[Federal Register Volume 65, Number 250 (Thursday, December 28, 2000)]
[Rules and Regulations]
[Pages 82462-82829]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 00-32678]
[[Page 82461]]
-----------------------------------------------------------------------
Part II
Department of Health and Human Services
-----------------------------------------------------------------------
Office of the Secretary
-----------------------------------------------------------------------
45 CFR Parts 160 and 164
Standards for Privacy of Individually Identifiable Health Information;
Final Rule
��Federal Register / Vol. 65 , No. 250 / Thursday, December 28, 2000 /
Rules and Regulations��
[[Page 82462]]
-----------------------------------------------------------------------
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Office of the Secretary
45 CFR Parts 160 and 164
Rin: 0991-AB08
Standards for Privacy of Individually Identifiable Health
Information
AGENCY: Office of the Assistant Secretary for Planning and Evaluation,
DHHS.
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: This rule includes standards to protect the privacy of
individually identifiable health information. The rules below, which
apply to health plans, health care clearinghouses, and certain health
care providers, present standards with respect to the rights of
individuals who are the subjects of this information, procedures for
the exercise of those rights, and the authorized and required uses and
disclosures of this information.
The use of these standards will improve the efficiency and
effectiveness of public and private health programs and health care
services by providing enhanced protections for individually
identifiable health information. These protections will begin to
address growing public concerns that advances in electronic technology
and evolution in the health care industry are resulting, or may result,
in a substantial erosion of the privacy surrounding individually
identifiable health information maintained by health care providers,
health plans and their administrative contractors. This rule implements
the privacy requirements of the Administrative Simplification subtitle
of the Health Insurance Portability and Accountability Act of 1996.
DATES: The final rule is effective on February 26, 2001.
FOR FURTHER INFORMATION CONTACT: Kimberly Coleman, 1-866-OCR-PRIV (1-
866-627-7748) or TTY 1-866-788-4989.
SUPPLEMENTARY INFORMATION: Availability of copies, and electronic
access.
Copies: To order copies of the Federal Register containing this
document, send your request to: New Orders, Superintendent of
Documents, P.O. Box 371954, Pittsburgh, PA 15250-7954. Specify the date
of the issue requested and enclose a check or money order payable to
the Superintendent of Documents, or enclose your Visa or Master Card
number and expiration date. Credit card orders can also be placed by
calling the order desk at (202) 512-1800 or by fax to (202) 512-2250.
The cost for each copy is $8.00. As an alternative, you can view and
photocopy the Federal Register document at most libraries designated as
Federal Depository Libraries and at many other public and academic
libraries throughout the country that receive the Federal Register.
Electronic Access: This document is available electronically at
http://aspe.hhs.gov/admnsimp/ as well as at the web site of the
Government Printing Office at http://www.access.gpo.gov/su_docs/aces/aces140.html.
I. Background
Table of Contents
Sec.
160.101 Statutory basis and purpose.
160.102 Applicability.
160.103 Definitions.
160.104 Modifications.
160.201 Applicability
160.202 Definitions.
160.203 General rule and exceptions.
160.204 Process for requesting exception determinations.
160.205 Duration of effectiveness of exception determinations.
160.300 Applicability.
160.302 Definitions.
160.304 Principles for achieving compliance.
(a) Cooperation.
(b) Assistance.
160.306 Complaints to the Secretary.
(a) Right to file a complaint.
(b) Requirements for filing complaints.
(c) Investigation.
160.308 Compliance reviews.
160.310 Responsibilities of covered entities.
(a) Provide records and compliance reports.
(b) Cooperate with complaint investigations and compliance
reviews.
(c) Permit access to information.
160.312 Secretarial action regarding complaints and compliance
reviews.
(a) Resolution where noncompliance is indicated.
(b) Resolution when no violation is found.
164.102 Statutory basis.
164.104 Applicability.
164.106 Relationship to other parts.
164.500 Applicability.
164.501 Definitions.
164.502 Uses and disclosures of protected health information:
general rules.
(a) Standard.
(b) Standard: minimum necessary.
(c) Standard: uses and disclosures of protected health
information subject to an agreed upon restriction.
(d) Standard: uses and disclosures of de-identified protected
health information.
