance to this rule is section 1173(d), the 
security standard provision. The security standard authority applies to 
both the transmission and the maintenance of health information, and 
requires the entities described in section 1172(a) to maintain 
reasonable and appropriate safeguards to ensure the integrity and 
confidentiality of the information, protect against reasonably 
anticipated threats or hazards to the security or integrity of the 
information or unauthorized uses or disclosures of the information, and 
to ensure compliance with part C by the entity's officers and 
employees.
    In section 1174 of the Act, the Secretary is required to establish 
standards for all of the above transactions, except claims attachments, 
by February 21, 1998. The statutory deadline for the claims attachment 
standard is February 21, 1999.
    As noted above, a proposed rule for most of the transactions was 
published on May 7, 1998, and the final Transactions Rule was 
promulgated on August 17, 2000. The delay reflected the deliberate 
consensus-building process with industry and the large number of 
comments received (about 17,000). In addition, in a series of 
Notices of Proposed Rulemakings, HHS published other proposed 
standards, as described above. Each of these steps was taken in concert 
with the affected professions and industries, to ensure rapid adoption 
and compliance.
    Generally, after a standard is established, it may not be changed 
during the first year after adoption except for changes that are 
necessary to permit compliance with the standard. Modifications to any 
of these standards may be made after the first year, but not more 
frequently than once every 12 months. The Secretary also must ensure 
that procedures exist for the routine maintenance, testing, 
enhancement, and expansion of code sets and that there are crosswalks 
from prior versions.
    Section 1175 of the Act prohibits health plans from refusing to 
process, or from delaying processing of, a transaction that is 
presented in standard format. It also establishes a timetable for 
compliance: each person to whom a standard or implementation 
specification applies is required to comply with the standard within 24 
months (or 36 months for small health plans) of its adoption. A health 
plan or other entity may, of course, comply voluntarily before the 
effective date. The section also provides that compliance with 
modifications to standards or implementation specifications must be 
accomplished by a date designated by the Secretary, which date may not 
be earlier than 180 days from the notice of change.
    Section 1176 of the Act establishes civil monetary penalties for 
violation of the provisions in part C of title XI of the Act, subject 
to several limitations. Penalties may not be more than $100 per person 
per violation and not more than $25,000 per person for violations of a 
single standard for a calendar year. The procedural provisions of 
section 1128A of the Act apply to actions taken to obtain civil 
monetary penalties under this section.
    Section 1177 establishes penalties for any person that knowingly 
uses a unique health identifier, or obtains or discloses individually 
identifiable health information in violation of the part. The penalties 
include: (1) A fine of not more than $50,000 and/or imprisonment of not 
more than 1 year; (2) if the offense is ``under false pretenses,'' a 
fine of not more than $100,000 and/or imprisonment of not more than 5 
years; and (3) if the offense is with intent to sell, transfer, or use 
individually identifiable health information for commercial advantage, 
personal gain, or malicious harm, a fine of not more than $250,000 and/
or imprisonment of not more than 10 years.
    Under section 1178 of the Act, the requirements of part C, as well 
as any standards or implementation specifications adopted thereunder, 
preempt contrary state law. There are three exceptions to this general 
rule of preemption: State laws that the Secretary determines are 
necessary for certain purposes set forth in the statute; state laws 
that the Secretary determines address controlled substances; and state 
laws relating to the privacy of

[[Page 82471]]

individually identifiable health information that are contrary to and 
more stringent than the federal requirements. There also are certain 
areas of state law (generally relating to public health and oversight 
of health plans) that are explicitly carved out of the general rule of 
preemption and addressed separately.
    Section 1179 of the Act makes the above provisions inapplicable to 
financial institutions (as defined by section 1101 of the Right to 
Financial Privacy Act of 1978) or anyone acting on behalf of a 
financial institution when ``authorizing, processing, clearing, 
settling, billing, transferring, reconciling, or collecting payments 
for a financial institution.''
    Finally, as explained above, section 264 requires the Secretary to 
issue standards with respect to the privacy of individually 
identifiable health information. Section 264 also contains a preemption 
provision that provides that contrary provisions of state laws that are 
more stringent than the federal standards, requirements, or 
implementation specifications will not be preempted.

Our Approach to This Regulation

Balance

    A number of facts informed our approach to this regulation. 
Determining the best approach to protecting privacy depends on where we 
start, both with respect to existing legal expectations and also with 
respect to the expectations of individuals, health care providers, 
payers and other stakeholders. From the comments we received on the 
proposed rule, and from the extensive fact finding in which we engaged, 
a confused picture developed. We learned that stakeholders in the 
system have very different ideas about the extent and nature of the 
privacy protections that exist today, and very different ideas about 
appropriate uses of health information. This leads us to seek to 
balance the views of the different stakeholders, weighing the varying 
interests on each particular issue with a view to creating balance in 
the regulation as a whole.
    For example, we received hundreds of comments explaining the 
legitimacy of various uses and disclosures of health information. We 
agree that many uses and disclosures of health information are 
``legitimate,'' but that is not the end of the inquiry. Neither 
privacy, nor the important social goals described by the commenters, 
are absolutes. In this regulation, we are asking health providers and 
institutions to add privacy into the balance, and we are asking 
individuals to add social goals into the balance.
    The vast difference among regulated entities also informed our 
approach in significant ways. This regulation applies to solo 
practitioners and to multi-national health plans. It applies to 
pharmacies and information clearinghouses. These entities differ not 
only in the nature and scope of their businesses, but also in the 
degree of sophistication of their information systems and information 
needs. We therefore designed the core requirements of this regulation 
to be flexible and ``scalable.'' This is reflected throughout the rule, 
particularly in the implementation specifications for making the 
minimum necessary uses and disclosures, and in the administrative 
policies and procedures requirements.
    We also are informed by the rapid evolution in industry 
organization and practice. Our goal is to enhance privacy protections 
in ways that do not impede this evolution. We received many comments, 
for instance, asking us to assign a status under this regulation based 
on a label or title: many commenters asked whether 
``disease management'' is a ``health care operation,'' or whether a 
``pharmacy benefits manager'' is a covered entity. From the comments 
and our fact-finding, however, we learned that these terms do not have 
consistent meanings today; rather, they encompass diverse activities 
and information practices. Further, the statutory definitions of key 
terms such as health care provider and health care clearinghouse 
describe functions, not specific types of persons or entities. To 
respect both the Congressional approach and industry evolution, we 
designed the rule to follow activities and functions, not titles and 
labels.
    Similarly, many comments asked whether a particular person would be 
a ``business associate'' under the rule, based on the nature of the 
person's business. Whether a business associate arrangement must exist 
under the rule, however, depends on the relationship between the 
entities and the services being performed, not on the type of persons 
or companies involved.
    Our approach is also significantly informed by the limited 
jurisdiction conferred by HIPAA. In large part, we have the authority 
to regulate those who create and disclose health information, but not 
many key stakeholders who receive that health information from a 
covered entity. Again, this led us to look to the balance between the 
burden on covered entities and the need to protect privacy in determining 
our approach to such disclosures. In some instances, we approach this 
dilemma by requiring covered entities to obtain a representation or 
documentation of purpose from the person requesting information. While 
there would be advantages to legislation regulating such third persons 
directly, we cannot justify abandoning any effort to enhance privacy.
    It also became clear from the comments and our fact-finding that we 
have expectations as a society that conflict with individuals' views 
about the privacy of health information. We expect the health care 
industry to develop treatment protocols for the delivery of high 
quality health care. We expect insurers and the government to reduce 
fraud in the health care system. We expect to be protected from 
epidemics, and we expect medical research to produce miracles. We 
expect the police to apprehend suspects, and we expect to pay for our 
care by credit card. All of these activities involve disclosure of 
health information to someone other than our physician.
    While most commenters support the concept of health privacy in 
general, many go on to describe activities that depend on the 
disclosure of health information and urge us to protect those 
information flows. Section III, in which we respond to the comments, 
describes our approach to balancing these conflicting expectations.
    Finally, we note that many commenters were concerned that this 
regulation would lessen current privacy protections. It is important to 
understand this regulation as a new federal floor of privacy 
protections that does not disturb more protective rules or practices. 
Nor do we intend this regulation to describe a set of ``best 
practices.'' Rather, this regulation describes a set of basic consumer 
protections and a series of regulatory permissions for use and 
disclosure of health information. The protections are a mandatory 
floor, which other governments and any covered entity may exceed. The 
permissions are just that, permissive--the only disclosures of health 
information required under this rule are to the individual who is the 
subject of the information or to the Secretary for enforcement of this 
rule. We expect covered entities to rely on their professional ethics 
and use their own best judgments in deciding which of these 
permissions they will use.

Combining Workability With New Protections

    This rule establishes national minimum standards to protect the 
privacy of individually identifiable health information in prescribed

[[Page 82472]]

settings. The standards address the many varied uses and disclosures of 
individually identifiable health information by health plans, certain 
health care providers and health care clearinghouses. The complexity of 
the standards reflects the complexity of the health care marketplace to 
which they apply and the variety of subjects that must be addressed. 
The rule applies not only to the core health care functions relating to 
treating patients and reimbursing health care providers, but also to 
activities that range from when individually identifiable health 
information should be available for research without authorization to 
whether a health care provider may release protected health information 
about a patient for law enforcement purposes. The number of discrete 
provisions, and the number of commenters requesting that the rule 
recognize particular activities, is evidence of the significant role 
that individually identifiable health information plays in many vital 
public and private concerns.
    At the same time, the large number of comments from individuals and 
groups representing individuals demonstrates the deep public concern 
about the need to protect the privacy of individually identifiable 
health information. The discussion above is rich with evidence about 
the importance of protecting privacy and the potential adverse 
consequences to individuals and their health if such protections are 
not extended.
    The need to balance these competing interests--the necessity of 
protecting privacy and the public interest in using identifiable health 
information for vital public and private purposes--in a way that is 
also workable for the varied stakeholders causes much of the complexity 
in the rule. Achieving workability without sacrificing protection means 
some level of complexity, because the rule must track current practices 
and current practices are complex. We believe that the complexity 
entailed in reflecting those practices is better public policy than a 
perhaps simpler rule that disturbed important information flows.
    Although the rule taken as a whole is complicated, we believe that 
the standards are much less complex as they apply to particular actors. 
What a health plan or covered health care provider must do to comply 
with the rule is clear, and the two-year delayed implementation 
provides a substantial period for trade and professional associations, 
working with their members, to assess the effects of the standards and 
develop policies and procedures to come into compliance with them. For 
individuals, the system may look substantially more complicated 
because, for the first time, we are ensuring that individuals will 
receive detailed information about how their individually identifiable 
health information may be used and disclosed. We also provide 
individuals with additional tools to exercise some control over those 
uses and disclosures. The additional complexity for individuals is the 
price of expanding their understanding and their rights.
    The Department will work actively with members of the health care 
industry, representatives of individuals and others during the 
implementation of this rule. As stated elsewhere, our focus is to 
develop broader understanding of how the standards work and to 
facilitate compliance. We intend to provide guidance and check lists as 
appropriate, particularly to small businesses affected by the rule. We 
also will work with trade and professional associations to develop 
guidance and provide technical assistance so that they can help their 
members understand and comply with these new standards. If this effort 
is to succeed, the various public and private participants inside and 
outside of the health care system will need to work together to assure 
that the competing interests described above remain in balance and that 
an ethic that recognizes their importance is established.

Enforcement

    The Secretary has decided to delegate her responsibility under this 
regulation to the Department's Office for Civil Rights (OCR). OCR will 
be responsible for enforcement of this regulation. Enforcement 
activities will include working with covered entities to secure 
voluntary compliance through the provision of technical assistance and 
other means; responding to questions regarding the regulation and 
providing interpretations and guidance; responding to state requests 
for exception determinations; investigating complaints and conducting 
compliance reviews; and, where voluntary compliance cannot be achieved, 
seeking civil monetary penalties and making referrals for criminal 
prosecution.

Consent

Current Law and Practice
    The issue that drew the most comments overall is the question of 
when individuals' permission should be obtained prior to use or 
disclosure of their health information. We learned that individuals' 
views and the legal view of ``consent'' for use and disclosure of 
health information are different and in many ways incompatible. 
Comments from individuals revealed a common belief that, today, people 
must be asked permission for each and every release of their health 
information. Many believe that they ``own'' the health records about 
them. However, current law and practice do not support this view.
    Current privacy protection practices are determined in part by the 
standards and practices that the professional associations have adopted 
for their members. Professional codes of conduct for ethical behavior 
generally can be found as opinions and guidelines developed by 
organizations such as the American Medical Association, American 
Nurses' Association, the American Hospital Association, the American 
Psychiatric Association, and the American Dental Association. These are 
generally issued through an organization's governing body. The codes do 
not have the force of law, but providers often recognize them as 
binding rules.
    Our review of professional codes of ethics revealed partial, but 
loose, support for individuals' expectations of privacy. For example, 
the American Medical Association's Code of Ethics recognizes both the 
right to privacy and the need to balance it against societal needs. It 
reads in part: ``conflicts between a patient's right to privacy and a 
third party's need to know should be resolved in favor of the patient, 
except where that would result in serious health hazard or harm to the 
patient or others.'' AMA Policy No. 140.989. See also, Mass. Med. 
Society, Patient Privacy and Confidentiality (1996), at 14:

    Patients enter treatment with the expectation that the 
information they share will be used exclusively for their clinical 
care. Protection of our patients' confidences is an integral part of 
our ethical training.

    These codes, however, do not apply to many who obtain information 
from providers. For example, the National Association of Insurance 
Commissioners model code, ``Health Information Privacy Model Act'' 
(1998), applies to insurers but has not been widely adopted. Codes of 
ethics are also often written in general terms that do not provide 
guidance to providers and plans confronted with specific questions 
about protecting health information.
    State laws are a crucial means of protecting health information, 
and today state laws vary dramatically. Some states defer to the 
professional codes of conduct, others provide general guidelines for 
privacy protection, and

[[Page 82473]]

others provide detailed requirements relating to the protection of 
information relating to specific diseases or to entire classes of 
information. Cf., D.C. Code Ann. Sec. 2-3305.14(16) and Haw. Rev. Stat. 
323C, et seq. In general, state statutes and case law addressing 
consent to use of health information do not support the public's strong 
expectations regarding consent for use and disclosure of health 
information. Only about half of the states have a general law that 
prohibits disclosure of health information without patient 
authorization and some of these are limited to hospital medical 
records.
    Even when a state has a law limiting disclosure of health 
information, the law typically exempts many types of disclosure from 
the authorization requirement. Georgetown Study, Key Findings; Lisa 
Dahm, ``50-State Survey on Patient Health Care Record 
Confidentiality,'' American Health Lawyers Association (1999). One of 
the most common exemptions from a consent requirement is disclosure of 
health information for treatment and related purposes. See, e.g., 
Wis. Stat. Sec. 146.82; Cal. Civ. Code 56:10; National Conference of 
Commissioners on Uniform State Laws, Uniform Health-Care Information 
Act, Minneapolis, MN, August 9, 1985. Some states include utilization 
review and similar activities in the exemption. See, e.g., Ariz. Rev. 
Stat. Sec. 12-2294. Another common exemption from consent is disclosure 
of health information for purposes of obtaining payment. See, e.g., 
Fla. Stat. Ann. Sec. 455.667; Tex. Rev. Civ. Stat. Art. 4495, 
Sec. 5.08(h); 410 Ill. Comp. Stat. 50/3(d). Other common exemptions 
include disclosures for emergency care, and for disclosures to 
government authorities (such as a department of public health). See 
Gostin Study, at 1-2; 48-51. Some states also exempt disclosure to law 
enforcement officials (e.g., Massachusetts, Ch. 254 of the Acts of 
2000), coroners (Wis. Stat. Sec. 146.82), and for such purposes as 
business operations, oversight, research, and for directory 
information. Under these exceptions, providers can disclose health 
information without any consent or authorization from the patient. When 
states require specific, written authorization for disclosure of health 
information, the authorizations are usually only required for certain 
types of disclosures or certain types of information, and one 
authorization can suffice for multiple disclosures over time.
    The states that do not have laws prohibiting disclosure of health 
information impose no specific requirements for consent or 
authorization prior to release of health information. There may, 
however, be other controls on release of health information. For 
instance, most health care professional licensure laws include general 
prohibitions against ``breaches of confidentiality.'' In some states, 
patients can hold providers accountable for some unauthorized 
disclosures of health information about them under various tort 
theories, such as invasion of privacy and breach of a confidential 
relationship. While these controls may affect certain disclosure 
practices, they do not amount to a requirement that a provider obtain 
authorization for each and every disclosure of health information.
    Further, patients are typically not given a choice; they must sign 
the ``consent'' in order to receive care. As the Georgetown Study 
points out, ``In effect, the authorization may function more as a 
waiver of consent--the patient may not have an opportunity to object to 
any disclosures.'' Georgetown Study, Key Findings.
    In the many cases where neither state law nor professional ethical 
standards exist, the only privacy protection individuals have is 
the set of policies and procedures that the health care entity 
adopts. Corporate privacy policies are often proprietary. While several 
professional associations attached their privacy principles to their 
comments, health care entities did not. One study we found indicates 
that these policies are not adequate to provide appropriate privacy 
protections and alleviate public concern. The Committee on Maintaining 
Privacy and Security in Health Care Applications of the National 
Information Infrastructure made multiple findings highlighting the need 
for heightened privacy and security, including:

    Finding 5: The greatest concerns regarding the privacy of health 
information derive from widespread sharing of patient information 
throughout the health care industry and the inadequate federal and 
state regulatory framework for systematic protection of health 
information.
    For the Record: Protecting Electronic Health Information, 
National Academy Press, Washington DC, 1997.
Consent Under This Rule
    In the NPRM, we expressed concern about the coercive nature of 
consents currently obtained by providers and plans relating to the use 
and disclosure of health information. We also expressed concern about 
the lack of information available to the patient during the process, 
and the fact that patients often were not even given a copy of 
the consent that they had signed. These and other concerns led us to 
propose that covered entities be permitted to use and disclose 
protected health information for treatment, payment and health care 
operations without the express consent of the subject individual.
    In the final rule, we alter our proposed approach and require, in 
most instances, that health care providers who have a direct treatment 
relationship with their patients obtain the consent of their patients 
to use and disclose protected health information for treatment, payment 
and health care operations. While our concern about the coerced nature 
of these consents remains, many comments that we received from 
individuals, health care professionals, and organizations that 
represent them indicated that both patients and practitioners believe 
that patient consent is an important part of the current health care 
system and should be retained.
    Providing and obtaining consent clearly has meaning for patients 
and practitioners. Patient advocates argued that the act of signing 
focuses the patient's attention on the substance of the transaction and 
provides an opportunity for the patient to ask questions about or seek 
modifications in the provider's practices. Many health care 
practitioners and their representatives argued that seeking a patient's 
consent to disclose confidential information is an ethical requirement 
that strengthens the physician-patient relationship. Both practitioners 
and patients argued that the approach proposed in the NPRM actually 
reduced patient protections by eliminating the opportunity for patients 
to agree to how their confidential information would be used and 
disclosed.
    While we believe that the provisions in the NPRM that provided for 
detailed notice to the patient and the right to request restrictions 
would have provided an opportunity for patients and providers to 
discuss and negotiate over information practices, it is clear from the 
comments that many practitioners and patients believe the approach 
proposed in the NPRM is not an acceptable replacement for the patient 
providing consent.
    To encourage a more informed interaction between the patient and 
the provider during the consent process, the final rule requires that 
the consent form that is presented to the patient be accompanied by a 
notice that contains a detailed discussion of the provider's health 
information practices. The consent form must reference the notice and 
also must inform the patient that he

[[Page 82474]]

or she has the right to request that the health care provider restrict 
how the information of the patient will be used or 
disclosed. Our goal is to provide an opportunity for and to encourage 
more informed discussions between patients and providers about how 
protected health information will be used and disclosed within the 
health care system.
    We considered and rejected other approaches to consent, including 
those that involved individuals providing a global consent to uses and 
disclosures when they sign up for insurance. While such approaches do 
require the patient to provide consent, that consent is not really an 
informed one or a voluntary one. It is also unclear how a consent obtained at 
the enrollment stage would be meaningfully communicated to the many 
providers who create the health information in the first instance. The 
ability to negotiate restrictions or otherwise have a meaningful 
discussion with the front-line provider would be independent of, and 
potentially in conflict with, the consent obtained at the enrollment 
stage. In addition, employers today are moving toward simplified 
enrollment forms, using check-off boxes and similar devices. The 
opportunity for any meaningful consideration or interaction at that 
point is slight. For these and other reasons, we decided that, to the 
extent a consent can accomplish the goal sought by individuals and 
providers, it must be focused on the direct interaction between an 
individual and provider.
    The comments and fact-finding indicate that our approach will not 
significantly change the administrative aspect of consent as it exists 
today. Most direct treatment providers today obtain some type of 
consent for some uses and disclosures of health information. Our 
regulation will ensure that those consents cover the routine uses and 
disclosures of health information, and provide an opportunity for 
individuals to obtain further information and have further discussion, 
should they so desire.

Administrative Costs

    Section 1172(b) of the Act provides that ``[a]ny standard adopted 
under this part [part C of title XI of the Act] shall be consistent 
with the objective of reducing the administrative costs of providing 
and paying for health care.'' The privacy and security standards are 
the platform on which the remaining standards rest; indeed, the design 
of part C of title XI makes clear that the various standards are 
intended to function together. Thus, the costs of privacy and security 
are properly attributable to the suite of administrative simplification 
regulations as a whole, and the cost savings realized should likewise 
be calculated on an aggregated basis, as is done below. Because the 
privacy standards are an integral and necessary part of the suite of 
Administrative Simplification standards, and because that suite of 
standards will result in substantial administrative cost savings, the 
privacy standards are ``consistent with the objective of reducing the 
administrative costs of providing and paying for health care.''
    As more fully discussed in the Regulatory Impact and Regulatory 
Flexibility analyses below, we recognize that these privacy standards 
will entail substantial initial and ongoing administrative costs for 
entities subject to the rules. It is also the case that the privacy 
standards, like the security standards authorized by section 1173(d) of 
the Act, are necessitated by the technological advances in information 
exchange that the remaining Administrative Simplification standards 
facilitate for the health care industry. The same technological 
advances that make possible enormous administrative cost savings for 
the industry as a whole have also made it possible to breach the 
security and privacy of health information on a scale that was 
previously inconceivable. The Congress recognized that adequate 
protection of the security and privacy of health information is a sine 
qua non of the increased efficiency of information exchange brought 
about by the electronic revolution, by enacting the security and 
privacy provisions of the law. Thus, as a matter of policy as well as 
law, the administrative standards should be viewed as a whole in 
determining whether they are ``consistent with'' the objective of 
reducing administrative costs.

Consultations

    The Congress required the Secretary to consult with specified 
groups in developing the standards under sections 262 and 264. Section 
264(d) of HIPAA specifically requires the Secretary to consult with the 
National Committee on Vital and Health Statistics (NCVHS) and the 
Attorney General in carrying out her responsibilities under the 
section. Section 1172(b)(3) of the Act, which was enacted by section 
262, requires that, in developing a standard under section 1172 for 
which no standard setting organization has already developed a 
standard, the Secretary must, before adopting the standard, consult 
with the National Uniform Billing Committee (NUBC), the National 
Uniform Claim Committee (NUCC), the Workgroup for Electronic Data 
Interchange (WEDI), and the American Dental Association (ADA). Section 
1172(f) also requires the Secretary to rely on the recommendations of 
the NCVHS and consult with other appropriate federal and state agencies 
and private organizations.
    We engaged in the required consultations including the Attorney 
General, NUBC, NUCC, WEDI and the ADA. We consulted with the NCVHS in 
developing the Recommendations, upon which the proposed rule is based. 
We continued to consult with this committee by requesting the committee 
to review the proposed rule and provide comments prior to its 
publication, and by reviewing transcripts of its public meeting on 
privacy and related topics. We consulted with representatives of the 
National Congress of American Indians, the National Indian Health 
Board, and the self governance tribes. We also met with representatives 
of the National Governors' Association, the National Conference of 
State Legislatures, the National Association of Public Health 
Statistics and Information Systems, and a number of other state 
organizations to discuss the framework for the proposed rule, issues of 
special interests to the states, and the process for providing comments 
on the proposed rule.
    Many of these groups submitted comments to the proposed rule, and 
those were taken into account in developing the final regulation.
    In addition to the required consultations, we met with numerous 
individuals, entities, and agencies regarding the regulation, with the 
goal of making these standards as compatible as possible with current 
business practices, while still enhancing privacy protection. During 
the open comment period, we met with dozens of groups.
    Relevant federal agencies participated in the interagency working 
groups that developed the NPRM and the final regulation, with 
additional representatives from all operating divisions and many staff 
offices of HHS. The following federal agencies and offices were 
represented on the interagency working groups: the Department of 
Justice, the Department of Commerce, the Social Security 
Administration, the Department of Defense, the Department of Veterans 
Affairs, the Department of Labor, the Office of Personnel Management, 
and the Office of Management and Budget.

[[Page 82475]]

II. Section-by-Section Description of Rule Provisions

Part 160--Subpart A--General Provisions

    Part 160 applies to all the administrative simplification 
regulations. We include the entire regulation text in this rule, not 
just those provisions relevant to this Privacy regulation. For example, 
the term ``trading partner'' is defined here, for use in the Health 
Insurance Reform: Standards for Electronic Transactions regulation, 
published at 65 FR 50312, August 17, 2000 (the ``Transactions Rule''). 
It does not appear in the remainder of this Privacy rule.
    Sections 160.101 and 160.104 of Subpart A of part 160 were 
promulgated in the Transactions Rule, and we do not change them here. 
We do, however, make changes and additions to Sec. 160.103, the 
definitions section of Subpart A. The definitions that were promulgated 
in the Transactions Rule and that remain unchanged here are: Act, ANSI, 
covered entity, compliance date, group health plan, HCFA, HHS, health 
care provider, health information, health insurance issuer, health 
maintenance organization, modify or modification, Secretary, small 
health plan, standard setting organization, and trading partner 
agreement. Of these terms, we discuss further in this preamble only 
covered entity and health care provider.

Section 160.102--Applicability

    The proposed rule stated that the subchapter (Parts 160, 162, and 
164) applies to the entities set out at section 1172(a) of the Act: 
Health plans, health care clearinghouses, and health care providers who 
transmit any health information in electronic form in connection with a 
transaction covered by the subchapter. The final rule adds a provision 
(Sec. 160.102(b)) clarifying that to the extent required under section 
201(a)(5) of HIPAA, nothing in the subchapter is to be construed to 
diminish the authority of any Inspector General. This was done in 
response to comment, to clarify that the administrative simplification 
rules, including the rules below, do not conflict with the cited 
provision of HIPAA.

Section 160.103--Definitions

Business Associate

    We proposed to define the term ``business partner'' to mean, with 
respect to a covered entity, a person to whom the covered entity 
discloses protected health information so that the person can carry 
out, assist with the performance of, or perform on behalf of, a 
function or activity for the covered entity. ``Business partner'' would 
have included contractors or other persons who receive protected health 
information from the covered entity (or from another business partner 
of the covered entity) for the purposes described in the previous 
sentence, including lawyers, auditors, consultants, third-party 
administrators, health care clearinghouses, data processing firms, 
billing firms, and other covered entities. ``Business partner'' would 
have excluded persons who are within the covered entity's workforce, as 
defined in this section.
    This rule reflects the change in the name from ``business partner'' 
to ``business associate,'' included in the Transactions Rule.
    In the final rule, we change the definition of ``business 
associate'' to clarify the circumstances in which a person is acting as 
a business associate of a covered entity. The changes clarify that the 
business association occurs when the right to use or disclose the 
protected health information belongs to the covered entity, and another 
person is using or disclosing the protected health information (or 
creating, obtaining and using the protected health information) to 
perform a function or activity on behalf of the covered entity. We also 
clarify that providing specified services to a covered entity creates a 
business associate relationship if the provision of the service 
involves the disclosure of protected health information to the service 
provider. In the proposed rule, we had included a list of persons that 
were considered to be business partners of the covered entity. However, 
it is not always clear whether the provision of certain services to a 
covered entity is ``for'' the covered entity or whether the service 
provider is acting ``on behalf of'' the covered entity. For example, a 
person providing management consulting services may need protected 
health information to perform those services, but may not be acting 
``on behalf of'' the covered entity. We believe this led to some 
general confusion among the commenters as to whether certain 
arrangements fell within the definition of a business partner under the 
proposed rule. The construction of the final rule clarifies that the 
provision of the specified services gives rise to a business associate 
relationship if the performance of the service involves disclosure of 
protected health information by the covered entity to the business 
associate. The specified services are legal, actuarial, accounting, 
consulting, management, administrative accreditation, data aggregation, 
and financial services. The list is intended to include the types of 
services commonly provided to covered entities where the disclosure of 
protected health information is routine to the performance of the 
service, but when the person providing the service may not always be 
acting ``on behalf of'' the covered entity.
    In the final rule, we reorganize the list of examples of the 
functions or activities that may be conducted by business associates. 
We place a part of the proposed list in the portion of the definition 
that addresses when a person is providing functions or activities for 
or on behalf of a covered entity. We place other parts of the list in 
the portion of the definition that specifies the services that give 
rise to a business associate relationship, as discussed above. We also 
have expanded the examples to provide additional guidance and in 
response to questions from commenters.
    We have added data aggregation to the list of services that give 
rise to a business associate relationship. Data aggregation, as 
discussed below, is where a business associate in its capacity as the 
business associate of one covered entity combines the protected health 
information of such covered entity with protected health information 
received by the business associate in its capacity as a business 
associate of another covered entity in order to permit the creation of 
data for analyses that relate to the health care operations of the 
respective covered entities. Adding this service to the business 
associate definition clarifies the ability of covered entities to 
contract with business associates to undertake quality assurance and 
comparative analyses that involve the protected health information of 
more than one contracting covered entity. For example, a state hospital 
association could act as a business associate of its member hospitals 
and could combine data provided to it to assist the hospitals in 
evaluating their relative performance in areas such as quality, 
efficiency and other patient care issues. As discussed below, however, 
the business associate contracts of each of the hospitals would have to 
permit the activity, and the protected health information of one 
hospital could not be disclosed to another hospital unless the 
disclosure is otherwise permitted by the rule.
    The definition also states that a business associate may be a 
covered entity, and that business associate excludes a person who is 
part of the covered entity's workforce.
    We also clarify in the final rule that a business association 
arises with

[[Page 82476]]

respect to a covered entity when a person performs functions or 
activities on behalf of, or provides the specified services to or for, 
an organized health care arrangement in which the covered 
entity participates. This change recognizes that where covered entities 
participate in certain joint arrangements for the financing or delivery 
of health care, they often contract with persons to perform functions 
or to provide services for the joint arrangement. This change is 
consistent with changes made in the final rule to the definition of 
health care operations, which permits covered entities to use or 
disclose protected health information not only for their own health 
care operations, but also for the operations of an organized health 
care arrangement in which the covered entity participates. By making 
these changes, we avoid the confusion that could arise in trying to 
determine whether a function or activity is being provided on behalf of 
(or if a specified service is being provided to or for) a covered 
entity or on behalf of or for a joint enterprise involving the covered 
entity. The change clarifies that in either instance the person 
performing the function or activity (or providing the specified 
service) is a business associate.
    We also add language to the final rule that clarifies that the mere 
fact that two covered entities participate in an organized health care 
arrangement does not make either of the covered entities a business 
associate of the other covered entity. The fact that the entities 
participate in joint health care operations or other joint activities, 
or pursue common goals through a joint activity, does not mean that one 
party is performing a function or activity on behalf of the other party 
(or is providing a specified service to or for the other party).
    In general under this provision, actions relating to the protected 
health information of an individual undertaken by a business associate 
are considered, for the purposes of this rule, to be actions of the 
covered entity, although the covered entity is subject to sanctions 
under this rule only if it has knowledge of the wrongful activity and 
fails to take the required actions to address the wrongdoing. For 
example, if a business associate maintains the medical records or 
manages the claims system of a covered entity, the covered entity is 
considered to have protected health information and the covered entity 
must ensure that individuals who are the subject of the information can 
have access to it pursuant to Sec. 164.524.
    The business associate relationship does not describe all 
relationships between covered entities and other persons or 
organizations. While we permit uses or disclosures of protected health 
information for a variety of purposes, business associate contracts or 
other arrangements are only required for those cases in which the 
covered entity is disclosing information to someone or some 
organization that will use the information on behalf of the covered 
entity, when the other person will be creating or obtaining protected 
health information on behalf of the covered entity, or when the 
business associate is providing the specified services to the covered 
entity and the provision of those services involves the disclosure of 
protected health information by the covered entity to the business 
associate. For example, when a health care provider discloses protected 
health information to health plans for payment purposes, no business 
associate relationship is established. While the covered provider may 
have an agreement to accept discounted fees as reimbursement for 
services provided to health plan members, neither entity is acting on 
behalf of or providing a service to the other.
    Similarly, where a physician or other provider has staff privileges 
at an institution, neither party to the relationship is a business 
associate based solely on the staff privileges because neither party is 
providing functions or activities on behalf of the other. However, if a 
party provides services to or for the other, such as where a hospital 
provides billing services for physicians with staff privileges, a 
business associate relationship may arise with respect to those 
services. Likewise, where a group health plan purchases insurance or 
coverage from a health insurance issuer or HMO, the provision of 
insurance by the health insurance issuer or HMO to the group health 
plan does not make the issuer a business associate. In such case, the 
activities of the health insurance issuer or HMO are on their own 
behalf and not on the behalf of the group health plan. We note that 
where a group health plan contracts with a health insurance issuer or 
HMO to perform functions or activities or to provide services that are 
in addition to or not directly related to the provision of insurance, 
the health insurance issuer or HMO may be a business associate with 
respect to those additional functions, activities or services. We also 
note that covered entities are permitted to disclose protected health 
information to oversight agencies that act to provide oversight of 
federal programs and the health care system. These oversight agencies 
are not performing services for or on behalf of the covered entities 
and so are not business associates of the covered entities. Therefore 
HCFA, the federal agency that administers Medicare, is not required to 
enter into a business associate contract in order to disclose protected 
health information to the Department's Office of Inspector General.
    We do not require a covered entity to enter into a business 
associate contract with a person or organization that acts merely as a 
conduit for protected health information (e.g., the US Postal Service, 
certain private couriers and their electronic equivalents). A conduit 
transports information but does not access it other than on a random or 
infrequent basis as may be necessary for the performance of the 
transportation service, or as required by law. Since no disclosure is 
intended by the covered entity and the probability of exposure of any 
particular protected health information to a conduit is very small, we 
do not consider a conduit to be a business associate of the covered 
entity.
    We do not consider a financial institution to be acting on behalf 
of a covered entity, and therefore no business associate contract is 
required, when it processes consumer-conducted financial transactions 
by debit, credit or other payment card, clears checks, initiates or 
processes electronic funds transfers, or conducts any other activity 
that directly facilitates or effects the transfer of funds for 
compensation for health care. A typical consumer-conducted payment 
transaction is when a consumer pays for health care or health insurance 
premiums using a check or credit card. In these cases the identity of 
the consumer is always included and some health information (e.g., 
diagnosis or procedure) may be implied through the name of the health 
care provider or health plan being paid. Covered entities that initiate 
such payment activities must meet the minimum necessary disclosure 
requirements described in the preamble to Sec. 164.514.

Covered Entity

    We provided this definition in the NPRM for convenience of 
reference and proposed it to mean the entities to which part C of title 
XI of the Act applies. These are the entities described in section 
1172(a)(1): Health plans, health care clearinghouses, and health care 
providers who transmit any health information in electronic form in 
connection with a transaction referred

[[Page 82477]]

to in section 1173(a)(1) of the Act (a ``standard transaction'').
    We note that health care providers who do not submit HIPAA 
transactions in standard form become covered by this rule when other 
entities, such as a billing service or a hospital, transmit standard 
electronic transactions on their behalf. A provider could not 
circumvent these requirements by assigning the task to its business 
associate since the business associate would be considered to be acting 
on behalf of the provider. See the definition of ``business 
associate.''
    Where a public agency is required or authorized by law to 
administer a health plan jointly with another entity, we consider each 
agency to be a covered entity with respect to the health plan functions 
it performs. Unlike private sector health plans, public plans are often 
required by or expressly authorized by law to jointly administer health 
programs that meet the definition of ``health plan'' under this 
regulation. In some instances the public entity is required or 
authorized to administer the program with another public agency. In 
other instances, the public entity is required or authorized to 
administer the program with a private entity. In either circumstance, 
we note that joint administration does not meet the definition of 
``business associate'' in Sec. 160.103. Examples of joint 
administration include state and federal administration of the Medicaid 
and SCHIP program, or joint administration of a Medicare+Choice plan by 
the Health Care Financing Administration and the issuer offering the 
plan.

Health Care

    We proposed to define ``health care'' to mean the provision of 
care, services, or supplies to a patient and to include any: (1) 
Preventive, diagnostic, therapeutic, rehabilitative, maintenance, or 
palliative care, counseling, service, or procedure with respect to the 
physical or mental condition, or functional status, of a patient or 
affecting the structure or function of the body; (2) sale or dispensing 
of a drug, device, equipment, or other item pursuant to a prescription; 
or (3) procurement or banking of blood, sperm, organs, or any other 
tissue for administration to patients.
    The final rule revises both the NPRM definition and the definition 
as provided in the Transactions Rule, to now mean ``care, services, or 
supplies related to the health of an individual. Health care includes 
the following:
    (1) Preventive, diagnostic, therapeutic, rehabilitative, 
maintenance, or palliative care, and counseling, service, assessment, 
or procedure with respect to the physical or mental condition, or 
functional status, of an individual or that affects the structure or 
function of the body; and
    (2) Sale or dispensing of a drug, device, equipment, or other item 
in accordance with a prescription.''
    We delete the term ``providing'' from the definition to delineate 
more clearly the relationship between ``treatment,'' as the term is 
defined in Sec. 164.501, and ``health care.'' Other key revisions 
include adding the term ``assessment'' in subparagraph (1) and deleting 
proposed subparagraph (3) from the rule. Therefore the procurement or 
banking of organs, blood (including autologous blood), sperm, eyes or 
any other tissue or human product is not considered to be health care 
under this rule and the organizations that perform such activities 
would not be considered health care providers when conducting these 
functions. As described in Sec. 164.512(h), covered entities are 
permitted to disclose protected health information without individual 
authorization, consent, or agreement (see below for explanation of 
authorizations, consents, and agreements) as necessary to facilitate 
cadaveric donation.

Health Care Clearinghouse

    In the NPRM, we defined ``health care clearinghouse'' as a public 
or private entity that processes or facilitates the processing of 
nonstandard data elements of health information into standard data 
elements. The entity receives health care transactions from health care 
providers or other entities, translates the data from a given format 
into one acceptable to the intended payor or payors, and forwards the 
processed transaction to appropriate payors and clearinghouses. Billing 
services, repricing companies, community health management information 
systems, community health information systems, and ``value-added'' 
networks and switches would have been considered to be health care 
clearinghouses for purposes of this part, if they perform the functions 
of health care clearinghouses as described in the preceding sentences.
    In the final regulation, we modify the definition of health care 
clearinghouse to reflect changes in the definition published in the 
Transactions Rule. The definition in the final rule is:
    Health care clearinghouse means a public or private entity, 
including billing services, repricing companies, community health 
management information systems or community health information systems, 
and ``value-added'' networks and switches, that does either of the 
following functions:
    (1) Processes or facilitates the processing of health information 
received from another entity in a nonstandard format or containing 
nonstandard data content into standard data elements or a standard 
transaction.
    (2) Receives a standard transaction from another entity and 
processes or facilitates the processing of health information into 
nonstandard format or nonstandard data content for the receiving 
entity.
    We note here that the term health care clearinghouse may have other 
meanings and connotations in other contexts, but the regulation defines 
it specifically, and an entity is considered a health care 
clearinghouse only to the extent that it meets the criteria in this 
definition. Telecommunications entities that provide connectivity or 
mechanisms to convey information, such as telephone companies and 
Internet Service Providers, are not health care clearinghouses as 
defined in the rule unless they actually carry out the functions 
outlined in our definition. Value added networks and switches are not 
health care clearinghouses unless they carry out the functions outlined 
in the definition. We continue to consider the examples of entities in 
our proposed definition to be health care clearinghouses, as well as 
any other entities that meet that definition, to the extent that they 
perform the functions in the definition.
    In order to fall within this definition of clearinghouse, the 
covered entity must perform the clearinghouse function on health 
information received from some other entity. A department or component 
of a health plan or health care provider that transforms nonstandard 
information into standard data elements or standard transactions (or 
vice versa) is not a clearinghouse for purposes of this rule, unless it 
also performs these functions for another entity. As described in more 
detail in Sec. 164.504(d), we allow affiliates to perform clearinghouse 
functions for each other without triggering the definition of 
``clearinghouse'' if the conditions in Sec. 164.504(d) are met.

Health Care Provider

    We proposed to define health care provider to mean a provider of 
services as defined in section 1861(u) of the Act, a provider of 
medical or health services as defined in section 1861(s) of the Act, 
and any other person or organization who furnishes, bills, or is paid 
for health care services or supplies in the normal course of business.

[[Page 82478]]

    In the final rule, we delete the term ``services and supplies,'' in 
order to eliminate redundancy within the definition. The definition 
also reflects the addition of the applicable U.S.C. citations (42 
U.S.C. 1395x(u) and 42 U.S.C. 1395x(s), respectively) for the 
referenced provisions of the Act that were promulgated in the 
Transactions Rule.
    To assist the reader, we also provide here excerpts from the 
relevant sections of the Act. (Refer to the U.S.C. sections cited above 
for complete definitions in sections 1861(u) and 1861(s).) Section 
1861(u) of the Act defines a ``provider of services,'' to include, for 
example,

``a hospital, critical access hospital, skilled nursing facility, 
comprehensive outpatient rehabilitation facility, home health 
agency, hospice program, or, for purposes of section 1814(g) (42 
U.S.C. 1395f(g)) and section 1835(e) (42 U.S.C. 1395n(e)), a fund.'' 
Section 1861(s) of the Act defines the term, ``medical and other 
health services,'' and includes a list of covered items or services, 
as illustrated by the following excerpt:
    (s) Medical and other health services. The term ``medical and 
other health services'' means any of the following items or 
services:
    (1) Physicians' services;
    (2) (A) services and supplies * * * furnished as an incident to 
a physician's professional service, or kinds which are commonly 
furnished in physicians' offices and are commonly either rendered 
without charge or included in the physicians' bills;
    (B) hospital services * * * incident to physicians' services 
rendered to outpatients and partial hospitalization services 
incident to such services;
    (C) diagnostic services which are--
    (i) furnished to an individual as an outpatient by a hospital or 
by others under arrangements with them made by a hospital, and
    (ii) ordinarily furnished by such hospital (or by others under 
such arrangements) to its outpatients for the purpose of diagnostic 
study;
    (D) outpatient physical therapy services and outpatient 
occupational therapy services;
    (E) rural health clinic services and federally qualified health 
center services;
    (F) home dialysis supplies and equipment, self-care home 
dialysis support services, and institutional dialysis services and 
supplies;
    (G) antigens * * * prepared by a physician * * * for a 
particular patient, including antigens so prepared which are 
forwarded to another qualified person * * * for administration to 
such patient, * * * by or under the supervision of another such 
physician;
    (H)(i) services furnished pursuant to a contract under section 
1876 (42 U.S.C. 1395mm) to a member of an eligible organization by a 
physician assistant or by a nurse practitioner * * * and such 
services and supplies furnished as an incident to his service to 
such a member * * * and
    (ii) services furnished pursuant to a risk-sharing contract 
under section 1876(g) (42 U.S.C. 1395mm(g)) to a member of an 
eligible organization by a clinical psychologist * * * or by a 
clinical social worker * * * (and) furnished as an incident to such 
clinical psychologist's services or clinical social worker's 
services * * *;
    (I) blood clotting factors, for hemophilia patients * * *;
    (J) prescription drugs used in immunosuppressive therapy 
furnished, to an individual who receives an organ transplant for 
which payment is made under this title (42 U.S.C. 1395 et seq.), but 
only in the case of (certain) drugs furnished * * *
    (K)(i) services which would be physicians' services if furnished 
by a physician * * * and which are performed by a physician 
assistant * * *; and
    (ii) services which would be physicians' services if furnished 
by a physician * * * and which are performed by a nurse * * *;
    (L) certified nurse-midwife services;
    (M) qualified psychologist services;
    (N) clinical social worker services * * *;
    (O) erythropoietin for dialysis patients * * *;
    (P) prostate cancer screening tests * * *;
    (Q) an oral drug (which is approved by the Federal Food and Drug 
Administration) prescribed for use as an anti-cancer 
chemotherapeutic agent for a given indication, and containing an 
active ingredient (or ingredients) * * *;
    (R) colorectal cancer screening tests * * *;
    (S) diabetes outpatient self-management training services * * *; 
and
    (T) an oral drug (which is approved by the federal Food and Drug 
Administration) prescribed for use as an acute anti-emetic used as 
part of an anti-cancer chemotherapeutic regimen * * *
    (3) diagnostic X-ray tests * * * furnished in a place of 
residence used as the patient's home * * * ;
    (4) X-ray, radium, and radioactive isotope therapy, including 
materials and services of technicians;
    (5) surgical dressings, and splints, casts, and other devices 
used for reduction of fractures and dislocations;
    (6) durable medical equipment;
    (7) ambulance service where the use of other methods of 
transportation is contraindicated by the individual's condition * * *;
    (8) prosthetic devices (other than dental) which replace all or 
part of an internal body organ (including colostomy bags and 
supplies directly related to colostomy care), * * * and including 
one pair of conventional eyeglasses or contact lenses furnished 
subsequent to each cataract surgery * * * [;]
    (9) leg, arm, back, and neck braces, and artificial legs, arms, 
and eyes, including replacements if required * * * ;
    (10) (A) pneumococcal vaccine and its administration * * *; and
    (B) hepatitis B vaccine and its administration * * *, and
    (11) services of a certified registered nurse anesthetist * * *;
    (12) * * * extra-depth shoes with inserts or custom molded shoes 
with inserts for an individual with diabetes, if * * *;
    (13) screening mammography * * *;
    (14) screening pap smear and screening pelvic exam; and
    (15) bone mass measurement * * *. (etc.)

Health Plan

    We proposed to define ``health plan'' essentially as section 
1171(5) of the Act defines it. Section 1171 of the Act refers to 
several definitions in section 2791 of the Public Health Service Act, 
42 U.S.C. 300gg-91, as added by Public Law 104-191.
    As defined in section 1171(5), a ``health plan'' is an individual 
plan or group health plan that provides, or pays the cost of, medical 
care. We proposed that this definition include, but not be limited to 
the 15 types of plans (e.g., group health plan, health insurance 
issuer, health maintenance organization) listed in the statute, as well 
as any combination of them. Such term would have included, when applied 
to public benefit programs, the component of the government agency that 
administers the program. Church plans and government plans would have 
been included to the extent that they fall into one or more of the 
listed categories.
    In the proposed rule, ``health plan'' included the following, 
singly or in combination:
    (1) A group health plan, defined as an employee welfare benefit 
plan (as currently defined in section 3(1) of the Employee Retirement 
Income and Security Act of 1974, 29 U.S.C. 1002(1)), including insured 
and self-insured plans, to the extent that the plan provides medical 
care (as defined in section 2791(a)(2) of the Public Health Service 
Act, 42 U.S.C. 300gg-91(a)(2)), including items and services paid for 
as medical care, to employees or their dependents directly or through 
insurance or otherwise, that:
    (i) Has 50 or more participants; or
    (ii) Is administered by an entity other than the employer that 
established and maintains the plan.
    (2) A health insurance issuer, defined as an insurance company, 
insurance service, or insurance organization that is licensed to engage 
in the business of insurance in a state and is subject to state or 
other law that regulates insurance.
    (3) A health maintenance organization, defined as a federally 
qualified health maintenance organization, an organization recognized 
as a health maintenance organization under state law, or a similar 
organization regulated for solvency under state law in the same manner 
and to the same extent as such a health maintenance organization.
    (4) Part A or Part B of the Medicare program under title XVIII of 
the Act.
    (5) The Medicaid program under title XIX of the Act.
    (6) A Medicare supplemental policy (as defined in section 
1882(g)(1) of the Act, 42 U.S.C. 1395ss).
    (7) A long-term care policy, including a nursing home fixed-
indemnity policy.
    (8) An employee welfare benefit plan or any other arrangement that 
is established or maintained for the purpose of offering or providing 
health benefits to the employees of two or more employers.
    (9) The health care program for active military personnel under 
title 10 of the United States Code.
    (10) The veterans health care program under 38 U.S.C. chapter 17.
    (11) The Civilian Health and Medical Program of the Uniformed 
Services (CHAMPUS), as defined in 10 U.S.C. 1072(4).
    (12) The Indian Health Service program under the Indian Health Care 
Improvement Act (25 U.S.C. 1601, et seq.).
    (13) The Federal Employees Health Benefits Program under 5 U.S.C. 
chapter 89.
    (14) An approved state child health plan for child health 
assistance that meets the requirements of section 2103 of the Act.
    (15) A Medicare Plus Choice organization as defined in 42 CFR 
422.2, with a contract under 42 CFR part 422, subpart K.
    In addition to the 15 specific categories, we proposed that the 
list include any other individual plan or group health plan, or 
combination thereof, that provides or pays for the cost of medical 
care. The Secretary would determine which plans that meet these 
criteria would be considered health plans for the purposes of this 
rule.
    Consistent with the other titles of HIPAA, our proposed definition 
did not include certain types of insurance entities, such as workers' 
compensation and automobile insurance carriers, other property and 
casualty insurers, and certain forms of limited benefits coverage, even 
when such arrangements provide coverage for health care services.
    In the final rule, we add two provisions to clarify the types of 
policies or programs that we do not consider to be a health plan. 
First, the rule excepts any policy, plan or program to the extent that 
it provides, or pays for the cost of, excepted benefits, as defined in 
section 2791(c)(1) of the PHS Act, 42 U.S.C. 300gg-91(c)(1). We note 
that, while coverage for on-site medical clinics is excluded from the 
definition of ``health plans,'' such clinics may meet the definition of 
``health care provider'' and persons who work in the clinic may also 
meet the definition of ``health care provider.'' Second, many commenters 
were confused by the statutory inclusion as a health plan of any 
``other individual or group plan that provides or pays the cost of 
medical care;'' they questioned how the provision applied to many 
government programs. We therefore clarify that while many government 
programs (other than the programs specified in the statute) provide or 
pay the cost of medical care, we do not consider them to be individual 
or group plans and, therefore, do not consider them to be health plans. 
Government funded programs that do not have as their principal purpose 
the provision of, or payment for, the cost of health care but which do 
incidentally provide such services are not health plans (for example, 
programs such as the Special Supplemental Nutrition Program for Women, 
Infants and Children (WIC) and the Food Stamp Program, which provide or 
pay for nutritional services, are not considered to be health plans). 
Government funded programs that have as their principal purpose the 
provision of health care, either directly or by grant, are also not 
considered to be health plans. Examples include the Ryan White 
Comprehensive AIDS Resources Emergency Act, government funded health 
centers and immunization programs. We note that some of these may meet 
the rule's definition of health care provider.
    We note that in certain instances eligibility for or enrollment in 
a health plan that is a government program providing public benefits, 
such as Medicaid or SCHIP, is determined by an agency other than the 
agency that administers the program, or individually identifiable 
health information used to determine enrollment or eligibility in such 
a health plan is collected by an agency other than the agency that 
administers the health plan. In these cases, we do not consider an 
agency that is not otherwise a covered entity, such as a local welfare 
agency, to be a covered entity because it determines eligibility or 
enrollment or collects enrollment information as authorized by law. We 
also do not consider the agency to be a business associate when 
conducting these functions, as we describe further in the business 
associate discussion above.
    The definition in the final rule also reflects the following 
changes promulgated in the Transactions Rule:
    (1) Exclusion of nursing home fixed-indemnity policies;
    (2) Addition of the word ``issuer'' to Medicare supplemental 
policy, and long-term care policy;
    (3) Addition or revision of the relevant statutory cites where 
appropriate;
    (4) Deletion of the term ``or assisted'' when referring to 
government programs;
    (5) Replacement of the word ``organization'' with ``program'' when 
referring to Medicare + Choice;
    (6) Deletion of the term ``health'' when referring to a group plan 
in subparagraph (xvi);
    (7) Extraction of the definitions of ``group health plan,'' 
``health insurance issuer,'' and ``health maintenance organization'' 
into Part 160 as distinct definitions;
    (8) In the definition of ``group health plan,'' deletion of the 
term ``currently'' from the reference to the statutory cite of ERISA, 
addition of the relevant statutory cite for the term ``participant,'' 
and addition of the term ``reimbursement;''
    (9) In the definition of ``health insurance issuer,'' addition of 
the relevant statutory cite, deletion of the term ``or other law'' 
after ``state law,'' addition of health maintenance organizations for 
consistency with the statute, and clarification that the term does not 
include a group health plan; and
    (10) In the definition of ``health maintenance organization,'' 
addition of the relevant statutory cite.
    Finally, we add to this definition a high risk pool that is a 
mechanism established under state law to provide health insurance 
coverage or comparable coverage to eligible individuals. High risk 
pools are designed mainly to provide health insurance coverage for 
individuals who, due to health status or pre-existing conditions, 
cannot obtain insurance through the individual market or who can do so 
only at very high premiums. Some states use their high risk pool as an 
alternative mechanism under section 2744 of HIPAA. We do not reference 
the definition of ``qualified high risk pool'' in HIPAA because that 
definition includes the requirements for a state to use its risk pool 
as its alternative mechanism under HIPAA. Some states may have high 
risk pools, but do not use them as their alternative mechanism and 
therefore may not meet the definition in HIPAA. We want to make clear 
that state high risk pools are covered entities under this rule whether 
or not they meet the definition of a qualified high risk pool under 
section 2744. High risk pools, as described in this rule, do not 
include any program established under state law solely to provide 
excepted benefits. For example, a state program established to provide 
workers' compensation coverage is not considered to be a high risk pool 
under the rule.

Implementation Specification

    This definition was adopted in the Transactions Rule and is 
minimally revised here. We add the words ``requirements or'' before the 
word ``instructions.'' The word ``instructions'' is appropriate in the 
context of the implementation specifications adopted in the 
Transactions Rule, which are generally a series of instructions as to 
how to use particular electronic forms. However, that word is not 
apropos in the context of the rules below. In the rules below, the 
implementation specifications are specific requirements for how to 
comply with a given standard. The change to this definition thus ties 
in to this regulatory framework.

Standard

    This definition was adopted in the Transactions Rule and we have 
modified it to make it clearer. We also add language reflecting section 
264 of the statute, to clarify that the standards adopted by this rule 
meet this definition.

State

    We modify the definition of state as adopted in the Transactions 
Rule to clarify that this term refers to any of the several states.

Transaction

    We change the term ``exchange'' to the term ``transmission'' in the 
definition of Transaction to clarify that these transactions may be 
one-way communications.

Workforce

    We proposed in the NPRM to define workforce to mean employees, 
volunteers, trainees, and other persons under the direct control of a 
covered entity, including persons providing labor on an unpaid basis.
    The definition in the final rule reflects one revision established 
in the Transactions Rule, which replaces the term ``including persons 
providing labor on an unpaid basis'' with the term ``whether or not 
they are paid by the covered entity.'' In addition, we clarify that if 
the assigned work station of persons under contract is on the covered 
entity's premises and such persons perform a substantial proportion of 
their activities at that location, the covered entity may choose to 
treat them either as business associates or as part of the workforce, 
as explained in the discussion of the definition of business associate. 
If there is no business associate contract, we assume the person is a 
member of the covered entity's workforce. We note that independent 
contractors may or may not be workforce members. However, for 
compliance purposes we will assume that such personnel are members of 
the workforce if no business associate contract exists.

Part 160--Subpart B--Preemption of State Laws

Statutory Background

    Section 1178 of the Act establishes a ``general rule'' that state 
law provisions that are contrary to the provisions or requirements of 
part C of title XI or the standards or implementation specifications 
adopted or established thereunder are preempted by the federal 
requirements. The statute provides three exceptions to this general 
rule: (1) In section 1178(a)(2)(A)(i), for state laws that the 
Secretary determines are necessary to prevent fraud and abuse, ensure 
appropriate state regulation of insurance and health plans, for state 
reporting on health care delivery, and other purposes; (2) in section 
1178(a)(2)(A)(ii), for state laws that address controlled substances; 
and (3) in section 1178(a)(2)(B), for state laws relating to the 
privacy of individually identifiable health information that as 
provided for by the related provision of section 264(c)(2) of HIPAA, 
are contrary to and more stringent than the federal requirements. 
Section 1178 also carves out, in sections 1178(b) and 1178(c), certain 
areas of state authority that are not limited or invalidated by the 
provisions of part C of title XI: these areas relate to public health 
and state regulation of health plans.
    The NPRM proposed a new Subpart B of the proposed part 160. The new 
Subpart B, which would apply to all standards, implementation 
specifications, and requirements adopted under HIPAA, would consist of 
four sections. Proposed Sec. 160.201 provided that the provisions of 
Subpart B applied to exception determinations and advisory opinions 
issued by the Secretary under section 1178. Proposed Sec. 160.202 set 
out proposed definitions for four terms: (1) ``Contrary,'' (2) ``more 
stringent,'' (3) ``relates to the privacy of individually identifiable 
health information,'' and (4) ``state law.'' The definition of 
``contrary'' was drawn from case law concerning preemption. A seven-
part set of specific criteria, drawn from fair information principles, 
was proposed for the definition of ``more stringent.'' The definition 
of ``relates to the privacy of individually identifiable health 
information'' was also based on case law. The definition of ``state 
law'' was drawn from the statutory definition of this term elsewhere in 
HIPAA. We note that state action having the force and effect of law may 
include common law. We eliminate the term ``decision'' from the 
proposed rule because it is redundant.
    Proposed Sec. 160.203 proposed a general rule reflecting the 
statutory general rule and exceptions that generally mirrored the 
statutory language of the exceptions. The one substantive addition to 
the statutory exception language was with respect to the statutory 
exception, ``for other purposes.'' The following language was added: 
``for other purposes related to improving the Medicare program, the 
Medicaid program, or the efficiency and effectiveness of the health 
care system.''
    Proposed Sec. 160.204 proposed two processes, one for the making of 
exception determinations, relating to determinations under section 
1178(a)(2)(A) of the Act, the other for the rendering of advisory 
opinions, with respect to section 1178(a)(2)(B) of the Act. The 
processes proposed were similar in the following respects: (1) Only the 
state could request an exception determination or advisory opinion, as 
applicable; (2) both required the request to contain the same 
information, except that a request for an exception determination also 
had to set out the length of time the requested exception would be in 
effect, if less than three years; (3) both sets of requirements 
provided that requests had to be submitted to the Secretary as required 
by the Secretary, and until the Secretary's determination was made, the 
federal standard, requirement or implementation specification remained 
in effect; (4) both sets of requirements provided that the Secretary's 
decision would be effective intrastate only; (5) both sets of 
requirements provided that any change to either the federal or state 
basis for the Secretary's decision would require a new request, and the 
federal standard, implementation specification, or requirement would 
remain in effect until the Secretary acted favorably on the new 
request; (6) both sets of requirements provided that the Secretary 
could seek changes to the federal rules or urge states or other 
organizations to seek changes; and (7) both sets of requirements 
provided for annual publication of Secretarial decisions. In addition, 
the process for exception determinations provided for a maximum 
effective period of three years for such determinations.
    The following changes have been made to subpart B in the final 
rules. First, Sec. 160.201 now expressly implements section 1178. 
Second, the definition of ``more stringent'' 
has been changed by eliminating the criterion relating to penalties and 
by framing the criterion under paragraph (1) more generally. Also, we 
have clarified that the term ``individual'' means the person who is the 
subject of the individually identifiable health information, since the 
term ``individual'' is defined this way only in subpart E of part 164, 
not in part 160. Third, the definition of ``state law'' has been 
changed by substituting the words ``statute, constitutional provision'' 
for the word ``law,'' the words ``common law'' for the word 
``decision,'' and adding the words ``force and'' before the word 
``effect'' in the proposed definition. Fourth, in Sec. 160.203, several 
criteria relating to the statutory grounds for exception determinations 
have been further spelled out: (1) The words ``related to the 
provision of or payment for health care'' have been added to the 
exception for fraud and abuse; (2) the words ``to the extent expressly 
authorized by statute or regulation'' have been added to the exception 
for state regulation of health plans; (3) the words ``of serving a 
compelling need related to public health, safety, or welfare, and, 
where a standard, requirement, or implementation specification under 
part 164 of this subchapter is at issue, where the Secretary determines 
that the intrusion into privacy is warranted when balanced against the 
need to be served'' have been added to the general exception ``for 
other purposes''; and (4) the statutory provision regarding controlled 
substances has been elaborated on as follows: ``Has as its principal 
purpose the regulation of the manufacture, registration, distribution, 
dispensing, or other control of any controlled substance, as defined at 
21 U.S.C. 802, or which is deemed a controlled substance by state 
law.''
    The most extensive changes have been made to proposed Sec. 160.204. 
The provision for advisory opinions has been eliminated. Section 
160.204 now sets out only a process for requesting exception 
determinations. In most respects, this process is the same as proposed. 
However, the proposed restriction of the effect of exception 
determinations to wholly intrastate transactions has been eliminated. 
Section 160.204(a) has been modified to allow any person, not just a 
state, to submit a request for an exception determination, and 
clarifies that requests from states may be made by the state's chief 
elected official or his or her designee. Proposed Sec. 160.204(a)(3) 
stated that if it is determined that the federal standard, requirement, 
or implementation specification in question meets the exception 
criteria as well as or better than the state law for which the 
exception is requested, the request will be denied; this language has 
been deleted. Thus, the criterion for granting or denying an exception 
request is whether the applicable exception criterion or criteria are 
met.
    A new Sec. 160.205 is also adopted, replacing part of what was 
proposed at proposed Sec. 160.204. The new Sec. 160.205 sets out the 
rules relating to the effectiveness of exception determinations. 
Exception determinations are effective until either the underlying 
federal or state laws change or the exception is revoked, by the 
Secretary, based on a determination that the grounds supporting the 
exception no longer exist. The proposed maximum of three years has been 
eliminated.

Relationship to Other Federal Laws

    Covered entities subject to these rules are also subject to other 
federal statutes and regulations. For example, federal programs must 
comply with the statutes and regulations that govern them. Pursuant to 
their contracts, Medicare providers must comply with the requirements 
of the Privacy Act of 1974. Substance abuse treatment facilities are 
subject to the Substance Abuse Confidentiality provisions of the Public 
Health Service Act, section 543 and its regulations. And, health care 
providers in schools, colleges, and universities may come within the 
purview of the Family Educational Rights and Privacy Act. Thus, covered 
entities will need to determine how the privacy regulation will affect 
their ability to comply with these other federal laws.
    Many commenters raised questions about how different federal 
statutes and regulations intersect with the privacy regulation. While 
we address specific concerns in the response to comments later in the 
preamble, in this section, we explore some of the general interaction 
issues. These summaries do not identify all possible conflicts or 
overlaps of the privacy regulation and other federal laws, but should 
provide general guidance for complying with both the privacy regulation 
and other federal laws. The summaries also provide examples of how 
covered entities can analyze other federal laws when specific questions 
arise. HHS may consult with other agencies concerning the 
interpretation of other federal laws as necessary.

Implied Repeal Analysis

    When faced with the need to determine how different federal laws 
interact with one another, we turn to the judiciary's approach. Courts 
apply the implied repeal analysis to resolve tensions that appear to 
exist between two or more statutes. While the implication of a 
regulation-on-regulation conflict is unclear, courts agree that 
administrative rules and regulations that do not conflict with express 
statutory provisions have the force and effect of law. Thus, we believe 
courts would apply the standard rules of interpretation that apply to 
statutes to address questions of interpretation with regard to 
regulatory conflicts.
    When faced with two potentially conflicting statutes, courts 
attempt to construe them so that both are given effect. If this 
construction is not possible, courts will look for express language in 
the later statute, or an intent in its legislative history, indicating 
that Congress intended the later statute to repeal the earlier one. If 
there is no expressed intent to repeal the earlier statute, courts will 
characterize the statutes as either general or specific. Ordinarily, 
later, general statutes will not repeal the special provisions of an 
earlier, specific statute. In some cases, when a later, general statute 
creates an irreconcilable conflict or is manifestly inconsistent with 
the earlier, specific statute in a manner that indicates a clear and 
manifest Congressional intent to repeal the earlier statute, courts 
will find that the later statute repeals the earlier statute by 
implication. In these cases, the latest legislative action may prevail 
and repeal the prior law, but only to the extent of the conflict.
    There should be few instances in which conflicts exist between a 
statute or regulation and the rules below. For example, if a statute 
permits a covered entity to disclose protected health information and 
the rules below permit such a disclosure, no conflict arises; the 
covered entity could comply with both and choose whether or not to 
disclose the information. In instances in which a potential conflict 
appears, we would attempt to resolve it so that both laws applied. For 
example, if a statute or regulation permits dissemination of protected 
health information, but the rules below prohibit the use or disclosure 
without an authorization, we believe a covered entity would be able to 
comply with both because it could obtain an authorization under 
Sec. 164.508 before disseminating the information under the other law.
    Many apparent conflicts will not be true conflicts. For example, if 
a conflict appears to exist because a previous statute or regulation 
requires a 
specific use or disclosure of protected health information that the 
rules below appear to prohibit, the use or disclosure pursuant to that 
statute or regulation would not be a violation of the privacy 
regulation because Sec. 164.512(a) permits covered entities to use or 
disclose protected health information as required by law.
    If a statute or regulation prohibits dissemination of protected 
health information, but the privacy regulation requires that an 
individual have access to that information, the earlier, more specific 
statute would apply. The interaction with the Clinical Laboratory 
Improvement Amendments regulation is an example of this type of 
conflict. From our review of several federal laws, it appears that 
Congress did not intend for the privacy regulation to overrule existing 
statutory requirements in these instances.

Examples of Interaction

    We have summarized how certain federal laws interact with the 
privacy regulation to provide specific guidance in areas deserving 
special attention and to serve as examples of the analysis involved. In 
the Response to Comment section, we have provided our responses to 
specific questions raised during the comment period.

The Privacy Act

    The Privacy Act of 1974, 5 U.S.C. 552a, prohibits disclosures of 
records contained in a system of records maintained by a federal agency 
(or its contractors) without the written request or consent of the 
individual to whom the record pertains. This general rule is subject to 
various statutory exceptions. In addition to the disclosures explicitly 
permitted in the statute, the Privacy Act permits agencies to disclose 
information for other purposes compatible with the purpose for which 
the information was collected by identifying the disclosure as a 
``routine use'' and publishing notice of it in the Federal Register. 
The Act applies to all federal agencies and certain federal contractors 
who operate Privacy Act systems of records on behalf of federal 
agencies.
    Some federal agencies and contractors of federal agencies that are 
covered entities under the privacy rules are subject to the Privacy 
Act. These entities must comply with all applicable federal statutes 
and regulations. For example, if the privacy regulation permits a 
disclosure, but the disclosure is not permitted under the Privacy Act, 
the federal agency may not make the disclosure. If, however, the 
Privacy Act allows a federal agency the discretion to make a routine 
use disclosure, but the privacy regulation prohibits the disclosure, 
the federal agency will have to apply its discretion in a way that 
complies with the regulation. This means not making the particular 
disclosure.

The Freedom of Information Act

    FOIA, 5 U.S.C. 552, provides for public disclosure, upon the 
request of any person, of many types of information in the possession 
of the federal government, subject to nine exemptions and three 
exclusions. For example, Exemption 6 permits federal agencies to 
withhold ``personnel and medical files and similar files the disclosure 
of which would constitute a clearly unwarranted invasion of personal 
privacy.'' 5 U.S.C. 552(b)(6).
    Uses and disclosures required by FOIA come within Sec. 164.512(a) 
of the privacy regulation that permits uses or disclosures required by 
law if the uses or disclosures meet the relevant requirements of the 
law. Thus, a federal agency must determine whether it may apply an 
exemption or exclusion to redact the protected health information when 
responding to a FOIA request. When a FOIA request asks for documents 
that include protected health information, we believe the agency, when 
appropriate, must apply Exemption 6 to preclude the release of medical 
files or otherwise redact identifying details before disclosing the 
remaining information.
    We offer the following analysis for federal agencies and federal 
contractors who operate Privacy Act systems of records on behalf of 
federal agencies and must comply with FOIA and the privacy regulation. 
If presented with a FOIA request that would result in the disclosure of 
protected health information, a federal agency must first determine if 
FOIA requires the disclosure or if an exemption or exclusion would be 
appropriate. We believe that generally a disclosure of protected health 
information, when requested under FOIA, would come within FOIA 
Exemption 6. We recognize, however, that the application of this 
exemption to information about deceased individuals requires a 
different analysis than that applicable to living individuals because, 
as a general rule, under the Privacy Act, privacy rights are 
extinguished at death. However, under FOIA, it is entirely appropriate 
to consider the privacy interests of a decedent's survivors under 
Exemption 6. See Department of Justice FOIA Guide 2000, Exemption 6: 
Privacy Considerations. Covered entities subject to FOIA must evaluate 
each disclosure on a case-by-case basis, as they do now under current 
FOIA procedures.

Federal Substance Abuse Confidentiality Requirements

    The federal confidentiality of substance abuse patient records 
statute, section 543 of the Public Health Service Act, 42 U.S.C. 290dd-
2, and its implementing regulation, 42 CFR part 2, establish 
confidentiality requirements for patient records that are maintained in 
connection with the performance of any federally-assisted specialized 
alcohol or drug abuse program. Substance abuse programs are generally 
programs or personnel that provide alcohol or drug abuse treatment, 
diagnosis, or referral for treatment. The term ``federally-assisted'' 
is broadly defined and includes federally conducted or funded programs, 
federally licensed or certified programs, and programs that are tax 
exempt. Certain exceptions apply to information held by the Veterans 
Administration and the Armed Forces.
    There are a number of health care providers that are subject to 
both these rules and the substance abuse statute and regulations. In 
most cases, a conflict will not exist between these rules. These 
privacy rules permit a health care provider to disclose information in 
a number of situations that are not permitted under the substance abuse 
regulation. For example, disclosures allowed, without patient 
authorization, under the privacy rule for law enforcement, judicial and 
administrative proceedings, public health, health oversight, directory 
assistance, and as required by other laws would generally be prohibited 
under the substance abuse statute and regulation. However, because 
these disclosures are permissive and not mandatory, there is no 
conflict. An entity would not be in violation of the privacy rules for 
failing to make these disclosures.
    Similarly, provisions in the substance abuse regulation provide for 
permissive disclosures in case of medical emergencies, to the FDA, for 
research activities, for audit and evaluation activities, and in 
response to certain court orders. Because these are permissive 
disclosures, programs subject to both the privacy rules and the 
substance abuse rule are able to comply with both rules even if the 
privacy rules restrict these types of disclosures. In addition, the 
privacy rules generally require that an individual be given access to 
his or her own health information. Under the substance abuse 
regulation, programs may provide such access, so there is no conflict.
    The substance abuse regulation requires notice to patients of the 
substance abuse confidentiality requirements and provides for written 
consent for disclosure. While the privacy rules have requirements that 
are somewhat different, the program may use notice and authorization 
forms that include all the elements required by both regulations. The 
substance abuse rule provides a sample notice and a sample 
authorization form and states that the use of these forms would be 
sufficient. While these forms do not satisfy all of the requirements of 
the privacy regulation, there is no conflict because the substance 
abuse regulation does not mandate the use of these forms.

Employee Retirement Income Security Act of 1974

    ERISA was enacted in 1974 to regulate pension and welfare employee 
benefit plans established by private sector employers, unions, or both, 
to provide benefits to their workers and dependents. Under ERISA, plans 
that provide ``through the purchase of insurance or otherwise * * * 
medical, surgical, or hospital care or benefits, or benefits in the 
event of sickness, accident, disability, [or] death'' are defined as 
employee welfare benefit plans. 29 U.S.C. 1002(1). In 1996, HIPAA 
amended ERISA to require portability, nondiscrimination, and 
renewability of health benefits provided by group health plans and 
group health insurance issuers. Numerous, although not all, ERISA plans 
are covered under the rules below as ``health plans.''
    Section 514(a) of ERISA, 29 U.S.C. 1144(a), preempts all state laws 
that ``relate to'' any employee benefit plan. However, section 
514(b)(2)(A) of ERISA, 29 U.S.C. 1144(b)(2)(A), expressly saves from 
preemption state laws that regulate insurance. Section 514(b)(2)(B) of ERISA, 29 
U.S.C. 1144(b)(2)(B), provides that an ERISA plan is deemed not to be 
an insurer for the purpose of regulating the plan under the state 
insurance laws. Thus, under the deemer clause, states may not treat 
ERISA plans as insurers subject to direct regulation by state law. 
Finally, section 514(d) of ERISA, 29 U.S.C. 1144(d), provides that 
ERISA does not ``alter, amend, modify, invalidate, impair, or supersede 
any law of the United States.''
    We considered whether the preemption provision of section 264(c)(2) 
of HIPAA would give effect to state laws that would otherwise be 
preempted by section 514(a) of ERISA. As discussed above, our reading 
of the statutes together is that the effect of section 264(c)(2) is 
only to leave in place state privacy protections that would otherwise 
apply and that are more stringent than the federal privacy protections.
    Many health plans covered by the privacy regulation are also 
subject to ERISA requirements. Our discussions and consultations have 
not uncovered any particular ERISA requirements that would conflict 
with the rules.

The Family Educational Rights and Privacy Act

    FERPA, as amended, 20 U.S.C. 1232g, provides parents of students 
and eligible students (students who are 18 or older) with privacy 
protections and rights for the records of students maintained by 
federally funded educational agencies or institutions or persons acting 
for these agencies or institutions. We have excluded education records 
covered by FERPA, including those education records designated as 
education records under Parts B, C, and D of the Individuals with 
Disabilities Education Act Amendments of 1997, from the definition of 
protected health information. For example, individually identifiable 
health information of students under the age of 18 created by a nurse 
in a primary or secondary school that receives federal funds and that 
is subject to FERPA is an education record, but not protected health 
information. Therefore, the privacy regulation does not apply. We 
followed this course because Congress specifically addressed how 
information in education records should be protected in FERPA.
    We have also excluded certain records, those described at 20 U.S.C. 
1232g(a)(4)(B)(iv), from the definition of protected health information 
because FERPA also provided a specific structure for the maintenance of 
these records. These are records (1) of students who are 18 years or 
older or are attending post-secondary educational institutions, (2) 
maintained by a physician, psychiatrist, psychologist, or recognized 
professional or paraprofessional acting or assisting in that capacity, 
(3) that are made, maintained, or used only in connection with the 
provision of treatment to the student, and (4) that are not available 
to anyone, except a physician or appropriate professional reviewing the 
record as designated by the student. Because FERPA excludes these 
records from its protections only to the extent they are not available 
to anyone other than persons providing treatment to students, any use 
or disclosure of the record for other purposes, including providing 
access to the individual student who is the subject of the information, 
would turn the record into an education record. As education records, 
they would be subject to the protections of FERPA.
    These exclusions are not applicable to all schools, however. If a 
school does not receive federal funds, it is not an educational agency 
or institution as defined by FERPA. Therefore, its records that contain 
individually identifiable health information are not education records. 
These records may be protected health information. The educational 
institution or agency that employs a school nurse is subject to our 
regulation as a health care provider if the school nurse or the school 
engages in a HIPAA transaction.
    While we strongly believe every individual should have the same 
level of privacy protection for his/her individually identifiable 
health information, Congress did not provide us with authority to 
disturb the scheme it had devised for records maintained by educational 
institutions and agencies under FERPA. We do not believe Congress 
intended to amend or preempt FERPA when it enacted HIPAA.
    With regard to the records described at 20 U.S.C. 
1232g(a)(4)(B)(iv), we considered requiring health care providers 
engaged in HIPAA transactions to comply with the privacy regulation up 
to the point these records were used or disclosed for purposes other 
than treatment. At that point, the records would be converted from 
protected health information into education records. This conversion 
would occur any time a student sought to exercise his/her access 
rights. The provider, then, would need to treat the record in 
accordance with FERPA's requirements and be relieved from its 
obligations under the privacy regulation. We chose not to adopt this 
approach because it would be unduly burdensome to require providers to 
comply with two different, yet similar, sets of regulations and 
inconsistent with the policy in FERPA that these records be exempt from 
regulation to the extent the records were used only to treat the 
student.

Gramm-Leach-Bliley

    In 1999, Congress passed Gramm-Leach-Bliley (GLB), Pub. L. 106-102, 
which included provisions, section 501 et seq., that limit the ability 
of financial institutions to disclose ``nonpublic personal 
information'' about consumers to non-affiliated third parties and 
require financial institutions to provide customers with their privacy 
policies and practices with respect to nonpublic

[[Page 82484]]

personal information. In addition, Congress required seven agencies 
with jurisdiction over financial institutions to promulgate regulations 
as necessary to implement these provisions. GLB and its accompanying 
regulations define ``financial institutions'' as including institutions 
engaged in the financial activities of bank holding companies, which 
may include the business of insuring. See 15 U.S.C. 6809(3); 12 U.S.C. 
1843(k). However, Congress did not provide the designated federal 
agencies with the authority to regulate health insurers. Instead, it 
provided states with an incentive to adopt and have their state 
insurance authorities enforce these rules. See 15 U.S.C. 6805. If a 
state were to adopt laws consistent with GLB, health insurers would 
have to determine how to comply with both sets of rules.
    Thus, GLB has caused concern and confusion among health plans that 
are subject to our privacy regulation. Although Congress remained 
silent as to its understanding of the interaction of GLB and HIPAA's 
privacy provisions, the Federal Trade Commission and other agencies 
implementing the GLB privacy provisions noted in the preamble to their 
GLB regulations that they ``would consult with HHS to avoid the 
imposition of duplicative or inconsistent requirements.'' 65 Fed. Reg. 
33646, 33648 (2000). Additionally, the FTC also noted that ``persons 
engaged in providing insurance'' would be within the enforcement 
jurisdiction of state insurance authorities and not within the 
jurisdiction of the FTC. Id.
    Because the FTC has clearly stated that it will not enforce the GLB 
privacy provisions against persons engaged in providing insurance, 
health plans will not be subject to dual federal agency jurisdiction 
for information that is both nonpublic personal information and 
protected health information. If states choose to adopt GLB-like laws 
or regulations, which may or may not track the federal rules 
completely, health plans would need to evaluate these laws under the 
preemption analysis described in subpart B of Part 160.

Federally Funded Health Programs

    These rules will affect various federal programs, some of which may 
have requirements that are, or appear to be, inconsistent with the 
requirements of these regulations. These programs include those 
operated directly by the federal government (such as health programs 
for military personnel and veterans) as well as programs in which 
health services or benefits are provided by the private sector or by 
state or local governments, but which are governed by various federal 
laws (such as Medicare, Medicaid, and ERISA).
    Congress explicitly included some of these programs in HIPAA, 
subjecting them directly to the privacy regulation. Section 1171 of the 
Act defines the term ``health plan'' to include the following federally 
conducted, regulated, or funded programs: Group plans under ERISA that 
either have 50 or more participants or are administered by an entity 
other than the employer who established and maintains the plan; 
federally qualified health maintenance organizations; Medicare; 
Medicaid; Medicare supplemental policies; the health care program for 
active military personnel; the health care program for veterans; the 
Civilian Health and Medical Program of the Uniformed Services 
(CHAMPUS); the Indian health service program under the Indian Health 
Care Improvement Act, 25 U.S.C. 1601, et seq.; and the Federal 
Employees Health Benefits Program. There also are many other federally 
conducted, regulated, or funded programs in which individually 
identifiable health information is created or maintained, but which do 
not come within the statutory definition of ``health plan.'' While 
these latter types of federally conducted, regulated, or assisted 
programs are not explicitly covered by part C of title XI in the same 
way that the programs listed in the statutory definition of ``health 
plan'' are covered, the statute may nonetheless apply to transactions 
and other activities conducted under such programs. This is likely to 
be the case when the federal entity or federally regulated or funded 
entity provides health services; the requirements of part C may apply 
to such an entity as a ``health care provider.'' Thus, the issue of how 
different federal requirements apply is likely to arise in numerous 
contexts.
    There are a number of authorities under the Public Health Service 
Act and other legislation that contain explicit confidentiality 
requirements, either in the enabling legislation or in the implementing 
regulations. Many of these are so general that there would appear to be 
no problem of inconsistency, in that nothing in those laws or 
regulations would appear to restrict the provider's ability to comply 
with the privacy regulation's requirements.
    There may, however, be authorities under which either the 
requirements of the enabling legislation or of the program regulations 
would impose requirements that differ from these rules.
    For example, regulations applicable to the substance abuse block 
grant program funded under section 1943(b) of the Public Health Service 
Act require compliance with 42 CFR part 2, and, thus, raise the issues 
identified above in the substance abuse confidentiality regulations 
discussion. There are a number of federal programs which, either by 
statute or by regulation, restrict the disclosure of patient 
information to, with minor exceptions, disclosures ``required by law.'' 
See, for example, the program of projects for prevention and control of 
sexually transmitted diseases funded under section 318(e)(5) of the 
Public Health Service Act (42 CFR 51b.404); the regulations 
implementing the community health center program funded under section 
330 of the Public Health Service Act (42 CFR 51c.110); the regulations 
implementing the program of grants for family planning services under 
title X of the Public Health Service Act (42 CFR 59.15); the 
regulations implementing the program of grants for black lung clinics 
funded under 30 U.S.C. 437(a) (42 CFR 55a.104); the regulations 
implementing the program of maternal and child health projects funded 
under section 501 of the Act (42 CFR 51a.6); the regulations 
implementing the program of medical examinations of coal miners (42 CFR 
37.80(a)). These legal requirements would restrict the grantees or 
other entities providing services under the programs involved from 
making many of the disclosures that Secs. 164.510 or 164.512 would 
permit. In some cases, permissive disclosures for treatment, payment, 
or health care operations would also be limited. Because Secs. 164.510 
and 164.512 are merely permissive, there would not be a conflict 
between the program requirements and this regulation, because it would 
be possible to comply with both. However, entities subject to both sets of 
requirements would not have the total range of discretion that they 
would have if they were subject only to this regulation.

Food, Drug, and Cosmetic Act

    The Food, Drug, and Cosmetic Act, 21 U.S.C. 301, et seq., and its 
accompanying regulations outline the responsibilities of the Food and 
Drug Administration with regard to monitoring the safety and 
effectiveness of drugs and devices. Part of the agency's responsibility 
is to obtain reports about adverse events, track medical devices, and 
engage in other types of post marketing surveillance. Because many of 
these reports contain protected health information, the information 
within them may come within the purview of the privacy rules.

[[Page 82485]]

Although some of these reports are required by the Food, Drug, and 
Cosmetic Act or its accompanying regulations, other types of reporting 
are voluntary. We believe that these reports, while not mandated, play 
a critical role in ensuring that individuals receive safe and effective 
drugs and devices. Therefore, in Sec. 164.512(b)(1)(iii), we have 
provided that covered entities may disclose protected health 
information to a person subject to the jurisdiction of the Food and 
Drug Administration for specified purposes, such as reporting adverse 
events, tracking medical devices, or engaging in other post marketing 
surveillance. We describe the scope and conditions of such disclosures 
in more detail in Sec. 164.512(b).

Clinical Laboratory Improvement Amendments

    CLIA, 42 U.S.C. 263a, and the accompanying regulations, 42 CFR part 
493, require clinical laboratories to comply with standards regarding 
the testing of human specimens. This law requires clinical laboratories 
to disclose test results or reports only to authorized persons, as 
defined by state law. If a state does not define the term, the federal 
law defines it as the person who orders the test.
    We realize that the person ordering the test is most likely a 
health care provider and not the individual who is the subject of the 
protected health information included within the result or report. 
Under this requirement, therefore, a clinical laboratory may be 
prohibited by law from providing the individual who is the subject of 
the test result or report with access to this information.
    Although we believe individuals should be able to have access to 
their individually identifiable health information, we recognize that 
in the specific area of clinical laboratory testing and reporting, the 
Health Care Financing Administration, through regulation, has provided 
that access may be more limited. To accommodate this requirement, we 
have provided at Sec. 164.524(a)(1)(iii) that covered entities maintaining 
protected health information that is subject to the CLIA requirements 
do not have to provide individuals with a right of access to or a right 
to inspect and obtain a copy of this information if the disclosure of 
the information to the individual would be prohibited by CLIA.
    Not all clinical laboratories, however, will be exempted from 
providing individuals with these rights. If a clinical laboratory 
operates in a state in which the term ``authorized person'' is defined 
to include the individual, the clinical laboratory would have to 
provide the individual with these rights. Similarly, if the individual 
was the person who ordered the test and an authorized person included 
such a person, the laboratory would be required to provide the 
individual with these rights.
    Additionally, CLIA regulations exempt the components or functions 
of ``research laboratories that test human specimens but do not report 
patient specific results for the diagnosis, prevention or treatment of 
any disease or impairment of, or the assessment of the health of 
individual patients'' from the CLIA regulatory scheme. 42 CFR 
493.3(a)(2). If subject to the access requirements of this regulation, 
such entities would be forced to meet the requirements of CLIA from 
which they are currently exempt. To eliminate this additional 
regulatory burden, we have also excluded covered entities that are 
exempt from CLIA under that rule from the access requirement of this 
regulation.
    Although we are concerned about the lack of immediate access by the 
individual, we believe that, in most cases, individuals who receive 
clinical tests will be able to receive their test results or reports 
through the health care provider who ordered the test for them. The 
provider will receive the information from the clinical laboratory. 
Assuming that the provider is a covered entity, the individual will 
have the right of access and right to inspect and copy this protected 
health information through his or her provider.

Other Mandatory Federal or State Laws

    Many federal laws require covered entities to provide specific 
information to specific entities in specific circumstances. If a 
federal law requires a covered entity to disclose a specific type of 
information, the covered entity would not need an authorization under 
Sec. 164.508 to make the disclosure because the final rule permits 
covered entities to make disclosures that are required by law under 
Sec. 164.512(a). Other laws, such as the Social Security Act (including 
its Medicare and Medicaid provisions), the Family and Medical Leave 
Act, the Public Health Service Act, Department of Transportation 
regulations, the Environmental Protection Act and its accompanying 
regulations, the National Labor Relations Act, and the rules of the 
Federal Aviation Administration and the Federal Highway Administration, 
may also contain provisions that require covered entities or others to 
use or disclose protected health information for specific purposes.
    When a covered entity is faced with a question as to whether the 
privacy regulation would prohibit the disclosure of protected health 
information that it seeks to disclose pursuant to a federal law, the 
covered entity should determine if the disclosure is required by that 
law. In other words, it must determine if the disclosure is mandatory 
rather than merely permissible. If it is mandatory, a covered entity 
may disclose the protected health information pursuant to 
Sec. 164.512(a), which permits covered entities to disclose protected 
health information without an authorization when the disclosure is 
required by law. If the disclosure is not required (but only permitted) 
by the federal law, the covered entity must determine if the disclosure 
comes within one of the other permissible disclosures. If the 
disclosure does not come within one of the provisions for permissible 
disclosures, the covered entity must obtain an authorization from the 
individual who is the subject of the information or de-identify the 
information before disclosing it.
    If another federal law prohibits a covered entity from using or 
disclosing information that is also protected health information, but 
the privacy regulation permits the use or disclosure, a covered entity 
will need to comply with the other federal law and not use or disclose 
the information.

Federal Disability Nondiscrimination Laws

    The federal laws barring discrimination on the basis of disability 
protect the confidentiality of certain medical information. The 
information protected by these laws falls within the larger definition 
of ``health information'' under this privacy regulation. The two 
primary disability nondiscrimination laws are the Americans with 
Disabilities Act (ADA), 42 U.S.C. 12101 et seq., and the Rehabilitation 
Act of 1973, as amended, 29 U.S.C. 701 et seq., although other laws 
barring discrimination on the basis of disability (such as the 
nondiscrimination provisions of the Workforce Investment Act of 1998, 
29 U.S.C. 2938) may also apply. Federal disability nondiscrimination 
laws cover two general categories of entities relevant to this 
discussion: employers and entities that receive federal financial 
assistance.
    Employers are not covered entities under the privacy regulation. 
Many employers, however, are subject to the federal disability 
nondiscrimination laws and, therefore, must protect the

[[Page 82486]]

confidentiality of all medical information concerning their applicants 
and employees.
    The employment provisions of the ADA, 42 U.S.C. 12111 et seq., 
expressly cover employers of 15 or more employees, employment agencies, 
labor organizations, and joint labor-management committees. Since 1992, 
employment discrimination complaints arising under sections 501, 503, 
and 504 of the Rehabilitation Act also have been subject to the ADA's 
employment nondiscrimination standards. See ``Rehabilitation Act 
Amendments,'' Pub. L. No. 102-569, 106 Stat. 4344. Employers subject to 
ADA nondiscrimination standards have confidentiality obligations 
regarding applicant and employee medical information. Employers must 
treat such medical information, including medical information from 
voluntary health or wellness programs and any medical information that 
is voluntarily disclosed as a confidential medical record, subject to 
limited exceptions.
    Transmission of health information by an employer to a covered 
entity, such as a group health plan, is governed by the ADA 
confidentiality restrictions. The ADA, however, has been interpreted to 
permit an employer to use medical information for insurance purposes. 
See 29 CFR part 1630 App. at Sec. 1630.14(b) (describing such use with 
reference to 29 CFR 1630.16(f), which in turn explains that the ADA 
regulation ``is not intended to disrupt the current regulatory 
structure for self-insured employers * * * or current industry 
practices in sales, underwriting, pricing, administrative and other 
services, claims and similar insurance related activities based on 
classification of risks as regulated by the states''). See also, 
``Enforcement Guidance on Disability-Related Inquiries and Medical 
Examinations of Employees under the Americans with Disabilities Act,'' 
4, n.10 (July 26, 2000), ____ FEP Manual (BNA) ____ (``Enforcement 
Guidance on Employees''). See generally, ``ADA Enforcement Guidance on 
Preemployment Disability-Related Questions and Medical Examinations'' 
(October 10, 1995), 8 FEP Manual (BNA) 405:7191 (1995) (also available 
at http://www.eeoc.gov). Thus, use of medical information for insurance 
purposes may include transmission of health information to a covered 
entity.
    If an employer-sponsored group health plan is closely linked to an 
employer, the group health plan may be subject to ADA confidentiality 
restrictions, as well as this privacy regulation. See Carparts 
Distribution Center, Inc. v. Automotive Wholesaler's Association of New 
England, Inc., 37 F.3d 12 (1st Cir. 1994)(setting forth three bases for 
ADA Title I jurisdiction over an employer-provided medical 
reimbursement plan, in a discrimination challenge to the plan's HIV/
AIDS cap). Transmission of applicant or employee health information by 
the employer's management to the group health plan may be permitted 
under the ADA standards as the use of medical information for insurance 
purposes. Similarly, disclosure of such medical information by the 
group health plan, under the limited circumstances permitted by this 
privacy regulation, may involve use of the information for insurance 
purposes as broadly described in the ADA discussion above.
    Entities that receive federal financial assistance, which may also 
be covered entities under the privacy regulation, are subject to 
section 504 of the Rehabilitation Act (29 U.S.C. 794) and its 
implementing regulations. Each federal agency has promulgated such 
regulations that apply to entities that receive financial assistance 
from that agency (``recipients''). These regulations may limit the 
disclosure of medical information about persons who apply to or 
participate in a federal financially assisted program or activity. For 
example, the Department of Labor's section 504 regulation (found at 29 
CFR part 32), consistent with the ADA standards, requires recipients 
that conduct employment-related programs, including employment training 
programs, to maintain confidentiality regarding any information about 
the medical condition or history of applicants to or participants in 
the program or activity. Such information must be kept separate from 
other information about the applicant or participant and may be 
provided to certain specified individuals and entities, but only under 
certain limited circumstances described in the regulation. See 29 CFR 
32.15(d). Apart from those circumstances, the information must be 
afforded the same confidential treatment as medical records, id. Also, 
recipients of federal financial assistance from the Department of 
Health and Human Services, such as hospitals, are subject to the ADA's 
employment nondiscrimination standards. They must, accordingly, 
maintain confidentiality regarding the medical condition or history of 
applicants for employment and employees.
    The statutes and implementing regulations under which the federal 
financial assistance is provided may contain additional provisions 
regulating collection and disclosure of medical, health, and 
disability-related information. See, e.g., section 188 of the Workforce 
Investment Act of 1998 (29 U.S.C. 2938) and 29 CFR 37.3(b). Thus, 
covered entities that are subject to this privacy regulation may also 
be subject to the restrictions in these laws.

U.S. Safe Harbor Privacy Principles (European Union Directive on Data 
Protection)

    The E.U. Directive became effective in October 1998 and prohibits 
European Union Countries from permitting the transfer of personal data 
to another country without ensuring that an ``adequate level of 
protection,'' as determined by the European Commission, exists in the 
other country or pursuant to one of the Directive's derogations of this 
rule, such as pursuant to unambiguous consent or to fulfill a contract 
with the individual. In July 2000, the European Commission concluded 
that the U.S. Safe Harbor Privacy Principles \1\ constituted ``adequate 
protection.'' Adherence to the Principles is voluntary. Organizations 
wishing to engage in the exchange of personal data with E.U. countries 
may assert compliance with the Principles as one means of obtaining 
data from E.U. countries.
---------------------------------------------------------------------------

    \1\ The Principles are: (1) Notice; (2) Choice (i.e., consent); 
(3) Onward Transfer (i.e., subsequent disclosures); (4) Security; 
(5) Data Integrity; (6) Access; and (7) Enforcement. Department of 
Commerce, Safe Harbor Principles, July 21, 2000 (``Principles''). 
They do not apply to manually processed data.
---------------------------------------------------------------------------

    The Department of Commerce, which negotiated these Principles with 
the European Commission, has provided guidance for U.S. organizations 
seeking to adhere to the guidelines and comply with U.S. law. We 
believe this guidance addresses the concerns covered entities seeking 
to transfer personal data from E.U. countries may have. When ``U.S. law 
imposes a conflicting obligation, U.S. organizations whether in the 
safe harbor or not must comply with the law.'' An organization does not 
need to comply with the Principles if a conflicting U.S. law 
``explicitly authorizes'' the particular conduct. The organization's 
non-compliance is ``limited to the extent necessary to meet the 
overriding legitimate interests further[ed] by such authorization.'' 
However, if only a difference exists such that an ``option is allowable 
under the Principles and/or U.S. law, organizations are expected to opt 
for the higher protection where possible.'' Questions regarding 
compliance and interpretation will be decided based on U.S. law. See 
Department of Commerce, Memorandum on Damages for Breaches

[[Page 82487]]

of Privacy, Legal Authorizations and Mergers and Takeovers in U.S. Law 
5 (July 17, 2000); Department of Commerce, Safe Harbor Privacy 
Principles Issued by the U.S. Department of Commerce on July 21, 2000, 
65 FR 45666 (2000). The Principles and our privacy regulation are based 
on common principles of fair information practices. We believe they are 
essentially consistent and that an organization complying with our 
privacy regulation can fairly and correctly self-certify that it 
complies with the Principles. If a true conflict arises between the 
privacy regulation and the Principles, the Department of Commerce's 
guidance provides that an entity must comply with the U.S. law.

Part 160--Subpart C--Compliance and Enforcement

    Proposed Sec. 164.522 included five paragraphs addressing 
activities related to the Secretary's enforcement of the rule. These 
provisions were based on procedures and requirements in various civil 
rights regulations. Proposed Sec. 164.522(a) provided that the 
Secretary would, to the extent practicable, seek the cooperation of 
covered entities in obtaining compliance, and could provide technical 
assistance to covered entities to help them comply voluntarily. 
Proposed Sec. 164.522(b) provided that individuals could file 
complaints with the Secretary. However, where the complaint related to 
the alleged failure of a covered entity to amend or correct protected 
health information as proposed in the rule, the Secretary would not 
make certain determinations such as whether protected health 
information was accurate or complete. This paragraph also listed the 
requirements for filing complaints and indicated that the Secretary may 
investigate such complaints and what might be reviewed as part of such 
investigation.
    Under proposed Sec. 164.522(c), the Secretary would be able to 
conduct compliance reviews. Proposed Sec. 164.522(d) described the 
responsibilities of covered entities to keep records and reports as 
prescribed by the Secretary, cooperate with compliance reviews, permit 
the Secretary to have access to their facilities, books, records, and 
other sources of information during normal business hours, and seek 
records held by other persons. This paragraph also stated that the 
Secretary would maintain the confidentiality of protected health 
information she collected and prohibit covered entities from taking 
retaliatory action against individuals for filing complaints or for 
other activities. Proposed Sec. 164.522(e) provided that the Secretary 
would inform the covered entity and the individual complainant if an 
investigation or review indicated a failure to comply and would seek to 
resolve the matter informally if possible. If the matter could not be 
resolved informally, the Secretary would be able to issue written 
findings, be required to inform the covered entity and the complainant, 
and be able to pursue civil enforcement action or make a criminal 
referral. The Secretary would also be required to inform the covered 
entity and the individual complainant if no violation was found.
    We make the following changes and additions to proposed 
Sec. 164.522 in the final rule. First, we have moved this section to 
part 160, as a new subpart C, ``Compliance and Enforcement.'' Second, 
we add new sections that explain the applicability of these provisions 
and incorporate certain definitions. Accordingly, we change the 
proposed references to violations of ``this subpart'' to violations of 
``the applicable requirements of part 160 and the applicable standards, 
requirements, and implementation specifications of subpart E of part 
164 of this subchapter.'' Third, the final rule at Sec. 160.306(a) 
provides that any person, not just an ``individual'' (the person who is 
the subject of the individually identifiable health information) may 
file a complaint with the Secretary. Other references in this subpart 
to an individual have been changed accordingly. Fourth, we delete the 
proposed Sec. 164.522(a) language that indicated that the Secretary 
would not determine whether information was accurate or complete, or 
whether errors or omissions might have an adverse effect on the 
individual. While the policy is not changed in that the Secretary will 
not make such determinations, we believe the language is unnecessary 
and may suggest that we would make all other types of determinations, 
such as all determinations in which the regulation defers to the 
professional judgment of the covered entity. Fifth, Sec. 160.306(b)(3) 
requires that complaints be filed within 180 days of when the 
complainant knew or should have known that the act or omission 
complained of occurred, unless this time limit is waived by the 
Secretary for good cause shown. Sixth, Sec. 160.310(b) requires 
cooperation with investigations as well as compliance reviews. Seventh, 
Sec. 160.310(c)(1) provides that the Secretary must be provided access 
to a covered entity's facilities, books, records, accounts, and other 
sources of information, including protected health information, at any 
time and without notice where exigent circumstances exist, such as 
where documents might be hidden or destroyed. Eighth, the provision 
proposed at Sec. 164.522(d) that would prohibit covered entities from 
taking retaliatory action against individuals for filing a complaint 
with the Secretary or for certain other actions has been changed and 
moved to Sec. 164.530. Ninth, Sec. 160.312(a)(2) deletes the reference 
in the proposed rule to using violation findings as a basis for 
initiating action to secure penalties. This deletion is not a 
substantive change. This language was removed because penalties will be 
addressed in the enforcement regulation. As in the NPRM, the Secretary 
may promulgate alternative procedures for complaints relating to 
national security. For example, to protect classified information, we 
may promulgate rules that would allow an intelligence community agency 
to create a separate body within that agency to receive complaints.
    The Department plans to issue an Enforcement Rule that applies to 
all of the regulations that the Department issues under the 
Administrative Simplification provisions of HIPAA. This regulation will 
address the imposition of civil monetary penalties and the referral of 
criminal cases where there has been a violation of this rule. Penalties 
are provided for under section 262 of HIPAA. The Enforcement Rule would 
also address the topics covered by Subpart C below. It is expected that 
this Enforcement Rule would replace Subpart C.

Part 164--Subpart A--General Provisions

Section 164.102--Statutory Basis

    In the NPRM, we provided that the provisions of this part are 
adopted pursuant to the Secretary's authority to prescribe standards, 
requirements, and implementation standards under part C of title XI of 
the Act and section 264 of Public Law 104-191. The final rule adopts 
this language.

Section 164.104--Applicability

    In the NPRM, we provided that except as otherwise provided, the 
provisions of this part apply to covered entities: health plans, health 
care clearinghouses, and health care providers who transmit health 
information in electronic form in connection with any transaction 
referred to in section 1173(a)(1) of the Act. The final rule adopts 
this language.

Section 164.106--Relationship to Other Parts

    The final rule adds a new provision stating that in complying with 
the requirements of this part, covered entities are required to comply 
with the applicable provisions of parts 160 and 162 of this subchapter. 
This language references Subchapter C in this regulation, 
Administrative Data Standards and Related Requirements; Part 160, 
General Administrative Requirements; and Part 162, Administrative 
Requirements. Part 160 includes requirements such as keeping records 
and submitting compliance reports to the Secretary and cooperating with 
the Secretary's complaint investigations and compliance reviews. Part 
162 includes requirements such as requiring a covered entity that 
conducts an electronic transaction, adopted under this part, with 
another covered entity to conduct the transaction as a standard 
transaction as adopted by the Secretary.

Part 164--Subparts B-D--Reserved

Part 164--Subpart E--Privacy

Section 164.500--Applicability

    The discussion below describes the entities and the information 
that are subject to the final regulation.
    Many of the provisions of the regulation are presented as 
``standards.'' Generally, the standards indicate what must be 
accomplished under the regulation and implementation specifications 
describe how the standards must be achieved.

Covered Entities

    We proposed in the NPRM to apply the standards in the regulation to 
health plans, health care clearinghouses, and to any health care 
provider who transmits health information in electronic form in 
connection with transactions referred to in section 1173(a)(1) of the 
Act. The proposal referred to these entities as ``covered entities.''
    We have revised Sec. 164.500 to clarify the applicability of the 
rule to health care clearinghouses. As we stated in the preamble to the 
NPRM, we believe that in most instances health care clearinghouses will 
receive protected health information as a business associate to another 
covered entity. This understanding was confirmed by the comments and by 
our fact finding. Clearinghouses rarely have direct contact with 
individuals, and usually will not be in a position to create protected 
health information or to receive it directly from them. Unlike health 
plans and providers, clearinghouses usually convey and repackage 
information and do not add materially to the substance of protected 
health information of an individual.
    The revised language provides that clearinghouses are not subject 
to certain requirements in the rule when acting as business associates 
of other covered entities. As revised, a clearinghouse acting as a 
business associate is subject only to the provisions of this section, 
to the definitions, to the general rules for uses and disclosures of 
protected health information (subject to limitations), to the provision 
relating to health care components, to the provisions relating to uses 
and disclosures for which consent, individual authorization or an 
opportunity to agree or object is not required (subject to 
limitations), to the transition requirements and to the compliance 
date. With respect to the uses and disclosures authorized under 
Sec. 164.502 or Sec. 164.512, a clearinghouse acting as a business 
associate is not authorized by the rule to make any use or disclosure 
not permitted by its business associate contract. Clearinghouses acting 
as business associates are not subject to the other requirements of 
this rule, which include the provisions relating to procedural 
requirements, requirements for obtaining consent, individual 
authorization or agreement, provision of a notice, individual rights to 
request privacy protection, access and amend information and receive an 
accounting of disclosures and the administrative requirements.
    We note that, even as business associates, clearinghouses remain 
covered entities. Clearinghouses, like other covered entities, are 
responsible under this regulation for abiding by the terms of business 
associate contracts. For example, while the provisions regarding 
individuals' access to and right to request corrections to protected 
health information about them apply only to health plans and covered 
health care providers, clearinghouses may have some responsibility for 
providing such access under their business associate contracts. A 
clearinghouse (or any other covered entity) that violates the terms of 
a business associate contract also is in direct violation of this rule 
and, as a covered entity, is subject to compliance and enforcement 
action.
    We clarify that a covered entity is only subject to these rules to 
the extent that it possesses protected health information. Moreover, 
these rules only apply with regard to protected health information. For 
example, if a covered entity does not disclose or receive from its 
business associate any protected health information and no protected 
health information is created or received by its business associate on 
behalf of the covered entity, then the business associate requirements 
of this rule do not apply.
    We clarify that the Department of Defense or any other federal 
agency, and any non-governmental organization acting on its behalf, is 
not subject to this rule when it provides health care in another 
country to foreign national beneficiaries. The Secretary believes that 
this exemption is warranted because application of the rule could have 
the unintended effect of impeding or frustrating the conduct of such 
activities, such as interfering with the ability of military command 
authorities to obtain protected health information on prisoners of war, 
refugees, or detainees for whom they are responsible under 
international law. See the preamble to the definition of ``individual'' 
for further discussion.

Covered Information

    We proposed in the NPRM to apply the requirements of the rule to 
individually identifiable health information that is or has been 
electronically transmitted or maintained by a covered entity. The 
provisions would have applied to the information itself, referred to as 
protected health information in the rule, and not to the particular 
records in which the information is contained. We proposed that once 
information was maintained or transmitted electronically by a covered 
entity, the protections would follow the information in whatever form, 
including paper records, in which it exists while held by a covered 
entity. The proposal would not have applied to information that was 
never electronically maintained or transmitted by a covered entity.
    In the final rule, we extend the scope of protections to all 
individually identifiable health information in any form, electronic or 
non-electronic, that is held or transmitted by a covered entity. This 
includes individually identifiable health information in paper records 
that never has been electronically stored or transmitted. (See 
Sec. 164.501, definition of ``protected health information,'' for 
further discussion.)

Section 164.501--Definitions

Correctional Institution

    The proposed rule did not define the term correctional institution. 
The final rule defines correctional institution as any penal or 
correctional facility, jail, reformatory, detention center, work farm, 
halfway house, or residential community program center operated by, or 
under contract to, the United States, 
a state, a territory, a political subdivision of a state or territory, 
or an Indian tribe, for the confinement or rehabilitation of persons 
charged with or convicted of a criminal offense or other persons held 
in lawful custody. Other persons held in lawful custody includes 
juvenile offenders adjudicated delinquent, aliens detained awaiting 
deportation, persons committed to mental institutions through the 
criminal justice system, witnesses, or others awaiting charges or 
trial. This language was necessary to explain the privacy rights and 
protections of inmates in this regulation.

Covered Functions

    We add a new term, ``covered functions,'' as a shorthand way of 
expressing and referring to the functions that the entities covered by 
section 1172(a) of the Act perform. Section 1171 defines the terms 
``health plan'', ``health care provider'', and ``health care 
clearinghouse'' in functional terms. Thus, a ``health plan'' is an 
individual or group plan ``that provides, or pays the cost of, medical 
care * * *'', a ``health care provider'' ``furnish[es] health care 
services or supplies,'' and a ``health care clearinghouse'' is an 
entity ``that processes or facilitates the processing of * * * data 
elements of health information * * *''. Covered functions, therefore, 
are the activities that any such entity engages in that are directly 
related to operating as a health plan, health care provider, or health 
care clearinghouse; that is, they are the functions that make it a 
health plan, health care provider, or health care clearinghouse.
    The term ``covered functions'' is not intended to include various 
support functions, such as computer support, payroll and other office 
support, and similar support functions, although we recognize that 
these support functions must occur in order for the entity to carry out 
its health care functions. Because such support functions are often 
also performed for parts of an organization that are not doing 
functions directly related to the health care functions and may involve 
access to and/or use of protected health information, the rules below 
describe requirements for ensuring that workforce members who perform 
these support functions do not impermissibly use or disclose protected 
health information. See Sec. 164.504.

Data Aggregation

    The NPRM did not include a definition of data aggregation. In the 
final rule, data aggregation is defined, with respect to protected 
health information received by a business associate in its capacity as 
the business associate of a covered entity, as the combining of such 
protected health information by the business associate with protected 
health information received by the business associate in its capacity 
as a business associate of another covered entity, to permit the 
creation of data for analyses that relate to the health care operations 
of the respective covered entities. The definition is included in the 
final rule to help describe how business associates can assist covered 
entities to perform health care operations that involve comparative 
analysis of protected health information from otherwise unaffiliated 
covered entities. Data aggregation is a service that gives rise to a 
business associate relationship if the performance of the service 
involves disclosure of protected health information by the covered 
entity to the business associate.

Designated Record Set

    In the proposed rule, we defined designated record set as ``a group 
of records under the control of a covered entity from which information 
is retrieved by the name of the individual or by some identifying 
number, symbol, or other identifying particular assigned to the 
individual and which is used by the covered entity to make decisions 
about the individual.'' We defined a ``record'' as ``any item, 
collection, or grouping of protected health information maintained, 
collected, used, or disseminated by a covered entity.''
    In the final rule, we modify the definition of designated record 
set to specify certain records maintained by or for a covered entity 
that are always part of a covered entity's designated record sets and 
to include other records that are used to make decisions about 
individuals. We do not use the means of retrieval of a record as a 
defining criterion.
    For health plans, designated record sets include, at a minimum, the 
enrollment, payment, claims adjudication, and case or medical 
management record systems of the plan. For covered health care 
providers, designated record sets include, at a minimum, the medical 
record and billing record about individuals maintained by or for the 
provider. In addition to these records, designated record sets include 
any other group of records that are used, in whole or in part, by or 
for a covered entity to make decisions about individuals. We note that 
records that otherwise meet the definition of designated record set and 
which are held by a business associate of the covered entity are part 
of the covered entity's designated record sets. Although we do not 
specify particular types of records that are always included in the 
designated record sets of clearinghouses when they are not acting as 
business associates, this definition includes a group of records that 
such a clearinghouse uses, in whole or in part, to make decisions about 
individuals.
    For the most part we retain, with slight modifications, the 
definition of ``record,'' defining it as any item, collection, or 
grouping of information that includes protected health information and 
is maintained, collected, used, or disseminated.

Direct Treatment Relationship

    This term was not included in the proposed rule. Direct treatment 
relationship means a relationship between a health care provider and an 
individual that is not an indirect treatment relationship (see 
definition of indirect treatment relationship, below). For example, 
outpatient pharmacists and Web-based providers generally have direct 
treatment relationships with patients. Outpatient pharmacists fill 
prescriptions written by other providers, but they furnish the 
prescription and advice about the prescription directly to the patient, 
not through another treating provider. Web-based providers generally 
deliver health care independently, without the orders of another 
provider.
    A provider may have direct treatment relationships with some 
patients and indirect treatment relationships with others. In some 
provisions of the final rule, providers with indirect treatment 
relationships are excepted from requirements that apply to other 
providers. See Sec. 164.506 regarding consent for uses and disclosures 
of protected health information for treatment, payment, and health care 
operations, and Sec. 164.520 regarding notice of information practices. 
These exceptions apply only with respect to the individuals with whom 
the provider has an indirect treatment relationship.

Disclosure

    We proposed to define ``disclosure'' to mean the release, transfer, 
provision of access to, or divulging in any other manner of information 
outside the entity holding the information. The final rule is 
unchanged. We note that the transfer of protected health information 
from a covered entity to a business associate is a disclosure for 
purposes of this regulation.

Health Care Operations

    The preamble to the proposed rule explained that in order for 
treatment and payment to occur, protected health 
information must be used within entities and shared with business 
partners. In the proposed rule we provided a definition for ``health 
care operations'' to clarify the activities we considered to be 
``compatible with and directly related to'' treatment and payment and 
for which protected health information could be used or disclosed 
without individual authorization. These activities included conducting 
quality assessment and improvement activities, reviewing the competence 
or qualifications and accrediting/licensing of health care 
professionals and plans, evaluating health care professional and health 
plan performance, training future health care professionals, insurance 
activities relating to the renewal of a contract for insurance, 
conducting or arranging for medical review and auditing services, and 
compiling and analyzing information in anticipation of or for use in a 
civil or criminal legal proceeding. Recognizing the dynamic nature of 
the health care industry, we acknowledged that the specified categories 
may need to be modified as the industry evolves.
    The preamble discussion of the proposed general rules listed 
certain activities that would not be considered health care operations 
because they were sufficiently unrelated to treatment and payment to 
warrant requiring an individual to authorize such use or disclosure. 
Those activities included: marketing of health and non-health items and 
services; disclosure of protected health information for sale, rent or 
barter; use of protected health information by a non-health related 
division of an entity; disclosure of protected health information for 
eligibility, enrollment, underwriting, or risk rating determinations 
prior to an individual's enrollment in a health plan; disclosure to an 
employer for employment determinations; and fundraising.
    In the final rule, we do not change the general approach of 
defining health care operations: health care operations are the listed 
activities undertaken by the covered entity that maintains the 
protected health information (i.e., one covered entity may not disclose 
protected health information for the operations of a second covered 
entity); a covered entity may use any protected health information it 
maintains for its operations (e.g., a plan may use protected health 
information about former enrollees as well as current enrollees); we 
expand the proposed list to reflect many changes requested by 
commenters.
    We modify the proposal that health care operations represent 
activities ``in support of'' treatment and payment functions. Instead, 
in the final rule, health care operations are the enumerated activities 
to the extent that the activities are related to the covered entity's 
functions as a health care provider, health plan or health care 
clearinghouse, i.e., the entity's ``covered functions.'' We make this 
change to clarify that health care operations includes general 
administrative and business functions necessary for the covered entity 
to remain a viable business. While it is possible to draw a connection 
between all the enumerated activities and ``treatment and payment,'' 
for some general business activities (e.g., audits for financial 
disclosure statements) that connection may be tenuous. The proposed 
concept also did not include the operations of those health care 
clearinghouses that may be covered by this rule outside their status as 
business associate to a covered entity. We expand the definition to 
include disclosures for the enumerated activities of organized health 
care arrangements in which the covered entity participates. See also 
the definition of organized health care arrangements, below.
    In addition, we make the following changes and additions to the 
enumerated subparagraphs:
    (1) We add language to clarify that the primary purpose of the 
studies encompassed by ``quality assessment and improvement 
activities'' must not be to obtain generalizable knowledge. A study 
with such a purpose would meet the rule's definition of research, and 
use or disclosure of protected health information would have to meet 
the requirements of Secs. 164.508 or 164.512(i). Thus, studies may be 
conducted as a health care operation if development of generalizable 
knowledge is not the primary goal. However, if the study changes and 
the covered entity intends the results to be generalizable, the change 
should be documented by the covered entity as proof that, when 
initiated, the primary purpose was health care operations.
    We add population-based activities related to improving health or 
reducing health care costs, protocol development, case management and 
care coordination, contacting of health care providers and patients 
with information about treatment alternatives, and related functions 
that do not entail direct patient care. Many commenters recommended 
adding the term ``disease management'' to health care operations. We 
were unable, however, to find a generally accepted definition of the 
term. Rather than rely on this label, we include many of the functions 
often included in discussions of disease management in this definition 
or in the definition of treatment. This topic is discussed further in 
the comment responses below.
    (2) We have deleted ``undergraduate and graduate'' as a qualifier 
for ``students,'' to make the term more general and inclusive. We add 
the term ``practitioners.'' We expand the purposes encompassed to 
include situations in which health care providers are working to 
improve their skills. The rule also adds the training of non-health 
care professionals.
    (3) The rule expands the range of insurance related activities to 
include those related to the creation, renewal or replacement of a 
contract for health insurance or health benefits, as well as ceding, 
securing, or placing a contract for reinsurance of risk relating to 
claims for health care (including stop-loss and excess of loss 
insurance). For these activities, we also eliminate the proposed 
requirement that these uses and disclosures apply only to protected 
health information about individuals already enrolled in a health plan. 
Under this provision, a group health plan that wants to replace its 
insurance carrier may disclose certain protected health information to 
insurance issuers in order to obtain bids on new coverage, and an 
insurance carrier interested in bidding on new business may use 
protected health information obtained from the potential new client to 
develop the product and pricing it will offer. For circumstances in 
which no new contract is issued, we add a provision in Sec. 164.514(g) 
restricting the recipient health plan from using or disclosing 
protected health information obtained for this purpose, other than as 
required by law. Uses and disclosures in these cases come within the 
definition of ``health care operations,'' provided that the 
requirements of Sec. 164.514(g) are met, if applicable. See 
Sec. 164.504(f) for requirements for such disclosures by group health 
plans, as well as specific restrictions on the information that may be 
disclosed to plan sponsors for such purposes. We note that a covered 
health care provider must obtain an authorization under Sec. 164.508 in 
order to disclose protected health information about an individual for 
purposes of pre-enrollment underwriting; the underwriting is not an 
``operation'' of the provider and that disclosure is not otherwise 
permitted by a provision of this rule.
    (4) We delete reference to the ``compiling and analyzing 
information in anticipation of or for use in a civil or criminal legal 
proceeding'' and replace it with a broader reference to 
conducting or arranging for ``legal services.''
    We add two new categories of activities:
    (5) Business planning and development, such as conducting cost-
management and planning-related analyses related to managing and 
operating the entity, including formulary development and 
administration, development or improvement of methods of payment or 
coverage policies.
    (6) Business management activities and general administrative 
functions, such as management activities relating to implementation of 
and compliance with the requirements of this subchapter, fundraising 
for the benefit of the covered entity to the extent permitted without 
authorization under Sec. 164.514(f), and marketing of certain services 
to individuals served by the covered entity, to the extent permitted 
without authorization under Sec. 164.514(e) (see discussion in the 
preamble to that section, below). For example, under this category we 
permit uses or disclosures of protected health information to determine 
from whom an authorization should be obtained, for example to generate 
a mailing list of individuals who would receive an authorization 
request.
    We add to the definition of health care operations disclosure of 
protected health information for due diligence to a covered entity that 
is a potential successor in interest. This provision includes 
disclosures pursuant to the sale of a covered entity's business as a 
going concern, mergers, acquisitions, consolidations, and other similar 
types of corporate restructuring between covered entities, including a 
division of a covered entity, and to an entity that is not a covered 
entity but will become a covered entity if the transfer or sale is 
completed. Other types of sales of assets, or disclosures to 
organizations that are not and would not become covered entities, are 
not included in the definition of health care operations and could only 
occur if the covered entity obtained valid authorization for such 
disclosure in accordance with Sec. 164.508, or if the disclosure is 
otherwise permitted under this rule.
    We also add to health care operations disclosure of protected 
health information for resolution of internal grievances. These uses 
and disclosures include disclosure to an employee and/or employee 
representative, for example when the employee needs protected health 
information to demonstrate that the employer's allegations of improper 
conduct are untrue. We note that such employees and employee 
representatives are not providing services to or for the covered 
entity, and, therefore, no business associate contract is required. 
Also included are resolution of disputes from patients or enrollees 
regarding the quality of care and similar matters.
    We also add use for customer service, including the provision of 
data and statistical analyses for policyholders, plan sponsors, or 
other customers, as long as the protected health information is not 
disclosed to such persons. We recognize that part of the general 
management of a covered entity is customer service. We clarify that 
customer service may include the use of protected health information to 
provide data and statistical analyses. For example, a plan sponsor may 
want to understand why its costs are rising faster than average, or why 
utilization in one plant location is different than in another 
location. An association that sponsors an insurance plan for its 
members may want information on the relative costs of its plan in 
different areas. Some plan sponsors may want more detailed analyses 
that attempt to identify health problems in a work site. We note that 
when a plan sponsor has several different group health plans, or when 
such plans provide insurance or coverage through more than one health 
insurance issuer or HMO, the covered entities may jointly engage in 
this type of analysis as a health care operation of the organized 
health care arrangement.
    This activity qualifies as a health care operation only if it does 
not result in the disclosure of protected health information to the 
customer. The results of the analyses must be presented in a way that 
does not disclose protected health information. A disclosure of 
protected health information to the customer as a health care operation 
under this provision violates this rule. This provision is not intended 
to permit covered entities to circumvent other provisions in this rule, 
including requirements relating to disclosures of protected health 
information to plan sponsors or the requirements relating to research. 
See Sec. 164.504(f) and Sec. 164.512(i).
    We use the term customer to provide flexibility to covered 
entities. We do not intend the term to apply to persons with whom the 
covered entity has no other business; this provision is intended to 
permit covered entities to provide service to their existing customer 
base.
    We note that this definition, either alone or in conjunction with 
the definition of ``organized health care arrangement,'' allows an 
entity such as an integrated staff model HMO, whether it is legally 
integrated or a group of associated entities that hold themselves out 
as an organized arrangement, to share protected health information 
under Sec. 164.506. In these cases, the sharing of protected health 
information will be either for the operations of the disclosing entity 
or for the organized health care arrangement in which the entity is 
participating.
    Whether a disclosure is allowable for health care operations under 
this provision is determined separately from whether a business 
associate contract is required. These provisions of the rule operate 
independently. Disclosures for health care operations may be made to an 
entity that is neither a covered entity nor a business associate of the 
covered entity. For example, a covered academic medical center may 
disclose certain protected health information to community health care 
providers who participate in one of its continuing medical education 
programs, whether or not such providers are covered health care 
providers under this rule. A provider attending a continuing education 
program is not thereby performing services for the covered entity 
sponsoring the program and, thus, is not a business associate for that 
purpose. Similarly, health plans may disclose for due diligence 
purposes to another entity that may or may not be a covered entity or a 
business associate.

Health Oversight Agency

    The proposed rule would have defined ``health oversight agency'' as 
``an agency, person, or entity, including the employees or agents 
thereof, (1) That is: (i) A public agency; or (ii) A person or entity 
acting under grant of authority from or contract with a public agency; 
and (2) Which performs or oversees the performance of any audit; 
investigation; inspection; licensure or discipline; civil, criminal, or 
administrative proceeding or action; or other activity necessary for 
appropriate oversight of the health care system, of government benefit 
programs for which health information is relevant to beneficiary 
eligibility, or of government regulatory programs for which health 
information is necessary for determining compliance with program 
standards.'' The proposed rule also described the functions of health 
oversight agencies in the proposed health oversight section 
(Sec. 164.510(c)) by repeating much of this definition.
    In the final rule, we modify the definition of health oversight 
agency by eliminating from the definition the language in proposed 
Sec. 164.510(c) (now Sec. 164.512(d)). In addition, the final rule 
clarifies this definition by specifying that a ``health oversight 
agency'' is an agency or authority of the United States,

[[Page 82492]]

a state, a territory, a political subdivision of a state or territory, 
or an Indian tribe, or a person or entity acting under a grant of 
authority from or contract with such public agency, including the 
employees or agents of such public agency or its contractors or 
grantees, that is authorized by law to oversee the health care system 
or government programs in which health information is necessary to 
determine eligibility or compliance, or to enforce civil rights laws 
for which health information is relevant.
    The preamble to the proposed rule listed the following as examples 
of health oversight agencies that conduct oversight activities relating 
to the health care system: state insurance commissions, state health 
professional licensure agencies, Offices of Inspectors General of 
federal agencies, the Department of Justice, state Medicaid fraud 
control units, Defense Criminal Investigative Services, the Pension and 
Welfare Benefits Administration, the HHS Office for Civil Rights, and 
the FDA. The proposed rule listed the Social Security Administration 
and the Department of Education as examples of health oversight 
agencies that conduct oversight of government benefit programs for 
which health information is relevant to beneficiary eligibility. The 
proposed rule listed the Occupational Safety and Health Administration 
and the Environmental Protection Agency as examples of oversight 
agencies that conduct oversight of government regulatory programs for 
which health information is necessary for determining compliance with 
program standards.
    In the final rule, we include the following as additional examples 
of health oversight activities: (1) The U.S. Department of Justice's 
civil rights enforcement activities, and in particular, enforcement of 
the Civil Rights of Institutionalized Persons Act (42 U.S.C. 1997-
1997j) and the Americans with Disabilities Act (42 U.S.C. 12101 et 
seq.), as well as the EEOC's civil rights enforcement activities under 
titles I and V of the ADA; (2) the FDA's oversight of food, drugs, 
biologics, devices, and other products pursuant to the Food, Drug, and 
Cosmetic Act (21 U.S.C. 301 et seq.) and the Public Health Service Act 
(42 U.S.C. 201 et seq.); and (3) data analysis, performed by a public 
agency or by a person or entity acting under grant of authority from or 
under contract with a public agency, to detect health care fraud.
    ``Overseeing the health care system,'' which is included in the 
definition of health oversight, encompasses activities such as: 
oversight of health care plans; oversight of health benefit plans; 
oversight of health care providers; oversight of health care and health 
care delivery; oversight activities that involve resolution of consumer 
complaints; oversight of pharmaceuticals, medical products and devices, 
and dietary supplements; and a health oversight agency's analysis of 
trends in health care costs, quality, health care delivery, access to 
care, and health insurance coverage for health oversight purposes.
    We recognize that health oversight agencies, such as the U.S. 
Department of Labor's Pension and Welfare Benefits Administration, may 
perform more than one type of health oversight. For example, agencies 
may sometimes perform audits and investigations and at other times 
conduct general oversight of health benefit plans. Such entities are 
considered health oversight agencies under the rule for any and all of 
the health oversight functions that they perform.
    The definition of health oversight agency does not include private 
organizations, such as private-sector accrediting groups. Accreditation 
organizations are performing health care operations functions on behalf 
of health plans and covered health care providers. Accordingly, in 
order to obtain protected health information without individuals' 
authorizations, accrediting groups must enter into business associate 
agreements with health plans and covered health care providers for 
these purposes. Similarly, private entities, such as coding committees, 
that help government agencies that are health plans make coding and 
payment decisions are performing health care payment functions on 
behalf of the government agencies and, therefore, must enter into business 
associate agreements in order to receive protected health information 
from the covered entity (absent individuals' authorization for such 
disclosure).

Indirect Treatment Relationship

    This term was not included in the proposed rule. An ``indirect 
treatment relationship'' is a relationship between a health care 
provider and an individual in which the provider delivers health care 
to the individual based on the orders of another health care provider 
and the health care services, products, diagnoses, or results are 
typically furnished to the patient through another provider, rather 
than directly. For example, radiologists and pathologists generally 
have indirect treatment relationships with patients because they 
deliver diagnostic services based on the orders of other providers and 
the results of those services are furnished to the patient through the 
direct treating provider. This definition is necessary to clarify the 
relationships between providers and individuals in the regulation. For 
example, see the consent discussion at Sec. 164.506.

Individual

    We proposed to define ``individual'' to mean the person who is the 
subject of the protected health information. We proposed that the term 
include, with respect to the signing of authorizations and other rights 
(such as access, copying, and correction), the following types of legal 
representatives:
    (1) With respect to adults and emancipated minors, legal 
representatives (such as court-appointed guardians or persons with a 
power of attorney), to the extent to which applicable law permits such 
legal representatives to exercise the person's rights in such contexts.
    (2) With respect to unemancipated minors, a parent, guardian, or 
person acting in loco parentis, provided that when a minor lawfully 
obtains a health care service without the consent of or notification to 
a parent, guardian, or other person acting in loco parentis, the minor 
shall have the exclusive right to exercise the rights of an individual 
with respect to the protected health information relating to such care.
    (3) With respect to deceased persons, an executor, administrator, 
or other person authorized under applicable law to act on behalf of the 
decedent's estate.
    In addition, we proposed to exclude from the definition:
    (1) Foreign military and diplomatic personnel and their dependents 
who receive health care provided by or paid for by the Department of 
Defense or other federal agency or by an entity acting on its behalf, 
pursuant to a country-to-country agreement or federal statute.
    (2) Overseas foreign national beneficiaries of health care provided 
by the Department of Defense or other federal agency or by a non-
governmental organization acting on its behalf.
    In the final rule, we eliminate from the definition of 
``individual'' the provisions designating a legal representative as the 
``individual'' for purposes of exercising certain rights with regard to 
protected health information. Instead, we include in the final rule a 
separate standard for ``personal representatives.'' A covered entity 
must treat a personal representative of an individual as the individual 
except under specified circumstances. See discussion in

[[Page 82493]]

Sec. 164.502(g) regarding personal representatives.
    In addition, we eliminate from the definition of ``individual'' the 
above exclusions for foreign military and diplomatic personnel and 
overseas foreign national beneficiaries. We address the special 
circumstances for use and disclosure of protected health information 
about individuals who are foreign military personnel in 
Sec. 164.512(k). We address overseas foreign national beneficiaries in 
Sec. 164.500, ``Applicability.'' The protected health information of 
individuals who are foreign diplomatic personnel and their dependents 
is not subject to special treatment under the final rule.
    Individually identifiable health information about one individual 
may exist in the health records of another individual; health 
information about one individual may include health information about a 
second person. For example, a patient's medical record may contain 
information about the medical conditions of the patient's parents, 
children, and spouse, as well as their names and contact information. 
For the purpose of this rule, if information about a second person is 
included within the protected health information of an individual, the 
second person is not the person who is the subject of the protected 
health information. The second person is not the ``individual'' with 
regard to that protected health information, and under this rule thus 
does not have the individual's rights (e.g., access and amendment) with 
regard to that information.

Individually Identifiable Health Information

    We proposed to define ``individually identifiable health 
information'' to mean information that is a subset of health 
information, including demographic information collected from an 
individual, and that:
    (1) Is created by or received from a health care provider, health 
plan, employer, or health care clearinghouse; and
    (2) Relates to the past, present, or future physical or mental 
health or condition of an individual, the provision of health care to 
an individual, or the past, present, or future payment for the 
provision of health care to an individual, and
    (i) Which identifies the individual, or
    (ii) With respect to which there is a reasonable basis to believe 
that the information can be used to identify the individual.
    In the final rule, we change ``created by or received from a health 
care provider * * *'' to ``created or received by a health care 
provider * * *'' in order to conform to the statute. We otherwise 
retain the definition of ``individually identifiable health 
information'' without change in the final rule.

Inmate

    The proposed rule did not define the term inmate. In the final 
rule, it is defined as a person incarcerated in or otherwise confined 
to a correctional institution. The addition of this definition is 
necessary to explain the privacy rights and protections of inmates in 
this regulation.

Law Enforcement Official

    The proposed rule would have defined a ``law enforcement official'' 
as ``an official of an agency or authority of the United States, a 
state, a territory, a political subdivision of a state or territory, or 
an Indian tribe, who is empowered by law to conduct: (1) An 
investigation or official proceeding inquiring into a violation of, or 
failure to comply with, any law; or (2) a criminal, civil, or 
administrative proceeding arising from a violation of, or failure to 
comply with, any law.''
    The final rule modifies this definition slightly. The definition in 
the final rule recognizes that law enforcement officials are empowered 
to prosecute cases as well as to conduct investigations and civil, 
criminal, or administrative proceedings. In addition, the definition in 
the final rule reflects the fact that when investigations begin, often 
it is not clear that law has been violated. Thus, the final rule 
describes law enforcement investigations and official proceedings as 
inquiring into a potential violation of law. In addition, it describes 
law enforcement-related civil, criminal, or administrative proceedings 
as arising from alleged violation of law.

Marketing

    The proposed rule did not include a definition of ``marketing.'' 
The proposed rule generally required that a covered entity would need 
an authorization from an individual to use or disclose protected health 
information for marketing.
    In the final rule we define marketing as a communication about a 
product or service a purpose of which is to encourage recipients of the 
communication to purchase or use the product or service. The definition 
does not limit the type or means of communication that are considered 
marketing.
    The definition of marketing contains three exceptions. If a covered 
entity receives direct or indirect remuneration from a third party for 
making a written communication otherwise described in an exception, 
then the communication is not excluded from the definition of 
marketing. The activities we except from the definition of marketing 
are encompassed by the definitions of treatment, payment, and health 
care operations. Covered entities may therefore use and disclose 
protected health information for these excepted activities without 
authorization under Sec. 164.508 and pursuant to any applicable consent 
obtained under Sec. 164.506.
    The first exception applies to communications made by a covered 
entity for the purpose of describing the entities participating in a 
provider network or health plan network. It also applies to 
communications made by a covered entity for the purpose of describing 
if and the extent to which a product or service, or payment for a 
product or service, is provided by the covered entity or included in a 
benefit plan. This exception permits covered entities to use or 
disclose protected health information when discussing topics such as 
the benefits and services available under a health plan, the payment 
that may be made for a product or service, which providers offer a 
particular product or service, and whether a provider is part of a 
network or whether (and what amount of) payment will be provided with 
respect to the services of particular providers. This exception 
expresses our intent not to interfere with communications made to 
individuals about their health benefits.
    The second exception applies to communications tailored to the 
circumstances of a particular individual, made by a health care 
provider to an individual as part of the treatment of the individual, 
and for the purpose of furthering the treatment of that individual. 
This exception leaves health care providers free to use or disclose 
protected health information as part of a discussion of its products 
and services, or the products and services of others, and to prescribe, 
recommend, or sell such products or services, as part of the treatment 
of an individual. This exception includes activities such as referrals, 
prescriptions, recommendations, and other communications that address 
how a product or service may relate to the individual's health. This 
exception expresses our intent not to interfere with communications 
made to individuals about their treatment.
    The third exception applies to communications tailored to the

[[Page 82494]]

circumstances of a particular individual and made by a health care 
provider or health plan to an individual in the course of managing the 
treatment of that individual or for the purpose of directing or 
recommending to that individual alternative treatments, therapies, 
providers, or settings of care. As with the previous exception, this 
exception permits covered entities to discuss freely their products and 
services and the products and services of third parties, in the course 
of managing an individual's care or providing or discussing treatment 
alternatives with an individual, even when such activities involve the 
use or disclosure of protected health information.
    Section 164.514 contains provisions governing use or disclosure of 
protected health information in marketing communications, including a 
description of certain marketing communications that may use or include 
protected health information but that may be made by a covered entity 
without individual authorization. The definition of health care 
operations includes those marketing communications that may be made 
without an authorization pursuant to Sec. 164.514. Covered entities may 
therefore use and disclose protected health information for these 
activities pursuant to any applicable consent obtained under 
Sec. 164.506, or, if they are not required to obtain a consent under 
Sec. 164.506, without one.

Organized Health Care Arrangement

    This term was not used in the proposed rule. We define the term in 
order to describe certain arrangements in which participants need to 
share protected health information about their patients to manage and 
benefit the common enterprise. To allow uses and disclosures of 
protected health information for these arrangements, we also add 
language to the definition of ``health care operations.'' See 
discussion of that term above.
    We include five arrangements within the definition of organized 
health care arrangement. The arrangements involve clinical or 
operational integration among legally separate covered entities in 
which it is often necessary to share protected health information for 
the joint management and operations of the arrangement. They may range 
in legal structure, but a key component of these arrangements is that 
individuals who obtain services from them have an expectation that 
these arrangements are integrated and that they jointly manage their 
operations. We include within the definition a clinically integrated 
care setting in which individuals typically receive health care from 
more than one health care provider. Perhaps the most common example of 
this type of organized health care arrangement is the hospital setting, 
where a hospital and a physician with staff privileges at the hospital 
together provide treatment to the individual. Participants in such 
clinically integrated settings need to be able to share health 
information freely not only for treatment purposes, but also to improve 
their joint operations. For example, any physician with staff 
privileges at a hospital must be able to participate in the hospital's 
morbidity and mortality reviews, even when the particular physician's 
patients are not being discussed. Nurses and other hospital personnel 
must also be able to participate. These activities benefit the common 
enterprise, even when the benefits to a particular participant are not 
evident. While protected health information may be freely shared among 
providers for treatment purposes under other provisions of this rule, 
some of these joint activities also support the health care operations 
of one or more participants in the joint arrangement. Thus, special 
rules are needed to ensure that this rule does not interfere with 
legitimate information sharing among the participants in these 
arrangements.
    We also include within the definition an organized system of health 
care in which more than one covered entity participates, and in which 
the participating covered entities hold themselves out to the public as 
participating in a joint arrangement, and in which the joint activities 
of the participating covered entities include at least one of the 
following: utilization review, in which health care decisions by 
participating covered entities are reviewed by other participating 
covered entities or by a third party on their behalf; quality 
assessment and improvement activities, in which treatment provided by 
participating covered entities is assessed by other participating 
covered entities or by a third party on their behalf; or payment 
activities, if the financial risk for delivering health care is shared 
in whole or in part by participating covered entities through the joint 
arrangement and if protected health information created or received by 
a covered entity is reviewed by other participating covered entities or 
by a third party on their behalf for the purpose of administering the 
sharing of financial risk. A common example of this type of organized 
health care arrangement is an independent practice association formed 
by a large number of physicians. They may advertise themselves as a 
common enterprise (e.g., Acme IPA), whether or not they are under 
common ownership or control, whether or not they practice together in 
an integrated clinical setting, and whether or not they share financial 
risk.
    If such a group engages jointly in one or more of the listed 
activities, the participating covered entities will need to share 
protected health information to undertake such activities and to 
improve their joint operations. In this example, the physician 
participants in the IPA may share financial risk through common 
withhold pools with health plans or similar arrangements. The IPA 
participants who manage the financial arrangements need protected 
health information about all the participants' patients in order to 
manage the arrangement. (The participants may also hire a third party 
to manage their financial arrangements.) If the participants in the IPA 
engage in joint quality assurance or utilization review activities, 
they will need to share protected health information about their 
patients much as participants in an integrated clinical setting would. 
Many joint activities that require the sharing of protected health 
information benefit the common enterprise, even when the benefits to a 
particular participant are not evident.
    We include three relationships related to group health plans as 
organized health care arrangements. First, we include a group health 
plan and an issuer or HMO with respect to the group health plan within 
the definition, but only with respect to the protected health 
information of the issuer or HMO that relates to individuals who are or 
have been participants or beneficiaries in the group health plan. We 
recognize that many group health plans are funded partially or fully 
through insurance, and that in some cases the group health plan and 
issuer or HMO need to coordinate operations to properly serve the 
enrollees. Second, we include a group health plan and one or more other 
group health plans each of which are maintained by the same plan 
sponsor. We recognize that in some instances plan sponsors provide 
health benefits through a combination of group health plans, and that 
they may need to coordinate the operations of such plans to better 
serve the participants and beneficiaries of the plans. Third, we 
include a combination of group health plans maintained by the same plan 
sponsor and the health insurance issuers and HMOs with respect to such 
plans, but again only with respect to the protected health information 
of such issuers and HMOs that relates to

[[Page 82495]]

individuals who are or have been enrolled in such group health plans. 
We recognize that in some instances a plan sponsor may provide benefits 
through more than one group health plan, and that such plans may fund 
the benefits through one or more issuers or HMOs. Again, coordinating 
health care operations among these entities may be necessary to serve 
the participants and beneficiaries in the group health plans. We note 
that the necessary coordination may involve the business 
associates of the covered entities and may involve the participation of 
the plan sponsor to the extent that it is providing plan administration 
functions and subject to the limits in Sec. 164.504.

Payment

    We proposed the term payment to mean:
    (1) The activities undertaken by or on behalf of a covered entity 
that is:
    (i) A health plan, or by a business partner on behalf of a health 
plan, to obtain premiums or to determine or fulfill its responsibility 
for coverage under the health plan and for provision of benefits under 
the health plan; or
    (ii) A health care provider or health plan, or a business partner 
on behalf of such provider or plan, to obtain reimbursement for the 
provision of health care.
    (2) Activities that constitute payment include:
    (i) Determinations of coverage, adjudication or subrogation of 
health benefit claims;
    (ii) Risk adjusting amounts due based on enrollee health status and 
demographic characteristics;
    (iii) Billing, claims management, and medical data processing;
    (iv) Review of health care services with respect to medical 
necessity, coverage under a health plan, appropriateness of care, or 
justification of charges; and
    (v) Utilization review activities, including precertification and 
preauthorization of services.
    In the final rule, we maintain the general approach to defining 
payment: payment activities are described generally in the first clause 
of the definition, and specific examples are given in the second 
clause. Payment activities relate to the covered entity that maintains 
the protected health information (i.e., one covered entity may not 
disclose protected health information for the payment activities of a 
second covered entity). A covered entity may use or disclose only the 
protected health information about the individual to whom care was 
rendered, for its payment activities (e.g., a provider may disclose 
protected health information only about the patient to whom care was 
rendered in order to obtain payment for that care, or only the 
protected health information about persons enrolled in the particular 
health plan that seeks to audit the provider's records). We expand the 
proposed list to reflect many changes requested by commenters.
    We add eligibility determinations as an activity included in the 
definition of payment. We expand coverage determinations to include the 
coordination of benefits and the determination of a specific 
individual's cost sharing amounts. The rule deletes activities related 
to the improvement of methods of paying or coverage policies from this 
definition and instead includes them in the definition of health care 
operations. We add to the definition ``collection activities.'' We 
replace ``medical data processing'' activities with health care data 
processing related to billing, claims management, and collection 
activities. We add activities for the purpose of obtaining payment 
under a contract for reinsurance (including stop-loss and excess of 
loss insurance). Utilization review activities now include concurrent 
and retrospective review of services.
    In addition, we modify this definition to clarify that the 
activities described in section 1179 of the Act are included in the 
definition of ``payment.'' We add new subclause (vi) allowing covered 
entities to disclose to consumer reporting agencies an individual's 
name, address, date of birth, social security number and payment 
history, account number, as well as the name and address of the 
individual's health care provider and/or health plan, as appropriate. 
Covered entities may make disclosure of this protected health 
information to consumer reporting agencies for purposes related to 
collection of premiums or reimbursement. This allows reporting not just 
of missed payments and overdue debt but also of subsequent positive 
payment experience (e.g., to expunge the debt). We consider such 
positive payment experience to be ``related to'' collection of premiums 
or reimbursement.
    The remaining activities described in section 1179 are included in 
other language in this definition. For example, ``authorizing, 
processing, clearing, settling, billing, transferring, reconciling or 
collecting, a payment for, or related to, health plan premiums or 
health care'' are covered by paragraph (2)(iii) of the definition, 
which allows use and disclosure of protected health information for 
``billing, claims management, collection activities and related health 
care data processing.'' ``Claims management'' also includes auditing 
payments, investigating and resolving payment disputes and responding 
to customer inquiries regarding payments. Disclosure of protected 
health information for compliance with civil or criminal subpoenas, or 
with other applicable laws, is covered under Sec. 164.512 of this 
regulation. (See discussion above regarding the interaction between 
1179 and this regulation.)
    We modify the proposed regulation text to clarify that payment 
includes activities undertaken to reimburse health care providers for 
treatment provided to individuals.
    Covered entities may disclose protected health information for 
payment purposes to any other entity, regardless of whether it is a 
covered entity. For example, a health care provider may disclose 
protected health information to a financial institution in order to 
cash a check or to a health care clearinghouse to initiate electronic 
transactions. However, if a covered entity engages another entity, such 
as a billing service or a financial institution, to conduct payment 
activities on its behalf, the other entity may meet the definition of 
``business associate'' under this rule. For example, an entity is 
acting as a business associate when it is operating the accounts 
receivable system on behalf of a health care provider.
    Similarly, payment includes disclosure of protected health 
information by a health care provider to an insurer that is not a 
``health plan'' as defined in this rule, to obtain payment. For 
example, protected health information may be disclosed to obtain 
reimbursement from a disability insurance carrier. We do not interpret 
the definition of ``payment'' to include activities that involve the 
disclosure of protected health information by a covered entity, 
including a covered health care provider, to a plan sponsor for the 
purpose of obtaining payment under a group health plan maintained by 
such plan sponsor, or for the purpose of obtaining payment from a 
health insurance issuer or HMO with respect to a group health plan 
maintained by such plan sponsor, unless the plan sponsor is performing 
plan administration pursuant to Sec. 164.504(f).
    The Transactions Rule adopts standards for electronic health care 
transactions, including two for processing payments. We adopted the ASC 
X12N 835 transaction standard for ``Health Care Payment and Remittance

[[Page 82496]]

Advice'' transactions between health plans and health care providers, 
and the ASC X12N 820 standard for ``Health Plan Premium Payments'' 
transactions between entities that arrange for the provision of health 
care or provide health care coverage payments and health plans. Under 
these two transactions, information to effect funds transfer is 
transmitted in a part of the transaction separable from the part 
containing any individually identifiable health information.
    We note that a covered entity may conduct the electronic funds 
transfer portion of the two payment standard transactions with a 
financial institution without restriction, because it contains no 
protected health information. The protected health information 
contained in the electronic remittance advice or the premium payment 
enrollee data portions of the transactions is not necessary either to 
conduct the funds transfer or to forward the transactions. Therefore, a 
covered entity may not disclose the protected health information to a 
financial institution for these purposes. A covered entity may transmit 
the portions of the transactions containing protected health 
information through a financial institution if the protected health 
information is encrypted so it can be read only by the intended 
recipient. In such cases no protected health information is disclosed 
and the financial institution is acting solely as a conduit for the 
individually identifiable data.
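The separation described above, as an added illustration that is not part of the rule or of any X12 implementation: the funds-transfer fields travel in the clear for the financial institution to act on, while the remittance-advice fields carrying protected health information cross the institution only as ciphertext the provider alone can open. A stdlib-only encrypt-then-MAC construction built from HMAC-SHA256 stands in for a real AEAD such as AES-GCM, and every account number, claim value and the shared secret is a constructed sample value.

```python
import hashlib
import hmac
import json
import os

# Constructed sample transaction; illustrative values only, not real
# X12N 835/820 segments and not real account or claim numbers.
SAMPLE_TRANSACTION = {
    "funds_transfer": {          # the part the financial institution needs
        "payer_account": "PLAN-ACCT-0001",
        "payee_account": "PROVIDER-ACCT-0042",
        "amount_cents": 125000,
        "trace_number": "TRN-0001",
    },
    "remittance_advice": {       # the part carrying protected health information
        "patient_name": "Example Patient",
        "claim_number": "CLM-77001",
        "service_codes": ["99213", "80053"],
        "paid_cents": 125000,
    },
}

NONCE_LEN, TAG_LEN = 16, 32


def derive_keys(shared_secret: bytes) -> tuple:
    """Split a secret shared only by plan and provider into separate
    encryption and MAC keys (HMAC-SHA256 doing duty as the KDF)."""
    enc_key = hmac.new(shared_secret, b"remittance-enc", hashlib.sha256).digest()
    mac_key = hmac.new(shared_secret, b"remittance-mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a stand-in for a real cipher such as AES-GCM."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(4, "big"),
                               hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def seal(plaintext: bytes, shared_secret: bytes) -> bytes:
    """Encrypt-then-MAC; output layout is nonce || ciphertext || tag."""
    enc_key, mac_key = derive_keys(shared_secret)
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_sealed(blob: bytes, shared_secret: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; anything altered in
    transit, or sealed under a different secret, is rejected."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("sealed remittance advice is truncated")
    enc_key, mac_key = derive_keys(shared_secret)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("remittance advice failed integrity check")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def build_envelope(transaction: dict, shared_secret: bytes) -> dict:
    """Health plan side: funds-transfer fields in the clear, PHI sealed for the provider."""
    phi = json.dumps(transaction["remittance_advice"], sort_keys=True).encode()
    return {
        "funds_transfer": transaction["funds_transfer"],
        "remittance_advice_sealed": seal(phi, shared_secret).hex(),
    }


def values_readable_by_conduit(envelope: dict, values) -> list:
    """Release check: which of the given values appear in the envelope as it
    goes on the wire, i.e. are readable by the financial institution?"""
    wire = json.dumps(envelope, sort_keys=True)
    return [v for v in values if str(v) in wire]


def financial_institution_forward(envelope: dict) -> dict:
    """Conduit: posts the funds transfer and forwards the sealed part untouched."""
    ft = envelope["funds_transfer"]
    ledger_entry = {"debit": ft["payer_account"], "credit": ft["payee_account"],
                    "amount_cents": ft["amount_cents"]}
    return {"ledger_entry": ledger_entry, "forwarded": dict(envelope)}


def provider_receive(envelope: dict, shared_secret: bytes) -> dict:
    """Intended recipient: the only other holder of the secret, so the only
    party that can read the remittance advice."""
    sealed = bytes.fromhex(envelope["remittance_advice_sealed"])
    return json.loads(open_sealed(sealed, shared_secret))


if __name__ == "__main__":
    secret = b"constructed-shared-secret"   # constructed; a real deployment exchanges this out of band
    envelope = build_envelope(SAMPLE_TRANSACTION, secret)
    print("readable by conduit:", values_readable_by_conduit(
        envelope, ["Example Patient", "CLM-77001", "PROVIDER-ACCT-0042"]))
    hop = financial_institution_forward(envelope)
    print("provider sees:", provider_receive(hop["forwarded"], secret))
```

The release check is the part worth keeping in a real pipeline: run it against every outbound envelope with the patient-identifying fields of the remittance, and anything it returns is a disclosure to the conduit rather than a pass-through.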

Plan Sponsor

    In the final rule we add a definition of ``plan sponsor.'' We 
define plan sponsor by referencing the definition of the term provided 
in (3)(16)(B) of the Employee Retirement Income Security Act (ERISA). 
The plan sponsor is the employer or employee organization, or both, 
that establishes and maintains an employee benefit plan. In the case of 
a plan established by two or more employers, it is the association, 
committee, joint board of trustees, or other similar group or 
representative of the parties that establish and maintain the employee 
benefit plan. This term includes church health plans and government 
health plans. Group health plans may disclose protected health 
information to plan sponsors who conduct payment and health care 
operations activities on behalf of the group health plan if the 
requirements for group health plans in Sec. 164.504 are met.
    The preamble to the Transactions Rule noted that plan sponsors of 
group health plans are not covered entities and, therefore, are not 
required to use the standards established in that regulation to perform 
electronic transactions, including enrollment and disenrollment 
transactions. We do not change that policy through this rule. Plan 
sponsors that perform enrollment functions are doing so on behalf of 
the participants and beneficiaries of the group health plan and not on 
behalf of the group health plan itself. For purposes of this rule, plan 
sponsors are not subject to the requirements of Sec. 164.504 regarding 
group health plans when conducting enrollment activities.

Protected Health Information

    We proposed to define ``protected health information'' to mean 
individually identifiable health information that is or has been 
electronically maintained or electronically transmitted by a covered 
entity, as well as such information when it takes any other form. For 
purposes of this definition, we proposed to define ``electronically 
transmitted'' as including information exchanged with a computer using 
electronic media, such as the movement of information from one location 
to another by magnetic or optical media, transmissions over the 
Internet, Extranet, leased lines, dial-up lines, private networks, 
telephone voice response, and ``faxback'' systems. We proposed that 
this definition not include ``paper-to-paper'' faxes, or person-to-
person telephone calls, video teleconferencing, or messages left on 
voice-mail.
    Further, ``electronically maintained'' was proposed to mean 
information stored by a computer or on any electronic medium from which 
the information may be retrieved by a computer, such as electronic 
memory chips, magnetic tape, magnetic disk, or compact disc optical 
media.
    The proposal's definition explicitly excluded:
    (1) Individually identifiable health information that is part of an 
``education record'' governed by the Family Educational Rights and 
Privacy Act (FERPA), 20 U.S.C. 1232g.
    (2) Individually identifiable health information of inmates of 
correctional facilities and detainees in detention facilities.
    In this final rule we expand the definition of protected health 
information to encompass all individually identifiable health 
information transmitted or maintained by a covered entity, regardless 
of form. Specifically, we delete the conditions for individually 
identifiable health information to be ``electronically maintained'' or 
``electronically transmitted'' and the corresponding definitions of 
those terms. Instead, the final rule defines protected health 
information to be individually identifiable health information that is:
    (1) Transmitted by electronic media;
    (2) Maintained in any medium described in the definition of 
electronic media at Sec. 162.103 of this subchapter; or
    (3) Transmitted or maintained in any other form or medium.
    We refer to electronic media, as defined in Sec. 162.103, which 
means the mode of electronic transmission. It includes the Internet 
(wide-open), Extranet (using Internet technology to link a business 
with information only accessible to collaborating parties), leased 
lines, dial-up lines, private networks, and those transmissions that 
are physically moved from one location to another using magnetic tape, 
disk, or compact disk media.
    The definition of protected health information is set out in this 
form to emphasize the severability of this provision. As discussed 
below, we believe we have ample legal authority to cover all 
individually identifiable health information transmitted or maintained 
by covered entities. We have structured the definition this way so 
that, if a court were to disagree with our view of our authority in 
this area, the rule would still be operational, albeit with respect to 
a more limited universe of information.
    Other provisions of the rules below may also be severable, 
depending on their scope and operation. For example, if the rule itself 
provides a fallback, as it does with respect to the various 
discretionary uses and disclosures permitted under Sec. 164.512, the 
provisions would be severable under case law.
    The definition in the final rule retains the exception relating to 
individually identifiable health information in ``education records'' 
governed by FERPA. We also exclude the records described in 20 U.S.C. 
1232g(a)(4)(B)(iv). These are records of students held by post-
secondary educational institutions or of students 18 years of age or 
older, used exclusively for health care treatment and which have not 
been disclosed to anyone other than a health care provider at the 
student's request. (See discussion of FERPA above.)
    We have removed the exception for individually identifiable health 
information of inmates of correctional facilities and detainees in 
detention facilities. Individually identifiable health information 
about inmates is protected health information under the final rule, and 
special rules for use and disclosure of the protected health

[[Page 82497]]

information about inmates and their ability to exercise the rights 
granted in this rule are described below.

Psychotherapy Notes

    Section 164.508(a)(3)(iv)(A) of the proposed rule defined 
psychotherapy notes as notes recorded (in any medium) by a health care 
provider who is a mental health professional documenting or analyzing 
the contents of conversation during a private counseling session or a 
group, joint, or family counseling session. The proposed definition 
excluded medication prescription and monitoring, counseling session 
start and stop times, the modalities and frequencies of treatment 
furnished, results of clinical tests, and any summary of the following 
items: Diagnosis, functional status, the treatment plan, symptoms, 
prognosis and progress. Furthermore, we stated in the preamble of the 
proposed rule that psychotherapy notes would have to be maintained 
separately from the medical record.
    In this final rule, we retain the definition of psychotherapy notes 
that we had proposed, but add to the regulation text the requirement 
that, to meet the definition of psychotherapy notes, the information 
must be separated from the rest of the individual's medical record.

Public Health Authority

    The proposed rule would have defined ``public health authority'' as 
``an agency or authority of the United States, a state, a territory, or 
an Indian tribe that is responsible for public health matters as part 
of its official mandate.''
    The final rule changes this definition slightly to clarify that a 
``public health authority'' also includes a person or entity acting 
under a grant of authority from or contract with a public health 
agency. Therefore, the final rule defines this term as an agency or 
authority of the United States, a state, a territory, a political 
subdivision of a state or territory, or an Indian tribe, or a person or 
entity acting under a grant of authority from or contract with such 
public agency, including the employees or agents of such public agency 
or its contractors or persons or entities to whom it has granted 
authority, that is responsible for public health matters as part of its 
official mandate.

Required By Law

    In the preamble to the NPRM, we did not include a definition of 
``required by law.'' We discussed what it meant for an action to be 
considered to be ``required'' or ``mandated'' by law and included 
several examples of activities that would be considered as required by 
law for the purposes of the proposed rule; for example, disclosure 
pursuant to a valid Inspector General subpoena, grand jury subpoena, 
civil investigative demand, or a statute or regulation requiring 
production of information justifying a claim would constitute a 
disclosure required by law.
    In the final rule we include a new definition, move the preamble 
clarifications to the regulatory text and add several items to the 
illustrative list. For purposes of this regulation, ``required by law'' 
means a mandate contained in law that compels a covered entity to make 
a use or disclosure of protected health information and that is 
enforceable in a court of law. Among the examples listed in the definition 
are Medicare conditions of participation with respect to health care 
providers participating in that program, court-ordered warrants, and 
subpoenas issued by a court. We note that disclosures ``required by 
law'' include disclosures of protected health information required by 
this regulation in Sec. 164.502(a)(2). It does not include contracts 
between private parties or similar voluntary arrangements. This list is 
illustrative only and is not intended in any way to limit the scope of 
this paragraph or other paragraphs in Sec. 164.512 that permit uses or 
disclosures to the extent required by other laws. We note that nothing 
in this rule compels a covered entity to make a use or disclosure 
required by the legal demands or prescriptions listed in this 
clarification or by any other law or legal process, and a covered 
entity remains free to challenge the validity of such laws and 
processes.

Research

    We proposed to define ``research'' as it is defined in the Federal 
Policy for the Protection of Human Subjects, at 45 CFR part 46, subpart 
A (referred to elsewhere in this rule as ``Common Rule''), and in 
addition, elaborated on the meaning of the term ``generalizable 
knowledge.'' In Sec. 164.504 of the proposed rule we defined research 
as ``* * * a systematic investigation, including research development, 
testing and evaluation, designed to develop or contribute to 
generalizable knowledge. `Generalizable knowledge' is knowledge related 
to health that can be applied to populations outside of the population 
served by the covered entity.''
    The final rule eliminates the further elaboration of 
``generalizable knowledge.'' Therefore, the rule defines ``research'' 
as the term is defined in the Common Rule: a systematic investigation, 
including research development, testing and evaluation, designed to 
develop or contribute to generalizable knowledge.

Research Information Unrelated to Treatment

    We delete this definition and the associated requirements from the 
final rule. Refer to Sec. 164.508(f) for new requirements regarding 
authorizations for research that includes treatment of the individual.

Treatment

    The proposed rule defined ``treatment'' as the provision of health 
care by, or the coordination of health care (including health care 
management of the individual through risk assessment, case management, 
and disease management) among, health care providers; the referral of a 
patient from one provider to another; or the coordination of health 
care or other services among health care providers and third parties 
authorized by the health plan or the individual. The preamble noted 
that the definition was intended to relate only to services provided to 
an individual and not to an entire enrolled population.
    In the final rule, we do not change the general approach to 
defining treatment: treatment means the listed activities undertaken by 
any health care provider, not just a covered health care provider. A 
plan can disclose protected health information to any health care 
provider to assist the provider's treatment activities; and a health 
care provider may use protected health information about an individual 
to treat another individual. A health care provider may use any 
protected health information it maintains for treatment purposes (e.g., 
a provider may use protected health information about former patients 
as well as current patients). We modify the proposed list of treatment 
activities to reflect changes requested by commenters.
    Specifically, we modify the proposed definition of ``treatment'' to 
include the management of health care and related services. Under the 
definition, the provision, coordination, or management of health care 
or related services may be undertaken by one or more health care 
providers. ``Treatment'' includes coordination or management by a 
health care provider with a third party and consultation between health 
care providers. The term also includes referral by a health care 
provider of a patient to another health care provider.
    Treatment refers to activities undertaken on behalf of a single 
patient, not a population. Activities are considered treatment only if 
delivered

[[Page 82498]]

by a health care provider or a health care provider working with 
another party. Activities of health plans are not considered to be 
treatment. Many services, such as a refill reminder communication or 
nursing assistance provided through a telephone service, are considered 
treatment activities if performed by or on behalf of a health care 
provider, such as a pharmacist, but are regarded as health care 
operations if done on behalf of a different type of entity, such as a 
health plan.
    We delete specific reference to risk assessment, case management, 
and disease management. Activities often referred to as risk 
assessment, disease and case management are treatment activities only 
to the extent that they are services provided to a particular patient 
by a health care provider; population-based analyses or records review 
for the purposes of treatment protocol development or modification are 
health care operations, not treatment activities. If a covered entity 
is licensed as both a health plan and a health care provider, a single 
activity could be considered to be both treatment and health care 
operations; for compliance purposes we would consider the purpose of 
the activity. Given the integration of the health care system we 
believe that further classification of activities into either treatment 
or health care operations would not be helpful. See the definition of 
health care operations for additional discussion.

Use

    We proposed to define ``use'' to mean the employment, application, 
utilization, examination, or analysis of information within an entity 
that holds the information. In the final rule, we clarify that use 
refers to the use of individually identifiable health information. We 
replace the term ``holds'' with the term ``maintains.'' These changes 
are for clarity only, and are not intended to effect any substantive 
change.

Section 164.502--General Rules for Uses and Disclosures of 
Protected Health Information

Section 164.502(a)--Use and Disclosure for Treatment, Payment and 
Health Care Operations

    As a general rule, we proposed in the NPRM to prohibit covered 
entities from using or disclosing protected health information except 
as authorized by the individual who is the subject of such information 
or as explicitly permitted by the rule. The proposed rule explicitly 
would have permitted covered entities to use or disclose an 
individual's protected health information without authorization for 
treatment, payment, and health care operations. The proposal would not 
have restricted to whom disclosures could be made for the purposes of 
treatment, payment, or operations. The proposal would have allowed 
disclosure of the protected health information of one individual for 
the treatment or payment of another, as appropriate. We also proposed 
to prohibit covered entities from seeking individual authorization for 
uses and disclosures for treatment, payment, and health care operations 
unless required by state or other applicable law.
    We proposed two exceptions to this general rule which prohibited 
covered entities from using or disclosing research information 
unrelated to treatment or psychotherapy notes for treatment, payment, 
or health care operations purposes unless a specific authorization was 
obtained from the subject of the information. In addition, we proposed 
that a covered entity be prohibited from conditioning treatment, 
enrollment in a health plan or payment decisions on a requirement that 
the individual provide a specific authorization for the disclosure of 
these two types of information (see proposed Sec. 164.508(a)(3)(iii)).
    We also proposed to permit covered entities to use or disclose an 
individual's protected health information for specified public and 
public policy-related purposes, including public health, research, 
health oversight, law enforcement, and use by coroners. In addition, 
the proposal would have permitted covered entities to use and disclose 
protected health information when required to do so by other law or 
pursuant to an authorization from the individual allowing them to use 
or disclose the information for purposes other than treatment, payment 
or health care operations.
    We proposed to require covered entities to disclose protected 
health information for only two purposes: to permit individuals to 
inspect and copy protected health information about themselves and for 
enforcement of the rule.
    We proposed not to require covered entities to vary the level of 
protection accorded to protected health information based on the 
sensitivity of such information. In addition, we proposed to require 
that each affected entity assess its own needs and devise, implement, 
and maintain appropriate privacy policies, procedures, and 
documentation to address its business requirements.
    In the final rule, the general standard remains that covered 
entities may use or disclose protected health information only as 
permitted or required by this rule. However, we make significant 
changes to the conditions under which uses and disclosures are 
permitted.
    We revise the application of the general standard to require 
covered health care providers who have a direct treatment relationship 
with an individual to obtain a general ``consent'' from the individual 
in order to use or disclose protected health information about the 
individual for treatment, payment and health care operations (for 
details on who must obtain such consents and the requirements they must 
meet, see Sec. 164.506). These consents are intended to accommodate 
both the covered provider's need to use or disclose protected health 
information for treatment, payment, and health care operations, and 
also the individual's interest in understanding and acquiescing to such 
uses and disclosures. In general, other covered entities are permitted 
to use and disclose protected health information to carry out 
treatment, payment, or health care operations (as defined in this rule) 
without obtaining such consent, as in the proposed rule. Covered 
entities must, as under the proposed rule, obtain the individual's 
``authorization'' in order to use or disclose psychotherapy notes for 
most purposes: see Sec. 164.508(a)(2) for exceptions to this rule. We 
delete the proposed special treatment of ``research information 
unrelated to treatment.''
    We revise the application of the general standard to require all 
covered entities to obtain the individual's verbal ``agreement'' before 
using or disclosing protected health information for facility 
directories, to persons assisting in the individual's care, and for 
other purposes described in Sec. 164.510. Unlike ``consent'' and 
``authorization,'' verbal agreement may be informal and implied from 
the circumstances (for details on who must obtain such agreements and 
the requirements they must meet, see Sec. 164.510). Verbal agreements 
are intended to accommodate situations where it is neither appropriate 
to remove from the individual the ability to control the protected 
health information nor appropriate to require formal, written 
permission to share such information. For the most part, these 
provisions reflect current practices.
    As under the proposed rule, we permit covered entities to use or 
disclose protected health information without the individual's consent, 
authorization or agreement for specified

[[Page 82499]]

public policy purposes, in compliance with the requirements in 
Sec. 164.512.
    We permit covered entities to disclose protected health information 
to the individual who is the subject of that information without any 
condition. We note that this may include disclosures to ``personal 
representatives'' of individuals as provided by Sec. 164.502(g).
    We permit a covered entity to use or disclose protected health 
information for other lawful purposes if the entity obtains a written 
``authorization'' from the individual, consistent with the provisions 
of Sec. 164.508. Unlike ``consents,'' these ``authorizations'' are 
specific and detailed. (For details on who must obtain such 
authorizations and the requirements they must meet, see Sec. 164.508.) 
They are intended to provide the individuals with concrete information 
about, and control over, the uses and disclosures of protected health 
information about themselves.
    The final rule retains the provision that requires a covered entity 
to disclose protected health information only in two instances: When 
individuals request access to information about themselves, and when 
disclosures are compelled by the Secretary for compliance and 
enforcement purposes.
    Finally, Sec. 164.502(a)(1) also requires covered entities to use 
or disclose protected health information in compliance with the other 
provisions of Sec. 164.502, for example, consistent with the minimum 
necessary standard, to create de-identified information, or to a 
personal representative of an individual. These provisions are 
described below.
    We note that a covered entity may use or disclose protected health 
information as permitted by and in accordance with a provision of this 
rule, regardless of whether that use or disclosure fails to meet the 
requirements for use or disclosure under another provision of this 
rule.

Section 164.502(b)--Minimum Necessary Uses and Disclosures

    The proposed rule required a covered entity to make all reasonable 
efforts not to use or disclose more than the minimum amount of 
protected health information necessary to accomplish the intended 
purpose of the use or disclosure (proposed Sec. 164.506(b)). This final 
rule significantly modifies the proposed requirements for implementing 
the minimum necessary standard. In the final rule, Sec. 164.502(b) 
contains the basic standard and Sec. 164.514 describes the requirements 
for implementing the standard. Therefore we discuss all aspects of the 
minimum necessary standard and specific requirements below in the 
discussion of Sec. 164.514(d).

Section 164.502(c)--Uses and Disclosures Under a Restriction Agreement

    The proposed rule would have required that covered health care 
providers permit individuals to request restrictions of uses and 
disclosures of protected health information and would have prohibited 
covered providers from using or disclosing protected health information 
in violation of any agreed-to restriction.
    The final rule retains an individual's right to request 
restrictions on uses or disclosures for treatment, payment or health 
care operations and prohibits a covered entity from using or disclosing 
protected health information in a way that is inconsistent with an 
agreed upon restriction between the covered entity and the individual, 
but makes some changes to this right. Most significantly, under the 
final rule individuals have the right to request restrictions of all 
covered entities. This standard is set forth in Sec. 164.522. Details 
about the changes to the standard are explained in the preamble 
discussion to Sec. 164.522.

Section 164.502(d)--Creation of De-identified Information

    In proposed Sec. 164.506(d) of the NPRM, we proposed to permit use 
of protected health information for the purpose of creating de-
identified information and we provided detailed mechanisms for doing 
so.
    In Sec. 164.502(d) of the final rule, we permit a covered entity to 
use protected health information to create de-identified information, 
whether or not the de-identified information is to be used by the 
covered entity. We clarify that de-identified information created in 
accordance with our procedures (which have been moved to 
Sec. 164.514(a)) is not subject to the requirements of these privacy 
rules unless it is re-identified. Disclosure of a key or mechanism that 
could be used to re-identify such information is also defined to be 
disclosure of protected health information. See the preamble to 
Sec. 164.514(a) for further discussion.

Section 164.502(e)--Business Associates

    In the proposed rule, other than for purposes of consultation or 
referral for treatment, we would have allowed a covered entity to 
disclose protected health information to a business partner only 
pursuant to a written contract that would, among other specified 
provisions, limit the business partner's uses and disclosures of 
protected health information to those permitted by the contract, and 
would impose certain security, inspection and reporting requirements on 
the business partner. We proposed to define the term ``business 
partner'' to mean, with respect to a covered entity, a person to whom 
the covered entity discloses protected health information so that the 
person can carry out, assist with the performance of, or perform on 
behalf of, a function or activity for the covered entity.
    In the final rule, we change the term ``business partner'' to 
``business associate'' and in the definition clarify the full range of 
circumstances in which a person is acting as a business associate of a 
covered entity. (See definition of ``business associate'' in 
Sec. 160.103.) These changes mean that Sec. 164.502(e) requires a 
business associate contract (or other arrangement, as applicable) not 
only when the covered entity discloses protected health information to 
a business associate, but also when the business associate creates or 
receives protected health information on behalf of the covered entity.
    In the final rule, we modify the proposed standard and 
implementation specifications for business associates in a number of 
significant ways. These modifications are explained in the preamble 
discussion of Sec. 164.504(e).

Section 164.502(f)--Deceased Individuals

    We proposed to extend privacy protections to the protected health 
information of a deceased individual for two years following the date 
of death. During the two-year time frame, we proposed in the definition 
of ``individual'' that the right to control the deceased individual's 
protected health information would be held by an executor or 
administrator, or other person (e.g., next of kin) authorized under 
applicable law to act on behalf of the decedent's estate. The only 
proposed exception to this standard allowed for uses and disclosures of 
a decedent's protected health information for research purposes without 
the authorization of a legal representative and without the 
Institutional Review Board (IRB) or privacy board approval required (in 
proposed Sec. 164.510(j)) for most other uses and disclosures for 
research.
    In the final rule (Sec. 164.502(f)), we modify the standard to 
extend protection of protected health information about deceased 
individuals for as long as the covered entity maintains the 
information. We retain the exception for uses and disclosures for 
research purposes, now part of Sec. 164.512(i), but also require that 
the

[[Page 82500]]

covered entity take certain verification measures prior to release of 
the decedent's protected health information for such purposes (see 
Secs. 164.514(h) and 164.512(i)(1)(iii)).
    We remove from the definition of ``individual'' the provision 
related to deceased persons. Instead, we create a standard for 
``personal representatives'' (Sec. 164.502(g), see discussion below) 
that requires a covered entity to treat a personal representative of an 
individual as the individual in certain circumstances, i.e., allows the 
representative to exercise the rights of the individual. With respect 
to deceased individuals, the final rule describes when a covered entity 
must allow a person who otherwise is permitted under applicable law to 
act with respect to the interest of the decedent or on behalf of the 
decedent's estate, to make decisions regarding the decedent's protected 
health information.
    The final rule also adds a provision to Sec. 164.512(g), that 
permits covered entities to disclose protected health information to a 
funeral director, consistent with applicable law, as necessary to carry 
out their duties with respect to the decedent. Such disclosures are 
permitted both after death and in reasonable anticipation of death.

Section 164.502(g)--Personal Representatives

    In the proposed rule we defined ``individual'' to include certain 
persons who were authorized to act on behalf of the person who is the 
subject of the protected health information. For adults and emancipated 
minors, the NPRM provided that ``individual'' includes a legal 
representative to the extent to which applicable law permits such legal 
representative to exercise the individual's rights in such contexts. 
With respect to unemancipated minors, we proposed that the definition 
of ``individual'' include a parent, guardian, or person acting in loco 
parentis (hereinafter referred to as ``parent''), except when an 
unemancipated minor obtained health care services without the consent 
of, or notification to, a parent. Under the proposed rule, if a minor 
obtained health care services under these conditions, the minor would 
have had the exclusive rights of an individual with respect to the 
protected health information related to such health care services.
    In the final rule, the definition of ``individual'' is limited to 
the subject of the protected health information, which includes 
unemancipated minors and other individuals who may lack capacity to act 
on their own behalf. We remove from the definition of ``individual'' 
the provisions regarding legal representatives. The circumstances in 
which a representative must be treated as an individual for purposes of 
this rule are addressed in a separate standard titled ``personal 
representatives.'' (Sec. 164.502(g)). The standard regarding personal 
representatives incorporates some changes to the proposed provisions 
regarding legal representatives. In general, under the final 
regulation, the ``personal representatives'' provisions are directed at 
the more formal representatives, while Sec. 164.510(b) addresses 
situations in which persons are informally acting on behalf of an 
individual.
    With respect to adults or emancipated minors, we clarify that a 
covered entity must treat a person as a personal representative of an 
individual if such person is, under applicable law, authorized to act 
on behalf of the individual in making decisions related to health care. 
This includes a court-appointed guardian and a person with a power of 
attorney, as set forth in the NPRM, but may also include other persons. 
The authority of a personal representative under this rule is limited: 
the representative must be treated as the individual only to the extent 
that protected health information is relevant to the matters on which 
the personal representative is authorized to represent the individual. 
For example, if a person's authority to make health care decisions for 
an individual is limited to decisions regarding treatment for cancer, 
such person is a personal representative and must be treated as the 
individual with respect to protected health information related to the 
cancer treatment of the individual. Such a person is not the personal 
representative of the individual with respect to all protected health 
information about the individual, and therefore, a covered entity may 
not disclose protected health information that is not relevant to the 
cancer treatment to the person, unless otherwise permitted under the 
rule. We intend this provision to apply to persons empowered under 
state or other law to make health related decisions for an individual, 
whether or not the instrument or law granting such authority 
specifically addresses health information.
    In addition, we clarify that with respect to an unemancipated 
minor, if under applicable law a parent may act on behalf of an 
unemancipated minor in making decisions related to health care, a 
covered entity must treat such person as a personal representative 
under this rule with respect to protected health information relevant 
to such personal representation, with three exceptions. Under the 
general rule, in most circumstances the minor would not have the 
capacity to act as the individual, and the parent would be able to 
exercise rights and authorities on behalf of the minor. Under the 
exceptions to the rule on personal representatives of unemancipated 
minors, the minor, and not the parent, would be treated as the 
individual and able to exercise the rights and authorities of an 
individual under the rule. These exceptions occur if: (1) The minor 
consents to a health care service; no other consent to such health care 
service is required by law, regardless of whether the consent of 
another person has also been obtained; and the minor has not requested 
that such person be treated as the personal representative; (2) the 
minor may lawfully obtain such health care service without the consent 
of a parent, and the minor, a court, or another person authorized by 
law consents to such health care service; or (3) a parent assents to an 
agreement of confidentiality between a covered health care provider and 
the minor with respect to such health care service. We note that the 
definition of health care includes services, but we use ``health care 
service'' in this provision to clarify that the scope of the rights of 
minors under this rule is limited to the protected health information 
related to a particular service.
    Under this provision, we do not provide a minor with the authority 
to act under the rule unless the state has given them the ability to 
obtain health care without consent of a parent, or the parent has 
assented. In addition, we defer to state law where the state authorizes 
or prohibits disclosure of protected health information to a parent. 
See part 160, subpart B, Preemption of State Law. This rule does not 
affect parental notification laws that permit or require disclosure of 
protected health information to a parent. However, the rights of a 
minor under this rule are not otherwise affected by such notification.
    In the final rule, the provision regarding personal representatives 
of deceased individuals has been changed to clarify the provision. The 
policy has not changed substantively from the NPRM.
    Finally, we added a provision in the final rule to permit covered 
entities to elect not to treat a person as a personal representative in 
abusive situations. Under this provision, a covered entity need not 
treat a person as a personal representative of an individual if the 
covered entity, in the exercise of professional judgment, decides that 
it is

[[Page 82501]]

not in the best interest of the individual to treat the person as the 
individual's personal representative and the covered entity has a 
reasonable belief that the individual has been or may be subjected to 
domestic violence, abuse, or neglect by such person, or that treating 
such person as the personal representative could endanger the 
individual.
    Section 164.502(g) requires a covered entity to treat a person that 
meets the requirements of a personal representative as the individual 
(with the exceptions described above). We note that disclosure of 
protected health information to a personal representative is mandatory 
under this rule only if disclosure to the individual is mandatory. 
Disclosure to the individual is mandatory only under Secs. 164.524 and 
164.528. Further, as noted above, the personal representative's rights 
are limited by the scope of its authority under other law. Thus, this 
provision does not constitute a general grant of authority to personal 
representatives.
    We make disclosure to personal representatives mandatory to ensure 
that an individual's rights under Secs. 164.524 and 164.528 are 
preserved even when individuals are incapacitated or otherwise unable 
to act for themselves to the same degree as other individuals. If the 
covered entity were to have the discretion to recognize a personal 
representative as the individual, there could be situations in which no 
one could invoke an individual's rights under these sections.
    We continue to allow covered entities to use their discretion to 
disclose certain protected health information to family members, 
relatives, close friends, and other persons assisting in the care of an 
individual, in accordance with Sec. 164.510(b). We recognize that many 
health care decisions take place on an informal basis, and we permit 
disclosures in certain circumstances to permit this practice to 
continue. Health care providers may continue to use their discretion to 
address these informal situations.

Section 164.502(h)--Confidential Communications

    In the NPRM, we did not directly address the issue of whether an 
individual could request that a covered entity restrict the manner in 
which it communicated with the individual. The NPRM did provide 
individuals with the right to request that health care providers 
restrict uses and disclosures of protected health information for 
treatment, payment and health operations, but providers were not 
required to agree to such a restriction.
    In the final rule, we require covered providers to accommodate 
reasonable requests by patients about how the covered provider 
communicates with the individual. For example, an individual who does 
not want his or her family members to know about a certain treatment 
may request that the provider communicate with the individual at his or 
her place of employment, or to send communications to a designated 
address. Covered providers must accommodate the request unless it is 
unreasonable. Similarly, the final rule permits individuals to request 
that health plans communicate with them by alternative means, and the 
health plan must accommodate such a request if it is reasonable and the 
individual states that disclosure of the information could endanger the 
individual. The specific provisions relating to confidential 
communications are in Sec. 164.522.

Section 164.502(i)--Uses and Disclosures Consistent with Notice

    We proposed to prohibit covered entities from using or disclosing 
protected health information in a manner inconsistent with their notice 
of information practices. We retain this provision in the final rule. 
See Sec. 164.520 regarding notice content and distribution 
requirements.

Section 164.502(j)--Disclosures by Whistleblowers and Workforce Member 
Crime Victims

Disclosures by Whistleblowers

    In Sec. 164.518(c)(4) of the NPRM we addressed the issue of 
whistleblowers by proposing that a covered entity not be held in 
violation of this rule because a member of its workforce or a person 
associated with a business associate of the covered entity used or 
disclosed protected health information that such person believed was 
evidence of a civil or criminal violation, and any disclosure was: (1) 
Made to relevant oversight agencies or law enforcement or (2) made to 
an attorney to allow the attorney to determine whether a violation of 
criminal or civil law had occurred or to assess the remedies or actions 
at law that may be available to the person disclosing the information.
    We included an extensive discussion on how whistleblower actions 
can further the public interest, including reference to the need in 
some circumstances to utilize protected health information for this 
purpose as well as reference to the qui tam provisions of the Federal 
False Claims Act.
    In the final rule we retitle the provision and include it in 
Sec. 164.502 to reflect the fact that these disclosures are not made by 
the covered entity and therefore this material does not belong in the 
section on safeguarding information against disclosure.
    We retain the basic concept in the NPRM of providing protection to 
a covered entity for the good faith whistleblower action of a member of 
its workforce or a business associate. We clarify that a whistleblower 
disclosure by an employee, subcontractor, or other person associated 
with a business associate is considered a whistleblower disclosure of 
the business associate under this provision. However, in the final 
rule, we modify the scope of circumstances under which a covered entity 
is protected in whistleblower situations. A covered entity is not in 
violation of the requirements of this rule when a member of its 
workforce or a business associate of the covered entity discloses 
protected health information to: (i) A health oversight agency or 
public health authority authorized by law to investigate or otherwise 
oversee the relevant conduct or conditions of the covered entity; (ii) 
an appropriate health care accreditation organization; or (iii) an 
attorney, for the purpose of determining his or her legal options with 
respect to whistleblowing. We delete disclosures to a law enforcement 
official.
    We expand the scope of this section to cover disclosures of 
protected health information to an oversight or accreditation 
organization for the purpose of reporting breaches of professional 
standards or problems with quality of care. The covered entity will not 
be in violation of this rule, provided that the disclosing individual 
believes in good faith that the covered entity has engaged in conduct 
which is unlawful or otherwise violates professional or clinical 
standards, or that the care, services or conditions provided by the 
covered entity potentially endanger one or more patients, workers or 
the public. Since these provisions only relate to whistleblower actions 
in relation to the covered entity, disclosure of protected health 
information to expose malfeasant conduct by another person, such as 
knowledge gained during the course of treatment about an individual's 
illicit drug use, would not be protected activity.
    We clarify that this section only applies to protection of a 
covered entity, based on the whistleblower action of a member of its 
workforce or business associates. Since the HIPAA legislation only 
applies to covered entities, not their workforces, it is beyond the 
scope of this rule to directly regulate the

[[Page 82502]]

whistleblower actions of members of a covered entity's workforce.
    In the NPRM, we had proposed to require covered entities to apply 
sanctions to members of their workforce who improperly disclose protected 
health information. In this final rule, we retain this requirement in 
Sec. 164.530(e)(1) but modify the proposed provision on sanctions to 
clarify that the sanctions required under this rule do not apply to 
workforce members of a covered entity for whistleblower disclosures.

Disclosures by Workforce Members Who Are Crime Victims

    The proposed rule did not address disclosures by workforce members 
who are victims of a crime. In the final rule, we clarify that a 
covered entity is not in violation of the rule when a workforce member 
of a covered entity who is the victim of a crime discloses protected 
health information to law enforcement officials about the suspected 
perpetrator of the crime. We limit the amount of protected health 
information that may be disclosed to the limited information for 
identification and location described in Sec. 164.512(f)(2).
    We note that this provision is similar to the provision in 
Sec. 164.512(f)(5), which permits a covered entity to disclose 
protected health information to law enforcement that the covered entity 
believes in good faith constitutes evidence of criminal conduct that 
occurred on the premises of the covered entity. This provision differs 
in that it permits the disclosure even if the crime occurred somewhere 
other than on the premises of the covered entity. For example, if a 
hospital employee is the victim of an attack outside of the hospital, 
but spots the perpetrator sometime later when the perpetrator seeks 
medical care at the hospital, the workforce member who was attacked may 
notify law enforcement of the perpetrator's location and other 
identifying information. We do not permit, however, the disclosure of 
protected health information other than that described in 
Sec. 164.512(f)(2).

Section 164.504--Uses and Disclosures--Organizational 
Requirements--Component Entities, Affiliated Entities, Business 
Associates and Group Health Plans

Section 164.504(a)-(c)--Health Care Component (Component Entities)

    In the preamble to the proposed rule we introduced the concept of a 
``component entity'' to differentiate the health care unit of a larger 
organization from the larger organization. In the proposal we noted 
that some organizations that are primarily involved in non-health care 
activities do provide health care services or operate health plans or 
health care clearinghouses. Examples included a school with an on-site 
health clinic and an employer that self-administers a sponsored health 
plan. In such cases, the proposal said that the health care component 
of the entity would be considered the covered entity, and any release 
of information from that component to another office or person in the 
organization would be a regulated disclosure. We would have required 
such entities to create barriers to prevent protected health 
information from being used or disclosed for activities not authorized 
or permitted under the proposal.
    We discuss group health plans and their relationships with plan 
sponsors below under ``Requirements for Group Health Plans.''
    In the final rule we address the issue of differentiating health 
plan, covered health care provider and health care clearinghouse 
activities from other functions carried out by a single legal entity in 
paragraphs (a)-(c) of Sec. 164.504. We have created a new term, 
``hybrid entity'', to describe the situation where a health plan, 
health care provider, or health care clearinghouse is part of a larger 
legal entity; under the definition, a ``hybrid entity'' is ``a single 
legal entity that is a covered entity and whose covered functions are 
not its primary functions.'' The term ``covered functions'' is 
discussed above under Sec. 164.501. By ``single legal entity'' we mean 
a legal entity, such as a corporation or partnership, that cannot be 
further differentiated into units with their own legal identities. For 
example, for purposes of this rule a multinational corporation composed 
of multiple subsidiary companies would not be a single legal entity, 
but a small manufacturing firm and its health clinic, if not separately 
incorporated, could be a single legal entity.
    The health care component rules are designed for the situation in 
which the health care functions of the legal entity are not its 
dominant mission. Because some part of the legal entity meets the 
definition of a health plan or other covered entity, the legal entity 
as a whole could be required to comply with the rules below. However, 
in such a situation, it makes sense not to require the entire entity to 
comply with the requirements of the rules below, when most of its 
activities may have little or nothing to do with the provision of 
health care; rather, as a practical matter, it makes sense for such an 
entity to focus its compliance efforts on the component that is 
actually performing the health care functions. On the other hand, where 
most of what the covered entity does consists of covered functions, it 
makes sense to require the entity as a whole to comply with the rules. 
The provisions at Secs. 164.504(a)-(c) provide that for a hybrid 
entity, the rules apply only to the part of the entity that is the 
health care component. At the same time, the lack of corporate 
boundaries increases the risk that protected health information will be 
used in a manner that would not otherwise be permitted by these rules. 
Thus, we require that the covered entity erect firewalls to protect 
against the improper use or disclosure within or by the organization. 
See Sec. 164.504(c)(2).
    The term ``primary functions'' in the definition of ``hybrid 
entity'' is not meant to operate with mathematical precision. Rather, 
we intend that a more common sense evaluation take place: Is most of 
what the covered entity does related to its health care functions? If 
so, then the whole entity should be covered. Entities with different 
insurance lines, if not separately incorporated, present a particular 
issue with respect to this analysis. Because the definition of ``health 
plan'' excludes many types of insurance products (in the exclusion 
under paragraph (2)(i) of the definition), we would consider an entity 
that has one or more of these lines of insurance in addition to its 
health insurance lines to come within the definition of ``hybrid 
entity,'' because the other lines of business constitute substantial 
parts of the total business operation and are required to be separate 
from the health plan(s) part of the business.
    An issue that arises in the hybrid entity situation is what records 
are covered in the case of an office of the hybrid entity that performs 
support functions for both the health care component of the entity and 
for the rest of the entity. For example, this situation could arise in 
the context of a company with an onsite clinic (which we will assume is 
a covered health care provider), where the company's business office 
maintains both clinic records and the company's personnel records. 
Under the definition of the term ``health care component,'' the 
business office is part of the health care component (in this 
hypothetical, the clinic) ``to the extent that'' it is performing 
covered functions on behalf of the clinic involving the use or 
disclosure of protected health information that it receives from, 
creates or maintains for the clinic. Part of the business office, 
therefore, is part of the

[[Page 82503]]

health care component, and part of the business office is outside the 
health care component. This means that the non-health care component 
part of the business office is not covered by the rules below. Under 
our hypothetical, then, the business office would not be required to 
handle its personnel records in accordance with the rules below. The 
hybrid entity would be required to establish firewalls with respect to 
these record systems, to ensure that the clinic records were handled in 
accordance with the rules.
    With respect to excepted benefits, the rules below operate as 
follows. (Excepted benefits include accident, disability income, 
liability, workers' compensation and automobile medical payment 
insurance.) Excepted benefit programs are excluded from the health care 
component (or components) through the definition of ``health plan.'' If 
a particular organizational unit performs both excepted benefits 
functions and covered functions, the activities associated with the 
excepted benefits program may not be part of the health care component. 
For example, an accountant who works for a covered entity with both a 
health plan and a life insurer would have his or her accounting 
functions performed for the health plan as part of the component, but 
not the life insurance accounting function. See 
Sec. 164.504(c)(2)(iii). We require this segregation of excepted 
benefits because HIPAA does not cover such programs, policies and 
plans, and we do not permit any use or disclosure of protected health 
information for the purposes of operating or performing the functions 
of the excepted benefits without authorization from the individual, 
except as otherwise permitted in this rule.
    In Sec. 164.504(c)(2) we require covered entities with a health 
care component to establish safeguard policies and procedures to 
prevent any access to protected health information by its other 
organizational units that would not be otherwise permitted by this 
rule. We note that section 1173(d)(1)(B) of HIPAA requires policies and 
procedures to isolate the activities of a health care clearinghouse 
from a ``larger organization'' to prevent unauthorized access by the 
larger organization. This safeguard provision is consistent with the 
statutory requirement and extends to any covered entity that performs 
``non-covered entity functions'' or operates or conducts functions of 
more than one type of covered entity.
    Because, as noted, the covered entity in the hybrid entity 
situation is the legal entity itself, we state explicitly what is 
implicitly the case, that the covered entity (legal entity) remains 
responsible for compliance vis-a-vis subpart C of part 160. See 
Sec. 164.504(c)(3)(i). We do this simply to make these responsibilities 
clear and to avoid confusion on this point. Also, in the hybrid entity 
situation the covered entity/legal entity has control over the entire 
workforce, not just the workforce of the health care component. Thus, 
the covered entity is in a position to implement policies and 
procedures to ensure that the part of its workforce that is doing mixed 
or non-covered functions does not impermissibly use or disclose 
protected health information. Its responsibility to do so is clarified 
in Sec. 164.504(c)(3)(ii).

Section 164.504(d)--Affiliated Entities

    Some legally distinct covered entities may share common 
administration of organizationally differentiated but similar 
activities (for example, a hospital chain). In Sec. 164.504(d) we 
permit legally distinct covered entities that share common ownership or 
control to designate themselves, or their health care components, 
together to be a single covered entity. Common control exists if an 
entity has the power, directly or indirectly, significantly to 
influence or direct the actions or policies of another entity. Common 
ownership exists if an entity or entities possess an ownership or 
equity interest of 5 percent or more in another entity.
    Such organizations may promulgate a single shared notice of 
information practices and a consent form. For example, a corporation 
with hospitals in twenty states may designate itself as a covered 
entity and, therefore, be able to merge information for joint marketplace 
analyses. The requirements that apply to a covered entity also apply to 
an affiliated covered entity. For example, under the minimum necessary 
provisions, a hospital in one state could not share protected health 
information about a particular patient with another hospital if such a 
use is not necessary for treatment, payment or health care operations. 
The covered entities that together make up the affiliated covered 
entity are separately subject to liability under this rule. The 
safeguarding requirements for affiliated covered entities track the 
requirements that apply to health care components.

Section 164.504(e)--Business Associates

    In the NPRM, we proposed to require a contract between a covered 
entity and a business associate, except for disclosures of protected 
health information by a covered entity that is a health care provider 
to another health care provider for the purposes of consultation or 
referral. A covered entity would have been in violation of this rule if 
the covered entity knew or reasonably should have known of a material 
breach of the contract by a business associate and it failed to take 
reasonable steps to cure the breach or terminate the contract. We 
proposed in the preamble that when a covered entity acted as a business 
associate to another covered entity, the covered entity that was acting 
as business associate also would have been responsible for any 
violations of the regulation.
    We also proposed that covered health care providers receiving 
protected health information for consultation or referral purposes 
would still have been subject to this rule, and could not have used or 
disclosed such protected health information for a purpose other than 
the purpose for which it was received (i.e., the consultation or 
referral). Further, we noted that providers making disclosures for 
consultations or referrals should be careful to inform the receiving 
provider of any special limitations or conditions that the 
disclosing provider had agreed to impose (e.g., the disclosing provider 
had provided notice to its patients that it would not make disclosures 
for research).
    We proposed that business associates would not have been permitted 
to use or disclose protected health information in ways that would not 
have been permitted of the covered entity itself under these rules, and 
covered entities would have been required to take reasonable steps to 
ensure that protected health information disclosed to a business 
associate remained protected.
    In the NPRM (proposed Sec. 164.506(e)(2)) we would have required 
that the contractual agreement between a covered entity and a business 
associate be in writing and contain provisions that would:
     Prohibit the business associate from further using or 
disclosing the protected health information for any purpose other than 
the purpose stated in the contract.
     Prohibit the business associate from further using or 
disclosing the protected health information in a manner that would 
violate the requirements of this proposed rule if it were done by the 
covered entity.
     Require the business associate to maintain safeguards as 
necessary to ensure that the protected health information is not used 
or disclosed except as provided by the contract.
     Require the business associate to report to the covered 
entity any use or disclosure of the protected health information of 
which the business

[[Page 82504]]

associate becomes aware that is not provided for in the contract.
     Require the business associate to ensure that any 
subcontractors or agents to whom it provides protected health 
information received from the covered entity will agree to the same 
restrictions and conditions that apply to the business associate with 
respect to such information.
     Require the business associate to provide access to non-
duplicative protected health information to the subject of that 
information, in accordance with proposed Sec. 164.514(a).
     Require the business associate to make available its 
internal practices, books and records relating to the use and 
disclosure of protected health information received from the covered 
entity to the Secretary for the purposes of enforcing the provisions of 
this rule.
     Require the business associate, at termination of the 
contract, to return or destroy all protected health information 
received from the covered entity that the business associate still 
maintains in any form to the covered entity and prohibit the business 
associate from retaining such protected health information in any form.
     Require the business associate to incorporate any 
amendments or corrections to protected health information when notified 
by the covered entity that the information is inaccurate or incomplete.
     State that individuals who are the subject of the 
protected health information disclosed are intended to be third party 
beneficiaries of the contract.
     Authorize the covered entity to terminate the contract, if 
the covered entity determines that the business associate has violated 
a material term of the contract.
    We also stated in the preamble to the NPRM that the contract could 
have included any additional arrangements that did not violate the 
provisions of this regulation.
    We explained in the preamble to the NPRM that a business associate 
(including business associates that are covered entities) that had 
contracts with more than one covered entity would have had no authority 
to combine, aggregate or otherwise use for a single purpose protected 
health information obtained from more than one covered entity unless 
doing so would have been a lawful use or disclosure for each of the 
covered entities that supplied the protected health information that is 
being combined, aggregated or used. In addition, the business associate 
would have had to have been authorized through the contract or 
arrangement with each covered entity that supplied the protected health 
information to combine or aggregate the information. A covered entity 
would not have been permitted to obtain protected health information 
through a business associate that it could not otherwise obtain itself.
    In the final rule we retain the overall approach proposed: covered 
entities may disclose protected health information to persons that meet 
the rule's definition of business associate, or hire such persons to 
obtain or create protected health information for them, only if covered 
entities obtain specified satisfactory assurances from the business 
associate that it will appropriately handle the information; the 
regulation specifies the elements of such satisfactory assurances; 
covered entities have responsibilities when such specified satisfactory 
assurances are violated by the business associate. We retain the 
requirement that specified satisfactory assurances must be obtained if 
a covered entity's business associate is also a covered entity. We note 
that a master business associate contract or MOU that otherwise meets 
the requirements regarding specified satisfactory assurances meets the 
requirements with respect to all the signatories.
    A covered entity may disclose protected health information to a 
business associate, consistent with the other requirements of the final 
rule, as necessary to permit the business associate to perform 
functions and activities for or on behalf of the covered entity, or to 
provide the services specified in the business associate definition to 
or for the covered entity. As discussed below, a business associate may 
only use the protected health information it receives in its capacity 
as a business associate to a covered entity as permitted by its 
contract or agreement with the covered entity.
    We do not attempt to directly regulate business associates, but 
pursuant to our authority to regulate covered entities we place 
restrictions on the flow of information from covered entities to non-
covered entities. We add a provision to clarify that a violation of a 
business associate agreement by a covered entity that is a business 
associate of another covered entity constitutes a violation of this 
rule.
    In the final rule, we make significant changes to the requirements 
regarding business associates. As explained below in more detail: we 
make significant changes to the content of the required contractual 
satisfactory assurances; we include exceptions for arrangements that 
would otherwise meet the definition of business associate; we make 
special provisions for government agencies that by law cannot enter 
into contracts with one another or that operate under other legal 
requirements incompatible with some aspects of the required contractual 
satisfactory assurances; we provide a new mechanism for covered 
entities to hire a third party to aggregate data.
    The final rule provides several exceptions to the business associate 
requirements, where a business associate relationship would otherwise 
exist. We substantially expand the exception for disclosure of 
protected health information for treatment. Rather than allowing 
disclosures without business associate assurances only for the purpose 
of consultation or referral, in the final rule we allow covered 
entities to make any disclosure of protected health information for 
treatment purposes to a health care provider without a business 
associate arrangement. This provision includes all activities that fall 
under the definition of treatment.
    We do not require a business associate contract for a group health 
plan to make disclosures to the plan sponsor, to the extent that the 
health plan meets the applicable requirements of Sec. 164.504(f).
    We also include an exception for certain jointly administered 
government programs providing public benefits. Where a health plan that 
is a government program provides public benefits, such as SCHIP and 
Medicaid, and where eligibility for, or enrollment in, the health plan 
is determined by an agency other than the agency administering the 
health plan, or where the protected health information used to 
determine enrollment or eligibility in the health plan is collected by 
an agency other than the agency administering the health plan, and the 
joint activities are authorized by law, no business associate contract 
is required with respect to the collection and sharing of individually 
identifiable health information for the performance of the authorized 
functions by the health plan and the agency other than the agency 
administering the health plan. We note that the phrase ``government 
programs providing public benefits'' refers to programs offering 
benefits to specified members of the public and not to programs that 
offer benefits only to employees or retirees of government agencies.
    We note that we do not consider a financial institution to be 
acting on behalf of a covered entity, and therefore no business 
associate contract is required, when it processes consumer-conducted 
financial transactions by debit, credit or other payment card,

[[Page 82505]]

clears checks, initiates or processes electronic funds transfers, or 
conducts any other activity that directly facilitates or effects the 
transfer of funds for compensation for health care. A typical consumer-
conducted payment transaction is when a consumer pays for health care 
or health insurance premiums using a check or credit card. In these 
cases, the identity of the consumer is always included and some health 
information (e.g., diagnosis or procedure) may be implied through the 
name of the health care provider or health plan being paid. Covered 
entities that initiate such payment activities must meet the minimum 
necessary disclosure requirements described in the preamble to 
Sec. 164.514.
    In the final rule, we reduce the extent to which a covered entity 
must monitor the actions of its business associate and we make it 
easier for covered entities to identify the circumstances that will 
require them to take actions to correct a business associate's material 
violation of the contract, in the following ways. We delete the 
proposed language requiring covered entities to ``take reasonable steps 
to ensure'' that each business associate complies with the rule's 
requirements. Additionally, we now require covered entities to take 
reasonable steps to cure a breach or terminate the contract for 
business associate behaviors only if they know of a material violation 
by a business associate. In implementing this standard, we will view a 
covered entity that has substantial and credible evidence of a 
violation as knowing of such violation. While this standard relieves 
the covered entity of the need to actively monitor its business 
associates, a covered entity nonetheless is expected to investigate 
when it receives complaints or other information that contain 
substantial and credible evidence of violations by a business 
associate, and it must act upon any knowledge of such violation that it 
possesses. We note that a whistleblowing disclosure by a business 
associate of a covered entity that meets the requirements of 
Sec. 164.502(j)(1) does not put the covered entity in violation of this 
rule, and the covered entity has no duty to correct or cure, or to 
terminate the relationship.
    We also qualify the requirement for terminating contracts with non-
compliant business associates. The final rule still requires that the 
business associate contract authorize the covered entity to terminate 
the contract, if the covered entity determines that the business 
associate has violated a material term of the contract, and it requires 
the covered entity to terminate the contract if steps to cure such a 
material breach fail. The rule now stipulates, however, that if the 
covered entity is unable to cure a material breach of the business 
associate's obligation under the contract, it is expected to terminate 
the contract, when feasible. This qualification has been added to 
accommodate circumstances where terminating the contract would be 
unreasonably burdensome on the covered entity, such as when there are 
no viable alternatives to continuing a contract with that particular 
business associate. It does not mean, for instance, that the covered 
entity can choose to continue the contract with a non-compliant 
business associate merely because it is more convenient or less costly 
than contracts with other potential business associates. We also 
require that if a covered entity determines that it is not feasible to 
terminate a non-compliant business associate, the covered entity must 
notify the Secretary.
    We retain all of the requirements for a business associate contract 
that were listed in proposed Sec. 164.506(e)(2), with some 
modifications. See Sec. 164.504(e)(2).
    We retain the requirement that the business associate contract must 
provide that the business associate will not use or further disclose 
the information other than as permitted or required by the contract or 
as required by law. We do not mean by this requirement that the 
business associate contract must specify each and every use and 
disclosure of protected health information permitted to the business 
associate. Rather, the contract must state the purposes for which the 
business associate may use and disclose protected health information, 
and must indicate generally the reasons and types of persons to whom 
the business associate may make further disclosures. For example, 
attorneys often need to provide information to potential witnesses, 
opposing counsel, and others in the course of their representation of a 
client. The business associate contract pursuant to which protected 
health information is provided to its attorney may include a general 
statement permitting the attorney to disclose protected health 
information to these types of people, within the scope of its 
representation of the covered entity.
    We retain the requirement that a business associate contract may 
not authorize a business associate to use or further disclose protected 
health information in a manner that would violate the requirements of 
this subpart if done by the covered entity, but we add two exceptions. 
First, we permit a covered entity to authorize a business associate to 
use and disclose protected health information it receives in its 
capacity as a business associate for its proper management and 
administration and to carry out its legal responsibilities. The 
contract must limit further disclosures of the protected health 
information for these purposes to those that are required by law and to 
those for which the business associate obtains reasonable assurances 
that the protected health information will be held confidentially and 
that it will be notified by the person to whom it discloses the 
protected health information of any breaches of confidentiality.
    Second, we permit a covered entity to authorize the business 
associate to provide data aggregation services to the covered entity. 
As discussed above in Sec. 164.501, data aggregation, with respect to 
protected health information received by a business associate in its 
capacity as the business associate of a covered entity, is the 
combining of such protected health information by the business 
associate with protected health information received by the business 
associate in its capacity as a business associate of another covered 
entity, to permit the creation of data for analyses that relate to the 
health care operations of the respective covered entities. We added 
this service to the business associate definition to clarify the 
ability of covered entities to contract with business associates to 
undertake quality assurance and comparative analyses that involve the 
protected health information of more than one contracting covered 
entity. We except data aggregation from the general requirement that a 
business associate contract may not authorize a business associate to 
use or further disclose protected health information in a manner that 
would violate the requirements of this subpart if done by the covered 
entity in order to permit the combining or aggregation of protected 
health information received in its capacity as a business associate of 
different covered entities when it is performing this service. In many 
cases, the combining of this information for the respective health care 
operations of the covered entities is not something that the covered 
entities could do--a covered entity cannot generally disclose protected 
health information to another covered entity for the disclosing covered 
entity's health care operations. However, we permit covered entities 
that enter into business associate contracts with a business associate 
for data aggregation to permit the business associate to combine or 
aggregate the protected health information they

[[Page 82506]]

disclose to the business associate for their respective health care 
operations.
    We note that there may be other instances in which a business 
associate may combine or aggregate protected health information 
received in its capacity as a business associate of different covered 
entities, such as when it is performing health care operations on 
behalf of covered entities that participate in an organized health care 
arrangement. A business associate that is performing payment functions 
on behalf of different covered entities also may combine protected 
health information when it is necessary, such as when the covered 
entities share financial risk or otherwise jointly bill for services.
    In the final rule we clarify that the business associate contract 
must require the business associate to make available protected health 
information for amendment and to incorporate such amendments. The 
business associate contract must also require the business associate to 
make available the information required to provide an accounting of 
disclosures. We provide more flexibility to the requirement that all 
protected health information be returned by the business associate upon 
termination of the contract. The rule now stipulates that if feasible, 
the protected health information should be destroyed or returned at the 
end of a contract. Accordingly, a contract with a business associate 
must state that if there are reasons that the return or destruction of 
the information is not feasible and the information must be retained 
for specific reasons and uses, such as for future audits, privacy 
protections must continue after the contract ends, for as long as the 
business associate retains the information. The contract also must 
state that the uses of information after termination of the contract 
must be limited to the specific set of uses or disclosures that make it 
necessary for the business associate to retain the information.
    We also remove the requirement that business associate contracts 
contain a provision stating that individuals whose protected health 
information is disclosed under the contract are intended third-party 
beneficiaries of the contract. Third party beneficiary or similar 
responsibilities may arise under these business associate arrangements 
by operation of state law; we do not intend in this rule to affect the 
operation of such state laws.
    We modify the requirement that a business associate contract 
require the business associate to ensure that agents abide by the 
provisions of the business associate contract. We clarify that agents 
include subcontractors, and we note that a business associate contract 
must make the business associate responsible for ensuring that any 
person to whom it delegates a function, activity or service which is 
within its business associate contract with the covered entity agrees 
to abide by the restrictions and conditions that apply to the business 
associate under the contract. We note that a business associate will 
need to consider the purpose for which protected health information is 
being disclosed in determining whether the recipient must be bound to 
the restrictions and conditions of the business associate contract. 
When the disclosure is a delegation of a function, activity or service 
that the business associate has agreed to perform for a covered entity, 
the recipient who undertakes such a function steps into the shoes of 
the business associate and must be bound to the restrictions and 
conditions. When the disclosure is to a third party who is not 
performing business associate functions, activities or services for or 
on behalf of the covered entity, but is the type of disclosure that the 
covered entity itself could make without giving rise to a business 
associate relationship, the business associate is not required to 
ensure that the restrictions or conditions of the business associate 
contract are maintained.
    For example, if a business associate acts as the billing agent of a 
health care provider, and discloses protected health information on 
behalf of the hospital to health plans, the business associate has no 
responsibility with respect to further uses or disclosures by the 
health plan. In the example above, where a covered entity has a 
business associate contract with a lawyer, and the lawyer discloses 
protected health information to an expert witness in preparation for 
litigation, the lawyer again would have no responsibility under this 
subpart with respect to uses or disclosures by the expert witness, 
because such witness is not undertaking the functions, activities or 
services that the business associate lawyer has agreed to perform. 
However, if a covered entity contracts with a third party administrator 
to provide claims management, and the administrator delegates 
management of the pharmacy benefits to a third party, the business 
associate third party administrator must ensure that the pharmacy 
manager abides by the restrictions and conditions in the business 
associate contract between the covered entity and the third party 
administrator.
    We provide in Sec. 164.504(c)(3) several methods other than a 
business associate contract that will satisfy the requirement for 
satisfactory assurances under this section. First, when a government 
agency is a business associate of another government agency that is a 
covered entity, we permit a memorandum of understanding between the 
agencies to constitute satisfactory assurance for the purposes of this 
rule, if the memorandum accomplishes each of the objectives of the 
business associate contract. We recognize that the relationships of 
government agencies are often organized as a matter of law, and that it 
is not always feasible for one agency to contract with another for all 
of the purposes provided for in this section. We also recognize that it 
may be incorrect to view one government agency as ``acting on behalf 
of'' the other government agency; under law, each agency may be acting 
to fulfill a statutory mission. We note that in some instances, it may 
not be possible for the agencies to include the right to terminate the 
arrangement because the relationship may be established under law. In 
such instances, the covered entity government agency would need to 
fulfill the requirement to report known violations of the memorandum to 
the Secretary.
    Where the covered entity is a government agency, we consider the 
satisfactory assurances requirement to be satisfied if other law 
contains requirements applicable to the business associate that 
accomplish each of the objectives of the business associate contract. 
We recognize that in some cases, covered entities that are government 
agencies may be able to impose the requirements of this section 
directly on the persons acting as their business associates. We also 
recognize that often one government agency is acting as a business 
associate of another government agency, and either party may have the 
legal authority to establish the requirements of this section by 
regulation. We believe that imposing these requirements directly on 
business associates provides greater protection than we can otherwise 
provide under this section, and so we recognize such other laws as 
sufficient to substitute for a business associate contract.
    We also recognize that there may be some circumstances where the 
relationship between covered entities and business associates is 
otherwise mandated by law. In the final rule, we provide that where a 
business associate is required by law to act as a business associate to 
a covered entity, the covered entity may disclose protected health 
information to the business associate to the extent necessary to comply 
with the legal mandate without

[[Page 82507]]

meeting the requirement to have a business associate contract (or, in 
the case of government agencies, a memorandum of understanding or law 
pertaining to the business associate) if it makes a good faith attempt 
to obtain the satisfactory assurances required by this section and, if 
unable to do so, documents the attempt and the reasons that such 
assurances cannot be obtained. This provision addresses situations 
where law requires one party to act as the business associate of 
another party. The fact that the parties have contractual obligations 
that may be enforceable is not sufficient to meet the required by law 
test in this provision.
    This provision recognizes that in some instances the law requires 
that a government agency act as a business associate of a covered 
entity. For example, the United States Department of Justice is 
required by law to defend tort suits brought against certain covered 
entities; in such circumstances, however, the United States, and not 
the individual covered entity, is the client and is potentially liable. 
In such situations, covered entities must be able to disclose protected 
health information needed to carry out the representation, but the 
particular requirements that would otherwise apply to a business 
associate relationship may not be possible to obtain. Subsection (iii) 
makes clear that, where the relationship is required by law, the 
covered entity complies with the rule if it attempts, in good faith, to 
obtain satisfactory assurances as are required by this paragraph and, 
if such attempt fails, documents the attempts and the reasons that such 
assurances cannot be obtained.
    The operation of the final rule maintains the construction 
discussed in the preamble to the NPRM that a business associate 
(including a business associate that is a covered entity) that has 
business associate contracts with more than one covered entity 
generally may not use or disclose the protected health information that 
it creates or receives in its capacity as a business associate of one 
covered entity for the purposes of carrying out its responsibilities as 
a business associate of another covered entity, unless doing so would 
be a lawful use or disclosure for each of the covered entities and the 
business associate's contract with each of the covered entities permits 
the business associate to undertake the activity. For example, a 
business associate performing a function under health care operations 
on behalf of an organized health care arrangement would be permitted to 
combine or aggregate the protected health information obtained from 
covered entities participating in the arrangement to the extent 
necessary to carry out the authorized activity and in conformance with 
its business associate contracts. As described above, a business 
associate providing data aggregation services to different covered 
entities also could combine and use the protected health information of 
the covered entities to assist with their respective health care 
operations. A covered entity that is undertaking payment activities on 
behalf of different covered entities also may use or disclose protected 
health information obtained as a business associate of one covered 
entity when undertaking such activities as a business associate of 
another covered entity where the covered entities have authorized the 
activities and where they are necessary to secure payment for the 
entities. For example, when a group of providers share financial risk 
and contract with a business associate to conduct payment activities on 
their behalf, the business associate may use the protected health 
information received from the covered entities to assist them in 
managing their shared risk arrangement.
    Finally, we note that the requirements imposed by this provision 
are intended to extend privacy protection to situations in which a 
covered entity discloses substantial amounts of protected health 
information to other persons so that those persons can perform 
functions or activities on its behalf or deliver specified services to 
it. A business associate contract basically requires the business 
associate to maintain the confidentiality of the protected health 
information that it receives and generally to use and disclose such 
information for the purposes for which it was provided. This 
requirement does not interfere with the relationship between a covered 
entity and business associate, or require the business associate to 
subordinate its professional judgment to that of a covered entity. 
Covered entities may rely on the professional judgment of their 
business associates as to the type and amount of protected health 
information that is necessary to carry out a permitted activity. The 
requirements of this provision are aimed at securing the continued 
confidentiality of protected health information disclosed to third 
parties that are serving the covered entity's interests.

Section 164.504(f)--Group Health Plans

    Covered entities under HIPAA include health care clearinghouses, 
health care providers and health plans. Specifically included in the 
definition of ``health plan'' are group health plans (as defined in 
section 2791(a) of the Public Health Service Act) with 50 or more 
participants or those of any size that are administered by an entity 
other than the employer who established and maintains the plan. These 
group health plans may be fully insured or self-insured. Neither 
employers nor other group health plan sponsors are defined as covered 
entities. However, employers and other plan sponsors--particularly 
those sponsors with self-insured group health plans--may perform 
certain functions that are integrally related to or similar to the 
functions of group health plans and, in carrying out these functions, 
often require access to individual health information held by the group 
health plan.
    Most group health plans are also regulated under the Employee 
Retirement Income Security Act of 1974 (ERISA). Under ERISA, a group 
health plan must be a separate legal entity from its plan sponsor. 
ERISA-covered group health plans usually do not have a corporate 
presence; in other words, they may not have their own employees and 
sometimes do not have their own assets (i.e., they may be fully insured 
or the benefits may be funded through the general assets of the plan 
sponsor, rather than through a trust). Often, the only tangible 
evidence of the existence of a group health plan is the contractual 
agreement that describes the rights and responsibilities of covered 
participants, including the benefits that are offered and the eligible 
recipients.
    ERISA requires the group health plan to identify a ``named 
fiduciary,'' a person responsible for ensuring that the plan is 
operated and administered properly and with ultimate legal 
responsibility for the plan. If the plan documents under which the 
group health plan was established and is maintained permit, the named 
fiduciary may delegate certain responsibilities to trustees and may 
hire advisors to assist it in carrying out its functions. While 
generally the named fiduciary is an individual, it may be another 
entity. The plan sponsor or employees of the plan sponsor are often the 
named fiduciaries. These structural and operational relationships 
present a problem in our ability to protect health information from 
being used inappropriately in employment-related decisions. On the one 
hand, the group health plan, and any health insurance issuer or HMO 
providing health insurance or health coverage to the group health plan, 
are covered entities under the regulation and may only disclose 
protected health information as authorized under the

[[Page 82508]]

regulation or with individual consent. On the other hand, plan sponsors 
may need access to protected health information to carry out 
administration functions on behalf of the plan, but under circumstances 
in which securing individual consent is impractical. We note that we 
sometimes refer in the rule and preamble to health insurance issuers 
and HMOs that provide health insurance or health coverage to a group 
health plan as health insurance issuers or HMOs with respect to a group 
health plan.
    The proposed rule used the health care component approach for 
employers and other plan sponsors. Under this approach, only the 
component of an employer or other plan sponsor would be treated as a 
covered entity. The component of the plan sponsor would have been able 
to use protected health information for treatment, payment, and health 
care operations, but not for other purposes, such as discipline, hiring 
and firing, placement and promotions. We have modified the final rule 
in a number of ways.
    In the final rule, we recognize plan sponsors' legitimate need for 
health information in certain situations while, at the same time, 
protecting health information from being used for employment-related 
functions or for other functions related to other employee benefit 
plans or other benefits provided by the plan sponsor. We do not attempt 
to directly regulate employers or other plan sponsors, but pursuant to 
our authority to regulate health plans, we place restrictions on the 
flow of information from covered entities to non-covered entities.
    The final rule permits group health plans, and allows them to 
authorize health insurance issuers or HMOs with respect to the group 
health plan, to disclose protected health information to plan sponsors 
if the plan sponsors voluntarily agree to use and disclose the 
information only as permitted or required by the regulation. The 
information may be used only for plan administration functions 
performed on behalf of the group health plan which are specified in 
plan documents. The group health plan is not required to have a 
business associate contract with the plan sponsor to disclose the 
protected health information or allow the plan sponsor to create 
protected health information on its behalf, if the conditions of 
Sec. 164.504(e) are met.
    In order for the group health plan to disclose protected health 
information to a plan sponsor, the plan documents under which the plan 
was established and is maintained must be amended to: (1) Describe the 
permitted uses and disclosures of protected health information; (2) 
specify that disclosure is permitted only upon receipt of a 
certification from the plan sponsor that the plan documents have been 
amended and the plan sponsor has agreed to certain conditions regarding 
the use and disclosure of protected health information; and (3) provide 
adequate firewalls to: identify the employees or classes of employees 
who will have access to protected health information; restrict access 
solely to the employees identified and only for the functions performed 
on behalf of the group health plan; and provide a mechanism for 
resolving issues of noncompliance.
    Any employee of the plan sponsor who receives protected health 
information for payment, health care operations or other matters 
related to the group health plan must be identified in the plan 
documents either by name or function. We assume that since individuals 
employed by the plan sponsor may change frequently, the group health 
plan would likely describe such individuals in a general manner. Any 
disclosure to employees or classes of employees not identified in the 
plan documents is not a permissible disclosure. To the extent a group 
health plan does have its own employees separate from the plan 
sponsor's employees, as the workforce of a covered entity (i.e., the 
group health plan), they also are bound by the permitted uses and 
disclosures of this rule.
    The certification that must be given to the group health plan must 
state that the plan sponsor agrees to: (1) Not use or further disclose 
protected health information other than as permitted or required by the 
plan documents or as required by law; (2) ensure that any 
subcontractors or agents to whom the plan sponsor provides protected 
health information agree to the same restrictions; (3) not use or 
disclose the protected health information for employment-related 
actions; (4) report to the group health plan any use or disclosure that 
is inconsistent with the plan documents or this regulation; (5) make 
the protected health information accessible to individuals; (6) allow 
individuals to amend their information; (7) provide an accounting of 
its disclosures; (8) make its practices available to the Secretary for 
determining compliance; (9) return and destroy all protected health 
information when no longer needed, if feasible; and (10) ensure that 
the firewalls have been established.
    We have included this certification requirement, in part, as a way 
to reduce the burden on health insurance issuers and HMOs. Without a 
certification, health insurance issuers and HMOs would need to review 
the plan documents in order to ensure that the amendments have been 
made before they could disclose protected health information to plan 
sponsors. The certification, however, is a simple statement that the 
amendments have been made and that the plan sponsor has agreed to 
certain restrictions on the use and disclosure of protected health 
information. The receipt of the certification, therefore, is a sufficient 
basis for the health insurance issuer or HMO to disclose protected 
health information to the plan sponsor.
    Many activities included in the definitions of health care 
operations and payment are commonly referred to as plan administration 
functions in the ERISA group health plan context. For purposes of this 
rule, plan administration activities are limited to activities that 
would meet the definition of payment or health care operations, but do 
not include functions to modify, amend, or terminate the plan or 
solicit bids from prospective issuers. Plan administration functions 
include quality assurance, claims processing, auditing, monitoring, and 
management of carve-out plans--such as vision and dental. Under the 
final rule, ``plan administration'' does not include any employment-
related functions or functions in connection with any other benefits or 
benefit plans, and group health plans may not disclose information for 
such purposes absent an authorization from the individual. For purposes 
of this rule, enrollment functions performed by the plan sponsor on 
behalf of its employees are not considered plan administration 
functions.
    Plan sponsors have access to protected health information only to 
the extent group health plans have access to protected health 
information and plan sponsors are permitted to use or disclose 
protected health information only as would be permitted by group health 
plans. That is, a group health plan may permit a plan sponsor to have 
access to or to use protected health information only for purposes 
allowed by the regulation.
    As explained above, where a group health plan purchases insurance 
or coverage from a health insurance issuer or HMO, the provision of 
insurance or coverage by the health insurance issuer or HMO to the 
group health plan does not make the health insurance issuer or HMO a 
business associate. In such case, the activities of the health 
insurance issuer or HMO are on their own behalf and not on the behalf 
of the group 
health plan. We note that where a group health plan contracts with a 
health insurance issuer or HMO to perform functions or activities or to 
provide services that are in addition to or not directly related to the 
provision of insurance, the health insurance issuer or HMO may be a 
business associate with respect to those additional functions, 
activities, or services. In addition, group health plans that provide 
health benefits only through an insurance contract and do not create, 
maintain, or receive protected health information (except for summary 
information described below or information that merely states whether 
an individual is enrolled in or has been disenrolled from the plan) do 
not have to meet the notice requirements of Sec. 164.520 or the 
administrative requirements of Sec. 164.530, except for the 
documentation requirement in Sec. 164.530(j), because these 
requirements are satisfied by the issuer or HMO that is providing 
benefits under the group health plan. A group health plan, however, may 
not permit a health insurance issuer or HMO to disclose protected 
health information to a plan sponsor unless the notice required in 
Sec. 164.520 indicates such disclosure may occur.
    The final rule also permits a health plan that is providing 
insurance to a group health plan to provide summary information to the 
plan sponsor to permit the plan sponsor to solicit premium bids from 
other health plans or for the purpose of modifying, amending, or 
terminating the plan. The rule provides that summary information is 
information that summarizes claims history, claims expenses, or types 
of claims experienced by individuals for whom the plan sponsor has 
provided health benefits under a group health plan, provided that 
specified identifiers are not included. Summary information may be 
disclosed under this provision even if it does not meet the definition 
of de-identified information. As part of the notice requirements in 
Sec. 164.520, health plans must inform individuals that they may 
disclose protected health information to plan sponsors. The provision 
to allow summaries of claims experience to be disclosed to plan 
sponsors that purchase insurance will allow them to shop for 
replacement coverage, and get meaningful bids from prospective issuers. 
It also permits a plan sponsor to get summary information as part of 
its consideration of whether or not to change the benefits that are 
offered to employees or whether or not to terminate a group health 
plan.
    We note that a plan sponsor may perform enrollment functions on 
behalf of its employees without meeting the conditions above and 
without using the standard transactions described in the Transactions 
Rule.

Section 164.504(g)--Multiple Covered Function Entities

    Although not addressed in the proposed rule, this final rule also 
recognizes that a covered entity may as a single legal entity, 
affiliated entity, or other arrangement combine the functions or 
operations of health care providers, health plans and health care 
clearinghouses (for example, integrated health plans and health care 
delivery systems may function as both health plans and health care 
providers). The rule permits such covered entities to use or disclose 
the protected health information of their patients or members for all 
covered entity functions, consistent with the other requirements of 
this rule. The health care component must meet the requirements of this 
rule that apply to a particular type of covered entity when it is 
functioning as that entity; e.g., when a health care component is 
operating as a health care provider it must meet the requirements of 
this rule applicable to a health care provider. However, such covered 
entities may not use or disclose the protected health information of an 
individual who is not involved in a particular covered entity function 
for that function, and such information must be segregated from any 
joint information systems. For example, an HMO may integrate data about 
health plan members and clinic services to members, but a health care 
system may not share information about a patient in its hospital with 
its health plan if the patient is not a member of the health plan.

Section 164.506--Uses and Disclosures for Treatment, Payment, and 
Health Care Operations

Introduction: ``Consent'' versus ``Authorization''

    In the proposed rule, we used the term ``authorization'' to 
describe the individual's written permission for a covered entity to 
use and disclose protected health information, regardless of the 
purpose of the use or disclosure. Authorization would have been 
required for all uses and disclosures that were not otherwise permitted 
or required under the NPRM.
    We proposed to permit covered entities, subject to limited 
exceptions for psychotherapy notes and research information unrelated 
to treatment, to use and disclose protected health information to carry 
out treatment, payment, and health care operations without 
authorization. See proposed Sec. 164.506(a)(1).
    We also proposed to prohibit covered entities from requiring 
individuals to sign authorizations for uses and disclosures of 
protected health information for treatment, payment, and health care 
operations, unless required by other applicable law. See proposed 
Sec. 164.508(a)(iv). We instead proposed requiring covered entities to 
produce a notice describing their information practices, including 
practices with respect to uses and disclosures to carry out treatment, 
payment, and health care operations.
    In the final rule, we retain the requirement for covered entities 
to obtain the individual's written permission (an ``authorization'') 
for uses and disclosures of protected health information that are not 
otherwise permitted or required under the rule. However, under the 
final rule, we add a second type of written permission for use or 
disclosure of protected health information: a ``consent'' for uses and 
disclosures to carry out treatment, payment, and health care 
operations. In the final rule, we permit, and in some cases require, 
covered entities to obtain the individual's written permission for the 
covered entity to use or disclose protected health information other 
than psychotherapy notes to carry out treatment, payment, and health 
care operations. We refer to this written permission as a ``consent.''
    The ``consent'' and the ``authorization'' do not overlap. The 
requirement to obtain a ``consent'' applies in different circumstances 
than the requirement to obtain an authorization. In content, a consent 
and an authorization differ substantially from one another.
    As described in detail below, a ``consent'' allows use and 
disclosure of protected health information only for treatment, payment, 
and health care operations. It is written in general terms and refers 
the individual to the covered entity's notice for further information 
about the covered entity's privacy practices. It allows use and 
disclosure of protected health information by the covered entity 
seeking the consent, not by other persons. Most persons who obtain a 
consent will be health care providers; health plans and health care 
clearinghouses may also seek a consent. The consent requirements appear 
in Sec. 164.506 and are described in this section of the preamble.
    With a few exceptions, an ``authorization'' allows use and 
disclosure of protected health information for purposes other than 
treatment, payment, and health care 
operations. In order to make uses and disclosures that are not covered 
by the consent requirements and not otherwise permitted or required 
under the final rule, covered entities must obtain the individual's 
``authorization.'' An ``authorization'' must be written in specific 
terms. It may allow use and disclosure of protected health information 
by the covered entity seeking the authorization, or by a third party. 
In some instances, a covered entity may not refuse to treat or cover 
individuals based on the fact that they refuse to sign an 
authorization. See Sec. 164.508 and the corresponding preamble 
discussion regarding authorization requirements.

Section 164.506(a)--Consent Requirements

    We make significant changes in the final rule with respect to uses 
and disclosures of protected health information to carry out treatment, 
payment, and health care operations. We do not prohibit covered 
entities from seeking an individual's written permission for use or 
disclosure of protected health information to carry out treatment, 
payment, or health care operations.
    Except as described below, we instead require covered health care 
providers to obtain the individual's consent prior to using or 
disclosing protected health information to carry out treatment, 
payment, or health care operations. If the covered provider does not 
obtain the individual's consent, the provider is prohibited from using 
or disclosing protected health information about the individual for 
purposes of treating the individual, obtaining payment for health care 
delivered to the individual, or for the provider's health care 
operations. See Sec. 164.506(a)(1).
    We except two types of health care providers from this consent 
requirement. First, covered health care providers that have an indirect 
treatment relationship with an individual are not required to obtain 
the individual's consent prior to using or disclosing protected health 
information about the individual to carry out treatment, payment, and 
health care operations. An ``indirect treatment relationship'' is 
defined in Sec. 164.501 and described in the corresponding preamble. 
These providers may use and disclose protected health information as 
otherwise permitted under the rule and consistent with their notice of 
privacy practices (see Sec. 164.520 regarding notice requirements and 
Sec. 164.502(i) regarding requirements to adhere to the notice). For 
example, a covered provider that provides consultation services to 
another provider without seeing the patient would have an indirect 
treatment relationship with that patient and would not be required to 
obtain the patient's consent to use protected health information about 
the patient for the consultation. These covered providers are, however, 
permitted to obtain consent, as described below.
    Second, covered health care providers that create or receive 
protected health information in the course of providing health care to 
inmates of a correctional institution are not required to obtain the 
inmate's consent prior to using or disclosing protected health 
information about the inmate to carry out treatment, payment, and 
health care operations. See Sec. 164.501 and the corresponding preamble 
discussion regarding the definitions of ``correctional institution'' 
and ``inmate.'' These providers may use and disclose protected health 
information as otherwise permitted under the rule. These providers are 
permitted, however, to obtain consent, as described below.
    In addition, we permit covered health care providers to use and 
disclose protected health information, without consent, to carry out 
treatment, payment, and health care operations, if the protected health 
information was created or received in certain treatment situations. In 
the treatment situations described in Sec. 164.506(a)(3) and 
immediately below, the covered health care provider must attempt to 
obtain the individual's consent. If the covered provider is unable to 
obtain consent, but documents the attempt and the reason consent was 
not obtained, the covered provider may, without consent, use and 
disclose the protected health information resulting from the treatment 
as otherwise permitted under the rule. All other protected health 
information about that individual that the covered health care provider 
creates or receives, however, is subject to the consent requirements.
    This exception to the consent requirement applies to protected 
health information created or received in any of three treatment 
situations. First, the exception applies to protected health 
information created or received in emergency treatment situations. In 
these situations, covered providers must attempt to obtain the consent 
as soon as reasonably practicable after the delivery of the emergency 
treatment. Second, the exception applies to protected health 
information created or received in situations where the covered health 
care provider is required by law to treat the individual (for example, 
certain publicly funded providers) and the covered health care provider 
attempts to obtain such consent. Third, the exception applies to 
protected health information created or received in treatment 
situations where there are substantial barriers to communicating with 
the individual and, in the exercise of professional judgment, the 
covered provider clearly infers from the circumstances the individual's 
consent to receive treatment. For example, there may be situations in 
which a mentally incapacitated individual seeks treatment from a health 
care provider but is unable to provide informed consent to undergo such 
treatment and does not have a personal representative available to 
provide such consent on the individual's behalf. If the covered 
provider, in her professional judgment, believes she can legally 
provide treatment to that individual, we also permit the provider to 
use and disclose protected health information resulting from the 
treatment without the individual's consent. We intend covered health 
care providers that legally provide treatment without the individual's 
consent to that treatment to be able to use and disclose protected 
health information resulting from that treatment to carry out 
treatment, payment, or health care operations without obtaining the 
individual's consent for such use or disclosure. We do not intend to 
impose unreasonable barriers to individuals' ability to receive, and 
health care providers' ability to provide, health care.
    Under Sec. 164.506(a)(4), covered health care providers that have 
an indirect treatment relationship with an individual, as well as 
health plans and health care clearinghouses, may elect to seek consent 
for their own uses and disclosures to carry out treatment, payment, and 
health care operations. If such a covered entity seeks consent for 
these purposes, the consent must meet the minimum requirements 
described below.
    If a covered health care provider with an indirect treatment 
relationship, a health plan, or a health care clearinghouse does not 
seek consent, the covered entity may use or disclose protected health 
information to carry out treatment, payment, and health care operations 
as otherwise permitted under the rule and consistent with its notice of 
privacy practices (see Sec. 164.520 regarding notice requirements and 
Sec. 164.502(i) regarding requirements to adhere to the notice).
    If a covered health care provider with an indirect treatment 
relationship, a health plan, or a health care clearinghouse does ask an 
individual to sign a consent, and the individual does not do so, the 
covered entity is 
prohibited under Sec. 164.502(a)(1) from using or disclosing protected 
health information for the purpose(s) included in the consent. A 
covered entity that seeks a consent must adhere to the individual's 
decision.
    In Sec. 164.506(a)(5), we specify that a consent obtained by one 
covered entity is not effective to permit another covered entity to use 
or disclose protected health information, unless the consent is a joint 
consent. See Sec. 164.506(f) and the corresponding preamble discussion 
below regarding joint consents. A consent provides the individual's 
permission only for the covered entity that obtains the consent to use 
or disclose protected health information for treatment, payment, and 
health care operations. A consent under this section does not operate 
to authorize another covered entity to use or disclose protected health 
information, except where the other covered entity is operating as a 
business associate. We note that, where a covered entity is acting as a 
business associate of another covered entity, the business associate 
covered entity is acting for or on behalf of the principal covered 
entity, and its actions for or on behalf of the principal covered 
entity are authorized by the consent obtained by the principal covered 
entity. Thus, under this section, a health plan can obtain a consent 
that permits the health plan and its business associates to use and 
disclose protected health information that the health plan and its 
business associates create or receive. That consent cannot, however, 
permit another covered entity (that is not a business associate) to 
disclose protected health information to the health plan or to any 
other person.
    If a covered entity wants to obtain the individual's permission for 
another covered entity to disclose protected health information to it 
for treatment, payment, or health care operations purposes, it must 
seek an authorization in accordance with Sec. 164.508(e). For example, 
when a covered provider asks the individual for written permission to 
obtain the individual's medical record from another provider for 
treatment purposes, it must do so with an authorization, not a consent. 
Since the permission is for disclosure of protected health information 
by another person, a consent may not be used.

Section 164.506(b)--Consent General Requirements

    In the final rule, we permit a covered health care provider to 
condition the provision of treatment on the receipt of the individual's 
consent for the covered provider to use and disclose protected health 
information to carry out treatment, payment, and health care 
operations. Covered providers may refuse to treat individuals who do 
not consent to uses and disclosures for these purposes. See 
Sec. 164.506(b)(1). We note that there are exceptions to the consent 
requirements for covered health care providers that are required by law 
to treat individuals. See Sec. 164.506(a)(3), described above.
    Similarly, in the final rule, we permit health plans to condition 
an individual's enrollment in the health plan on the receipt of the 
individual's consent for the health plan to use and disclose protected 
health information to carry out treatment, payment, and health care 
operations, if the consent is sought in conjunction with the enrollment 
process. If the health plan seeks the individual's consent outside of 
the enrollment process, the health plan may not condition any services 
on obtaining such consent.
    Under Sec. 164.520, covered entities must produce a notice of 
privacy practices. A consent may not be combined in a single document 
with the notice of privacy practices. See Sec. 164.506(b)(3).
    Under Sec. 164.506(b)(4), consents for uses and disclosures of 
protected health information to carry out treatment, payment, and 
health care operations may be combined in a single document covering 
all three types of activities and may be combined with other types of 
legal permission from the individual. For example, a consent to use or 
disclose protected health information under this rule may be combined 
with an informed consent to receive treatment, a consent to assign 
payment of benefits to a provider, or narrowly tailored consents 
required under state law for the use or disclosure of specific types of 
protected health information (e.g., state laws requiring specific 
consent for any sharing of information related to HIV/AIDS).
    Within a single consent document, the consent for use and 
disclosure of protected health information required or permitted under 
this rule must be visually and organizationally separate from the other 
consents or authorizations and must be separately signed by the 
individual and dated.
    Where research includes treatment of the individual, a consent 
under this rule may be combined with the authorization for the use or 
disclosure of protected health information created for the research, in 
accordance with Sec. 164.508(f). (This is the only case in which an 
authorization under Sec. 164.508 of this rule may be combined with a 
consent under Sec. 164.506 of this rule. See Sec. 164.508(b)(3).) The 
covered entity that is creating protected health information for the 
research may elect to combine the consent required under this section 
with the research-related authorization required under Sec. 164.508(f). 
For example, a covered health care provider that provides health care 
to an individual for research purposes and for non-research purposes 
must obtain a consent under this section for all of the protected 
health information it maintains. In addition, it must obtain an 
authorization in accordance with Sec. 164.508(f) which describes how it 
will use and disclose the protected health information it creates for 
the research for purposes of treatment, payment, and health care 
operations. Section 164.506(b)(4) permits the covered entity to satisfy 
these two requirements with a single document. See Sec. 164.508(f) and 
the corresponding preamble discussion for a more detailed description 
of research authorization requirements.
    Under Sec. 164.506(b)(5), individuals may revoke a consent in 
writing at any time, except to the extent that the covered entity has 
taken action in reliance on the consent. Upon receipt of the written 
revocation, the covered entity must stop processing the information for 
use or disclosure, except to the extent that it has taken action in 
reliance on the consent. A covered health care provider may refuse, 
under this rule, to continue to treat an individual that revokes his or 
her consent. A health plan may disenroll an individual that revokes a 
consent that was sought in conjunction with the individual's enrollment 
in the health plan.
    Covered entities must document and retain any signed consent as 
required by Sec. 164.530(j).

Section 164.506(c)--Consent Content Requirements

    Under Sec. 164.506(c), the consent must be written in plain 
language. See the preamble discussion regarding notice of privacy 
practices for a description of plain language requirements. We do not 
provide a model consent in this rule. We will provide further guidance 
on drafting consent documents prior to the compliance date.
    Under Sec. 164.506(c)(1), the consent must inform the individual 
that protected health information may be used and disclosed by the 
covered entity to carry out treatment, payment, or health care 
operations. The covered entity must determine which of these elements 
(use and/or disclosure; treatment, payment, and/or health care 
operations) to include in the consent 
document, as appropriate for the covered entity's practices.
    For covered health care providers that are required to obtain 
consent, the requirement applies only to the extent the covered 
provider uses or discloses protected health information. For example, 
if all of a covered provider's health care operations are conducted by 
members of the covered provider's own workforce, the covered provider 
may choose to obtain consent only for uses, not disclosures, of 
protected health information to carry out health care operations. If an 
individual pays out of pocket for all services received from the 
covered provider and the provider will not disclose any information 
about the patient to a third party payor, the provider may choose not 
to obtain the individual's consent to disclose information for payment 
purposes. In order for a covered provider to be able to use and 
disclose information for all three purposes, however, all three 
purposes must be included in the consent.
    Under Secs. 164.506(c)(2) and (3), the consent must refer the 
individual to the covered entity's notice for additional information 
about the uses and disclosures of information described in the consent. 
The consent must also indicate that the individual has the right to 
review the notice prior to signing the consent. If the covered entity 
has reserved the right to change its privacy practices in accordance 
with Sec. 164.520(b)(1)(v)(C), the consent must indicate that the terms 
of the notice may change and must describe how the individual may 
obtain a revised notice. See Sec. 164.520 and the corresponding 
preamble discussion regarding notice requirements.
    Under Sec. 164.506(c)(4), the consent must inform individuals that 
they have the right to request restrictions on uses and disclosures of 
protected health information for treatment, payment, and health care 
operations purposes. It must also state that the covered entity is not 
required to agree to an individual's request, but that if the covered 
entity does agree to the request, the restriction is binding on the 
covered entity. See Sec. 164.522(a) regarding the right to request 
restrictions.
    Under Sec. 164.506(c)(5), the consent must indicate that the 
individual has the right to revoke the consent in writing, except to 
the extent that the covered entity has taken action in reliance on the 
consent.
    Under Sec. 164.506(c)(6), the consent must include the individual's 
signature and the date of signature. Once we adopt the standards for 
electronic signature, another of the required administrative 
simplification standards we are required to adopt under HIPAA, an 
electronic signature that meets those standards will be sufficient 
under this rule. We do not require any verification of the individual's 
identity or authentication of the individual's signature. We expect 
covered health care providers that are required to obtain consent to 
employ the same level of scrutiny to these signatures as they do to the 
signature obtained on a document regarding the individual's consent to 
undergo treatment by the provider.

Section 164.506(d)--Defective Consents

    Under Sec. 164.506(d), there is no ``consent'' within the meaning 
of the rule if the completed document lacks a required element or if 
the individual has revoked the consent in accordance with 
Sec. 164.506(b)(5).

Section 164.506(e)--Resolving Conflicting Consents and Authorizations

    Situations may arise where a covered entity that has obtained the 
individual's consent for the covered entity to use or disclose 
protected health information to carry out treatment, payment, or health 
care operations is asked to disclose protected health information 
pursuant to another written legal permission from the individual, such 
as an authorization, that was obtained by another person. Under 
Sec. 164.506(e), when the terms of a covered entity's consent conflict 
with the terms of another written legal permission from the individual 
to use or disclose protected health information (such as a consent 
obtained under state law by another covered entity or an 
authorization), the covered entity must adhere to the more restrictive 
document. By conflict, we mean that the consent and authorization 
contain inconsistencies. In implementing this section, we note that the 
consent under this section references the notice provided to the 
individual and the individual's right to request restrictions. In 
determining whether the covered entity's consent conflicts with another 
written legal permission provided by the individual, the covered entity 
must consider any limitations on its uses or disclosures resulting from 
the notice provided to the individual or from restrictions to which it 
has agreed. For example, a covered nursing home may elect to ask the 
patient to sign an authorization for the patient's covered primary care 
physician to forward the patient's medical records to the nursing home. 
The physician may have previously obtained the individual's consent for 
disclosure for treatment purposes. If the authorization obtained by the 
nursing home grants permission for the physician to disclose particular 
types of information, such as genetic information, but the consent 
obtained by the physician excludes such information or the physician 
has agreed to a restriction on that type of information, the physician 
may not disclose that information. The physician must adhere to the 
more restrictive written legal permission from the individual.
    When a conflict between a consent and another written legal 
permission from the individual exists, as described above, the covered 
entity may attempt to resolve the conflict with the individual by 
either obtaining a new consent from the individual or by having a 
discussion or otherwise communicating with the individual to determine 
the individual's preference regarding the use or disclosure. If the 
individual's preference is communicated orally, the covered entity must 
document the individual's preference and act in accordance with that 
preference. In the example described above, the primary care physician 
could ask the patient to sign a new consent that would permit the 
disclosure of the genetic information. Alternatively, the physician 
could ask the patient whether the patient intended for the genetic 
information to be disclosed to the nursing home. If the patient 
confirms that he or she intended for the genetic information to be 
shared, the physician can document that fact (e.g., by making a 
notation in the medical record) and disclose the information to the 
nursing home.
    We believe covered entities will rarely be faced with conflicts 
between consents and other written legal permission from the individual 
for uses and disclosures to carry out treatment, payment, and health 
care operations. Under Sec. 164.506(a)(5), we specify that a consent 
only permits the covered entity that obtains the consent to use or 
disclose protected health information. A consent obtained by one 
covered entity is not effective to permit a different covered 
entity to use or disclose protected health information. Conflicting 
consents obtained by covered entities, therefore, are not possible. We 
expect authorizations that permit another covered entity to use and 
disclose protected health information for treatment, payment, and 
health care operations purposes will rarely be necessary, because we 
expect covered entities that maintain protected health information to 
obtain consents that permit them to make anticipated uses and 
disclosures for these purposes. Nevertheless, covered entities are 
permitted under Sec. 164.508(e) to obtain

[[Page 82513]]

authorization for another covered entity to use or disclose protected 
health information to carry out treatment, payment, and health care 
operations. We recognize these authorizations may be useful to 
demonstrate an individual's intent and relationship to the intended 
recipient of the information. For example, these authorizations may be 
useful in situations where a health plan wants to obtain information 
from one provider in order to determine payment of a claim for services 
provided by a different provider (e.g., information from a primary care 
physician that is necessary to determine payment of services provided 
by a specialist) or where an individual's new physician wants to obtain 
the individual's medical records from prior physicians. Other persons 
not covered by this rule may also seek authorizations and state law may 
require written permission for specific types of information, such as 
information related to HIV/AIDS or to mental health. Because an 
individual may sign conflicting documents over time, we clarify that 
the covered entity maintaining the protected health information to be 
used or disclosed must adhere to the more restrictive permission the 
individual has granted, unless the covered entity resolves the conflict 
with the individual.

Section 164.506(f)--Joint Consents

    Covered entities that participate in an organized health care 
arrangement and that develop a joint notice under Sec. 164.520(d) may 
develop a joint consent in which the individual consents to the uses 
and disclosures of protected health information by each of the covered 
entities in the arrangement to carry out treatment, payment, and/or 
health care operations. The joint consent must identify with reasonable 
specificity the covered entities, or class of covered entities, to 
which the joint consent applies and must otherwise meet the consent 
requirements. If an individual revokes a joint consent, the covered 
entity that receives the revocation must inform the other entities 
covered by the joint consent of the revocation as soon as practicable.
    If any one of the covered entities included in the joint consent 
obtains the individual's consent, as required above, the consent 
requirement is met for all of the other covered entities to which the 
consent applies. For example, a covered hospital and the clinical 
laboratory and emergency departments with which it participates in an 
organized health care arrangement may produce a joint notice and obtain 
a joint consent. If the covered hospital obtains the individual's joint 
consent upon admission, and some time later the individual is 
readmitted through the associated emergency department, the emergency 
department's consent requirement will already have been met. These 
joint consents are the only type of consent by which one covered entity 
can obtain the individual's permission for another covered entity to 
use or disclose protected health information to carry out treatment, 
payment, or health care operations.

Effect of Consent

    These consents, as well as the authorizations described in 
Sec. 164.508, should not be construed to waive, directly or indirectly, 
any privilege granted under federal, state, or local law or procedure. 
Consents obtained under this regulation are not appropriate for the 
disposition of more technical and legal proceedings and may not comport 
with procedures and standards of federal, state, or local judicial 
practice. For example, state courts and other decision-making bodies 
may choose to examine more closely the circumstances and propriety of 
such consent and may adopt more protective standards for application in 
their proceedings. In the judicial setting, as in the legislative and 
executive settings, states may provide for greater protection of 
privacy. Additionally, both the Congress and the Secretary have 
established a general approach to protecting from explicit preemption 
state laws that are more protective of privacy than the protections set 
forth in this regulation.

Section 164.508--Uses and Disclosures for Which an Authorization Is 
Required

Section 164.508(a)--Standard

    We proposed to require covered entities to obtain the individual's 
authorization for all uses and disclosures of protected health 
information not otherwise permitted or required under the proposed 
rule. Uses and disclosures that would have been permitted without 
individual authorization included uses and disclosures for national 
priority purposes such as public health, law enforcement, and research 
(see proposed Sec. 164.510) and uses and disclosures of protected 
health information, other than psychotherapy notes and research 
information unrelated to treatment, for purposes of treatment, payment, 
and health care operations (see proposed Sec. 164.506). We also 
proposed to require covered entities to disclose protected health 
information to the individual for inspection and copying (see proposed 
Sec. 164.514) and to the Secretary as required for enforcement of the 
rule (see proposed Sec. 164.522). Individual authorization would not 
have been required for these uses and disclosures.
    We proposed to require covered entities to obtain the individual's 
authorization for all other uses and disclosures of protected health 
information. Under proposed Sec. 164.508(a), uses and disclosures that 
would have required individual authorization included, but were not 
limited to, the following:
    • Use for marketing of health and non-health items and 
services by the covered entity;
    • Disclosure by sale, rental, or barter;
    • Use and disclosure to non-health related divisions of the 
covered entity, e.g., for use in marketing life or casualty insurance 
or banking services;
    • Disclosure, prior to an individual's enrollment in a 
health plan, to the health plan or health care provider for making 
eligibility or enrollment determinations relating to the individual or 
for underwriting or risk rating determinations;
    • Disclosure to an employer for use in employment 
determinations; and
    • Use or disclosure for fundraising.
    In the preamble to the proposed rule, we stated that covered 
entities would be bound by the terms of authorizations. Uses or 
disclosures by the covered entity for purposes inconsistent with the 
statements made in the authorization would have constituted a violation 
of the rule.
    In the final rule, under Sec. 164.508(a), as in the proposed rule, 
covered entities must have authorization from individuals before using 
or disclosing protected health information for any purpose not 
otherwise permitted or required by this rule. Specifically, except for 
psychotherapy notes (see below), covered entities are not required to 
obtain the individual's authorization to use or disclose protected 
health information to carry out treatment, payment, and health care 
operations. (Covered entities may, however, be required to obtain the 
individual's consent for these uses and disclosures. See the preamble 
regarding Sec. 164.506 for a discussion of ``consent'' versus 
``authorization''.) We also do not require covered entities to obtain 
the individual's authorization for uses and disclosures of protected 
health information permitted under Secs. 164.510 or 164.512, for 
disclosures to the individual, or for required disclosures to the 
Secretary under subpart C of part 160 of this subchapter for 
enforcement of this rule.
    In the final rule, we clarify that covered entities are bound by 
the

[[Page 82514]]

statements provided on the authorization; use or disclosure by the 
covered entity for purposes inconsistent with the statements made in 
the authorization constitutes a violation of this rule.
    Unlike the proposed rule, we do not include in the regulation 
examples of the types of uses and disclosures that require individual 
authorization. We eliminated two examples from the proposed list due to 
potential confusion as to our intent: disclosure by sale, rental, or 
barter and use and disclosure to non-health related divisions of the 
covered entity. We recognize that covered entities sometimes make these 
types of uses and disclosures for purposes that are permitted under the 
rule without authorization. For example, a covered health care provider 
may sell its accounts receivable to a collection agency for payment 
purposes and a health plan may disclose protected health information to 
its life insurance component for payment purposes. We do not intend to 
require authorization for uses and disclosures made by sale, rental, or 
barter or for disclosures made to non-health related divisions of the 
covered entity, if those uses or disclosures could otherwise be made 
without authorization under this rule. As with any other use or 
disclosure, however, uses and disclosures of protected health 
information for these purposes do require authorization if they are not 
otherwise permitted under the rule.
    We also eliminated the remaining proposed examples from the final 
rule due to concern that these examples might be misinterpreted as an 
exhaustive list of all of the uses and disclosures that require 
individual authorization. We discuss the examples here, however, to 
clarify the interaction of the authorization requirements and the 
provisions of the rule that permit uses and disclosures without 
authorization and/or with consent. Uses and disclosures for which 
covered entities must have the individual's authorization include, but 
are not limited to, the following activities.

Marketing

    As in the proposed rule, covered entities must obtain the 
individual's authorization before using or disclosing protected health 
information for marketing purposes. In the final rule, we add a new 
definition of marketing (see Sec. 164.501). For more detail on what 
activities constitute marketing, see Sec. 164.501, definition of 
``marketing,'' and Sec. 164.514(e).

Pre-Enrollment Underwriting

    As in the proposed rule, covered entities must obtain the 
individual's authorization to use or disclose protected health 
information for the purpose of making eligibility or enrollment 
determinations relating to an individual or for underwriting or risk 
rating determinations, prior to the individual's enrollment in a health 
plan (that is, for purposes of pre-enrollment underwriting). For 
example, if an individual applies for new coverage with a health plan 
in the non-group market and the health plan wants to review protected 
health information from the individual's covered health care providers 
before extending an offer of coverage, the individual first must 
authorize the covered providers to share the information with the 
health plan. If the individual applies for renewal of existing 
coverage, however, the health plan would not need to obtain an 
authorization to review its existing claims records about that 
individual, because this activity would come within the definition of 
health care operations and be permissible. We also note that under 
Sec. 164.504(f), a group health plan and a health insurance issuer that 
provides benefits with respect to a group health plan are permitted in 
certain circumstances to disclose summary health information to the 
plan sponsor for the purpose of obtaining premium bids. Because these 
disclosures fall within the definition of health care operations, they 
do not require authorization.

Employment Determinations

    As in the proposed rule, covered entities must obtain the 
individual's authorization to use or disclose protected health 
information for employment determinations. For example, a covered 
health care provider must obtain the individual's authorization to 
disclose the results of a pre-employment physical to the individual's 
employer. The final rule provides that a covered entity may condition 
the provision of health care that is solely for the purpose of creating 
protected health information for disclosure to a third party on the 
provision of authorization for the disclosure of the information to the 
third party.

Fundraising

    Under the proposed regulation, we would have required authorization 
before a covered entity could have used or disclosed protected health 
information for fundraising. In the final rule, we narrow the 
circumstances under which covered entities must obtain the individual's 
authorization to use or disclose protected health information for 
fundraising purposes. As provided in Sec. 164.514(f) and described in 
detail in the corresponding preamble, authorization is not required 
when a covered entity uses or discloses demographic information and 
information about the dates of health care provided to an individual 
for the purpose of raising funds for its own benefit, nor when it 
discloses such information to an institutionally related foundation to 
raise funds for the covered entity.
    Any use or disclosure for fundraising purposes that does not meet 
the requirements of Sec. 164.514(f) and does not fall within the 
definition of health care operations (see Sec. 164.501) requires 
authorization. Specifically, covered entities must obtain the 
individual's authorization to use or disclose protected health 
information to raise funds for any entity other than the covered 
entity. For example, a covered entity must have the individual's 
authorization to use protected health information about the individual 
to solicit funds for a non-profit organization that engages in 
research, education, and awareness efforts about a particular disease.

Psychotherapy Notes

    In the NPRM, we proposed different rules with respect to 
psychotherapy notes than we proposed with respect to all other 
protected health information. The proposed rule would have required 
covered entities to obtain an authorization for any use or disclosure 
of psychotherapy notes to carry out treatment, payment, or health care 
operations, unless the use was by the person who created the 
psychotherapy notes. With respect to all other protected health 
information, we proposed to prohibit covered entities from requiring 
authorization for uses and disclosures for these purposes.
    We significantly revise our approach to psychotherapy notes in the 
final rule. With a few exceptions, covered entities must obtain the 
individual's authorization to use or disclose psychotherapy notes to 
carry out treatment, payment, or health care operations. A covered 
entity must obtain the individual's consent, but not an authorization, 
for the person who created the psychotherapy notes to use the notes to 
carry out treatment and for the covered entity to use or disclose 
psychotherapy notes for conducting training programs in which students, 
trainees, or practitioners in mental health learn under supervision to

[[Page 82515]]

practice or improve their skills in group, joint, family, or individual 
counseling. A covered entity may also use psychotherapy notes to defend 
a legal action or other proceeding brought by the individual pursuant 
to a consent, without a specific authorization. We note that, while 
this provision allows disclosure of these records to the covered 
entity's attorney to defend against the action or proceeding, 
disclosure to others in the course of a judicial or administrative 
proceeding is governed by Sec. 164.512(e). This special provision is 
necessary because disclosure of protected health information for 
purposes of legal representatives may be made under the general consent 
as part of ``health care operations.'' Because we require an 
authorization for disclosure of psychotherapy notes for ``health care 
operations,'' an exception is needed to allow covered entities to use 
protected health information about an individual to defend themselves 
against an action threatened or brought by that individual without 
asking that individual for authorization to do so. Otherwise, a consent 
under Sec. 164.506 is not sufficient for the use or disclosure of 
psychotherapy notes to carry out treatment, payment, or health care 
operations. Authorization is required. We anticipate these 
authorizations will rarely be necessary, since psychotherapy notes do 
not include information that covered entities typically need for 
treatment, payment, or other types of health care operations.
    In the NPRM, we proposed to permit covered entities to use and 
disclose psychotherapy notes for all other purposes permitted or 
required under the rule without authorization. In the final rule, we 
specify a more limited set of uses and disclosures of psychotherapy 
notes that covered entities are permitted to make without 
authorization. An authorization is not required for use or disclosure 
of psychotherapy notes when required for enforcement purposes, in 
accordance with subpart C of part 160 of this subchapter; when mandated 
by law, in accordance with Sec. 164.512(a); when needed for oversight 
of the health care provider who created the psychotherapy notes, in 
accordance with Sec. 164.512(d); when needed by a coroner or medical 
examiner, in accordance with Sec. 164.512(g)(1); or when needed to 
avert a serious and imminent threat to health or safety, in accordance 
with Sec. 164.512(j)(1)(i). We also provide transition provisions in 
Sec. 164.532 regarding the effect of express legal permission obtained 
from an individual prior to the compliance date of this rule.

Section 164.508(b)--Implementation Specifications for Authorizations

Valid and Defective Authorizations

    We proposed to require a minimum set of elements for authorizations 
requested by the individual and an additional set of elements for 
authorizations requested by a covered entity. We would have permitted 
covered entities to use and disclose protected health information 
pursuant to authorizations containing the applicable required elements. 
We would have prohibited covered entities from acting on an 
authorization if the submitted document had any of the following 
defects:
    • The expiration date had passed;
    • The form had not been filled out completely;
    • The covered entity knew the authorization had been 
revoked;
    • The completed form lacked a required element; or
    • The covered entity knew the information on the form was 
false.
    In Sec. 164.508(b)(1) of the final rule, we specify that an 
authorization containing the applicable required elements (as described 
below) is a valid authorization. We clarify that a valid authorization 
may contain additional, non-required elements, provided that these 
elements are not inconsistent with the required elements. Covered 
entities are not required to use or disclose protected health 
information pursuant to a valid authorization. Our intent is to clarify 
that a covered entity that uses or discloses protected health 
information pursuant to an authorization meeting the applicable 
requirements will be in compliance with this rule.
    We retain the provision prohibiting covered entities from acting on 
an authorization if the submitted document has any of the listed 
defects, with a few changes. First, in Sec. 164.508(c)(1)(iv) we 
specify that an authorization may expire upon a certain event or on a 
specific date. For example, a valid authorization may state that it 
expires upon acceptance or rejection of an application for insurance or 
upon the termination of employment (for example, in an authorization 
for disclosure of protected health information for fitness-for-duty 
purposes) or similar event. The expiration event must, however, be 
related to the individual or the purpose of the use or disclosure. An 
authorization that purported to expire on the date when the stock 
market reached a specified level would not be valid. Under 
Sec. 164.508(b)(2)(i), if the expiration event is known by the covered 
entity to have occurred, the authorization is defective. Second, we 
clarify that certain compound authorizations, as described below, are 
defective. We also clarify that authorizations that are not completely 
filled out with respect to the required elements are defective. 
Finally, we clarify that an authorization with information that the 
covered entity knows to be false is defective only if the information 
is material.
    As under the proposed regulation, an authorization that the covered 
entity knows has been revoked is not a valid authorization. We note 
that, although an authorization must be revoked in writing, the covered 
entity may not always ``know'' that an authorization has been revoked. 
The writing required for an individual to revoke an authorization may 
not always trigger the ``knowledge'' required for a covered entity to 
consider an authorization defective. Conversely, a copy of the written 
revocation is not required before a provider ``knows'' that an 
authorization has been revoked.
    Many authorizations will be obtained by persons other than the 
covered entity. If the individual revokes an authorization by writing 
to that other person, and neither the individual nor the other person 
informs the covered entity of the revocation, the covered entity will 
not ``know'' that the authorization has been revoked. For example, a 
government agency may obtain an individual's authorization for ``all 
providers who have seen the individual in the past year'' to disclose 
protected health information to the agency for purposes of determining 
eligibility for benefits. The individual may revoke the authorization 
by writing to the government agency requesting such revocation. We 
cannot require the agency to inform all covered entities to whom it has 
presented the authorization that the authorization has been revoked. If 
a covered entity does not know of the revocation, the covered entity 
will not violate this rule by acting pursuant to the authorization. At 
the same time, if the individual does inform the covered entity of the 
revocation, even orally, the covered entity ``knows'' that the 
authorization has been revoked and can no longer treat the 
authorization as valid under this rule. Thus, in this example, if the 
individual tells a covered entity that the individual has revoked the 
authorization, the covered entity ``knows'' of the revocation and must 
consider the authorization defective under Sec. 164.508(b)(2).

[[Page 82516]]

Compound Authorizations

    Except for authorizations requested in connection with a clinical 
trial, we proposed to prohibit covered entities from combining an 
authorization for use or disclosure of protected health information for 
purposes other than treatment, payment, or health care operations with 
an authorization or consent for treatment (e.g., an informed consent to 
receive care) or payment (e.g., an assignment of benefits).
    We clarify the prohibition on compound authorizations in the final 
rule. Other than as described below, Sec. 164.508(b)(3) prohibits a 
covered entity from acting on an authorization required under this rule 
that is combined with any other document, including any other written 
legal permission from the individual. For example, an authorization 
under this rule may not be combined with a consent for use or 
disclosure of protected health information under Sec. 164.506, with the 
notice of privacy practices under Sec. 164.520, with any other form of 
written legal permission for the use or disclosure of protected health 
information, with an informed consent to participate in research, or 
with any other form of consent or authorization for treatment or 
payment.
    There are three exceptions to this prohibition. First, under 
Sec. 164.508(f) (described in more detail, below), an authorization for 
the use or disclosure of protected health information created for 
research that includes treatment of the individual may be combined with 
a consent for the use or disclosure of that protected health 
information to carry out treatment, payment, or health care operations 
under Sec. 164.506 and with other documents as provided in 
Sec. 164.508(f). Second, authorizations for the use or disclosure of 
psychotherapy notes for multiple purposes may be combined in a single 
document, but may not be combined with authorizations for the use or 
disclosure of other protected health information. Third, authorizations 
for the use or disclosure of protected health information other than 
psychotherapy notes may be combined, provided that the covered entity 
has not conditioned the provision of treatment, payment, enrollment, or 
eligibility on obtaining the authorization. If a covered entity 
conditions any of these services on obtaining an authorization from the 
individual, as permitted in Sec. 164.508(b)(4) and described below, the 
covered entity must not combine the authorization with any other 
document.
    The following are examples of valid compound authorizations: an 
authorization for the disclosure of information created for clinical 
research combined with a consent for the use or disclosure of other 
protected health information to carry out treatment, payment, and 
health care operations, and the informed consent to participate in the 
clinical research; an authorization for disclosure of psychotherapy 
notes for both treatment and research purposes; and an authorization 
for the disclosure of the individual's demographic information for both 
marketing and fundraising purposes. Examples of invalid compound 
authorizations include: an authorization for the disclosure of 
protected health information for treatment, for research, and for 
determining payment of a claim for benefits, when the covered entity 
will refuse to pay the claim if the individual does not sign the 
authorization; or an authorization for the disclosure of psychotherapy 
notes combined with an authorization to disclose any other protected 
health information.

Prohibition on Conditioning Treatment, Payment, Eligibility, or 
Enrollment

    We proposed to prohibit covered entities from conditioning 
treatment or payment on the provision by the individual of an 
authorization, except when the authorization was requested in 
connection with a clinical trial. In the case of authorization for use 
or disclosure of psychotherapy notes or research information unrelated 
to treatment, we proposed to prohibit covered entities from 
conditioning treatment, payment, or enrollment in a health plan on 
obtaining such an authorization.
    We retain this basic approach but refine its application in the 
final rule. In addition to the general prohibition on conditioning 
treatment and payment, covered entities are also prohibited (with 
certain exceptions described below) from conditioning eligibility for 
benefits or enrollment in a health plan on obtaining an authorization. 
This prohibition extends to all authorizations, not just authorizations 
for use or disclosure of psychotherapy notes. This prohibition is 
intended to prevent covered entities from coercing individuals into 
signing an authorization for a use or disclosure that is not necessary 
to carry out the primary services that the covered entity provides to 
the individual. For example, a health care provider could not refuse to 
treat an individual because the individual refused to authorize a 
disclosure to a pharmaceutical manufacturer for the purpose of 
marketing a new product.
    We clarify the proposed research exception to this prohibition. 
Covered entities seeking authorization in accordance with 
Sec. 164.508(f) to use or disclose protected health information created 
for the purpose of research that includes treatment of the individual, 
including clinical trials, may condition the research-related treatment 
on the individual's authorization. Permitting use of protected health 
information is part of the decision to receive care through a clinical 
trial, and health care providers conducting such trials should be able 
to condition research-related treatment on the individual's willingness 
to authorize the use or disclosure of his or her protected health 
information for research associated with the trial.
    In addition, we permit health plans to condition eligibility for 
benefits and enrollment in the health plan on the individual's 
authorization for the use or disclosure of protected health information 
for purposes of eligibility or enrollment determinations relating to 
the individual or for its underwriting or risk-rating determinations. 
We also permit health plans to condition payment of a claim for 
specified benefits on the individual's authorization for the disclosure 
of information maintained by another covered entity to the health plan, 
if the disclosure is necessary to determine payment of the claim. These 
exceptions do not apply, however, to authorization for the use or 
disclosure of psychotherapy notes. Health plans may not condition 
payment, eligibility, or enrollment on the receipt of an authorization 
for the use or disclosure of psychotherapy notes, even if the health 
plan intends to use the information for underwriting or payment 
purposes.
    Finally, when a covered entity provides treatment for the sole 
purpose of providing information to a third party, the covered entity 
may condition the treatment on the receipt of an authorization to use 
or disclose protected health information related to that treatment. For 
example, a covered health care provider may have a contract with an 
employer to provide fitness-for-duty exams to the employer's employees. 
The provider may refuse to conduct the exam if an individual refuses to 
authorize the provider to disclose the results of the exam to the 
employer. Similarly, a covered health care provider may have a contract 
with a life insurer to provide pre-enrollment physicals to applicants 
for life insurance coverage. The provider may refuse to conduct the 
physical if an individual refuses to authorize the provider to disclose 
the results of the physical to the life insurer.

[[Page 82517]]

Revocation of Authorizations

    We proposed to allow individuals to revoke an authorization at any 
time, except to the extent that the covered entity had taken action in 
reliance on the authorization.
    We retain this provision, but specify that the individual must 
revoke the authorization in writing. When an individual revokes an 
authorization, a covered entity that knows of such revocation must stop 
making uses and disclosures pursuant to the authorization to the 
greatest extent practical. A covered entity may continue to use and 
disclose protected health information in accordance with the 
authorization only to the extent the covered entity has taken action in 
reliance on the authorization. For example, a covered entity is not 
required to retrieve information that it has already disclosed in 
accordance with the authorization. (See above for discussion of how 
written revocation of an authorization and knowledge of that revocation 
may differ.)
    We also include an additional exception. Under Sec. 164.508(b)(5), 
individuals do not have the right to revoke an authorization if the 
authorization was obtained as a condition of obtaining insurance 
coverage and other applicable law provides the insurer that obtained 
the authorization with the right to contest a claim under the policy. 
We intend this exception to permit insurers to obtain necessary 
protected health information during contestability periods under state 
law. For example, an individual may not revoke an authorization for the 
disclosure of protected health information to a life insurer for the 
purpose of investigating material misrepresentation if the individual's 
policy is still subject to the contestability period.

Documentation

    In the final rule, we clarify that a covered entity must document 
and retain any signed authorization as required by Sec. 164.530(j) (see 
below).

Section 164.508(c)--Core Elements and Requirements

    We proposed to require authorizations requested by individuals to 
contain a minimum set of elements: a description of the information to 
be used or disclosed; the name of the covered entity, or class of 
entities or persons, authorized to make the use or disclosure; the name 
or types of recipient(s) of the information; an expiration date; the 
individual's signature and date of signature; if signed by a 
representative, a description of the representative's authority or 
relationship to the individual; a statement regarding the individual's 
right to revoke the authorization; and a statement that the information 
may no longer be protected by the federal privacy law. We proposed a 
model authorization form that entities could have used to satisfy the 
authorization requirements. If the model form was not used, we proposed 
to require covered entities to use authorization forms written in plain 
language.
    We modify the proposed approach by eliminating the distinction 
between authorizations requested by the individuals and authorizations 
requested by others. Instead, we prescribe a minimum set of elements 
for authorizations and certain additional elements when the 
authorization is requested by a covered entity for its own use or 
disclosure of protected health information it maintains or for receipt 
of protected health information from another covered entity to carry 
out treatment, payment, or health care operations.
    The core elements are required for all authorizations, not just 
authorizations requested by individuals. Individuals seek disclosure of 
protected health information about them to others in many 
circumstances, such as when applying for life or disability insurance, 
when government agencies conduct suitability investigations, and in 
seeking certain job assignments when health status is relevant. Another 
common instance is tort litigation, when an individual's attorney needs 
individually identifiable health information to evaluate an injury 
claim and asks the individual to authorize disclosure of records 
relating to the injury to the attorney. In each of these situations, 
the individual may go directly to the covered entity and ask it to send 
the relevant information to the intended recipient. Alternatively, the 
intended recipient may ask the individual to complete a form, which the 
recipient will submit to the covered entity on the individual's behalf, 
that authorizes the covered entity to disclose the information. Whether 
the authorization is submitted to the covered entity by the individual 
or by another person on the individual's behalf, the covered entity 
maintaining protected health information may not use or disclose it 
pursuant to an authorization unless the authorization meets the 
following requirements.
    First, the authorization must include a description of the 
information to be used or disclosed, with sufficient specificity to 
allow the covered entity to know which information the authorization 
references. For example, the authorization may include a description of 
``laboratory results from July 1998'' or ``all laboratory results'' or 
``results of MRI performed in July 1998.'' The covered entity can then 
use or disclose that information and only that information. If the 
covered entity does not understand what information is covered by the 
authorization, the use or disclosure is not permitted unless the 
covered entity clarifies the request.
    There are no limitations on the information that can be authorized 
for disclosure. If an individual wishes to authorize a covered entity 
to disclose his or her entire medical record, the authorization can so 
specify. In order for the covered entity to disclose the entire medical 
record, the authorization must be specific enough to ensure that the 
individual has a clear understanding that the entire record will be 
disclosed. For example, if the Social Security Administration seeks 
authorization for release of all health information to facilitate the 
processing of benefit applications, then the description on the 
authorization form must specify ``all health information'' or the 
equivalent.
    In some instances, a covered entity may be reluctant to undertake 
the effort to review the record and select portions relevant to the 
request (or redact portions not relevant). In such circumstances, 
covered entities may provide the entire record to the individual, who 
may then redact and release the more limited information to the 
requestor. This rule does not require a covered entity to disclose 
information pursuant to an individual's authorization.
    Second, the authorization must include the name or other specific 
identification of the person(s) or class of persons that are authorized 
to use or disclose the protected health information. If an 
authorization permits a class of covered entities to disclose 
information to an authorized person, the class must be stated with 
sufficient specificity so that a covered entity presented with the 
authorization will know with reasonable certainty that the individual 
intended the covered entity to release protected health information. 
For example, a covered licensed nurse practitioner presented with an 
authorization for ``all physicians'' to disclose protected health 
information could not know with reasonable certainty that the 
individual intended for the practitioner to be included in the 
authorization.
    Third, the authorization must include the name or other specific 
identification of the person(s) or class of persons to

[[Page 82518]]

whom the covered entity is authorized to make the use or disclosure. 
The authorization must identify these persons with sufficient 
specificity to reasonably permit a covered entity responding to the 
authorization to identify the authorized user or recipient of the 
protected health information. Often, individuals provide authorizations 
to third parties, who present them to one or more covered entities. For 
example, an authorization could be completed by an individual and given 
to a government agency, authorizing the agency to receive medical 
information from any health care provider that has treated the 
individual within a defined period of time. Such an authorization is 
permissible (subject to the other requirements of this part) if it 
sufficiently identifies the government entity that is authorized to 
receive the disclosed protected health information.
    Fourth, the authorization must state an expiration date or event. 
This expiration date or event must either be a specific date (e.g., 
January 1, 2001), a specific time period (e.g., one year from the date 
of signature), or an event directly relevant to the individual or the 
purpose of the use or disclosure (e.g., for the duration of the 
individual's enrollment with the health plan that is authorized to make 
the use or disclosure). We note that the expiration date or event is 
subject to otherwise applicable and more stringent law. For example, 
the National Association of Insurance Commissioners' Insurance 
Information and Privacy Protection Model Act, adopted in at least 
fifteen states, specifies that authorizations signed for the purpose of 
collecting information in connection with an application for a life, 
health, or disability insurance policy are permitted to remain valid 
for no longer than thirty months. In those states, the longest such an 
authorization may remain in effect is therefore thirty months, 
regardless of the expiration date or event indicated on the form.
    Fifth, the authorization must state that the individual has the 
right to revoke an authorization in writing, except to the extent that 
action has been taken in reliance on the authorization or, if 
applicable, during a contestability period. The authorization must 
include instructions on how the individual may revoke the 
authorization. For example, the person obtaining the authorization from 
the individual can include an address where the individual can send a 
written request for revocation.
    Sixth, the authorization must inform the individual that, when the 
information is used or disclosed pursuant to the authorization, it may 
be subject to re-disclosure by the recipient and may no longer be 
protected by this rule.
    Seventh, the authorization must include the individual's signature 
and the date of the signature. Once we adopt the standards for 
electronic signature, another of the required administrative 
simplification standards we are required to adopt under HIPAA, an 
electronic signature that meets those standards will be sufficient 
under this rule. We do not require verification of the individual's 
identity or authentication of the individual's signature.
    Finally, if the authorization is signed by a personal 
representative of the individual, the representative must indicate his 
or her authority to act for the individual.
    As in the proposed rule, the authorization must be written in plain 
language. See the preamble discussion regarding notice of privacy 
practices (Sec. 164.520) for a discussion of the plain language 
requirement. We do not provide a model authorization in this rule. We 
will provide further guidance on this issue prior to the compliance 
date.

Section 164.508(d)--Authorizations Requested by a Covered Entity for 
Its Own Uses and Disclosures

    We proposed to require covered entities to include additional 
elements in authorizations initiated by the covered entity. Before a 
covered entity could use or disclose protected health information of an 
individual pursuant to a request the covered entity made, we proposed 
to require the entity to obtain an authorization containing the minimum 
elements described above and the following additional elements: except 
for authorizations requested for clinical trials, a statement that the 
entity will not condition treatment or payment on the individual's 
authorization; a description of the purpose of the requested use or 
disclosure; a statement that the individual may inspect or copy the 
information to be used or disclosed and may refuse to sign the 
authorization; and, if the use or disclosure of the requested 
information will result in financial gain to the entity, a statement 
that such gain will result.
    We additionally proposed to require covered entities, when 
requesting an individual's authorization, to request only the minimum 
amount of information necessary to accomplish the purpose for which the 
request was made. We also proposed to require covered entities to 
provide the individual with a copy of the executed authorization.
    We retain the proposed approach, but apply these additional 
requirements when the covered entity requests the individual's 
authorization for the entity's own use or disclosure of protected 
health information maintained by the covered entity itself. For 
example, a health plan may ask individuals to authorize the plan to 
disclose protected health information to a subsidiary to market life 
insurance to the individual. A pharmaceutical company may also ask a 
covered provider to recruit patients for drug research; if the covered 
provider asks patients to sign an authorization for the provider to 
disclose protected health information to the pharmaceutical company for 
this research, this is also an authorization requested by a covered 
entity for disclosure of protected health information maintained by the 
covered entity. When covered entities initiate the authorization by 
asking individuals to authorize the entity to use or disclose protected 
health information that the entity maintains, the authorization must 
include all of the elements required above as well as several 
additional elements.
    Authorizations requested by covered entities for the covered 
entity's own use or disclosure of protected health information must 
state, as applicable under Sec. 164.508(b)(4), that the covered entity 
will not condition treatment, payment, enrollment, or eligibility on 
the individual's authorization for the use or disclosure. For example, 
if a health plan asks an individual to sign an authorization for the 
health plan to disclose protected health information to a non-profit 
advocacy group for the advocacy group's fundraising purposes, the 
authorization must contain a statement that the health plan will not 
condition treatment, payment, enrollment in the health plan, or 
eligibility for benefits on the individual providing the authorization.
    Authorizations requested by covered entities for their own uses and 
disclosures of protected health information must also identify each 
purpose for which the information is to be used or disclosed. The 
required statement of purpose(s) must provide individuals with the 
facts they need to make an informed decision whether to allow release 
of the information. We prohibit the use of broad or blanket 
authorizations requesting the use or disclosure of protected health 
information for a wide range of unspecified purposes. Both the 
information that is to be used or disclosed and the specific purpose(s) 
for such uses or disclosures must be stated in the authorization.

[[Page 82519]]

    Authorizations requested by covered entities for their own uses and 
disclosures must also advise individuals of certain rights available to 
them under this rule. The authorization must state that the individual 
may inspect or copy the information to be used or disclosed as provided 
in Sec. 164.524 regarding access for inspection and copying and that 
the individual may refuse to sign the authorization.
    We alter the proposed requirements with respect to authorizations 
for which the covered entity will receive financial gain. When the 
covered entity initiates the authorization and the covered entity will 
receive direct or indirect remuneration from a third party (rather than 
financial gain, as proposed) in exchange for using or disclosing the 
protected health information, the authorization must include a 
statement that such remuneration will result. For example, a health 
plan may wish to sell or rent its enrollee mailing list or a 
pharmaceutical company may offer a covered provider a discount on its 
products if the provider obtains authorization to disclose the 
demographic information of patients with certain diagnoses so that the 
company can market new drugs to them directly. In each case, the 
covered entity must obtain the individual's authorization, and the 
authorization must include a statement that the covered entity will 
receive remuneration.
    In Sec. 164.508(d)(2), we continue to require a covered entity that 
requests an authorization for its own use or disclosure of protected 
health information to provide the individual with a copy of the signed 
authorization. While we eliminate from this section the provision 
requiring covered entities to obtain authorization for use or 
disclosure of the minimum necessary protected health information, 
Sec. 164.514(d)(4) requires covered entities to request only the 
minimum necessary protected health information to accomplish the 
purpose for which the request is made. This requirement applies to 
these authorizations, as well as other requests.

Section 164.508(e)--Authorizations Requested by a Covered Entity for 
Disclosures by Others

    In the proposed rule, we would have prohibited all covered entities 
from requiring the individual's written legal permission (as proposed, 
an ``authorization'') for the use or disclosure of protected health 
information to carry out treatment, payment, or health care operations. 
We generally eliminate this prohibition in the final rule, except to 
specify that a consent obtained by one covered entity is not effective 
to permit another covered entity to use or disclose protected health 
information. See Sec. 164.506(a)(5) and the corresponding preamble 
discussion.
    In the final rule, if a covered entity seeks the individual's 
written legal permission to obtain protected health information about 
the individual from another covered entity for any purpose, it must 
obtain the individual's authorization for the covered entity that 
maintains the protected health information to make the disclosure. If 
the authorization is for the purpose of obtaining protected health 
information for purposes other than treatment, payment, or health care 
operations, the authorization need only contain the core elements 
required by Sec. 164.508(c) and described above.
    If the authorization, however, is for the purpose of obtaining 
protected health information to carry out treatment, payment, or health 
care operations, the authorization must meet the requirements of 
Sec. 164.508(e). We expect such authorizations will rarely be 
necessary, because we expect covered entities that maintain protected 
health information to obtain consents that permit them to make 
anticipated uses and disclosures for these purposes. An authorization 
obtained by another covered entity that authorizes the covered entity 
maintaining the protected health information to make a disclosure for 
the same purpose, therefore, would be unnecessary.
    We recognize, however, that these authorizations may be useful to 
demonstrate an individual's intent and relationship to the intended 
recipient of the information when the intent or relationship is not 
already clear. For example, a long term care insurer may need 
information from an individual's health care providers about the 
individual's ability to perform activities of daily living in order to 
determine payment of a long term care claim. The providers that hold 
the information may not be providing the long term care and may not, 
therefore, be aware of the individual's coverage under the policy or 
that the individual is receiving long term care services. An 
authorization obtained by the long term care insurer will help to 
demonstrate these facts to the providers holding the information, which 
will make them more confident that the individual intends for the 
information to be shared. Similarly, an insurer with subrogation 
obligations may need health information from the enrollee's providers 
to assess or prosecute the claim. A patient's new physician may also 
need medical records from the patient's prior providers in order to 
treat the patient. Without an authorization that demonstrates the 
patient's intent for the information to be shared, the covered entity 
that maintains the protected health information may be reluctant to 
provide the information, even if that covered entity's consent permits 
such disclosure to occur.
    These authorizations may also be useful to accomplish clinical 
coordination and integration among covered entities that do not meet 
the definitions of affiliated covered entities or organized health care 
arrangements. For example, safety-net providers that participate in the 
Community Access Program (CAP) may not qualify as organized health care 
arrangements but may want to share protected health information with 
each other in order to develop and expand integrated systems of care 
for uninsured people. An authorization under this section would permit 
such providers to receive protected health information from other CAP 
participants to engage in such activities.
    Because of such concerns, we permit a covered entity to request the 
individual's authorization to obtain protected health information from 
another covered entity to carry out treatment, payment, and health care 
operations. In these situations, the authorization must contain the 
core elements described above and must also describe each purpose of 
the requested disclosure.
    With one exception, the authorization must also indicate that the 
authorization is voluntary. It must state that the individual may 
refuse to sign the authorization and that the covered entity requesting 
the authorization will not condition the provision of treatment, 
payment, enrollment in the health plan, or eligibility for benefits on 
obtaining the individual's authorization. If the authorization is for a 
disclosure of information that is necessary to determine payment of a 
claim for specified benefits, however, the health plan requesting the 
authorization may condition the payment of the claim on obtaining the 
authorization from the individual. See Sec. 164.508(b)(4)(iii). In this 
case, the authorization does not have to state that the health plan 
will not condition payment on obtaining the authorization.
    The covered entity requesting the authorization must provide the 
individual with a copy of the signed authorization. We note that the 
covered entity requesting the authorization is also subject to the 
requirements in

[[Page 82520]]

Sec. 164.514 to request only the minimum necessary information needed 
for the purpose of the authorization.
    We additionally note that, when the covered entity that maintains 
the protected health information has already obtained a consent for 
disclosure of protected health information to carry out treatment, 
payment, and/or health care operations under Sec. 164.506, and that 
consent conflicts with an authorization obtained by another covered 
entity under Sec. 164.508(e), the covered entity maintaining the 
protected health information is bound by the more restrictive document. 
See Sec. 164.506(e) and the corresponding preamble discussion for 
further explanation.

Section 164.508(f)--Authorizations for Uses and Disclosures of 
Protected Health Information Created for Research that Includes 
Treatment of Individuals

    In the proposed rule, we would have required individual 
authorization for any use or disclosure of research information 
unrelated to treatment. In the final rule, we eliminate the special 
rules for this category of information and, instead, require covered 
entities to obtain an authorization for the use or disclosure of 
protected health information the covered entity creates for the purpose 
of research that includes treatment of individuals, except as otherwise 
permitted by Sec. 164.512(i).
    The intent of this provision is to permit covered entities that 
conduct research involving treatment to bind themselves to a more 
limited scope of uses and disclosures of research information than they 
would otherwise be permitted to make with non-research information. 
Rather than creating a single definition of ``research information,'' 
we allow covered entities the flexibility to define that subset of 
protected health information they create during clinical research that 
is not necessary for treatment, payment, or health care operations and 
that the covered entity will use or disclose under more limited 
circumstances than it uses or discloses other protected health 
information. In designing their authorizations, we expect covered 
entities to be mindful of the often highly sensitive nature of research 
information and the impact of individuals' privacy concerns on their 
willingness to participate in research.
    Covered entities seeking authorization to use or disclose protected 
health information they create for the purpose of research that 
includes treatment of individuals, including clinical trials, must 
include in the authorization (in addition to the applicable elements 
required above) a description of the extent to which some or all of the 
protected health information created for the research will also be used 
or disclosed for purposes of treatment, payment, and health care 
operations. For example, if the covered entity intends to seek 
reimbursement from the individual's health plan for the routine costs 
of care associated with the research protocol, it must explain in the 
authorization the types of information that it will provide to the 
health plan for this purpose. This information, and the circumstances 
under which disclosures will be made for treatment, payment, and health 
care operations, may be more limited than the information and 
circumstances described in the covered entity's general consent and 
notice of privacy practices. To the extent the covered entity limits 
itself to a subset of uses or disclosures that are otherwise 
permissible under the rule and the covered entity's consent and notice, 
the covered entity is bound by the statements made in the research-
related authorization. In these circumstances, the authorization must 
indicate that the authorization, not the general consent and notice, 
controls.
    If the covered entity's primary interaction with the individual is 
through the research, the covered entity may combine the general 
consent for treatment, payment, and health care operations required 
under Sec. 164.506 with this research authorization and need not obtain 
an additional consent under Sec. 164.506. If the entity has already 
obtained, or intends to obtain, a separate consent as required under 
Sec. 164.506, the research authorization must refer to that consent and 
state that the practices described in the research-related 
authorization are binding on the covered entity as to the information 
covered by the research-related authorization. The research-related 
authorization may also be combined in the same document as the informed 
consent for participation in the research. This is an exception to the 
general rule in Sec. 164.508(b)(3) that an authorization under this 
section may not be combined with any other document (see above).
    The covered entity must also include in the authorization a 
description of the extent to which it will not use or disclose the 
protected health information it obtains in connection with the research 
protocol for purposes that are permitted without individual 
authorization under this rule (under Secs. 164.510 and 164.512). To the 
extent that the entity limits itself to a subset of uses or disclosures 
that are otherwise permissible under the rule and the entity's notice, 
the entity is bound by the statements made in the research 
authorization. In these circumstances, the authorization must indicate 
that the authorization, not the notice, controls. The covered entity 
may not, however, purport to preclude itself from making uses or 
disclosures that are required by law or that are necessary to avert a 
serious and imminent threat to health or safety.
    In some instances, the covered entity may wish to make a use or 
disclosure of the research information that it did not include in its 
general consent or notice or for which authorization is required under 
this rule. To the extent the entity includes uses or disclosures in the 
research authorization that are otherwise not permissible under the 
rule and the entity's consent and notice of information practices, the 
entity must include all of the elements required by Secs. 164.508(c) 
and (d) in the research-related authorization. The covered entity is 
bound by these statements.
    Research that involves the delivery of treatment to participants 
sometimes relies on existing health information, such as to determine 
eligibility for the trial. We note that under Sec. 164.508(b)(3)(iii), 
the covered entity may combine the research-related authorization 
required under Sec. 164.508(f) with any other authorization for the use 
or disclosure of protected health information (other than psychotherapy 
notes), provided that the covered entity does not condition the 
provision of treatment on the individual signing the authorization. For 
example, a covered health care provider that had a treatment 
relationship with an individual prior to the individual's enrollment in 
a clinical trial, but that is now providing research-related treatment 
to the individual, may elect to request a compound authorization from 
the individual: an authorization under Sec. 164.508(d) for the provider 
to use the protected health information it created prior to the 
initiation of the research that involves treatment, combined with an 
authorization under Sec. 164.508(f) regarding use and disclosure of 
protected health information the covered provider will create for the 
purpose of the clinical trial. This compound authorization would be 
valid, provided the covered provider did not condition the research-
related treatment on obtaining the authorization required under 
Sec. 164.508(f), as permitted in Sec. 164.508(b)(4)(i).
    However, we anticipate that covered entities will almost always, if 
not always, condition the provision of research-related treatment on 
the individual signing the authorization under Sec. 164.508(f) for the 
covered

[[Page 82521]]

entity's use or disclosure of protected health information created for 
the research. Therefore, we expect that the vast majority of covered 
providers who wish to use or disclose protected health information 
about an individual that will be created for research that includes 
treatment and wish to use existing protected health information about 
that individual for the research that includes treatment, will be 
required to obtain two authorizations from the individual: (1) an 
authorization for the use and disclosure of protected health 
information to be created for the research that involves treatment of 
the individual (as required under Sec. 164.508(f)), and (2) an 
authorization for the use of existing protected health information for 
the research that includes treatment of the individual (as required 
under Sec. 164.508(d)).

Effect of Authorization

    As noted in the discussion about consents in the preamble to 
Sec. 164.506, authorizations under this rule should not be construed to 
waive, directly or indirectly, any privilege granted under federal, 
state, or local laws or procedures.

Section 164.510--Uses and Disclosures Requiring an Opportunity for 
the Individual To Agree or To Object

Introduction

    Section 164.510 of the NPRM proposed the uses and disclosures of 
protected health information that covered entities could make for 
purposes other than treatment, payment, or health care operations and 
for which an individual authorization would not have been required. 
These allowable uses and disclosures were designed to permit and 
promote key national health care priorities, and to promote the smooth 
operation of the health care system. In each of these areas, the 
proposal permitted, but would not have required, covered entities to 
use or disclose protected health information.
    We proposed to require covered entities to obtain the individual's 
oral agreement before making a disclosure to a health care facility's 
directory or to the individual's next-of-kin or to another person 
involved in the individual's health care. Because there is an 
expectation in these two areas that individuals will have some input 
into a covered entity's decision to use or disclose protected health 
information, we decided to place disclosures to health facility 
directories and to persons involved in an individual's care in a 
separate section. In the final rule, requirements regarding disclosure 
of protected health information for facility directories and to others 
involved in an individual's care are included in Sec. 164.510(a) and 
Sec. 164.510(b), respectively. In the final rule, we include in 
Sec. 164.510(b) provisions to address a type of disclosure not 
addressed in the NPRM: disclosures to entities providing relief and 
assistance in disasters such as floods, fires, and terrorist attacks. 
Requirements for most of the remaining categories of disclosures 
addressed in proposed Sec. 164.510 of the NPRM are included in a new 
Sec. 164.512 of the final rule, as discussed below.
    Section 164.510 of the final rule addresses situations in which the 
interaction between the covered entity and the individual is relatively 
informal and agreements are made orally, without written authorizations 
for use or disclosure. In general, under the final rule, to disclose or 
use protected health information for these purposes, covered entities 
must inform individuals in advance and must provide a meaningful 
opportunity for the individual to prevent or restrict the disclosure. 
In exceptional circumstances, where even this informal discussion 
cannot practicably take place, covered entities are permitted to make 
decisions regarding disclosure or use based on the exercise of 
professional judgment of what is in the individual's best interest.

Section 164.510(a)--Use and Disclosure for Facility Directories

    The NPRM proposed to allow covered health care providers to 
disclose through an inpatient facility's directory a patient's name, 
location in the facility, and general health condition, provided that 
the individual had agreed to the disclosure. The NPRM would have 
allowed this agreement to be oral. Pursuant to the NPRM, when making 
decisions about incapacitated individuals, a covered health care 
provider could have disclosed such information at the entity's 
discretion and consistent with good medical practice and any prior 
expressions of patient preference of which the covered entity was 
aware.
    The preamble to the NPRM listed several factors that we encouraged 
covered entities to take into account when making decisions about 
whether to include an incapacitated patient's information in the 
directory. These factors included: (1) Whether disclosing that an 
individual is in the facility could reasonably cause harm or danger to 
the individual (e.g., if it appeared that an unconscious patient had 
been abused and disclosing the information could give the attacker 
sufficient information to seek out the person and repeat the abuse); 
(2) whether disclosing a patient's location within a facility 
implicitly would give information about the patient's condition (e.g., 
whether a patient's room number revealed that he or she was in a 
psychiatric ward); (3) whether it was necessary or appropriate to give 
information about patient status to family or friends (e.g., if giving 
information to a family member about an unconscious patient could help 
a physician administer appropriate medications); and (4) whether an 
individual had, prior to becoming incapacitated, expressed a preference 
not to be included in the directory. The preamble stated that if a 
covered entity learned of such a preference, it would be required to 
act in accordance with the preference.
    The preamble to the NPRM said that when individuals entered a 
facility in an incapacitated state and subsequently gained the ability 
to make their own decisions, health facilities should ask them within a 
reasonable time period for permission to include their information in 
the facility's directory.
    In the final rule, we change the NPRM's opt-in authorization 
requirement to an opt-out approach for inclusion of patient information 
in a health care facility's directory. The final rule allows covered 
health care providers--which in this case are health care facilities--
to include patient information in their directory only if: (1) They 
inform incoming patients of their policies regarding the directory; (2) 
they give patients a meaningful opportunity to opt out of the directory 
listing or to restrict some or all of the uses and disclosures that can 
be included in the directory; and (3) the patient does not object to 
being included in the directory. A patient must be allowed, for 
example, to have his or her name and condition included in the 
directory while not having his or her religious affiliation included. 
The facility's notice and the individual's opt-out or restriction may 
be oral.
    Under the final rule, subject to the individual's right to object, 
or known prior expressed preferences, a covered health care provider 
may disclose the following information to persons who inquire about the 
individual by name: (1) The individual's general condition in terms 
that do not communicate specific medical information about the 
individual (e.g., fair, critical, stable, etc.); and (2) location in 
the facility. This approach represents a slight change to the NPRM, 
which did not require members of the general public to ask for a 
patient by name in order to obtain directory information and which,

[[Page 82522]]

in fact, would have allowed covered entities to disclose the 
individual's name as part of directory information.
    Under the final rule, we also establish provisions for disclosure 
of directory information to clergy that are slightly different from 
those which apply for disclosure to the general public. Subject to the 
individual's right to object or restrict the disclosure, the final rule 
permits a covered entity to disclose to a member of the clergy: (1) The 
individual's name; (2) the individual's general condition in terms that 
do not communicate specific medical information about the individual; 
(3) the individual's location in the facility; and (4) the individual's 
religious affiliation. A disclosure of directory information may be 
made to members of the clergy even if they do not inquire about an 
individual by name. We note that the rule in no way requires a covered 
health care provider to inquire about the religious affiliation of an 
individual, nor must individuals supply that information to the 
facility. Individuals are free to determine whether they want their 
religious affiliation disclosed to clergy through facility directories.
    We believe that allowing clergy to access patient information 
pursuant to this section does not violate the Establishment Clause of 
the First Amendment, which prohibits laws ``respecting an establishment 
of religion.'' Courts traditionally turn to the Lemon test when 
evaluating laws that might raise Establishment Clause concerns. A law 
does not violate the Clause if it has a secular purpose, is not 
primarily to advance religion, and does not cause excessive government 
entanglement with religion. The privacy regulation passes this test 
because its purpose is to protect the privacy of individuals--
regardless of their religious affiliation--and it does not cause 
excessive government entanglement.
    More specifically, although this section provides a special rule 
for members of the clergy, it does so as an accommodation to patients 
who seek to engage in religious conduct. For example, restricting the 
disclosure of an individual's religious affiliation, room number, and 
health status to a priest could cause significant delay that would 
inhibit the ability of a Catholic patient to obtain sacraments provided 
during the last rites. We believe this accommodation does not violate 
the Establishment Clause, because it avoids a government-imposed 
restriction on the disclosure of information that could 
disproportionately affect the practice of religion. In that way, it is 
no different from accommodations upheld by the U.S. Supreme Court, such 
as exceptions to laws banning the use of alcohol in religious 
ceremonies.
    The final rule expands the circumstances under which health care 
facilities can disclose specified health information to the patient 
directory without the patient's agreement. Besides allowing such 
disclosures when patients are incapacitated, as the NPRM would have 
allowed, the final rule allows such disclosures in emergency treatment 
circumstances. For example, when a patient is conscious and capable of 
making a decision, but is so seriously injured that asking permission 
to include his or her information in the directory would delay 
treatment such that the patient's health would be jeopardized, health 
facilities can make decisions about including the patient's information 
in the directory according to the same rules that apply when the 
patient is incapacitated. The final rule modifies the NPRM requirements 
for cases in which an incapacitated patient is admitted to a health 
care facility. Whereas the NPRM would have allowed health care 
providers to disclose an incapacitated patient's information to the 
facility's directory ``at its discretion and consistent with good 
medical practice and any prior expressions of preference of which the 
covered entity [was] aware,'' the final rule states that in these 
situations (and in other emergency treatment circumstances), covered 
health care providers must make the decision on whether to include the 
patient's information in the facility's directory in accordance with 
professional judgment as to the patient's best interest. In addition, 
when making decisions involving incapacitated patients and patients in 
emergency situations, covered health care providers may decide to 
include some portions of the patient's information (such as name) but 
not other information (such as location in the facility) in order to 
protect patient interests.
    As in the preamble to the NPRM, we encourage covered health care 
providers to take into account the four factors listed above when 
making decisions about whether to include patient information in a 
health care facility's directory when patients are incapacitated or are 
in an emergency treatment circumstance. In addition, we retain the 
requirement stated in the preamble of the NPRM that if a covered health 
care provider learns of an incapacitated patient's prior expression of 
preference not to be included in a facility's directory, the facility 
must not include the patient's information in the directory. For cases 
involving patients admitted to a health care facility in an 
incapacitated or emergency treatment circumstance who during the course 
of their stay become capable of decisionmaking, the final rule takes an 
approach similar to that described in the NPRM. The final rule states 
that when an individual who was incapacitated or in an emergency 
treatment circumstance upon admission to an inpatient facility 
stabilizes such that he or she is capable of decisionmaking, a covered 
health care provider must, when it becomes practicable, inform the 
individual about its policies regarding the facility's directory and 
provide the opportunity to object to the use or disclosure of protected 
health information about the individual for the directory.

Section 164.510(b)--Uses and Disclosures for Involvement in the 
Individual's Care and Notification Purposes

    In cases involving an individual with the capacity to make health 
care decisions, the NPRM would have allowed covered entities to 
disclose protected health information about the individual to a next-
of-kin, to other family members, or to close personal friends of the 
individual if the individual had agreed orally to such disclosure. If 
such agreement could not practicably or reasonably be obtained (e.g., 
when the individual was incapacitated), the NPRM would have allowed 
disclosure of protected health information that was directly relevant 
to the person's involvement in the individual's health care, consistent 
with good health professional practices and ethics. The NPRM defined 
next-of-kin as defined under state law.
    Under the final rule, we specify that covered entities may disclose 
to a person involved in the current health care of the individual (such 
as a family member, other relative, close personal friend, or any other 
person identified by the individual) protected health information 
directly related to the person's involvement in the current health care 
of an individual or payment related to the individual's health care. 
Such persons involved in care and other contact persons might include, 
for example: blood relatives; spouses; roommates; boyfriends and 
girlfriends; domestic partners; neighbors; and colleagues. Inclusion of 
this list is intended to be illustrative only, and it is not intended 
to change current practices with respect to: (1) Involvement of other 
persons in individuals' treatment decisions; (2) informal information-
sharing among individuals involved in a person's care; or (3) sharing 
of protected health

[[Page 82523]]

information to contact persons during a disaster. The final rule also 
includes new language stating that covered entities may use or disclose 
protected health information to notify or assist in notification of 
family members, personal representatives, or other persons responsible 
for an individual's care with respect to an individual's location, 
condition, or death. These provisions allow, for example, covered 
entities to notify a patient's adult child that his father has suffered 
a stroke and to tell the person that the father is in the hospital's 
intensive care unit.
    The final rule includes separate provisions for situations in which 
the individual is present and for when the individual is not present at 
the time of disclosure. When the individual is present and has the 
capacity to make his or her own decisions, a covered entity may 
disclose protected health information only if the covered entity: (1) 
Obtains the individual's agreement to disclose to the third parties 
involved in his or her care; (2) provides the individual with an opportunity 
to object to such disclosure and the individual does not express an 
objection; or (3) reasonably infers from the circumstances, based on 
the exercise of professional judgment, that the individual does not 
object to the disclosure. Situations in which covered providers may 
infer an individual's agreement to disclose protected health 
information pursuant to option (3) include, for example, when a patient 
brings a spouse into the doctor's office when treatment is being 
discussed, and when a colleague or friend has brought the individual to 
the emergency room for treatment.
    We proposed that when a covered entity could not practicably obtain 
oral agreement to disclose protected health information to next-of-kin, 
relatives, or those with a close personal relationship to the 
individual, the covered entity could make such disclosures consistent 
with good health professional practice and ethics. In such instances, 
we proposed that covered entities could disclose only the minimum 
information necessary for the friend or relative to provide the 
assistance he or she was providing. For example, health care providers 
could not disclose to a friend or relative simply driving a patient 
home from the hospital extensive information about the patient's 
surgery or past medical history when the friend or relative had no need 
for this information.
    The final rule takes a similar approach. Under the final rule, when 
an individual is not present (for example, when a friend of a patient 
seeks to pick up the patient's prescription at a pharmacy) or when the 
opportunity to agree or object to the use or disclosure cannot 
practicably be provided due to the individual's incapacity or an 
emergency circumstance, covered entities may, in the exercise of 
professional judgment, determine whether the disclosure is in the 
individual's best interests and if so, disclose only the protected 
health information that is directly relevant to the person's 
involvement with the individual's health care. For example, this 
provision allows covered entities to inform relatives or others 
involved in a patient's care, such as the person who accompanied the 
individual to the emergency room, that a patient has suffered a heart 
attack and to provide updates on the patient's progress and prognosis 
when the patient is incapacitated and unable to make decisions about 
such disclosures. In addition, this section allows covered entities to 
disclose functional information to individuals assisting in a patient's 
care; for example, it allows hospital staff to give information about a 
person's mobility limitations to a friend driving the patient home from 
the hospital. It also allows covered entities to use professional 
judgment and experience with common practice to make reasonable 
inferences of the individual's best interest in allowing a person to 
act on an individual's behalf to pick up filled prescriptions, medical 
supplies, X-rays, or other similar forms of protected health 
information. Thus, under this provision, pharmacists may release a 
prescription to a patient's friend who is picking up the prescription 
for him or her. Section 164.510(b) is not intended to disrupt most 
covered entities' current practices or state law with respect to these 
types of disclosures.
    This provision is intended to allow disclosures directly related to 
a patient's current condition and should not be construed to allow, for 
example, disclosure of extensive information about the patient's 
medical history that is not relevant to the patient's current condition 
and that could prove embarrassing to the patient. In addition, if a 
covered entity suspects that an incapacitated patient is a victim of 
domestic violence and that a person seeking information about the 
patient may have abused the patient, covered entities should not 
disclose information to the suspected abuser if there is reason to 
believe that such a disclosure could cause the patient serious harm. In 
all of these situations regarding possible disclosures of protected 
health information about a patient who is not present or is unable to 
agree to such disclosures due to incapacity or other emergency 
circumstance, disclosures should be in accordance with the exercise of 
professional judgment as to the patient's best interest.
    This section is not intended to provide a loophole for avoiding the 
rule's other requirements, and it is not intended to allow disclosures 
to a broad range of individuals, such as journalists who may be curious 
about a celebrity's health status. Rather, it should be construed 
narrowly, to allow disclosures to those with the closest relationships 
with the patient, such as family members, in circumstances when a 
patient is unable to agree to disclosure of his or her protected health 
information. Furthermore, when a covered entity cannot practicably 
obtain an individual's agreement before disclosing protected health 
information to a relative or to a person involved in the individual's 
care and is making decisions about such disclosures consistent with the 
exercise of professional judgment regarding the individual's best 
interest, covered entities must take into account whether such a 
disclosure is likely to put the individual at risk of serious harm.
    Like the NPRM, the final rule does not require covered entities to 
verify the identity of relatives or other individuals involved in the 
individual's care. Rather, the individual's act of involving the other 
persons in his or her care suffices as verification of their identity. 
For example, the fact that a person brings a family member into the 
doctor's office when treatment information will be discussed 
constitutes verification of the involved person's identity for purposes 
of this rule. Likewise, the fact that a friend arrives at a pharmacy 
and asks to pick up a specific prescription for an individual 
effectively verifies that the friend is involved in the individual's 
care, and the rule allows the pharmacist to give the filled 
prescription to the friend.
    We also clarify that the final rule does not allow covered entities 
to assume that an individual's agreement at one point in time to 
disclose protected health information to a relative or to another 
person assisting in the individual's care implies agreement to disclose 
protected health information indefinitely in the future. We encourage 
the exercise of professional judgment in determining the scope of the 
person's involvement in the individual's care and the time period for 
which the individual is agreeing to the other person's involvement. For 
example, if a friend simply picks up a patient from the hospital but 
has played no other role

[[Page 82524]]

in the individual's care, hospital staff should not call the friend to 
disclose lab test results a month after the initial encounter with the 
friend. However, if a patient routinely brings a spouse into the 
doctor's office when treatment is discussed, a physician can infer that 
the spouse is playing a long-term role in the patient's care, and the 
rule allows disclosure of protected health information to the spouse 
consistent with his or her role in the patient's care, for example, 
discussion of treatment options.
    The NPRM did not specifically address situations in which disaster 
relief organizations may seek to obtain protected health information 
from covered entities to help coordinate the individual's care, or to 
notify family or friends of an individual's location or general 
condition in a disaster situation. In the final rule, we account for 
disaster situations in this paragraph. Specifically, we allow covered 
entities to use or disclose protected health information without 
individual agreement to federal, state, or local government agencies 
engaged in disaster relief activities, as well as to private disaster 
relief or disaster assistance organizations (such as the Red Cross) 
authorized by law or by their charters to assist in disaster relief 
efforts, to allow these organizations to carry out their 
responsibilities in a specific disaster situation. Covered entities may 
make these disclosures to disaster relief organizations, for example, 
so that these organizations can help family members, friends, or others 
involved in the individual's care to locate individuals affected by a 
disaster and to inform them of the individual's general health 
condition. This provision also allows disclosure of information to 
disaster relief or disaster assistance organizations so that these 
organizations can help individuals obtain needed medical care for 
injuries or other health conditions caused by a disaster.
    We encourage disaster relief organizations to protect the privacy 
of individual health information to the extent practicable in a 
disaster situation. However, we recognize that the nature of disaster 
situations often makes it impossible or impracticable for disaster 
relief organizations and covered entities to seek individual agreement 
or authorization before disclosing protected health information 
necessary for providing disaster relief. Thus, we note that we do not 
intend to impede disaster relief organizations in their critical 
mission to save lives and reunite loved ones and friends in disaster 
situations.

Section 164.512--Uses and Disclosures for Which Consent, an 
Authorization, or Opportunity To Agree or Object Is Not Required

Introduction

    The final rule's requirements regarding disclosures for directory 
information and to family members or others involved in an individual's 
care are in a section separate from that covering disclosures allowed 
for other national priority purposes. In the final rule, we place most 
of the other disclosures for national priority purposes in a new 
Sec. 164.512.
    As in the NPRM, in Sec. 164.512 of the final rule, we allow covered 
entities to make these national priority uses and disclosures without 
individual authorization. As in the NPRM, these uses and disclosures 
are discretionary. Covered entities are free to decide whether or not 
to use or disclose protected health information for any or all of the 
permitted categories. However, as in the NPRM, nothing in the final 
rule provides authority for a covered entity to restrict or refuse to 
make a use or disclosure mandated by other law.
    The new Sec. 164.512 includes paragraphs on: Uses and disclosures 
required by law; uses and disclosures for public health activities; 
disclosures about victims of abuse, neglect, or domestic violence; uses 
and disclosures for health oversight activities; disclosures for 
judicial and administrative proceedings; disclosures for law 
enforcement purposes; uses and disclosures about decedents; uses and 
disclosures for cadaveric donation of organs, eyes, or tissues; uses 
and disclosures for research purposes; uses and disclosures to avert a 
serious threat to health or safety (which we had called ``emergency 
circumstances'' in the NPRM); uses and disclosures for specialized 
government functions (referred to as ``specialized classes'' in the 
NPRM); and disclosures to comply with workers' compensation laws.
    Section 164.512(c) in the final rule, which addresses uses and 
disclosures regarding adult victims of abuse, neglect and domestic 
violence, is new, although it incorporates some provisions from 
proposed Sec. 164.510 of the NPRM. In the final rule we also eliminate 
proposed Sec. 164.510(g) on government health data systems and proposed 
Sec. 164.510(i) on banking and payment processes. These changes are 
discussed below.

Approach to Use of Protected Health Information

    Proposed Sec. 164.510 of the NPRM included specific subparagraphs 
addressing uses of protected health information by covered entities 
that were also public health agencies, health oversight agencies, 
government entities conducting judicial or administrative proceedings, 
or government health data systems. Such covered entities could use 
protected health information in all instances for which they could 
disclose the information for these purposes. In the final rule, as 
discussed below, we retain this language in the paragraphs on public 
health activities and health oversight. However, we eliminate this 
clause with respect to uses of protected health information for 
judicial and administrative proceedings, because we no longer believe 
that there would be any situations in which a covered entity would also 
be a judicial or administrative tribunal. Proposed Sec. 164.510(e) of 
the NPRM, regarding disclosure of protected health information to 
coroners, did not include such a provision. In the final rule we have 
added it because we believe there are situations in which a covered 
entity, for example, a public hospital conducting post-mortem 
investigations, may need to use protected health information for the 
same purposes for which it would have disclosed the information to a 
coroner.
    While the right to request restrictions under Sec. 164.522 and the 
consents required under Sec. 164.506 do not apply to the use and 
disclosure of protected health information under Sec. 164.512, we do 
not intend to preempt any state or other restrictions, or any right to 
enforce such agreements or consents under other law.
    We note that a covered entity may use or disclose protected health 
information as permitted by and in accordance with one of the 
paragraphs of Sec. 164.512, regardless of whether that use or 
disclosure fails to meet the requirements for use or disclosure under a 
different paragraph in Sec. 164.512 or elsewhere in the rule.

Verification for Disclosures Under Sec. 164.512

    In Sec. 164.510(a) of the NPRM, we proposed that covered entities 
verify the identity and authority of persons to whom they made 
disclosure under the section. In the final rule, we generally have 
retained the proposed requirements. Verification requirements are 
discussed in Sec. 164.514 of the final rule.

Section 164.512(a)--Uses and Disclosures Required by Law

    In the NPRM we would have allowed covered entities to use or 
disclose protected health information without individual authorization 
where such use

[[Page 82525]]

or disclosure was required by other law, as long as the use or 
disclosure met all relevant requirements of such law. However, a 
legally mandated use or disclosure which fell into one or more of the 
national priority purposes expressly identified in proposed 
Sec. 164.510 of the NPRM would have been subject to the terms and 
conditions specified by the applicable paragraph of proposed 
Sec. 164.510. Thus, a disclosure required by law would have been 
allowed only to the extent it was not otherwise prohibited or 
restricted by another provision in proposed Sec. 164.510. For example, 
mandatory reporting to law enforcement officials would not have been 
allowed unless such disclosures conformed to the requirements of 
proposed Sec. 164.510(f) of the NPRM, on uses and disclosures for law 
enforcement purposes. As explained in the NPRM, this provision was not 
intended to obstruct access to information deemed important enough by 
federal, state or other government authorities to require it by law.
    In Sec. 164.512(a) of the final rule, we retain the proposed 
approach, and we permit covered entities to comply with laws requiring 
the use or disclosure of protected health information, provided the use 
or disclosure meets and is limited to the relevant requirements of such 
other laws. To more clearly address where the substantive and 
procedural requirements of other provisions in this section apply, we 
have deleted the general sentence from the NPRM which stated that the 
provision ``does not apply to uses or disclosures that are covered by 
paragraphs (b) through (m)'' of proposed Sec. 164.510. Instead, in 
Sec. 164.512 (a)(2) we list the specific paragraphs that have 
additional requirements with which covered entities must comply. They 
are disclosures about victims of abuse, neglect or domestic violence 
(Sec. 164.512(c)), for judicial and administrative proceedings 
(Sec. 164.512(e)), and for law enforcement purposes (Sec. 164.512(f)). 
We include a new definition of ``required by law.'' See Sec. 164.501. 
We clarify that the requirements provided for in Sec. 164.514(h) 
relating to verification apply to disclosures under this paragraph. 
Those provisions require covered entities to verify the identity and 
authority of persons to whom they make disclosures. We note that the 
minimum necessary requirements of Sec. 164.514(d) do not apply to 
disclosures made under this paragraph.
    We note that this rule does not affect what is required by other 
law, nor does it compel a covered entity to make a use or disclosure of 
protected health information required by the legal demands or reporting 
requirements listed in the definition of ``required by law.'' Covered 
entities will not be sanctioned under this rule for responding in good 
faith to such legal process and reporting requirements. However, 
nothing in this rule affects, either by expanding or contracting, a 
covered entity's right to challenge such process or reporting 
requirements under other laws. The only disclosures of protected health 
information compelled by this rule are disclosures to an individual (or 
the personal representative of an individual) or to the Secretary for 
the purposes of enforcing this rule.
    Uses and disclosures permitted under this paragraph must be limited 
to the protected health information necessary to meet the requirements 
of the law that compels the use or disclosure. For example, disclosures 
pursuant to an administrative subpoena are limited to the protected 
health information authorized to be disclosed on the face of the 
subpoena.

Section 164.512(b)--Uses and Disclosures for Public Health Activities

    The NPRM would have allowed covered entities to disclose protected 
health information without individual authorization to: (1) A public 
health authority authorized by law to collect or receive such 
information for the purpose of preventing or controlling disease, 
injury, or disability, including, but not limited to, the reporting of 
disease, injury, vital events such as birth or death, and the conduct 
of public health surveillance, public health investigations, and public 
health interventions; (2) a public health authority or other 
appropriate authority authorized by law to receive reports of child 
abuse or neglect; (3) a person or entity other than a governmental 
authority that could demonstrate or demonstrated that it was acting to 
comply with requirements or direction of a public health authority; or 
(4) a person who may have been exposed to a communicable disease or may 
otherwise be at risk of contracting or spreading a disease or condition 
and was authorized by law to be notified as necessary in the conduct of 
a public health intervention or investigation.
    In the final rule, we broaden the scope of permissible disclosures 
pursuant to item (1) listed above. We narrow the scope of disclosures 
permissible under item (3) of this list, and we add language to clarify 
the scope of permissible disclosures with respect to item (4) on the 
list. We broaden the scope of allowable disclosures regarding item (1) 
by allowing covered entities to disclose protected health information 
not only to U.S. public health authorities but also, at the direction 
of a public health authority, to an official of a foreign government 
agency that is acting in collaboration with a public health authority. 
For example, we allow covered entities to disclose protected health 
information to a foreign government agency that is collaborating with 
the Centers for Disease Control and Prevention to limit the spread of 
infectious disease.
    We narrow the conditions under which covered entities may disclose 
protected health information to non-government entities. We allow 
covered entities to disclose protected health information to a person 
subject to the FDA's jurisdiction, for the following activities: to 
report adverse events (or similar reports with respect to food or 
dietary supplements), product defects or problems, or biological 
product deviations, if the disclosure is made to the person required or 
directed to report such information to the FDA; to track products if 
the disclosure is made to a person required or directed by the FDA to 
track the product; to enable product recalls, repairs, or replacement, 
including locating and notifying individuals who have received products 
regarding product recalls, withdrawals, or other problems; or to 
conduct post-marketing surveillance to comply with requirements or at 
the direction of the FDA.
    The terms included in Sec. 164.512(b)(iii) are intended to have 
both their commonly understood meanings, as well as any specialized 
meanings, pursuant to the Food, Drug, and Cosmetic Act (21 U.S.C. 321 
et seq.) or the Public Health Service Act (42 U.S.C. 201 et seq.). For 
example, ``post-marketing surveillance'' is intended to mean activities 
related to determining the safety or effectiveness of a product after 
it has been approved and is in commercial distribution, as well as 
certain Phase IV (post-approval) commitments by pharmaceutical 
companies. With respect to devices, ``post-marketing surveillance'' can 
be construed to refer to requirements of section 522 of the Food, Drug, 
and Cosmetic Act regarding certain implanted, life-sustaining, or life-
supporting devices. The term ``track'' includes, for example, tracking 
devices under section 519(e) of the Food, Drug, and Cosmetic Act, units 
of blood or other blood products, as well as trace-backs of 
contaminated food.
    In Sec. 164.512(b)(iii), the term ``required'' refers to 
requirements in statute, regulation, order, or other

[[Page 82526]]

legally binding authority exercised by the FDA. The term ``directed,'' 
as used in this section, includes other official agency communications 
such as guidance documents.
    We note that under this provision, a covered entity may disclose 
protected health information to a non-governmental organization without 
individual authorization for inclusion in a private data base or 
registry only if the disclosure is otherwise for one of the purposes 
described in this provision (e.g., for tracking products pursuant to 
FDA direction or requirements, for post-marketing surveillance to 
comply with FDA requirements or direction).
    To make a disclosure that is not for one of these activities, 
covered entities must obtain individual authorization or must meet the 
requirements of another provision of this rule. For example, covered 
entities may disclose protected health information to employers for 
inclusion in a workplace surveillance database only: with individual 
authorization; if the disclosure is required by law; if the disclosure 
meets the requirements of Sec. 164.512(b)(v); or if the disclosure 
meets the conditions of another provision of this regulation, such as 
Sec. 164.512(i) relating to research. Similarly, if a pharmaceutical 
company seeks to create a registry containing protected health 
information about individuals who had taken a drug that the 
pharmaceutical company had developed, covered entities may disclose 
protected health information without authorization to the 
pharmaceutical company pursuant to FDA requirements or direction. If 
the pharmaceutical company's registry is not for any of these purposes, 
covered entities may disclose protected health information to it only 
with patient authorization, if required by law, or if disclosure meets 
the conditions of another provision of this rule.
    The final rule continues to permit covered entities to disclose 
protected health information without individual authorization directly 
to public health authorities, such as the Food and Drug Administration, 
the Occupational Safety and Health Administration, the Centers for 
Disease Control and Prevention, as well as state and local public 
health departments, for public health purposes as specified in the 
NPRM.
    The final rule retains the NPRM provision allowing covered entities 
to disclose protected health information to public health authorities 
or other appropriate government authorities authorized by law to 
receive reports of child abuse or neglect. In addition, we clarify the 
NPRM's provision regarding disclosure of protected health information 
to persons who may have been exposed to a communicable disease or who 
may otherwise be at risk of contracting or spreading a disease or 
condition. Under the final rule, covered entities may disclose 
protected health information to such individuals when the covered 
entity or public health authority is authorized by law to notify these 
individuals as necessary in the conduct of a public health intervention 
or investigation.
    In addition, as in the NPRM, under the final rule, a covered entity 
that is acting as a public health authority--for example, a public 
hospital conducting infectious disease surveillance in its role as an 
arm of the public health department--may use protected health 
information in all cases for which it is allowed to disclose such 
information for public health activities as described above.
    The proposed rule did not contain a specific provision relating to 
disclosures by covered health care providers to employers concerning 
work-related injuries or illnesses or workplace medical surveillance. 
Under the proposed rule, a covered entity would have been permitted to 
disclose protected health information without individual authorization 
for public health purposes to a private person if the person could 
demonstrate that it was acting to comply with requirements or at the 
direction of a public health authority.
    As discussed above, in the final rule we narrow the scope of this 
paragraph as it applies to disclosures to persons other than public 
health authorities. To ensure that covered health care providers may 
make disclosures of protected health information without individual 
authorization to employers when appropriate under federal and state 
laws addressing work-related injuries and illnesses or workplace 
medical surveillance, we include a new provision in the final rule. The 
provision permits covered health care providers who provide health care 
as a workforce member of or at the request of an employer to disclose 
to that employer protected health information concerning work-related 
injuries or illnesses or workplace medical surveillance in situations 
where the employer has a duty under the Occupational Safety and Health 
Act, the Federal Mine Safety and Health Act, or under a similar state 
law, to keep records on or act on such information. For example, OSHA 
regulations in 29 CFR part 1904 require employers to record work-
related injuries and illnesses if medical treatment is necessary; MSHA 
regulations at 30 CFR part 50 require mine operators to report injuries 
and illnesses experienced by miners. Similarly, OSHA rules require 
employers to monitor employees' exposure to certain substances and to 
remove employees from exposure when toxic thresholds have been met. To 
obtain the relevant health information necessary to determine whether 
an injury or illness should be recorded, or whether an employee must be 
medically removed from exposure at work, employers must refer employees 
to health care providers for examination and testing.
    OSHA and MSHA rules do not impose duties directly upon health care 
providers to disclose health information pertaining to recordkeeping 
and medical monitoring requirements to employers. Rather, these rules 
operate on the presumption that health care providers who provide 
services at the request of an employer will be able to disclose to the 
employer work-related health information necessary for the employer to 
fulfill its compliance obligations. This new provision permits covered 
entities to make disclosures necessary for the effective functioning of 
OSHA and MSHA requirements, or those of similar state laws, by 
permitting a health care provider to make disclosures without the 
authorization of the individual concerning work-related injuries or 
illnesses or workplace medical surveillance in situations where the 
employer has a duty under OSHA and MSHA requirements, or under similar 
state laws, to keep records on or act on such information.
    We require health care providers who make disclosures to employers 
under this provision to provide notice to individuals that they disclose 
protected health information to employers relating to the medical 
surveillance of the workplace and work-related illnesses and injuries. 
The notice required under this provision is separate from the notice 
required under Sec. 164.520. The notice required under this provision 
may be met by giving a copy of the notice to the individual at the time it 
provides the health care services, or, if the health care services are 
provided on the work site of the employer, by posting the notice in a 
prominent place at the location where the health care services are 
provided.
    This provision applies only when a covered health care provider 
provides health care services as a workforce member of or at the 
request of an employer and for the purposes discussed above. The 
provision does not affect the application of this rule to other health 
care provided to

[[Page 82527]]

individuals or to their relationship with health care providers that 
they select.

Section 164.512(c)--Disclosures About Victims of Abuse, Neglect or 
Domestic Violence

    The NPRM included two provisions related to disclosures about 
persons who are victims of abuse. In the NPRM, we would have allowed 
covered entities to report child abuse to a public health authority or 
other appropriate authority authorized by law to receive reports of 
child abuse or neglect. In addition, under proposed Sec. 164.510(f)(3) 
of the NPRM, we would have allowed covered entities to disclose 
protected health information about a victim of a crime, abuse or other 
harm to a law enforcement official under certain circumstances. The 
NPRM recognized that most, if not all, states had laws that mandated 
reporting of child abuse or neglect to the appropriate authorities. 
Moreover, HIPAA expressly carved out state laws on child abuse and 
neglect from preemption or any other interference. The NPRM further 
acknowledged that most, but not all, states had laws mandating the 
reporting of abuse, neglect or exploitation of the elderly or other 
vulnerable adults. We did not intend to impede reporting in compliance 
with these laws.
    The final rule includes a new paragraph, Sec. 164.512(c), which 
allows covered entities to report protected health information to 
specified authorities in abuse situations other than those involving 
child abuse and neglect. In the final rule, disclosures of protected 
health information related to child abuse continue to be addressed in 
the paragraph allowing disclosure for public health activities 
(Sec. 164.512(b)), as described above. Because HIPAA addresses child 
abuse specifically in connection with a state's public health 
activities, we believe it would not be appropriate to include child 
abuse-related disclosures in this separate paragraph on abuse. State 
laws continue to apply with respect to child abuse, and the final rule 
does not in any way interfere with a covered entity's ability to comply 
with these laws.
    In the final rule, we address disclosures about other victims of 
abuse, neglect and domestic violence in Sec. 164.512(c) rather than in 
the law enforcement paragraph. Section 164.512(c) establishes 
conditions for disclosure of protected health information in cases 
involving domestic violence other than child abuse (e.g., spousal 
abuse), as well as those involving abuse or neglect (e.g., abuse of 
nursing home residents or residents of facilities for the mentally 
retarded). This paragraph addresses reports to law enforcement as well 
as to other authorized public officials. The provisions of this 
paragraph supersede the provisions of Sec. 164.512(a) and 
Sec. 164.512(f)(1)(i) to the extent that those provisions address the 
subject matter of this paragraph.
    Under the circumstances described below, the final rule allows 
covered entities to disclose protected health information about an 
individual whom the covered entity reasonably believes to be a victim 
of abuse, neglect, or domestic violence. In this paragraph, references 
to ``individual'' should be construed to mean the individual believed 
to be the victim. The rule allows such disclosure to any governmental 
authority authorized by law to receive reports of such abuse, neglect, 
or domestic violence. These entities may include, for example, adult 
protective or social services agencies, state survey and certification 
agencies, ombudsmen for the aging or those in long-term care 
facilities, and law enforcement or oversight.
    The final rule specifies three circumstances in which disclosures 
of protected health information are allowed in order to report abuse, 
neglect or domestic violence. First, this paragraph allows disclosure 
of protected health information related to abuse if required by law and 
the disclosure complies with and is limited to the relevant 
requirements of such law. As discussed below, the final rule requires 
covered entities that make such disclosures pursuant to a state's 
mandatory reporting law to inform the individual of the report.
    Second, this paragraph allows covered entities to disclose 
protected health information related to abuse if the individual 
agrees to such disclosure. When considering the possibility of 
disclosing protected health information in an abuse situation pursuant 
to this section, we encourage covered entities to seek the individual's 
agreement whenever possible.
    Third, this paragraph allows covered entities to disclose protected 
health information about an individual without the individual's 
agreement if the disclosure is expressly authorized by statute or 
regulation and either: (1) The covered entity, in the exercise of its 
professional judgment, believes that the disclosure is necessary to 
prevent serious harm to the individual or to other potential victims; 
or (2) if the individual is unable to agree due to incapacity, a law 
enforcement or other public official authorized to receive the report 
represents that the protected health information for which disclosure 
is sought is not intended to be used against the individual, and that 
an immediate enforcement activity that depends on the disclosure would 
be materially and adversely affected by waiting until the individual is 
able to agree to the disclosure.
    We emphasize that disclosure under this third part of the paragraph 
also may be made only if it is expressly authorized by statute or 
regulation. We use this formulation, rather than the broader ``required 
by law,'' because of the heightened privacy and safety concerns in 
these situations. We believe it appropriate to defer to other public 
determinations regarding reporting of this information only where a 
legislative or executive body has determined the reporting to be of 
sufficient importance to warrant enactment of a law or promulgation of 
a regulation. Law and regulations reflect a clear decision to authorize 
the particular disclosure of protected health information, and reflect 
greater public accountability (e.g., through the required public 
comment process or because enacted by elected representatives).
    For example, a Wisconsin law (Wis. Stat Sec. 46.90(4)) states that 
any person may report to a county agency or state official that he or 
she believes that abuse or neglect has occurred. Pursuant to 
Sec. 164.512(c)(1)(iii), a covered entity may make a report only if the 
specific type or subject matter of the report (e.g., abuse or neglect 
of the elderly) is included in the law authorizing the report, and such 
a disclosure may only be made to a public authority specifically 
identified in the law authorizing the report. Furthermore, we note that 
disclosures under this part of the paragraph are further limited to two 
circumstances. In the first case, a covered entity, in the exercise of 
professional judgment, must believe that the disclosure is necessary to 
prevent serious harm to the individual or to other potential victims. 
The second case addresses situations in which an individual who is a 
victim of abuse, neglect or domestic violence is unable to agree due to 
incapacity and a law enforcement or other public official authorized to 
receive the report represents that the protected health information for 
which disclosure is sought is not intended to be used against the 
individual and that an immediate law enforcement activity that depends 
on the disclosure would be materially and adversely affected by waiting 
until the individual is able to agree to the disclosure. We note that, 
in this second case, a covered entity may exercise discretion, 
consistent with professional judgment as to the patient's

[[Page 82528]]

best interest, in deciding whether to make the requested disclosure.
    The rules governing disclosure in this third set of circumstances 
are different from those governing disclosures pursuant to 
Sec. 164.512(f)(3) regarding disclosure to law enforcement about 
victims of crime and other harm. We believe that in abuse situations--
to a greater extent than in situations involving crime victims in 
general--there is clear potential for abusers to cause further serious 
harm to the victim or to others, such as other family members in a 
household or other residents of a nursing home. The provisions allowing 
reporting of abuse when authorized by state law, as described above, 
are consistent with principles articulated by the AMA's Council on 
Ethical and Judicial Affairs, which state that when reporting abuse is 
voluntary under state law, it is justified when necessary to prevent 
serious harm to a patient. Through the provisions of Sec. 164.512(c), 
we recognize the unique circumstances surrounding abuse and domestic 
violence, and we seek to provide an appropriate balance between 
individual privacy interests and important societal interests such as 
preventing serious harm to other individuals. We note that here we are 
relying on covered entities, in the exercise of professional judgment, 
to determine what is in the best interests of the patient.
    Finally, we require covered entities to inform the individual in 
all of the situations described above that the covered entity has 
disclosed protected health information to report abuse, neglect, or 
domestic violence. We allow covered entities to provide this 
information orally. We do not require written notification, nor do we 
encourage it, due to the sensitivity of abuse situations and the 
potential for the abuser to cause further harm to the individual if, 
for example, a covered entity sends written notification to the home of 
the individual and the abuser. Whenever possible, covered entities 
should inform the individual at the same time that they determine abuse 
has occurred and decide that the abuse should be reported. In cases 
involving patient incapacity, we encourage covered entities to inform 
the individual of such disclosures as soon as it is practicable to do 
so.
    The rule provides two exceptions to the requirement to inform the 
victim about a report to a government authority, one based on concern 
for future harm and one based on past harm. First, a covered entity 
need not inform the victim if the covered entity, in the exercise of 
professional judgment, believes that informing the individual would 
place the individual at risk of serious harm. We believe that this 
exception is necessary to address the potential for future harm, either 
physical or emotional, that the individual may face from knowing that 
the report has been made. Second, a covered entity may choose not to 
meet the requirement for informing the victim, if the covered entity 
actually would be informing a personal representative (such as a parent 
of a minor) and the covered entity reasonably believes that such person 
is responsible for the abuse, neglect, or other injury that has already 
occurred and that informing that person would not be in the 
individual's best interests.

Section 164.512(d)--Uses and Disclosures for Health Oversight 
Activities

    Under Sec. 164.510(c) of the NPRM, we proposed to permit covered 
entities to disclose protected health information to health oversight 
agencies for oversight activities authorized by law, including audit, 
investigation, inspection, civil, criminal, or administrative 
proceeding or action, or other activity necessary for appropriate 
oversight of: (i) the health care system; (ii) government benefit 
programs for which health information is relevant to beneficiary 
eligibility; or (iii) government regulatory programs for which health 
information is necessary for determining compliance with program 
standards.
    In Sec. 164.512(d) of the final rule, we modify the proposed 
language to include civil and criminal investigations. In describing 
``other activities necessary for oversight'' of particular entities, we 
add the phrase ``entities subject to civil rights laws for which health 
information is necessary for determining compliance.'' In addition, in 
the final rule, we add ``licensure or disciplinary actions'' to the 
list of oversight activities authorized by law for which covered 
entities may disclose protected health information to health oversight 
agencies. The NPRM's definition of ``health oversight agency'' (in 
proposed Sec. 164.504) included this phrase, but it was inadvertently 
excluded from the regulation text at proposed Sec. 164.510(c). We make 
this change in the regulation text of the final rule to conform to the 
NPRM's definition of health oversight agency and to reflect the full 
range of activities for which we intend to allow covered entities to 
disclose protected health information to health oversight agencies.
    The NPRM would have allowed, but would not have required, covered 
entities to disclose protected health information to public oversight 
agencies and to private entities acting under grant of authority from 
or under contract with oversight agencies for oversight purposes 
without individual authorization for health oversight activities 
authorized by law. When a covered entity was also an oversight agency, 
it also would have been permitted to use protected health information 
in all cases in which it would have been allowed to disclose such 
information for health oversight purposes. The NPRM would not have 
established any new administrative or judicial process prior to 
disclosure for health oversight, nor would it have permitted 
disclosures forbidden by other law. The proposed rule also would not 
have created any new right of access to health records by oversight 
agencies, and it could not have been used as authority to obtain 
records not otherwise legally available to the oversight agency.
    The final rule retains this approach to health oversight. As in the 
NPRM, the final rule provides that when a covered entity is also an 
oversight agency, it is allowed to use protected health information in 
all cases in which it is allowed to disclose such information for 
health oversight purposes. For example, if a state insurance department 
is acting as a health plan in operating the state's Medicaid managed 
care program, the final rule allows the insurance department to use 
protected health information in all cases for which the plan can 
disclose the protected health information for health oversight 
purposes. For example, the state insurance department in its capacity 
as the state Medicaid managed care plan can use protected health 
information in the process of investigating and disciplining a state 
Medicaid provider for attempting to defraud the Medicaid system. As in 
the NPRM, the final rule does not establish any new administrative or 
judicial process prior to disclosure for health oversight, nor does it 
prohibit covered entities from making any disclosures for health 
oversight that are otherwise required by law. Like the NPRM, it does 
not create any new right of access to health records by oversight 
agencies and it cannot be used as authority to obtain records not 
otherwise legally available to the oversight agency.

Overlap Between Law Enforcement and Oversight

    Under the NPRM, the proposed definitions of law enforcement and 
oversight, and the rules governing disclosures for these purposes

[[Page 82529]]

overlapped. Specifically, this overlap occurred because: (1) The NPRM 
preamble, but not the NPRM regulation text, indicated that agencies 
conducting both oversight and law enforcement activities would be 
subject to the oversight requirements when conducting oversight 
activities; and (2) the NPRM addressed some disclosures for 
investigations of health care fraud in the law enforcement paragraph 
(proposed Sec. 164.510(f)(5)(i)), while health care fraud 
investigations are central to the purpose of health care oversight 
agencies (covered under proposed Sec. 164.510(c)). In the final rule, 
we make substantial changes to these provisions, in an attempt to 
prevent confusion.
    In Sec. 164.512(d)(2), we include explicit decision rules 
indicating when an investigation is considered law enforcement and when 
an investigation is considered oversight under this regulation. An 
investigation or activity is not considered health oversight for 
purposes of this rule if: (1) The individual is the subject of the 
investigation or activity; and (2) The investigation or activity does 
not arise out of and is not directly related to: (a) The receipt of 
health care; (b) a claim for public benefits related to health; or (c) 
qualification for, or receipt of public benefits or services where a 
patient's health is integral to the claim for benefits or services. In 
such cases, where the individual is the subject of the investigation 
and the investigation does not relate to issues (a) through (c), the 
rules regarding disclosure for law enforcement purposes (see 
Sec. 164.512(f)) apply. For the purposes of this rule, we intend for 
investigations regarding issues (a) through (c) above to mean 
investigations of health care fraud.
    Where the individual is not the subject of the activity or 
investigation, or where the investigation or activity relates to the 
subject matter in (a) through (c) of the preceding sentence, a covered 
entity may make a disclosure pursuant to Sec. 164.512(d)(1). For 
example, when the U.S. Department of Labor's Pension and Welfare 
Benefits Administration (PWBA) needs to analyze protected health 
information about health plan enrollees in order to conduct an audit or 
investigation of the health plan (i.e., the enrollees are not subjects 
of the investigation) to investigate potential fraud by the plan, the 
health plan may disclose protected health information to the PWBA under 
the health oversight rules. These rules and distinctions are discussed 
in greater detail in our responses to comments.
    To clarify further that health oversight disclosure rules apply 
generally in health care fraud investigations (subject to the exception 
described above), in the final rule, we eliminate proposed 
Sec. 164.510(f)(5)(i), which would have established requirements for 
disclosure related to health care fraud for law enforcement purposes. 
All disclosures of protected health information that would have been 
permitted under proposed Sec. 164.510(f)(5)(i) are permitted under 
Sec. 164.512(d).
    In the final rule, we add new language (Sec. 164.512(d)(3)) to 
address situations in which health oversight activities are conducted 
in conjunction with an investigation regarding a claim for public 
benefits not related to health (e.g., claims for Food Stamps). In such 
situations, for example, when a state Medicaid agency is working with 
the Food Stamps program to investigate suspected fraud involving 
Medicaid and Food Stamps, covered entities may disclose protected 
health information to the entities conducting the joint investigation 
under the health oversight provisions of the rule.
    In the proposed rule, the definitions of ``law enforcement 
proceeding'' and ``oversight activity'' both included the phrase 
``criminal, civil, or administrative proceeding.'' For reasons 
explained below, the final rule retains this phrase in both 
definitions. The final rule does not attempt to distinguish between 
these activities based on the agency undertaking them or the applicable 
enforcement procedures. Rather, as described above, the final rule 
carves out certain activities which must always be considered law 
enforcement for purposes of disclosure of protected health information 
under this rule.

Additional Considerations

    We note that covered entities are permitted to initiate disclosures 
that are permitted under this paragraph. For example, a covered entity 
could disclose protected health information in the course of reporting 
suspected health care fraud to a health oversight agency.
    We delete language in the NPRM that would have allowed disclosure 
under this section only to law enforcement officials conducting or 
supervising an investigation, official inquiry, or a criminal, civil or 
administrative proceeding authorized by law. In some instances, a 
disclosure by a covered entity under this section will initiate such an 
investigation or proceeding, but it will not already be ongoing at the 
time the disclosure is made.

Section 164.512(e)--Disclosures and Uses for Judicial and 
Administrative Proceedings

    Section 164.512(e) addresses when a covered entity is permitted to 
disclose protected health information in response to requests for 
protected health information that are made in the course of judicial 
and administrative proceedings--for example, when a non-party health 
care provider receives a subpoena (under Federal Rule of Civil 
Procedure Rule 45 or similar provision) for medical records from a 
party to a lawsuit. In the NPRM we would have allowed covered entities 
to disclose protected health information in the course of any judicial 
or administrative proceeding: (1) In response to an order of a court or 
administrative tribunal; or (2) where an individual was a party to the 
proceeding and his or her medical condition or history was at issue and 
the disclosure was pursuant to lawful process or otherwise authorized 
by law. Under the NPRM, if the request for disclosure of protected 
health information was accompanied by a court order, a covered entity 
could have disclosed that protected health information which the court 
order authorized to be disclosed. If the request for disclosure of 
protected health information were not accompanied by a court order, 
covered entities could not have disclosed the information requested 
unless a request authorized by law had been made by the agency 
requesting the information or by legal counsel representing a party to 
litigation, with a written statement certifying that the protected 
health information requested concerned a litigant to the proceeding and 
that the health condition of the litigant was at issue at the 
proceeding.
    In Sec. 164.512(e) of the final rule, we permit covered entities to 
disclose protected health information in a judicial or administrative 
proceeding if the request for such protected health information is made 
through or pursuant to an order from a court or administrative tribunal 
or in response to a subpoena or discovery request from, or other lawful 
process by a party to the proceeding. When a request is made pursuant 
to an order from a court or administrative tribunal, a covered entity 
may disclose the information requested without additional process. For 
example, a subpoena issued by a court constitutes a disclosure which is 
required by law as defined in this rule, and nothing in this rule is 
intended to interfere with the ability of the covered entity to comply 
with such subpoena.

    However, absent an order of, or a subpoena issued by, a court or 
administrative tribunal, a covered entity may respond to a subpoena or 
discovery request from, or other lawful process by, a party to the 
proceeding only if the covered entity obtains either: (1) Satisfactory 
assurances that reasonable efforts have been made to give the 
individual whose information has been requested notice of the request; 
or (2) satisfactory assurances that the party seeking such information 
has made reasonable efforts to secure a protective order that will 
guard the confidentiality of the information. In meeting the first 
test, a covered entity is considered to have received satisfactory 
assurances from the party seeking the information if that party 
demonstrates that it has made a good faith effort (such as by sending a 
notice to the individual's last known address) to provide written 
notice to the individual whose information is the subject of the 
request, that the written notice included sufficient information about 
the proceeding to permit the individual to raise an objection, and that 
the time for the individual to raise objections to the court or 
administrative tribunal has elapsed and no objections were filed or any 
objections filed by the individual have been resolved.
    Unless required to do so by other law, the covered entity is not 
required to explain the procedures (if any) available for the 
individual to object to the disclosure. Under the rule, the individual 
exercises the right to object before the court or other body having 
jurisdiction over the proceeding, and not to the covered entity. The 
provisions in this paragraph are not intended to disrupt current 
practice whereby an individual who is a party to a proceeding and has 
put his or her medical condition at issue will not prevail without 
consenting to the production of his or her protected health 
information. In such cases, we presume that parties will have ample 
notice and an opportunity to object in the context of the proceeding in 
which the individual is a party.
    As described above, in this paragraph we also permit a covered 
entity to disclose protected health information in response to a 
subpoena, discovery request, or other lawful process if the covered 
entity receives satisfactory assurances that the party seeking the 
information has made reasonable efforts to seek a qualified protective 
order that would protect the privacy of the information. A ``qualified 
protective order'' means an order of a court or of an administrative 
tribunal or a stipulation that: (1) Prohibits the parties from using or 
disclosing the protected health information for any purpose other than 
the litigation or proceeding for which the records are requested; and 
(2) requires the return to the covered entity or destruction of the 
protected health information (including all copies made) at the end of 
the litigation or proceeding. Satisfactory assurances of reasonable 
efforts to secure a qualified protective order are a statement and 
documentation that the parties to the dispute have agreed to a 
protective order and that it has been submitted to the court or 
administrative tribunal with jurisdiction, or that the party seeking 
the protected health information has requested a qualified protective 
order from such court or tribunal. We encourage the development of 
``model'' protective orders that will facilitate adherence with this 
subpart.
    In the final rule we also permit the covered entity itself to 
satisfy the requirement to make reasonable efforts to notify the 
individual whose information has been requested or to seek a qualified 
protective order. We intend this to be a permissible activity for 
covered entities: we do not require covered entities to undertake these 
efforts in response to a subpoena, discovery request, or similar 
process (other than an order from a court or administrative tribunal). 
If a covered entity receives such a request without receiving the 
satisfactory assurances described above from the party requesting the 
information, the covered entity is free to object to the disclosure and 
is not required to undertake the reasonable efforts itself.
    We clarify that the provisions of this paragraph do not supersede 
or otherwise invalidate other provisions of this rule that permit uses 
and disclosures of protected health information. For example, the fact 
that protected health information is the subject of a matter before a 
court or tribunal does not prevent its disclosure under another 
provision of the rule, such as Secs. 164.512(b), 164.512(d), or 
164.512(f), even if a public agency's method of requesting the 
information is pursuant to an administrative proceeding. For example, 
where a public agency commences a disciplinary action against a health 
professional, and requests protected health information as part of its 
investigation, the disclosure may be made to the agency under 
paragraph (d) of this section (relating to health oversight) even if 
the method of making the request is through the proceeding. As with any 
request for disclosure under this section, the covered entity will need 
to verify the authority under which the request is being made, and we 
expect that public agencies will identify their authority when making 
such requests. We note that covered entities may reasonably rely on 
assertions of authority made by government agencies.

Additional Considerations

    Where a disclosure made pursuant to this paragraph is required by 
law, such as in the case of an order from a court or administrative 
tribunal, the minimum necessary requirements in Sec. 164.514(d) do not 
apply. A covered entity making 
a disclosure under this paragraph, however, may of course disclose only 
that protected health information that is within the scope of the 
permitted disclosure. For instance, in response to an order of a court 
or administrative tribunal, the covered entity may disclose only the 
protected health information that is expressly authorized by such an 
order. Where a disclosure is not considered under this rule to be 
required by law, the minimum necessary requirements apply, and the 
covered entity must make reasonable efforts to limit the information 
disclosed to that which is reasonably necessary to fulfill the request. 
A covered entity is not required to second-guess the scope or purpose 
of the request, or to take action to resist the request because it 
believes that the request is overbroad. In complying with the request, however, 
the covered entity must make reasonable efforts not to disclose more 
information than is requested. For example, a covered entity may not 
provide a party free access to its medical records under the theory 
that the party can identify the information necessary for the request. 
In some instances, it may be appropriate for a covered entity, 
presented with a relatively broad discovery request, to permit access 
to a relatively large amount of information in order for a party to 
identify the relevant information. This is permissible as long as the 
covered entity makes reasonable efforts to circumscribe the access as 
appropriate.
    The NPRM indicated that when a covered entity was itself a 
government agency, the covered entity could use protected health 
information in all cases in which it would have been allowed to 
disclose such information in the course of any judicial or 
administrative proceeding. As explained above, the final rule does not 
include this provision.

Section 164.512(f)--Disclosure for Law Enforcement Purposes

Disclosures Pursuant to Process and as Otherwise Required by Law

    In the NPRM we would have allowed covered entities to disclose 
protected health information without individual authorization as 
required by other law. However, as explained above, if a legally 
mandated use or disclosure fell into one or more of the national 
priority purposes expressly identified in other paragraphs of proposed 
Sec. 164.510, the disclosure would have been subject to the terms and 
conditions specified by the applicable paragraph of proposed 
Sec. 164.510. For example, mandatory reporting to law enforcement 
officials would not have been allowed unless such disclosures conformed 
to the requirements of proposed Sec. 164.510(f) of the NPRM. Proposed 
Sec. 164.510(f) did not explicitly recognize disclosures required by 
other laws, and it would not have permitted covered entities to comply 
with some state and other mandatory reporting laws that require covered 
entities to disclose protected health information to law enforcement 
officials, such as the reporting of gunshot wounds, stab wounds, or 
burn injuries.
    We did not intend to preempt generally state and other mandatory 
reporting laws, and in Sec. 164.512(f)(1)(i) of the final rule, we 
explicitly permit covered entities to disclose protected health 
information for law enforcement purposes as required by other law. This 
provision permits covered entities to comply with these state and other 
laws. Under this provision, to the extent that a mandatory reporting 
law falls under the provisions of Sec. 164.512(c)(1)(i) regarding 
reporting of abuse, neglect, or domestic violence, the requirements of 
those provisions supersede.
    In the final rule, we specify that covered entities may disclose 
protected health information pursuant to this provision in compliance 
with and as limited by the relevant requirements of legal process or 
other law. In the NPRM, for the purposes of this portion of the law 
enforcement paragraph, we proposed to define ``law enforcement inquiry 
or proceeding'' as an investigation or official proceeding inquiring 
into a violation of or failure to comply with law; or a criminal, civil 
or administrative proceeding arising from a violation of or failure to 
comply with law. In the final rule, we do not include this definition 
in Sec. 164.512(f), because it is redundant with the definition of 
``law enforcement official'' in Sec. 164.501.
    Proposed Sec. 164.510(f)(1) of the NPRM would have authorized 
disclosure of protected health information to a law enforcement 
official conducting or supervising a law enforcement inquiry or 
proceeding authorized by law pursuant to process, under three 
circumstances.
    First, we proposed to permit such disclosures pursuant to a 
warrant, subpoena, or other order issued by a judicial officer that 
documented a finding by the officer. The NPRM did not specify 
requirements for the nature of the finding. In the final rule, we 
eliminate the requirement for a ``finding,'' and we make changes to the 
list of orders in response to which covered entities may disclose under 
this provision. Under the final rule, covered entities may disclose 
protected health information in compliance with and as limited by 
relevant requirements of: a court order or court-ordered warrant, or a 
subpoena or summons issued by a judicial officer. We made this change 
to the list to conform to the definition of ``required by law'' in 
Sec. 164.501.
    Second, we proposed to permit such disclosures pursuant to a state 
or federal grand jury subpoena. In the final rule, we leave this 
provision of the NPRM unchanged.
    Third, we proposed to permit such disclosures pursuant to an 
administrative request, including an administrative subpoena or 
summons, a civil investigative demand, or similar process, under 
somewhat stricter standards than exist today for such disclosures. We 
proposed to permit a covered entity to disclose protected health 
information pursuant to an administrative request only if the request 
met three conditions, as follows: (i) The information sought was 
relevant and material to a legitimate law enforcement inquiry; (ii) the 
request was as specific and narrowly drawn as reasonably practicable; 
and (iii) de-identified information could not reasonably have been used 
to meet the purpose of the request.
    The final rule generally adopts this provision of the NPRM. In the 
final rule, we modify the list of orders in response to which covered 
entities may disclose protected health information, to include 
administrative subpoenas or summons, civil or authorized investigative 
demands, or similar process authorized by law. We made this change to 
the list to conform with the definition of ``required by law'' in 
Sec. 164.501. In addition, we slightly modify the second of the three 
conditions under which covered entities may respond to such requests, 
to allow disclosure if the request is specific and is limited in scope 
to the extent reasonably practicable in light of the purpose for which 
the information is sought.

Limited Information for Identification and Location Purposes

    The NPRM would have allowed covered entities to disclose ``limited 
identifying information'' for purposes of identifying a suspect, 
fugitive, material witness, or missing person, in response to a law 
enforcement request. We proposed to define ``limited identifying 
information'' as (i) name; (ii) address; (iii) Social Security number; 
(iv) date of birth; (v) place of birth; (vi) type of injury or other 
distinguishing characteristic; and (vii) date and time of treatment.
    The final rule generally adopts this provision of the NPRM with a 
few modifications. In the final rule, we expand the circumstances under 
which limited information about suspects, fugitives, material 
witnesses, and missing persons may be disclosed, to include not only 
cases in which law enforcement officials are seeking to identify such 
individuals, but also cases in which law enforcement officials are 
seeking to locate such individuals. In addition, the final rule 
modifies the list of data elements that may be disclosed under this 
provision, in several ways. We expand the list of elements that may be 
disclosed under these circumstances, to include ABO blood type and Rh 
factor, as well as date and time of death, if applicable. We remove 
``other distinguishing characteristic'' from the list of items that may 
be disclosed for the location and identification purposes described in 
this paragraph, and instead allow covered entities to disclose only a 
description of distinguishing physical characteristics, such as scars 
and tattoos, height, weight, gender, race, hair and eye color, and the 
presence or absence of facial hair such as a beard or moustache. In 
addition, in the final rule, protected health information associated 
with the following cannot be disclosed pursuant to Sec. 164.512(f)(2): 
DNA data and analyses; dental records; or typing, samples or analyses 
of tissues or bodily fluids other than blood (e.g., saliva). If a 
covered entity discloses additional information under this provision, 
the covered entity will be out of compliance and subject to sanction.
    We clarify our intent not to allow covered entities to initiate 
disclosures of limited identifying information to law enforcement in 
the absence of a law enforcement request; a covered entity may disclose 
protected health information under this provision only in response to a 
request from law enforcement. We allow a ``law enforcement official's 
request'' to be made orally or in writing, and we intend for it to 
include requests by 
a person acting on behalf of law enforcement, for example, requests by 
a media organization making a television or radio announcement seeking 
the public's assistance in identifying a suspect. Such a request also 
may include a ``Wanted'' poster and similar postings.

Disclosure About a Victim of Crime

    The NPRM would have allowed covered entities to disclose protected 
health information about a victim of a crime, abuse or other harm to a 
law enforcement official, if the law enforcement official represented 
that: (i) The information was needed to determine whether a violation 
of law by a person other than the victim had occurred; and (ii) 
immediate law enforcement activity that depended on obtaining the 
information may have been necessary.
    The final rule modifies the conditions under which covered entities 
can disclose protected health information about victims. In addition, 
as discussed above, the final rule includes a new Sec. 164.512(c), 
which establishes conditions for disclosure of protected health 
information about victims of abuse, neglect or domestic violence. In 
addition, as discussed above, we have added Sec. 164.512(f)(1)(i) to 
this paragraph to explicitly recognize that in some cases, covered 
entities' disclosure of protected health information is mandated by 
state or other law. The rule's requirements for disclosure in 
situations not covered under mandatory reporting laws are different 
from the rule's provisions regarding disclosure pursuant to a mandatory 
reporting law.
    The final rule requires covered entities to obtain individual 
agreement as a condition of disclosing the protected health information 
about victims to law enforcement, unless the disclosure is permitted 
under Sec. 164.512(b) or (c) or Sec. 164.512(f)(1) above. The required 
agreement may be obtained orally, and does not need to meet the 
requirements of Sec. 164.508 of this rule (regarding authorizations). 
The rule waives the requirement for individual agreement if the victim 
is unable to agree due to incapacity or other emergency circumstance 
and: (1) The law enforcement official represents that the protected 
health information is needed to determine whether a violation of law by 
a person other than the victim has occurred and the information is not 
intended to be used against the victim; (2) the law enforcement 
official represents that immediate law enforcement activity that 
depends on such disclosure would be materially and adversely affected 
by waiting until the individual is able to agree to the disclosure; and 
(3) the covered entity, in the exercise of professional judgment, 
determines that the disclosure is in the individual's best interests. 
We intend that assessing the individual's best interests includes 
taking into account any further risk of harm to the individual. This 
provision does not allow covered entities to initiate disclosures of 
protected health information to law enforcement; the disclosure must be 
in response to a request from law enforcement.
    We do not intend to create a new legal duty on the part of covered 
entities with respect to the safety of their patients. Rather, we 
intend to ensure that covered entities can continue to exercise their 
professional judgment in these circumstances, on a case-by-case basis, 
as they do today.
    In some cases, a victim may also be a fugitive or suspect. For 
example, an individual may receive a gunshot wound during a robbery and 
seek treatment in a hospital emergency room. In such cases, when law 
enforcement officials are requesting protected health information 
because the individual is a suspect (and thus the information may be 
used against the individual), covered entities may disclose the 
protected health information pursuant to Sec. 164.512(f)(2) regarding 
suspects and not pursuant to Sec. 164.512(f)(3) regarding victims. 
Thus, in these situations, covered entities may disclose only the 
limited identifying information listed in Sec. 164.512(f)(2)--not all 
of the protected health information that may be disclosed under 
Sec. 164.512(f)(3).
    The proposed rule did not address whether a covered entity could 
disclose protected health information to a law enforcement official to 
alert the official of the individual's death.

Disclosures About Decedents

    In the final rule, we add a new provision Sec. 164.512(f)(4) in 
which we permit covered entities to disclose protected health 
information about an individual who has died to a law enforcement 
official for the purpose of alerting law enforcement of the death if 
the covered entity has a suspicion that such death may have resulted 
from criminal conduct. In such circumstances consent of the individual 
is not available and it may be difficult to determine the identity of a 
personal representative and gain consent for disclosure of protected 
health information. Permitting disclosures in this circumstance will 
permit law enforcement officials to begin their investigation into the 
death more rapidly, increasing the likelihood of success.

Intelligence and National Security Activities

    Section 164.510(f)(4) of the NPRM would have allowed covered 
entities to disclose protected health information to a law enforcement 
official without individual authorization for the conduct of lawful 
intelligence activities conducted pursuant to the National Security Act 
of 1947 (50 U.S.C. 401 et seq.) or in connection with providing 
protective services to the President or other individuals pursuant to 
section 3056 of title 18, United States Code. In the final rule, we 
move provisions regarding disclosures of protected health information 
for intelligence and protective services activities to Sec. 164.512(k) 
regarding uses and disclosures for specialized government functions.

Criminal Conduct on the Premises of a Covered Entity

    The NPRM would have allowed covered entities on their own 
initiative to disclose to law enforcement officials protected health 
information that the covered entity believed in good faith constituted 
evidence of criminal conduct that arose out of and was directly related 
to: (A) The receipt of health care or payment for health care, 
including a fraudulent claim for health care; (B) qualification for or 
receipt of benefits, payments, or services based on a fraudulent 
statement or material misrepresentation of the health of the 
individual; or that occurred on the covered entity's premises or was 
witnessed by a member of the covered entity's workforce.
    In the final rule, we modify this provision substantially, by 
eliminating language allowing disclosures already permitted in other 
sections of the regulation. The proposed provision overlapped with 
other sections of the NPRM, in particular proposed Sec. 164.510(c) 
regarding disclosure for health oversight activities. In the final 
regulation, we clarify that this provision applies only to disclosures 
to law enforcement officials of protected health information that the 
covered entity believes in good faith constitutes evidence of a crime 
committed on the premises. We eliminate proposed Sec. 164.510(f)(5)(i) 
regarding health care fraud from the law enforcement section, because 
all disclosures that would have been allowed under that provision are 
allowed under Sec. 164.512(d) of the final rule (health oversight). 
Similarly, in the final rule, we eliminate proposed 
Sec. 164.510(f)(5)(iii) on disclosure of protected health information 
to law enforcement officials regarding criminal activity witnessed by a 
member of a health plan workforce. All disclosures that would have been 
permitted by that provision are included in Sec. 164.512(f)(5), which 
allows disclosure of information to report a crime committed on the 
covered entity's premises, and by Sec. 164.502, which provides that a 
covered entity is not in violation of the rule when a member of its 
workforce or person working for a business associate uses or discloses 
protected health information while acting as a ``whistle blower.'' 
Thus, Sec. 164.512(f)(5) allows covered entities to disclose health 
information only on the good faith belief that it constitutes evidence 
of a crime on their premises. The preamble to the NPRM said that if the 
covered entity disclosed protected health information in good faith but 
was wrong in its belief that the information was evidence of a 
violation of law, the covered entity would not be subject to sanction 
under this regulation. The final rule retains this approach.

Reporting Crime in Emergencies

    The proposed rule did not address disclosures by emergency medical 
personnel to a law enforcement official intended to alert law 
enforcement about the commission of a crime. Because the provisions of 
the proposed rule were limited to individually identifiable health 
information that was reduced to electronic form, many communications 
that occur between emergency medical personnel and law enforcement 
officials at the scene of a crime would not have been covered by the 
proposed provisions.
    In the final rule we include a new provision Sec. 164.512(f)(6) 
that addresses ``911'' calls for emergency medical technicians as well 
as other emergency health care in response to a medical emergency. The 
final rule permits a covered health care provider providing emergency 
health care in response to a medical emergency, other than such 
emergency on the premises of the covered health care provider, to 
disclose protected health information to a law enforcement official if 
such disclosure appears necessary to alert law enforcement to (1) the 
commission and nature of a crime, (2) the location of such crime or of 
the victim(s) of such crime, and (3) the identity, description, and 
location of the perpetrator of such crime. A disclosure is not 
permitted under this section if the health care provider believes that the 
medical emergency is the result of abuse, neglect, or domestic violence 
of the individual in need of emergency health care. In such cases, 
disclosures to law enforcement would be governed by paragraph (c) of 
this section.
    This added provision recognizes the special role of emergency 
medical technicians and other providers who respond to medical 
emergencies. In emergencies, emergency medical personnel often arrive 
on the scene before or at the same time as police officers, 
firefighters, and other emergency response personnel. In these cases, 
providers may be in the best position, and sometimes be the only ones 
in the position, to alert law enforcement about criminal activity. For 
instance, providers may be the first persons aware that an individual 
has been the victim of a battery or an attempted murder. They may also 
be in the position to report in real time, through use of radio or 
other mechanism, information that may immediately contribute to the 
apprehension of a perpetrator of a crime.
    We note that disclosure under this provision is at the discretion 
of the health care provider. Disclosures in some instances may be 
governed more strictly, such as by applicable ethical standards and 
state and local laws.
    Finally, the NPRM also included a proposed Sec. 164.510(f)(5), 
which duplicated proposed Sec. 164.510(f)(3). The final rule does not 
include this duplicate provision.

Additional Considerations

    As stated in the NPRM, this paragraph is not intended to limit or 
preclude a covered entity from asserting any lawful defense or 
otherwise contesting the nature or scope of the process when the 
procedural rules governing the proceeding so allow. At the same time, 
it is not intended to create a basis for appealing to federal court 
concerning a request by state law enforcement officials. Each covered 
entity will continue to have available legal procedures applicable in 
the appropriate jurisdiction to contest such requests where warranted.
    As was the case with the NPRM, this rule does not create any new 
affirmative requirement for disclosure of protected health information. 
Similarly, this section is not intended to limit a covered entity from 
disclosing protected health information to law enforcement officials 
where other sections of the rule permit such disclosure, e.g., as 
permitted by Sec. 164.512(j) to avert an imminent threat to health or 
safety, for health oversight activities, to coroners or medical 
examiners, and in other circumstances permitted by the rule. For 
additional provisions permitting covered entities to disclose protected 
health information to law enforcement officials, see 
Sec. 164.512(j)(1)(i) and (ii).
    Under the NPRM and under the final rule, to obtain protected health 
information, law enforcement officials must comply with whatever other 
law is applicable. In certain circumstances, while this provision could 
authorize a covered entity to disclose protected health information to 
law enforcement officials, there could be additional applicable 
statutes or rules that further govern the specific disclosure. If the 
preemption provisions of this regulation do not apply, the covered 
entity must comply with the requirements or limitations established by 
such other law, regulation or judicial precedent. See Secs. 160.201 
through 160.205. For example, if state law permits disclosure only 
after compulsory process with court review, a provider or payor is not 
allowed to disclose information to state law enforcement officials 
unless the officials have complied with that requirement. Similarly, 
disclosure of substance abuse patient records subject to 42 U.S.C. 
290dd-2, and the implementing regulations, 42 CFR part 2, continues to 
be governed by those provisions.
    In some instances, disclosure of protected health information to 
law enforcement officials will be compelled by other law, for example, 
by compulsory judicial process or compulsory reporting laws (such as 
laws requiring reporting of wounds from violent crimes, suspected child 
abuse, or suspected theft of controlled substances). As discussed 
above, disclosure of protected health information under such other 
mandatory law is permitted under Sec. 164.512(a).
    In the responses to comments we clarify that items such as cells 
and tissues are not protected health information, but that analyses of 
them are. The same treatment would be given to other physical items, such 
as clothing, weapons, or a bloody knife. We note, however, that while 
these items are not protected health information and may be disclosed, 
some communications that could accompany the disclosure will be 
protected health information under the rule. For example, if a person 
provides cells to a researcher, and tells the researcher that these are 
an identified individual's cancer cells, that accompanying statement is 
protected health information about that individual. Similarly, if a 
person provides a bullet to law enforcement, and tells law enforcement 
that the bullet was extracted from an identified

[[Page 82534]]

individual, the person has disclosed the fact that the individual was 
treated for a wound, and the additional statement is a disclosure of 
protected health information.
    To be able to make the additional statement accompanying the 
provision of the bullet, a covered entity must look to the rule to find 
a provision under which a disclosure may be made to law enforcement. 
Section 164.512(f) of the rule addresses disclosures for law 
enforcement purposes. Under Sec. 164.512(f)(1), the additional 
statement may be disclosed to a law enforcement official if required by 
law or with appropriate process. Under Sec. 164.512(f)(2), we permit 
covered entities to disclose limited identifying information without 
legal process in response to a request from a law enforcement official 
for the purpose of identifying or locating a suspect, fugitive, 
material witness, or missing person. Thus, in the case of the bullet 
described above, the covered entity may, in response to a law 
enforcement request, provide the extracted bullet and such additional 
limited identifying information as is permitted under 
Sec. 164.512(f)(2).

Section 164.512(g)--Uses and Disclosures About Decedents

    In the NPRM we proposed to allow covered entities to disclose 
protected health information without individual authorization to 
coroners and medical examiners, consistent with applicable law, for 
identification of a deceased person or to determine cause of death.
    In Sec. 164.512(g) of the final rule, we permit covered entities to 
disclose protected health information to coroners, medical examiners, 
and funeral directors as part of a new paragraph on disclosures related 
to death. The final rule retains the NPRM approach regarding disclosure 
of protected health information to coroners and medical examiners, and 
it allows the information disclosed to coroners and medical examiners 
to include identifying information about other persons that may be 
included in the individual's medical record. Redaction of such names is 
not required prior to disclosing the individual's record to coroners or 
medical examiners. Since covered entities may also perform duties of a 
coroner or medical examiner, where a covered entity is itself a coroner 
or medical examiner, the final rule permits the covered entity to use 
protected health information in all cases in which it is permitted to 
disclose such information for its duties as a coroner or medical 
examiner.
    Section 164.512(g) allows covered entities to disclose protected 
health information to funeral directors, consistent with applicable 
law, as necessary to carry out their duties with respect to a decedent. 
For example, the rule allows hospitals to disclose to funeral directors 
the fact that an individual has donated an organ or tissue, because 
this information has implications for funeral home staff duties 
associated with embalming. When necessary for funeral directors to 
carry out their duties, covered entities may disclose protected health 
information prior to and in reasonable anticipation of the individual's 
death.
    Whereas the NPRM did not address the issue of disclosure of 
psychotherapy notes without individual authorization to coroners and 
medical examiners, the final rule allows such disclosures.
    The NPRM did not include in proposed Sec. 164.510(e) language 
stating that where a covered entity was itself a coroner or medical 
examiner, it could use protected health information for the purposes of 
engaging in a coroner's or a medical examiner's activities. The final 
rule includes such language to address situations such as where a 
public hospital performs medical examiner functions. In such cases, the 
hospital's on-staff coroners can use protected health information while 
conducting post-mortem investigations, and other hospital staff can 
analyze any information associated with these investigations, for 
example, as part of the process of determining the cause of the 
individual's death.

Section 164.512(h)--Uses and Disclosures for Cadaveric Donation of 
Organs, Eyes, or Tissues

    In the NPRM we proposed to include the procurement or banking of 
blood, sperm, organs, or any other tissue for administration to 
patients in the definition of ``health care'' (described in proposed 
Sec. 160.103). The NPRM's proposed approach did not differentiate 
between situations in which the donor was competent to consent to the 
donation--for example, when an individual is donating blood, sperm, a 
kidney, or a liver or lung lobe--and situations in which the donor was 
deceased, for example, when cadaveric organs and tissues were being 
donated. We also proposed to allow use and disclosure of protected 
health information for treatment without consent.
    In the final rule, we take a different approach. In 
Sec. 164.512(h), we permit covered entities to disclose protected 
health information without individual authorization to organ 
procurement organizations or other entities engaged in the procurement, 
banking, or transplantation of cadaveric organs, eyes, or tissue for 
donation and transplantation. This provision is intended to address 
situations in which an individual has not previously indicated whether 
he or she seeks to donate organs, eyes, or tissues (and therefore 
authorized release of protected health information for this purpose). 
In such situations, this provision is intended to allow covered 
entities to initiate contact with organ and tissue donation and 
transplantation organizations to facilitate transplantation of 
cadaveric organs, eyes, and tissues.

Disclosures and Uses for Government Health Data Systems

    In the NPRM we proposed to permit covered entities to disclose 
protected health information to a government agency, or to a private 
entity acting on behalf of a government agency, for inclusion in a 
government health data system collecting health data for analysis in 
support of policy, planning, regulatory, or management functions 
authorized by law. The NPRM stated that when a covered entity was 
itself a government agency collecting health data for these functions, 
it could use protected health information in all cases for which it was 
permitted to disclose such information to government health data 
systems.
    In the final rule, we eliminate the provision that would have 
allowed covered entities to disclose protected health information to 
government health data systems without authorization. Thus, under the 
final rule, covered entities cannot disclose protected health 
information without authorization to government health data systems--or 
to private health data systems--unless the disclosure is permissible 
under another provision of the rule.

Disclosures for Payment Processes

    In the NPRM we proposed to permit covered entities to disclose, in 
connection with routine banking activities or payment by debit, credit, 
or other payment card, or other payment means, the minimum amount of 
protected health information necessary to complete a banking or payment 
activity to financial institutions or to entities acting on behalf of 
financial institutions to authorize, process, clear, settle, bill, 
transfer, reconcile, or collect payments for financial institutions.
    The preamble to the NPRM clarified the proposed rule's intent 
regarding disclosure of diagnostic and treatment information along with 
payment

[[Page 82535]]

information to financial institutions. The preamble to the proposed 
rule said that diagnostic and treatment information never was necessary 
to process a payment transaction. The preamble said we believed that in 
most cases, the permitted disclosure would include only: (1) The name 
and address of the account holder; (2) the name and address of the 
payor or provider; (3) the amount of the charge for health services; 
(4) the date on which health services were rendered; (5) the expiration 
date for the payment mechanism, if applicable; and (6) the individual's 
signature. The preamble noted that the proposed regulation text did not 
include an exclusive list of information that could lawfully be 
disclosed to process payments, and it solicited comments on whether 
more elements would be needed for banking and payment transactions and 
on whether including a specific list of protected health information 
that could be disclosed was an appropriate approach.
    The preamble also noted that under section 1179 of HIPAA, certain 
activities of financial institutions were exempt from this rule, to the 
extent that these activities constituted authorizing, processing, 
clearing, settling, billing, transferring, reconciling, or collecting 
payments for health care or health plan premiums.
    In the final rule, we eliminate the NPRM's provision on ``banking 
and payment processes.'' All disclosures that would have been allowed 
pursuant to proposed Sec. 164.510(i) are allowed under Sec. 164.502(a) 
of the final rule, regarding disclosure for payment purposes.

Section 164.512(i)--Uses and Disclosures for Research Purposes

    The NPRM would have permitted covered entities to use and disclose 
protected health information for research--regardless of funding 
source--without individual authorization, provided that the covered 
entity obtained documentation of the following:
    (1) A waiver, in whole or in part, of authorization for the use or 
disclosure of protected health information was approved by an 
Institutional Review Board (IRB) or a privacy board that was composed 
as stipulated in the proposed rule;
    (2) The date of approval of the waiver, in whole or in part, of 
authorization by an IRB or privacy board;
    (3) The IRB or privacy board had determined that the waiver, in 
whole or in part satisfied the following criteria:
    (i) The use or disclosure of protected health information involves 
no more than minimal risk to the subjects;
    (ii) The waiver will not adversely affect the rights and welfare of 
the subjects;
    (iii) The research could not practicably be conducted without the 
waiver;
    (iv) Whenever appropriate, the subjects will be provided with 
additional pertinent information after participation;
    (v) The research could not practicably be conducted without access 
to and use of the protected health information;
    (vi) The research is of sufficient importance so as to outweigh the 
intrusion of the privacy of the individual whose information is subject 
to the disclosure;
    (vii) There is an adequate plan to protect the identifiers from 
improper use and disclosure; and
    (viii) There is an adequate plan to destroy the identifiers at the 
earliest opportunity consistent with the conduct of the research, 
unless there is a health or research justification for retaining the 
identifiers; and
    (4) The written documentation was signed by the chair of, as 
applicable, the IRB or the privacy board.
    The NPRM also proposed that IRBs and privacy boards be permitted to 
adopt procedures for ``expedited review'' similar to those provided in 
the Common Rule (Common Rule Sec. ____.110) for records research that 
involved no more than minimal risk. However, this provision for 
expedited review was not included in the proposed regulation text.
    The board that would determine whether the research protocol met 
the eight specified criteria for waiving the patient authorization 
requirements (described above), could have been an IRB constituted as 
required by the Common Rule, or a privacy board, whose proposed 
composition is described below. The NPRM proposed no requirements for 
the location or sponsorship of the IRB or privacy board. Under the 
NPRM, the covered entity could have created such a board and could have 
relied on it to review research proposals for uses and disclosures of 
protected health information for research. A covered entity also could 
have relied on the necessary documentation from an outside researcher's 
own university IRB or privacy board. In addition, a covered entity 
could have engaged the services of an outside IRB or privacy board to 
obtain the necessary documentation.
    Absent documentation that the requirements described above had been 
met, the NPRM would have required individuals' authorization for the 
use or disclosure of protected health information for research, 
pursuant to the authorization requirements in proposed Sec. 164.508. 
For research conducted with patient authorization, documentation of IRB 
or privacy board approval would not have been required.
    The final rule retains the NPRM's proposed framework for permitting 
uses and disclosures of protected health information for research 
purposes, although we are making several important changes for the 
final rule. These changes are discussed below:

Documentation Requirements of IRB or Privacy Board Approval of Waiver

    The final rule retains these documentation requirements, but 
modifies some of them and includes two additional documentation 
requirements. The final rule's modifications to the NPRM's proposed 
documentation requirements are described first, followed by a 
description of the three documentation requirements added in the final 
rule.
    The final rule makes the following modifications to the NPRM's 
proposed documentation requirements for the waiver of individual 
authorization:
    1. IRB and privacy board membership. The NPRM stipulated that to 
meet the requirements of proposed Sec. 164.510(j), the documentation 
would need to indicate that the IRB had been composed as required by 
the Common Rule (Sec. ____.107), and the privacy board had been 
composed as follows: ``(A) Has members with varying backgrounds and 
appropriate professional competency as necessary to review the research 
protocol; (B) Includes at least one member who is not affiliated with 
the entity conducting the research, or related to a person who is 
affiliated with such entity; and (C) Does not have any member 
participating in a review of any project in which the member has a 
conflict of interest'' (Sec. 164.510(j)(1)(ii)).
    The final rule modifies the first of the requirements for the 
composition of a privacy board to focus on the effect of the research 
protocol on the individual's privacy rights and related interests. 
Therefore, under the final rule, the required documentation must 
indicate that the privacy board has members with varying backgrounds 
and appropriate professional competency as necessary to review the 
effect of the research protocol on the individual's privacy rights and 
related interests.
    In addition, the final rule further restricts the NPRM's proposed 
requirement that the privacy board include at least one member who was

[[Page 82536]]

not affiliated with the entity conducting the research, or related to a 
person who is affiliated with such entity. Under the final rule, the 
board must include at least one member who is not affiliated with the 
covered entity, not affiliated with any entity conducting or sponsoring 
the research, and not related to any person who is affiliated with such 
entities.
    The other documentation requirements for the composition of an IRB 
and privacy board remain the same.
    2. Waiver of authorization criteria. The NPRM proposed to prohibit 
the use or disclosure of protected health information for research 
without individual authorization as stipulated in proposed Sec. 164.508 
unless the covered entity had documentation indicating that an IRB or 
privacy board had determined that the following waiver criteria had 
been met:
    (i) The use or disclosure of protected health information involves 
no more than minimal risk to the subjects;
    (ii) The waiver will not adversely affect the rights and welfare of 
the subjects;
    (iii) The research could not practicably be conducted without the 
waiver;
    (iv) Whenever appropriate, the subjects will be provided with 
additional pertinent information after participation;
    (v) The research could not practicably be conducted without 
access to and use of the protected health information;
    (vi) The research is of sufficient importance so as to outweigh the 
intrusion of the privacy of the individual whose information is subject 
to the disclosure;
    (vii) There is an adequate plan to protect the identifiers from 
improper use and disclosure; and
    (viii) There is an adequate plan to destroy the identifiers at the 
earliest opportunity consistent with the conduct of the research, 
unless there is a health or research justification for retaining the 
identifiers.
    The final rule continues to permit the documentation of IRB or 
privacy board approval of a waiver of an authorization as required by 
Sec. 164.508, to indicate that only some or all of the Sec. 164.508 
authorization requirements have been waived. In addition, the final 
rule clarifies that the documentation of IRB or privacy board approval 
may indicate that the authorization requirements have been altered. 
Also, for all of the proposed waiver of authorization criteria that 
used the term ``subject,'' we replace this term with the term 
``individual'' in the final rule.
    In addition, the final rule (1) eliminates proposed waiver 
criterion iv, (2) modifies proposed waiver criteria ii, iii, vi, and 
viii, and (3) adds a waiver criterion.
    Proposed waiver criterion ii (waiver criterion 
Sec. 164.512(i)(2)(ii)(B) in the final rule) is revised as follows to 
focus more narrowly on the privacy interests of individuals, and to 
clarify that it also pertains to alterations of individual 
authorization: ``the alteration or waiver will not adversely affect the 
privacy rights and the welfare of the individuals.'' Under criterion 
Sec. 164.512(i)(2)(ii)(B), the question is whether the alteration or 
waiver of individual authorization would adversely affect the privacy 
rights and the welfare of individuals, not whether the research project 
itself would adversely affect the privacy rights or the welfare of 
individuals.
    Proposed waiver criterion iii (waiver criterion 
Sec. 164.512(i)(2)(ii)(C) in the final rule) is revised as follows to 
clarify that it also pertains to alterations of individual 
authorization: ``the research could not practicably be conducted 
without the alteration or waiver.''
    Proposed waiver criterion vi (waiver criterion 
Sec. 164.512(i)(2)(ii)(E) in the final rule) is revised as follows to 
be more consistent with one of the Common Rule's requirements for the 
approval of human subjects research (Common Rule, Sec. ____.111(a)(2)): 
``the privacy risks to individuals whose protected health information 
is to be used or disclosed are reasonable in relation to anticipated 
benefits if any to individuals, and the importance of the knowledge 
that may reasonably be expected to result from the research.'' Under 
criterion Sec. 164.512(i)(2)(ii)(E), the question is whether the risks 
to an individual's privacy from participating in the research are 
reasonable in relation to the anticipated benefits from the research. 
This criterion is unlike waiver criterion Sec. 164.512(i)(2)(ii)(B) in 
that it focuses on the privacy risks and benefits of the research 
project more broadly, not on the waiver of individual authorization.
    Proposed waiver criterion viii (waiver criterion 
Sec. 164.512(i)(2)(ii)(G) in the final rule) is revised as follows: 
``there is an adequate plan to destroy the identifiers at the earliest 
opportunity consistent with the conduct of the research, unless there 
is a health or research justification for retaining the identifiers, or 
such retention is otherwise required by law.''
    In addition, the final rule includes another waiver criterion: 
waiver criterion Sec. 164.512(i)(2)(ii)(H). The NPRM proposed no 
restriction on a researcher's further use or disclosure of protected 
health information that had been received under proposed 
Sec. 164.510(j). The final rule requires that the covered entity obtain 
written agreement from the person or entity receiving protected health 
information under Sec. 164.512(i) not to re-use or disclose protected 
health information to any other person or entity, except: (1) As 
required by law, (2) for authorized oversight of the research project, 
or (3) for other research for which the use or disclosure of protected 
health information would be permitted by this subpart. For instance, in 
assessing whether this criterion has been met, we encourage IRBs and 
privacy boards to obtain adequate assurances that the protected health 
information will not be disclosed to an individual's employer for 
employment decisions without the individual's authorization.
    3. Required signature. The rule broadens the types of individuals 
who are permitted to sign the required documentation of IRB or privacy 
board approval. The final rule requires the documentation of the 
alteration or waiver of authorization to be signed by (1) the chair of, 
as applicable, the IRB or the privacy board, or (2) a member of the IRB 
or privacy board, as applicable, who is designated by the chair to sign 
the documentation.
    Furthermore, the final rule makes the following three additions to 
the proposed documentation requirements for the alteration or waiver of 
authorization:
    1. Identification of the IRB or privacy board. The NPRM did not 
propose that the documentation of waiver include a statement 
identifying the IRB or privacy board that approved the waiver of 
authorization. In the final rule we require that such a statement be 
included in the documentation of alteration or waiver of individual 
authorization. By this requirement we mean that the name of the IRB or 
privacy board must be included in such documentation, not the names of 
individual members of the board.
    2. Description of protected health information approved for use or 
disclosure. The NPRM did not propose that the documentation of waiver 
include a description of the protected health information that the IRB 
or privacy board had approved for use or disclosure without individual 
authorization. In considering waiver of authorization criterion 
Sec. 164.512(i)(2)(ii)(D), we expect the IRB or privacy board to 
consider the amount of information that is minimally needed for the 
study. The final rule requires that the documentation of IRB or

[[Page 82537]]

privacy board approval of the alteration or waiver of authorization 
describe the protected health information for which use or access has 
been determined to be necessary for the research by the IRB or privacy 
board. For example, if the IRB or privacy board approves only the use 
or disclosure of certain information from patients' medical records, 
and not patients' entire medical record, this must be stated on the 
document certifying IRB or privacy board approval.
    3. Review and approval procedures. The NPRM would not have required 
documentation of IRBs' or privacy boards' review and approval 
procedures. In the final rule, the documentation of the alteration or 
waiver of authorization must state that the alteration or waiver has 
been reviewed and approved by: (1) an IRB that has followed the voting 
requirements stipulated in the Common Rule (Sec. ____.108(b)), or the 
expedited review procedures as stipulated in Sec. ____.110(b); or (2) a 
privacy board that has reviewed the proposed research at convened 
meetings at which a majority of the privacy board members are present, 
including at least one member who is not affiliated with the covered 
entity, not affiliated with any entity conducting or sponsoring the 
research, and not related to any person who is affiliated with any such 
entities, and the alteration or waiver of authorization is approved by 
the majority of privacy board members present at the meeting, unless an 
expedited review procedure is used.
    For documentation of IRB approval that used an expedited review 
procedure, the covered entity must ensure that the documentation 
indicates that the IRB followed the expedited review requirements of 
the Common Rule (Sec. ____.110). For documentation of privacy board 
approval that used an expedited review procedure, the covered entity 
must ensure that the documentation indicates that the privacy board met 
the expedited review requirements of the privacy rule. In the final 
rule, a privacy board may use an expedited review procedure if the 
research involves no more than minimal risk to the privacy of the 
individuals who are the subject of the protected health information for 
which disclosure is being sought. If a privacy board elects to use an 
expedited review procedure, the review and approval of the alteration 
or waiver of authorization may be carried out by the chair of the 
privacy board, or by one or more members of the privacy board as 
designated by the chair. Use of the expedited review mechanism permits 
review by a single member of the IRB or privacy board, but continues to 
require that the covered entity obtain documentation that all of the 
specified waiver criteria have been met.

Reviews Preparatory to Research

    Under the NPRM, if a covered entity used or disclosed protected 
health information for research, but the researcher did not record the 
protected health information in a manner that persons could be 
identified, such an activity would have constituted a research use or 
disclosure that would have been subject to either the individual 
authorization requirements of proposed Sec. 164.508 or the 
documentation of the waiver of authorization requirements of proposed 
Sec. 164.510(j).
    The final rule permits the use and disclosure of protected health 
information for research without requiring authorization or 
documentation of the alteration or waiver of authorization, if the 
research is conducted in such a manner that only de-identified 
protected health information is recorded by the researchers and the 
protected health information is not removed from the premises of the 
covered entity. For such uses and disclosures of protected health 
information, the final rule requires that the covered entity obtain 
from the researcher representations that use or disclosure is sought 
solely to review protected health information as necessary to prepare a 
research protocol or for similar purposes preparatory to research, no 
protected health information is to be removed from the covered entity 
by the researcher in the course of the review, and the protected health 
information for which use or access is sought is necessary for the 
research purposes. The intent of this provision is to permit covered 
entities to use and disclose protected health information to assist in 
the development of a research hypothesis and aid in the recruitment of 
research participants. We understand that researchers sometimes require 
access to protected health information to develop a research protocol, 
and to determine whether a specific covered entity has protected health 
information of prospective research participants that would meet the 
eligibility criteria for enrollment into a research study. Therefore, 
this provision permits covered entities to use and disclose protected 
health information for these preliminary research activities without 
individual authorization and without documentation that an IRB or 
privacy board has altered or waived individual authorization.

Research on Protected Health Information of the Deceased

    The NPRM would have permitted the use and disclosure of protected 
health information of deceased persons for research without the 
authorization of a legal representative, and without the requirement 
for written documentation of IRB or privacy board approval in proposed 
Sec. 164.510(j). In the final rule, we retain the exception for uses 
and disclosures for research purposes but in addition require that the 
covered entity take certain protective measures prior to release of the 
decedent's protected health information for such purposes. 
Specifically, the final rule requires that the covered entity obtain 
representation that the use or disclosure is sought solely for research 
on the protected health information of decedents, and representation 
that the protected health information for which use or disclosure is 
sought is necessary for the research purposes. In addition, the final 
rule allows covered entities to request from the researcher 
documentation of the death of the individuals about whom protected 
health information is being sought.

Good Faith Reliance

    The final rule clarifies that covered entities are allowed to rely 
on the IRB's or privacy board's representation that the research 
proposal meets the documentation requirements of Sec. 164.512(i)(1)(i) 
and the minimum necessary requirements of Sec. 164.514.
    In addition, when using or disclosing protected health information 
for reviews preparatory to research (Sec. 164.512(i)(1)(ii)) or for 
research solely on the protected health information of decedents 
(Sec. 164.512(i)(1)(iii)), the final rule clarifies that the covered 
entity may rely on the requesting researcher's representation that the 
purpose of the request is for one of these two purposes, and that the 
request meets the minimum necessary requirements of Sec. 164.514. 
Therefore, the covered entity has not violated the rule if the 
requesting researcher misrepresents his or her intended use of the 
protected health information to the covered entity.

Additional Research Provisions

Research Including Treatment

    To the extent that a researcher provided treatment to persons as 
part of a research study, the NPRM would have covered such researchers 
as health care providers for purposes of that treatment, and required 
that the researcher comply with all of the provisions of the rule that

[[Page 82538]]

would be applicable to health care providers. The final rule retains 
this requirement.

Individual Access to Research Information

    Under proposed Sec. 164.514, the NPRM would have applied the 
proposed provision regarding individuals' access to records to research 
that includes the delivery of treatment. The NPRM proposed an exception 
to individuals' right to access protected health information for 
clinical trials, where (1) protected health information was obtained by 
a covered entity in the course of clinical trial, (2) the individual 
agreed to the denial of access when consenting to participate in the 
trial (if the individual's consent to participate was obtained), and 
(3) the trial was still in progress.
    Section 164.524 of the final rule retains this exception to access 
for research that includes treatment. In addition, the final rule 
requires that participants in such research be informed that their 
right of access to protected health information about them will be 
reinstated once the research is complete.

Obtaining the Individual's Authorization for Research

    The NPRM would have required covered entities obtaining 
individuals' authorization for the use or disclosure of information for 
research to comply with the requirements applicable to individual 
authorization for the release of protected health information (proposed 
Sec. 164.508(a)(2)). If an individual had initiated the use or 
disclosure of his/her protected health information for research, or any 
other purpose, the covered entity would have been required to obtain a 
completed authorization for the use or disclosure of protected health 
information as proposed in Sec. 164.508(c).
    The final rule retains these requirements for research conducted 
with authorization, as required by Sec. 164.508. In addition, for the 
use and disclosure of protected health information created by a covered 
entity for the purpose, in whole or in part, of research that includes 
treatment of the individual, the covered entity must meet the 
requirements of Sec. 164.508(f).

Interaction with the Common Rule

    The NPRM stated that the proposed rule would not override the 
Common Rule. Where both the NPRM and the Common Rule would have applied 
to research conducted by the covered entity--either with or without 
individuals' authorization--both sets of regulations would have needed 
to be followed. This statement remains true in the final rule. In 
addition, we clarify that FDA's human subjects regulations must also be 
followed if applicable.

Section 164.512(j)--Uses and Disclosures to Avert a Serious Threat to 
Health or Safety

    In the NPRM we proposed to allow covered entities to use or 
disclose protected health information without individual 
authorization--consistent with applicable law and ethics standards--
based on a reasonable belief that use or disclosure of the protected 
health information was necessary to prevent or lessen a serious and 
imminent threat to health or safety of an individual or of the public. 
Pursuant to the NPRM, covered entities could have used or disclosed 
protected health information in these emergency circumstances to a 
person or persons reasonably able to prevent or lessen the threat, 
including the target of the threat. The NPRM stated that covered 
entities that made disclosures in these circumstances were presumed to 
have acted under a reasonable belief if the disclosure was made in good 
faith, based on credible representation by a person with apparent 
knowledge or authority. The NPRM did not include verification 
requirements specific to this paragraph.
    In Sec. 164.512(j) of the final rule, we retain the NPRM's approach 
to uses and disclosures made to prevent or lessen serious and imminent 
threats to health or safety, as well as its language regarding the 
presumption of good faith. We also clarify that: (1) Rules governing 
these situations, which the NPRM referred to as ``emergency 
circumstances,'' are not intended to apply to emergency care treatment, 
such as health care delivery in a hospital emergency room; and (2) the 
``presumption of good faith belief'' is intended to apply only to this 
provision and not to all disclosures permitted without individual 
authorization. The final rule allows covered entities to use or 
disclose protected health information without an authorization on their 
own initiative in these circumstances, when necessary to prevent or 
lessen a serious and imminent threat, consistent with other applicable 
ethical or legal standards.
    The rule's approach is consistent with the ``duty to warn'' third 
persons at risk, which has been established through case law. In 
Tarasoff v. Regents of the University of California (17 Cal. 3d 425 
(1976)), the Supreme Court of California found that when a therapist's 
patient had made credible threats against the physical safety of a 
specific person, the therapist had an obligation to use reasonable care 
to protect the intended victim of his patient against danger, including 
warning the victim of the danger. Many states have adopted, through 
either statutory or case law, versions of the Tarasoff duty to warn. 
The rule is not intended to create a duty to warn or disclose. Rather, 
it permits disclosure to avert a serious and imminent threat to health 
or safety consistent with other applicable legal or ethical standards. 
If disclosure in these circumstances is prohibited by state law, this 
rule would not allow the disclosure.
    As indicated above, in some situations (for example, when a person 
is both a fugitive and a victim and thus covered entities could 
disclose protected health information pursuant either to 
Sec. 164.512(f)(2) regarding fugitives or to Sec. 164.512(f)(3) 
establishing conditions for disclosure about victims), more than one 
section of this rule potentially could apply with respect to a covered 
entity's potential disclosure of protected health information. 
Similarly, in situations involving a serious and imminent threat to 
public health or safety, law enforcement officials may be seeking 
protected health information from covered entities to locate a 
fugitive. In the final rule, we clarify that if a situation fits one 
section of the rule (for example, Sec. 164.512(j) on serious and 
imminent threats to health or safety), covered entities may disclose 
protected health information pursuant to that section, regardless of 
whether the disclosure also could be made pursuant to another section 
(e.g., Sec. 164.512(f), regarding disclosure to law enforcement 
officials).
    The proposed rule did not address situations in which covered 
entities could make disclosures to law enforcement officials about oral 
statements admitting participation in violent conduct or about 
escapees.
    In the final rule we permit, but do not require, covered entities 
to use or disclose protected health information, consistent with 
applicable law and standards of ethical conduct, in specific situations 
in which the covered entity, in good faith, believes the use or 
disclosure is necessary to permit law enforcement authorities to 
identify or apprehend an individual. Under paragraph (j)(1)(ii)(A) of 
this section, a covered entity may take such action because of a 
statement by an individual admitting participation in a violent crime 
that the covered entity reasonably believes may have resulted in 
serious physical harm to the victim. The

[[Page 82539]]

protected health information that is disclosed in this case is limited 
to the statement and to the protected health information included under 
the limited identifying and location information in Sec. 164.512(f)(2), 
such as name, address, and type of injury. Under paragraph 
(j)(1)(ii)(B) of this section, a covered entity may take such action 
where it appears from all the circumstances that the individual has 
escaped from a correctional institution or from lawful custody.
    A disclosure may not be made under paragraph (j)(1)(ii)(A) for a 
statement admitting participation in a violent crime if the covered 
entity learns the information in the course of counseling or therapy. 
Similarly, such a disclosure is not permitted if the covered entity 
learns the information in the course of treatment to affect the 
propensity to commit the violent crimes that are described in the 
individual's statements. We do not intend to discourage individuals 
from speaking accurately in the course of counseling or therapy 
sessions, or to discourage other treatment that specifically seeks to 
reduce the likelihood that someone who has acted violently in the past 
will do so again in the future. This prohibition on disclosure is 
triggered once an individual has made a request to initiate or be 
referred to such treatment, therapy, or counseling.
    The provision permitting use and disclosure has been added in light 
of the broadened definition in the final rule of protected health 
information. Under the NPRM, protected health information meant 
individually identifiable health information that is or has been 
electronically transmitted or electronically maintained by a covered 
entity. Under the final rule, protected health information includes 
information transmitted by electronic media as well as such information 
transmitted or maintained in any other form or medium. The new 
definition includes oral statements to covered entities as well as 
individually identifiable health information transmitted ``in any other 
form.''
    The definition of protected health information, for instance, would 
now apply to a statement by a patient that is overheard by a hospital 
security guard in a waiting room. Such a statement would have been 
outside the scope of the proposed rule (unless it was memorialized in 
an electronic record), but is within the scope of the final rule. For 
the example with the hospital guard, the new provision permitting 
disclosure of a statement by an individual admitting participation in a 
violent crime would have the same effect as the proposed rule--the 
statement could be disclosed to law enforcement, so long as the other 
aspects of the regulation are followed. Similarly, where it appears 
from all the circumstances that the individual has escaped from prison, 
the expanded definition of protected health information should not 
prevent the covered entity from deciding to report this information to 
law enforcement.
    The disclosures that covered entities may elect to make under this 
paragraph are entirely at their discretion. These disclosures to law 
enforcement are in addition to other disclosure provisions in the rule. 
For example, under Sec. 164.512(f)(2), a covered entity may disclose 
limited categories of protected health information in response to a 
request from a law enforcement official for the purpose of identifying 
or locating a suspect, fugitive, material witness, or missing person. 
Section 164.512(f)(1) permits a covered entity to make disclosures that 
are required by other laws, such as state mandatory reporting laws, or 
are required by legal process such as court orders or grand jury 
subpoenas.

Section 164.512(k)--Uses and Disclosures for Specialized Government 
Functions

Application to Military Services

    In the NPRM we would have permitted a covered entity providing 
health care to Armed Forces personnel to use and disclose protected 
health information for activities deemed necessary by appropriate 
military command authorities to assure the proper execution of the 
military mission, where the appropriate military authority had 
published notice of these activities in the Federal Register. (In the 
NPRM, we proposed that the Department of Defense would publish this 
Federal Register notice in the future.) The final rule takes a similar approach while 
making some modifications to the NPRM. One modification concerns the 
information that will be required in the Federal Register notice. The 
NPRM would have required a listing of (i) appropriate military command 
authorities; (ii) the circumstances for which use or disclosure without 
individual authorization would be required; and (iii) activities for 
which such use or disclosure would occur in order to assure proper 
execution of the military mission. In the final rule, we eliminate the 
third category and also slightly modify language in the second category 
to read: ``the purposes for which the protected health information may 
be used or disclosed.''
    An additional modification concerns the rule's application to 
foreign military and diplomatic personnel. The NPRM would have excluded 
foreign diplomatic and military personnel, as well as their dependents, 
from the proposed definition of ``individual,'' thereby excluding any 
protected health information created about these personnel from the 
NPRM's privacy protections. Foreign military and diplomatic personnel 
affected by this provision include, for example, allied military 
personnel who are in the United States for training. The final rule 
applies a more limited exemption to foreign military personnel only 
(Foreign diplomatic personnel will have the same protections granted to 
all other individuals under the rule). Under the final rule, foreign 
military personnel are not excluded from the definition of 
``individual.'' Covered entities will be able to use and disclose 
protected health information of foreign military personnel to their 
appropriate foreign military authority for the same purposes for which 
uses and disclosures are permitted for U.S. Armed Forces personnel 
under the notice to be published in the Federal Register. Foreign 
military personnel do have the same rights of access, notice, right to 
request privacy protection, copying, amendment, and accounting as do 
other individuals pursuant to Secs. 164.520-164.526 (sections on 
access, notice, right to request privacy protection for protected 
health information, amendment, inspection, copying) of the rule.
    The NPRM likewise would have exempted overseas foreign national 
beneficiaries from the proposed rule's requirements by excluding them 
from the definition of ``individual.'' Under the final rule, these 
beneficiaries no longer are exempt from the definition of 
``individual.'' However, the rule's provisions do not apply to the 
individually identifiable health information of overseas foreign 
nationals who receive care provided by the Department of Defense, other 
federal agencies, or by non-governmental organizations incident to U.S. 
sponsored missions or operations.
    The final rule includes a new provision to address separation or 
discharge from military service. The preamble to the NPRM noted that 
upon completion of individuals' military service, DOD and the 
Department of Transportation routinely transfer entire military service 
records, including protected health information to the Department of 
Veterans Affairs so that

[[Page 82540]]

the file can be retrieved quickly if the individuals or their 
dependents apply for veterans benefits. The NPRM would have required 
consent for such transfers. The final rule no longer requires consent 
in such situations. Thus, under the final rule, a covered entity that 
is a component of DOD or the Department of Transportation may disclose 
to DVA the protected health information of an Armed Forces member upon 
separation or discharge from military service for the purpose of a 
determination by DVA of the individual's eligibility for or entitlement 
to benefits under laws administered by the Secretary of Veterans 
Affairs.

Department of Veterans Affairs

    Under the NPRM, a covered entity that is a component of the 
Department of Veterans Affairs could have used and disclosed protected 
health information to other components of the Department that determine 
eligibility for, or entitlement to, or that provide benefits under the 
laws administered by the Secretary of Veterans Affairs. In the final 
rule, we retain this approach.

Application to Intelligence Community

    The NPRM would have provided an exemption from its proposed 
requirements to the intelligence community. As defined in section 4 of 
the National Security Act, 50 U.S.C. 401a, the intelligence community 
includes: the Office of the Director of Central Intelligence; the 
Office of the Deputy Director of Central Intelligence; the National 
Intelligence Council and other such offices as the Director may 
designate; the Central Intelligence Agency; the National Security 
Agency; the Defense Intelligence Agency; the National Imagery and 
Mapping Agency; the National Reconnaissance Office; other offices 
within the DOD for the collection of specialized national intelligence 
through reconnaissance programs; the intelligence elements of the Army, 
the Navy, the Air Force, the Marine Corps, the Federal Bureau of 
Investigation, the Department of the Treasury, and the Department of 
Energy; the Bureau of Intelligence and Research of the Department of 
State; and such other elements of any other department or agency as may 
be designated by the President, or designated jointly by the Director 
of Central Intelligence and the head of the department or agency 
concerned, as an element of the intelligence community. It would have 
allowed a covered entity to use without individual authorization 
protected health information of employees of the intelligence 
community, and of their dependents, if such dependents were being 
considered for posting abroad. The final rule does not include such an 
exemption. Rather, the final rule does not except intelligence 
community employees and their dependents from the general rule 
requiring an authorization in order for protected health information to 
be used and disclosed.

National Security and Intelligence Activities

    The NPRM included a provision, in Sec. 164.510(f)--Disclosure for 
Law Enforcement Purposes--that would allow covered entities to disclose 
protected health information without consent for the conduct of lawful 
intelligence activities under the National Security Act, and in 
connection with providing protective services to the President or to 
foreign heads of state pursuant to 18 U.S.C. 3056 and 22 U.S.C. 
2709(a)(3) respectively. The final rule preserves these exemptions, 
with slight modifications, but moves them from proposed Sec. 164.510(f) 
to Sec. 164.512(k). It also divides this area into two paragraphs--one 
called ``National Security and Intelligence Activities'' and the second 
called ``Protective services for the President and Others.''
    The final rule, with modifications, allows a covered entity to 
disclose protected health information to an authorized federal official 
for the conduct of lawful intelligence, counter-intelligence, and other 
national security activities authorized by the National Security Act 
and implementing authority (e.g., Executive Order 12333). The references 
to ``counter-intelligence and other national security activities'' are 
new to the final rule. The reference to ``implementing authority (e.g. 
Executive Order 12333)'' is also new. The final rule also adds 
specificity to the provision on protective services. It states that a 
covered entity may disclose protected health information to authorized 
federal officials for the provision of protective services to the 
President or other persons as authorized by 18 U.S.C. 3056, or to 
foreign heads of state or other persons as authorized by 22 U.S.C. 
2709(a)(3), or for the conduct of investigations authorized by 18 
U.S.C. 871 and 879.

Application to the State Department

    The final rule creates a narrower exemption for the Department of 
State for uses and disclosures of protected health information (1) for 
purposes of a required security clearance conducted pursuant to 
Executive Orders 10450 and 12698; (2) as necessary to meet the 
requirements of determining worldwide availability or availability for 
mandatory service abroad under Sections 101(a)(4) and 504 of the 
Foreign Service Act; and (3) for a family member to accompany a Foreign 
Service Officer abroad, consistent with Sections 101(b)(5) and 904 of 
the Foreign Service Act.
    Regarding security clearances, nothing prevents any employer from 
requiring that individuals provide authorization for the purpose of 
obtaining a security clearance. For the Department of State, however, 
the final rule provides a limited exemption that allows a component of 
the Department of State without an authorization to (1) use protected 
health information to make medical suitability determinations and (2) 
to disclose whether or not the individual was determined to be 
medically suitable to authorized officials in the Department of State 
for the purpose of a security clearance investigation conducted 
pursuant to Executive Orders 10450 and 12698.
    Sections 101(a)(4) and 504 of the Foreign Service Act require that 
Foreign Service members be available to serve in assignments throughout 
the world. The final rule permits disclosures to officials who need 
protected health information to determine availability for duty 
worldwide.
    Section 101(b)(5) of the Foreign Service Act requires the 
Department of State to mitigate the impact of hardships, disruptions, 
and other unusual conditions on families of Foreign Service Officers. 
Section 904 requires the Department to establish a health care program 
to promote and maintain the physical and mental health of Foreign 
Service member family members. The final rule permits disclosure of 
protected health information to officials who need protected health 
information for a family member to accompany a Foreign Service member 
abroad.
    This exemption does not permit the disclosure of specific medical 
conditions, diagnoses, or other specific medical information. It 
permits only the disclosure of the limited information needed to 
determine whether the individual should be granted a security clearance 
or whether the Foreign Service member or his or her family members 
should be posted to a certain overseas assignment.

Application to Correctional Facilities

    The NPRM would have excluded the individually identifiable health 
information of correctional facility inmates and detention facility 
detainees from the definition of protected health information. Thus, 
none of the NPRM's

[[Page 82541]]

proposed privacy protections would have applied to correctional 
facility inmates or to detention facility detainees while they were in 
these facilities or after they had been released.
    The final rule takes a different approach. First, to clarify that 
we are referring to individuals who are incarcerated in correctional 
facilities that are part of the criminal justice system or in the 
lawful custody of a law enforcement official--and not to individuals 
who are ``detained'' for non-criminal reasons, for example, in 
psychiatric institutions--Sec. 164.512(k) covers disclosure of 
protected health information to correctional institutions or law 
enforcement officials having such lawful custody. In addition, where a 
covered health care provider is also a health care component of a 
correctional institution, the final rule permits the covered entity to 
use protected health information in all cases in which it is permitted 
to disclose such information.
    We define correctional institution as defined pursuant to 42 U.S.C. 
13725(b)(1), as a ``prison, jail, reformatory, work farm, detention 
center, or halfway house, or any other similar institution designed for 
the confinement or rehabilitation of criminal offenders.'' The rules 
regarding disclosure and use of protected health information specified 
in Sec. 164.512(k) cover individuals who are in transitional homes, and 
other facilities in which they are required by law to remain for 
correctional reasons and which they are not allowed to leave. This 
section also covers individuals who are confined to psychiatric 
institutions for correctional reasons and who are not allowed to leave; 
however, it does not apply to disclosure of information about 
individuals in psychiatric institutions for treatment purposes only, 
who are not there due to a crime or under a mandate from the criminal 
justice system. The disclosure rules described in this section do not 
cover release of protected health information about individuals in 
pretrial release, on probation, or on parole; such persons are not 
considered to be incarcerated in a correctional facility.
    As described in Sec. 164.512(k), correctional facility inmates' 
individually identifiable health information is not excluded from the 
definition of protected health information. When individuals are 
released from correctional facilities, they will have the same privacy 
rights that apply to all other individuals under this rule.
    Section 164.512(k) of the final rule states that while individuals 
are in a correctional facility or in the lawful custody of a law 
enforcement official, covered entities (for example, the prison's 
clinic) can use or disclose protected health information about these 
individuals without authorization to the correctional facility or the 
law enforcement official having custody as necessary for: (1) The 
provision of health care to such individuals; (2) the health and safety 
of such individual or other inmates; (3) the health and safety of the 
officers or employees of or others at the correctional institution; 
(4) the health and safety of such individuals and officers or other 
persons responsible for the transporting of inmates or their transfer 
from one institution or facility to another; (5) law enforcement on the 
premises of the correctional institution; and (6) the administration 
and maintenance of the safety, security, and good order of the 
correctional institution. This section is intended to allow, for 
example, a prison's doctor to disclose to a van driver transporting a 
criminal that the individual is a diabetic and frequently has seizures, 
as well as information about the appropriate action to take if the 
individual has a seizure while he or she is being transported.
    We permit covered entities to disclose protected health information 
about these individuals if the correctional institution or law 
enforcement official represents that the protected health information 
is necessary for these purposes. Under Sec. 164.514(h), a covered 
entity may reasonably rely on the representation of such public officials.

Application to Public Benefits Programs Required to Share Eligibility 
Information

    We create a new provision for covered entities that are a 
government program providing public benefits. This provision allows the 
following disclosures of protected health information.
    First, where other law requires or expressly authorizes information 
relating to the eligibility for, or enrollment in more than one public 
program to be shared among such public programs and/or maintained in a 
single or combined data system, a public agency that is administering a 
health plan may maintain such a data base and may disclose information 
relating to such eligibility or enrollment in the health plan to the 
extent authorized by such other law.
    Where another public entity has determined that the appropriate 
balance between the need for efficient administration of public 
programs and public funds and individuals' privacy interests is to 
allow information sharing for these limited purposes, we do not upset 
that determination. For example, section 1137 of the Social Security 
Act requires a variety of public programs, including the Social 
Security program, state medicaid programs, the food stamp program, 
certain unemployment compensation programs, and others, to participate 
in a joint income and eligibility verification system. Similarly, 
section 222 of the Social Security Act requires the Social Security 
Administration to provide information to certain state vocational 
rehabilitation programs for eligibility purposes. In some instances, it 
is a covered entity that first collects or creates the information that 
is then disclosed for these systems. We do not prohibit those 
disclosures.
    This does not authorize these entities to share information for 
claims determinations or ongoing administration of these public 
programs. This provision is limited to the agencies and activities 
described above.
    Second, Sec. 164.512(k)(6) permits a covered entity that is a 
government agency administering a government program providing public 
benefits to disclose protected health information relating to the 
program to another covered entity that is a government agency 
administering a government program providing public benefits if the 
programs serve the same or similar populations and the disclosure of 
protected health information is necessary to coordinate the covered 
functions of such programs.
    The second provision permits covered entities that are government 
programs providing public benefits and that serve the same or similar 
populations to share protected health information for the purposes of 
coordinating covered functions of the programs and for general 
management and administration relating to the covered functions of the 
programs. Often, similar government health programs are administered by 
different government agencies. For example, in some states, the 
Medicaid program and the State Children's Health Insurance Program are 
administered by different agencies, although they serve similar 
populations. Many states coordinate eligibility for these two programs, 
and sometimes offer services through the same delivery systems and 
contracts. This provision would permit the covered entities 
administering these programs to share protected health information of 
program participants to coordinate enrollment and services and to 
generally improve the health care operations of the programs. We note 
that this provision does not authorize the

[[Page 82542]]

agencies to use or disclose the protected health information that is 
shared for purposes other than as provided for in this paragraph.

Section 164.512(l)--Disclosures For Workers' Compensation

    The NPRM did not contain special provisions permitting covered 
entities to disclose protected health information for the purpose of 
complying with workers' compensation and similar laws. Under HIPAA, 
workers' compensation and certain other forms of insurance (such as 
automobile or disability insurance) are ``excepted benefits.'' 
Insurance carriers that provide this coverage are not covered entities 
even though they provide coverage for health care services. To carry 
out their insurance functions, these non-covered insurers typically 
seek individually identifiable health information from covered health 
care providers and group health plans. In drafting the proposed rule, 
the Secretary was faced with the challenge of trying to carry out the 
statutory mandate of safeguarding the privacy of individually 
identifiable health information by regulating the flow of such 
information from covered entities while at the same time respecting the 
Congressional intent to shield workers' compensation carriers and other 
excepted benefit plans from regulation as covered entities.
    In the proposed rule we allowed covered entities to disclose 
protected health information without individual consent for purposes of 
treatment, payment or health care operations--even when the disclosure 
was to a non-covered entity such as a workers' compensation carrier. In 
addition, we allowed protected health information to be disclosed if 
required by state law for purposes of determining eligibility for 
coverage or fitness for duty. The proposed rule also required that 
whenever a covered entity disclosed protected health information to a 
non-covered entity, even though authorized under the rule, the 
individual who was the subject of the information must be informed that 
the protected health information was no longer subject to privacy 
protections.
    Like other disclosures under the proposed rule, the information 
provided to workers' compensation carriers for treatment, payment or 
health care operations was subject to the minimum necessary standard. 
However, to the extent that protected health information was disclosed 
to the carrier because it was required by law, it was not subject to 
the minimum necessary standard. In addition, individuals were entitled 
to an accounting when protected health information was disclosed for 
purposes other than treatment, payment or health care operations.
    In the final rule, we include a new provision in this section that 
clarifies the ability of covered entities to disclose protected health 
information without authorization to comply with workers' compensation 
and similar programs established by law that provide benefits for work-
related illnesses or injuries without regard to fault. Although most 
disclosures for workers' compensation would be permissible under other 
provisions of this rule, particularly the provisions that permit 
disclosures for payment and as required by law, we are aware of the 
significant variability among workers' compensation and similar laws, 
and include this provision to ensure that existing workers' 
compensation systems are not disrupted by this rule. We note that the 
minimum necessary standard applies to disclosures under this paragraph.
    Under this provision, a covered entity may disclose protected 
health information regarding an individual to a party responsible for 
payment of workers' compensation benefits to the individual, and to an 
agency responsible for administering and/or adjudicating the 
individual's claim for workers' compensation benefits. For purposes of 
this paragraph, workers' compensation benefits include benefits under 
programs such as the Black Lung Benefits Act, the federal Employees' 
Compensation Act, the Longshore and Harbor Workers' Compensation Act, 
and the Energy Employees' Occupational Illness Compensation Program 
Act.

Additional Considerations

    We have included a general authorization for disclosures under 
workers' compensation systems to be consistent with the intent of 
Congress, which defined workers' compensation carriers as excepted 
benefits under HIPAA. We recognize that there are significant privacy 
issues raised by how individually identifiable health information is 
used and disclosed in workers' compensation systems, and believe that 
states or the federal government should enact standards that address 
those concerns.

Section 164.514--Other Procedural Requirements Relating To Uses and 
Disclosures of Protected Health Information

Section 164.514(a)-(c)--De-identification

    In Sec. 164.506(d) of the NPRM, we proposed that the privacy 
standards would apply to ``individually identifiable health 
information,'' and not to information that does not identify the 
subject individual. The statute defines individually identifiable 
health information as certain health information:
    (i) Which identifies the individual, or
    (ii) With respect to which there is a reasonable basis to believe 
that the information can be used to identify the individual.
    As we pointed out in the NPRM, difficulties arise because, even 
after removing obvious identifiers (e.g., name, social security number, 
address), there is always some probability or risk that any information 
about an individual can be attributed to that individual.
    The NPRM proposed two alternative methods for determining when 
sufficient identifying information has been removed from a record to 
render the information de-identified and thus not subject to the rule. 
First, the NPRM proposed the establishment of a ``safe harbor'': if all 
of a list of 19 specified items of information had been removed, and 
the covered entity had no reason to believe that the remaining 
information could be used to identify the subject of the information 
(alone or in combination with other information), the covered entity 
would have been presumed to have created de-identified information. 
Second, the NPRM proposed an alternative method so that covered 
entities with sufficient statistical experience and expertise could 
remove or encrypt a combination of information different from the 
enumerated list, using commonly accepted scientific and statistical 
standards for disclosure avoidance. Such covered entities would have 
been able to include information from the enumerated list of 19 items 
if they (1) believed that the probability of re-identification was very 
low, and (2) removed additional information if they had a reasonable 
basis to believe that the resulting information could be used to re-
identify someone.
    We proposed that covered entities and their business partners be 
permitted to use protected health information to create de-identified 
health information using either of these two methods. Covered entities 
would have been permitted to further use and disclose such de-
identified information in any way, provided that they did not disclose 
the key or other mechanism that would have enabled the information to 
be re-identified, and provided that they reasonably believed that such 
use or disclosure of de-identified information would not have resulted 
in the use or

[[Page 82543]]

disclosure of protected health information.
    A number of examples were provided of how valuable such de-
identified information would be for various purposes. We expressed the 
hope that covered entities, their business partners, and others would 
make greater use of de-identified health information than they do 
today, when it is sufficient for the purpose, and that such practice 
would reduce the burden and the confidentiality concerns that result 
from the use of individually identifiable health information for some 
of these purposes.
    In Secs. 164.514(a)-(c) of this final rule, we make several 
modifications to the provisions for de-identification. First, we 
explicitly adopt the statutory standard as the basic regulatory 
standard for whether health information is individually identifiable 
health information under this rule. Information is not individually 
identifiable under this rule if it does not identify the individual, or 
if the covered entity has no reasonable basis to believe it can be used 
to identify the individual. Second, in the implementation 
specifications we reformulate the two ways in which a covered entity 
can demonstrate that it has met the standard.
    One way a covered entity may demonstrate that it has met the 
standard is if a person with appropriate knowledge and experience 
applying generally accepted statistical and scientific principles and 
methods for rendering information not individually identifiable makes a 
determination that the risk is very small that the information could be 
used, either by itself or in combination with other available 
information, by anticipated recipients to identify a subject of the 
information. The covered entity must also document the analysis and 
results that justify the determination. We provide guidance regarding 
this standard in our responses to the comments we received on this 
provision.
    We also include an alternate, safe harbor, method by which covered 
entities can demonstrate compliance with the standard. Under the safe 
harbor, a covered entity is considered to have met the standard if it 
has removed all of a list of enumerated identifiers, and if the covered 
entity has no actual knowledge that the information could be used alone 
or in combination to identify a subject of the information. We note 
that in the NPRM, we had proposed that to meet the safe harbor, a 
covered entity must have ``no reason to believe'' that the information 
remained identifiable after the enumerated identifiers were removed. In 
the final rule, we have changed the standard to one of actual knowledge 
in order to provide greater certainty to covered entities using the 
safe harbor approach.
    In the safe harbor, we explicitly allow age and some geographic 
location information to be included in the de-identified information, 
but all dates directly related to the subject of the information must 
be removed or limited to the year, and zip codes must be removed or 
aggregated to a geographic unit (in most cases the 3-digit zip code) 
that includes at least 20,000 people. Extreme ages of 90 and over must 
be aggregated to a category of 90+ to avoid identification of very old 
individuals. Other demographic information, such as gender, race, 
ethnicity, and marital status, is not included in the list of 
identifiers that must be removed.
    The intent of the safe harbor is to provide a means to produce some 
de-identified information that could be used for many purposes with a 
very small risk of privacy violation. The safe harbor is intended to 
involve a minimum of burden and convey a maximum of certainty that the 
rules have been met by interpreting the statutory ``reasonable basis to 
believe that the information can be used to identify the individual'' 
to produce an easily followed, cookbook approach.
    Covered entities may use codes and similar means of marking records 
so that they may be linked or later re-identified, if the code does not 
contain information about the subject of the information (for example, 
the code may not be a derivative of the individual's social security 
number), and if the covered entity does not use or disclose the code 
for any other purpose. The covered entity is also prohibited from 
disclosing the mechanism for re-identification, such as tables, 
algorithms, or other tools that could be used to link the code with the 
subject of the information.
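    The safe-harbor transformations and the re-identification code rules 
described above, as an added example that is not part of the rule or 
any HHS tool: dates are cut to the year, zip codes kept at 3-digit 
granularity only where the area holds at least 20,000 people, ages of 
90 and over collapsed to ``90+'' (the birth year is dropped in that case, 
since it would reveal the age), and the record is tagged with a random 
code whose linking table is held apart from the output. The field 
names, the population table and the ``000'' substitution for small zip 
areas are assumptions of this example.

```python
"""
Safe-harbor style de-identification of a health record.

Added example, not code from the Federal Register or any HHS tool. Field
names, the population table and the "000" substitution for small zip
areas are assumptions of this example.
"""
import secrets
from datetime import date

# Constructed population counts per 3-digit zip prefix (not census data).
ZIP3_POPULATION = {
    "021": 700_000,  # assumed: well above the threshold
    "036": 15_000,   # assumed: below the threshold
}
POPULATION_THRESHOLD = 20_000

# Subset of the enumerated identifiers that appear in the sample records;
# the rule's full list is longer than shown here.
DIRECT_IDENTIFIERS = ("name", "ssn", "street_address", "phone")
# Demographics the safe harbor does not require to be removed.
RETAINED_DEMOGRAPHICS = ("gender", "race", "ethnicity", "marital_status")


def generalize_zip(zip_code, populations=None):
    """Return the 3-digit prefix if its area holds at least 20,000 people,
    else '000'. Unknown prefixes are treated as small (fail closed)."""
    populations = ZIP3_POPULATION if populations is None else populations
    prefix = str(zip_code).strip()[:3]
    if len(prefix) != 3 or not prefix.isdigit():
        return None  # malformed: drop the field rather than guess
    if populations.get(prefix, 0) >= POPULATION_THRESHOLD:
        return prefix
    return "000"


def age_category(birth_date, as_of):
    """Age in completed years, collapsed to '90+' for 90 and over."""
    age = as_of.year - birth_date.year
    if (as_of.month, as_of.day) < (birth_date.month, birth_date.day):
        age -= 1
    return "90+" if age >= 90 else age


def deidentify(record, as_of, link_table):
    """Build the de-identified record and register its random code."""
    out = {k: record[k] for k in RETAINED_DEMOGRAPHICS if k in record}
    age = age_category(record["birth_date"], as_of)
    out["age"] = age
    # A birth year would reveal an age over 89, so it is dropped in that case.
    out["birth_year"] = None if age == "90+" else record["birth_date"].year
    # Other dates directly related to the subject keep only the year.
    out["admission_year"] = record["admission_date"].year
    out["zip3"] = generalize_zip(record["zip"])
    # The code is random, not derived from the SSN or any other identifier;
    # the table that links it back is held separately and never disclosed.
    code = secrets.token_hex(8)
    link_table[code] = record["record_id"]
    out["code"] = code
    return out


def leaks_direct_identifier(out):
    """Sanity check on the output: did an enumerated identifier survive?"""
    return any(k in out for k in DIRECT_IDENTIFIERS)


# Constructed sample records (fictitious people).
SAMPLE_RECORDS = [
    {"record_id": 1001, "name": "A. Example", "ssn": "000-00-0001",
     "street_address": "1 Example St", "phone": "555-0100",
     "birth_date": date(1990, 6, 1), "admission_date": date(2023, 11, 14),
     "zip": "02138", "gender": "F", "marital_status": "single"},
    {"record_id": 1002, "name": "B. Example", "ssn": "000-00-0002",
     "street_address": "2 Example Rd", "phone": "555-0101",
     "birth_date": date(1930, 1, 1), "admission_date": date(2024, 2, 3),
     "zip": "03601", "gender": "M", "marital_status": "widowed"},
]

if __name__ == "__main__":
    links = {}  # kept by the covered entity, not released with the output
    for rec in SAMPLE_RECORDS:
        print(deidentify(rec, date(2024, 5, 31), links))
```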
    Language to clarify that covered entities may contract with 
business associates to perform the de-identification has been added to 
the section on business associates.

Section 164.514(d)--Minimum Necessary

    The proposed rule required a covered entity to make all reasonable 
efforts not to use or disclose more than the minimum amount of 
protected health information necessary to accomplish the intended 
purpose of the use or disclosure (proposed Sec. 164.506(b)).
    The proposed minimum necessary standard did not apply to uses or 
disclosures that were made by covered entities at the request of the 
individual, either to allow the individual access to protected health 
information about him or her or pursuant to an authorization initiated 
by the individual. The requirement also did not apply to uses and 
disclosures made: pursuant to the compliance and enforcement provisions 
of the rule; as required by law and permitted by the regulation without 
individual authorization; by a covered health care provider to a health 
plan, when the information was requested for audit and related 
purposes. Finally, the standard did not apply to the HIPAA 
administrative simplification transactions.
    The proposed implementation specifications would have required a 
covered entity to have procedures to: (i) Identify appropriate persons 
within the entity to determine what information should be used or 
disclosed consistent with the minimum necessary standard; (ii) ensure 
that those persons make the minimum necessary determinations, when 
required; and (iii) within the limits of the entity's technological 
capabilities, provide for the making of such determinations 
individually. The proposal allowed a covered entity, when making 
disclosures to public officials that were permitted without individual 
authorization but not required by other law, to reasonably rely on the 
representations of such officials that the information requested was 
the minimum necessary for the stated purpose(s).
    The preamble provided further guidance. The preamble explained that 
covered entities could not have general policies of approving all 
requests (or all requests of a particular type) without carefully 
considering certain criteria (see ``Criteria,'' below) as well as other 
information specific to the request. The minimum necessary 
determination would have needed to be consistent with and directly 
related to the purpose of the use or disclosure. Where there was 
ambiguity regarding the information to be used or disclosed, the 
preamble directed covered entities to interpret the ``minimum 
necessary'' standard to ``require'' the covered entity to make some 
effort to limit the amount of protected health information used/
disclosed.
    The proposal would have required the minimum necessary 
determination to take into consideration the ability of a covered 
entity to delimit the amount of information used or disclosed. The 
preamble noted that these determinations would have to be made under a 
reasonableness standard: covered entities would be required to make 
reasonable efforts and to incur reasonable expense to limit the use or

[[Page 82544]]

disclosure. The ``reasonableness'' of limiting particular uses or 
disclosures was to be determined based on the following factors (which 
were not included in the regulatory text):
    a. The extent to which the use or disclosure would extend the 
number of persons with access to the protected health information.
    b. The likelihood that further uses or disclosures of the protected 
health information could occur.
    c. The amount of protected health information that would be used or 
disclosed.
    d. The importance of the use or disclosure.
    e. The potential to achieve substantially the same purpose with de-
identified information. For disclosures, each covered entity would have 
been required to have policies for determining when protected health 
information must be stripped of identifiers.
    f. The technology available to limit the amount of protected health 
information used/disclosed.
    g. The cost of limiting the use/disclosure.
    h. Any other factors that the covered entity believed were relevant 
to the determination.
    The proposal shifted the ``minimum necessary'' burden off of 
covered providers when they were being audited by a health plan. The 
preamble explained that the duty would have been shifted to the payor 
to request the minimum necessary information for the audit purpose, 
although the regulatory text did not include such a requirement. 
Outside of the audit context, the preamble stated that a health plan 
would be required, when requesting a disclosure, to limit its requests 
to the information required to achieve the purpose of the request; the 
regulation text did not include this requirement.
    The preamble stated that disclosure of an entire medical record, in 
response to a request for something other than the entire medical 
record, would presumptively violate the minimum necessary standard.
    This final rule significantly modifies the proposed requirements 
for implementing the minimum necessary standard. For all uses and many 
disclosures and requests for disclosures from other covered entities, 
we require covered entities to implement policies and procedures for 
``minimum necessary'' uses and disclosures. Implementation of such 
policies and procedures is required in lieu of making the ``minimum 
necessary'' determination for each separate use or disclosure as 
discussed in the proposal. Disclosures to or requests by a health care 
provider for treatment purposes are not subject to the standard (see 
Sec. 164.502).
    Specifically (and as further described below), the proposed 
requirement for individual review of all uses of protected health 
information is replaced with a requirement for covered entities to 
implement policies and procedures that restrict access and uses based 
on the specific roles of members of the covered entity's workforce. 
Routine disclosures also are not subject to individual review; instead, 
covered entities must implement policies and procedures to limit the 
protected health information in routine disclosures to the minimum 
necessary to achieve the purpose of that type of disclosure. The 
proposed exclusion of disclosures to health plans for audit purposes is 
deleted and replaced with a general requirement that covered entities 
must limit requests to other covered entities for individually 
identifiable health information to what is reasonably necessary for the 
use or disclosure intended. The other exclusions from the standard are 
unchanged from the proposed rule (e.g., for individuals' access to 
information about themselves, pursuant to an authorization initiated by 
the individual, for enforcement of this rule, as required by law).
    The language of the basic ``standard'' itself is largely unchanged; 
covered entities must make reasonable efforts to use or disclose or to 
request from another covered entity, only the minimum amount of 
protected health information required to achieve the purpose of a 
particular use or disclosure. We delete the word ``all'' from the 
``reasonable efforts'' that covered entities must take in making a 
``minimum necessary'' determination. The implementation specifications 
are significantly modified, and differ based on whether the activity is 
a use or disclosure.
    Similarly, a ``minimum necessary'' disclosure for oversight 
purposes in accordance with Sec. 164.512(d) could include large numbers 
of records to allow oversight agencies to perform statistical analyses 
to identify deviations in payment or billing patterns, and other data 
analyses.

Uses of Protected Health Information

    A covered entity must implement policies and procedures to identify 
the persons or classes of persons in the entity's workforce who need 
access to protected health information to carry out their duties, the 
category or categories of protected health information to which such 
persons or classes need access, and the conditions, as appropriate, 
that would apply to such access. Covered entities must also implement 
policies and procedures to limit access to only the identified persons, 
and only to the identified protected health information. The policies 
and procedures must be based on reasonable determinations regarding the 
persons or classes of persons who require protected health information, 
and the nature of the health information they require, consistent with 
their job responsibilities.
    For example, a hospital could implement a policy that permitted 
nurses access to all protected health information of patients in their 
ward while they are on duty. A health plan could permit its 
underwriting analysts unrestricted access to aggregate claims 
information for rate setting purposes, but require documented approval 
from its department manager to obtain specific identifiable claims 
records of a member for the purpose of determining the cause of 
unexpected claims that could influence renewal premium rate setting.
    The ``minimum necessary'' standard is intended to reflect and be 
consistent with, not override, professional judgment and standards. For 
example, we expect that covered entities will implement policies that 
allow persons involved in treatment to have access to the entire 
record, as needed.
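    The role-based ``minimum necessary'' policies illustrated above, as 
an added example that is not part of the rule or any covered entity's 
actual policy: each rule names a class of persons, a category of 
protected health information and the conditions that apply, and access 
is denied unless some rule grants it. The role names, category names 
and context fields are assumptions of this example.

```python
"""
Role-based "minimum necessary" access policy.

Added example, not part of the Federal Register text or any covered
entity's actual policy. Role, category and context names are assumptions.
"""
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Rule:
    role: str                       # class of persons in the workforce
    category: str                   # category of protected health information
    condition: Callable[[dict], bool]  # conditions that apply to the access
    description: str


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


# Policy mirroring the preamble's two illustrations plus the expectation
# that persons involved in treatment may see the entire record as needed.
POLICY = [
    Rule("nurse", "patient_record",
         lambda c: bool(c.get("on_duty"))
         and c.get("patient_ward") is not None
         and c.get("patient_ward") == c.get("nurse_ward"),
         "on-duty nurses: all PHI of patients in their own ward"),
    Rule("underwriting_analyst", "aggregate_claims",
         lambda c: True,
         "underwriting analysts: aggregate claims information for rate setting"),
    Rule("underwriting_analyst", "identifiable_claims",
         lambda c: bool(c.get("manager_approval")),
         "underwriting analysts: a member's identifiable claims only with "
         "documented department-manager approval"),
    Rule("treating_clinician", "patient_record",
         lambda c: bool(c.get("treatment_relationship")),
         "persons involved in treatment: entire record as needed"),
]


def authorize(role, category, context, policy=POLICY):
    """Default deny: grant only when a rule names this role and category
    and its conditions hold for the request context."""
    matched = [r for r in policy if r.role == role and r.category == category]
    if not matched:
        return Decision(False, f"no rule grants {role!r} access to {category!r}")
    for rule in matched:
        if rule.condition(context):
            return Decision(True, rule.description)
    return Decision(False, "conditions not met: " +
                    "; ".join(r.description for r in matched))


def audit_line(role, category, context, decision):
    """One line for the access log, so decisions can be reviewed later."""
    verdict = "ALLOW" if decision.allowed else "DENY"
    return f"{verdict} role={role} category={category} ctx={context} ({decision.reason})"


if __name__ == "__main__":
    requests = [
        ("nurse", "patient_record",
         {"on_duty": True, "nurse_ward": "4E", "patient_ward": "4E"}),
        ("nurse", "patient_record",
         {"on_duty": True, "nurse_ward": "4E", "patient_ward": "2W"}),
        ("underwriting_analyst", "identifiable_claims", {}),
        ("underwriting_analyst", "identifiable_claims",
         {"manager_approval": "APPROVAL-PLACEHOLDER-0042"}),
    ]
    for role, category, ctx in requests:
        print(audit_line(role, category, ctx, authorize(role, category, ctx)))
```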

Disclosures of Protected Health Information

    For any type of disclosure that is made on a routine, recurring 
basis, a covered entity must implement policies and procedures (which 
may be standard protocols) that permit only the disclosure of the 
minimum protected health information reasonably necessary to achieve 
the purpose of the disclosure. Individual review of each disclosure is 
not required. Instead, under Sec. 164.514(d)(3), these policies and 
procedures must identify the types of protected health information to 
be disclosed, the types of persons who would receive the protected 
health information, and the conditions that would apply for such 
access. We recognize that specific disclosures within a type may vary, 
and require that the policies address what is the norm for the type of 
disclosure involved. For example, a covered entity may decide to 
participate in research studies and therefore establish a protocol to 
minimize the information released for such purposes, e.g., by requiring 
researchers requesting disclosure of data contained in paper-based 
records to review the paper records on-site and to

[[Page 82545]]

abstract only the information relevant to the research. Covered 
entities must develop policies and procedures (which may be standard 
protocols) to apply to disclosures to routinely hired types of business 
associates. For instance, a standard protocol could describe the subset 
of information that may be disclosed to medical transcription services.
    For non-routine disclosures, a covered entity must develop 
reasonable criteria for determining, and limiting disclosure to, only 
the minimum amount of protected health information necessary to 
accomplish the purpose of the disclosure. They also must establish and 
implement procedures for reviewing such requests for disclosures on an 
individual basis in accordance with these criteria.
    Disclosures to health care providers for treatment purposes are not 
subject to these requirements.
    Covered entities' policies and procedures must provide that 
disclosure of an entire medical record will not be made except pursuant 
to policies which specifically justify why the entire medical record is 
needed. For instance, disclosure of all protected health information to 
an accreditation group would not necessarily violate the regulation, 
because the entire record may be the ``minimum necessary'' for its 
purpose; covered entities may establish policies allowing for and 
justifying such a disclosure. Disclosure of the entire medical record 
absent such documented justification is a presumptive violation of this 
rule.

Requests for Protected Health Information

    For requests for protected health information from other covered 
entities made on a routine, recurring basis, the requesting covered 
entities' policies and procedures may establish standard protocols 
describing what information is reasonably necessary for the purposes 
and limiting their requests to only that information, in lieu of making 
this determination individually for each request. For all other 
requests, the policies and procedures must provide for review of the 
requests on an individualized basis. A request by a covered entity may 
be made in order to obtain information that will subsequently be 
disclosed to a third party, for example, to obtain information that 
will then be disclosed to a business associate for quality assessment 
purposes; such requests are subject to this requirement.
    Covered entities' policies and procedures must provide that 
requests for an entire medical record will not be made except pursuant 
to policies which specifically justify why the entire medical record is 
needed. For instance, a health plan's request for all protected health 
information from an applicant for insurance would not necessarily 
violate the regulation, because the entire record may be the ``minimum 
necessary'' for its purpose. Covered entities may establish policies 
allowing for and justifying such a request. A request for the entire 
medical record absent such documented justification is a presumptive 
violation of this rule.

Reasonable Reliance

    A covered entity may reasonably rely on the assertion of a 
requesting covered entity that it is requesting the minimum protected 
health information necessary for the stated purpose. A covered entity 
may also rely on the assertions of a professional (such as an attorney 
or accountant) who is a member of its workforce or its business 
associate regarding what protected health information he or she needs 
in order to provide professional services to the covered entity when 
such person represents that the information requested is the minimum 
necessary. As we proposed in the NPRM, covered entities making 
disclosures to public officials that are permitted under Sec. 164.512 
may rely on the representation of a public official that the 
information requested is the minimum necessary.

Uses and Disclosures for Research

    In making a minimum necessary determination regarding the use or 
disclosure of protected health information for research purposes, a 
covered entity may reasonably rely on documentation from an IRB or 
privacy board describing the protected health information needed for 
research and consistent with the requirements of Sec. 164.512(i), 
``Uses and Disclosures for Research Purposes.'' A covered entity may 
also reasonably rely on a representation made by the requestor that the 
information is necessary to prepare a research protocol or for research 
on decedents. The covered entity must ensure that the representation or 
documentation of IRB or privacy board approval it obtains from a 
researcher describes with sufficient specificity the protected health 
information necessary for the research. Covered entities must use or 
disclose such protected health information in a manner that minimizes 
the scope of the use or disclosure.

Standards for Electronic Transactions

    We clarify that under Sec. 164.502(b)(2)(v), covered entities are 
not required to apply the minimum necessary standard to the required or 
situational data elements specified in the implementation guides for 
HIPAA administrative simplification standard transactions in the 
Transactions Rule. The standard does apply for uses or disclosures in 
standard transactions that are made at the option of the covered 
entity.

Section 164.514(e)--Marketing

    In the proposed rule, we would have required covered entities to 
obtain the individual's authorization in order to use or disclose 
protected health information to market health and non-health items and 
services.
    We have made a number of changes in the final rule that relate to 
marketing. In the final rule, we retain the general rule that covered 
entities must obtain the individual's authorization before making uses 
or disclosures of protected health information for marketing. However, 
we add a new definition of ``marketing'' that clarifies that certain 
activities, such as communications made by a covered entity for the 
purpose of describing the products and services it provides, are not 
marketing. See Sec. 164.501 and the associated preamble regarding the 
definition of marketing. In the final rule we also permit covered 
entities to use and disclose protected health information for certain 
marketing activities without individual authorization, subject to 
conditions enumerated at Sec. 164.514(e).
    First, Sec. 164.514(e) permits a covered entity to use or disclose 
protected health information without individual authorization to make a 
marketing communication if the communication occurs in a face-to-face 
encounter with the individual. This provision would permit a covered 
entity to discuss any services and products, including those of a 
third party, without restriction during a face-to-face communication. A 
covered entity also could give the individual sample products or other 
information in this setting.
    Second, we permit a covered entity to use or disclose protected 
health information without individual authorization to make marketing 
communications involving products or services of only nominal value. 
This provision ensures that covered entities do not violate the rule 
when they distribute calendars, pens and other merchandise that 
generally promotes the covered entity.
    Third, we permit a covered entity to use or disclose protected 
health information without individual authorization to make marketing 
communications about the health-

[[Page 82546]]

related products or services of the covered entity or of a third party 
if the communication: (1) Identifies the covered entity as the party 
making the communication; (2) to the extent that the covered entity 
receives direct or indirect remuneration from a third party for making 
the communication, prominently states that fact; (3) except in the case 
of a general communication (such as a newsletter), contains 
instructions describing how the individual may opt-out of receiving 
future communications about health-related products and services; and 
(4) where protected health information is used to target the 
communication about a product or service to individuals based on their 
health status or health condition, explains why the individual has been 
targeted and how the product or service relates to the health of the 
individual. The final rule also requires a covered entity to make a 
determination, prior to using or disclosing protected health 
information to target a communication to individuals based on their 
health status or condition, that the product or service may be 
beneficial to the health of the type or class of individual targeted to 
receive the communication.
    This third provision accommodates the needs of health care entities 
to be able to discuss their own health-related products and services, 
or those of third parties, as part of their everyday business and as 
part of promoting the health of their patients and enrollees. The 
provision is restricted to uses by covered entities or disclosures to 
their business associates pursuant to a contract that requires 
confidentiality, ensuring that protected health information is not 
distributed to third parties. To provide individuals with a better 
understanding of how their protected health information is being used 
for marketing, the provision requires that the communication identify 
that the covered entity is the source of the communication; a covered 
entity may not send out information about the product of a third party 
without disclosing to the individual where the communication 
originated. We also require covered entities to disclose any direct or 
indirect remuneration from third parties. This requirement permits 
individuals to better understand why they are receiving a 
communication, and to weigh the extent to which their information is 
being used to promote their health or to enrich the covered entity. 
Covered entities also are required to include in their communication 
(unless it is a general newsletter or similar device) how the 
individual may prevent further communications about health-related 
products and services. This provision enhances individuals' control 
over how their information is being used. Finally, where a covered 
entity targets communications to individuals on the basis of their 
health status or condition, we require that the entity make a 
determination that the product or service being communicated may be 
beneficial to the health of the type of individuals targeted, and that 
the communication to the targeted individuals explain why they have 
been targeted and how the product or service relates to their health. 
This final provision balances the advantages that accrue from health 
care entities informing their patients and enrollees of new or valuable 
health products with individuals' expectations that their protected 
health information will be used to promote their health.

Section 164.514(f)--Fundraising

    We proposed in the NPRM to require covered entities to obtain 
authorization from an individual in order to use the individual's 
protected health information for fundraising activities.
    As noted in Sec. 164.501, in the final rule we define fundraising 
on behalf of a covered entity to be a health care operation. In 
Sec. 164.514, we permit a covered entity to use protected health 
information without individual authorization for fundraising on behalf 
of itself, provided that it limits the information that it uses to 
demographic information about the individual and the dates that it has 
provided service to the individual (see the Sec. 164.501 discussion of 
``health care operations''). In addition, we require fundraising 
materials to explain how the individual may opt out of any further 
fundraising communications, and covered entities are required to honor 
such requests. We permit a covered entity to disclose the limited 
protected health information to a business associate for fundraising on 
its own behalf. We also permit a covered entity to disclose the 
information to an institutionally related foundation.
    By ``institutionally related foundation,'' we mean a foundation 
that qualifies as a nonprofit charitable foundation under section 
501(c)(3) of the Internal Revenue Code and that has in its charter 
statement of charitable purposes an explicit linkage to the covered 
entity. An institutionally related foundation may, as explicitly stated 
in its charter, support the covered entity as well as other covered 
entities or health care providers in its community. For example, a 
covered hospital may disclose for fundraising on its own behalf the 
specified protected health information to a nonprofit foundation 
established for the specific purpose of raising funds for the hospital 
or to a foundation that has as its mission the support of the members 
of a particular hospital chain that includes the covered hospital. The 
term does not include an organization with a general charitable 
purpose, such as to support research about or to provide treatment for 
certain diseases, that may give money to a covered entity, because its 
charitable purpose is not specific to the covered entity.

Section 164.514(g)--Underwriting

    As described under the definition of ``health care operations'' 
(Sec. 164.501), protected health information may be used or disclosed 
for underwriting and other activities relating to the creation, 
renewal, or replacement of a contract of health insurance or health 
benefits. This final rule includes a requirement, not included in the 
NPRM, that health plans receiving such information for these purposes 
may not use or disclose it for any other purpose, except as may be 
required by law, if the insurance or benefits contract is not placed 
with the health plan.

Section 164.514(h)--Verification of Identity and Authority of Persons 
Requesting Protected Health Information

Disclosure of Protected Health Information

    We reorganize the provision regarding verification of identity of 
individuals requesting protected health information to improve clarity, 
but we retain the substance of requirements proposed in the NPRM in 
Sec. 164.518(c), as follows.
    The covered entity must establish and use written policies and 
procedures (which may be standard protocols) that are reasonably 
designed to verify the identity and authority of the requestor where 
the covered entity does not know the person requesting the protected 
health information. The knowledge of the person may take the form of a 
known place of business, address, phone or fax number, as well as a 
known human being. Where documentation, statements or representations, 
whether oral or written, from the person requesting the protected 
health information are a condition of disclosure under this rule or 
other law, this verification must involve obtaining such documentation, 
statement, or representation. In such a case, additional verification 
is only required where this regulation (or other law) requires 
additional proof of authority and identity.

[[Page 82547]]

    The NPRM proposed that covered entities would be permitted to rely 
on the required documentation of IRB or privacy board approval to 
constitute sufficient verification that the person making the request 
was a researcher and that the research is authorized. The final rule 
retains this provision.
    For most disclosures, verifying the authority for the request means 
taking reasonable steps to verify that the request is lawful under this 
regulation. Additional proof is required by other provisions of this 
regulation where the request is made pursuant to Sec. 164.512 for 
national priority purposes. Where the person requesting the protected 
health information is a public official, covered entities must verify 
the identity of the requester by examination of reasonable evidence, 
such as a written statement of identity on agency letterhead, an 
identification badge, or similar proof of official status. Similarly, 
covered entities are required to verify the legal authority supporting 
the request by examination of reasonable evidence, such as a written 
request provided on agency letterhead that describes the legal 
authority for requesting the release. Where Sec. 164.512 explicitly 
requires written evidence of legal process or other authority before a 
disclosure may be made, a public official's proof of identity and the 
official's oral statement that the request is authorized by law are not 
sufficient to constitute the required reasonable evidence of legal 
authority; under these provisions, only the required written evidence 
will suffice.
    In some circumstances, a person or entity acting on behalf of a 
government agency may make a request for disclosure of protected health 
information under these subsections. For example, public health 
agencies may contract with a nonprofit agency to collect and analyze 
certain data. In such cases, the covered entity is required to verify 
the requestor's identity and authority through examination of 
reasonable documentation that the requestor is acting on behalf of the 
government agency. Reasonable evidence includes a written request 
provided on agency letterhead that describes the legal authority for 
requesting the release and states that the person or entity is acting 
under the agency's authority, or other documentation, including a 
contract, a memorandum of understanding, or purchase order that 
confirms that the requestor is acting on behalf of the government 
agency.
    In some circumstances, identity or authority will be verified as 
part of meeting the underlying requirements for disclosure. For 
example, a disclosure under Sec. 164.512(j)(1)(i) to avert an imminent 
threat to safety is lawful only if made in the good faith belief that 
the disclosure is necessary to prevent or lessen a serious and imminent 
threat to the health or safety of a person or the public, and to a 
person reasonably able to prevent or lessen the threat. If these 
conditions are met, no further verification is needed. In such 
emergencies, the covered entity is not required to demand written proof 
that the person requesting the protected health information is legally 
authorized. Reasonable reliance on verbal representations is 
appropriate in such situations.
    Similarly, disclosures permitted under Sec. 164.510(a) for facility 
directories may be made to the general public; the covered entity's 
policies and procedures do not need to address verifying the identity 
and authority for these disclosures. In Sec. 164.510(b) we do not 
require verification of identity for persons assisting in an 
individual's care or for notification purposes. For disclosures when 
the individual is not present, such as when a friend is picking up a 
prescription, we allow the covered entity to use professional judgment 
and experience with common practice to make reasonable inferences.
    Under Sec. 164.524, a covered entity is required to give 
individuals access to protected health information about them (under 
most circumstances). Under the general verification requirements of 
Sec. 164.514(h), the covered entity is required to take reasonable 
steps to verify the identity of the individual making the request. We 
do not mandate particular identification requirements (e.g., driver's 
license, photo ID), but rather leave this to the discretion of the 
covered entity. The covered entity must also establish and document 
procedures for verification of identity and authority of personal 
representatives, if not known to the entity. For example, a health care 
provider can require a copy of a power of attorney, or can ask 
questions to determine that an adult acting for a young child has the 
requisite relationship to the child.
    In Subpart C of Part 160, we require disclosure to the Secretary 
for purposes of enforcing this regulation. When a covered entity is 
asked by the Secretary to disclose protected health information for 
compliance purposes, the covered entity must verify the same 
information that it is required to verify for any other law enforcement 
or oversight request for disclosure.

Use of Protected Health Information

    The proposed rule's verification requirements applied to any person 
requesting protected health information, whether for a use or a 
disclosure. In the final regulation, the verification provisions apply 
only to disclosures of protected health information. The requirements 
in Sec. 164.514(d), for implementation of policies and procedures for 
``minimum necessary'' uses of protected health information, are 
sufficient to ensure that only appropriate persons within a covered 
entity will have access to protected health information.

Section 164.520--Notice of Privacy Practices for Protected Health 
Information

Section 164.520(a)--Right to Notice

    We proposed to establish a right for individuals to receive 
adequate notice of how covered health care providers and health plans 
use and disclose protected health information, and of the individual's 
rights with respect to that information.
    In the final regulation, we retain the general right for 
individuals to receive and the requirement for covered entities to 
produce a notice of privacy practices, with significant modifications 
to the content and distribution requirements.
    We also modify the requirements with respect to certain covered 
entities. First, in Sec. 164.500(b)(2), we clarify that a health care 
clearinghouse that creates or receives protected health information 
other than as a business associate of a covered entity must produce a 
notice. If a health care clearinghouse creates or receives protected 
health information only as a business associate of other covered 
entities, it is not required to produce a notice.
    Second, in Sec. 164.520(a)(2), we clarify the notice requirements 
with respect to group health plans. Individuals who receive health 
benefits under a group health plan other than through insurance are 
entitled to a notice from the group health plan; self-insured group 
health plans must maintain a notice that meets the requirements of this 
section and must provide the notice in accordance with the requirements 
of Sec. 164.520(c). At a minimum, the self-insured group health plan's 
notice must describe the group health plan's privacy practices with 
respect to the protected health information it creates or receives 
through its self-insured arrangements. For example, if a group health 
plan maintains both fully-insured and self-insured arrangements, the 
group health plan must, at a minimum, maintain and provide a notice 
that describes its privacy practices with respect to protected health 
information it creates or receives through the self-insured 
arrangements. This notice would be distributed to all participants in 
the self-insured arrangements (in accordance with Sec. 164.520(c)(1)) 
and would also be available on request to other persons, including 
participants in the fully-insured arrangements.

[[Page 82548]]

    Individuals who receive health benefits under a group health plan 
through an insurance contract (i.e., a fully-insured group health plan) 
are entitled to a notice from the issuer or HMO through which they 
receive their health benefits. The health insurance issuer or HMO must 
maintain and provide the notice in accordance with Sec. 164.520(c)(1). 
In addition, some fully-insured group health plans are required to 
maintain and provide a notice of the group health plan's privacy 
practices. If a group health plan provides health benefits solely 
through an insurance contract with a health insurance issuer or HMO, 
and the group health plan creates or receives protected health 
information in addition to summary information (as defined in 
Sec. 164.504(a)) and information about individuals' enrollment in or 
disenrollment from a health insurance issuer or HMO offered by the 
group health plan, the group health plan must maintain a notice that 
meets the requirements of this section and must provide the notice upon 
request of any person. The group health plan is not required to meet 
the other distribution requirements of Sec. 164.520(c)(1). Individuals 
enrolled in such group health plans have the right to notice of the 
health insurance issuer or HMO's privacy practices and, on request, to 
notice of the group health plan's privacy practices. If the group 
health plan, however, provides health benefits solely through an 
insurance contract with a health insurance issuer or HMO, and the only 
protected health information the group health plan creates or receives 
is summary information (as defined in Sec. 164.504(a)) and information 
about individuals' enrollment in or disenrollment from a health 
insurance issuer or HMO offered by the group health plan, the group 
health plan is not required to maintain or provide a notice under this 
section. In this case, the individuals enrolled in the group health 
plan would receive notice of the health insurance issuer or HMO's 
privacy practices, but would not be entitled to notice of the group 
health plan's privacy practices.
    Third, in Sec. 164.520(a)(3), we clarify that inmates do not have a 
right to notice under this section and a correctional institution that 
is a covered entity is not required to produce a notice. No person, 
including a current or former inmate, has the right to notice of such a 
covered entity's privacy practices.

Section 164.520(b)--Content of Notice

    We proposed to require the notice to be written in plain language 
and contain each of the following elements: a description of the uses 
and disclosures expected to be made without individual authorization; 
statements that other uses and disclosures would be made only with the 
individual's authorization and that the individual could revoke such 
authorization; descriptions of the rights to request restrictions, 
inspect and copy protected health information, amend or correct 
protected health information, and receive an accounting of disclosures 
of protected health information; statements about the entity's legal 
requirements to protect privacy, provide notice, and adhere to the 
notice; a statement about how individuals would be informed of changes 
to the entity's policies and procedures; instructions on how to make 
complaints with the entity or Secretary; the name and telephone number 
of a contact person or office; and the date the notice was produced. We 
provided a model notice of information policies and procedures for 
covered health care providers.
    In Sec. 164.520(b), and immediately below in this preamble, we 
describe the notice content requirements for the final rule. As 
described in detail below, we make substantial changes to the uses and 
disclosures of protected health information that must be described in 
the notice. Unlike the proposed rule, we do not include a model notice. 
We intend to develop further guidance on notice requirements prior to 
the compliance date of this rule. In this section of the final rule, we 
also refer to the covered entity's privacy ``practices,'' rather than 
its ``policies and procedures.'' The purpose of this change in 
vocabulary is to clarify that a covered entity's ``policies and 
procedures'' is a detailed documentation of all of the entity's privacy 
practices as required under this rule, not just those described in the 
notice. For example, we require covered entities to have policies and 
procedures implementing the requirements for ``minimum necessary'' uses 
and disclosures of protected health information, but these policies and 
procedures need not be reflected in the entity's notice. Similarly, we 
require covered entities to have policies and procedures for assuring 
individuals access to protected health information about them. While 
such policies and procedures will need to include documentation of the 
designated record sets subject to access, who is authorized to 
determine when information will be withheld from an individual, and 
similar details, the notice need only explain generally that 
individuals have the right to inspect and copy information about them, 
and tell individuals how to exercise that right.
    A covered entity that adopts and follows the notice content and 
distribution requirements described below will have provided adequate 
notice. However, the requirements for the content of the notice are not 
intended to be exclusive. As with the rest of the rule, we specify 
minimum requirements, not best practices. Covered entities may want to 
include more detail. We note that all federal agencies must still 
comply with the Privacy Act of 1974. This means that federal agencies 
that are covered entities or have covered health care components must 
comply with the notice requirements of the Privacy Act as well as those 
included in this rule.
    In addition, covered entities may want or be required to produce 
more than one notice in order to satisfy the notice content 
requirements under this rule. For example, a covered entity that 
conducts business in multiple states with different laws regarding the 
uses and disclosures that the covered entity is permitted to make 
without authorization may be required to produce a different notice for 
each state. A covered entity that conducts business both as part of an 
organized health care arrangement or affiliated covered entity and as 
an independent enterprise (e.g., a physician who sees patients through 
an on-call arrangement with a hospital and through an independent 
private practice) may want to adopt different privacy practices with 
respect to each line of business; such a covered entity would be 
required to produce a different notice describing the practices for 
each line of business. Covered entities must produce notices that 
accurately describe the privacy practices that are relevant to the 
individuals receiving the notice.

Required Elements

Plain Language
    As in the proposed rule, we require the notice to be written in 
plain language. A covered entity can satisfy the plain language 
requirement if it makes a reasonable effort to: organize material to 
serve the needs of the reader; write short sentences in the active 
voice, using ``you'' and other pronouns; use common, everyday words in 
sentences; and divide material into short sections.

[[Page 82549]]

    We do not require particular formatting specifications, such as 
easy-to-read design features (e.g., lists, tables, graphics, 
contrasting colors, and white space), type face, and font size. 
However, the purpose of the notice is to inform the recipients about 
their rights and how protected health information collected about them 
may be used or disclosed. Recipients who cannot understand the covered 
entity's notice will miss important information about their rights 
under this rule and about how the covered entity is protecting health 
information about them. One of the goals of this rule is to create an 
environment of open communication and transparency with respect to the 
use and disclosure of protected health information. A lack of clarity 
in the notice could undermine this goal and create misunderstandings. 
Covered entities have an incentive to make their notice statements 
clear and concise. We believe that the more understandable the notice 
is, the more confidence the public will have in the covered entity's 
commitment to protecting the privacy of health information.
    It is important that the content of the notice be communicated to 
all recipients and therefore we encourage the covered entity to 
consider alternative means of communicating with certain populations. 
We note that any covered entity that is a recipient of federal 
financial assistance is generally obligated under Title VI of the Civil 
Rights Act of 1964 to provide material ordinarily distributed to the 
public in the primary languages of persons with limited English 
proficiency in the recipients' service areas. Specifically, this Title 
VI obligation provides that, where a significant number or proportion 
of the population eligible to be served or likely to be directly 
affected by a federally assisted program needs service or information 
in a language other than English in order to be effectively informed of 
or participate in the program, the recipient shall take reasonable 
steps, considering the scope of the program and the size and 
concentration of such population, to provide information in languages 
appropriate to such persons. For covered entities not subject to Title 
VI, the Title VI standards provide helpful guidance for effectively 
communicating the content of their notices to non-English speaking 
populations.
    We also encourage covered entities to be attentive to the needs of 
individuals who cannot read. For example, an employee of the covered 
entity could read the notice to individuals upon request or the notice 
could be incorporated into a video presentation that is played in the 
waiting area.
Header
    Unlike the proposed rule, covered entities must include prominent 
and specific language in the notice that indicates the importance of 
the notice. This is the only specific language we require covered 
entities to include in the notice. The header must read, ``THIS NOTICE 
DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED 
AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT 
CAREFULLY.''
Uses and Disclosures
    We proposed to require covered entities to describe in plain 
language the uses and disclosures of protected health information, and 
the covered entity's policies and procedures with respect to such uses 
and disclosures, that the health plan or covered provider expected to 
make without individual authorization. The covered provider or health 
plan would have had to distinguish between those uses and disclosures 
required by law and those permitted but not required by law.
    We also proposed to require covered health care providers and 
health plans to state in the notice that all other uses and disclosures 
would be made only with the individual's authorization and that such 
authorization could be revoked. The notice would also have been 
required to state that the individual could request restrictions on 
certain uses and disclosures and that the covered entity would not be 
required to agree to such a request.
    We significantly modify these requirements in the final rule. 
Covered entities must describe all uses and disclosures of protected 
health information that they are permitted or required to make under 
this rule without authorization, including those uses and disclosures 
subject to the consent requirements under Sec. 164.506. If other 
applicable law prohibits or materially limits the covered entity's 
ability to make any uses or disclosures that would otherwise be 
permitted under the rule, the covered entity must describe only the 
uses and disclosures permitted under the more stringent law.
    Covered entities must separately describe each purpose for which 
they are permitted to use or disclose protected health information 
under this rule without authorization, and must do so in sufficient 
detail to place the individual on notice of those uses and disclosures. 
With respect to uses and disclosures to carry out treatment, payment, 
and health care operations, the description must include at least one 
example of the types of uses and disclosures that the covered entity is 
permitted to make. This requirement is intended to inform individuals 
of all the uses and disclosures that the covered entity is legally 
required or permitted to make under applicable law, even if the covered 
entity does not anticipate actually making such uses and disclosures. 
We do not require covered entities to distinguish in their notices 
between those uses and disclosures required by law and those permitted 
but not required by law.
    Unlike the proposed rule, we additionally require covered entities 
that wish to contact individuals for any of the following activities to 
list these activities in the notice: providing appointment reminders, 
describing or recommending treatment alternatives, providing 
information about health-related benefits and services that may be of 
interest to the individual, or soliciting funds to benefit the covered 
entity. If the covered entity does not include these statements in its 
notice, it is prohibited from using or disclosing protected health 
information for these activities without authorization. See 
Sec. 164.502(i).
    In addition, if a group health plan, or a health insurance issuer 
or HMO with respect to a group health plan, wants the option to 
disclose protected health information to a group health plan sponsor 
without authorization as permitted under Sec. 164.504(f), the group 
health plan, health insurance issuer or HMO must describe that practice 
in its notice.
    As in the proposed rule, the notice must state that all other uses 
and disclosures will be made only with the individual's authorization 
and that the individual has the right to revoke such authorization.
    We anticipate this requirement will lead to significant 
standardization of the notice. This language could be the same for 
every covered entity of a particular type within a state, territory, or 
other locale. We encourage states, state professional associations, and 
other organizations to develop model language to assist covered 
entities in preparing their notices.
Individual Rights
    As in the proposed rule, covered entities must describe 
individuals' rights under the rule and how individuals may exercise 
those rights with respect to the covered entity. Covered entities must 
describe each of the following rights, as provided under the rule: the 
right to request restrictions on certain uses and disclosures, 
including a statement that the covered entity is not required to agree 
to a requested restriction (Sec. 164.522(a)); the right to receive 
confidential communications of protected health information 
(Sec. 164.522(b)); the right to inspect and copy protected health 
information (Sec. 164.524); the right to amend protected health 
information (Sec. 164.526); and the right to an accounting of 
disclosures of protected health information (Sec. 164.528). We 
additionally require the notice to describe the right of an individual, 
including an individual that has agreed to receive the notice 
electronically, to obtain a paper copy of the notice upon request.

[[Page 82550]]

Covered Entity's Duties
    As in the proposed rule, covered entities must state in the notice 
that they are required by law to maintain the privacy of protected 
health information, to provide a notice of their legal duties and 
privacy practices, and to abide by the terms of the notice currently in 
effect. In the final rule, we additionally require the covered entity, 
if it wishes to reserve the right to change its privacy practices and 
apply the revised practices to protected health information previously 
created or received, to make a statement to that effect and describe 
how it will provide individuals with a revised notice. (See below for a 
more detailed discussion of a covered entity's responsibilities when it 
changes its privacy practices.)
Complaints
    As in the proposed rule, a covered entity's notice must inform 
individuals about how they can lodge complaints with the covered entity 
if they believe their privacy rights have been violated. See 
Sec. 164.530(d) and the corresponding preamble discussion for the 
requirements on covered entities for receiving complaints. The notice 
must also state that individuals may file complaints with the 
Secretary. In the final rule, we additionally require the notice to 
include a statement that the individual will not suffer retaliation for 
filing a complaint.
Contact
    As in the proposed rule, the notice must identify a point of 
contact where the individual can obtain additional information about 
any of the matters identified in the notice.
Effective Date
    The notice must include the date the notice went into effect, 
rather than the proposed requirement to include the date the notice was 
produced. The effective date cannot be earlier than the date on which 
the notice was first printed or otherwise published. Covered entities 
may wish to highlight or otherwise emphasize any material modifications 
that they have made, in order to help the individual recognize such 
changes.

Optional Elements

    As described above, we proposed to require covered entities to 
describe the uses and disclosures of protected health information that 
the covered entity in fact expected to make without the individual's 
authorization. We did not specify any optional elements.
    While the final rule requires covered entities to describe all of 
the types of uses and disclosures permitted or required by law (not 
just those that the covered entity intends to make), we also permit and 
encourage covered entities to include optional elements that describe 
the actual, more limited, uses and disclosures they intend to make 
without authorization. We anticipate that some covered entities will 
want to distinguish themselves on the basis of their more stringent 
privacy practices. For example, covered health care providers who 
routinely treat patients with particularly sensitive conditions may 
wish to assure their patients that, even though the law permits them to 
disclose information for a wide array of purposes, the covered health 
care provider will only disclose information in very specific 
circumstances, as required by law, and to avert a serious and imminent 
threat to health or safety. A covered entity may not include statements 
in the notice that purport to limit the entity's ability to make uses 
or disclosures that are required by law or necessary to avert a serious 
and imminent threat to health or safety.
    As described above, if the covered entity wishes to reserve the 
right to change its privacy practices with respect to the more limited 
uses and disclosures and apply the revised practices to protected 
health information previously created or received, it must make a 
statement to that effect and describe how it will provide individuals 
with a revised notice. (See below for a more detailed discussion of a 
covered entity's responsibilities when it changes its privacy 
practices.)

Revisions to the Notice

    We proposed to require a covered entity to adhere to the terms of 
its notice, and would have permitted it to change its information 
policies and procedures at any time. We would have required covered 
health care providers and health plans to update the notice to reflect 
material changes to the information policies and procedures described 
in the notice. Changes to the notice would have applied to all 
protected health information held by the covered entity, including 
information collected under prior notices. That is, we would not have 
required covered entities to segregate their records according to the 
notice in effect at the time the record was created. We proposed to 
prohibit covered entities from implementing a change to an information 
policy or procedure described in the notice until the notice was 
updated to reflect the change, unless a compelling reason existed to 
make a use or disclosure or take other action that the notice would not 
have permitted. In these situations, we proposed to require covered 
entities to document the compelling reason and, within 30 days of the 
use, disclosure, or other action, change its notice to permit the 
action.
    As in the proposed rule, covered entities are required to adhere to 
the terms of the notice currently in effect. See Sec. 164.502(i). When 
a covered entity materially changes any of the uses or disclosures, the 
individual's rights, the covered entity's legal duties, or other 
privacy practices described in its notice, it must promptly revise its 
notice accordingly. See Sec. 164.520(b)(3). (Pursuant to 
Sec. 164.530(i), it must also revise its policies and procedures.) 
Except when required by law, a material change to any term in the 
notice may not be implemented prior to the effective date of the notice 
in which such material change is reflected. In the final rule, however, 
we revise the circumstances under and extent to which the covered 
entity may revise the practices stated in the notice and apply the new 
practices to protected health information it created or received under 
prior notice.
    Under Sec. 164.530(i), a covered entity that wishes to change its 
practices over time without segregating its records according to the 
notice in effect at the time the records were created must reserve the 
right to do so in its notice. For example, a covered hospital that 
states in its notice that it will only make public health disclosures 
required by law, and that does not reserve the right to change this 
practice, is prohibited from making any discretionary public health 
disclosures of protected health information created or received during 
the effective period of that notice. If the covered hospital wishes at 
some point in the future to make discretionary disclosures for public 
health purposes, it must revise its notice to so state, and

[[Page 82551]]

must segregate its records so that protected health information created 
or received under the prior notice is not disclosed for discretionary 
public health purposes. This hospital may then make discretionary 
public health disclosures of protected health information created or 
received after the effective date of the revised notice.
    If a second covered hospital states in its notice that it will only 
make public health disclosures required by law, but does reserve the 
right to change its practices, it is prohibited from making any 
discretionary public health disclosures of protected health information 
created or received during the effective period of that notice. If this 
hospital wishes at some point in the future to make discretionary 
disclosures for public health purposes, it must revise its notice to so 
state, but need not segregate its records. As of the effective date of 
the revised notice, it may disclose any protected health information, 
including information created or received under the prior notice, for 
discretionary public health purposes.
    Section 164.530(i) and the corresponding discussion in this 
preamble describe requirements for revision of a covered entity's 
privacy policies and procedures, including the privacy practices 
reflected in its notice.

Section 164.520(c)--Provision of Notice

    As in the proposed rule, all covered entities that are required to 
produce a notice must provide the notice upon request of any person. 
The requestor does not have to be a current patient or enrollee. We 
intend the notice to be a public document that people can use in 
choosing between covered entities.
    For health plans, we proposed to require health plans to distribute 
the notice to individuals covered by the health plan as of the 
compliance date; after the compliance date, at enrollment in the health 
plan; after enrollment, within 60 days of a material revision to the 
content of the notice; and no less frequently than once every three 
years.
    As in the proposed rule, under the final rule health plans must 
provide the notice to all health plan enrollees as of the compliance 
date. After the compliance date, health plans must provide the notice 
to all new enrollees at the time of enrollment and to all enrollees 
within 60 days of a material revision to the notice. Of course, the 
term ``enrollees'' includes participants and beneficiaries in group 
health plans.
    Unlike the proposed rule, we do not require health plans to 
distribute the notice every three years. Instead, health plans must 
notify enrollees no less than once every three years about the 
availability of the notice and how to obtain a copy.
    We also clarify that, in each of these circumstances, if a named 
insured and one or more dependents are covered by the same policy, the 
health plan can satisfy the distribution requirement with respect to 
the dependents by sending a single copy of the notice to the named 
insured. For example, if an employee of a firm and her three dependents 
are all covered under a single health plan policy, that health plan can 
satisfy the initial distribution requirement by sending a single copy 
of the notice to the employee rather than sending four copies, each 
addressed to a different member of the family.
    We further clarify that if a health plan has more than one notice, 
it satisfies its distribution requirement by providing the notice that 
is relevant to the individual or other person requesting the notice. 
For example, a health insurance issuer may have contracts with two 
different group health plans. One contract specifies that the issuer 
may use and disclose protected health information about the 
participants in the group health plan for research purposes without 
authorization (subject to the requirements of this rule) and one 
contract specifies that the issuer must always obtain authorizations 
for these uses and disclosures. The issuer accordingly develops two 
notices reflecting these different practices and satisfies its 
distribution requirements by providing the relevant notice to the 
relevant group health plan participants.
    We proposed to require covered health care providers with face-to-
face contact with individuals to provide the notice to all such 
individuals at the first service delivery to the individual during the 
one-year period after the compliance date. After this one-year period, 
covered providers with face-to-face contact with individuals would have 
been required to distribute the notice to all new patients at the first 
service delivery. Covered providers without face-to-face contact with 
individuals would have been required to provide the notice in a 
reasonable period of time following first service delivery.
    We proposed to require all covered providers to post the notice in 
a clear and prominent location where it would be reasonable to expect 
individuals seeking services from the covered provider to be able to 
read the notice. We would have required revisions to be posted 
promptly.
    In the final rule, we vary the distribution requirements according 
to whether the covered health care provider has a direct treatment 
relationship with an individual, rather than whether the covered health 
care provider has face-to-face contact with an individual. See 
Sec. 164.501 and the corresponding discussion in this preamble 
regarding the definition of indirect treatment relationship.
    Covered health care providers that have direct treatment 
relationships with individuals must provide the notice to such 
individuals as of the first service delivery after the compliance date. 
This requirement applies whether the first service is delivered 
electronically or in person. Covered providers may satisfy this 
requirement by sending the notice to all of their patients at once, by 
giving the notice to each patient as he or she comes into the 
provider's office or facility or contacts the provider electronically, 
or by some combination of these approaches. Covered providers that 
maintain a physical service delivery site must prominently post the 
notice where it is reasonable to expect individuals seeking service 
from the provider to be able to read the notice. The notice must also 
be available on site for individuals to take on request. In the event 
of a revision to the notice, the covered provider must promptly post 
the revision and make it available on site.
    Covered health care providers that have indirect treatment 
relationships with individuals are only required to produce the notice 
upon request, as described above.
    The proposed rule was silent regarding electronic distribution of 
the notice. Under the final rule, a covered entity that maintains a web 
site describing the services and benefits it offers must make its 
privacy notice prominently available through the site.
    A covered entity may satisfy the applicable distribution 
requirements described above by providing the notice to the individual 
electronically, if the individual agrees to receiving materials from 
the covered entity electronically and the individual has not withdrawn 
his or her agreement. If the covered entity knows that the electronic 
transmission has failed, the covered entity must provide a paper copy 
of the notice to the individual.
    If an individual's first service delivery from a covered provider 
occurs electronically, the covered provider must provide electronic 
notice automatically and contemporaneously in response to the 
individual's first request for service. For example, the first time an 
individual requests to fill a prescription through a covered internet 
pharmacy, the pharmacy must automatically and contemporaneously provide 
the individual with the

[[Page 82552]]

pharmacy's notice of privacy practices. An individual who receives a 
covered entity's notice electronically retains the right to request a 
paper copy of the notice as described above. This right must be 
described in the notice.
    We note that the Electronic Signatures in Global and National 
Commerce Act (Pub. L. 106-229) may apply to documents required under 
this rule to be provided in writing. We do not intend to affect the 
application of that law to documents required under this rule.

Section 164.520(d)--Joint Notice by Separate Covered Entities

    The proposed rule was silent regarding the ability of legally 
separate covered entities to produce a single notice.
    In the final rule, we allow covered entities that participate in an 
organized health care arrangement to comply with this section by 
producing a single notice that describes their combined privacy 
practices. See Sec. 164.501 and the corresponding preamble discussion 
regarding the definition of organized health care arrangement. (We note 
that, under Sec. 164.504(d), covered entities that are under common 
ownership or control may designate themselves as a single affiliated 
covered entity. Joint notice requirements do not apply to such 
entities. Single affiliated covered entities must produce a single 
notice, consistent with the requirements described above for any other 
covered entity. Covered entities under common ownership or control that 
elect not to designate themselves as a single affiliated covered 
entity, however, may elect to produce a joint notice if they meet the 
definition of an organized health care arrangement.)
    The joint notice must meet all of the requirements described above. 
The covered entities must agree to abide by the terms of the notice 
with respect to protected health information created or received by the 
covered entities as part of their participation in the organized health 
care arrangement. In addition, the joint notice must reasonably 
identify the covered entities, or class of covered entities, to which 
the joint notice applies and the service delivery sites, or classes of 
service delivery sites, to which the joint notice applies. If the 
covered entities participating in the organized health care arrangement 
will share protected health information with each other as necessary to 
carry out treatment, payment, or health care operations relating to the 
arrangement, that fact must be stated in the notice.
    Typical examples where this policy may be useful are health care 
facilities where physicians and other providers who have offices 
elsewhere also provide services at the facility (e.g., hospital staff 
privileges, physicians visiting their patients at a residential 
facility). In these cases, a single notice may cover both the physician 
and the facility, if the above conditions are met. The physician is 
required to have a separate notice covering the privacy practices at 
the physician's office if those practices are different from the 
practices described in the joint notice.
    If any one of the covered entities included in the joint notice 
distributes the notice to an individual, as required above, the 
distribution requirement is met for all of the covered entities 
included in the joint notice.

Section 164.520(e)--Documentation

    As in the proposed rule, we establish documentation requirements 
for covered entities subject to this provision. In the final rule, we 
specify that covered entities must retain copies of the notice(s) they 
issue in accordance with Sec. 164.530(j). See Sec. 164.530(j) and the 
corresponding preamble discussion for further description of the 
documentation requirements.

Section 164.522--Rights To Request Privacy Protection for Protected 
Health Information

Section 164.522(a)--Right of An Individual To Request Restriction of 
Uses and Disclosures

    We proposed that individuals have the right to request that a 
covered health care provider restrict the use or disclosure of 
protected health information for treatment, payment, or health care 
operations. Providers would not have been required to agree to 
requested restrictions. However, a covered provider that agreed to a 
restriction could not use or disclose protected health information 
inconsistent with the restriction. The requirement would not have 
applied to permissible uses or disclosures under proposed Sec. 164.510, 
including uses and disclosures in emergency circumstances under 
proposed Sec. 164.510(k); when the health care services provided were 
emergency services; or to required disclosures to the Secretary under 
proposed Sec. 164.522. We would have required covered providers to have 
procedures for individuals to request restrictions, for agreed-upon 
restrictions to be documented, for the provider to honor such 
restrictions, and for notification of the existence of a restriction to 
others to whom such protected health information is disclosed.
    In the final rule, we retain the general right of an individual to 
request that uses and disclosures of protected health information be 
restricted and the requirement for covered entities to adhere to 
restrictions to which they have agreed. However, we include some 
significant changes and clarifications.
    Under the final rule, we extend the right to request restrictions 
to health plans and to health care clearinghouses that create or 
receive protected health information other than as a business associate 
of another covered entity. All covered entities must permit individuals 
to request that uses and disclosures of protected health information to 
carry out treatment, payment, and health care operations be restricted 
and must adhere to restrictions to which they have agreed. A covered 
entity is not required to agree to a restriction. We note that 
restrictions between an individual and a covered entity for these or 
other purposes may be otherwise enforceable under other law.
    Under Sec. 164.522(a)(1)(i)(B), the right to request restrictions 
applies to disclosures to persons assisting in the individual's care 
under Sec. 164.510(b). An individual may request that a covered entity 
agree not to disclose protected health information to persons assisting 
with the individual's care, even if such disclosure is permissible in 
accordance with Sec. 164.510(b). For example, if an individual requests 
that a covered entity never disclose protected health information to a 
particular family member, and the covered entity agrees to that 
restriction, the covered entity is prohibited from disclosing protected 
health information to that family member, even if the disclosure would 
otherwise be permissible under Sec. 164.510(b). We note that 
individuals additionally have the opportunity to agree or object to 
disclosures to persons assisting in the individual's care under 
Sec. 164.510(b)(2). The individual retains the right to agree or object 
to such disclosures under Sec. 164.510(b)(2), in accordance with the 
standards of that provision, regardless of whether the individual has 
requested a restriction under Sec. 164.522(a). See Sec. 164.510(b) and 
the corresponding preamble discussion regarding the individual's right 
to agree or object to disclosures to persons assisting in the 
individual's care.
    In Secs. 164.522(a)(1)(iii) and (iv) we clarify the requirements 
with respect to emergency treatment situations. In emergency treatment 
situations, a covered entity that has agreed to a restriction may use, 
or disclose to a health care provider, restricted protected health 
information that is

[[Page 82553]]

necessary to provide the emergency treatment. If the covered entity 
discloses restricted protected health information to a health care 
provider for emergency treatment purposes, it must request that the 
provider not further use or disclose the information. We expect covered 
entities to consider the need for access to protected health 
information for treatment purposes when considering a request for a 
restriction, to discuss this need with the individual making the 
request for restriction, and to agree to restrictions that will not 
foreseeably impede the individual's treatment. Therefore, we expect 
covered entities will rarely need to use or disclose restricted 
protected health information in emergency treatment situations. We do 
not intend, however, to adversely impact the delivery of health care. 
We therefore provide a means for the use and disclosure of restricted 
protected health information in emergency treatment situations, where 
an unexpected need for the information could arise and there is 
insufficient time to secure the individual's permission to use or 
disclose the restricted information.
    In Sec. 164.522(a)(1)(v) we clarify that restrictions are not 
effective under this rule to prevent uses and disclosures required by 
Sec. 164.502(a)(2)(ii) or permitted under Sec. 164.510(a) (regarding 
facility directories) or Sec. 164.512 (regarding uses and disclosures 
for which consent, individual authorization, or opportunity to agree or 
object is not required). Covered entities are permitted to agree to 
such restrictions, but if they do so, the restrictions are not 
enforceable under this rule. For example, a provider who makes a 
disclosure under Sec. 164.512(j)(1)(i) relating to serious and imminent 
threats will not be in violation of this rule even if the disclosure is 
contrary to a restriction agreed to under this paragraph.
    In Sec. 164.522(a)(2) we clarify a covered entity's ability to 
terminate a restriction to which it has agreed. A covered entity may 
terminate a restriction with the individual's written or oral 
agreement. If the individual's agreement is obtained orally, the 
covered entity must document that agreement. A note in the medical 
record or similar notation is sufficient documentation. If the 
individual agrees to terminate the restriction, the covered entity may 
use and disclose protected health information as otherwise permitted 
under the rule. If the covered entity wants to terminate the 
restriction without the individual's agreement, it may only terminate 
the restriction with respect to protected health information it creates 
or receives after it informs the individual of the termination. The 
restriction continues to apply to protected health information created 
or received prior to informing the individual of the termination. That 
is, any protected health information that had been collected before the 
termination may not be used or disclosed in a way that is inconsistent 
with the restriction, but any information that is collected after 
informing the individual of the termination of the restriction may be 
used or disclosed as otherwise permitted under the rule.
    In Sec. 164.522(a)(3), we clarify that a covered entity must 
document a restriction to which it has agreed. We do not require a 
specific form of documentation; a note in the medical record or similar 
notation is sufficient. The documentation must be retained for six 
years from the date it was created or the date it was last in effect, 
whichever is later, in accordance with Sec. 164.530(j).
    We eliminate the requirement from the NPRM for covered entities to 
inform persons to whom they disclose protected health information of 
the existence of any restriction on that information. A restriction is 
only binding on the covered entity that agreed to the restriction. We 
encourage covered entities to inform others of the existence of a 
restriction when it is appropriate to do so. We note, however, that 
disclosure of the existence of a restriction often amounts to a de 
facto disclosure of the restricted information itself. If a restriction 
does not permit a covered entity to disclose protected health 
information to a particular person, the covered entity must carefully 
consider whether disclosing the existence of the restriction to that 
person would also violate the restriction.

Section 164.522(b)--Confidential Communications Requirements

    In the NPRM, we did not directly address the issue of whether an 
individual could request that a covered entity restrict the manner in 
which it communicated with the individual. As described above, the NPRM 
would have provided individuals with the right to request that health 
care providers restrict uses and disclosures of protected health 
information for treatment, payment and health care operations, but 
would not have required providers to agree to such a restriction.
    In the final rule, we require covered entities to permit 
individuals to request that the covered entity provide confidential 
communications of protected health information about the individual. 
The requirement applies to communications from the covered entity to 
the individual, and also communications from the covered entity that 
would otherwise be sent to the named insured of an insurance policy 
that covers the individual as a dependent of the named insured. 
Individuals may request that the covered entity send such 
communications by alternative means or at alternative locations. For 
example, an individual who does not want his or her family members to 
know about a certain treatment may request that the provider 
communicate with the individual about that treatment at the 
individual's place of employment, by mail to a designated address, or 
by phone to a designated phone number. Similarly, an individual may 
request that the provider send communications in a closed envelope 
rather than a post card, as an ``alternative means.'' Covered health 
care providers must accommodate all reasonable requests. Health plans 
must accommodate all reasonable requests, if the individual clearly 
states that the disclosure of all or part of the protected health 
information could endanger the individual. For example, if an 
individual requests that a health plan send explanations of benefits 
about particular services to the individual's work rather than home 
address because the individual is concerned that a member of the 
individual's household (e.g., the named insured) might read the 
explanation of benefits and become abusive towards the individual, the 
health plan must accommodate the request.
    The reasonableness of a request made under this paragraph must be 
determined by a covered entity solely on the basis of the 
administrative difficulty of complying with the request and as 
otherwise provided in this section. A covered health care provider or 
health plan cannot refuse to accommodate a request based on its 
perception of the merits of the individual's reason for making the 
request. A covered health care provider may not require the individual 
to provide a reason for the request as a condition of accommodating the 
request. As discussed above, a health plan is not required to 
accommodate a request unless the individual indicates that the 
disclosure could endanger the individual. If the individual indicates 
such endangerment, however, the covered entity cannot further consider 
the individual's reason for making the request in determining whether 
it must accommodate the request.
    A covered health care provider or health plan may refuse to 
accommodate a request, however, if the individual has

[[Page 82554]]

not provided information as to how payment, if applicable, will be 
handled, or if the individual has not specified an alternative address 
or method of contact.

Section 164.524--Access of Individuals to Protected Health 
Information

Section 164.524(a)--Right of Access

    In the NPRM, we proposed to establish a right for individuals to 
access (i.e., inspect and obtain a copy of) protected health 
information about them maintained by a covered provider or health plan, 
or its business partners, in a designated record set.
    As in the proposed rule, in the final rule we provide that 
individuals have a right of access to protected health information that 
is maintained in a designated record set. This right applies to health 
plans, covered health care providers, and health care clearinghouses 
that create or receive protected health information other than as a 
business associate of another covered entity (see Sec. 164.500(b)). In 
the final rule, however, we modify the definition of designated record 
set. For a discussion of the significant changes made to the definition 
of designated record set, see Sec. 164.501 and the corresponding 
preamble.
    Under the revised definition, individuals have a right of access to 
any protected health information that is used, in whole or in part, to 
make decisions about individuals. This information includes, for 
example, information used to make health care decisions or information 
used to determine whether an insurance claim will be paid. Covered 
entities often incorporate the same protected health information into a 
variety of different data systems, not all of which will be utilized to 
make decisions about individuals. For example, information systems that 
are used for quality control or peer review analyses may not be used to 
make decisions about individuals. In that case, the information systems 
would not fall within the definition of designated record set. We do 
not require entities to grant an individual access to protected health 
information maintained in these types of information systems.

Duration of the Right of Access

    As in the proposed rule, covered entities must provide access to 
individuals for as long as the protected health information is 
maintained in a designated record set.

Exceptions to the Right of Access

    In the NPRM, we proposed to establish a right for individuals to 
access any protected health information maintained in a designated 
record set. Though we proposed to permit covered entities to deny 
access in certain situations relating to the particular individual 
requesting access, we did not specifically exclude any protected health 
information from the right of access.
    In the final rule, we specify three types of information to which 
individuals do not have a right of access, even if the information is 
maintained in a designated record set. They are psychotherapy notes, 
information compiled in reasonable anticipation of, or for use in, a 
civil, criminal, or administrative action or proceeding, and certain 
protected health information maintained by a covered entity that is 
subject to or exempted from the Clinical Laboratory Improvements 
Amendments of 1988 (CLIA). Covered entities may, but are not required 
to, provide access to this information.
    First, unlike the proposed rule, we specify that individuals do not 
have a right of access to psychotherapy notes.
    Second, individuals do not have a right of access to information 
compiled in reasonable anticipation of, or for use in, a civil, 
criminal, or administrative action or proceeding. In the NPRM, we would 
have permitted covered entities to deny a request for access to 
protected health information compiled in reasonable anticipation of, or 
for use in, a legal proceeding. We change the language in the final 
rule to clarify that a legal proceeding includes civil, criminal, and 
administrative actions and proceedings. In the final rule, we clarify 
that an individual does not have a right to this information by 
including it in the list of exceptions rather than stating that a 
covered entity may deny access to this information. Under this 
exception, the covered entity may deny access to any information that 
relates specifically to legal preparations but may not deny access to 
the individual's underlying health information. We do not intend to 
require covered entities to provide access to documents protected by 
attorney work-product privilege nor do we intend to alter rules of 
discovery.
    Third, unlike the proposed rule, individuals do not have a right of 
access to protected health information held by clinical laboratories if 
CLIA prohibits such access. CLIA states that clinical laboratories may 
provide clinical laboratory test records and reports only to 
``authorized persons,'' as defined primarily by state law. The 
individual who is the subject of the information is not always included 
in this set of authorized persons. When an individual is not an 
authorized person, this restriction effectively prohibits the clinical 
laboratory from providing an individual access to this information. We 
do not intend to preempt CLIA and, therefore, do not require covered 
clinical laboratories to provide an individual access to this 
information if CLIA prohibits them from doing so. We note, however, 
that individuals have the right of access to this information if it is 
maintained by a covered health care provider, clearinghouse, or health 
plan that is not subject to CLIA.
    Finally, unlike the proposed rule, individuals do not have access 
to protected health information held by certain research laboratories 
that are exempt from the CLIA regulations. The CLIA regulations 
specifically exempt the components or functions of ``research 
laboratories that test human specimens but do not report patient 
specific results for the diagnosis, prevention or treatment of any 
disease or impairment of, or the assessment of the health of individual 
patients.'' 42 CFR 493.3(a)(2). If subject to the access requirements, 
these laboratories, or the applicable components of them, would be 
forced to comply with the CLIA regulations once they provided an 
individual with the access under this privacy rule. Therefore, to 
alleviate this additional regulatory burden, we have exempted these 
laboratories, or the relevant components of them, from the access 
requirements of this regulation.

Grounds for Denial of Access

    In the NPRM we proposed to permit covered health care providers and 
health plans to deny an individual access to inspect and copy protected 
health information about them for five reasons: (1) a licensed health 
care professional determined the inspection and copying was reasonably 
likely to endanger the life or physical safety of the individual or 
another person; (2) the information was about another person (other 
than a health care provider) and a licensed health care professional 
determined the inspection and copying was reasonably likely to cause 
substantial harm to that other person; (3) the information was obtained 
under a promise of confidentiality from someone other than a health 
care provider and the inspection and copying was likely to reveal the 
source of the information; (4) the information was obtained by a 
covered provider in the course of a clinical trial, the individual 
agreed to the denial of access in consenting to participate in the 
trial, and the trial was in progress; and (5) the information was 
compiled in reasonable anticipation of, or for use in, a legal

[[Page 82555]]

proceeding. In the NPRM, covered entities would not have been permitted 
to use these grounds to deny individuals access to protected health 
information that was also subject to the Privacy Act.
    In the final rule, we retain all of these grounds for denial, with 
some modifications. One of the proposed grounds for denial (regarding 
legal proceedings) is retained as an exception to the right of access. 
(See discussion above.) We also include additional grounds for denial 
and create a right for individuals to request review of certain 
denials.
    There are five types of denials covered entities may make without 
providing the individual with a right to have the denial reviewed.
    First, a covered entity may deny an individual access to any 
information that is excepted from the right of access under 
Sec. 164.524(a)(1). (See discussion above.)
    Second, we add a new provision that permits a covered entity that 
is a correctional institution or covered health care provider acting 
under the direction of a correctional institution to deny an inmate's 
request to obtain a copy of protected health information if obtaining a 
copy would jeopardize the health, safety, security, custody, or 
rehabilitation of the individual or other inmates or the safety of any 
officer, employee or other person at the correctional institution or 
responsible for the transporting of the inmate. This ground for denial 
is restricted to an inmate's request to obtain a copy of protected 
health information. If an inmate requests inspection of protected 
health information, the request must be granted unless one of the other 
grounds for denial applies. The purpose for this exception, and the 
reason that the exception is limited to denying an inmate a copy and 
not to denying a right to inspect, is to give correctional institutions 
the ability to maintain order in these facilities and among inmates 
without denying an inmate the right to review his or her protected 
health information.
    Third, as in the proposed rule, a covered entity may deny an 
individual access to protected health information obtained by a covered 
provider in the course of research that includes treatment of the 
research participants, while such research is in progress. For this 
exception to apply, the individual must have agreed to the denial of 
access in conjunction with the individual's consent to participate in 
the research and the covered provider must have informed the individual 
that the right of access will be reinstated upon completion of the 
research. If either of these conditions is not met, the individual has 
the right to inspect and copy the information (subject to the other 
exceptions we provide here). In all cases, the individual has the right 
to inspect and copy the information after the research is complete.
    As with all the grounds for denial, covered entities are not 
required to deny access under the research exception. We expect all 
researchers to maintain a high level of ethical consideration for the 
welfare of research participants and provide access in appropriate 
circumstances. For example, if a participant has a severe adverse 
reaction, disclosure of information during the course of the research 
may be necessary to give the participant adequate information for 
proper treatment decisions.
    Fourth, we clarify the ability of a covered entity to deny 
individuals access to protected health information that is also subject 
to the Privacy Act. In the final rule, we specify that a covered entity 
may deny an individual access to protected health information that is 
contained in records that are subject to the Privacy Act if such denial 
is permitted under the Privacy Act. This ground for denial exists in 
addition to the other grounds for denial available under this rule. If 
an individual requests access to protected health information that is 
also subject to the Privacy Act, a covered entity may deny access to 
that information for any of the reasons permitted under the Privacy Act 
and for any of the reasons permitted under this rule.
    Fifth, as in the proposed rule, a covered entity may deny an 
individual access to protected health information if the covered entity 
obtained the requested information from someone other than a health 
care provider under a promise of confidentiality and such access would 
be reasonably likely to reveal the source of the information. This 
provision is intended to preserve a covered entity's ability to 
maintain an implicit or explicit promise of confidentiality. A covered 
entity may not, however, deny access to protected health information 
when the information has been obtained from a health care provider. An 
individual is entitled to have access to all information about him or 
her generated by the health care system (apart from the other 
exceptions we provide here). Confidentiality promises to health care 
providers should not interfere with that access.
    As in the proposed rule, a covered entity may deny access to 
protected health information under certain circumstances in which the 
access may harm the individual or others. In the final rule, we specify 
that a covered entity may only deny access for these reasons if the 
covered entity provides the individual with a right to have the denial 
reviewed. (See below for a discussion of the right to review.)
    There are three types of denials for which covered entities must 
provide the individual with a right to review. A denial under these 
provisions requires a determination by a licensed health care 
professional (such as a physician, physician's assistant, or nurse) 
based on an assessment of the particular circumstances and current 
professional medical standards of harm. Therefore, when the request is 
made to a health plan or clearinghouse, the covered entity will need to 
consult with a licensed health care professional before denying access 
under this provision.
    First, as in the proposed rule, covered entities may deny 
individuals access to protected health information about them if a 
licensed health care professional has determined, in the exercise of 
professional judgment, that the access requested is reasonably likely 
to endanger the life or physical safety of the individual or another 
person. The most commonly cited example is when an individual exhibits 
suicidal or homicidal tendencies. If a licensed health care 
professional determines that an individual exhibits such tendencies and 
that permitting inspection or copying of some of the individual's 
protected health information is reasonably likely to result in the 
individual committing suicide, murder, or other physical violence, then 
the health care professional may deny the individual access to that 
information. Under this reason for denial, covered entities may not 
deny access on the basis of the sensitivity of the health information 
or the potential for causing emotional or psychological harm.
    Second, as in the proposed rule, covered entities may deny an 
individual access to protected health information if the information 
requested makes reference to someone other than the individual (and 
other than a health care provider) and a licensed health care 
professional has determined, in the exercise of professional judgment, 
that the access requested is reasonably likely to cause serious harm to 
that other person. On some occasions when health information about one 
person is relevant to the care of another, a physician may incorporate 
it into the latter's record, such as information from group therapy 
sessions and information about illnesses with a genetic component. This 
provision permits a covered entity to withhold information in such 
cases if

[[Page 82556]]

the release of such information is reasonably likely to cause 
substantial physical, emotional, or psychological harm.
    Third, we add a new provision regarding denial of access requested 
by personal representatives. Under Sec. 164.502(g), a person that is a 
personal representative of an individual may exercise the rights of the 
individual, including the right to inspect and copy protected health 
information about the individual that is relevant to such person's 
representation. The provision permits covered entities to refuse to 
treat a personal representative as the individual, generally, if the 
covered entity has a reasonable belief that the individual has been or 
will be subjected to domestic violence, abuse or neglect by the 
personal representative, or that treating the personal representative 
as the individual may endanger the individual and, in its professional 
judgment, the covered entity decides that it is not in the best 
interest of the individual to treat such person as the personal 
representative.
    In addition to that provision, we add a new provision at 
Sec. 164.524(a)(3)(iii) to clarify that a covered entity may deny a 
request to inspect or copy protected health information if the 
information is requested by a personal representative of the individual 
and a licensed health care professional has determined that, in the 
exercise of professional judgment, such access is reasonably likely to 
cause substantial harm to the individual who is the subject of the 
information or to another person. The health care professional need not 
have a reasonable belief that the personal representative has abused or 
neglected the individual, and the harm that is likely to result need 
not be limited to the individual who is the subject of the requested 
protected health information. Therefore, a covered entity can recognize 
a person as a personal representative but deny such person access to 
protected health information as a personal representative.
    We do not intend these provisions to create a legal duty for the 
covered entity to review all of the relevant protected health 
information before releasing it. Rather, we are preserving the 
flexibility and judgment of covered entities to deny access under 
appropriate circumstances. Denials are not mandatory; covered entities 
may always elect to provide requested health information to the 
individual. For each request by an individual, the covered entity may 
provide all of the information requested or evaluate the requested 
information, consider the circumstances surrounding the individual's 
request, and make a determination as to whether that request should be 
granted or denied, in whole or in part, in accordance with one of the 
reasons for denial under this rule. We intend to create narrow 
exceptions to the right of access and we expect covered entities to 
employ these exceptions rarely, if at all. Covered entities may only 
deny access for the reasons specifically provided in the rule.

Review of a Denial of Access

    In the NPRM, we proposed to require covered entities, when denying 
an individual's request for access, to inform the individual of how to 
make a complaint to the covered entity and the Secretary.
    We retain in the final rule the proposed approach (see below). In 
addition, if the covered entity denies the request on the basis of one 
of the reviewable grounds for denial described above, the individual 
has the right to have the denial reviewed by a licensed health care 
professional who is designated by the covered entity to act as a 
reviewing official and who did not participate in the original decision 
to deny access. The covered entity must provide access in accordance 
with the reviewing official's determination. (See below for further 
description of the covered entity's requirements under 
Sec. 164.524(d)(4) if the individual requests a review of denial of 
access.)

Section 164.524(b)--Requests for Access and Timely Action

    In the NPRM, we proposed to require covered health care providers 
and health plans to provide a means for individuals to request access 
to protected health information about them. We proposed to require 
covered health care providers and health plans to take action on a 
request for access as soon as possible, but not later than 30 days 
following the request.
    As in the proposed rule, the final rule requires covered entities 
to permit an individual to request access to inspect or to obtain a 
copy of the protected health information about the individual that is 
maintained in a designated record set. We additionally permit covered 
entities to require individuals to make requests for access in writing, 
if the individual is informed of this requirement.
    In the final rule, we eliminate the requirement for the covered 
entity to act on a request as soon as possible. We recognize that 
circumstances may arise in which an individual will request access on 
an expedited basis. We encourage covered entities to have procedures in 
place for handling such requests. The time limitation is intended to be 
an outside deadline, rather than an expectation.
    In the final rule, covered entities must act on a request for 
access within 30 days of receiving the request if the information is 
maintained or accessible on-site. Covered entities must act on a 
request for access within 60 days of receiving the request if the 
information is not maintained or accessible on-site. If the covered 
entity is unable to act on a request within the applicable deadline, it 
may extend the deadline by no more than 30 days by providing the 
individual with a written statement of the reasons for the delay and 
the date by which the covered entity will complete its action on the 
request. This written statement describing the extension must be 
provided within the standard deadline. A covered entity may only extend 
the deadline once per request for access. This provision permits a 
covered entity to take a total of up to 60 days to act on a request for 
access to information maintained on-site and up to 90 days to act on a 
request for access to information maintained off-site.
    The requirements for a covered entity to comply with or deny a 
request for access, in whole or in part, are described below.

Section 164.524(c)--Provision of Access

    In the NPRM, we proposed to require covered health care providers 
and health plans, upon accepting a request for access, to notify the 
individual of the decision and of any steps necessary to fulfill the 
request; to provide the information requested in the form or format 
requested, if readily producible in such form or format; and to 
facilitate the process of inspection and copying.
    We generally retain the proposed approach in the final rule. If a 
covered entity accepts a request, in whole or in part, it must notify 
the individual of the decision and provide the access requested. 
Individuals have the right both to inspect and to copy protected health 
information in a designated record set. The individual may choose 
whether to inspect the information, to copy the information, or to do 
both.
    In the final rule, we clarify that if the same protected health 
information is maintained in more than one designated record set or at 
more than one location, the covered entity is required to produce the 
information only once per request for access. We intend this provision 
to reduce covered entities' burden in complying with requests without 
reducing individuals' access to protected health information. We note 
that summary information and reports

[[Page 82557]]

are not the same as the underlying information on which the summary or 
report was based. Individuals have the right to obtain access both to 
summaries and to the underlying information. An individual retains the 
right of access to the underlying information even if the individual 
requests access to, or production of, a summary. (See below regarding 
requests for summaries.)
    The covered entity must provide the information requested in the 
form or format requested if it is readily producible in such form or 
format. For example, if the covered entity maintains health information 
electronically and the individual requests an electronic copy, the 
covered entity must accommodate such request, if possible. 
Additionally, we specify that if the information is not available in 
the form or format requested, the covered entity must produce a readily 
readable hard copy of the information or another form or format to 
which the individual and covered entity can agree. If the individual 
agrees, including agreeing to any associated fees (see below), the 
covered entity may provide access to a summary of information rather 
than all protected health information in designated record sets. 
Similarly, a covered entity may provide an explanation in addition to 
the protected health information, if the individual agrees in advance 
to the explanation and any associated fees.
    The covered entity must provide the access requested in a timely 
manner, as described above, and arrange for a mutually convenient time 
and place for the individual to inspect the protected health 
information or obtain a copy. If the individual requests that the 
covered entity mail a copy of the information, the covered entity must 
do so, and may charge certain fees for copying and mailing. For 
requests to inspect information that is maintained electronically, the 
covered entity may print a copy of the information and allow the 
individual to view the print-out on-site. Covered entities may discuss 
the request with the individual as necessary to facilitate the timely 
provision of access. For example, if the individual requested a copy of 
the information by mail, but the covered entity is able to provide the 
information faster by providing it electronically, the covered entity 
may discuss this option with the individual.
    We proposed in the NPRM to permit the covered entity to charge a 
reasonable, cost-based fee for copying the information.
    We clarify this provision in the final rule. If the individual 
requests a copy of protected health information, a covered entity may 
charge a reasonable, cost-based fee for the copying, including the 
labor and supply costs of copying. If hard copies are made, this would 
include the cost of paper. If electronic copies are made to a computer 
disk, this would include the cost of the computer disk. Covered 
entities may not charge any fees for retrieving or handling the 
information or for processing the request. If the individual requests 
the information to be mailed, the fee may include the cost of postage. 
Fees for copying and postage provided under state law, but not for 
other costs excluded under this rule, are presumed reasonable. If such 
per page costs include the cost of retrieving or handling the 
information, such costs are not acceptable under this rule.
    If the individual requests an explanation or summary of the 
information provided, and agrees in advance to any associated fees, the 
covered entity may charge for preparing the explanation or summary as 
well.
    The inclusion of a fee for copying is not intended to impede the 
ability of individuals to copy their records. Rather, it is intended to 
reduce the burden on covered entities. If the cost is excessively high, 
some individuals will not be able to obtain a copy. We encourage 
covered entities to limit the fee for copying so that it is within 
reach of all individuals.
    We do not intend to affect the fees that covered entities charge 
for providing protected health information to anyone other than the 
individual. For example, we do not intend to affect current practices 
with respect to the fees one health care provider charges for 
forwarding records to another health care provider for treatment 
purposes.

Section 164.524(d)--Denial of Access

    We proposed in the NPRM to require a covered health care provider 
or health plan that elects to deny a request for inspection or copying 
to make any other protected health information requested available to 
the individual to the extent possible, consistent with the denial.
    In the final rule, we clarify the proposed approach. A covered 
entity that denies access, in whole or in part, must, to the extent 
possible, give the individual access to any other protected health 
information requested after excluding the protected health information 
to which the covered entity has a ground to deny access. We intend 
covered entities to redact or otherwise exclude only the information 
that falls within one or more of the denial criteria described above 
and to permit inspection and copying of all remaining information, to 
the extent it is possible to do so.
    We also proposed to require covered providers and health plans, 
upon denying a request for access in whole or in part, to provide the 
individual with a written statement in plain language of the basis for 
the denial and how the individual could make a complaint to the covered 
entity or the Secretary.
    We retain the proposed approach. A covered entity that denies 
access, in whole or in part, must provide the individual with a written 
denial in plain language that explains the basis for the denial. The 
written denial could include a direct reference to the section of the 
regulation relied upon for the denial, but the regulatory citation 
alone does not sufficiently explain the reason for the denial. The 
written denial must also describe how the individual can complain to 
the covered entity and the Secretary and must include the name or title 
and the telephone number of the covered entity's contact person or 
office that is responsible for receiving complaints.
    In the final rule, we impose two additional requirements when the 
covered entity denies access, in whole or in part. First, if a covered 
entity denies a request on the basis of one of the reviewable grounds 
for denial, the written denial must describe the individual's right to 
a review of the denial and how the individual may exercise this right. 
Second, if the covered entity denies the request because it does not 
maintain the requested information, and the covered entity knows where 
the requested information is maintained, the covered entity must inform 
the individual where to direct the request for access.
    Finally, we specify a covered entity's responsibilities when an 
individual requests a review of a denial. If the individual requests a 
review of a denial made under Sec. 164.524(a)(3), the covered entity 
must designate a licensed health care professional to act as the 
reviewing official. This reviewing official must not have been involved 
in the original decision to deny access. The covered entity must 
promptly refer a request for review to the designated reviewing 
official. The reviewing official must determine, within a reasonable 
period of time, whether or not to deny the access requested based on 
the standards in Sec. 164.524(a)(3). The covered entity must promptly 
provide the individual with written notice of the reviewing official's 
decision and otherwise carry out the decision in accordance with the 
requirements of this section.

[[Page 82558]]

Section 164.524(e)--Policies, Procedures, and Documentation

    As in the proposed rule, we establish documentation requirements 
for covered entities that are subject to this provision. In accordance 
with Sec. 164.530(j), the covered entity must retain documentation of 
the designated record sets that are subject to access by individuals 
and the titles of the persons or offices responsible for receiving and 
processing requests for access by individuals.

Section 164.526--Amendment of Protected Health Information

Section 164.526(a)--Right to Amend

    In proposed Sec. 164.516, we proposed to establish the individual's 
right to request a covered health care provider or health plan to amend 
or correct protected health information about the individual for as 
long as the covered entity maintains the information.
    In Sec. 164.526 of the final rule, we retain the general proposed 
approach, but establish an individual's right to have the covered 
entity amend, rather than amend or correct, protected health 
information. This right applies to protected health information and 
records in a designated record set for as long as the information is 
maintained in the designated record set. In the final rule, covered 
health care providers, health plans, and health care clearinghouses 
that create or receive protected health information other than as a 
business associate must comply with these requirements.

Denial of Amendment

    We proposed to permit a covered health care provider or health plan 
to deny a request for amendment if it determined that the protected 
health information that was the subject of the request was not created 
by the covered provider or health plan, would not be available for 
inspection and copying under proposed Sec. 164.514, or was accurate and 
complete. A covered entity would have been permitted, but not required, 
to deny a request if any of these conditions were met.
    As in the proposed rule, the final rule permits a covered entity to 
deny a request for amendment if the covered entity did not create the 
protected health information or record that is the subject of the 
request for amendment. We add one exception to this provision: if the 
individual provides a reasonable basis to believe that the originator 
of the protected health information is no longer available to act on 
the requested amendment, the covered entity must address the request 
for amendment as though the covered entity had created the information.
    As in the proposed rule, a covered entity also may deny a request 
for amendment if the protected health information that is the subject 
of the request for amendment is not part of a designated record set or 
would not otherwise be available for inspection under Sec. 164.524. We 
eliminate the ability to deny a request for amendment if the 
information or record that is the subject of the request would not be 
available for copying under the rule. Under Sec. 164.524(a)(2)(ii), an 
inmate may be denied a copy of protected health information about the 
inmate. We intend to preserve an inmate's ability to request amendments 
to information, even if a copy of the information would not be 
available to the inmate, subject to the other exceptions provided in 
this section.
    Finally, as in the proposed rule, a covered entity may deny a 
request for amendment if the covered entity determines that the 
information in dispute is accurate and complete. We draw this concept 
from the Privacy Act of 1974, governing records held by federal 
agencies, which permits an individual to request correction or 
amendment of a record ``which the individual believes is not accurate, 
relevant, timely, or complete.'' (5 U.S.C. 552a(d)(2)). We adopt the 
standards of ``accuracy'' and ``completeness'' and draw on the 
clarification and analysis of these terms that have emerged in 
administrative and judicial interpretations of the Privacy Act during 
the last 25 years. We note that for federal agencies that are also 
covered entities, this rule does not diminish their present obligations 
under the Privacy Act of 1974.
    This right is not intended to interfere with medical practice or to 
modify standard business record keeping practices. Perfect records are 
not required. Instead, a standard of reasonable accuracy and 
completeness should be used. In addition, this right is not intended to 
provide a procedure for substantive review of decisions such as 
coverage determinations by payors. It is intended only to affect the 
content of records, not the underlying truth or correctness of 
materials recounted therein. Attempts under the Privacy Act of 1974 to 
use this mechanism as a basis for collateral attack on agency 
determinations have generally been rejected by the courts. The same 
results are intended here.

Section 164.526(b)--Requests for Amendment and Timely Action

    We proposed to require covered health care providers and health 
plans to provide a means for individuals to request amendment of 
protected health information about them. Under the NPRM, we would have 
required covered health care providers and health plans to take action 
on a request for amendment or correction within 60 days of the request.
    As in the proposed rule, covered entities must permit individuals 
to request that the covered entity amend protected health information 
about them. We also permit certain specifications for the form and 
content of the request. If a covered entity informs individuals of such 
requirements in advance, a covered entity may require individuals to 
make requests for amendment in writing and to provide a reason to 
support a requested amendment. If the covered entity imposes such a 
requirement and informs individuals of the requirement in advance, the 
covered entity is not required to act on an individual's request that 
does not meet the requirements.
    We retain the requirement for covered entities to act on a request 
for amendment within 60 days of receipt of the request. In the final 
rule, we specify the nature of the action the covered entity must take 
within the time frame. The covered entity must inform the individual, 
as described below, that the request has been either accepted or 
denied, in whole or in part. It must also take certain actions pursuant 
to its decision to accept or deny the request, as described below. If 
the covered entity is unable to meet the deadline, the covered entity 
may extend the deadline by no more than 30 days. The covered entity 
must inform the individual in writing, within the initial 60-day 
period, of the reason for the delay and the date by which the covered 
entity will complete its action on the request. A covered entity may 
only extend the deadline one time per request for amendment.

Section 164.526(c)--Accepting the Amendment

    If a covered health care provider or health plan accepted a request 
for amendment, in whole or in part, we proposed to require the covered 
entity to make the appropriate change. The covered entity would have 
had to identify the challenged entries as amended or corrected and 
indicate the location of the amended or corrected information.

[[Page 82559]]

    We also proposed to require the covered provider or health plan to 
make reasonable efforts to notify certain entities of the amendment: (1) 
entities the individual identified as needing to be notified and (2) 
entities the covered provider or health plan knew had received the 
erroneous or incomplete information and who may have relied, or could 
foreseeably rely, on such information to the detriment of the 
individual.
    The covered provider or health plan would also have been required 
to notify the individual of the decision to amend the information.
    As in the proposed rule, if a covered entity accepts an 
individual's request for amendment or correction, it must make the 
appropriate amendment. In the final rule, we clarify that, at a 
minimum, the covered entity must identify the records in the designated 
record set that are affected by the amendment and must append or 
otherwise provide a link to the location of the amendment. We do not 
require covered entities to expunge any protected health information. 
Covered entities may expunge information if doing so is consistent with 
other applicable law and the covered entity's record keeping practices.
    We alter some of the required procedures for informing the 
individual and others of the accepted amendment. As in the proposed 
rule, the covered entity must inform individuals about accepted 
amendments. In the final rule, the covered entity must obtain the 
individual's agreement to have the amended information shared with 
certain persons. If the individual agrees, the covered entity must make 
reasonable efforts to provide a copy of the amendment within a 
reasonable time to: (1) Persons the individual identifies as having 
received protected health information about the individual and needing 
the amendment; and (2) persons, including business associates, that the 
covered entity knows have the unamended information and who may have 
relied, or could foreseeably rely, on the information to the detriment 
of the individual. For example, a covered entity must make reasonable 
efforts to inform a business associate that uses protected health 
information to make decisions about individuals about amendments to 
protected health information used for such decisions.

Section 164.526(d)--Denying the Amendment

    If a covered health care provider or health plan denied a request 
for amendment, in whole or in part, we proposed to require the covered 
entity to provide the individual with a written statement in plain 
language of the basis for the denial, a description of how the 
individual could submit a written statement of disagreement with the 
denial, and a description of how the individual could make a complaint 
with the covered entity and the Secretary.
    We proposed to require covered health care providers and health 
plans to have procedures to permit the individual to file a written 
statement of disagreement with the denial and to include the covered 
entity's statement of denial and the individual's statement of 
disagreement with any subsequent disclosure of the disputed 
information. Covered entities would have been permitted to establish a 
limit to the length of the individual's statement of disagreement and 
to summarize the statement if necessary. We also proposed to permit 
covered entities to provide a rebuttal to the individual's statement 
with future disclosures.
    As in the proposed rule, if a covered entity denies a request for 
amendment, it must provide the individual with a statement of denial 
written in plain language. The written denial must include the basis 
for the denial, how the individual may file a written statement 
disagreeing with the denial, and how the individual may make a 
complaint to the covered entity and the Secretary.
    In the final rule, we additionally require the covered entity to 
inform individuals of their options with respect to future disclosures 
of the disputed information in order to ensure that an individual is 
aware of his or her rights. The written denial must state that if the 
individual chooses not to file a statement of disagreement, the 
individual may request that the covered entity include the individual's 
request for amendment and the covered entity's denial of the request 
with any future disclosures of the protected health information that is 
the subject of the requested amendment.
    As in the proposed rule, the covered entity must permit the 
individual to submit a written statement disagreeing with the denial 
and the basis of such disagreement. The covered entity may reasonably 
limit the length of a statement of disagreement and may prepare a 
written rebuttal to the individual's statement of disagreement. If the 
covered entity prepares a rebuttal, it must provide a copy to the 
individual.
    The covered entity must identify the record or protected health 
information that is the subject of the disputed amendment and append or 
otherwise link the following information to the designated record set: 
the individual's request for amendment, the covered entity's denial of 
the request, the individual's statement of disagreement (if any), and 
the covered entity's rebuttal (if any). If the individual submits a 
written statement of disagreement, all of the appended or linked 
information, or an accurate summary of it, must be included with any 
subsequent disclosure of the protected health information to which the 
disagreement relates. If the individual does not submit a written 
statement of disagreement, the covered entity must include the appended 
or linked information only if the individual requests that the covered 
entity do so.
    In the final rule, we clarify that when a subsequent disclosure is 
a standard transaction adopted under the Transactions Rule that cannot 
accommodate the additional materials described above, the covered 
entity may separately disclose the additional material to the recipient 
of the transaction.
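The accept/deny bookkeeping that Sec. 164.526(b) through (d) describe (act within 60 days with one 30-day extension, append or link rather than expunge, and send the dispute materials out with later disclosures only when a statement of disagreement was filed or the individual asked for it) modelled as an added Python sketch; this is not part of the Federal Register text, and the class names, the length limit and the sample dates are constructed.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

MAX_DISAGREEMENT_CHARS = 4000   # a "reasonable" length limit; the number is constructed
RECEIVED = date(2001, 4, 2)     # constructed date on which a request was received


@dataclass
class AmendmentFile:
    """Material appended or linked to the designated record set for one request."""
    request: str
    accepted: bool
    amendment: Optional[str] = None           # the amended information, if accepted
    denial: Optional[dict] = None             # plain-language denial notice, if denied
    disagreement: Optional[str] = None        # individual's written statement, if any
    rebuttal: Optional[str] = None            # covered entity's rebuttal (copy goes to the individual)
    include_if_no_disagreement: bool = False  # individual asked that request+denial go out anyway


@dataclass
class Record:
    record_id: str
    content: str                              # the original entry is never expunged here
    files: list = field(default_factory=list)


def action_deadline(received: date, extension_days: int = 0) -> date:
    """Act within 60 days; one extension of no more than 30 days, notified in writing."""
    if not 0 <= extension_days <= 30:
        raise ValueError("only a single extension of at most 30 days is permitted")
    return received + timedelta(days=60 + extension_days)


def denial_notice(basis: str, how_to_disagree: str, how_to_complain: str) -> dict:
    """Elements the written denial must contain."""
    return {"basis": basis, "how_to_disagree": how_to_disagree,
            "how_to_complain": how_to_complain,
            "option": "without a statement of disagreement you may still ask that this "
                      "request and denial accompany future disclosures"}


def accept(record: Record, request: str, amendment: str) -> AmendmentFile:
    f = AmendmentFile(request, True, amendment=amendment)
    record.files.append(f)                    # append/link only; content stays as it was
    return f


def deny(record: Record, request: str, notice: dict, disagreement: Optional[str] = None,
         rebuttal: Optional[str] = None, include_if_no_disagreement: bool = False):
    if disagreement is not None and len(disagreement) > MAX_DISAGREEMENT_CHARS:
        raise ValueError("statement of disagreement exceeds the length limit")
    if rebuttal is not None and disagreement is None:
        raise ValueError("a rebuttal answers a statement of disagreement")
    f = AmendmentFile(request, False, denial=notice, disagreement=disagreement,
                      rebuttal=rebuttal, include_if_no_disagreement=include_if_no_disagreement)
    record.files.append(f)
    return f


def disclosure_package(record: Record) -> dict:
    """What accompanies a subsequent disclosure of this record."""
    pkg = {"content": record.content, "amendments": [], "disputes": []}
    for f in record.files:
        if f.accepted:
            pkg["amendments"].append(f.amendment)
        elif f.disagreement is not None or f.include_if_no_disagreement:
            pkg["disputes"].append({"request": f.request, "denial": f.denial,
                                    "disagreement": f.disagreement, "rebuttal": f.rebuttal})
    return pkg
```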

Section 164.526(e)--Actions on Notices of Amendment

    We proposed to require any covered entity that received a 
notification of amendment to have procedures in place to make the 
amendment in any of its designated record sets and to notify its 
business associates, if appropriate, of amendments.
    We retain the proposed approach in the final rule. If a covered 
entity receives a notification of amended protected health information 
from another covered entity as described above, the covered entity must 
make the necessary amendment to protected health information in 
designated record sets it maintains. In addition, covered entities must 
require their business associates who receive such notifications to 
incorporate any necessary amendments to designated record sets 
maintained on the covered entity's behalf. (See Sec. 164.504 regarding 
business associate requirements.)

Section 164.526(f)--Policies, Procedures, and Documentation

    As in the proposed rule, we establish documentation requirements 
for covered entities subject to this provision. In accordance with 
Sec. 164.530(j), the covered entity must document the titles of the 
persons or offices responsible for receiving and processing requests 
for amendment.

Sec. 164.528--Accounting of Disclosures of Protected Health 
Information

Right to an Accounting of Disclosures

    We proposed in the NPRM to grant individuals a right to receive an

[[Page 82560]]

accounting of all disclosures of protected health information about 
them by a covered entity for purposes other than treatment, payment, 
and health care operations. We proposed this right to exist for as long 
as the covered entity maintained the protected health information.
    We also proposed that individuals would not have a right to an 
accounting of disclosures to health oversight or law enforcement 
agencies if the agency provided a written request for exclusion for a 
specified time period and the request stated that access by the 
individual during that time period would be reasonably likely to impede 
the agency's activities.
    We generally retain the proposed approach in the final rule. As in 
the proposed rule, individuals have a right to receive an accounting of 
disclosures made by a covered entity, including disclosures by or to a 
business associate of the covered entity, for purposes other than 
treatment, payment, and health care operations, subject to certain 
exceptions as discussed below.
    We revise the duration of this right under the final rule. 
Individuals have a right to an accounting of the applicable disclosures 
that have been made in the 6 year period prior to the date of a request 
for an accounting. We additionally clarify in Sec. 164.528(b)(1) that 
an individual may request, and a covered entity may then provide, an 
accounting of disclosures for a period of time less than 6 years from 
the date of the request. For example, an individual could request an 
accounting only of disclosures that occurred during the year prior to 
the request.
    In the final rule, we exclude several additional types of 
disclosures from the accounting requirement. Covered entities are not 
required to include in the accounting disclosures to the individual as 
provided in Sec. 164.502; disclosures for facility directories, 
disclosures to persons involved in the individual's care, or other 
disclosures for notification purposes as provided in Sec. 164.510; 
disclosures for national security or intelligence purposes as provided 
in Sec. 164.512(k)(2); disclosures to correctional institutions or law 
enforcement officials as provided in Sec. 164.512(k)(5); or any 
disclosures that were made by the covered entity prior to the 
compliance date of the rule for that covered entity.
    We retain the time-limited exclusion for disclosures to health 
oversight and law enforcement agencies, but require rather than permit 
the exclusion for the specified time period. Covered entities must 
exclude disclosures to a health oversight agency or law enforcement 
official from the accounting for the time period specified by the 
applicable agency or official if the agency or official provides the 
covered entity with a statement that inclusion of the disclosure(s) in 
the accounting to the individual during that time period would be 
reasonably likely to impede the agency or official's activities. The 
agency or official's statement must specifically state how long the 
information must be excluded. At the expiration of that period, the 
covered entity is required to include the disclosure(s) in an 
accounting for the individual. If the agency or official's statement is 
made orally, the covered entity must document the identity of the 
agency or official who made the statement and must exclude the 
disclosure(s) for no longer than 30 days from the date of the oral 
statement, unless a written statement is provided during that time. If 
the agency or official provides a written statement, the covered entity 
must exclude the disclosure(s) for the time period specified in the 
written statement.

Content of the Accounting

    We proposed in the NPRM to require the accounting to include all 
disclosures as described above, including disclosures authorized by the 
individual. The accounting would have been required to contain the date 
of each disclosure; the name and address of the organization or person 
who received the protected health information; a brief description of 
the information disclosed; and copies of all requests for disclosures. 
For disclosures other than those made at the request of the individual, 
the accounting would have also included the purpose for which the 
information was disclosed.
    We generally retain the proposed approach in the final rule, but do 
not require covered entities to make copies of authorizations or other 
requests for disclosures available with the accounting. Instead, we 
require the accounting to contain a brief statement of the purpose of 
the disclosure. The statement must reasonably inform the individual of 
the basis for the disclosure. In lieu of the statement of purpose, a 
covered entity may include a copy of the individual's authorization 
under Sec. 164.508 or a copy of a written request for disclosure, if 
any, under Sec. 164.502(a)(2)(ii) or Sec. 164.512. We also clarify that 
covered entities are only required to include the address of the 
recipient of the disclosed protected health information if the covered 
entity knows the address.
    We add a provision allowing for a summary accounting of recurrent 
disclosures. For multiple disclosures to the same recipient pursuant to 
a single authorization under Sec. 164.508 or for a single purpose under 
Secs. 164.502(a)(2)(ii) or 164.512, the covered entity may provide a 
summary accounting addressing the series of disclosures rather than a 
detailed accounting of each disclosure in the series. In this 
circumstance, a covered entity may limit the accounting of the series 
of disclosures to the following information: the information otherwise 
required above for the first disclosure in the series during the 
accounting period; the frequency, periodicity, or number of disclosures 
made during the accounting period; and the date of the most recent 
disclosure in the series. For example, if under Sec. 164.512(b), a 
covered entity discloses the same protected health information to a 
public health authority for the same purpose every month, it can 
account for those disclosures by including in the accounting the date 
of the first disclosure, the public health authority to whom the 
disclosures were made and the public health authority's address, a 
brief description of the information disclosed, a brief description of 
the purpose of the disclosures, the fact that the disclosures were made 
every month during the accounting period, and the date of the most 
recent disclosure.
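The accounting rules laid out above for Sec. 164.528 (the 6-year lookback capped at the compliance date, the excluded purposes, the oversight/law-enforcement exclusion with its 30-day limit on oral statements, the address-only-if-known rule, the summary accounting for a recurring series, and the one free accounting per 12 months) as an added Python sketch of a disclosure log; it is not part of the Federal Register text, and the purpose labels, compliance date and sample disclosures are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Disclosures the text says need not appear in an accounting. Labels are constructed.
EXCLUDED_PURPOSES = {
    "treatment", "payment", "health_care_operations",
    "to_individual",                           # Sec. 164.502
    "facility_directory", "involved_in_care",  # Sec. 164.510
    "national_security",                       # Sec. 164.512(k)(2)
    "correctional",                            # Sec. 164.512(k)(5)
}

COMPLIANCE_DATE = date(2003, 4, 14)            # constructed compliance date for the entity


@dataclass
class Disclosure:
    when: date
    recipient: str
    address: Optional[str]          # listed only if the covered entity knows it
    description: str                # brief description of what was disclosed
    purpose: str                    # brief statement of purpose (or a label above)
    authority: str = ""             # e.g. "164.512(b)"; same value marks one series
    excluded_until: Optional[date] = None   # oversight / law-enforcement exclusion


def exclusion_end(stated_on: date, written: bool, days: Optional[int] = None) -> date:
    """Last day a disclosure stays out of the accounting at an agency's request."""
    if written:
        if days is None:
            raise ValueError("a written statement must say how long to exclude")
        return stated_on + timedelta(days=days)
    return stated_on + timedelta(days=30)   # oral: 30 days unless a written one follows


def years_before(d: date, n: int) -> date:
    try:
        return d.replace(year=d.year - n)
    except ValueError:                      # 29 February in a non-leap year
        return d.replace(year=d.year - n, day=28)


def accounting(log, requested_on: date, period: Optional[timedelta] = None) -> list:
    """Entries owed to the individual for a request made on `requested_on`."""
    start = max(years_before(requested_on, 6), COMPLIANCE_DATE)
    if period is not None:                  # shorter period asked for by the individual
        start = max(start, requested_on - period)
    series, entries = {}, []
    for d in sorted(log, key=lambda x: x.when):
        if not start <= d.when <= requested_on or d.purpose in EXCLUDED_PURPOSES:
            continue
        if d.excluded_until is not None and requested_on <= d.excluded_until:
            continue                        # agency's exclusion period still running
        key = (d.recipient, d.authority) if d.authority else None
        if key in series:                   # recurrent disclosure: summarise the series
            series[key]["count"] += 1
            series[key]["most_recent"] = d.when
            continue
        entry = {"date": d.when, "recipient": d.recipient,
                 "description": d.description, "purpose": d.purpose}
        if d.address:
            entry["address"] = d.address
        if key is not None:
            entry.update(count=1, most_recent=d.when)
            series[key] = entry
        entries.append(entry)
    return entries


def fee_may_apply(prior_requests, requested_on: date) -> bool:
    """First accounting in any 12-month period is free; later ones may carry a fee."""
    return any(requested_on - timedelta(days=365) < p <= requested_on for p in prior_requests)


def sample_log() -> list:
    """Constructed disclosure history for one individual."""
    monthly = [Disclosure(date(2004, m, 10), "State Health Dept", "1 Capitol Way",
                          "immunization record", "public health", "164.512(b)")
               for m in (1, 2, 3)]
    return monthly + [
        Disclosure(date(2004, 5, 1), "Dr. Referral", None, "visit notes", "treatment"),
        Disclosure(date(2004, 6, 15), "County Sheriff", None, "admission date",
                   "law enforcement", excluded_until=exclusion_end(date(2004, 6, 10), False)),
        Disclosure(date(2004, 7, 20), "Research Study", None, "lab values",
                   "research under IRB waiver"),
        Disclosure(date(2002, 9, 1), "Old Insurer", None, "claim", "research"),  # pre-compliance
    ]


def demo() -> dict:
    log = sample_log()
    return {
        "august": accounting(log, date(2004, 8, 1)),
        "july": accounting(log, date(2004, 7, 1)),
        "last_30_days": accounting(log, date(2004, 8, 1), timedelta(days=30)),
        "fee": fee_may_apply([date(2004, 1, 15)], date(2004, 8, 1)),
    }
```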

Provision of the Accounting

    We proposed in the NPRM to require covered entities to provide 
individuals with an accounting of disclosures as soon as possible, but 
not later than 30 days following receipt of the request for the 
accounting.
    In the final rule, we eliminate the requirement for the covered 
entity to act as soon as possible. We recognize that circumstances may 
arise in which an individual will request an accounting on an expedited 
basis. We encourage covered entities to implement procedures for 
handling such requests. The time limitation is intended to be an 
outside deadline, rather than an expectation. We expect covered 
entities always to be attentive to the circumstances surrounding each 
request and to respond in an appropriate time frame.
    In the final rule, covered entities must provide a requested 
accounting no later than 60 days after receipt of the request. If the 
covered entity is unable to meet the deadline, the covered entity may 
extend the deadline by no more than 30 days. The covered entity must 
inform the individual in writing, within the standard 60-day deadline, 
of the reason for the delay and the date by which the covered entity 
will provide the request.

[[Page 82561]]

A covered entity may only extend the deadline one time per request for 
accounting.
    The NPRM did not address whether a covered entity could charge a 
fee for the accounting of disclosures.
    In the final rule, we provide that individuals have a right to 
receive one free accounting per 12 month period. For each additional 
request by an individual within the 12 month period, the covered entity 
may charge a reasonable, cost-based fee. If it imposes such a fee, the 
covered entity must inform the individual of the fee in advance and 
provide the individual with an opportunity to withdraw or modify the 
request in order to avoid or reduce the fee.

Procedures and Documentation

    As in the proposed rule, we establish documentation requirements 
for covered entities subject to this provision. In accordance with 
Sec. 164.530(j), for disclosures that are subject to the accounting 
requirement, the covered entity must retain documentation of the 
information required to be included in the accounting. The covered 
entity must also retain a copy of any accounting provided and must 
document the titles of the persons or offices responsible for receiving 
and processing requests for an accounting.

Section 164.530--Administrative Requirements

Designation of a Privacy Official and Contact Person

    In Sec. 164.518(a) of the NPRM, we proposed that covered entities 
be required to designate an individual as the covered entity's privacy 
official, responsible for the implementation and development of the 
entity's privacy policies and procedures. We also proposed that covered 
entities be required to designate a contact person to receive 
complaints about privacy and provide information about the matters 
covered by the entity's notice. We indicated that the contact person 
could be, but was not required to be, the person designated as the 
privacy official. We proposed to leave implementation details to the 
discretion of the covered entity. We expected implementation to vary 
widely depending on the size and nature of the covered entity, with 
small offices assigning this as an additional duty to an existing staff 
person, and large organizations creating a full-time privacy official. 
In proposed Sec. 164.512, we also proposed to require the covered plan 
or provider's privacy notice to include the name of a contact person 
for privacy matters.
    The final regulation retains the requirements for a privacy 
official and contact person as specified in the NPRM. These 
designations must be documented. The designation of privacy official 
and contact person positions within affiliated entities will depend on 
how the covered entity chooses to designate the covered entity(ies) 
under Sec. 164.504(b). If a subsidiary is defined as a covered entity 
under this regulation, then a separate privacy official and contact 
person is required for that covered entity. If several subsidiaries are 
designated as a single covered entity, pursuant to Sec. 164.504(b), 
then together they need have only a single privacy officer and contact 
person. If several covered entities share a notice for services 
provided on the same premises, pursuant to Sec. 164.520(d), that notice 
need designate only one privacy official and contact person for the 
information collected under that notice.
    These requirements are consistent with the approach recommended by 
the Joint Commission on Accreditation of Healthcare Organizations, and 
the National Committee for Quality Assurance, in their paper ``Protecting 
Personal Health Information; A framework for Meeting the Challenges in 
a Managed Care Environment.'' This paper notes that ``accountability is 
enhanced by having focal points who are responsible for assessing 
compliance with policies and procedures * * * '' (p. 29).

Training

    In Sec. 164.518(b) of the NPRM we proposed to require that covered 
entities provide training on the entities' policies and procedures to 
all members of the workforce likely to have access to protected health 
information. Each entity would be required to provide initial training 
by the date on which this rule became applicable. After that date, each 
covered entity would have to provide training to new members of the 
workforce within a reasonable time after joining the entity. In 
addition, we proposed that when a covered entity made material changes 
in its privacy policies or procedures, it would be required to retrain 
those members of the workforce whose duties were related to the change 
within a reasonable time of making the change.
    The NPRM would have required that, upon completion of the training, 
the trainee would be required to sign a statement certifying that he or 
she received the privacy training and would honor all of the entity's 
privacy policies and procedures. Entities would determine the most 
effective means of achieving this training requirement for their 
workforce. We also proposed that, at least every three years after the 
initial training, covered entities would be required to have each 
member of the workforce sign a new statement certifying that he or she 
would honor all of the entity's privacy policies and procedures. The 
covered entity would have been required to document its policies and 
procedures for complying with the training requirements.
    The final regulation requires covered entities to train all members 
of their workforce on the policies and procedures with respect to 
protected health information required by this rule, as necessary and 
appropriate for the members of the workforce to carry out their 
functions within the covered entity. We do not change the proposed time 
lines for training existing and new members of the workforce, or for 
training due to material changes in the covered entity's policies and 
procedures. We eliminate both the requirement for employees to sign a 
certification following training and the triennial re-certification 
requirement. Covered entities are responsible for implementing policies 
and procedures to meet these requirements and for documenting that 
training has been provided.

Safeguards

    In Sec. 164.518(c) of the NPRM, we proposed to require covered 
entities to put in place administrative, technical, and physical 
safeguards to protect the privacy of protected health information. We 
made reference in the preamble to similar requirements proposed for 
certain electronic information in the Notice of Proposed Rulemaking 
entitled the Security and Electronic Signature Standards (HCFA-0049-P). 
We stated that we were proposing parallel and consistent requirements 
for safeguarding the privacy of protected health information. In 
Sec. 164.518(c)(3) of the NPRM, we required covered entities to have 
safeguards to ensure that information was not used in violation of the 
requirements of this subpart or by people who did not have proper 
authorization to access the information.
    We do not change the basic proposed requirements that covered 
entities have administrative, technical and physical safeguards to 
protect the privacy of protected health information. We combine the 
proposed requirements into a single standard that requires covered 
entities to safeguard protected health information from accidental or 
intentional use or disclosure that is a violation of the requirements 
of this rule

[[Page 82562]]

and to protect against the inadvertent disclosure of protected health 
information to persons other than the intended recipient. Limitations 
on access to protected health information by the covered entities 
workforce will also be covered by the policies and procedures for 
``minimum necessary'' use of protected health information, pursuant to 
Sec. 164.514(d). We expect these provisions to work in tandem.
    We do not prescribe the particular measures that covered entities 
must take to meet this standard, because the nature of the required 
policies and procedures will vary with the size of the covered entity 
and the type of activities that the covered entity undertakes. (That 
is, as with other provisions of this rule, this requirement is 
``scalable.'') Examples of appropriate safeguards include requiring 
that documents containing protected health information be shredded 
prior to disposal, and requiring that doors to medical records 
departments (or to file cabinets housing such records) remain locked 
and limiting which personnel are authorized to have the key or pass-
code. We intend this to be a common sense, scalable, standard. We do 
not require covered entities to guarantee the safety of protected 
health information against all assaults. Theft of protected health 
information may or may not signal a violation of this rule, depending 
on the circumstances and whether the covered entity had reasonable 
policies to protect against theft. Organizations such as the 
Association for Testing and Materials (ASTM) and the American Health 
Information Management Association (AHIMA) have developed a body of 
recommended practices for handling of protected health information that 
covered entities may find useful.
    We note that the proposed HIPAA Security Standards would require 
covered entities to safeguard the privacy and integrity of health 
information. For electronic information, compliance with both 
regulations will be required.
    In Sec. 164.518(c)(2) of the NPRM we proposed requirements for 
verification procedures to establish identity and authority for 
permitted disclosures of protected health information.
    In the final rule, this material has been moved to Sec. 164.514(h).

Use or Disclosure of Protected Health Information by Whistleblowers

    In Sec. 164.518(c)(4) of the NPRM, this provision was entitled 
``Implementation Specification: Disclosures by whistleblowers.'' It is 
now retitled ``Disclosures by whistleblowers,'' with certain changes, 
and moved to Sec. 164.502(j)(1).

Complaints to the Covered Entity

    In Sec. 164.518(d) of the NPRM, we proposed to require covered 
entities to have a mechanism for receiving complaints from individuals 
regarding the health plan's or provider's compliance with the 
requirements of this proposed rule. We did not require that the health 
plan or provider develop a formal appeals mechanism, nor that ``due 
process'' or any similar standard be applied. Additionally, there was 
no requirement to respond in any particular manner or time frame.
    We proposed two basic requirements for the complaint process. 
First, the covered health plan or health care provider would be 
required to identify in the notice of information practices a contact 
person or office for receiving complaints. Second, the health plan or 
provider would be required to maintain a record of the complaints that 
are filed and a brief explanation of their resolution, if any.
    In the final rule, we retain the requirement for an internal 
complaint process for compliance with this rule, including the two 
basic requirements of identifying a contact person and documenting 
complaints received and their dispositions, if any. We expand the scope 
of complaints that covered entities must have a means of receiving to 
include complaints concerning violations of the covered entity's 
privacy practices, not just violations of the rule. For example, a 
covered entity must have a mechanism for receiving a complaint that 
patient information is used at a nursing station in a way that it can 
also be viewed by visitors to the hospital, regardless of whether the 
practices at the nursing stations might constitute a violation of this 
rule.

Sanctions

    In Sec. 164.518(e) of the NPRM, we proposed to require all covered 
entities to develop, and apply when appropriate, sanctions against 
members of its workforce who failed to comply with privacy policies or 
procedures of the covered entity or with the requirements of the rule. 
Covered entities would be required to develop and impose sanctions 
appropriate to the nature of the violation. The preamble stated that 
the type of sanction applied would vary depending on factors such as 
the severity of the violation, whether the violation was intentional or 
unintentional, and whether the violation indicated a pattern or 
practice of improper use or disclosure of protected health information. 
Sanctions could range from a warning to termination. The NPRM preamble 
language also stated that covered entities would be required to apply 
sanctions against business associates that violated the proposed rule.
    In the final rule, we retain the requirement for sanctions against 
members of a covered entity's workforce. We also require a covered 
entity to have written policies and procedures for the application of 
appropriate sanctions for violations of this subpart and to document 
those sanctions. These sanctions do not apply to whistleblower 
activities that meet the provisions of Sec. 164.502(j) or complaints, 
investigations, or opposition that meet the provisions of 
Sec. 164.530(g)(2). We eliminate language regarding business associates 
from this section. Requirements with respect to business associates are 
stated in Sec. 164.504.

Duty To Mitigate

    In proposed Sec. 164.518(f), we would have required covered 
entities to have policies and procedures for mitigating, to the extent 
practicable, any deleterious effect of a use or disclosure of protected 
health information in violation of the requirements of this subpart. 
The NPRM preamble also included specific language applying this 
requirement to harm caused by members of the covered entity's workforce 
and business associates.
    With respect to business associates, the NPRM preamble but not the 
NPRM rule text, stated that covered entities would have a duty to take 
reasonable steps in response to breaches of contract terms. Covered 
entities generally would not be required to monitor the activities of 
their business associates, but would be required to take steps to 
address problems of which they become aware, and, where the breach was 
serious or repeated, would also be required to monitor the business 
associate's performance to ensure that the wrongful behavior had been 
remedied. Termination of the arrangement would be required only if it 
became clear that a business associate could not be relied upon to 
maintain the privacy of protected health information provided to it.
    In the final rule, we clarify this requirement by imposing a duty 
for covered entities to mitigate any harmful effect of a use or 
disclosure of protected health information that is known to the covered 
entity. We apply the duty to mitigate to a violation of the covered 
entity's policies and procedures, not just a violation of the 
requirements of the subpart. We resolve the ambiguities in the NPRM by 
imposing this duty on covered entities for harm caused by

[[Page 82563]]

either members of their workforce or by their business associates.
    We eliminate the language regarding potential breaches of business 
associate contracts from this section. All other requirements with 
respect to business associates are stated in Sec. 164.504.

Refraining from Intimidating or Retaliatory Acts

    In Sec. 164.522(d)(4) of the NPRM, in the Compliance and 
Enforcement section, we proposed that one of the responsibilities of a 
covered entity would be to refrain from intimidating or retaliatory 
acts. Specifically, the rule provided that ``[a] covered entity may not 
intimidate, threaten, coerce, discriminate against, or take other 
retaliatory action against any individual for the filing of a complaint 
under this section, for testifying, assisting, participating in any 
manner in an investigation, compliance review, proceeding or hearing 
under this Act, or opposing any act or practice made unlawful by this 
subpart.''
    In the final rule, we continue to require that entities refrain 
from intimidating or retaliatory acts; however, the provisions have 
been moved to the Administrative Requirements provisions in 
Sec. 164.530. This change is not just clerical; in making this change, 
we apply this provision to the privacy rule alone rather than to all 
the HIPAA administrative simplification rules. (The compliance and 
enforcement provisions that were in Sec. 164 are now in Part 160, 
Subpart C.)
    We continue to prohibit retaliation against individuals for filing 
a complaint with the Secretary, but also prohibit retaliation against 
any other person who files such a complaint. This is the case because 
the term ``individual'' is generally limited to the person who is the 
subject of the information. The final rule prohibits retaliation 
against persons, not just individuals, for testifying, assisting, or 
participating in an investigation, compliance review, proceeding or 
hearing under Part C of Title XI. The proposed regulation referenced 
the ``Act,'' which is defined in Part 160 as the Social Security Act. 
Because we only intend to protect activities such as participation in 
investigations and hearings under the Administrative Simplification 
provisions of HIPAA, the final rule references Part C of Title XI of 
the Social Security Act.
    The proposed rule would have prohibited retaliatory actions against 
individuals for opposing any act or practice made unlawful by this 
subpart. The final rule retains this provision, but applies it to any 
person only if the person ``has a good faith belief that the practice 
opposed is unlawful, the manner of the opposition is reasonable and 
does not involve a disclosure of protected health information in 
violation of this subpart.'' The final rule provides additional 
protections, which had been included in the preamble to the proposed 
rule. Specifically, we prohibit retaliatory actions against individuals 
who exercise any right, or participate in any process established by 
the privacy rule (Part 164 Subpart E), and include as an example the 
filing of a complaint with the covered entity.

Waiver of Rights

    In the final regulation, but not in the proposed regulation, we 
provide that a covered entity may not require individuals to waive 
their rights to file a complaint with the Secretary or their other 
rights under this rule as a condition of the provision of treatment, 
payment, enrollment in a health plan or eligibility for benefits. This 
provision ensures that covered entities do not take away the rights 
that individuals have been provided in Parts 160 and 164.

Requirements for Policies and Procedures, and Documentation 
Requirements

    In Sec. 164.520 of the NPRM, we proposed to require covered 
entities to develop and document their policies and procedures for 
implementing the requirements of the rule. In the final regulation we 
retain this approach, but specify which standards must be documented in 
each of the relevant sections. In this section, we state the general 
administrative requirements applicable to all policies and procedures 
required throughout the regulation.
    In Sec. 164.530(i), (j), and (k) of the final rule, we amend the 
NPRM language in several respects. In Sec. 164.530(i) we require that 
the policies and procedures be reasonably designed to comply with the 
standards, implementation specifications, and other requirements of the 
relevant part of the regulation, taking into account the size of the 
covered entity and the nature of the activities undertaken by the 
covered entity that relate to protected health information. However, we 
clarify that the requirements that policies and procedures be 
reasonably designed may not be interpreted to permit or excuse any 
action that violates the privacy regulation. Where the covered entity 
has stated in its notice that it reserves the right to change 
information practices, we allow the new practice to apply to 
information created or collected prior to the effective date of the new 
practice and establish requirements for making this change. We also 
establish the conditions for making changes if the covered entity has 
not reserved the right to change its practices.
    We require covered entities to modify in a prompt manner their 
policies and procedures to comply with changes in relevant law and, 
where the change also affects the practices stated in the notice, to 
change the notice. We make clear that nothing in our requirements 
regarding changes to policies and procedures or changes to the notice 
may be used by a covered entity to excuse a failure to comply with 
applicable law.
    In Sec. 164.530(j), we require that the policies and procedures 
required throughout the regulation be maintained in writing, and that 
any other communication, action, activity, or designation that must be 
documented under this regulation be documented in writing. We note that 
``writing'' includes electronic storage; paper records are not 
required. We also note that, if a covered entity is required to 
document the title of a person, we mean the job title or similar 
description of the relevant position or office.
    We require covered entities to retain any documentation required 
under this rule for at least six years (the statute of limitations 
period for the civil penalties) from the date of the creation of the 
documentation, or the date when the document was last in effect, 
whichever is later. This generalizes the NPRM provision to cover all 
documentation required under the rule. The language on ``last was in 
effect'' is a change from the NPRM, which was worded ``unless a longer 
period applies under this subpart.''
    This approach is consistent with the approach recommended by the 
Joint Commission on Accreditation of Healthcare Organizations, and the 
National Committee for Quality Assurance, in its paper ``Protecting 
Personal Health Information; A framework for Meeting the Challenges in 
a Managed Care Environment.'' This paper notes that ``MCOs [Managed 
Care Organizations] should have clearly defined policies and procedures 
for dealing with confidentiality issues.'' (p. 29).

Standards for Certain Group Health Plans

    We add a new provision (Sec. 164.530(k)) to clarify the 
administrative responsibilities of group health plans that offer 
benefits through issuers and HMOs. Specifically, a group health plan 
that provides benefits solely through an issuer or HMO, and that does 
not create, receive or maintain protected health

[[Page 82564]]

information other than summary health information or information 
regarding enrollment and disenrollment, is not subject to the 
requirements of this section regarding designation of a privacy 
official and contact person, workforce training, safeguards, 
complaints, mitigation, or policies and procedures. Such a group health 
plan is only subject to the requirements of this section regarding 
documentation with respect to its plan documents. Issuers and HMOs are 
covered entities under this rule, and thus have independent obligations 
to comply with this section with respect to the protected health 
information they maintain about the enrollees in such group health 
plans. The group health plans subject to this provision will have only 
limited protected health information. Therefore, imposing these 
requirements on the group health plan would impose burdens not 
outweighed by a corresponding enhancement in privacy protections.

Section 164.532--Transition Provisions

    In the NPRM, we did not address the effect of the regulation on 
consents and authorizations covered entities obtained prior to the 
compliance date of the regulation.
    In the final rule, we clarify that, in certain circumstances, a 
covered entity may continue to rely upon consents, authorizations, or 
other express legal permissions obtained prior to the compliance date 
of this regulation to use or disclose protected health information even 
if these consents, authorizations, or permissions do not meet the 
requirements set forth in Secs. 164.506 or 164.508.
    We realize that a covered entity may wish to rely upon a consent, 
authorization, or other express legal permission obtained from an 
individual prior to the compliance date of this regulation which 
permits the use or disclosure of individually identifiable health 
information for activities that come within treatment, payment, or 
health care operations (as defined in Sec. 164.501), but that do not 
meet the requirements for consents set forth in Sec. 164.506. In the 
final rule, we permit a covered entity to rely upon such consent, 
authorization, or permission to use or disclose protected health 
information that it created or received before the applicable 
compliance date of the regulation to carry out the treatment, payment, 
or health care operations as long as it meets two requirements. First, 
the covered entity may not make any use or disclosure that is expressly 
excluded from the consent, authorization, or permission. Second, the 
covered entity must comply with all limitations expressed in the 
consent, authorization, or permission. Thus, we do not require a 
covered entity to obtain a consent that meets the requirements of 
Sec. 164.506 to use or disclose this previously obtained protected 
health information as long as the use or disclosure is consistent with 
the requirements of this section. However, a covered entity will need 
to obtain a consent that meets the requirements of Sec. 164.506 to the 
extent that it is required to obtain a consent under Sec. 164.506 from 
an individual before it may use or disclose any protected health 
information it creates or receives after the date by which it must 
comply with this rule.
    Similarly, we recognize that a covered entity may wish to rely upon 
a consent, authorization, or other express legal permission obtained 
from an individual prior to the applicable compliance date of this 
regulation that specifically permits the covered entity to use or 
disclose individually identifiable health information for activities 
other than to carry out treatment, payment, or health care operations. 
In the final rule, we permit a covered entity to rely upon such a 
consent, authorization, or permission to use or disclose protected 
health information that it created or received before the applicable 
compliance date of the regulation for the specific activities described 
in the consent, authorization, or permission as long as the covered 
entity complies with two requirements. First, the covered entity may 
not make any use or disclosure that is expressly excluded from the 
consent, authorization, or permission. Second, the covered entity must 
comply with all limitations expressed in the consent, authorization, or 
permission. Thus, we do not require a covered entity to obtain an 
authorization that meets the requirements of Sec. 164.508 to use or 
disclose this previously obtained protected health information so long 
as the use or disclosure is consistent with the requirements of this 
section. However, a covered entity will need to obtain an authorization 
that meets the requirements of Sec. 164.508, to the extent that it is 
required to obtain an authorization under this rule, from an individual 
before it may use or disclose any protected health information it 
creates or receives after the date by which it must comply with this 
rule.
    Additionally, the final rule acknowledges that covered entities may 
wish to rely upon consents, authorizations, or other express legal 
permission obtained from an individual prior to the applicable 
compliance date for a specific research project that includes the 
treatment of individuals, such as clinical trials. These consents, 
authorizations, or permissions may specifically permit a use or 
disclosure of individually identifiable health information for purposes 
of the project. Alternatively, they may be general consents to 
participate in the project. A covered entity may use or disclose 
protected health information it created or received before or after 
the applicable compliance date of this rule for purposes of the project 
provided that the covered entity complies with all limitations 
expressed in the consent, authorization, or permission.
    If, pursuant to this section, a covered entity relies upon a 
previously obtained consent, authorization, or other express legal 
permission and agrees to a request for a restriction by an individual 
under Sec. 164.522(a), any subsequent use or disclosure under that 
consent, authorization, or permission must comply with the agreed upon 
restriction as well.
    We believe it is necessary to grandfather in previously obtained 
consents, authorizations, or other express legal permissions in these 
circumstances to ensure that important functions of the health care 
system are not impeded. We link the effectiveness of such consents, 
authorizations, or permissions in these circumstances to the applicable 
compliance date to give covered entities sufficient notice of the 
requirements set forth in Secs. 164.506 and 164.508.
    The rule does not change the past effectiveness of consents, 
authorizations, or other express legal permissions that do not come 
within this section. This means that uses or disclosures of 
individually identifiable health information made prior to the 
compliance date of this regulation are not subject to sanctions, even 
if they were made pursuant to documents or permissions that do not meet 
the requirements of this rule or were made without permission. This 
rule alters only the future effectiveness of the previously obtained 
consents, authorizations, or permissions. Covered entities are not 
required to rely upon these consents, authorizations, or permissions 
and may obtain new consents or authorizations that meet the applicable 
requirements of Secs. 164.506 and 164.508.
    When reaching this decision, we considered requiring all covered 
entities to obtain new consents or authorizations consistent with the 
requirements of Secs. 164.506 and 164.508 before they would be able to 
use or disclose protected health information obtained

[[Page 82565]]

after the compliance date of these rules. We rejected this option 
because we recognize that covered entities may not always be able to 
obtain new consents or authorizations consistent with the requirements 
of Secs. 164.506 and 164.508 from all individuals upon whose 
information they rely. We also refrained from impeding the rights of 
covered entities to exercise their interests in the records they have 
created. We do not require covered entities with existing records or 
databases to destroy or remove the protected health information for 
which they do not have valid consents or authorizations that meet the 
requirements of Secs. 164.506 and 164.508. Covered entities may rely 
upon the consents, authorizations, or permissions they obtained from 
individuals prior to the applicable compliance date of this regulation 
consistent with the constraints of those documents and the requirements 
discussed above.
    We note that if a covered entity obtains before the applicable 
compliance date of this regulation a consent that meets the 
requirements of Sec. 164.506, an authorization that meets the 
requirements of Sec. 164.508, or an IRB or privacy board waiver of 
authorization that meets the requirements of Sec. 164.512(i), the 
consent, authorization, or waiver is effective for uses or disclosures 
that occur after the compliance date and that are consistent with the 
terms of the consent, authorization, or waiver.

Section 164.534--Compliance Dates for Initial Implementation of the 
Privacy Standards

    In the NPRM, we provided that a covered entity must be in 
compliance with this subpart not later than 24 months following the 
effective date of this rule, except that a covered entity that is a 
small health plan must be in compliance with this subpart not later 
than 36 months following the effective date of the rule.
    The final rule did not make any substantive changes. The format is 
changed so as to more clearly present the various compliance dates. The 
final rule lists the types of covered entities and then the various 
dates that would apply to each of these entities.

III. Section-by-Section Discussion of Comments

    The following describes the provisions in the final regulation, and 
the changes we make to the proposed provisions section-by-section. 
Following each section are our responses to the comments to that 
section. This section of the preamble is organized to follow the 
corresponding section of the final rule, not the NPRM.

General Comments

    We received many comments on the rule overall, not to a particular 
provision. We respond to those comments here. Similar comments, but 
directed to a specific provision in the proposed rule, are answered 
below in the corresponding section of this preamble.

Comments on the Need for Privacy Standards, and Effects of this 
Regulation on Current Protections

    Comment: Many commenters expressed the opinion that federal 
legislation is necessary to protect the privacy of individuals' health 
information. One comment advocated Congressional efforts to provide a 
comprehensive federal health privacy law that would integrate the 
substance abuse regulations with the privacy regulation.
    Response: We agree that comprehensive privacy legislation is 
urgently needed. This administration has urged the Congress to pass 
such legislation. While this regulation will improve the privacy of 
individuals' health information, only legislation can provide the full 
array of privacy protection that individuals need and deserve.
    Comment: Many commenters noted that they do not go to a physician, 
or do not completely share health information with their physician, 
because they are concerned about who will have access to that 
information. Many physicians commented on their patients' reluctance to 
share information because of fear that their information will later be 
used against them.
    Response: We agree that strong federal privacy protections are 
necessary to enhance patients' trust in the health care system.
    Comment: Many commenters expressed concerns that this regulation 
will allow access to health information by those who today do not have 
such access, or would allow their physician to disclose information 
which may not lawfully be disclosed today. Many of these commenters 
stated that today, they consent to every disclosure of health 
information about them, and that absent their consent the privacy of 
their health information is ``absolute.'' Others stated that, today, 
health information is disclosed only pursuant to a judicial order. 
Several commenters were concerned that this regulation would override 
stronger state privacy protection.
    Response: This regulation does not, and cannot, reduce current 
privacy protections. The statutory language of the HIPAA specifically 
mandates that this regulation does not preempt state laws that are more 
protective of privacy.
    As discussed in more detail later in this preamble, while many 
people believe that they must be asked permission prior to any release 
of health information about them, current laws generally do not impose 
such a requirement. Similarly, as discussed in more detail later in 
this preamble, judicial review is required today only for a small 
proportion of releases of health information.
    Comment: Many commenters asserted that today, medical records 
``belong'' to patients. Others asserted that patients own their medical 
information and health care providers and insurance companies who 
maintain health records should be viewed as custodians of the patients' 
property.
    Response: We do not intend to change current law regarding 
ownership of or responsibility for medical records. In developing this 
rule we reviewed current law on this and related issues, and built on 
that foundation.
    Under state laws, medical records are often the property of the 
health care provider or medical facility that created them. Some state 
laws also provide patients with access to medical records or an 
ownership interest in the health information in medical records. 
However, these laws do not divest the health care provider or the 
medical facility of its ownership interest in medical records. These 
statutes typically provide a patient the right to inspect or copy 
health information from the medical record, but not the right to take 
the provider's original copy of an item in the medical record. If a 
particular state law provides greater ownership rights, this regulation 
leaves such rights in place.
    Comment: Some commenters argued that the use and disclosure of 
sensitive personal information must be strictly regulated, and 
violation of such regulations should subject an entity to significant 
penalties and sanctions.
    Response: We agree, and share the commenters' concern that the 
penalties in the HIPAA statute are not sufficient to fully protect 
individuals' privacy interests. The need for stronger penalties is 
among the reasons we believe Congress should pass comprehensive privacy 
legislation.
    Comment: Many commenters expressed the opinion that the proposed 
rule should provide stricter privacy protections.

[[Page 82566]]

    Response: We received nearly 52,000 comments on the proposed 
regulation, and make substantial changes to the proposal in response to 
those comments. Many of these changes will strengthen the protections 
that were proposed in the NPRM.
    Comment: Many commenters expressed concern that their health 
information will be given to their employers.
    Response: We agree that employer access to health information is a 
particular concern. In this final regulation, we make significant 
changes to the NPRM that clarify and provide additional safeguards 
governing when and how the health plans covered by this regulation may 
disclose health information to employers.
    Comment: Several commenters argued that individuals should be able 
to sue for breach of privacy.
    Response: We agree, but do not have the legislative authority to 
grant a private right of action to sue under this statute. Only 
Congress can grant that right.

Objections to Government Access to Protected Health Information

    Comment: Many commenters urged the Department not to create a 
government database of health information, or a tracking system that 
would enable the government to track individuals' health information.
    Response: This regulation does not create such a database or 
tracking system, nor does it enable future creation of such a database. 
This regulation describes the ways in which health plans, health care 
clearinghouses, and certain health care providers may use and disclose 
identifiable health information with and without the individual's 
consent.
    Comment: Many commenters objected to government access to or 
control over their health information, which they believe the proposed 
regulation would provide.
    Response: This regulation does not increase current government 
access to health information. This rule sets minimum privacy standards. 
It does not require disclosure of health information, other than to the 
subject of the records or for enforcement of this rule. Health plans 
and health care providers are free to use their own professional ethics 
and judgement to adopt stricter policies for disclosing health 
information.
    Comment: Some commenters viewed the NPRM as creating fewer hurdles 
for government access to protected health information than for access 
to protected health information by private organizations. Some health 
care providers commented that the NPRM would impose substantial new 
restrictions on private sector use and disclosure of protected health 
information, but would make government access to protected health 
information easy. One consumer advocacy group made the same 
observation.
    Response: We acknowledge that many of the national priority 
purposes for which we allow disclosure of protected health information 
without consent or authorization are for government functions, and that 
many of the governmental recipients of such information are not 
governed by this rule. It is the role of government to undertake 
functions in the broader public interest, such as public health 
activities, law enforcement, identification of deceased individuals 
through coroners' offices, and military activities. It is these public 
purposes which can sometimes outweigh an individual's privacy interest. 
In this rule, we specify the circumstances in which that balance is 
tipped toward the public interest with respect to health information. 
We discuss the rationale behind each of these permitted disclosures in 
the relevant preamble sections below.

Miscellaneous Comments

    Comment: Many commenters objected to the establishment of a unique 
identifier for health care or other purposes.
    Response: This regulation does not create an identifier. We assume 
these comments refer to the unique health identifier that Congress 
directed the Secretary to promulgate under section 1173(b) of the Social 
Security Act, added by section 262 of the HIPAA. Because of the public 
concerns about such an identifier, in the summer of 1998 Vice President 
Gore announced that the Administration would not promulgate such a 
regulation until comprehensive medical privacy protections were in 
place. In the fall of that year, Congress prohibited the Department 
from promulgating such an identifier, and that prohibition remains in 
place. The Department has no plans to promulgate a unique health 
identifier.
    Comment: Many commenters asked that we withdraw the proposed 
regulation and not publish a final rule.
    Response: Under section 264 of the HIPAA, the Secretary is required 
by Congress to promulgate a regulation establishing standards for 
health information privacy. Further, for the reasons explained 
throughout this preamble above, we believe that the need to protect 
health information privacy is urgent and that this regulation is in the 
public's interest.
    Comment: Many commenters expressed the opinion that their consent 
should be required for all disclosure of their health information.
    Response: We agree that consent should be required prior to release 
of health information for many purposes, and impose such a requirement 
in this regulation. Requiring consent prior to all release of health 
information, however, would unduly jeopardize public safety and make 
many operations of the health care system impossible. For example, 
requiring consent prior to release of health information to a public 
health official who is attempting to track the source of an outbreak or 
epidemic could endanger thousands of lives. Similarly, requiring 
consent before an oversight official could audit a health plan would 
make detection of health care fraud all but impossible; it could take 
health plans months or years to locate and obtain the consent of all 
current and past enrollees, and the health plan would not have a strong 
incentive to do so. These uses of medical information are clearly in 
the public interest.
    In this regulation, we must balance individuals' privacy interests 
against the legitimate public interests in certain uses of health 
information. Where there is an important public interest, this 
regulation imposes procedural safeguards that must be met prior to 
release of health information, in lieu of a requirement for consent. In 
some instances the procedural safeguards consist of limits on the 
circumstances in which information may be disclosed, in others the 
safeguards consist of limits on what information may be disclosed, and 
in other cases we require some form of legal process (e.g., a warrant 
or subpoena) prior to release of health information. We also allow 
disclosure of health information without consent where other law 
mandates the disclosures. Where such other law exists, another public 
entity has made the determination that the public interests outweigh 
the individual's privacy interests, and we do not upset that 
determination in this regulation. In short, we tailor the safeguards to 
match the specific nature of the public purpose. The specific 
safeguards are explained in each section of this regulation below.
    Comment: Many comments address matters not relevant to this 
regulation, such as alternative fuels, hospital reimbursement, and Gulf 
War syndrome.
    Response: These and similar matters are not relevant to this 
regulation and will not be addressed further.

[[Page 82567]]

    Comment: A few commenters questioned why this level of detail is 
needed in response to the HIPAA Congressional mandate.
    Response: This level of detail is necessary to ensure that 
individuals' rights with respect to their health information are clear, 
while also ensuring that information necessary for important public 
functions, such as protecting public health, promoting biomedical 
research, fighting health care fraud, and notifying family members in 
disaster situations, will not be impaired by this regulation. We 
designed this rule to reflect current practices and change some of 
them. The comments and our fact finding revealed the complexity of 
current health information practices, and we believe that the 
complexity entailed in reflecting those practices is better public 
policy than a perhaps simpler rule that disturbed important information 
flows.
    Comment: A few comments stated that the goal of administrative 
simplification should never override the privacy of individuals.
    Response: We believe that privacy is a necessary component of 
administrative simplification, not a competing interest.
    Comment: At least one commenter said that the goal of 
administrative simplification is not well served by the proposed rule.
    Response: Congress recognized that privacy is a necessary component 
of administrative simplification. The standardization of electronic 
health information mandated by the HIPAA, which makes it easier to 
share that information for legitimate purposes, also makes the 
inappropriate sharing of that information easier. For this reason, 
Congress included a mandate for privacy standards in this section of 
the HIPAA. Without appropriate privacy protections, public fear and 
instances of abuse would make it impossible for us to take full 
advantage of the administrative and cost benefits inherent in the 
administrative simplification standards.
    Comment: At least one commenter asked us to require 
psychotherapists to assert any applicable legal privilege on patients' 
behalf when protected health information is requested.
    Response: Whether and when to assert a claim of privilege on a 
patient's behalf is a matter for other law and for the ethics of the 
individual health care provider. This is not a decision that can or 
should be made by the federal government.
    Comment: One commenter called for HHS to consider the privacy 
regulation in conjunction with the other HIPAA standards. In 
particular, this comment focused on the belief that the Security 
Standards should be compatible with the existing and emerging health 
care and information technology industry standards.
    Response: We agree that both this regulation and the final Security 
Regulation should be compatible with existing and emerging technology 
industry standards. This regulation is ``technology neutral.'' We do 
not mandate the use of any particular technologies, but rather set 
standards which can be met through a variety of means.
    Comment: Several commenters claimed that the statutory authority 
given under HIPAA cannot provide meaningful privacy protections because 
many entities with access to protected health information, such as 
employers, workers' compensation carriers, and life insurance 
companies, are not covered entities. These commenters expressed support 
for comprehensive legislation to close many of the existing loopholes.
    Response: We agree with the commenters that comprehensive 
legislation is necessary to provide full privacy protection and have 
called for members of Congress to pass such legislation to prevent 
unauthorized and potentially harmful uses and disclosures of 
information.

Part 160--Subpart A--General Provisions

Section 160.103--Definitions

Business Associate

    The response to comments on the definition of ``business partner,'' 
renamed in this rule as ``business associate,'' is included in the 
response to comments on the requirements for business associates in the 
preamble discussion of Sec. 164.504.

Covered Entity

    Comment: A number of commenters urged the Department to expand or 
clarify the definition of ``covered entity'' to include certain 
entities other than health care clearinghouses, health plans, and 
health care providers who conduct standard transactions. For example, 
several commenters asked that the Department generally expand the scope 
of the rule to cover all entities that receive or maintain individually 
identifiable health information; others specifically urged the 
Department to cover employers, marketing firms, and legal entities that 
have access to individually identifiable health information. Some 
commenters asked that life insurance and casualty insurance carriers be 
considered covered entities for purposes of this rule. One commenter 
recommended that Pharmacy Benefit Management (PBM) companies be 
considered covered entities so that they may use and disclose protected 
health information without authorization.
    In addition, a few commenters asked the Department to clarify that 
the definition includes providers who do not directly conduct 
electronic transactions if another entity, such as a billing service or 
hospital, does so on their behalf.
    Response: We understand that many entities may use and disclose 
individually identifiable health information. However, our jurisdiction 
under the statute is limited to health plans, health care 
clearinghouses, and health care providers who transmit any health 
information electronically in connection with any of the standard 
financial or administrative transactions in section 1173(a) of the Act. 
These are the entities referred to in section 1173(a)(1) of the Act and 
thus listed in Sec. 160.103 of the final rule. Consequently, once 
protected health information leaves the purview of one of these covered 
entities, their business associates, or other related entities (such as 
plan sponsors), the information is no longer afforded protection under 
this rule. We again highlight the need for comprehensive federal 
legislation to eliminate such gaps in privacy protection.
    We also provide the following clarifications with regard to 
specific entities.
    We clarify that employers and marketing firms are not covered 
entities. However, employers may be plan sponsors of a group health 
plan that is a covered entity under the rule. In such a case, specific 
requirements apply to the group health plan. See the preamble on 
Sec. 164.504 for a discussion of specific ``firewall'' and other 
organizational requirements for group health plans and their employer 
sponsors. The final rule also contains provisions addressing when an 
insurance issuer providing benefits under a group health plan may 
disclose summary health information to a plan sponsor.
    With regard to life and casualty insurers, we understand that such 
benefit providers may use and disclose individually identifiable health 
information. However, Congress did not include life insurers and 
casualty insurance carriers as ``health plans'' for the purposes of 
this rule and therefore they are not covered entities. See the 
discussion regarding the definition of ``health plan'' and excepted 
benefits.

[[Page 82568]]

    In addition, we clarify that a PBM is a covered entity only to the 
extent that it meets the definition of one or more of the entities 
listed in Sec. 160.102. When providing services to patients through 
managed care networks, it is likely that a PBM is acting as a business 
associate of a health plan, and may thus use and disclose protected 
health information pursuant to the relevant provisions of this rule. 
PBMs may also be business associates of health care providers. See the 
preamble sections on Secs. 164.502, 164.504, and 164.506 for 
discussions of the specific requirements related to business associates 
and consent.
    Lastly, we clarify that health care providers who do not submit 
HIPAA transactions in standard form become covered by this rule when 
other entities, such as a billing service or a hospital, transmit 
standard electronic transactions on their behalf. The provider could 
not circumvent these requirements by assigning the task to a 
contractor.
    Comment: Many commenters urged the Department to restrict or 
clarify the definition of ``covered entity'' to exclude certain 
entities, such as department-operated hospitals (public hospitals); 
state Crime Victim Compensation Programs; employers; and certain lines 
of insurers, such as workers' compensation insurers, property and 
casualty insurers, reinsurers, and stop-loss insurers. One commenter 
expressed concern that clergy, religious practitioners, and other 
faith-based service providers would have to abide by the rule and asked 
that the Department exempt prayer healing and non-medical health care.
    Response: The Secretary provides the following clarifications in 
response to these comments. To the extent that a ``department-operated 
hospital'' meets the definition of a ``health care provider'' and 
conducts any of the standard transactions, it is a covered entity for 
the purposes of this rule. We agree that a state Crime Victim 
Compensation Program is not a covered entity if it is not a health care 
provider that conducts standard transactions, a health plan, or a 
health care clearinghouse. Further, as described above, employers are 
not covered entities.
    In addition, we agree that workers' compensation insurers, property 
and casualty insurers, reinsurers, and stop-loss insurers are not 
covered entities, as they do not meet the statutory definition of 
``health plan.'' See further discussion in the preamble on Sec. 160.103 
regarding the definition of ``health plan.'' However, activities 
related to ceding, securing, or placing a contract for reinsurance, 
including stop-loss insurance, are health care operations in the final 
rule. As such, reinsurers and stop-loss insurers may obtain protected 
health information from covered entities.
    Also, in response to the comment regarding religious practitioners, 
the Department clarifies that ``health care'' as defined under the rule 
does not include methods of healing that are solely spiritual. 
Therefore, clergy or other religious practitioners that provide solely 
religious healing services are not health care providers within the 
meaning of this rule, and consequently not covered entities for the 
purposes of this rule.
    Comment: A few commenters expressed general uncertainty and 
requested clarification as to whether certain entities were covered 
entities for the purposes of this rule. One commenter was uncertain as 
to whether the rule applies to certain social service entities, in 
addition to clinical social workers that the commenter believes are 
providers. Other commenters asked whether researchers or non-
governmental entities that collect and analyze patient data to monitor 
and evaluate quality of care are covered entities. Another commenter 
requested clarification regarding the definition's application to 
public health agencies that also are health care providers as well as 
how the rule affects public health agencies in their data collection 
from covered entities.
    Response: Whether the professionals described in these comments are 
covered by this rule depends on the activities they undertake, not on 
their profession or degree. The definitions in this rule are based on 
activities and functions, not titles. For example, a social service 
worker whose activities meet this rule's definition of health care will 
be a health care provider. If that social service worker also transmits 
information in a standard HIPAA transaction, he or she will be a 
covered entity under this rule. Another social service worker 
may provide services that do not meet the rule's definition of health 
care, or may not transmit information in a standard transaction. Such a 
social service worker is not a covered entity under this rule. 
Similarly, researchers in and of themselves are not covered entities. 
However, researchers may also be health care providers if they provide 
health care. In such cases, the persons or entities, in their role as 
health care providers, may be covered entities if they conduct standard 
transactions.
    With regard to public health agencies that are also health care 
providers, the health care provider ``component'' of the agency is the 
covered entity if that component conducts standard transactions. See 
discussion of ``health care components'' below. As to the data 
collection activities of a public health agency, the final rule in 
Sec. 164.512(b) permits a covered entity to disclose protected health 
information to public health authorities under specified circumstances, 
and permits public health agencies that are also covered entities to 
use protected health information for these purposes. See 
Sec. 164.512(b) for further details.
    Comment: A few commenters requested that the Department clarify 
that device manufacturers are not covered entities. They stated that 
the proposal did not provide enough guidance in cases where the 
``manufacturer supplier'' has only one part of its business that acts 
as the ``supplier,'' and additional detail is needed about the 
relationship of the ``supplier component'' of the company to the rest 
of the business. Similarly, another commenter asserted that drug, 
biologics, and device manufacturers should not be covered entities 
simply by virtue of their manufacturing activities.
    Response: We clarify that if a supplier manufacturer is a Medicare 
supplier, then it is a health care provider, and it is a covered entity 
if it conducts standard transactions. Further, we clarify that a 
manufacturer of supplies related to the health of a particular 
individual, e.g., prosthetic devices, is a health care provider because 
the manufacturer is providing ``health care'' as defined in the rule. 
However, that manufacturer is a covered entity only if it conducts 
standard transactions. We do not intend that a manufacturer of supplies 
that are generic and not customized or otherwise specifically designed 
for particular individuals, e.g., ace bandages for a hospital, is a 
health care provider. Such a manufacturer is not providing ``health 
care'' as defined in the rule and is therefore not a covered entity. We 
note that, even if such a manufacturer is a covered entity, it may be 
an ``indirect treatment provider'' under this rule, and thus not 
subject to all of the rule's requirements.
    With regard to a ``supplier component,'' the final rule addresses 
the status of the unit or units of a larger entity that constitute a 
``health care component.'' See further discussion under Sec. 164.504 of 
this preamble.
    Finally, we clarify that drug, biologics, and device manufacturers 
are not health care providers simply by virtue of their manufacturing 
activities. The manufacturer must be providing health care consistent 
with the final

[[Page 82569]]

rule's definition in order to be considered a health care provider.
    Comment: A few commenters asked that the Department clarify that 
pharmaceutical manufacturers are not covered entities. It was explained 
that pharmaceutical manufacturers provide support and guidance to 
doctors and patients with respect to the proper use of their products, 
provide free products for doctors to distribute to patients, and 
operate charitable programs that provide pharmaceutical drugs to 
patients who cannot afford to buy the drugs they need.
    Response: A pharmaceutical manufacturer is only a covered entity if 
the manufacturer provides ``health care'' according to the rule's 
definition and conducts standard transactions. In the above case, a 
pharmaceutical manufacturer that provides support and guidance to 
doctors and patients regarding the proper use of their products is 
providing ``health care'' for the purposes of this rule, and therefore, 
is a health care provider to the extent that it provides such services. 
The pharmaceutical manufacturer that is a health care provider is only 
a covered entity, however, if it conducts standard transactions. We 
note that this rule permits a covered entity to disclose protected 
health information to any person for treatment purposes, without 
specific authorization from the individual. Therefore, a covered health 
care provider is permitted to disclose protected health information to 
a pharmaceutical manufacturer for treatment purposes. Providing free 
samples to a health care provider does not in itself constitute health 
care. For further analysis of pharmacy assistance programs, see 
response to comment on Sec. 164.501, definition of ``payment.''
    Comment: Several commenters asked about the definition of ``covered 
entity'' and its application to health care entities within larger 
organizations.
    Response: A detailed discussion of the final rule's organizational 
requirements and firewall restrictions for ``health care components'' 
of larger entities, as well as for affiliated, and other entities is 
found at the discussion of Sec. 164.504 of this preamble. The following 
responses to comments provide additional information with respect to 
particular ``component entity'' circumstances.
    Comment: Several commenters asked that we clarify the definition of 
covered entity to state that with respect to persons or organizations 
that provide health care or have created health plans but are primarily 
engaged in other unrelated businesses, the term ``covered entity'' 
encompasses only the health care components of the entity. Similarly, 
others recommended that only the component of a government agency that 
is a provider, health plan, or clearinghouse should be considered a 
covered entity.
    Other commenters requested that we revise proposed Sec. 160.102 to 
apply only to the component of an entity that engages in the 
transactions specified in the rule. Commenters stated that companies 
should remain free to employ licensed health care providers and to 
enter into corporate relationships with provider institutions without 
fear of being considered to be a covered entity. Another commenter 
suggested that the regulation not apply to the provider-employee or 
employer when neither the provider nor the company is a covered 
entity.
    Some commenters specifically argued that the definition of 
``covered entity'' did not contemplate an integrated health care system 
and one commenter stated that the proposal would disrupt the multi-
disciplinary, collaborative approach that many take to health care 
today by treating all components as separate entities. Commenters, 
therefore, recommended that the rule treat the integrated entity, not 
its constituent parts, as the covered entity.
    A few commenters asked that the Department further clarify the 
definition with respect to the unique organizational models and 
relationships of academic medical centers and their parent universities 
and the rules that govern information exchange within the institution. 
One commenter asked whether faculty physicians who are paid by a 
medical school or faculty practice plan and who are on the medical 
staff of, but not paid directly by, a hospital are included within the 
covered entity. Another commenter stated that it appears that only the 
health center at an academic institution is the covered entity. 
Uncertainty was also expressed as to whether other components of the 
institution that might create protected health information only 
incidentally through the conduct of research would also be covered.
    Response: The Department understands that in today's health care 
industry, the relationships among health care entities and non-health 
care organizations are highly complex and varied. Accordingly, the 
final rule gives covered entities some flexibility to segregate or 
aggregate their operations for purposes of the application of this rule. 
The new component entity provision can be found at Secs. 164.504(b)-
(c). In response to the request for clarification on whether the rule 
would apply to a research component of the covered entity, we point out 
that if the research activities fall outside of the health care 
component they would not be subject to the rule. One organization may 
have one or several ``health care component(s)'' that each perform one 
or more of the health care functions of a covered entity, i.e., health 
care provider, health plan, health care clearinghouse. In addition, the 
final rule permits covered entities that are affiliated, i.e., share 
common ownership or control, to designate themselves, or their health 
care components, together to be a single covered entity for purposes of 
the rule.
    It appears from the comments that there is not a common 
understanding of the meaning of ``integrated delivery system.'' 
Arrangements that apply this label to themselves operate and share 
information many different ways, and may or may not be financially or 
clinically integrated. In some cases, multiple entities hold themselves 
out as one enterprise and engage together in clinical or financial 
activities. In others, separate entities share information but do not 
provide treatment together or share financial risk. Many health care 
providers participate in more than one such arrangement.
    Therefore, we do not include a separate category of ``covered 
entity'' under this rule for ``integrated delivery systems'' but 
instead accommodate the operations of these varied arrangements through 
the functional provisions of the rule. For example, covered entities 
that operate as ``organized health care arrangements'' as defined in 
this rule may share protected health information for the operation of 
such arrangement without becoming business associates of one another. 
Similarly, the regulation does not require a business associate 
arrangement when protected health information is shared for purposes of 
providing treatment. The application of this rule to any particular 
``integrated system'' will depend on the nature of the common 
activities the participants in the system perform. When the 
participants in such an arrangement are ``affiliated'' as defined in 
this rule, they may consider themselves a single covered entity (see 
Sec. 164.504).
    The arrangements between academic health centers, faculty practice 
plans, universities, and hospitals are similarly diverse. We cannot 
describe a blanket rule that covers all such arrangements. The 
application of this rule will depend on the purposes for which the 
participants in such arrangements share protected health information, 
whether some or all participants are under common ownership or control, 
and similar matters. We note that physicians who have staff privileges 
at a covered

[[Page 82570]]

hospital do not become part of that hospital covered entity by virtue 
of having such privileges.
    We reject the recommendation to apply the rule only to components 
of an entity that engage in the transactions. This would omit as 
covered entities, for example, the health plan components that do not 
directly engage in the transactions, including components that engage 
in important health plan functions such as coverage determinations and 
quality review. Indeed, we do not believe that the statute permits this 
result with respect to health plans or health care clearinghouses as a 
matter of negative implication from section 1172(a)(3). We clarify that 
only a health care provider must conduct transactions to be a covered 
entity for purposes of this rule.
    We also clarify that health care providers (such as doctors or 
nurses) who work for a larger organization and do not conduct 
transactions on their own behalf are workforce members of the covered 
entity, not covered entities themselves.
    Comment: A few commenters asked the Department to clarify the 
definition to provide that a multi-line insurer that sells insurance 
coverages, some of which do and others of which do not meet the 
definition of ``health plan,'' is not a covered entity with respect to 
actions taken in connection with coverages that are not ``health 
plans.''
    Response: The final rule clarifies that the requirements below 
apply only to the organizational unit or units of the organization that 
are the ``health care component'' of a covered entity, where the 
``covered functions'' are not the primary functions of the entity. 
Therefore, for a multi-line insurer, the ``health care component'' is 
the insurance line(s) that conduct, or support the conduct of, the 
health care function of the covered entity. Also, it should be noted 
that excepted benefits, such as life insurance, are not included in the 
definition of ``health plan.'' (See preamble discussion of 
Sec. 164.504).
    Comment: A commenter questioned whether the Health Care Financing 
Administration (HCFA) is a covered entity and how HCFA will share data 
with Medicare managed care organizations. The commenter also questioned 
why the regulation must apply to Medicaid since the existing Medicaid 
statute requires that states have privacy standards in place. It was 
also requested that the Department provide a definition of ``health 
plan'' to clarify that state Medicaid Programs are considered as such.
    Response: HCFA is a covered entity because it administers Medicare 
and Medicaid, which are both listed in the statute as health plans. 
Medicare managed care organizations are also covered entities under 
this regulation. As noted elsewhere in this preamble, covered entities 
that jointly administer a health plan, such as Medicare + Choice, are 
both covered entities, and are not business associates of each other by 
virtue of such joint administration.
    We do not exclude state Medicaid programs. Congress explicitly 
included the Medicaid program as a covered health plan in the HIPAA 
statute.
    Comment: A commenter asked the Department to provide detailed 
guidance as to when providers, plans, and clearinghouses become covered 
entities. The commenter provided the following example: if a provider 
submits claims only in paper form, and a coordination of benefits (COB) 
transaction is created due to other insurance coverage, will the 
original provider need to be notified that the claim is now in 
electronic form, and that it has become a covered entity? Another 
commenter voiced concern as to whether physicians who do not conduct 
electronic transactions would become covered entities if another entity 
using their records downstream transmits information in connection with 
a standard transaction on their behalf.
    Response: We clarify that health care providers who submit the 
transactions in standard electronic form, health plans, and health care 
clearinghouses are covered entities if they meet the respective 
definitions. Health care providers become subject to the rule if they 
conduct standard transactions. In the above example, the health care 
provider would not be a covered entity if the coordination of benefits 
transaction was generated by a payor.
    We also clarify that health care providers who do not submit 
transactions in standard form become covered by this rule when other 
entities, such as a billing service or a hospital, transmit standard 
electronic transactions on the providers' behalf. However, where the 
downstream transaction is not conducted on behalf of the health care 
provider, the provider does not become a covered entity due to the 
downstream transaction.
    Comment: Several commenters discussed the relationship between 
section 1179 of the Act and the privacy regulations. One commenter 
suggested that HHS retain the statement that a covered entity means 
``the entities to which part C of title XI of the Act applies.'' In 
particular, the commenter observed that section 1179 of the Act 
provides that part C of title XI of the Act does not apply to financial 
institutions or to entities acting on behalf of such institutions that 
are covered by the section 1179 exemption. Thus, under the definition 
of covered entity, they comment that financial institutions and other 
entities that come within the scope of the section 1179 exemption are 
appropriately not covered entities.
    Other commenters maintained that section 1179 of the Act means that 
the Act's privacy requirements do not apply to the request for, or the 
use or disclosure of, information by a covered entity with respect to 
payment: (a) For transferring receivables; (b) for auditing; (c) in 
connection with--(i) a customer dispute; or (ii) an inquiry from or to 
a customer; (d) in a communication to a customer of the entity 
regarding the customer's transactions payment card, account, check, or 
electronic funds transfer; (e) for reporting to consumer reporting 
agencies; or (f) for complying with: (i) a civil or criminal subpoena; 
or (ii) a federal or state law regulating the entity. These companies 
expressed concern that the proposed rule did not include the full text 
of section 1179 when discussing the list of activities that were exempt 
from the rule's requirements. Accordingly, they recommended including 
in the final rule either a full listing of or a reference to section 
1179's full list of exemptions. Furthermore, these firms opposed 
applying the proposed rule's minimum necessary standard for disclosure 
of protected health information to financial institutions because of 
section 1179.
    These commenters suggest that in light of section 1179, HHS lacks 
the authority to impose restrictions on financial institutions and 
other entities when they engage in activities described in that 
section. One commenter expressed concern that even though proposed 
Sec. 164.510(i) would have permitted covered entities to disclose 
certain information to financial institutions for banking and payment 
processes, it did not state clearly that financial institutions and 
other entities described in section 1179 are exempt from the rule's 
requirements.
    Response: We interpret section 1179 of the Act to mean that 
entities engaged in the activities of a financial institution, and 
those acting on behalf of a financial institution, are not subject to 
this regulation when they are engaged in authorizing, processing, 
clearing, settling, billing, transferring, reconciling, or collecting 
payments for a financial institution. The statutory reference to 12 
U.S.C. 3401 indicates that Congress chose to adopt the definition of 
financial institutions found

[[Page 82571]]

in the Right to Financial Privacy Act, which defines financial 
institutions as any office of a bank, savings bank, card issuer, 
industrial loan company, trust company, savings association, building 
and loan, homestead association, cooperative bank, credit union, or 
consumer finance institution located in the United States or one of its 
Territories. Thus, when we use the term ``financial institution'' in 
this regulation, we turn to the definition with which Congress provided 
us. We interpret this provision to mean that when a financial 
institution, or its agent on behalf of the financial institution, 
conducts the activities described in section 1179, the privacy 
regulation will not govern the activity.
    If, however, these activities are performed by a covered entity or 
by another entity, including a financial institution, on behalf of a 
covered entity, the activities are subject to this rule. For example, 
if a bank operates the accounts payable system or other ``back office'' 
functions for a covered health care provider, that activity is not 
described in section 1179. In such instances, because the bank would 
meet the rule's definition of ``business associate,'' the provider must 
enter into a business associate contract with the bank before 
disclosing protected health information pursuant to this relationship. 
However, if the same provider maintains an account through which he/she 
cashes checks from patients, no business associate contract would be 
necessary because the bank's activities are not undertaken for or on 
behalf of the covered entity, and fall within the scope of section 
1179. In part to give effect to section 1179, in this rule we do not 
consider a financial institution to be acting on behalf of a covered 
entity when it processes consumer-conducted financial transactions by 
debit, credit or other payment card, clears checks, initiates or 
processes electronic funds transfers, or conducts any other activity 
that directly facilitates or effects the transfer of funds for 
compensation for health care.
    We do not agree with the comment that section 1179 of the Act means 
that the privacy regulation's requirements cannot apply to the 
activities listed in that section; rather, it means that the entities 
expressly mentioned, financial institutions (as defined in the Right to 
Financial Privacy Act), and their agents that engage in the listed 
activities for the financial institution are not within the scope of 
the regulation. Nor do we interpret section 1179 to support an 
exemption for disclosures to financial institutions from the minimum 
necessary provisions of this regulation.
    Comment: One commenter recommended that HHS include a definition of 
``entity'' in the final rule because HIPAA did not define it. The 
commenter explained that in a modern health care environment, the 
organization acting as the health plan or health care provider may 
involve many interrelated corporate entities and that this could lead 
to difficulties in determining what ``entities'' are actually subject 
to the regulation.
    Response: We reject the commenter's suggestion. We believe it is 
clear in the final rule that the entities subject to the regulation are 
those listed at Sec. 160.102. However, we acknowledge that how the rule 
applies to integrated or other complex health systems needs to be 
addressed; we have done so in Sec. 164.504 and in other provisions, 
such as those addressing organized health care arrangements.
    Comment: The preamble should clarify that self-insured group health 
and workmen's compensation plans are not covered entities or business 
partners.
    Response: In the preamble to the proposed rule we stated that 
certain types of insurance entities, such as workers' compensation, 
would not be covered entities under the rule. We do not change this 
position in this final rule. The statutory definition of health plan 
does not include workers' compensation products, and the regulatory 
definition of the term specifically excludes them. However, HIPAA 
specifically includes most group health plans within the definition of 
``health plan.''
    Comment: A health insurance issuer asserted that health insurers 
and third party administrators are usually required by employers to 
submit reports describing the volume, amount, payee, basis for services 
rendered, types of claims paid and services for which payment was 
requested on behalf of its covered employees. The commenter recommended 
that the rule permit the disclosure of protected health information for 
such purposes.
    Response: We agree that health plans should be able to disclose 
protected health information to employers sponsoring health plans under 
certain circumstances. Section 164.504(f) explains the conditions under 
which protected health information may be disclosed to plan sponsors. 
We believe that this provision gives sponsors access to the information 
they need, but protects individuals' information to the extent possible 
under our legislative authority.

Group Health Plan

    For response to comments relating to ``group health plan,'' see the 
response to comments on ``health plan'' below and the response to 
comments on Sec. 164.504.

Health Care

    Comment: A number of commenters asked that we include disease 
management activities and other similar health improvement programs, 
such as preventive medicine, health education services and maintenance, 
health and case management, and risk assessment, in the definition of 
``health care.'' Commenters maintained that the rule should avoid 
limiting technological advances and new health care trends intended to 
improve patient ``health care.''
    Response: Review of these and other comments, and our fact-finding, 
indicate that there are multiple, differing understandings of the 
definition of these terms. Therefore, rather than create a blanket rule 
that includes such terms in or excludes such terms from the definition 
of ``health care,'' we define health care based on the underlying 
activities that constitute health care. The activities described by 
these commenters are considered ``health care'' under this rule to the 
extent that they meet this functional definition. Listing activities by 
label or title would create the risk that important activities would be 
left out and, given the lack of consensus on what these terms mean, 
could also create confusion.
    Comment: Several commenters urged that the Department clarify that 
the activities necessary to procure and distribute eyes and eye tissue 
will not be hampered by the rule. Some of these commenters explicitly 
requested that we include ``eyes and eye tissue'' in the list of 
procurement biologicals as well as ``eye procurement'' in the 
definition of ``health care.'' In addition, it was argued that 
``administration to patients'' be excluded in the absence of a clear 
definition. Also, commenters recommended that the definition include 
other activities associated with the transplantation of organs, such as 
processing, screening, and distribution.
    Response: We delete from the definition of ``health care'' 
activities related to the procurement or banking of blood, sperm, 
organs, or any other tissue for administration to patients. We do so 
because persons who make such donations are not seeking to be treated, 
diagnosed, or assessed or otherwise seeking health care for themselves, 
but are seeking to contribute to the health care of others. In 
addition, the nature of

[[Page 82572]]

these activities entails a unique kind of information sharing and 
tracking necessary to safeguard the nation's organ and blood supply, 
and those seeking to donate are aware that this information sharing 
will occur. Consequently, such procurement or banking activities are 
not considered health care and the organizations that perform such 
activities are not considered health care providers for purposes of 
this rule.
    With respect to disclosure of protected health information by 
covered entities to facilitate cadaveric organ and tissue donation, the 
final rule explicitly permits a covered entity to disclose protected 
health information without authorization, consent, or agreement to 
organ procurement organizations or other entities engaged in the 
procurement, banking, or transplantation of cadaveric organs, eyes, or 
tissue for the purpose of facilitating donation and transplantation. 
See Sec. 164.512(h). We do not include blood or sperm banking in this 
provision because, for those activities, there is direct contact with 
the donor, and thus opportunity to obtain the individual's 
authorization.
    Comment: A large number of commenters urged that the term 
``assessment'' be included in the list of services in the definition, 
as ``assessment'' is used to determine the baseline health status of an 
individual. It was explained that assessments are conducted in the 
initial step of diagnosis and treatment of a patient. They pointed out 
that, if assessment is not included in the list of services, the 
services provided by occupational health nurses and employee health 
information may not be covered.
    Response: We agree and have added the term ``assessment'' to the 
definition to clarify that this activity is considered ``health care'' 
for the purposes of the rule.
    Comment: One commenter asked that we revise the definition to 
explicitly exclude plasmapheresis from paragraph (3) of the definition. 
It was explained that plasmapheresis centers do not have direct access 
to health care recipients or their health information, and that the 
limited health information collected about plasma donors is not used to 
provide health care services as indicated by the definition of health 
care.
    Response: We address the commenter's concerns by removing the 
provision related to procurement and banking of human products from the 
definition.

Health Care Clearinghouse

    Comment: The largest set of comments relating to health care 
clearinghouses focused on our proposal to exempt health care 
clearinghouses from the patient notice and access rights provisions of 
the regulation. In our NPRM, we proposed to exempt health care 
clearinghouses from certain provisions of the regulation that deal with 
the covered entities' notice of information practices and consumers' 
rights to inspect, copy, and amend their records. The rationale for 
this exemption was based on our belief that health care clearinghouses 
engage primarily in business-to-business transactions and do not 
initiate or maintain direct relationships with individuals. We proposed 
this position with the caveat that the exemptions would be void for any 
health care clearinghouse that had direct contact with individuals in a 
capacity other than that of a business partner. In addition, we 
indicated that, in most instances, clearinghouses also would be 
considered business partners under this rule and would be bound by 
their contracts with covered plans and providers. They also would be 
subject to the notice of information practices developed by the plans 
and providers with whom they contract.
    Commenters stated that, although health care clearinghouses do not 
have direct contact with individuals, they do have individually 
identifiable health information that may be subject to misuse or 
inappropriate disclosure. They expressed concern that we were proposing 
to exempt health care clearinghouses from all or many aspects of the 
regulation. These commenters suggested that we either delete the 
exemption or make it very narrow, specific and explicit in the final 
regulatory text.
    Clearinghouse commenters, on the other hand, were in agreement with 
our proposal, including the exemption provision and the provision that 
the exemption is voided when the entity does have direct contact with 
individuals. They also stated that a health care clearinghouse that has 
a direct contact with individuals is no longer a health care 
clearinghouse as defined and should be subject to all requirements of 
the regulation.
    Response: In the final rule, where a clearinghouse creates or 
receives protected health information as a business associate of 
another covered entity, we maintain the exemption for health care 
clearinghouses from certain provisions of the regulation dealing with 
the notice of information practices and patients' direct access rights 
to inspect, copy and amend records (Secs. 164.524 and 164.526), on the 
grounds that a health care clearinghouse is engaged in business-to-
business operations, and is not dealing directly with individuals. 
Moreover, as business associates of plans and providers, health care 
clearinghouses are bound by the notices of information practices of the 
covered entities with whom they contract.
    Where a health care clearinghouse creates or receives protected 
health information other than as a business associate, however, it must 
comply with all the standards, requirements, and implementation 
specifications of the rule. We describe and delimit the exact nature of 
the exemption in the regulatory text. See Sec. 164.500(b). We will 
monitor developments in this sector should the basic business-to-
business relationship change.
    Comment: A number of comments relate to the proposed definition of 
health care clearinghouse. Many commenters suggested that we expand the 
definition. They suggested that additional types of entities be 
included in the definition of health care clearinghouse, specifically 
medical transcription services, billing services, coding services, and 
``intermediaries.'' One commenter suggested that the definition be 
expanded to add entities that receive standard transactions, process 
them and clean them up, and then send them on, without converting them 
to any standard format. Another commenter suggested that the health 
care clearinghouse definition be expanded to include entities that do 
not perform translation but may receive protected health information in 
a standard format and have access to that information. Another 
commenter stated that the list of covered entities should include any 
organization that receives or maintains individually identifiable 
health information. One organization recommended that we expand the 
health care clearinghouse definition to include the concept of a 
research data clearinghouse, which would collect individually 
identifiable health information from other covered entities to generate 
research data files for release as de-identified data or with 
appropriate confidentiality safeguards. One commenter stated that HHS 
had gone beyond Congressional intent by including billing services in 
the definition.
    Response: We cannot expand the definition of ``health care 
clearinghouse'' to cover entities not covered by the definition of this 
term in the statute. In the final regulation, we

[[Page 82573]]

make a number of changes to address public comments relating to the 
definition. We modify the definition of health care clearinghouse to 
conform to the definition published in the Transactions Rule (with the 
addition of a few words, as noted above). We clarify in the preamble 
that, while the term ``health care clearinghouse'' may have other 
meanings and connotations in other contexts, for purposes of this 
regulation an entity is considered a health care clearinghouse only to 
the extent that it actually meets the criteria in our definition. 
Entities performing other functions but not meeting the criteria for a 
health care clearinghouse are not clearinghouses, although they may be 
business associates. Billing services are included in the regulatory 
definition of ``health care clearinghouse,'' if they perform the 
specified clearinghouse functions. Although we have not added or 
deleted any entities from our original definition, we will monitor 
industry practices and may add other entities in the future as changes 
occur in the health system.
    Comment: Several commenters suggested that we clarify that an 
entity acting solely as a conduit through which individually 
identifiable health information is transmitted or through which 
protected health information flows but is not stored is not a covered 
entity, e.g., a telephone company or Internet Service Provider. Other 
commenters indicated that once a transaction leaves a provider or plan 
electronically, it may flow through several entities before reaching a 
clearinghouse. They asked that the regulation protect the information 
in that interim stage, just as the security NPRM established a chain of 
trust arrangement for such a network. Others noted that these 
``conduit'' entities are likely to be business partners of the 
provider, clearinghouse or plan, and we should clarify that they are 
subject to business partner obligations as in the proposed Security 
Rule.
    Response: We clarify that entities acting as simple and routine 
communications conduits and carriers of information, such as telephone 
companies and Internet Service Providers, are not clearinghouses as 
defined in the rule unless they carry out the functions outlined in our 
definition. Similarly, we clarify that value added networks and 
switches are not health care clearinghouses unless they carry out the 
functions outlined in the definition, and clarify that such entities 
may be business associates if they meet the definition in the 
regulation.
    Comment: Several commenters, including the large clearinghouses and 
their trade associations, suggested that we not treat health care 
clearinghouses as playing a dual role as covered entity and business 
partner in the final rule because such a dual role causes confusion as 
to which rules actually apply to clearinghouses. In their view, the 
definition of health care clearinghouse is sufficiently clear to stand 
alone and identify a health care clearinghouse as a covered entity, and 
allows health care clearinghouses to operate under one consistent set 
of rules.
    Response: For reasons explained in Sec. 164.504 of this preamble, 
we do not create an exception to the business associate requirements 
when the business associate is also a covered entity. We retain the 
concept that a health care clearinghouse may be a covered entity and a 
business associate of a covered entity under the regulation. As 
business associates, they would be bound by their contracts with 
covered plans and providers.

Health Care Provider

    Comment: One commenter pointed out that the preamble referred to 
the obligations of providers and did not use the term, ``covered 
entity,'' and thus created ambiguity about the obligations of health 
care providers who may be employed by persons other than covered 
entities, e.g., pharmaceutical companies. It was suggested that a 
better reading of the statute and rule is that where neither the 
provider nor the company is a covered entity, the rule does not impose 
an obligation on either the provider-employee or the employer.
    Response: We agree. We use the term ``covered entity'' whenever 
possible in the final rule, except for the instances where the final 
rule treats the entities differently, or where use of the term ``health 
care provider'' is necessary for purposes of illustrating an example.
    Comment: Several commenters stated that the proposal's definition 
was broad, unclear, and/or confusing. Further, we received many 
comments requesting clarification as to whether specific entities or 
persons were ``health care providers'' for the purposes of our rule. 
One commenter questioned whether affiliated members of a health care 
group (even though separate legal entities) would be considered as one 
primary health care provider.
    Response: We permit legally distinct covered entities that share 
common ownership or control to designate themselves together to be a 
single covered entity. Such organizations may promulgate a single 
shared notice of information practices and a consent form. For more 
detailed information, see the preamble discussion of Sec. 164.504(d).
    We understand the need for additional guidance on whether specific 
entities or persons are health care providers under the final rule. We 
provide guidance below and will provide additional guidance as the rule 
is implemented.
    Comment: One commenter observed that sections 1171(3), 1861(s) and 
1861(u) of the Act do not include pharmacists in the definition of 
health care provider or pharmacist services in the definition of 
``medical or other health services,'' and questioned whether 
pharmacists were covered by the rule.
    Response: The statutory definition of ``health care provider'' at 
section 1171(3) includes ``any other person or organization who 
furnishes, bills, or is paid for health care in the normal course of 
business.'' Pharmacists' services are clearly within this statutory 
definition of ``health care.'' There is no basis for excluding 
pharmacists who meet these statutory criteria from this regulation.
    Comment: Some commenters recommended that the scope of the 
definition be broadened or clarified to cover additional persons or 
organizations. Several commenters argued for expanding the reach of the 
health care provider definition to cover entities such as state and 
local public health agencies, maternity support services (provided by 
nutritionists, social workers, and public health nurses and the Special 
Supplemental Nutrition Program for Women, Infants and Children), and 
those companies that conduct cost-effectiveness reviews, risk 
management, and benchmarking studies. One commenter queried whether 
auxiliary providers such as child play therapists, and speech and 
language therapists are considered to be health care providers. Other 
commenters questioned whether ``alternative'' or ``complementary'' 
providers, such as naturopathic physicians and acupuncturists would be 
considered health care providers covered by the rule.
    Response: As with other aspects of this rule, we do not define 
``health care provider'' based on the title or label of the 
professional. The professional activities of these kinds of providers 
vary; a person is a ``health care provider'' if those activities are 
consistent with the rule's definition of ``health care provider.'' 
Thus, health care providers include persons, such as those noted by the 
commenters, to the extent that they meet the definition. We note that 
health care providers are only

[[Page 82574]]

subject to this rule if they conduct certain transactions. See the 
definition of ``covered entity.''
    However, companies that conduct cost-effectiveness reviews, risk 
management, and benchmarking studies are not health care providers for 
the purposes of this rule unless they perform other functions that meet 
the definition. These entities would be business associates if they 
perform such activities on behalf of a covered entity.
    Comment: Another commenter recommended that the Secretary expand 
the definition of health care provider to cover health care providers 
who transmit ``or receive'' any health care information in electronic 
form.
    Response: We do not accept this suggestion. Section 1172(a)(3) 
states that providers that ``transmit'' health information in 
connection with one of the HIPAA transactions are covered, but does not 
use the term ``receive'' or a similar term.
    Comment: Some comments related to online companies as health care 
providers and covered entities. One commenter argued that there was no 
reason ``why an Internet pharmacy should not also be covered'' by the 
rule as a health care provider. Another commenter stated that online 
health care service and content companies, including online medical 
record companies, should be covered by the definition of health care 
provider. Another commenter pointed out that the definitions of covered 
entities cover ``Internet providers who `bill' or are `paid' for health 
care services or supplies, but not those who finance those services in 
other ways, such as through sale of identifiable health information or 
advertising.'' It was pointed out that thousands of Internet sites use 
information provided by individuals who access the sites for marketing 
or other purposes.
    Response: We agree that online companies are covered entities under 
the rule if they otherwise meet the definition of health care provider 
or health plan and satisfy the other requirements of the rule, i.e., 
providers must also transmit health information in electronic form in 
connection with a HIPAA transaction. We restate here the language in 
the preamble to the proposed rule that ``An individual or organization 
that bills and/or is paid for health care services or supplies in the 
normal course of business, such as * * * an ``online'' pharmacy 
accessible on the Internet, is also a health care provider for purposes 
of this statute'' (64 FR 59930).
    Comment: We received many comments related to the reference to 
``health clinic or licensed health care professional located at a 
school or business'' in the preamble's discussion of ``health care 
provider.'' It was stated that including ``licensed health care 
professionals located at a school or business'' highlights the need for 
these individuals to understand they have the authority to disclose 
information to the Social Security Administration (SSA) without 
authorization.
    However, several commenters urged HHS to create an exception for or 
delete that reference in the preamble discussion to primary and 
secondary schools because of employer or business partner 
relationships. One federal agency suggested that the reference 
``licensed health care professionals located at a [school]'' be deleted 
from the preamble because the definition of health care provider does 
not include a reference to schools. The commenter also suggested that 
the Secretary consider: adding language to the preamble to clarify that 
the rules do not apply to clinics or school health care providers that 
only maintain records that have been excepted from the definition of 
protected health information, adding an exception to the definition of 
covered entities for those schools, and limiting paperwork requirements 
for these schools. Another commenter argued for deleting references to 
schools because the proposed rule appeared to supersede or create 
ambiguity as to the Family Educational Rights and Privacy Act (FERPA), 
which gives parents the right to access ``education'' and health 
records of their unemancipated minor children. However, in contrast, 
one commenter supported the inclusion of health care professionals who 
provide services at schools or businesses.
    Response: We realize that our discussion of schools in the NPRM may 
have been confusing. Therefore, we address these concerns and set forth 
our policy regarding protected health information in educational 
agencies and institutions in the ``Relationship to Other Federal Laws'' 
discussion of FERPA, above.
    Comment: Many commenters urged that direct contact with the patient 
be necessary for an entity to be considered a health care provider. 
Commenters suggested that persons and organizations that are remote to 
the patient and have no direct contact should not be considered health 
care providers. Several commenters argued that the definition of health 
care provider covers a person that provides health care services or 
supplies only when the provider furnishes to or bills the patient 
directly. It was stated that the Secretary did not intend that 
manufacturers, such as pharmaceutical, biologics, and device 
manufacturers, health care suppliers, medical-surgical supply 
distributors, health care vendors that offer medical record 
documentation templates and that typically do not deal directly with 
the patient, be considered health care providers and thus covered 
entities. However, in contrast, one commenter argued that, as an in 
vitro diagnostics manufacturer, it should be covered as a health care 
provider.
    Response: We disagree with the comments that urged that direct 
dealings with an individual be a prerequisite to meeting the definition 
of health care provider. Many providers included in the statutory 
definition of provider, such as clinical labs, do not have direct 
contact with patients. Further, the use and disclosure of protected 
health information by indirect treatment providers can have a 
significant effect on individuals' privacy. We acknowledge, however, 
that providers who treat patients only indirectly need not have the 
full array of responsibilities as direct treatment providers, and 
modify the NPRM to make this distinction with respect to several 
provisions (see, for example, Sec. 164.506 regarding consent). We also 
clarify that manufacturers and health care suppliers who are considered 
providers by Medicare are providers under this rule.
    Comment: Some commenters suggested that blood centers and plasma 
donor centers that collect and distribute source plasma not be 
considered covered health care providers because the centers do not 
provide ``health care services'' and the blood donors are not 
``patients'' seeking health care. Similarly, commenters expressed 
concern that organ procurement organizations might be considered health 
care providers.
    Response: We agree and have deleted from the definition of ``health 
care'' the term ``procurement or banking of blood, sperm, organs, or 
any other tissue for administration to patients.'' See prior discussion 
under ``health care.''
    Comment: Several commenters proposed to restrict coverage to only 
those providers who furnished and were paid for services and supplies. 
It was argued that a salaried employee of a covered entity, such as a 
hospital-based provider, should not be covered by the rule because that 
provider would be subject both directly to the rule as a covered entity 
and indirectly as an employee of a covered entity.
    Response: The ``dual'' direct and indirect situation described in 
these comments can arise only when a health

[[Page 82575]]

care provider conducts standard HIPAA transactions both for itself and 
for its employer. For example, when the services of a provider such as 
a hospital-based physician are billed through a standard HIPAA 
transaction conducted for the employer, in this example the hospital, 
the physician does not become a covered provider. Only when the 
provider uses a standard transaction on its own behalf does he or she 
become a covered health care provider. Thus, the result is typically as 
suggested by this commenter. When a hospital-based provider is not paid 
directly, that is, when the standard HIPAA transaction is not on its 
behalf, it will not become a covered provider.
    Comment: Other commenters argued that an employer who provides 
health care services to its employees, for whom it neither bills the 
employee nor pays for the health care, should not be considered a 
health care provider covered by the proposed rule.
    Response: We clarify that the employer may be a health care 
provider under the rule, and may be covered by the rule if it conducts 
standard transactions. The provisions of Sec. 164.504 may also apply.
    Comment: Some commenters were confused about the preamble 
statement: ``in order to implement the principles in the Secretary's 
Recommendations, we must impose any protections on the health care 
providers that use and disclose the information, rather than on the 
researcher seeking the information,'' with respect to the rule's policy 
that a researcher who provides care to subjects in a trial will be 
considered a health care provider. Some commenters were also unclear 
about whether the individual researcher providing health care to 
subjects in a trial would be considered a health care provider or 
whether the researcher's home institution would be considered a health 
care provider and thus subject to the rule.
    Response: We clarify that, in general, a researcher is also a 
health care provider if the researcher provides health care to subjects 
in a clinical research study and otherwise meets the definition of 
``health care provider'' under the rule. However, a health care 
provider is only a covered entity and subject to the rule if that 
provider conducts standard transactions. With respect to the above 
preamble statement, we meant that our jurisdiction under the statute is 
limited to covered entities. Therefore, we cannot apply any 
restrictions or requirements on a researcher in that person's role as a 
researcher. However, if a researcher is also a health care provider 
that conducts standard transactions, that researcher/provider is 
subject to the rule with regard to its provider activities.
    As to applicability to a researcher/provider versus the 
researcher's home institution, we provide the following guidance. The 
rule applies to the researcher as a covered entity if the researcher is 
a health care provider who conducts standard transactions for services 
on his or her own behalf, regardless of whether he or she is part of a 
larger organization. However, if the services and transactions are 
conducted on behalf of the home institution, then the home institution 
is the covered entity for purposes of the rule and the researcher/
provider is a workforce member, not a covered entity.
    Comment: One commenter expressed confusion about those instances 
when a health care provider was a covered entity one day, and one who 
``works under a contract'' for a manufacturer the next day.
    Response: If persons are covered under the rule in one role, they 
are not necessarily covered entities when they participate in other 
activities in another role. For example, that person could be a covered 
health care provider in a hospital one day but the next day read 
research records for a different employer. In its role as researcher, 
the person is not covered, and protections do not apply to those 
research records.
    Comment: One commenter suggested that the Secretary modify proposed 
Sec. 160.102, to add the following clause at the end (after (c)) 
(regarding health care provider), ``With respect to any entity whose 
primary business is not that of a health plan or health care provider 
licensed under the applicable laws of any state, the standards, 
requirements, and implementation specifications of this subchapter 
shall apply solely to the component of the entity that engages in the 
transactions specified in [Sec. ] 160.103.'' (Emphasis added.) Another 
commenter also suggested that the definition of ``covered entity'' be 
revised to mean entities that are ``primarily or exclusively engaged in 
health care-related activities as a health plan, health care provider, 
or health care clearinghouse.''
    Response: The Secretary rejects these suggestions because they will 
impermissibly limit the entities covered by the rule. An entity that is 
a health plan, health care provider, or health care clearinghouse meets 
the statutory definition of covered entity regardless of how much time 
is devoted to carrying out health care-related functions, or regardless 
of what percentage of its total business applies to health care-
related functions.
    Comment: Several commenters sought to distinguish a health care 
provider from a business partner as proposed in the NPRM. For example, 
a number of commenters argued that disease managers that provide 
services ``on behalf of'' health plans and health care providers, and 
case managers (a variation of a disease management service) are 
business partners and not ``health care providers.'' Another commenter 
argued that a disease manager should be recognized (presumably as a 
covered entity) because of its involvement from the physician-patient 
level through complex interactions with health care providers.
    Response: To the extent that a disease or case manager provides 
services on behalf of or to a covered entity as described in the rule's 
definition of business associate, the disease or case manager is a 
business associate for purposes of this rule. However, if services 
provided by the disease or case manager meet the definition of 
treatment and the person otherwise meets the definition of ``health 
care provider,'' such a person is a health care provider for purposes 
of this rule.
    Comment: One commenter argued that pharmacy employees who assist 
pharmacists, such as technicians and cashiers, are not business 
partners.
    Response: We agree. Employees of a pharmacy that is a covered 
entity are workforce members of that covered entity for purposes of 
this rule.
    Comment: A number of commenters requested that we clarify the 
definition of health care provider (``* * * who furnishes, bills, or is 
paid for health care services or supplies in the normal course of 
business'') by defining the various terms ``furnish'', ``supply'', and 
``in the normal course of business.'' For instance, it was stated that 
this would help employers recognize when services such as an employee 
assistance program constituted health care covered by the rule.
    Response: Although we understand the concern expressed by the 
commenters, we decline to follow their suggestion to define terms at 
this level of specificity. These terms are in common use today, and an 
attempt at specific definition would risk the inadvertent creation of 
conflict with industry practices. There is a significant variation in 
the way employers structure their employee assistance programs (EAPs) 
and the type of services that they provide. If the EAP provides direct 
treatment to individuals, it may be a health care provider.

[[Page 82576]]

Health Information

    The response to comments on health information is included in the 
response to comments on individually identifiable health information, 
in the preamble discussion of Sec. 164.501.

Health Plan

    Comment: One commenter suggested that to eliminate any ambiguity, 
the Secretary should clarify that the catch-all category under the 
definition of health plan includes ``24-hour coverage plans'' (whether 
insured or self-insured) that integrate traditional employee health 
benefits coverage and workers' compensation coverage for the treatment 
of on-the-job injuries and illnesses under one program. It was stated 
that this clarification was essential if the Secretary persisted in 
excluding workers' compensation from the final rule.
    Response: We understand concerns that such plans may use and 
disclose individually identifiable health information. We therefore 
clarify that to the extent that 24-hour coverage plans have a health 
care component that meets the definition of ``health plan'' in the 
final rule, such components must abide by the provisions of the final 
rule. In the final rule, we have added a new provision to Sec. 164.512 
that permits covered entities to disclose information under workers' 
compensation and similar laws. A health plan that is a 24-hour plan is 
permitted to make disclosures as necessary to comply with such laws.
    Comment: A number of commenters urged that certain types of 
insurance entities, such as workers' compensation and automobile 
insurance carriers, property and casualty insurance health plans, and 
certain forms of limited benefits coverage, be included in the 
definition of ``health plan.'' It was argued that consumers deserve the 
same protection with respect to their health information, regardless of 
the entity using it, and that it would be inequitable to subject health 
insurance carriers to more stringent standards than other types of 
insurers that use individually identifiable health information.
    Response: The Congress did not include these programs in the 
definition of a ``health plan'' under section 1171 of the Act. Further, 
HIPAA's legislative history shows that the House Report's (H. Rep. 104-
496) definition of ``health plan'' originally included certain benefit 
programs, such as workers' compensation and liability insurance, but 
was later amended to clarify the definition and remove these programs. 
Thus, since the statutory definition of a health plan both on its face 
and through legislative history evidences Congress' intention to exclude 
such programs, we do not have the authority to require that these 
programs comply with the standards. We have added explicit language to 
the final rule which excludes the excepted benefit programs, as defined 
in section 2971(c)(1) of the PHS Act, 42 U.S.C. 300gg-91(c)(1).
    Comment: Some commenters urged HHS to include entities such as stop 
loss insurers and reinsurers in the definition of ``health plan.'' It 
was observed that such entities have come to play important roles in 
managed care delivery systems. They asserted that increasingly, 
capitated health plans and providers contract with their reinsurers and 
stop loss carriers to medically manage their high cost outlier cases 
such as organ and bone marrow transplants, and therefore should be 
specifically cited as subject to the regulations.
    Response: Stop-loss and reinsurers do not meet the statutory 
definition of health plan. They do not provide or pay for the costs of 
medical care, as described in the statute, but rather insure health 
plans and providers against unexpected losses. Therefore, we cannot 
include them as health plans in the regulation.
    Comment: A commenter asserted that there is a significant 
discrepancy between the effect of the definition of ``group health 
plan'' as proposed in Sec. 160.103, and the anticipated impact in the 
cost estimates of the proposed rule at 64 FR 60014. Paragraph (1) of 
the proposed definition of ``health plan'' defined a ``group health 
plan'' as an ERISA-defined employee welfare benefit plan that provides 
medical care and that: ``(i) Has 50 or more participants, or (ii) Is 
administered by an entity other than the employer that established and 
maintains the plan[.]'' (emphasis added) According to this commenter, 
under this definition, the only insured or self-insured ERISA plans 
that would not be regulated ``health plans'' would be those that have 
less than 50 participants and are self administered.
    The commenter presumed that we had intended to exclude from the 
definition of ``health plan'' (and from coverage under the proposed 
rule) all ERISA plans that are small (less than 50 participants) or are 
administered by a third party, whether large or small, based on the 
statement at 64 FR 60014, note 18. That footnote stated that the 
Department had ``not included the 3.9 million `other' employer-health 
plans listed in HCFA's administrative simplification regulations 
because these plans are administered by a third party. The proposed 
regulation will not regulate the employer plans but will regulate the 
third party administrators of the plan.'' The commenter urged us not to 
repeat the statutory definition, and to adopt the policy implied in the 
footnote.
    Response: We agree with the commenter's observation that footnote 
18 (64 FR 60014) was inconsistent with the proposed definition. We 
erred in drafting that note. The definition of ``group health plan'' is 
adopted from the statutory definition at section 1171(5)(A), and 
excludes from the rule as ``health plans'' only the few insured or 
self-insured ERISA plans that have less than 50 participants and are 
self administered. We reject the commenter's proposed change to the 
definition as inconsistent with the statute.
    Comment: A number of insurance companies asked that long term care 
insurance policies be excluded from the definition of ``health plan.'' 
It was argued that such policies do not provide sufficiently 
comprehensive coverage of the cost of medical care, and are limited 
benefit plans that provide or pay for the cost of custodial and other 
related services in connection with a long term, chronic illness or 
disability.
    These commenters asserted that HIPAA recognizes this nature of long 
term care insurance, observing that, with respect to HIPAA's 
portability requirements, Congress enacted a series of exclusions for 
certain defined types of health plan arrangements that do not typically 
provide comprehensive coverage. They maintained that Congress 
recognized that long term care insurance is excluded, so long as it is 
not a part of a group health plan. Where a long term care policy is 
offered separately from a group health plan it is considered an 
excepted benefit and is not subject to the portability and guarantee 
issue requirements of HIPAA. Although this exception does not appear in 
the Administrative Simplification provisions of HIPAA, it was asserted 
that it is guidance with respect to the treatment of long term care 
insurance as a limited benefit coverage and not as coverage that is so 
``sufficiently comprehensive'' that it is to be treated in the same 
manner as a typical, comprehensive major medical health plan 
arrangement.
    Another commenter offered a different perspective observing that 
there are some long-term care policies that do not pay for medical 
care and therefore are not ``health plans.'' It was noted that most 
long-term care policies are reimbursement policies--that is,

[[Page 82577]]

they reimburse the policyholder for the actual expenses that the 
insured incurs for long-term care services. To the extent that these 
constitute ``medical care,'' this commenter presumed that these 
policies would be considered ``health plans.'' Other long-term care 
policies, they pointed out, simply pay a fixed dollar amount when the 
insured becomes chronically ill, without regard to the actual cost of 
any long-term care services received, and thus are similar to fixed 
indemnity critical illness policies. The commenter suggested that while 
there was an important distinction between indemnity based long-term 
care policies and expenses based long-term care policies, it may be 
wise to exclude all long-term care policies from the scope of the rule 
to achieve consistency with HIPAA.
    Response: We disagree. The statutory language regarding long-term 
care policies in the portability title of HIPAA is different from the 
statutory language regarding long-term care policies in the 
Administrative Simplification title of HIPAA. Section 1171(5)(G) of the 
Act means that issuers of long-term care policies are considered health 
plans for purposes of administrative simplification. We also interpret 
the statute as authorizing the Secretary to exclude nursing home fixed-
indemnity policies, not all long-term care policies, from the 
definition of ``health plan,'' if she determines that these policies do 
not provide ``sufficiently comprehensive coverage of a benefit'' to be 
treated as a health plan (see section 1171 of the Act). We interpret 
the term ``comprehensive'' to refer to the breadth or scope of coverage 
of a policy. ``Comprehensive'' policies are those that cover a range of 
possible service options. Since nursing home fixed indemnity policies 
are, by their own terms, limited to payments made solely for nursing 
facility care, we have determined that they should not be included as 
health plans for the purposes of the HIPAA regulations. The Secretary, 
therefore, explicitly excluded nursing home fixed-indemnity policies 
from the definition of ``health plan'' in the Transactions Rule, and 
this exclusion is thus reflected in this final rule. Issuers of other 
long-term care policies are considered to be health plans under this 
rule and the Transactions Rule.
    Comment: One commenter was concerned about the potential impact of 
the proposed regulations on ``unfunded health plans,'' which the 
commenter described as programs used by smaller companies to provide 
their associates with special employee discounts or other membership 
incentives so that they can obtain health care, including prescription 
drugs, at reduced prices. The commenter asserted that if these discount 
and membership incentive programs were covered by the regulation, many 
smaller employers might discontinue offering them to their employees, 
rather than deal with the administrative burdens and costs of complying 
with the rule.
    Response: Only those special employee discounts or membership 
incentives that are ``employee welfare benefit plans'' as defined in 
section 3(1) of the Employee Retirement Income Security Act of 1974, 29 
U.S.C. 1002(1), and provide ``medical care'' (as defined in section 
2791(a)(2) of the Public Health Service Act, 42 U.S.C. 300gg-91(a)(2)), 
are health plans for the purposes of this rule. Discount or membership 
incentive programs that are not group health plans are not covered by 
the rule.
    Comment: Several commenters agreed with the proposal to exclude 
``excepted benefits'' such as disability income insurance policies, 
fixed indemnity critical illness policies, and per diem long-term care 
policies from the definition of ``health plan,'' but were concerned 
that the language of the proposed rule did not fully reflect this 
intent. They asserted that clarification was necessary in order to 
avoid confusion and costs to both consumers and insurers.
    One commenter stated that, while HHS did not intend for the rule to 
apply to every type of insurance coverage that paid for medical care, 
the language of the proposed rule did not bear this out. The problem, 
it was asserted, is that under the proposed rule any insurance policy 
that pays for ``medical care'' would technically be a ``health plan.'' 
It was argued that despite the statements in the narrative, there are 
no provisions that would exempt any of the ``excepted benefits'' from 
the definition of ``health care.'' It was stated that:

    Although (with the exception of long-term care insurance), the 
proposed rule does not include the `excepted benefits' in its list 
of sixteen examples of a health plan (proposed 45 CFR 160.104), it 
does not explicitly exclude them either. Because these types of 
policies in some instances pay benefits that could be construed as 
payments for medical care, we are concerned by the fact that they 
are not explicitly excluded from the definition of `health plan' or 
the requirements of the proposed rule.

    Several commenters proposed that HHS adopt the same list of 
``excepted benefits'' contained in 29 U.S.C. 1191b, suggesting that 
they could be adopted either as exceptions to the definition of 
``health plan'' or as exceptions to the requirements imposed on 
``health plans.'' They asserted that this would promote consistency in 
the federal regulatory structure for health plans.
    It was suggested that HHS clarify whether the definition of health 
plan, particularly the ``group health plan'' and ``health insurance 
issuer'' components, includes a disability plan or disability insurer. 
It was noted that a disability plan or disability insurer may cover 
only income lost from disability and, as mentioned above, some 
rehabilitation services, or a combination of lost income, 
rehabilitation services and medical care. The commenter suggested that 
in addressing this coverage issue, it may be useful to refer to the 
definitions of group health plan, health insurance issuer and medical 
care set forth in Part I of HIPAA, which the statutory provisions of 
the Administrative Simplification subtitle expressly reference. See 42 
U.S.C. 1320d(5)(A) and (B).
    Response: We agree that the NPRM may have been ambiguous regarding 
the types of plans the rule covers. To remedy this confusion, we have 
added language that specifically excludes from the definition any 
policy, plan, or program providing or paying the cost of the excepted 
benefits, as defined in section 2971(c)(1) of the PHS Act, 42 U.S.C. 
300gg-91(c)(1). As defined in the statute, this includes but is not 
limited to benefits under one or more (or any combination thereof) of 
the following: coverage only for accident, or disability income 
insurance, or any combination thereof; liability insurance, including 
general liability insurance and automobile liability insurance; and 
workers' compensation or similar insurance.
    However, the other excepted benefits as defined in section 
2971(c)(2) of the PHS Act, 42 U.S.C. 300gg-91(c)(2), such as limited 
scope dental or vision benefits, not explicitly excepted from the 
regulation could be considered ``health plans'' under paragraph 
(1)(xvii) of the definition of ``health plan'' in the final rule if and 
to the extent that they meet the criteria for the definition of 
``health plan.'' Such plans, unlike the programs and plans listed at 
section 2971(c)(1), directly and exclusively provide health insurance, 
even if limited in scope.
    Comment: One commenter recommended that the Secretary clarify that 
``health plan'' does not include property and casualty benefit 
providers. The commenter stated that the clarifying language is needed 
given the ``catchall'' category of entities defined as ``any other 
individual plan or group health plan, or combination thereof, that

[[Page 82578]]

provides or pays for the cost of medical care,'' and asserted that 
absent clarification there could be serious confusion as to whether 
property and casualty benefit providers are ``health plans'' under the 
rule.
    Response: We agree and as described above have added language to 
the final rule to clarify that the ``excepted benefits'' as defined 
under 42 U.S.C. 300gg-91(c)(1), which includes liability programs such 
as property and casualty benefit providers, are not health plans for 
the purposes of this rule.
    Comment: Some commenters recommended that the Secretary replace the 
term ``medical care'' with ``health care.'' It was observed that 
``health care'' was defined in the proposal, and that this definition 
was used to define what a health care provider does. However, they 
observed that the definition of ``health plan'' refers to the provision 
of or payment for ``medical care,'' which is not defined. Another 
commenter recommended that HHS add the parenthetical phrase ``as such 
term is defined in section 2791 of the Public Health Service Act'' 
after the phrase ``medical care.''
    Response: We disagree with the first recommendation. We understand 
that the term ``medical care'' can be easily confused with the term 
``health care.'' However, the two terms are not synonymous. The term 
``medical care'' is a statutorily defined term and its use is critical 
in making a determination as to whether a health plan is considered a 
``health plan'' for purposes of administrative simplification. In 
addition, since the term ``medical care'' is used in the regulation 
only in the context of the definition of ``health plan'' and we believe 
that its inclusion in the regulatory text may cause confusion, we did 
not add a definition of ``medical care'' in the final rule. However, 
consistent with the second recommendation above, the statutory cite for 
``medical care'' was added to the definition of ``health plan'' in the 
Transactions Rule, and thus is reflected in this final rule.
    Comment: A number of commenters urged that the Secretary define 
more narrowly what characteristics would make a government program that 
pays for specific health care services a ``health plan.'' Commenters 
argued that there are many ``payment'' programs that should not be 
included, as discussed below, and that if no distinctions were made, 
``health plan'' would mean the same as ``purchaser'' or even ``payor.''
    Commenters asserted that there are a number of state programs that 
pay for ``health care'' (as defined in the rule) but that are not 
health plans. They said that examples include the WIC program (Special 
Supplemental Nutrition Program for Women, Infants, and Children) which 
pays for nutritional assessment and counseling, among other services; 
the AIDS Client Services Program (including AIDS prescription drug 
payment) under the federal Ryan White Care Act and state law; the 
distribution of federal family planning funds under Title X of the 
Public Health Services Act; and the breast and cervical health program 
which pays for cancer screening in targeted populations. Commenters 
argued that these are not insurance plans and do not fall within the 
``health plan'' definition's list of examples, all of which are either 
insurance or broad-scope programs of care under a contract or statutory 
entitlement. However, paragraph (16) in that list opens the door to 
broader interpretation through the catchall phrase, ``any other 
individual or group plan that provides or pays for the cost of medical 
care.'' Commenters assert that clarification is needed.
    A few commenters stated that other state agencies often work in 
partnership with the state Medicaid program to implement certain 
Medicaid benefits, such as maternity support services and prenatal 
genetics screening. They concluded that while this probably makes parts 
of the agency the ``business partner'' of a covered entity, they were 
uncertain whether it also makes the same agency parts a ``health plan'' 
as well.
    Response: We agree with the commenters that clarification is needed 
as to the rule's application to government programs that pay for health 
care services. Accordingly, in the final rule we have excepted from the 
definition of ``health plan'' a government funded program which does 
not have as its principal purpose the provision of, or payment for, the 
cost of health care or which has as its principal purpose the 
provision, either directly or by grant, of health care. For example, 
the principal purpose of the WIC program is not to provide or pay for 
the cost of health care, and thus, the WIC program is not a health plan 
for purposes of this rule. The program of health care services for 
individuals detained by the INS provides health care directly, and so 
is not a health plan. Similarly, the family planning program authorized 
by Title X of the Public Health Service Act pays for care exclusively 
through grants, and so is not a health plan under this rule. These 
programs (the grantees under the Title X program) may be or include 
health care providers and may be covered entities if they conduct 
standard transactions.
    We further clarify that, where a public program meets the 
definition of ``health plan,'' the government agency that administers 
the program is the covered entity. Where two agencies administer a 
program jointly, they are both a health plan. For example, both the 
Health Care Financing Administration and the insurers that offer a 
Medicare+Choice plan are ``health plans'' with respect to Medicare 
beneficiaries. An agency that does not administer a program but which 
provides services for such a program is not a covered entity by virtue 
of providing such services. Whether an agency providing services is a 
business associate of the covered entity depends on whether its 
functions for the covered entity meet the definition of business 
associate in Sec. 164.501 and, in the example described by this 
comment, in particular on whether the arrangement falls into the 
exception in Sec. 164.504(e)(1)(ii)(C) for government agencies that 
collect eligibility or enrollment information for covered government 
programs.
    Comment: Some commenters expressed support for retaining the 
category in paragraph (16) of the proposal's definition: ``Any other 
individual or group health plan, or combination thereof, that provides 
or pays for the cost of medical care.'' Others asked that the Secretary 
clarify this category. One commenter urged that the final rule clearly 
define which plans would meet the criteria for this category.
    Response: As described in the proposed rule, this category 
implements the language at the beginning of the statutory definition of 
the term ``health plan'': ``The term `health plan' means an individual 
or group plan that provides, or pays the cost of, medical care * * * 
Such term includes the following, and any combination thereof * * *'' 
This statutory language is general, not specific, and as such, we are 
leaving it general in the final rule. However, as described above, we 
add explicit language which excludes certain ``excepted benefits'' from 
the definition of ``health plan'' in an effort to clarify which plans 
are not health plans for the purposes of this rule. Therefore, to the 
extent that a certain benefits plan or program otherwise meets the 
definition of ``health plan'' and is not explicitly excepted, that 
program or plan is considered a ``health plan'' under paragraph 
(1)(xvii) of the final rule.
    Comment: A commenter explained that HIPAA defines a group health 
plan by expressly cross-referencing the statutory sections in the PHS 
Act and the Employee Retirement Income

[[Page 82579]]

Security Act of 1974 (ERISA), 29 U.S.C. 1001, et seq., which define the 
terms ``group health plan,'' ``employee welfare benefit plan'' and 
``participant.'' See 29 U.S.C. 1002(1) (definition of ``employee 
welfare benefit plan,'' which is the core of the definition of group 
health plan under both ERISA and the PHS Act); 29 U.S.C. 1002(7) 
(definition of participant); 29 U.S.C. 1193(a) (definition of ``group 
health plan,'' which is identical to that in section 2791(a) of the PHS 
Act).
    It was pointed out that the preamble and the text of the proposed 
rule both limit the definition of all three terms to their current 
definitions. The commenter reasoned that since the ERISA definitions 
may change over time through statutory amendment, Department of Labor 
regulations or judicial interpretation, it would not be clear what 
point in time is to be considered current. Therefore, they suggested 
deleting references to ``current'' or ``currently'' in the preamble and 
in the regulation with respect to these three ERISA definitions.
    In addition, the commenter stated that as the preamble to the NPRM 
correctly reflected, HIPAA expressly cross-references ERISA's 
definition of ``participant'' in section 3(7) of ERISA, 29 U.S.C. 
1002(7). 42 U.S.C. 1320d(5)(A). The text of the privacy regulation, 
however, omits this cross-reference. It was suggested that the 
reference to section 3(7) of ERISA, defining ``participant,'' be 
included in the regulation.
    Finally, HIPAA incorporates the definition of a group health plan 
as set forth in section 2791(a) of the PHS Act, 42 U.S.C. 300gg-
91(a)(1). That definition refers to the provision of medical care 
``directly or through insurance, reimbursement, or otherwise.'' The 
word ``reimbursement'' is omitted in both the preamble and the text of 
the regulation; the commenter suggested restoring it to both.
    Response: We agree. These changes were made to the definition of 
``health plan'' as promulgated in the Transactions Rule, and are 
reflected in this final rule.

Small Health Plan

    Comment: One commenter recommended that we delete the reference to 
$5 million in the definition and instead define a ``small health plan'' 
as a health plan with fewer than 50 participants. It was stated that 
using a dollar limitation to define a ``small health plan'' is not 
meaningful for self-insured plans and some other types of health plan 
coverage arrangements. A commenter pointed out that the general 
definition of a health plan refers to ``50 or more participants,'' and 
that using a dollar factor to define a ``small health plan'' would be 
inconsistent with this definition.
    Response: We disagree. The Small Business Administration (SBA) 
promulgates size standards that indicate the maximum number of 
employees or annual receipts allowed for a concern (13 CFR 121.105) and 
its affiliates to be considered ``small.'' The size standards 
themselves are expressed either in number of employees or annual 
receipts (13 CFR 121.201). The size standards for compliance with 
programs of other agencies are those for SBA programs which are most 
comparable to the programs of such other agencies, unless otherwise 
agreed by the agency and the SBA (13 CFR 121.902). With respect to the 
insurance industry, the SBA has specified that annual receipts of $5 
million is the maximum allowed for a concern and its affiliates to be 
considered small (13 CFR 121.201). Consequently, we retain the 
proposal's definition in the final rule to be consistent with SBA 
requirements.
    We understand there may be some confusion as to the meaning of 
``annual receipts'' when applied to a health plan. For our purposes, 
therefore, we consider ``pure premiums'' to be equivalent to ``annual 
receipts.''

Workforce

    Comment: Some commenters requested that we exclude ``volunteers'' 
from the definition of workforce. They stated that volunteers are 
important contributors within many covered entities, and in particular 
hospitals. They argued that it was unfair to ask that these people 
donate their time and at the same time subject them to the penalties 
placed upon the paid employees by these regulations, and that it would 
discourage people from volunteering in the health care setting.
    Response: We disagree. We believe that differentiating those 
persons under the direct control of a covered entity who are paid from 
those who are not is irrelevant for the purposes of protecting the 
privacy of health information, and for a covered entity's management of 
its workforce. In either case, the person is working for the covered 
entity. With regard to implications for the individual, persons in a 
covered entity's workforce are not held personally liable for violating 
the standards or requirements of the final rule. Rather, the Secretary 
has the authority to impose civil monetary penalties and in some cases 
criminal penalties for such violations on only the covered entity.
    Comment: One commenter asked that the rule clarify that employees 
administering a group health or other employee welfare benefit plan on 
their employers' behalf are considered part of the covered entity's 
workforce.
    Response: As long as the employees have been identified by the 
group health plan in plan documents as performing functions related to 
the group health plan (consistent with the requirements of 
Sec. 164.504(f)), those employees may have access to protected health 
information. However, they are not permitted to use or disclose 
protected health information for employment-related purposes or in 
connection with any other employee benefit plan or employee benefit of 
the plan sponsor.

Part 160--Subpart B--Preemption of State Law

    We summarize and respond below to comments received in the 
Transactions rulemaking on the issue of preemption, as well as those 
received on this topic in the Privacy rulemaking. Because no process 
was proposed in the Transactions rulemaking for granting exceptions 
under section 1178(a)(2)(A), a process for making exception 
determinations was not adopted in the Transactions Rule. Instead, since 
a process for making exception determinations was proposed in the 
Privacy rulemaking, we decided that the comments received in the 
Transactions rulemaking should be considered and addressed in 
conjunction with the comments received on the process proposed in the 
Privacy rulemaking. See 65 FR 50318 for a fuller discussion. 
Accordingly, we discuss the preemption comments received in the 
Transactions rulemaking where relevant below.
    Comment: The majority of comments on preemption addressed the 
subject in general terms. Numerous comments, particularly from plans 
and providers, argued that the proposed preemption provisions were 
burdensome, ineffective, or insufficient, and that complete federal 
preemption of the ``patchwork'' of state privacy laws is needed. They 
also argued that the proposed preemption provisions are likely to 
invite litigation. Various practical arguments in support of this 
position were made. Some of these comments recognized that the 
Secretary's authority under section 1178 of the Act is limited and 
acknowledged that the Secretary's proposals were within her statutory 
authority. One commenter suggested that the exception determination 
process would result in a very costly and laborious and sometimes 
inconsistent analysis of the occasions in which state law would

[[Page 82580]]

survive federal preemption, and thus suggested the final privacy 
regulations preempt state law with only limited exceptions, such as 
reporting child abuse. Many other comments, however, recommended 
changing the proposed preemption provisions to preempt state privacy 
laws on as blanket a basis as possible.
    One comment argued that the assumption that more stringent privacy 
laws are better is not necessarily true, citing a 1999 GAO report 
finding evidence that the stringent state confidentiality laws of 
Minnesota halted the collection of comparative information on health 
care quality.
    Several comments in this vein were also received in the 
Transactions rulemaking. The majority of these comments took the 
position that exceptions to the federal standards should either be 
prohibited or discouraged. It was argued that granting exceptions to 
the standards, particularly the transactions standards, would be 
inconsistent with the statute's objective of promoting administrative 
simplification through the use of uniform transactions.
    Many other commenters, however, endorsed the ``federal floor'' 
approach of the proposed rules. (These comments were made in the 
context of the proposed privacy regulations.) These comments argued 
that this approach was preferable because it would not impair the 
effectiveness of state privacy laws that are more protective of 
privacy, while raising the protection afforded medical information in 
states that do not enact laws that are as protective as the rules 
below. Some comments argued, however, that the rules should give even 
more deference to state law, questioning in particular the definitions 
and the proposed addition to the ``other purposes'' criterion for 
exception determinations in this regard.
    Response: With respect to the exception process provided for by 
section 1178(a)(2)(A), the contention that the HIPAA standards should 
uniformly control is an argument that should be addressed to the 
Congress, not this agency. Section 1178 of the Act expressly gives the 
Secretary authority to grant exceptions to the general rule that the 
HIPAA standards preempt contrary state law in the circumstances she 
determines come within the provisions at section 1178(a)(2)(A). We 
agree that the underlying statutory goal of standardizing financial and 
administrative health care transactions dictates that exceptions should 
be granted only on narrow grounds. Nonetheless, Congress clearly 
intended to accommodate some state laws in these areas, and the 
Department is not free to disregard this Congressional choice. As is 
more fully explained below, we have interpreted the statutory criteria 
for exceptions under section 1178(a)(2)(A) to balance the need for 
relative uniformity with respect to the HIPAA standards with state 
needs to set certain policies in the statutorily defined areas.
    The situation is different with respect to state laws relating to 
the privacy of protected health information. Many of the comments 
arguing for uniform standards were particularly concerned with 
discrepancies between the federal privacy standards and various state 
privacy requirements. Unlike the situation with respect to the 
transactions standards, where states have generally not entered the 
field, all states regulate the privacy of some medical information to a 
greater or lesser extent. Thus, we understand the private sector's 
concern at having to reconcile differing state and federal privacy 
requirements.
    This is, however, likewise an area where the policy choice has been 
made by Congress. Under section 1178(a)(2)(B) of the Act and section 
264(c)(2) of HIPAA, provisions of state privacy laws that are contrary 
to and more stringent than the corresponding federal standard, 
requirement, or implementation specification are not preempted. The 
effect of these provisions is to let the law that is most protective of 
privacy control (the ``federal floor'' approach referred to by many 
commenters), and this policy choice is one with which we agree. Thus, 
the statute makes it impossible for the Secretary to accommodate the 
requests to establish uniformly controlling federal privacy standards, 
even if doing so were viewed as desirable.
    Comment: Numerous comments stated support for the proposal at 
proposed Subpart B to issue advisory opinions with respect to the 
preemption of state laws relating to the privacy of individually 
identifiable health information. A number of these comments appeared to 
assume that the Secretary's advisory opinions would be dispositive of 
the issue of whether or not a state law was preempted. Many of these 
commenters suggested what they saw as improvements to the proposed 
process, but supported the proposal to have the Department undertake 
this function.
    Response: Despite the general support for the advisory opinion 
proposal, we decided not to provide specifically for the issuance of 
such opinions. The following considerations led to this decision. 
First, the assumption by commenters that an advisory opinion would 
establish what law applied in a given situation and thereby simplify 
the task of ascertaining what legal requirements apply to a covered 
entity or entities is incorrect. Any such opinion would be advisory 
only. Although an advisory opinion issued by the Department would 
indicate to covered entities how the Department would resolve the legal 
conflict in question and would apply the law in determining compliance, 
it would not bind the courts. While we assume that most courts would 
give such opinions deference, the outcome could not be guaranteed.
    Second, the thousands of questions raised in the public comment 
about the interpretation, implications, and consequences of all of the 
proposed regulatory provisions have led us to conclude that significant 
advice and technical assistance about all of the regulatory 
requirements will have to be provided on an ongoing basis. We recognize 
that the preemption concerns that would have been addressed by the 
proposed advisory opinions were likely to be substantial. However, 
there is no reason to assume that they will be the most substantial or 
urgent of the questions that will most likely need to be addressed. It 
is our intent to provide as much technical advice and assistance to the 
regulated community as we can with the resources available. Our concern 
is that setting up an advisory opinion process for just one of the many 
types of issues that will have to be addressed will lead to a non-
optimal allocation of those resources. Upon careful consideration, 
therefore, we have decided that we will be better able to prioritize 
our workload and be better able to be responsive to the most urgent and 
substantial questions raised to the Department, if we do not provide 
for a formal advisory opinion process on preemption as proposed.
    Comment: A few commenters argued that the Privacy Rule should 
preempt state laws that would impose more stringent privacy 
requirements for the conduct of clinical trials. One commenter asserted 
that the existing federal regulations and guidelines for patient 
informed consent, together with the proposed rule, would adequately 
protect patient privacy.
    Response: The Department does not have the statutory authority 
under HIPAA to preempt state laws that would impose more stringent 
privacy requirements on covered entities. HIPAA provides that the rule 
promulgated by the Secretary may not preempt state laws that are in 
conflict

[[Page 82581]]

with the regulatory requirements and that provide greater privacy 
protections.

Section 160.201--Applicability

    Comment: Several commenters indicated that the guidance provided by 
the definitions at proposed Sec. 160.202 would be of substantial 
benefit both to regulated entities and to the public. However, these 
commenters argued that the applicability of such definitions would be 
too limited as drafted, since proposed Sec. 160.201 provided that the 
definitions applied only to ``determinations and advisory opinions 
issued by the Secretary pursuant to 42 U.S.C. 1320d-7.'' The commenters 
stated that it would be far more helpful to make the definitions in 
proposed Sec. 160.202 more broadly applicable, to provide general 
guidance on the issue of preemption.
    Response: We agree with the comments on this issue, and have 
revised the applicability provision of subpart B below accordingly. 
Section 160.201 below sets out that Subpart B implements section 1178. 
This means, in our view, that the definitions of the statutory terms at 
Sec. 160.202 are legislative rules that apply when those statutory 
terms are employed, whether by HHS, covered entities, or the courts.

Section 160.202--Definitions

Contrary

    Comment: Some commenters asserted that the term ``contrary'' as 
defined at Sec. 160.202 was overly broad and that its application would 
be time-consuming and confusing for states. These commenters argued that, 
under the proposed definition, a state would be required to examine all 
of its laws relating to health information privacy in order to 
determine whether or not its law were contrary to the requirements 
proposed. It was also suggested that the definition contain examples of 
how it would work in practical terms.
    A few commenters, however, argued that the definition of 
``contrary'' as proposed was too narrow. One commenter argued that the 
Secretary erred in her assessment of the case law analyzing what is 
known as ``conflict preemption'' and which is set forth in shorthand in 
the tests set out at Sec. 160.202.
    Response: We believe that the definition proposed represents a 
policy that is as clear as is feasible and which can be applied 
nationally and uniformly. As was noted in the preamble to the proposed 
rules (at 64 FR 59997), the tests in the proposed definition of 
``contrary'' are adopted from the jurisprudence of ``conflict 
preemption.'' Since preemption is a judicially developed doctrine, it 
is reasonable to interpret this term as indicating that the statutory 
analysis should tie in to the analytical formulations employed by the 
courts. Also, while the court-developed tests may not be as clear as 
commenters would like, they represent a long-term, thoughtful 
consideration of the problem of defining when a state/federal conflict 
exists. They will also, we assume, generally be employed by the courts 
when conflict issues arise under the rules below. We thus see no 
practical alternative to the proposed definition and have retained it 
unchanged. With respect to various suggestions for shorthand versions 
of the proposed tests, such as the arguably broader term ``inconsistent 
with,'' we see no operational advantages to such terms.
    Comment: One comment asked that the Department clarify that if 
state law is not preempted, then the federal law would not also apply.
    Response: This comment raises two issues, both of which deserve 
discussion. First, a state law may not be preempted because there is no 
conflict with the analogous federal requirement; in such a situation, 
both laws can, and must, be complied with. We thus do not accept this 
suggestion, to the extent that it suggests that the federal law would 
give way in this situation. Second, a state law may also not be 
preempted because it comes within section 1178(a)(2)(B), section 
1178(b), or section 1178(c); in this situation, a contrary federal law 
would give way.
    Comment: One comment urged the Department to take the position that 
where state law exists and no analogous federal requirement exists, the 
state requirement would not be ``contrary to'' the federal requirement 
and would therefore not trigger preemption.
    Response: We agree with this comment.
    Comment: One commenter criticized the definition as unhelpful in 
the multi-state transaction context. For example, it was asked whether 
the issue of whether a state law was ``contrary to'' should be 
determined by the law of the state where the treatment is provided, 
where the claim processor is located, where the payment is issued, or 
the data maintained, assuming all are in different states.
    Response: This is a choice of law issue, and, as is discussed more 
fully below, is a determination that is routinely made today in 
connection with multi-state transactions. See discussion below under 
Exception Determinations (Criteria for Exception Determinations).

State Law

    Comment: Comments noted that the definition of ``state law'' does 
not explicitly include common law and recommended that it be revised to 
do so or to clarify that the term includes evidentiary privileges 
recognized at state law. Guidance concerning the impact of state 
privileges was also requested.
    Response: As requested, we clarify that the definition of ``state 
law'' includes common law by including the term ``common law.'' In our 
view, this phrase encompasses evidentiary privileges recognized at 
state law (which may also, we note, be embodied in state statutes).
    Comment: One comment criticized this definition as unwieldy, in 
that locating state laws pertaining to privacy is likely to be 
difficult. It was noted that Florida, for example, has more than 60 
statutes that address health privacy.
    Response: To the extent that state laws currently apply to covered 
entities, they have presumably determined what those laws require in 
order to comply with them. Thus, while determining which laws are 
``contrary'' to the federal requirements will require additional work 
in terms of comparing state law with the federal requirements, entities 
should already have acquired the knowledge of state law needed for this 
task in the ordinary course of doing business.
    Comment: The New York City Department of Health noted that in many 
cases, provisions of New York State law are inapplicable within New 
York City, because the state legislature has recognized that the local 
code is tailored to the particular needs of the City. It urged that the 
New York City Code be treated as state law, for preemption purposes.
    Response: We agree that, to the extent a state treats local law as 
substituting for state law, it could be considered to be ``state law'' 
for purposes of this definition. If, however, a local law is local in 
scope and effect, and a tier of state law exists over the same subject 
matter, we do not think that the local law could or should be treated 
as ``state law'' for preemption purposes. We do not have sufficient 
information to assess the situation raised by this comment with respect 
to this principle, and so express no opinion thereon.

More Stringent

    Comment: Many commenters supported the policy in the proposed 
definition of ``individual'' at proposed Sec. 164.502, which would have 
permitted unemancipated minors to exercise, on

[[Page 82582]]

their own behalf, rights granted to individuals in cases where they 
consented to the underlying health care. Commenters stated, however, 
that the proposed preemption provision would leave in place state laws 
authorizing or prohibiting disclosure to parents of the protected 
health information of their minor children and would negate the 
proposed policy for the treatment of minors under the rule. The 
comments stated that such state laws should be treated like other state 
laws, and preempted to the extent that they are less protective of the 
privacy of minors.
    Other commenters supported the proposed preemption provision--not 
to preempt a state law to the extent it authorizes or prohibits 
disclosure of protected health information regarding a minor to a 
parent.
    Response: Laws regarding access to health care for minors and 
confidentiality of their medical records vary widely; this regulation 
recognizes and respects the current diversity of state law in this 
area. Where states have considered the balance involved in protecting 
the confidentiality of minors' health information and have explicitly 
acted, for example, to authorize disclosure, defer the decision to 
disclose to the discretion of the health care provider, or prohibit 
disclosure of minors' protected health information to a parent, the 
rule defers to these decisions to the extent that they regulate such 
disclosures.
    Comment: The proposed definition of ``more stringent'' was 
criticized as affording too much latitude for granting exceptions 
for state laws that are not protective of privacy. It was suggested 
that the test should be ``most protective of the individual's 
privacy.''
    Response: We considered adopting this test. However, for the 
reasons set out at 64 FR 59997, we concluded that this test would not 
provide sufficient guidance. The comments did not address the concerns 
we raised in this regard in the preamble to the proposed rules, and we 
continue to believe that they are valid.
    Comment: A drug company expressed concern with what it saw as the 
expansive definition of this term, arguing that state governments may 
have less experience with the special needs of researchers than federal 
agencies and may unknowingly adopt laws that have a deleterious effect 
on research. A provider group expressed concern that allowing stronger 
state laws to prevail could result in diminished ability to get enough 
patients to complete high quality clinical trials.
    Response: These concerns are fundamentally addressed to the 
``federal floor'' approach of the statute, not to the definition 
proposed: even if the definition of ``more stringent'' were narrowed, 
these concerns would still exist. As discussed above, since the 
``federal floor'' approach is statutory, it is not within the 
Secretary's authority to change the dynamics that are of concern.
    Comment: One comment stated that the proposed rule seemed to 
indicate that the ``more stringent'' and ``contrary to'' definitions 
implied that these standards would apply to ERISA plans as well as to 
non-ERISA plans.
    Response: The concern underlying this comment is that ERISA plans, 
which are not now subject to certain state laws because of the 
``field'' preemption provision of ERISA but which are subject to the 
rules below, will become subject to state privacy laws that are ``more 
stringent'' than the federal requirements, due to the operation of 
section 1178(a)(2)(B), together with section 264(c)(2). We disagree 
that this is the case. While the courts will have the final say on 
these questions, it is our view that these sections simply leave in 
place more stringent state laws that would otherwise apply; to the 
extent that such state laws do not apply to ERISA plans because they 
are preempted by ERISA, we do not think that section 264(c)(2) 
overcomes the preemption effected by section 514(a) of ERISA. For more 
discussion of this point, see 64 FR 60001.
    Comment: The Lieutenant Governor's Office of the State of Hawaii 
requested a blanket exemption for Hawaii from the federal rules, on the 
ground that its recently enacted comprehensive health privacy law is, 
as a whole, more stringent than the proposed federal standards. It was 
suggested that, for example, special weight should be given to the 
severity of Hawaii's penalties. It was suggested that a new definition 
(``comprehensive'') be added, and that ``more stringent'' be defined in 
that context as whether the state act or code as a whole provides 
greater protection.
    An advocacy group in Vermont argued that the Vermont legislature 
was poised to enact stronger and more comprehensive privacy laws and 
stated that the group would resent a federal prohibition on that.
    Response: The premise of these comments appears to be that the 
provision-by-provision approach of Subpart B, which is expressed in the 
definition of the term ``contrary'', is wrong. As we explained in the 
preamble to the proposed rules (at 64 FR 59995), however, the statute 
dictates a provision-by-provision comparison of state and federal 
requirements, not the overall comparison suggested by these comments. 
We also note that the approach suggested would be practically and 
analytically problematic, in that it would be extremely difficult, if 
not impossible, to determine what is a legitimate stopping point for 
the provisions to be weighed on either the state side or the federal 
side of the scale in determining which set of laws was the ``more 
stringent.'' We accordingly do not accept the approach suggested by 
these comments.
    With respect to the comment of the Vermont group, nothing in the 
rules below prohibits or places any limits on states enacting stronger 
or more comprehensive privacy laws. To the extent that states enact 
privacy laws that are stronger or more comprehensive than contrary 
federal requirements, they will presumably not be preempted under 
section 1178(a)(2)(B). To the extent that such state laws are not 
contrary to the federal requirements, they will act as an overlay on 
the federal requirements and will have effect.
    Comment: One comment raised the issue of whether a private right of 
action is a greater penalty, since the proposed federal rule has no 
comparable remedy.
    Response: We have reconsidered the proposed ``penalty'' provision 
of the proposed definition of ``more stringent'' and have eliminated 
it. The HIPAA statute provides for only two types of penalties: fines 
and imprisonment. Both types of penalties could be imposed in addition 
to the same type of penalty imposed by a state law, and should not 
interfere with the imposition of other types of penalties that may be 
available under state law. Thus, we think it is unlikely that there 
would be a conflict between state and federal law in this respect, so 
that the proposed criterion is unnecessary and confusing. In addition, 
the fact that a state law allows an individual to file a lawsuit to 
protect privacy does not conflict with the HIPAA penalty provisions.

Relates to the Privacy of Individually Identifiable Health Information

    Comment: One comment criticized the definition of this term as too 
narrow in scope and too uncertain. The commenter argued that 
determining the specific purpose of a state law may be difficult and 
speculative, because many state laws have incomplete, inaccessible, or 
non-existent legislative histories. It was suggested that the 
definition be revised by deleting the word ``specific'' before the word 
``purpose.'' Another commenter argued

[[Page 82583]]

that the definition of this term should be narrowed to minimize reverse 
preemption by more stringent state laws. One commenter generally 
supported the proposed definition of this term.
    Response: We are not accepting the first comment. The purpose of a 
given state enactment should be ascertainable, if not from legislative 
history or a purpose statement, then from the statute viewed as a 
whole. The same should be true of state regulations or rulings. In any 
event, it seems appropriate to restrict the field of state laws that 
may potentially trump the federal standards to those that are clearly 
intended to establish state public policy and operate in the same area 
as the federal standards. To the extent that the definition in the 
rules below does this, we have accommodated the second comment. We 
note, however, that we do not agree that the definition should be 
further restricted to minimize ``reverse preemption,'' as suggested by 
this comment, as we believe that state laws that are more protective of 
privacy than contrary federal standards should remain, in order to 
ensure that the privacy of individuals' health information receives the 
maximum legal protection available.

Sections 160.203 and 160.204--Exception Determinations and Advisory 
Opinions

    Most of the comments received on proposed Subpart B lumped together 
the proposed process for exception determinations under section 
1178(a)(2)(A) with the proposed process for issuing advisory opinions 
under section 1178(a)(2)(B), either because the substance of the 
comment applied to both processes or because the commenters did not 
draw a distinction between the two processes. We address these general 
comments in this section.
    Comment: Numerous commenters, particularly providers and provider 
groups, recommended that exception determinations and advisory opinions 
not be limited to states and advocated allowing all covered entities 
(including individuals, providers and insurers), or private sector 
organizations, to request determinations and opinions with respect to 
preemption of state laws. Several commenters argued that limiting 
requests to states would deny third party stakeholders, such as life 
and disability income insurers, any means of resolving complex 
questions as to what rule they are subject to. One commenter noted that 
because it is an insurer who will be liable if it incorrectly analyzes 
the interplay between laws and reaches an incorrect conclusion, there 
would be little incentive for the states to request clarification. It 
would also cause large administrative burdens which, it was stated, 
would be costly and confusing. It was also suggested that the request 
for the exception be made to the applicable state's attorney general or 
chief legal officer, as well as the Secretary. Various changes to the 
language were suggested, such as adding that ``a covered entity, or any 
other entity impacted by this rule'' be allowed to submit the written 
request.
    Response: We agree, and have changed Sec. 164.204(a) below 
accordingly.
    The decision to eliminate advisory opinions makes this issue moot 
with respect to those opinions.
    Comment: Several commenters noted that it was unclear under the 
proposed rule which state officials would be authorized to request a 
determination.
    Response: We agree that the proposed rule was unclear in this 
respect. The final rule clarifies who may make the request for a state, 
with respect to exception determinations. See Sec. 160.204(a). The 
language adopted should ensure that the Secretary receives an 
authoritative statement from the state. At the same time, this language 
provides states with flexibility, in that the governor or other chief 
elected official may choose to designate other state officials to make 
such requests.
    Comment: Many commenters recommended that a process be established 
whereby HHS performs an initial state-by-state critical analysis to 
provide guidance on which state laws will not be preempted; most 
suggested that such an analysis (alternatively referred to as a 
database or clearinghouse) should be completed before providers would 
be required to come into compliance. Many of these comments argued that 
the Secretary should bear the cost for the analyses of state law, 
disagreeing with the premise stated in the preamble to the proposed 
rules that it is more efficient for the private market to complete the 
state-by-state review. Several comments also requested that HHS 
continue to maintain and monitor the exception determination process, 
and update the database over time in order to provide guidance and 
certainty on the interaction of the federal rules with newly enacted or 
amended state laws that are produced after the final rule. Some 
comments recommended that each state be required to certify agreement 
with the HHS analyses.
    In contrast, one hospital association noted concerns that the 
Secretary would conduct a nationwide analysis of state laws. The 
comment stated that implementation would be difficult since much of the 
law is a product of common law, and such state-specific research should 
only be attempted by experienced health care attorneys in each 
jurisdiction.
    Response: These comments seem to be principally concerned with 
potential conflicts between state privacy laws and the privacy 
standards, because, as is more fully explained below, preemption of 
contrary state laws not relating to privacy is automatic unless the 
Secretary affirmatively acts under section 1178(a)(2)(A) to grant an 
exception. We recognize that the provisions of sections 1178(b) (state 
public health laws), and 1178(c) (state regulation of health plans) 
similarly preserve state laws in those areas, but very little of the 
public comment appeared to be concerned with these latter statutory 
provisions. Accordingly, we respond below to what we see as the 
commenters' main concern.
    The Department will not do the kind of global analysis requested by 
many of these comments. What these comments are in effect seeking is a 
global advisory opinion as to when the federal privacy standards will 
control and when they will not. We understand the desire for certainty 
underlying these comments. Nonetheless, the reasons set out above as 
the basis for our decision not to establish a formal advisory opinion 
process apply equally to these requests. We also do not agree that the 
task of evaluating the requirements below in light of existing state 
law is unduly burdensome or unreasonable. Rather, it is common for new 
federal requirements to necessitate an examination by the regulated 
entities of the interaction between existing state law and the federal 
requirements incident to coming into compliance.
    We agree, however, that the case is different where the Secretary 
has affirmatively acted, either through granting an exception under 
section 1178(a)(2)(A) or by making a specific determination about the 
effect of a particular state privacy law in, for example, the course of 
determining an entity's compliance with the privacy standards. As is 
discussed below, the Department intends to routinely make available 
notice of the exception determinations that it makes.
    We do not agree with the comments suggesting that compliance by 
covered entities be delayed pending completion of an analysis by the 
Secretary and that states be required to certify agreement with the 
Secretary's analysis, as we are not institutionalizing the advisory 
opinion/analysis process upon which these comments are predicated.

[[Page 82584]]

Furthermore, with respect to the suggestion regarding delaying the 
compliance date, Congress provided in section 1175(b) of the Act for a 
delay in when compliance is required to accommodate the needs of 
covered entities to address implementation issues such as those raised 
by these comments. With respect to the suggestion regarding requiring 
states to certify their agreement with the Secretary's analysis, we 
have no authority to do this.
    Comment: Several commenters criticized the proposed provision for 
annual publication of determinations and advisory opinions in the 
Federal Register as inadequate. They suggested that more frequent 
notices should be made and the regulation be changed accordingly, to 
provide for publication either quarterly or within a few days of a 
determination. A few commenters suggested that any determinations made, 
or opinions issued, by the Secretary be published on the Department's 
website within 10 days or a few days of the determination or opinion.
    Response: We agree that the proposed provision for annual 
publication was inadequate and have accordingly deleted it. Subpart B 
contains no express requirement for publication, as the Department is 
free to publish its determinations absent such a requirement. It is our 
intention to publish notice of exception determinations on a periodic 
basis in the Federal Register. We will also consider other avenues of 
making such decisions publicly available as we move into the 
implementation process.
    Comment: A few commenters argued that the process for obtaining an 
exception determination or an advisory opinion from the Secretary will 
result in a period of time in which there is confusion as to whether 
state or federal law applies. The proposed regulations say that the 
federal provisions will remain effective until the Secretary makes a 
determination concerning the preemption issue. This means that, for 
example, a state law that was enacted and enforced for many years will 
be preempted by federal law for the period of time during which it 
takes the Secretary to make a determination. Then if the Secretary 
determines that the state law is not preempted, the state law will 
again become effective. Such situations will result in confusion and 
unintended violations of the law. One of the commenters suggested that 
requests for exceptions be required only when a challenge is brought 
against a particular state law, and that a presumption of validity 
should lie with state laws. Another commenter, however, urged that 
``instead of the presumption of preemption, the state laws in question 
would be presumed to be subject to the exception unless or until the 
Secretary makes a determination to the contrary.''
    Response: It is true that the effect of section 1178(a)(2)(A) is 
that the federal standards will preempt contrary state law and that 
such preemption will not be removed unless and until the Secretary acts 
to grant an exception under that section (assuming, of course, that 
another provision of section 1178 does not apply). We do not agree, 
however, that confusion should result, where the issue is whether a 
given state law has been preempted under section 1178(a)(2)(A). Because 
preemption is automatic with respect to state laws that do not come 
within the other provisions of section 1178 (i.e., sections 
1178(a)(2)(B), 1178(b), and 1178(c)), such state laws are preempted 
until the Secretary affirmatively acts to preserve them from preemption 
by granting an exception under section 1178(a)(2)(A).
    We cannot accept the suggestion that a presumption of validity 
attach to state laws, and that states not be required to request 
exceptions except in very narrow circumstances. The statutory scheme is 
the opposite: The statute effects preemption in the section 
1178(a)(2)(A) context unless the Secretary affirmatively acts to except 
the contrary state law in question.
    With respect to preemption under sections 1178(b) and 1178(c) (the 
carve-outs for state public health laws and state regulation of health 
plans), we do not agree that preemption is likely to be a major cause 
of uncertainty. We have deferred to Congressional intent by crafting 
the permissible releases for public health, abuse, and oversight 
broadly. See, Secs. 164.512(b)--(d) below. Since there must first be a 
conflict between a state law and a federal requirement in order for an 
issue of preemption to even arise, we think that, as a practical 
matter, few preemption questions should arise with respect to sections 
1178(b) and 1178(c).
    With respect to preemption of state privacy laws under section 
1178(a)(2)(B), however, we agree that the situation may be more 
difficult to ascertain, because the Secretary does not determine the 
preemption status of a state law under that section, unlike the 
situation with respect to section 1178(a)(2)(A). We have tried to 
define the term ``more stringent'' to identify and particularize the 
factors to be considered by courts to those relevant to privacy 
interests. The more specific (than the statute) definition of this term 
at Sec. 160.202 below should provide some guidance in making the 
determination as to which law prevails. Ambiguity in the state of the 
law might also be a factor to be taken into account in determining 
whether a penalty should be applied.
    Comment: Several comments recommended that exception determinations 
or advisory opinions encompass a state act or code in its entirety (in 
lieu of a provision-specific evaluation) if it is considered more 
stringent as a whole than the regulation. It was argued that since the 
provisions of a given law are typically interconnected and related, 
adopting or overriding them on a provision-by-provision basis would 
result in distortions and/or unintended consequences or loopholes. For 
example, when a state law includes authorization provisions, some of 
which are consistent with the federal requirements and some which are 
not, the cleanest approach is to view the state law as inconsistent 
with the federal requirements and thus preempted in its entirety. 
Similarly, another comment suggested that state confidentiality laws 
written to address the specific needs of individuals served within a 
discrete system of care be considered as a whole in assessing whether 
they are as stringent or more stringent than the federal requirements. 
Another comment requested explicit clarification that state laws with a 
broader scope than the regulation will be viewed as more stringent and 
be allowed to stand.
    Response: We have not adopted the approach suggested by these 
comments. As discussed above with respect to the definition of the term 
``more stringent,'' it is our view that the statute precludes the 
approach suggested. We also suggest that this approach ignores the fact 
that each separate provision of law usually represents a nuanced policy 
choice to, for example, permit this use or prohibit that disclosure; 
the aggregated approach proposed would fail to recognize and weigh such 
policy choices.
    Comment: One comment recommended that the final rule: permit 
requests for exception determinations and advisory opinions as of the 
date of publication of the final rule, require the Secretary to notify 
the requestor within a specified short period of time of all additional 
information needed, and prohibit enforcement action until the Secretary 
issues a response.
    Response: With respect to the first recommendation, we clarify that 
requests for exception determinations may be made at any time; since 
the process for issuing advisory opinions has not been adopted, this 
recommendation is moot as it pertains

[[Page 82585]]

to advisory opinions. With respect to the second recommendation, we 
will undertake to process exception requests as expeditiously as 
possible, but, for the reasons discussed below in connection with the 
comments relating to setting deadlines for those determinations, we 
cannot commit at this time to a ``specified short period of time'' 
within which the Secretary may request additional information. We see 
no reason to agree to the third recommendation. Because contrary state 
laws for which an exception is available only under section 
1178(a)(2)(A) will be preempted by operation of law unless and until 
the Secretary acts to grant an exception, there will be an 
ascertainable standard for compliance purposes, and 
enforcement action would be appropriate where such compliance did not 
occur.

Sections 160.203(a) and 160.204(a)--Exception Determinations

Section 160.203(a)--Criteria for Exception Determinations

    Comment: Numerous comments criticized the proposed criteria for 
their substance or lack thereof. A number of commenters argued that the 
effectiveness language that was added to the third statutory criterion 
made the exception so massive that it would swallow the rule. These 
comments generally expressed concern that laws that were less 
protective of privacy would be granted exceptions under this language. 
Other commenters criticized the criteria generally as creating a large 
loophole that would let state laws that do not protect privacy trump 
the federal privacy standards.
    Response: We agree with these comments. The scope of the statutory 
criteria is ambiguous, but they could be read so broadly as to largely 
swallow the federal protections. We do not think that this was 
Congress's intent. Accordingly, we have added language to most of the 
statutory criteria clarifying their scope. With respect to the criteria 
at section 1178(a)(2)(A)(i), this clarifying language generally ties the 
criteria more specifically to the concern with protecting and making 
more efficient the health care delivery and payment system that 
underlies the Administrative Simplification provisions of HIPAA, but, 
with respect to the catch-all provision at section 
1178(a)(2)(A)(i)(IV), also requires that privacy interests be balanced 
with such concerns, to the extent relevant. We require that exceptions 
for rules to ensure appropriate state regulation of insurance and 
health plans be stated in a statute or regulation, so that such 
exceptions will be clearly tied to statements of priorities made by 
publicly accountable bodies (e.g., through the public comment process 
for regulations, and by elected officials through statutes). With 
respect to the criterion at section 1178(a)(2)(A)(ii), we have further 
delineated what ``addresses controlled substances'' means. The language 
provided, which builds on concepts at 21 U.S.C. 821 and the Medicare 
regulations at 42 CFR 1001.2, delineates the area within which the 
government traditionally regulates controlled substances, both civilly 
and criminally; it is our view that HIPAA was not intended to displace 
such regulation.
    Comment: Several commenters urged that the request for 
determination by the Secretary under proposed Sec. 160.204(a) be 
limited to cases where an exception is absolutely necessary, and that 
in making such a determination, the Secretary should be required to 
make a determination that the benefits of granting an exception 
outweigh the potential harm and risk of disclosure in violation of the 
regulation.
    Response: We have not further defined the statutory term 
``necessary'', as requested. We believe that the determination of what 
is ``necessary'' will be fact-specific and context dependent, and 
should not be further circumscribed absent such specifics. The state 
will need to make its case that the state law in question is 
sufficiently ``necessary'' to accomplish the particular statutory 
ground for exception that it should trump the contrary federal 
standard, requirement, or implementation specification.
    Comment: One commenter noted that a state should be required to 
explain whether it has taken any action to correct any less stringent 
state law for which an exception has been requested. This commenter 
recommended that a section be added to proposed Sec. 160.204(a) stating 
that ``a state must specify what, if any, action has been taken to 
amend the state law to comply with the federal regulations.'' Another 
comment, received in the Transactions rulemaking, took the position 
that exception determinations should be granted only if the state 
standards in question exceeded the national standards.
    Response: The first and last comments appear to confuse the ``more 
stringent'' criterion that applies under section 1178(a)(2)(B) of the 
Act with the criteria that apply to exceptions under section 
1178(a)(2)(A). We are also not adopting the language suggested by the 
first comment, because we do not agree that states should necessarily 
have to try to amend their state laws as a precondition to requesting 
exceptions under section 1178(a)(2)(A). Rather, the question should be 
whether the state has made a convincing case that the state law in 
question is sufficiently necessary for one of the statutory purposes 
that it should trump the contrary federal policy.
    Comment: One commenter stated that state laws that are contrary to 
the federal standards should not be preempted where the state and 
federal standards are found to be equal.
    Response: This suggestion has not been adopted, as it is not 
consistent with the statute. With respect to the administrative 
simplification standards in general, it is clear that the intent of 
Congress was to preempt contrary state laws except in the limited areas 
specified as exceptions or carve-outs. See, section 1178. This 
statutory approach is consistent with the underlying goal of 
simplifying health care transactions through the adoption of uniform 
national standards. Even with respect to state laws relating to the 
privacy of medical information, the statute shields such state laws 
from preemption by the federal standards only if they are ``more'' 
stringent than the related federal standard or implementation 
specification.
    Comment: One commenter noted that determinations would apply only 
to transactions that are wholly intrastate. Thus, any element of a 
health care transaction that would implicate more than one state's law 
would automatically preclude the Secretary's evaluation as to whether 
the laws were more or less stringent than the federal requirement. 
Other commenters expressed confusion about this proposed requirement, 
noting that providers and plans operate now in a multi-state 
environment.
    Response: We agree with the commenters and have dropped the 
proposed requirement. As noted by the commenters, health care entities 
now typically operate in a multi-state environment, and so already make 
the choice-of-law judgments that are necessary in multi-state 
transactions. It is the result of that calculus that will have to be 
weighed against the federal standards, requirements, and implementation 
specifications in the preemption analysis.
    Comment: One comment received in the Transactions rulemaking 
suggested that the Department should allow exceptions to the standard 
transactions to accommodate abbreviated transactions between state 
agencies, such as claims between a public health department and the 
state Medicaid

[[Page 82586]]

agency. Another comment requested an exception for Home and Community 
Based Waiver Services from the transactions standards.
    Response: The concerns raised by these comments would seem to be 
more properly addressed through the process established for maintaining 
and modifying the transactions standards. If the concerns underlying 
these comments cannot be addressed in this manner, however, there is 
nothing in the rules below to preclude states from requesting 
exceptions in such cases. They will then have to make the case that one 
or more grounds for exception applies.

Section 160.204(a)--Process for Exception Determinations--Comments and 
Responses

    Comment: Several comments received in the Transactions rulemaking 
stated that the process for applying for and granting exception 
determinations (referred to as ``waivers'' by some) needed to be 
spelled out in the final rule.
    Response: We agree with these comments. As noted above, since no 
process was proposed in the Transactions rulemaking, a process for 
making exception determinations was not adopted in those final rules. 
Subpart B below adopts a process for making exception determinations, 
which responds to these comments.
    Comment: Comments stated that the exception process would be 
burdensome, unwieldy, and time-consuming for state agencies as well as 
the Department. One comment took the position that states should not be 
required to submit exception requests to the Department under proposed 
Sec. 160.203(a), but could provide documentation that the state law 
meets one of the conditions articulated in proposed Sec. 160.203.
    Response: We disagree that the process adopted at Sec. 160.204 
below will be burdensome, unwieldy, or time-consuming. The only thing 
the regulation describes is the showings that a requestor must make as 
part of its submission, and all are relevant to the issue to be 
determined by the Secretary. How much information is submitted is, 
generally speaking, in the requestor's control, and the regulation 
places no restrictions on how the requestor obtains it, whether by 
acting directly, by working with providers and/or plans, or by working 
with others. With respect to the suggestion that states not be required 
to submit exception requests, we disagree that this suggestion is 
either statutorily authorized or advisable. We read this comment as 
implicitly suggesting that the Secretary must proactively identify 
instances of conflict and evaluate them. This suggestion is, thus, at 
bottom the same as the many suggestions that we create a database or 
compendium of controlling law, and it is rejected for the same reasons.
    Comment: Several comments urged that all state requests for non-
preemption include a process for public participation. These comments 
believe that members of the public and other interested stakeholders 
should be allowed to submit comments on a state's request for 
exception, and that these comments should be reviewed and considered by 
the Secretary in determining whether the exception should be granted. 
One comment suggested that the Secretary at least give notice to the 
citizens of the state prior to granting an exception.
    Response: The revision to Sec. 160.204(a), to permit requests for 
exception determinations by any person, responds to these comments.
    Comment: Many commenters noted that the lack of a clear and 
reasonable time line for the Secretary to issue an exception 
determination would not provide sufficient assurance that the questions 
regarding what rules apply will be resolved in a time frame that will 
allow business to be conducted properly, and argued that this would 
increase confusion and uncertainty about which statutes and regulations 
should be followed. Timeframes of 60 or 90 days were suggested. One 
group suggested that, if a state does not receive a response from HHS 
within 60 days, the waiver should be deemed approved.
    Response: The workload prioritization and management considerations 
discussed above with respect to advisory opinions are also relevant 
here and make us reluctant to agree to a deadline for making exception 
determinations. This is particularly true at the outset, since we have 
no experience with such requests. We therefore have no basis for 
determining how long processing such requests will take, how many 
requests we will need to process, or what resources will be available 
for such processing. We agree that states and other requesters should 
receive timely responses and will make every effort to make 
determinations as expeditiously as possible, but we cannot commit to 
firm deadlines in this initial rule. Once we have experience in 
handling exception requests, we will consult with states and others in 
regard to their experiences and concerns and their suggestions for 
improving the Secretary's expeditious handling of such requests.
    We are not accepting the suggestion that requests for exception be 
deemed approved if not acted upon in some defined time period. Section 
1178(a)(2)(A) requires a specific determination by the Secretary. The 
suggested policy would not be consistent with this statutory 
requirement. It is also inadvisable from a policy standpoint, in that 
it would tend to maximize exceptions. This would be contrary to the 
underlying statutory policy in favor of uniform federal standards.
    Comment: One commenter took exception to the requirement for states 
to seek a determination from the Department that a provision of state 
law is necessary to prevent fraud and abuse or to ensure appropriate 
state regulation of insurance plans, contending that this mandate could 
interfere with the Insurance Commissioners' ability to do their jobs. 
Another commenter suggested that the regulation specifically recognize 
the broad scope of state insurance department activities, such as 
market conduct examinations, enforcement investigations, and consumer 
complaint handling.
    Response: The first comment raises an issue that lies outside our 
legal authority to address, as section 1178(a)(2)(A) clearly mandates 
that the Secretary make a determination in these areas. With respect to 
the second comment, to the extent these concerns pertain to health 
plans, we believe that the provisions at Sec. 164.512 relating to 
oversight and disclosures required by law should address the concerns 
underlying this comment.

Section 160.204(a)(4)--Period of Effectiveness of Exception 
Determinations

    Comment: Numerous commenters stated that the proposed three year 
limitation on the effectiveness of exception determinations would pose 
significant problems and should be limited to one year, since a one 
year limitation would provide more frequent review of the necessity for 
exceptions. The commenters expressed concern that state laws which 
provide less privacy protection than the federal regulation would be 
given exceptions by the Secretary and thus argued that the exceptions 
should be more limited in duration or that the Secretary should require 
that each request, regardless of duration, include a description of the 
length of time such an exception would be needed.
    One state government commenter, however, argued that the 3 year 
limit should be eliminated entirely, on the ground that requiring a 
redetermination

[[Page 82587]]

every three years would be burdensome for the states and be a waste of 
time and resources for all parties. Other commenters, including two 
state agencies, suggested that the exemption should remain effective 
until either the state law or the federal regulation is changed. 
Another commenter suggested that the three year sunset be deleted and 
that the final rule provide for automatic review to determine if 
changes in circumstance or law would necessitate amendment or deletion 
of the opinion. Other recommendations included deeming the state law as 
continuing in effect upon the submission of a state application for an 
exemption rather than waiting for a determination by the Secretary that 
may not occur for a substantial period of time.
    Response: We are persuaded that the proposed 3 year limit on 
exception determinations does not make sense where neither law 
providing the basis for the exception has changed in the interim. We 
also agree that where either law has changed, a previously granted 
exception should not continue. Section 160.205(a) below addresses these 
concerns.

Sections 160.203(b) and 160.204(b)--Advisory Opinions

Section 160.203(b)--Effect of Advisory Opinions

    Comment: Several commenters questioned whether or not DHHS has 
standing to issue binding advisory opinions and recommended that the 
Department clarify this issue before implementation of this regulation. 
One respondent suggested that the Department clarify in the final rule 
the legal issues on which it will opine in advisory opinion requests, 
and state that in responding to requests for advisory opinions the 
Department will not opine on the preemptive force of ERISA with respect 
to state laws governing the privacy of individually identifiable health 
information, since interpretations as to the scope and extent of 
ERISA's preemption provisions are outside of the Department's 
jurisdictional authority.
    One commenter asked whether a state could enforce a state law which 
the Secretary had indicated through an advisory opinion is preempted by 
federal law. This commenter also asked whether the state would be 
subject to penalties if it chose to continue to enforce its own laws.
    Response: As discussed above, in part for reasons raised by these 
comments, the Department has decided not to have a formal process for 
issuing advisory opinions, as proposed.
    Several of these concerns, however, raise issues of broader concern 
that need to be addressed. First, we disagree that the Secretary lacks 
legal authority to opine on whether or not state privacy laws are 
preempted. The Secretary is charged by law with determining compliance, 
and where state law and the federal requirements conflict, a 
determination of which law controls will have to be made in order to 
determine whether the federal standard, requirement, or implementation 
specification at issue has been violated. Thus, the Secretary cannot 
carry out her enforcement functions without making such determinations. 
It is further reasonable that, if the Secretary makes such 
determinations, she can make those determinations known, for whatever 
persuasive effect they may have.
    The questions as to whether a state could enforce, or would be 
subject to penalties if it chose to continue to enforce, its own laws 
following a denial by the Secretary of an exception request under 
Sec. 160.203 or a holding by a court of competent jurisdiction that a 
state privacy law had been preempted by a contrary federal privacy 
standard raise several issues. First, a state law is preempted under 
the Act only to the extent that it applies to covered entities; thus, a 
state is free to continue to enforce a ``preempted'' state law against 
non-covered entities to which the state law applies. If there is a 
question of coverage, states may wish to establish processes to 
ascertain which entities within their borders are covered entities 
within the meaning of these rules. Second, with respect to covered 
entities, if a state were to try to enforce a preempted state law 
against such entities, it would presumably be acting without legal 
authority in so doing. We cannot speak to what remedies might be 
available to covered entities to protect themselves against such 
wrongful state action, but we assume that covered entities could seek 
judicial relief, if all else failed. With respect to the issue of 
imposing penalties on states, we do not see this as likely. The only 
situation that we can envision in which penalties might be imposed on a 
state would be if a state agency were itself a covered entity and 
followed a preempted state law, thereby violating the contrary federal 
standard, requirement, or implementation specification.

Section 160.204(b)--Process for Advisory Opinions

    Comment: Several commenters stated that it was unclear whether a 
state would be required to submit a request for an advisory opinion in 
order for the law to be considered more stringent and thus not 
preempted. The Department should clarify whether a state law could be 
non-preempted even without such an advisory opinion. Another commenter 
requested that the final rule explicitly state that the stricter rule 
always applies, whether it be state or federal, and regardless of 
whether there is any conflict between state and federal law.
    Response: The elimination of the proposed process for advisory 
opinions renders moot the first question. Also, the preceding response 
clarifies that which law preempts in the privacy context (assuming that 
the state law and federal requirement are ``contrary'') is a matter of 
which one is the ``more stringent.'' This is not a matter which the 
Secretary will ultimately determine; rather, this is a question about 
which the courts will ultimately make the final determination. With 
respect to the second comment, we believe that Sec. 160.203(b) below 
responds to this issue, but we would note that the statute already 
provides for this.
    Comment: Several commenters supported the decision to limit the 
parties who may request advisory opinions to the state. These 
commenters did not believe that insurers should be allowed to request 
an advisory opinion and open every state law up to challenge and 
review.
    Several commenters requested that guidance on advisory opinions be 
provided in all circumstances, not only at the Secretary's discretion. 
It was suggested that proposed Sec. 160.204(b)(2)(iv) be revised to 
read as follows: ``A state may submit a written request to the 
Secretary for an advisory opinion under this paragraph. The request 
must include the following information: the reasons why the state law 
should or should not be preempted by the federal standard, requirement, 
or implementation specification, including how the state law meets the 
criteria at Sec. 160.203(b).''
    Response: The decision not to have a formal process for issuing 
advisory opinions renders these issues moot.

Sections 160.203(c) and 160.203(d)--Statutory Carve-Outs

    Comment: Several commenters asked that the Department provide more 
specific examples itemizing activities traditionally regulated by the 
state that could constitute ``carve-out'' exceptions. These commenters 
also requested that the Department include language in the regulation 
stating that if a state law falls within several different exceptions, 
the state chooses which exception shall apply.

[[Page 82588]]

    Response: We are concerned that itemizing examples in this way 
could leave out important state laws or create inadvertent negative 
implications that laws not listed are not included. However, as 
explained above, we have designed the types of activities that are 
permissive disclosures for public health under Sec. 164.512(b) below in 
part to come within the carve-out effected by section 1178(b); while 
the state regulatory activities covered by section 1178(c) will 
generally come within Sec. 164.512(d) below. With respect to the 
comments asking that a state get to ``choose'' which exception it comes 
under, we have in effect provided for this with respect to exceptions 
under section 1178(a)(2)(A), by giving the state the right to request 
an exception under that section. With respect to exceptions under 
section 1178(a)(2)(B), those exceptions occur by operation of law, and 
it is not within the Secretary's power to ``let'' the state choose 
whether an exception occurs under that section.
    Comment: Several commenters took the position that the Secretary 
should not limit the procedural requirements in proposed 
Sec. 160.204(a) to only those applications under proposed 
Sec. 160.203(a). They urged that the requirements of proposed 
Sec. 160.204(a) should also apply to preemption under sections 
1178(a)(2)(B), 1178(b) and 1178(c). It was suggested that the rules 
should provide for exception determinations with respect to the matters 
covered by these provisions of the statute; such additional provisions 
would provide clear procedures for states to follow and ensure that 
requests for exceptions are adequately documented.
    A slightly different approach was taken by several commenters, who 
recommended that proposed Sec. 160.204(b) be amended to clarify that 
the Secretary will also issue advisory opinions as to whether a state 
law constitutes an exception under proposed Secs. 160.203(c) and 
160.203(d). This change would, they argued, give states the same 
opportunity for guidance that they have under Sec. 160.203(a) and (b), 
and as such, avoid costly lawsuits to preserve state laws.
    Response: We are not taking either of the recommended courses of 
action. With respect to the recommendation that we expand the exception 
determination process to encompass exceptions under sections 
1178(a)(2)(B), 1178(b), and 1178(c), we do not have the authority to 
grant exceptions under these sections. Under section 1178, the 
Secretary has authority to make exception determinations only with 
respect to the matters covered by section 1178(a)(2)(A); contrary state 
laws coming within section 1178(a)(2)(B) are preempted if not more 
stringent, while if a contrary state law comes within section 1178(b) 
or section 1178(c), it is not preempted. These latter statutory 
provisions operate by their own terms. Thus, it is not within the 
Secretary's authority to establish the determination process which 
these comments seek.
    With respect to the request seeking advisory opinions in the 
section 1178(b) and 1178(c) situations, we agree that we have the 
authority to issue such opinions. However, the considerations described 
above that have led us not to adopt a formal process for issuing 
advisory opinions in the privacy context apply with equal force and 
effect here.
    Comment: One commenter argued that it would be unnecessarily 
burdensome for state health data agencies (whose focus is on the cost 
of healthcare or improving Medicare, Medicaid, or the healthcare 
system) to obtain a specific determination from the Department for an 
exception under proposed Sec. 160.203(c). States should be required 
only to notify the Secretary of their own determination that such 
collection is necessary. It was also argued that cases where the 
statutory carve-outs apply should not require a Secretarial 
determination.
    Response: We clarify that no Secretarial determination is required 
for activities that fall into one of the statutory carve-outs. With 
respect to data collections for state health data agencies, we note 
that provision has been made for many of these activities in several 
provisions of the rules below, such as the provisions relating to 
disclosures required by law (Sec. 164.512(a)), disclosures for 
oversight (Sec. 164.512(d)), and disclosures for public health 
(Sec. 164.512(b)). Some disclosures for Medicare and Medicaid purposes 
may also come within the definition of health care operations. A fuller 
discussion of this issue appears in connection with Sec. 164.512 below.

Constitutional Comments and Responses

    Comment: Several commenters suggested that as a general matter the 
rule is unconstitutional.
    Response: We disagree that the rule is unconstitutional. The 
particular grounds for this conclusion are set out with respect to 
particular constitutional issues in the responses below. With respect 
to the comments that simply made this general assertion, the lack of 
detail of the comments makes a substantive response impossible.

Article II

    Comment: One commenter contended that the Secretary improperly 
delegated authority to private entities by requiring covered entities 
to enter into contracts with, monitor, and take action for violations 
of the contract against their business partners. This comment asserted 
that the selection of these entities to ``enforce'' the regulations 
violates the Executive Powers Clause and the Appointments and Take Care 
Clauses.
    Response: We reject the assertion that the business associate 
provisions constitute an improper delegation of executive power to 
private entities. HIPAA provides HHS with authority to enforce the 
regulation against covered entities. The rules below regulate only the 
conduct of the covered entity; to the extent a covered entity chooses 
to carry out its functions through a business associate, those functions 
are still functions of the covered entity. Thus, no improper delegation 
has occurred because what is being regulated are the actions of the 
covered entity, not the actions of the business associate in its 
independent capacity.
    We also reject the suggestion that the business associates 
provisions constitute an improper appointment of covered entities to 
enforce the regulation and violate the Take Care Clause. Because the 
Secretary has not delegated authority to covered entities, the 
inference that she has appointed covered entities to exercise such 
authority misses the mark.

Commerce Clause

    Comment: A few commenters suggested that the privacy regulation 
regulates activities that are not in interstate commerce and which are, 
therefore, beyond the powers the U.S. Constitution gives the federal 
government.
    Response: We disagree. Health care providers, health plans, and 
health care clearinghouses are engaged in economic and commercial 
activities, including the exchange of individually identifiable health 
information electronically across state lines. These activities 
constitute interstate commerce. Therefore, they come within the scope 
of Congress' power to regulate interstate commerce.

Nondelegation Doctrine

    Comment: Some commenters objected to the manner by which Congress 
provided the Secretary authority to promulgate this regulation. These 
comments asserted that Congress violated the nondelegation doctrine by 
(1) not providing an ``intelligible principle'' to guide the agency, 
(2) not establishing ``ascertainable standards,'' and (3) improperly permitting 
the Secretary to make social policy decisions.
    Response: We disagree. HIPAA clearly delineates Congress' general 
policy to establish strict privacy protections for individually 
identifiable health information to encourage electronic transactions. 
Congress also established boundaries limiting the Secretary's 
authority. Congress established these limitations in several ways, 
including by calling for privacy standards for ``individually 
identifiable health information''; specifying that privacy standards 
must address individuals' rights regarding their individually 
identifiable health information, the procedures for exercising those 
rights, and the particular uses and disclosures to be authorized or 
required; restricting the direct application of the privacy standards 
to ``covered entities,'' which Congress defined; requiring consultation 
with the National Committee on Vital and Health Statistics and the 
Attorney General; specifying the circumstances under which the federal 
requirements would supersede state laws; and specifying the civil and 
criminal penalties the Secretary could impose for violations of the 
regulation. These limitations also serve as ``ascertainable standards'' 
upon which reviewing courts can rely to determine the validity of the 
exercise of authority.
    Although Congress could have chosen to impose expressly an 
exhaustive list of specifications that must be met in order to achieve 
the protective purposes of the HIPAA, it was entirely permissible for 
Congress to entrust to the Secretary the task of providing these 
specifications based on her experience and expertise in dealing with 
these complex and technical matters.
    We disagree with the comments that Congress improperly delegated 
Congressional policy choices to her. Congress clearly decided to create 
federal standards protecting the privacy of ``individually identifiable 
health information'' and not to preempt state laws that are more 
stringent. Congress also determined over whom the Secretary would have 
authority, the type of information protected, and the minimum level of 
regulation.

Separation of Powers

    Comment: Some commenters asserted that the federal government may 
not preempt state laws that are not as strict as the privacy regulation 
because to do so would violate the separation of powers in the U.S. 
Constitution. One comment suggested that the rules raised a substantial 
constitutional issue because, as proposed, they permitted the Secretary 
to make determinations on preemption, which is a role reserved for the 
judiciary.
    Response: We disagree. We note that this comment only pertains to 
determinations under section 1178(a)(2)(A); as discussed above, the 
rules below provide for no Secretarial determinations with respect to 
state privacy laws coming within section 1178(a)(2)(B). With respect to 
determinations under section 1178(a)(2)(A), however, the final rules, 
like the proposed rules, provide that at a state's request the 
Secretary may make certain determinations regarding the preemptive 
effect of the rules on a particular state law. As is usually the case 
with administrative decisions, these determinations are subject to 
judicial review under the Administrative Procedure Act.

First Amendment

    Comment: Some comments suggested that the rules violated the First 
Amendment. They asserted that if the rule included Christian Science 
practitioners as covered entities it would violate the separation of 
church and state doctrine.
    Response: We disagree. The First Amendment does not always prohibit 
the federal government from regulating secular activities of religious 
organizations. However, we address concerns relating to Christian 
Science practitioners more fully in the response to comments discussion 
of the definition of ``covered entity'' in Sec. 160.103.

Fourth Amendment

    Comment: Many comments expressed Fourth Amendment concerns about 
various proposed provisions. These comments fall into two categories--
general concerns about warrantless searches and specific concerns about 
administrative searches. Several comments argued that the proposed 
regulations permit law enforcement and government officials access to 
protected health information without first requiring a judicial search 
warrant or an individual's consent. These comments rejected the 
applicability of any of the existing exceptions permitting warrantless 
searches in this context. Another comment argued that federal and state 
police should be able to obtain personal medical records only with the 
informed consent of an individual. Many of these comments also 
expressed concern that protected health information could be provided 
to government or private agencies for inclusion in a governmental 
health data system.
    Response: We disagree that the provisions of these rules that 
permit disclosures for law enforcement purposes and governmental health 
data systems generally violate the Fourth Amendment. The privacy 
regulation does not create new access rights for law enforcement. 
Rather, it refrains from placing a significant barrier in front of 
access rights that law enforcement currently has under existing legal 
authority. While the regulation may permit a covered entity to make 
disclosures in specified instances, it does not require the covered 
entity to make the disclosure. Thus, because we are not modifying 
existing law regarding disclosures to law enforcement officials, except 
to strengthen the requirements related to requests already authorized 
under law, and are not requiring any such disclosures, the privacy 
regulation does not infringe upon individuals' Fourth Amendment rights. 
We discuss the rationale underlying the permissible disclosures to law 
enforcement officials more fully in the preamble discussion relating to 
Sec. 164.512(f).
    We note that the proposed provision relating to disclosures to 
government health data systems has been eliminated in the final rule. 
However, to the extent that the comments can be seen as raising concern 
over disclosure of protected health information to government agencies 
for public health, health oversight, or other purposes permitted by the 
final rule, the reasoning in the previous paragraph applies.
    Comment: One commenter suggested that the rules violate the Fourth 
Amendment by requiring covered entities to provide access to the 
Secretary to their books, records, accounts, and facilities to ensure 
compliance with these rules. The commenter also suggested that the 
requirement that covered entities enter into agreements with their 
business partners to make their records available to the Secretary for 
inspection as well also violates the warrant requirement of the Fourth 
Amendment.
    Response: We disagree. These requirements are consistent with U.S. 
Supreme Court cases holding that warrantless administrative searches of 
commercial property are not per se violations of the Fourth Amendment. 
The provisions requiring that covered entities provide access to 
certain material to determine compliance with the regulation come 
within the well-settled exception regarding closely regulated 
businesses and industries to the warrant requirement. From state and 
local licensure laws to the federal fraud and abuse statutes and 
regulations, the health care industry is one of the most tightly 
regulated businesses in the country. Because the industry has 
such an extensive history of government oversight and involvement, 
those operating within it have no reasonable expectation of privacy 
from the government such that a warrant would be required to determine 
compliance with the rules.
    In addition, the cases cited by the commenters concern unannounced 
searches of the premises and facilities of particular entities. Because 
our enforcement provisions only provide for the review of books, 
records, and other information and only during normal business hours 
with notice, except for exceptional situations, this case law does not 
apply.
    As for business associates, they voluntarily enter into their 
agreements with covered entities. Such an agreement, therefore, functions 
as a knowing and voluntary consent to the search (even assuming it could 
be understood to be a search) and obviates the need for a warrant.

Fifth Amendment

    Comment: Several comments asserted that the proposed rules violated 
the Fifth Amendment because in the commenters' views they authorized 
the taking of private property without just compensation or due process 
of law.
    Response: We disagree. The rules set forth below do not address the 
issue of who owns an individual's medical record. Instead, they address 
what uses and disclosures of protected health information may be made 
by covered entities with or without a consent or authorization. As 
described in response to a similar comment, medical records historically 
have been the property of the health care provider or medical facility 
that created them. In some states, statutes directly provide 
these entities with ownership. These laws are limited by laws that 
provide patients or their representatives with access to the records or 
that provide the patient with an ownership interest in the information 
within the records. As we discuss, the final rule is consistent with 
current state law that provides patients access to protected health 
information, but not ownership of medical records. State laws that 
provide patients with greater access would remain in effect. Therefore, 
because patients do not own their records, no taking can occur. As for 
their interest in the information, the final rule retains their rights. 
As for covered entities, the final rule does not take away their 
ownership rights or make their ownership interest in the protected 
health information worthless. Therefore, no taking has occurred in 
these situations either.

Ninth and Tenth Amendments

    Comment: Several comments asserted that the proposed rules violated 
the Ninth and Tenth Amendments. One commenter suggested that the Ninth 
Amendment prohibits long and complicated regulations. Other commenters 
suggested that the proposed rules authorized the compelled disclosure 
of individually identifiable health information in violation of State 
constitutional provisions, such as those in California and Florida. 
Similarly, a couple of commenters asserted that the privacy rules 
violate the Tenth Amendment.
    Response: We disagree. The Ninth and Tenth Amendments address the 
rights retained by the people and acknowledge that the States or the 
people are reserved the powers not delegated to the federal government 
and not otherwise prohibited by the Constitution. Because HHS is 
regulating under a delegation of authority from Congress in an area 
that affects interstate commerce, we are within the powers provided to 
Congress in the Constitution. Nothing in the Ninth Amendment, or any 
other provision of the Constitution, restricts the length or complexity 
of any law. Additionally, we do not believe the rules below 
impermissibly authorize behavior that violates State constitutions. 
This rule requires disclosure only to the individual or to the 
Secretary to enforce this rule. As noted in the preamble discussion of 
``Preemption,'' these rules do not preempt State laws, including 
constitutional provisions, that are contrary to and more stringent, as 
defined at Sec. 160.202, than these rules. See the discussion of 
``Preemption'' for further clarification. Therefore, if these State 
constitutions are contrary to the rule below and provide greater 
protection, they remain in full force; if they do not, they are 
preempted, in accordance with the Supremacy Clause of the Constitution.

Right to Privacy

    Comment: Several comments suggested that the proposed regulation 
would violate the right to privacy guaranteed by the First, Fourth, 
Fifth, and Ninth Amendments because it would permit covered entities to 
disclose protected health information without the consent of the 
individual.
    Response: These comments did not provide specific facts or legal 
basis for the claims. We are, thus, unable to provide a substantive 
response to these particular comments. However, we note that the rule 
requires disclosures only to the individual or to the Secretary to 
determine compliance with this rule. Other uses or disclosures under 
this rule are permissive, not required. Therefore, if a particular use 
or disclosure under this rule is viewed as interfering with a right that 
prohibits the use or disclosure, the rule itself is not what requires 
the use or disclosure.

Void for Vagueness

    Comment: One comment suggested that the Secretary's use of a 
``reasonableness'' standard is unconstitutionally vague. Specifically, 
this comment objected to the requirement that covered entities use 
``reasonable'' efforts to use or disclose the minimum amount of 
protected health information, to ensure that business partners comply 
with the privacy provisions of their contracts, to notify business 
partners of any amendments or corrections to protected health 
information, and to verify the identity of individuals requesting 
information, as well as charge only a ``reasonable'' fee for inspecting 
and copying health information. This comment asserted that the 
Secretary provided ``inadequate guidance'' as to what qualifies as 
``reasonable.''
    Response: We disagree with the comment's suggestion that by 
applying a ``reasonableness'' standard, the regulation has failed to 
provide for ``fair warning'' or ``fair enforcement.'' The 
``reasonableness'' standard is well-established in law; for example, it 
is the foundation of the common law of torts. Courts also have 
consistently held as constitutional statutes that rely upon a 
``reasonableness'' standard. Our reliance upon a ``reasonableness'' 
standard, thus, provides covered entities with constitutionally 
sufficient guidance.

Criminal Intent

    Comment: One comment argued that the regulation's reliance upon a 
``reasonableness'' standard criminalizes ``unreasonable efforts'' 
without requiring criminal intent or mens rea.
    Response: We reject this suggestion because HIPAA clearly provides 
the criminal intent requirement. Specifically, HIPAA provides that a 
``person who knowingly and in violation of this part--(1) uses or 
causes to be used a unique health identifier; (2) obtains individually 
identifiable health information relating to an individual; or (3) 
discloses individually identifiable health information to another 
person, shall be punished as provided in subsection (b).'' HIPAA 
section 1177 (emphasis added). Subsection (b) also relies on a 
knowledge standard in outlining the three levels of criminal sanctions. 
Thus, Congress, not 
the Secretary, established the mens rea by including the term 
``knowingly'' in the criminal penalty provisions of HIPAA.

Data Collection

    Comment: One commenter suggested that the U.S. Constitution 
authorized the collection of data on individuals only for the purpose 
of the census.
    Response: While it might be true that the U.S. Constitution 
expressly discusses the national census, it does not forbid federal 
agencies from collecting data for other purposes. The ability of 
agencies to collect non-census data has been upheld by the courts.

Relationship to Other Federal Laws

    Comment: We received several comments that sought clarification of 
the interaction of various federal laws and the privacy regulation. 
Many of these comments simply listed federal laws and regulations with 
which the commenter currently must comply. For example, commenters 
noted that they must comply with regulations relating to safety, public 
health, and civil rights, including Medicare and Medicaid, the 
Americans with Disabilities Act, the Family and Medical Leave Act, the 
Federal Aviation Administration regulations, the Department of 
Transportation regulations, the Federal Highway Administration 
regulations, the Occupational Safety and Health Administration 
regulations, and the Environmental Protection Agency regulations, and 
alcohol and drug free workplace rules. These commenters suggested that 
the regulation state clearly and unequivocally that uses or disclosures 
of protected health information for these purposes were permissible. 
Some suggested modifying the definition of health care operations to 
include these uses specifically. Another suggestion was to add a 
section that permitted the transmission of protected health information 
to employers when reasonably necessary to comply with federal, state, 
or municipal laws and regulations, or when necessary for public or 
employee safety and health.
    Response: Although we sympathize with entities' needs to evaluate 
the existing laws with which they must comply in light of the 
requirements of the final regulation, we are unable to respond 
substantially to comments that do not pose specific questions. We 
offer, however, the following guidance: if a covered entity is 
required to disclose protected health information pursuant to a 
specific statutory or regulatory scheme, the covered entity generally 
will be permitted under Sec. 164.512(a) to make these disclosures 
without a consent or authorization; if, however, a statute or 
regulation merely suggests a disclosure, the covered entity will need 
to determine if the disclosure comes within another category of 
permissible disclosure under Secs. 164.510 or 164.512 or, 
alternatively, if the disclosure would otherwise come within 
Sec. 164.502. If not, the entity will need to obtain a consent or 
authorization for the disclosure.
    Comment: One commenter sought clarification as to when a disclosure 
is considered to be ``required'' by another law versus ``permitted'' by 
that law.
    Response: We use these terms according to their common usage. By 
``required by law,'' we mean that a covered entity has a legal 
obligation to disclose the information. For example, if a statute 
states that a covered entity must report the names of all individuals 
presenting with gun shot wounds to the emergency room or else be fined 
$500 for each violation, a covered entity would be required by law to 
disclose the protected health information necessary to comply with this 
mandate. The privacy regulation permits this type of disclosure, but 
does not require it. Therefore, if a covered entity chose not to comply 
with the reporting statute it would violate only the reporting statute 
and not the privacy regulation.
    On the other hand, if a statute stated that a covered entity may or 
is permitted to report the names of all individuals presenting with gun 
shot wounds to the emergency room and, in turn, would receive $500 for 
each month it made these reports, a covered entity would not be 
permitted by Sec. 164.512(a) to disclose the protected health 
information. Of course, if another permissible provision applied to 
these facts, the covered entity could make the disclosure under that 
provision, but it would not be considered a disclosure required by law. See 
discussion under Sec. 164.512(a) below.
    Comment: Several commenters suggested that the proposed rule was 
unnecessarily duplicative of existing regulations for federal programs, 
such as Medicare, Medicaid, and the Federal Employee Health Benefit 
Program.
    Response: Congress specifically subjected certain federal programs, 
including Medicare, Medicaid, and the Federal Employee Health Benefit 
Program to the privacy regulation by including them within the 
definition of ``health plan.'' Therefore, covered entities subject to 
requirements of existing federal programs will also have to comply with 
the privacy regulation.
    Comment: One comment asserts that the regulation would not affect 
current federal requirements if the current requirements are weaker 
than the requirements of the privacy regulation. This same commenter 
suggested that current federal requirements will trump both state law 
and the proposed regulation, even if Medicaid transactions remain 
wholly intrastate.
    Response: We disagree. As noted in our discussion of ``Relationship 
to Other Federal Laws,'' each law or regulation will need to be 
evaluated individually. We similarly disagree with the second assertion 
made by the commenter. The final rule will preempt state laws only in 
specific instances. For a more detailed analysis, see the preamble 
discussion of ``Preemption.''

Administrative Subpoenas

    Comment: One comment stated that the final rule should not impose 
new standards on administrative subpoenas that would conflict with 
existing laws or administrative or judicial rules that establish 
standards for issuing subpoenas. Nor should the final rule conflict 
with established standards for the conduct of administrative, civil, or 
criminal proceedings, including the rules regarding the discovery of 
evidence. Other comments sought further restrictions on access to 
protected health information in this context.
    Response: Section 164.512(e) below addresses disclosures for 
judicial and administrative proceedings. The final rules generally do 
not interfere with these existing processes to the extent an individual 
served with a subpoena, court order, or other similar process is able 
to raise objections already available. See the discussion below under 
Sec. 164.512(e) for a fuller response.

Americans with Disabilities Act

    Comment: Several comments discussed the intersection between the 
proposed Privacy Rule and the Americans with Disabilities Act (``ADA'') 
and sections 503 and 504 of the Rehabilitation Act of 1973. One comment 
suggested that the final rule explicitly allows disclosures authorized 
by the Americans with Disabilities Act without an individual's 
authorization, because this law, in the commenter's view, provides more 
than adequate protection for the confidentiality of medical records in 
the employment context. The comment noted that under these laws 
employers may receive information related to fitness for duty, pre-
employment physicals, routine examinations, return to work 
examinations, examinations following other types of absences, 
examinations triggered by specific events, changes in circumstances, 
requests for reasonable accommodations, leave requests, 
employee wellness programs, and medical monitoring.
    Other commenters suggested that the ADA requires the disclosure of 
protected health information to employers so that the employee may take 
advantage of the protections of these laws. They suggested that the 
final rules clarify that employment may be conditioned on obtaining an 
authorization for disclosure of protected health information for lawful 
purposes and provide guidance concerning the interaction of the ADA 
with the final regulation's requirements. Several commenters wanted 
clarification that the privacy regulation would not permit employers to 
request or use protected health information in violation of the ADA.
    Response: We disagree with the comment that the final rule should 
allow disclosures of protected health information authorized by the ADA 
without the individual's authorization. We learned from the comments 
that access to and use of protected health information by employers is 
of particular concern to many people. With regard to employers, we do 
not have statutory authority to regulate them. Therefore, it is beyond 
the scope of this regulation to prohibit employers from requesting or 
obtaining protected health information. Covered entities may disclose 
protected health information about individuals who are members of an 
employer's workforce with an authorization. Nothing in the privacy 
regulation prohibits employers from obtaining that authorization as a 
condition of employment. We note, however, that employers must comply 
with other laws that govern them, such as nondiscrimination laws. For 
example, if an employer receives a request for a reasonable 
accommodation, the employer may require reasonable documentation about 
the employee's disability and the functional limitations that require 
the reasonable accommodation, if the disability and the limitations are 
not obvious. If the individual provides insufficient documentation and 
does not provide the missing information in a timely manner after the 
employer's subsequent request, the employer may require the individual 
to go to an appropriate health professional of the employer's choice. 
In this situation, if the employee does not authorize the disclosure of 
information to substantiate the disability and the need for reasonable 
accommodation, the employer need not provide the accommodation.
    We agree that this rule does not permit employers to request or use 
protected health information in violation of the ADA or other 
antidiscrimination laws.

Appropriations Laws

    Comment: One comment suggested that the penalty provisions of 
HIPAA, if extended to the privacy regulation, would require the 
Secretary to violate ``Appropriations Laws'' because the Secretary 
could be in the position of assessing penalties against her own and 
other federal agencies in their roles as covered entities. Enforcing 
penalties on these entities would require the transfer of agency funds 
to the General Fund.
    Response: We disagree. Although we anticipate achieving voluntary 
compliance and resolving any disputes prior to the actual assessment of 
penalties, the Department of Justice's Office of Legal Counsel has 
determined in similar situations that federal agencies have authority 
to assess penalties against other federal agencies and that doing so is 
not in violation of the Anti-Deficiency Act, 31 U.S.C. 1341.

Balanced Budget Act of 1997

    Comment: One comment expressed concern that the regulation would 
place tremendous burdens on providers already struggling with the 
effects of the Balanced Budget Act of 1997.
    Response: We appreciate the costs covered entities face when 
complying with other statutory and regulatory requirements, such as the 
Balanced Budget Act of 1997. However, HHS cannot address the impact of 
the Balanced Budget Act or other statutes in the context of this 
regulation.
    Comment: Another comment stated that the regulation is in direct 
conflict with the Balanced Budget Act of 1997 (``BBA''). The comment 
asserts that the regulation's compliance date conflicts with the BBA, 
as well as Generally Accepted Accounting Principles. According to the 
comment, covered entities that made capital acquisitions to ensure 
compliance with the year 2000 (``Y2K'') problem would not be able to 
account for the full depreciation of these systems until 2005. Because 
HIPAA requires compliance before that time, the regulation would force 
premature obsolescence of this equipment because while it is Y2K 
compliant, it may be HIPAA non-compliant.
    Response: This comment raises two distinct issues--(1) the 
investment in new equipment and (2) the compliance date. With regard to 
the first issue, we reject the comment's assertion that the regulation 
requires covered entities to purchase new information systems or 
information technology equipment, but realize that some covered 
entities may need to update their equipment. We have tried to minimize 
the costs, while responding appropriately to Congress' mandate for 
privacy rules. We have dealt with the cost issues in detail in the 
``Regulatory Impact Analysis'' section of this Preamble. With regard to 
the second issue, Congress, not the Secretary, established the 
compliance date at section 1175(b) of the Act.

Civil Rights of Institutionalized Persons Act

    Comment: A few comments expressed concern that the privacy 
regulation would inadvertently hinder the Department of Justice Civil 
Rights Division's investigations under the Civil Rights of 
Institutionalized Persons Act (``CRIPA''). These comments suggested 
clearly including civil rights enforcement activities as health care 
oversight.
    Response: We agree with this comment. We do not intend for the 
privacy rules to hinder CRIPA investigations. Thus, the final rule 
includes agencies that are authorized by law to ``enforce civil rights 
laws for which health information is relevant'' in the definition of 
``health oversight agency'' at Sec. 164.501. Covered entities are 
permitted to disclose protected health information to health oversight 
agencies under Sec. 164.512(d) without an authorization. Therefore, we 
do not believe the final rule should hinder the Department of Justice's 
ability to conduct investigations pursuant to its authority in CRIPA.

Clinical Laboratory Improvement Amendments

    Comment: One comment expressed concern that the proposed definition 
of health care operations did not include activities related to the 
quality control clinical studies performed by laboratories to 
demonstrate the quality of patient test results. Because the Clinical 
Laboratory Improvement Amendments of 1988 (``CLIA'') require these 
studies, which the comment asserted require the use of protected health 
information, the comment suggested including this specific activity in 
the definition of ``health care operations.''
    Response: We do not intend for the privacy regulation to impede the 
ability of laboratories to comply with the requirements of CLIA. 
Quality control activities come within the definition of ``health care 
operations'' in Sec. 164.501 because they come within the meaning of 
the term ``quality assurance activities.'' To the extent they would not 
come within health care operations, but
are required by CLIA, the privacy regulation permits clinical 
laboratories that are regulated by CLIA to comply with mandatory uses 
and disclosures of protected health information pursuant to 
Sec. 164.512(a).
    Comment: One comment stated that the proposed regulation's right of 
access for inspection and copying provisions were contrary to CLIA in 
that CLIA permits laboratories to disclose lab test results only to 
``authorized persons.'' This comment suggested that the final rule 
include language adopting this restriction to ensure that patients not 
obtain laboratory test results before the appropriate health care 
provider has reviewed and explained those results to the patients.
    A similar comment stated that the lack of preemption of state laws 
could create problems for clinical laboratories under CLIA. 
Specifically, this comment noted that CLIA permits clinical 
laboratories to perform tests only upon the written or electronic 
request of, and to provide the results to, an ``authorized person.'' 
State laws define who is an ``authorized person.'' The comment 
expressed concern as to whether the regulation would preempt state laws 
that only permit physicians to receive test results.
    Response: We agree that CLIA controls in these cases. Therefore, we 
have amended the right of access, Sec. 164.524(a), so that a covered 
entity that is subject to CLIA does not have to provide access to the 
individual to the extent such access would be prohibited by law. 
Because of this change, we believe the preemption concern is moot.

Controlled Substances Act

    Comment: One comment expressed concern that the privacy regulation 
as proposed would restrict the Drug Enforcement Administration's (``the 
DEA'') 
enforcement of the Controlled Substances Act (``CSA''). The comment 
suggested including enforcement activities in the definition of 
``health oversight agency.''
    Response: In our view, the privacy regulation should not impede the 
DEA's ability to enforce the CSA. First, to the extent the CSA requires 
disclosures to the DEA, these disclosures would be permissible under 
Sec. 164.512(a). Second, some of the DEA's CSA activities come within 
the exception for health oversight agencies which permits disclosures 
to health oversight agencies for:

    Activities authorized by law, including audits; civil, 
administrative, or criminal investigations; inspections * * * civil, 
administrative, or criminal proceedings or actions; and other 
activity necessary for appropriate oversight of the health care 
system.

    Therefore, to the extent the DEA is enforcing the CSA, disclosures 
to it in its capacity as a health oversight agency are permissible 
under Sec. 164.512(d). Alternatively, CSA-required disclosures to the 
DEA for law enforcement purposes are permitted under Sec. 164.512(f). 
When acting as a law enforcement agency under the CSA, the DEA may 
obtain the information pursuant to Sec. 164.512(f). Thus, we do not 
agree that the privacy regulation will impede the DEA's enforcement of 
the CSA. See the preamble discussion of Sec. 164.512 for further 
explanation.
    Comment: One commenter suggested clarifying the provisions allowing 
disclosures that are ``required by law'' to ensure that the mandatory 
reporting requirements the CSA imposes on covered entities, including 
making available reports, inventories, and records of transactions, are 
not preempted by the regulation.
    Response: We agree that the privacy regulation does not alter 
covered entities' obligations under the CSA. Because the CSA requires 
covered entities manufacturing, distributing, and/or dispensing 
controlled substances to maintain and provide to the DEA specific 
records and reports, the privacy regulation permits these disclosures 
under Sec. 164.512(a). In addition, when the DEA seeks documents to 
determine an entity's compliance with the CSA, such disclosures are 
permitted under Sec. 164.512(d).
    Comment: The same commenter expressed concern that the proposed 
privacy regulation inappropriately limits voluntary reporting and would 
prevent or deter employees of covered entities from providing the DEA 
with information about violations of the CSA.
    Response: We agree with the general concerns expressed in this 
comment. We do not believe the privacy rules will limit voluntary 
reporting of violations of the CSA. The CSA requires certain entities 
to maintain several types of records that may include protected health 
information. Although reports that include protected health 
information may be restricted under these rules, reporting the fact 
that an entity is not maintaining proper reports is not. If it were 
necessary to obtain protected health information during the 
investigatory stages following such a voluntary report, the DEA would 
be able to obtain the information in other ways, such as by following 
the administrative procedures outlined in Sec. 164.512(e).
    We also agree that employees of covered entities who report 
violations of the CSA should not be subjected to retaliation by their 
employers. Under Sec. 164.502(j), we specifically state that a covered 
entity is not considered to have violated the regulation if a workforce 
member or business associate in good faith reports violations of laws 
or professional standards by covered entities to appropriate 
authorities. See discussion of Sec. 164.502(j) below.

Department of Transportation

    Comment: Several commenters stated that the Secretary should 
recognize in the preamble that it is permissible for employers to 
condition employment on an individual's delivering a consent to certain 
medical tests and/or examinations, such as drug-free workplace programs 
and Department of Transportation (``DOT'')-required physical 
examinations. These comments also suggested that employers should be 
able to receive certain information, such as pass/fail test and 
examination results, fitness-to-work assessments, and other legally 
required or permissible physical assessments without obtaining an 
authorization. To achieve this goal, these comments suggested defining 
``health information'' to exclude information such as information about 
how much weight a specific employee can lift.
    Response: We reject the suggestion to define ``health 
information,'' which Congress defined in HIPAA, so that it excludes 
individually identifiable health information that may be relevant to 
employers for these types of examinations and programs. We do not 
regulate employers. Nothing in the rules prohibits employers from 
conditioning employment on an individual signing the appropriate 
consent or authorization. By the same token, however, the rules below 
do not relieve employers from their obligations under the ADA and other 
laws that restrict the disclosure of individually identifiable health 
information.
    Comment: One commenter asserted that the proposed regulation 
conflicts with the DOT guidelines regarding positive alcohol and drug 
tests, which require that the employer be notified in writing of the 
results. This notification contains protected health information. In 
addition, the treatment center records must be provided to the 
Substance Abuse Professional (``SAP''), and the employer must receive a 
report from the SAP with random drug testing recommendations.
    Response: It is our understanding that DOT requires drug testing of 
all applicants for employment in safety-sensitive positions or 
individuals being transferred to such positions.
Employers, pursuant to DOT regulations, may condition an employee's 
employment or position upon first obtaining an authorization for the 
disclosure of results of these tests to the employer. Therefore, we do 
not believe the final rules conflict with the DOT requirements, which 
do not prohibit obtaining authorizations before such information is 
disclosed to employers.

Developmental Disabilities Act

    Comment: One commenter urged HHS to ensure that the regulation 
would not impede access to individually identifiable health information 
to entities that are part of the Protection and Advocacy System to 
investigate abuse and neglect as authorized by the Developmental 
Disabilities Bill of Rights Act.
    Response: The Developmental Disabilities Assistance and Bill of 
Rights Act of 2000 (``DD Act'') mandates specific disclosures of 
individually identifiable health information to Protection and Advocacy 
systems designated by the chief elected official of the states and 
Territories. Therefore, covered entities may make these disclosures 
under Sec. 164.512(a) without first obtaining an individual's 
authorization, except in those circumstances in which the DD Act 
requires the individual's authorization. Therefore, the rules below 
will not impede the functioning of the existing Protection and Advocacy 
System.

Employee Retirement Income Security Act of 1974

    Comment: Several commenters objected to the fact that the NPRM did 
not clarify the scope of preemption of state laws under the Employee 
Retirement Income Security Act of 1974 (ERISA). These commenters 
asserted that the final rule must state that ERISA preempts all state 
laws (including those relating to the privacy of individually 
identifiable health information) so that multistate employers could 
continue to administer their group health plans using a single set of 
rules. In contrast, other commenters criticized the Department for its 
analysis of the current principles governing ERISA preemption of state 
law, pointing out that the Department has no authority to interpret 
ERISA.
    Response: This Department has no authority to issue regulations 
under ERISA as requested by some of these commenters, so the rule below 
does not contain the statement requested. See the discussion of this 
point under ``Preemption'' above.
    Comment: One commenter requested that the final rule clarify that 
section 264(c)(2) of HIPAA does not save state laws that would 
otherwise be preempted by the Federal Employees Health Benefits 
Program. The commenter noted that in the NPRM this statement was made 
with respect to Medicare and ERISA, but not the law governing the 
FEHBP.
    Response: We agree with this comment. The preemption analysis set 
out above with respect to ERISA applies equally to the Federal 
Employees Health Benefits Program.
    Comment: One commenter noted that the final rule should clarify the 
interplay between state law, the preemption standards in Subtitle A of 
Title I of HIPAA (Health Care Access, Portability and Renewability), 
and the preemption standards in the privacy requirements in Subtitle F 
of Title II of HIPAA (Administrative Simplification).
    Response: The NPRM described only the preemption standards that 
apply with respect to the statutory provisions of HIPAA that were 
implemented by the proposed rule. We agree that the preemption 
standards in Subtitle A of Title I of HIPAA are different. Congress 
expressly provided that the preemption provisions of Title I apply only 
to Part 7, which addresses portability, access, and renewability 
requirements for Group Health Plans. To the extent state laws contain 
provisions regarding portability, access, or renewability, as well as 
privacy requirements, a covered entity will need to evaluate the 
privacy provisions under the Title II preemption provisions, as 
explained in the preemption provisions of the rules, and the other 
provisions under the Title I preemption requirements.

European Union Privacy Directive and U.S. Safe Harbors

    Comment: Several comments stated that the privacy regulation should 
be consistent with the European Union's Directive on Data Protection. 
Others sought guidance as to how to comply with both the E.U. Directive 
on Data Protection and the U.S. Safe Harbor Privacy Principles.
    Response: We appreciate the need for covered entities obtaining 
personal data from the European Union to understand how the privacy 
regulation intersects with the Data Protection Directive. We have 
provided guidance as to this interaction in the ``Other Federal Laws'' 
provisions of the preamble.
    Comment: A few comments expressed concern that the proposed 
definition of ``individual'' excluded foreign military and diplomatic 
personnel and their dependents, as well as overseas foreign national 
beneficiaries. They noted that the distinctions are based on 
nationality and are inconsistent with the stance of the E.U. Directive 
on Data Protection and the Department of Commerce's assurances to the 
European Commission.
    Response: We agree with the general principle that privacy 
protections should protect every person, regardless of nationality. As 
noted in the discussion of the definition of ``individual,'' the final 
regulation's definition does not exclude foreign military and 
diplomatic personnel, their dependents, or overseas foreign national 
beneficiaries from the definition of individual. As described in the 
discussion of Sec. 164.512 below, the final rule applies to foreign 
diplomatic personnel and their dependents like all other individuals. 
Foreign military personnel receive the same treatment under the final 
rule as U.S. military personnel do, as discussed with regard to 
Sec. 164.512 below. Overseas foreign national beneficiaries, to the 
extent they receive care from the Department of Defense or a source 
acting on behalf of the Department of Defense, remain generally excluded 
from the final rule's protections. For a more detailed explanation, see 
Sec. 164.500.

Fair Credit Reporting Act

    Comment: A few commenters requested that we exclude information 
maintained, used, or disclosed pursuant to the Fair Credit Reporting 
Act (``FCRA'') from the requirements of the privacy regulation. These 
commenters noted that the protections in the privacy regulation 
duplicate those in the FCRA.
    Response: Although we realize that some overlap between FCRA and 
the privacy rules may exist, we have chosen not to remove information 
that may come within the purview of FCRA from the scope of our rules 
because FCRA's focus is not the same as our Congressional mandate to 
protect individually identifiable health information.
    To the extent a covered entity seeks to engage in collection 
activities or other payment-related activities, it may do so pursuant 
to the requirements of this rule related to payment. See discussion of 
Secs. 164.501 and 164.502 below.
    We understand that some covered entities may be part of, or contain 
components that are, entities which meet the definition of ``consumer 
reporting agencies.'' As such, these entities are subject to the FCRA. 
As described in the preamble to Sec. 164.504, covered entities must 
designate what parts of their organizations will be treated as covered 
entities for the
purpose of these privacy rules. The covered entity component will need 
to comply with these rules, while the components that are consumer 
reporting agencies will need to comply with FCRA.
    Comment: One comment suggested that the privacy regulation would 
conflict with the FCRA if the regulation's requirement applied to 
information disclosed to consumer reporting agencies.
    Response: To the extent a covered entity is required to disclose 
protected health information to a consumer reporting agency, it may do 
so under Sec. 164.512(a). See also discussion under the definition of 
``payment'' below.

Fair Debt Collection Practices Act

    Comment: Several comments sought assurance that health plans and 
health care providers would be able to continue using debt collectors 
in compliance with the Fair Debt Collection Practices Act and related 
laws.
    Response: In our view, health plans and health care providers will 
be able to continue using debt collectors. Using the services of a debt 
collector to obtain payment for the provision of health care comes 
within the definition of ``payment'' and is permitted under the 
regulation. Thus, so long as the use of debt collectors is consistent 
with the regulatory requirements (for example, the provider obtains the 
proper consents, the disclosure is of the minimum amount of information 
necessary to collect the debt, and the provider or health plan enters 
into a business associate agreement with the debt collector), relying 
upon debt collectors to obtain reimbursement for the provision of 
health care would not be prohibited by the regulation.

Family and Medical Leave Act

    Comment: One comment suggested that the proposed regulation 
adversely affects the ability of an employer to determine an employee's 
entitlement to leave under the Family and Medical Leave Act (``FMLA'') 
by 
affecting the employer's right to receive medical certification of the 
need for leave, additional certifications, and fitness for duty 
certification at the end of the leave. The commenter sought 
clarification as to whether a provider could disclose information to an 
employer without first obtaining an individual's consent or 
authorization. Another commenter suggested that the final rule 
explicitly exclude from the rule disclosures authorized by the FMLA, 
because, in the commenter's view, it provides more than adequate 
protection for the confidentiality of medical records in the employment 
context.
    Response: We disagree that the FMLA provides adequate privacy 
protections for individually identifiable health information. As we 
understand the FMLA, the need for employers to obtain protected health 
information under the statute is analogous to the employer's need for 
protected health information under the ADA. In both situations, 
employers may need protected health information to fulfill their 
obligations under these statutes, but neither statute requires covered 
entities to provide the information directly to the employer. Thus, 
covered entities in these circumstances will need an individual's 
authorization before the disclosure is made to the employer.

Federal Common Law

    Comment: One commenter did not want the privacy rules to interfere 
with the federal common law governing collective bargaining agreements 
permitting employers to insist on the cooperation of employees with 
medical fitness evaluations.
    Response: We do not seek to interfere with legal medical fitness 
evaluations. These rules require a covered entity to have an 
individual's authorization before the information resulting from such 
evaluations is disclosed to the employer unless another provision of 
the rule applies. We do not prohibit employers from conditioning 
employment, accommodations, or other benefits, when legally permitted 
to do so, upon the individual/employee providing an authorization that 
would permit the disclosure of protected health information to 
employers by covered entities. See Sec. 164.508(b)(4) below.

Family Educational Rights and Privacy Act

    Comment: A few commenters supported the exclusion of ``education 
records'' from the definition of ``protected health information.'' 
However, one commenter requested that ``treatment records'' of students 
who are 18 years or older attending post-secondary education 
institutions be excluded from the definition of ``protected health 
information'' as well to avoid confusion.
    Response: We agree with these commenters. See ``Relationship to 
Other Federal Laws'' for a description of our exclusion of FERPA 
``education records'' and records defined at 20 U.S.C. 
1232g(a)(4)(B)(iv), commonly referred to as ``treatment records,'' from 
the definition of ``protected health information.''
    Comment: One comment suggested that the regulation should not apply 
to any health information that is part of an ``education record'' in 
any educational agency or institution, regardless of its FERPA status.
    Response: We disagree. As noted in our discussion of ``Relationship 
to Other Federal Laws,'' we exclude education records from the 
definition of protected health information because Congress expressly 
provided privacy protections for these records and explained how these 
records should be treated in FERPA.
    Comment: One commenter suggested eliminating the preamble language 
that describes school nurses and on-site clinics as acting as providers 
and subject to the privacy regulation, noting that this language is 
confusing and inconsistent with the statements provided in the preamble 
explicitly stating that HIPAA does not preempt FERPA.
    Response: We agree that this language may have been confusing. We 
have provided a clearer expression of when schools may be required to 
comply with the privacy regulation in the ``Relationship to Other 
Federal Laws'' section of the preamble.
    Comment: One commenter suggested adding a discussion of FERPA to 
the ``Relationship to Other Federal Laws'' section of the preamble.
    Response: We agree and have added FERPA to the list of federal laws 
discussed in ``Relationship to Other Federal Laws'' section of the 
preamble.
    Comment: One commenter stated that school clinics should not have 
to comply with the ``ancillary'' administrative requirements, such as 
designating a privacy official, maintaining documentation of their 
policies and procedures, and providing the Secretary of HHS with 
access.
    Response: We disagree. Because we have excluded education records 
and records described at 20 U.S.C. 1232g(a)(4)(B)(iv) held by 
educational agencies and institutions subject to FERPA from the 
definition of protected health information, only non-FERPA schools 
would be subject to the administrative requirements. Most of these 
school clinics will also not be covered entities because they are not 
engaged in HIPAA transactions and these administrative requirements 
will not apply to them. However, to the extent a school clinic is 
within the definition of a health care provider, as Congress defined 
the term, and the school clinic is engaged in HIPAA transactions, it 
will be a covered entity and must comply with the rules below.

    Comment: Several commenters expressed concern that the privacy 
regulation would eliminate the parents' ability to have access to 
information in their children's school health records. Because the 
proposed regulation suggests that school-based clinics keep health 
records separate from other educational files, these comments argued 
that the regulation is contrary to the spirit of FERPA, which provides 
parents with access rights to their children's educational files.
    Response: As noted in the ``Relationship to Other Federal Laws'' 
provision of the preamble, to the extent information in school-based 
clinics is not protected health information because it is an education 
record, the FERPA access requirements apply and this regulation does 
not. For more detail regarding the rule's application to unemancipated 
minors, see the preamble discussion about ``Personal Representatives.''

Federal Employees Compensation Act

    Comment: One comment noted that the Federal Employees Compensation 
Act (``FECA'') requires claimants to sign a release form when they file 
a claim. This commenter suggested that the privacy regulation should 
not place additional restrictions on this type of release form.
    Response: We agree. In the final rule, we have added a new 
provision, Sec. 164.512(l), that permits covered entities to make 
disclosures authorized under workers' compensation and similar laws. 
This provision would permit covered entities to make disclosures 
authorized under FECA and not require a different release form.

Federal Employees Health Benefits Program

    Comment: A few comments expressed concern about the preemption 
effect on FEHBP and wanted clarification that the privacy regulation 
does not alter the existing preemptive scope of the program.
    Response: We do not intend to affect the preemptive scope of the 
FEHBP. The Federal Employee Health Benefit Act of 1998 preempts any 
state law that ``relates to'' health insurance or plans. 5 U.S.C. 
8902(m). The final rule does not attempt to alter the preemptive scope 
Congress has provided to the FEHBP.
    Comment: One comment suggested that in the context of FEHBP HHS 
should place the enforcement responsibilities of the privacy regulation 
with Office of Personnel Management, as the agency responsible for 
administering the program.
    Response: We disagree. Congress placed enforcement with the 
Secretary. See section 1176 of the Act.

Federal Rules of Civil Procedure

    Comment: A few comments suggested revising proposed Sec. 164.510(d) 
so that it is consistent with the existing discovery procedure under 
the Federal Rules of Civil Procedure or local rules.
    Response: We disagree that the rules regarding disclosures and uses 
of protected health information for judicial and administrative 
procedures should provide only those protections that exist under 
existing discovery rules. Although the current process may be 
appropriate for other documents and information requested during the 
discovery process, the current system, as exemplified by the Federal 
Rules of Civil Procedure, does not provide sufficient protection for 
protected health information. Under current discovery rules, private 
attorneys, government officials, and others who develop such requests 
make the initial determinations as to what information or documentation 
should be disclosed. Independent third-party review, such as that by a 
court, only becomes necessary if a person of whom the request is made 
refuses to provide the information. If this happens, the person seeking 
discovery must obtain a court order or move to compel discovery. In our 
view this system does not provide sufficient protections to ensure that 
unnecessary and unwarranted disclosures of protected health information 
do not occur. For a related discussion, see the preamble regarding 
``Disclosures for Judicial and Administrative Proceedings'' under 
Sec. 164.512(e).

Federal Rules of Evidence

    Comment: Many comments requested clarification that the privacy 
regulation does not conflict or interfere with the federal or state 
privileges. In particular, one of these comments suggested that the 
final regulation provide that disclosures for a purpose recognized by 
the regulation not constitute a waiver of federal or state privileges.
    Response: We do not intend for the privacy regulation to interfere 
with federal or state rules of evidence that create privileges. 
Consistent with The Uniform Health-Care Information Act drafted by the 
National Conference of Commissioners on Uniform State Laws, we do not 
view a consent or an authorization to function as a waiver of federal 
or state privileges. For further discussion of the effect of consent or 
authorization on federal or state privileges, see preamble discussions 
in Secs. 164.506 and 164.508.
    Comment: Other comments applauded the Secretary's references to 
Jaffee v. Redmond, 518 U.S. 1 (1996), which recognized a 
psychotherapist-patient privilege, and asked the Secretary to 
incorporate expressly this privilege into the final regulation.
    Response: We agree that the psychotherapist-patient relationship is 
an important one that deserves protection. However, it is beyond the 
scope of our mandate to create specific evidentiary privileges. It is 
also 
unnecessary because the United States Supreme Court has adopted this 
privilege.
    Comment: A few comments discussed whether one remedy for violating 
the privacy regulation should be to exclude or suppress evidence 
obtained in violation of the regulation. One comment supported using 
this penalty, while another opposed it.
    Response: We do not have the authority to mandate that courts apply 
or not apply the exclusionary rule to evidence obtained in violation of 
the regulation. This issue is in the purview of the courts.

Federal Tort Claims Act

    Comment: One comment contended that the proposed regulation's 
requirement mandating covered entities to name the subjects of 
protected health information disclosed under a business partner 
contract as third party intended beneficiaries under the contract would 
have created an impermissible right of action against the government 
under the Federal Tort Claims Act (``FTCA'').
    Response: Because we have deleted the third party beneficiary 
provisions from the final rules, this comment is moot.
    Comment: Another comment suggested the regulation would hamper the 
ability of federal agencies to disclose protected health information to 
their attorneys, the Department of Justice, during the initial stages 
of the claims brought under the FTCA.
    Response: We disagree. The regulation applies only to federal 
agencies that are covered entities. To the extent an agency is not a 
covered entity, it is not subject to the regulation; to the extent an 
agency is a covered entity, it must comply with the regulation. A 
covered entity that is a federal agency may disclose relevant 
information to its attorneys, who are business associates, for purposes 
of health care operations, which includes uses or disclosures for legal 
functions. See Sec. 164.501 (definitions of ``business associate'' and 
``health care operations''). The final rule provides specific 
provisions describing how federal agencies may provide

[[Page 82597]]

adequate assurances for these types of disclosures of protected health 
information. See Sec. 164.504(e)(3).

Food and Drug Administration

    Comment: A few comments expressed concerns about the use of 
protected health information for reporting activities to the Food and 
Drug Administration (``FDA''). Their concern focused on the ability to 
obtain or disclose protected health information for pre- and post-
marketing adverse event reports, device tracking, and post-marketing 
safety and efficacy evaluation.
    Response: We agree with this comment and have provided that covered 
entities may disclose protected health information to persons subject 
to the jurisdiction of the FDA, to comply with the requirements of, or 
at the direction of, the FDA with regard to reporting adverse events 
(or similar reports with respect to dietary supplements), the tracking 
of medical devices, other post-marketing surveillance, or other similar 
requirements described at Sec. 164.512(b).

Foreign Standards

    Comment: One comment asked how the regulation could be enforced 
against foreign countries (or presumably entities in foreign countries) 
that solicit medical records from entities in the United States.
    Response: We do not regulate solicitations of information. To the 
extent a covered entity wants to comply with a request for disclosure 
of protected health information to foreign countries or entities within 
foreign countries, it will need to comply with the privacy rules before 
making the disclosure. If the covered entity fails to comply with the 
rules, it will be subject to enforcement proceedings.

Freedom of Information Act

    Comment: One comment asserted that the proposed privacy regulation 
conflicts with the Freedom of Information Act (``FOIA''). The comment 
argued that the proposed restriction on disclosures by agencies would 
not come within one of the permissible exemptions to the FOIA. In 
addition, the comment noted that only in exceptional circumstances 
would the protected health information of deceased individuals come 
within an exemption because, for the most part, death extinguishes an 
individual's right to privacy.
    Response: Section 164.512(a) below permits covered entities to 
disclose protected health information when such disclosures are 
required by other laws as long as they follow the requirements of those 
laws. Therefore, the privacy regulation will not interfere with the 
ability of federal agencies to comply with FOIA, when it requires the 
disclosure.
    We disagree, however, that most protected health information will 
not come within Exemption 6 of FOIA. See the discussion above under 
``Relationship to Other Federal Laws'' for our review of FOIA. 
Moreover, we disagree with the comment's assertion that the protected 
health information of deceased individuals does not come within 
Exemption 6. Courts have recognized that a deceased individual's 
surviving relatives may have a privacy interest that federal agencies 
may consider when balancing privacy interests against the public 
interest in disclosure of the requested information. Federal agencies 
will need to consider not only the privacy interests of the subject of 
the protected health information in the record requested, but also, 
when appropriate, those of a deceased individual's family consistent 
with judicial rulings.
    If an agency receives a FOIA request for the disclosure of 
protected health information of a deceased individual, it will need to 
determine whether or not the disclosure comes within Exemption 6. This 
evaluation must be consistent with the court's rulings in this area. If 
the exemption applies, the federal agency will not have to release the 
information. If the federal agency determines that the exemption does 
not apply, it may release the information under Sec. 164.512(a) of this 
regulation.
    Comment: One commenter expressed concern that our proposal to 
protect the individually identifiable health information about the 
deceased for two years following death would impede public interest 
reporting and would be at odds with many state Freedom of Information 
laws that make death records and autopsy reports public information. 
The commenter suggested permitting medical information to be available 
upon the death of an individual or, at the very least, that an appeals 
process be permitted so that health information trustees would be 
allowed to balance the interests in privacy and in public disclosure 
and release or not release the information accordingly.
    Response: These rules permit covered entities to make disclosures 
that are required by state Freedom of Information Act (FOIA) laws under 
Sec. 164.512(a). Thus, if a state FOIA law designates death records and 
autopsy reports as public information that must be disclosed, a covered 
entity may disclose it without an authorization under the rule. To the 
extent that such information is required to be disclosed by FOIA or 
other law, such disclosures are permitted under the final rule. In 
addition, to the extent that death records and autopsy reports are 
obtainable from non-covered entities, such as state legal authorities, 
access to this information is not impeded by this rule.
    If another law does not require the disclosure of death records and 
autopsy reports generated and maintained by a covered entity, which are 
protected health information, covered entities are not allowed to 
disclose such information except as permitted or required by the final 
rule, even if another entity discloses them.
    Comment: One comment sought clarification of the relationship 
between the Freedom of Information Act, the Privacy Act, and the 
privacy rules.
    Response: We have provided this analysis in the ``Relationship to 
Other Federal Laws'' section of the preamble in our discussion of the 
Freedom of Information Act.

Gramm-Leach-Bliley

    Comments: One commenter noted that the Financial Services 
Modernization Act, also known as Gramm-Leach-Bliley (``GLB''), requires 
financial institutions to provide detailed privacy notices to 
individuals. The commenter suggested that the privacy regulation should 
not require financial institutions to provide additional notice.
    Response: We disagree. To the extent a covered entity is required 
to comply with the notice requirements of GLB and those of our rules, 
the covered entity must comply with both. We will work with the FTC and 
other agencies implementing GLB to avoid unnecessary duplication. For a 
more detailed discussion of GLB and the privacy rules, see the 
``Relationship to Other Federal Laws'' section of the preamble.
    Comment: A few commenters asked that the Department clarify that 
financial institutions, such as banks, that serve as payors are covered 
entities. The comments explained that with the enactment of the Gramm-
Leach-Bliley Act, banks are able to form holding companies that will 
include insurance companies (that may be covered entities). They 
recommended that banks be held to the rule's requirements and be 
required to obtain authorization to conduct non-payment activities, 
such as for the marketing of health and non-health items and services 
or the use and disclosure to non-health related divisions of the 
covered entity.

[[Page 82598]]

    Response: These comments did not provide specific facts that would 
permit us to provide a substantive response. An organization will need 
to determine whether it comes within the definition of ``covered 
entity.'' An organization may also need to consider whether or not it 
contains a health care component. Organizations that are uncertain 
about the application of the regulation to them will need to evaluate 
their specific facts in light of this rule.

Inspector General Act

    Comment: One comment requested the Secretary to clarify in the 
preamble that the privacy regulation does not preempt the Inspector 
General Act.
    Response: We agree that to the extent the Inspector General Act 
requires uses or disclosures of protected health information, the 
privacy regulation does not preempt it. The final rule provides that to 
the extent required under section 201(a)(5) of the Act, nothing in this 
subchapter should be construed to diminish the authority of any 
Inspector General, including the authority provided in the Inspector 
General Act of 1978. See discussion of Sec. 160.102 above.

Medicare and Medicaid

    Comment: One comment suggested possible inconsistencies between the 
regulation and Medicare/Medicaid requirements, such as those under the 
Quality Improvement System for Managed Care. This commenter asked that 
HHS expand the definition of health care operations to include health 
promotion activities and avoid potential conflicts.
    Response: We disagree that the privacy regulation would prohibit 
managed care plans operating in the Medicare or Medicaid programs from 
fulfilling their statutory obligations. To the extent a covered entity 
is required by law to use or disclose protected health information in a 
particular manner, the covered entity may make such a use or disclosure 
under Sec. 164.512(a). Additionally, quality assessment and improvement 
activities come within the definition of ``health care operations.'' 
Therefore, the specific example provided by the commenter would seem to 
be a permissible use or disclosure under Sec. 164.502, even if it were 
not a use or disclosure ``required by law.''
    Comment: One commenter stated that Medicare should not be able to 
require the disclosure of psychotherapy notes because it would destroy 
a practitioner's ability to treat patients effectively.
    Response: If Title XVIII of the Social Security Act requires the 
disclosure of psychotherapy notes, the final rule permits, but does not 
require, a covered entity to make such a disclosure under 
Sec. 164.512(a). If, however, the Social Security Act does not require 
such disclosures, Medicare does not have the discretion to require the 
disclosure of psychotherapy notes as a public policy matter because the 
final rule provides that covered entities, with limited exceptions, 
must obtain an individual's authorization before disclosing 
psychotherapy notes. See Sec. 164.508(a)(2).

National Labor Relations Act

    Comment: A few comments expressed concern that the regulation did 
not address the obligation of covered entities to disclose protected 
health information to collective bargaining representatives under the 
National Labor Relations Act.
    Response: The final rule does not prohibit disclosures that covered 
entities must make pursuant to other laws. To the extent a covered 
entity is required by law to disclose protected health information to 
collective bargaining representatives under the NLRA, it may do so 
without an authorization. Also, the definition of ``health care 
operations'' at Sec. 164.501 permits disclosures to employee 
representatives for purposes of grievance resolution.

Organ Donation

    Comment: One commenter expressed concern about the potential impact 
of the regulation on the organ donation program under 42 CFR part 482.
    Response: In the final rule, we add provisions allowing the use or 
disclosure of protected health information to organ procurement 
organizations or other entities engaged in the procurement, banking, or 
transplantation of cadaveric organs, eyes, or tissue for the purpose of 
facilitating donation and transplantation. See Sec. 164.512(h).

Privacy Act Comments

    Comment: One comment suggested that the final rule unambiguously 
permit the continued operation of the statutorily established or 
authorized discretionary routine uses permitted under the Privacy Act 
for both law enforcement and health oversight.
    Response: We disagree. See the discussion of the Privacy Act in 
``Relationship to Other Federal Laws'' above.

Public Health Service Act

    Comment: One comment suggested that the Public Health Service Act 
places more stringent rules regarding the disclosure of information on 
Federally Qualified Health Centers than the proposed privacy regulation 
suggested. Therefore, the commenter suggested that the final rule 
exempt Federally Qualified Health Centers from the rule's requirements.
    Response: We disagree. Congress expressly included Federally 
Qualified Health Centers, a provider of medical or other health 
services under the Social Security Act section 1861(s), within its 
definition of health care provider in section 1171 of the Act; 
therefore, we cannot exclude them from the regulation.
    Comment: One commenter noted that no conflicts existed between the 
proposed rule and the Public Health Service Act.
    Response: As we discuss in the ``Relationship to Other Federal 
Laws'' section of the preamble, the Public Health Service Act contains 
explicit confidentiality requirements that are so general as not to 
create problems of inconsistency. We recognized, however, that in some 
cases, that law or its accompanying regulations may contain greater 
restrictions. In those situations, a covered entity's ability to make 
what are permissive disclosures under this privacy regulation would be 
limited by those laws.

Reporting Requirement

    Comment: One comment noted that federal agencies must provide 
information to certain entities pursuant to various federal statutes. 
For example, federal agencies must not withhold information from a 
Congressional oversight committee or the General Accounting Office. 
Similarly, some federal agencies must provide the Bureau of the Census 
and the National Archives and Records Administration with certain 
information. This comment expressed concern that the privacy regulation 
would conflict with these requirements. Additionally, the commenter 
asked whether the privacy notice would need to contain these uses and 
disclosures and recommended that a general statement that these federal 
agencies would disclose protected health information when required by 
law be considered sufficient to meet the privacy notice requirements.
    Response: To the extent a federal agency acting as a covered entity 
is required by federal statute to disclose protected health 
information, the regulation permits the disclosure as required by law 
under Sec. 164.512(a). The notice provisions at 
Sec. 164.520(b)(1)(ii)(B) require covered entities to provide a brief 
description of the purposes for which the covered

[[Page 82599]]

entity is permitted or required by the rules to use or disclose 
protected health information without an individual's written 
authorization. If these statutes require the disclosures, covered 
entities subject to the requirement may make the disclosure pursuant to 
Sec. 164.512(a). Thus, their notice must include a description of the 
category of these disclosures. For example, a general statement such as 
the covered entity ``will disclose your protected health information to 
comply with legal requirements'' should suffice.
    Comment: One comment stressed that the final rule should not 
inadvertently preempt mandatory reporting laws duly enacted by federal, 
state, or local legislative bodies. This commenter also suggested that 
the final rule not prevent the reporting of violations to law 
enforcement agencies.
    Response: We agree. Like the proposed rule, the final rule permits 
covered entities to disclose protected health information when required 
by law under Sec. 164.512(a). To the extent a covered entity is 
required by law to make a report to law enforcement agencies or is 
otherwise permitted to make a disclosure to a law enforcement agency as 
described in Sec. 164.512(f), it may do so without an authorization. 
Alternatively, a covered entity may always request that individuals 
authorize these disclosures.

Security Standards

    Comment: One comment called for HHS to consider the privacy 
regulation in conjunction with the other HIPAA standards. In 
particular, this comment focused on the belief that the security 
standards should be compatible with the existing and emerging health 
care and information technology industry standards.
    Response: We agree that the security standards and the privacy 
rules should be compatible with one another and are working to ensure 
that the final rules in both areas function together. Because we are 
addressing comments regarding the privacy rules in this preamble, we 
will consider the comment about the security standard as we finalize 
that set of rules.

Substance Abuse Confidentiality Statute and Regulations

    Comment: Several commenters noted that many health care providers 
are bound by the federal restrictions governing alcohol and drug abuse 
records. One commenter noted that the NPRM differed substantially from 
the substance abuse regulations and would have caused a host of 
practical problems for covered entities. Another commenter, however, 
supported the NPRM's analysis that stated that more stringent 
provisions of the substance abuse provisions would apply. This 
commenter suggested an even stronger approach of including in the text 
a provision that would preserve existing federal law. Yet, one comment 
suggested that the regulation as proposed would confuse providers by 
making it difficult to determine when they may disclose information to 
law enforcement because the privacy regulation would permit disclosures 
that the substance abuse regulations would not.
    Response: We appreciate the need of some covered entities to 
evaluate the privacy rules in light of federal requirements regarding 
alcohol and drug abuse records. Therefore, we provide a more detailed 
analysis in the ``Relationship to Other Federal Laws'' section of the 
preamble.
    Comment: Some of these commenters also noted that state laws 
contain strict confidentiality requirements. A few commenters suggested 
that HHS reassess the regulations to avoid inconsistencies with state 
privacy requirements, implying that problems exist because of conflicts 
between the federal and state laws regarding the confidentiality of 
substance abuse information.
    Response: As noted in the preamble section discussing preemption, 
the final rules do not preempt state laws that provide more privacy 
protections. For a more detailed analysis of the relationship between 
state law and the privacy rules, see the ``Preemption'' provisions of 
the preamble.

Tribal Law

    Comments: One commenter suggested that the consultation process 
with tribal governments described in the NPRM was inadequate under 
Executive Order No. 13084. In addition, the commenter expressed concern 
that the disclosures for research purposes as permitted by the NPRM 
would conflict with a number of tribal laws that offer individuals 
greater privacy rights with respect to research and reflect cultural 
appropriateness. In particular, the commenter referenced the Health 
Research Code for the Navajo Nation, which creates an entity with 
broader authority over research conducted on the Navajo Nation than the 
local IRB and requires informed consent by study participants. Other 
laws 
mentioned by the commenter included the Navajo Nation Privacy and 
Access to Information Act and a similar policy applicable to all health 
care providers within the Navajo Nation. The commenter expressed 
concern that the proposed regulation research provisions would override 
these tribal laws.
    Response: We disagree with the comment that the consultation with 
tribal governments undertaken prior to the proposed regulation is 
inadequate under Executive Order No. 13084. As stated in the proposed 
regulation, the Department consulted with representatives of the 
National Congress of American Indians and the National Indian Health 
Board, as well as others, about the proposals and the application of 
HIPAA to the Tribes, and the potential variations based on the 
relationship of each Tribe with the IHS for the purpose of providing 
health services. In addition, Indian and tribal governments had the 
opportunity to, and did, submit substantive comments on the proposed 
rules.
    Additionally, disclosures permitted by this regulation do not 
conflict with the policies as described by this commenter. Disclosures 
for research purposes under the final rule, as in the proposed 
regulation, are permissive disclosures only. The rule describes the 
outer boundaries of permissible disclosures. A covered health care 
provider that is subject to the tribal laws of the Navajo Nation must 
continue to comply with those tribal laws. If the tribal laws impose 
more stringent privacy standards on disclosures for research, such as 
requiring informed consent in all cases, nothing in the final rule 
would preclude compliance with those more stringent privacy standards. 
The final rule does not interfere with the internal governance of the 
Navajo Nation or otherwise adversely affect the policy choices of the 
tribal government with respect to the cultural appropriateness of 
research conducted in the Navajo Nation.

TRICARE

    Comment: One comment expressed concern regarding the application of 
the ``minimum necessary'' standard to investigations of health care 
providers under the TRICARE (formerly the CHAMPUS) program. The comment 
also expressed concern that health care providers would be able to 
avoid providing their records to such investigators because the 
proposed Sec. 164.510 exceptions were not mandatory disclosures.
    Response: In our view, neither the minimum necessary standard nor 
the final Secs. 164.510 and 164.512 permissive disclosures will impede 
such investigations. The regulation requires covered entities to make 
all reasonable efforts not to disclose more than the minimum amount of 
protected health

[[Page 82600]]

information necessary to accomplish the intended purpose of the use or 
disclosure. This requirement, however, does not apply to uses or 
disclosures that are required by law. See Sec. 164.502(b)(2)(iv). Thus, 
if the disclosure to the investigators is required by law, the minimum 
necessary standard will not apply. Addi