(e) Standard: disclosures to business associates.
(f) Standard: deceased individuals.
(g) Standard: personal representatives.
(h) Standard: confidential communications.
(i) Standard: uses and disclosures consistent with notice.
(j) Standard: disclosures by whistleblowers and workforce member
crime victims.
164.504 Uses and disclosures: organizational requirements.
(a) Definitions.
(b) Standard: health care component.
(c) Implementation specification: application of other
provisions.
(d) Standard: affiliated covered entities.
(e) Standard: business associate contracts.
(f) Standard: requirements for group health plans.
(g) Standard: requirements for a covered entity with multiple
covered functions.
164.506 Consent for uses or disclosures to carry out treatment,
payment, or health care operations.
(a) Standard: consent requirement.
(b) Implementation specifications: general requirements.
(c) Implementation specifications: content requirements.
(d) Implementation specifications: defective consents.
(e) Standard: resolving conflicting consents and authorizations.
(f) Standard: joint consents.
164.508 Uses and disclosures for which an authorization is
required.
(a) Standard: authorizations for uses and disclosures.
(b) Implementation specifications: general requirements.
(c) Implementation specifications: core elements and
requirements.
(d) Implementation specifications: authorizations requested by a
covered entity for its own uses and disclosures.
(e) Implementation specifications: authorizations requested by a
covered entity for disclosures by others.
(f) Implementation specifications: authorizations for uses and
disclosures of protected health information created for research
that includes treatment of the individual.
164.510 Uses and disclosures requiring an opportunity for the
individual to agree or to object.
(a) Standard: use and disclosure for facility directories.
(b) Standard: uses and disclosures for involvement in the
individual's care and notification purposes.
164.512 Uses and disclosures for which consent, an authorization,
or opportunity to agree or object is not required.
(a) Standard: uses and disclosures required by law.
(b) Standard: uses and disclosures for public health activities.
(c) Standard: disclosures about victims of abuse, neglect or
domestic violence.
(d) Standard: uses and disclosures for health oversight
activities.
(e) Standard: disclosures for judicial and administrative
proceedings.
(f) Standard: disclosures for law enforcement purposes.
(g) Standard: uses and disclosures about decedents.
(h) Standard: uses and disclosures for cadaveric organ, eye or
tissue donation purposes.
[[Page 82463]]
(i) Standard: uses and disclosures for research purposes.
(j) Standard: uses and disclosures to avert a serious threat to
health or safety.
(k) Standard: uses and disclosures for specialized government
functions.
(l) Standard: disclosures for workers' compensation.
164.514 Other requirements relating to uses and disclosures of
protected health information.
(a) Standard: de-identification of protected health information.
(b) Implementation specifications: requirements for de-
identification of protected health information.
(c) Implementation specifications: re-identification.
(d) Standard: minimum necessary requirements.
(e) Standard: uses and disclosures of protected health
information for marketing.
(f) Standard: uses and disclosures for fundraising.
(g) Standard: uses and disclosures for underwriting and related
purposes.
(h) Standard: verification requirements
164.520 Notice of privacy practices for protected health
information.
(a) Standard: notice of privacy practices.
(b) Implementation specifications: content of notice.
(c) Implementation specifications: provision of notice.
(d) Implementation specifications: joint notice by separate
covered entities.
(e) Implementation specifications: documentation.
164.522 Rights to request privacy protection for protected health
information.
(a) Standard: right of an individual to request restriction of
uses and disclosures.
(b) Standard: confidential communications requirements.
164.524 Access of individuals to protected health information.
(a) Standard: access to protected health information.
(b) Implementation specifications: requests for access and timely
action.
(c) Implementation specifications: provision of access.
(d) Implementation specifications: denial of access.
(e) Implementation specification: documentation.
164.526 Amendment of protected health information.
(a) Standard: right to amend.
(b) Implementation specifications: requests for amendment and
timely action.
(c) Implementation specifications: accepting the amendment.
(d) Implementation specifications: denying the amendment.
(e) Implementation specification: actions on notices of
amendment.
(f) Implementation specification: documentation.
164.528 Accounting of disclosures of protected health information.
(a) Standard: right to an accounting of disclosures of protected
health information.
(b) Implementation specifications: content of the accounting.
(c) Implementation specifications: provision of the accounting.
(d) Implementation specification: documentation.
164.530 Administrative requirements.
(a) Standard: personnel designations.
(b) Standard: training.
(c) Standard: safeguards.
(d) Standard: complaints to the covered entity.
(e) Standard: sanctions
(f) Standard: mitigation.
(g) Standard: refraining from intimidating or retaliatory acts.
(h) Standard: waiver of rights.
(i) Standard: policies and procedures.
(j) Standard: documentation.
(k) Standard: group health plans.
164.532 Transition provisions.
(a) Standard: effect of prior consents and authorizations.
(b) Implementation specification: requirements for retaining
effectiveness of prior consents and authorizations.
164.534 Compliance dates for initial implementation of the privacy
standards.
(a) Health care providers.
(b) Health plans.
(c) Health care clearinghouses.
Purpose of the Administrative Simplification Regulations
This regulation has three major purposes: (1) To protect and
enhance the rights of consumers by providing them access to their
health information and controlling the inappropriate use of that
information; (2) to improve the quality of health care in the U.S. by
restoring trust in the health care system among consumers, health care
professionals, and the multitude of organizations and individuals
committed to the delivery of care; and (3) to improve the efficiency
and effectiveness of health care delivery by creating a national
framework for health privacy protection that builds on efforts by
states, health systems, and individual organizations and individuals.
This regulation is the second final regulation to be issued in the
package of rules mandated under title II subtitle F section 261-264 of
the Health Insurance Portability and Accountability Act of 1996
(HIPAA), Public Law 104-191, titled ``Administrative Simplification.''
Congress called for steps to improve ``the efficiency and effectiveness
of the health care system by encouraging the development of a health
information system through the establishment of standards and
requirements for the electronic transmission of certain health
information.'' To achieve that end, Congress required the Department to
promulgate a set of interlocking regulations establishing standards and
protections for health information systems. The first regulation in
this set, Standards for Electronic Transactions 65 FR 50312, was
published on August 17, 2000 (the ``Transactions Rule''). This
regulation establishing Standards for Privacy of Individually
Identifiable Health Information is the second final rule in the
package. A rule establishing a unique identifier for employers to use
in electronic health care transactions, a rule establishing a unique
identifier for providers for such transactions, and a rule establishing
standards for the security of electronic information systems have been
proposed. See 63 FR 25272 and 25320 (May 7, 1998); 63 FR 32784 (June
16, 1998); 63 FR 43242 (August 12, 1998). Still to be proposed are
rules establishing a unique identifier for health plans for electronic
transactions, standards for claims attachments, and standards for
transferring among health plans appropriate standard data elements
needed for coordination of benefits. (See section C, below, for a more
detailed explanation of the statutory mandate for these regulations.)
In enacting HIPAA, Congress recognized the fact that administrative
simplification cannot succeed if we do not also protect the privacy and
confidentiality of personal health information. The provision of high-
quality health care requires the exchange of personal, often-sensitive
information between an individual and a skilled practitioner. Vital to
that interaction is the patient's ability to trust that the information
shared will be protected and kept confidential. Yet many patients are
concerned that their information is not protected. Among the factors
adding to this concern are the growth of the number of organizations
involved in the provision of care and the processing of claims, the
growing use of electronic information technology, increased efforts to
market health care and other products to consumers, and the increasing
ability to collect highly sensitive information about a person's
current and future health status as a result of advances in scientific
research.
Rules requiring the protection of health privacy in the United
States have been enacted primarily by the states. While virtually every
state has enacted one or more laws to safeguard privacy, these laws
vary significantly from state to state and typically apply to only part
of the health care system. Many states have adopted laws that protect
the health information relating to certain health conditions such as
mental illness, communicable diseases, cancer, HIV/AIDS, and other
stigmatized conditions. An examination of state health privacy laws and
regulations,
[[Page 82464]]
however, found that ``state laws, with a few notable exceptions, do not
extend comprehensive protections to people's medical records.'' Many
state rules fail to provide such basic protections as ensuring a
patient's legal right to see a copy of his or her medical record. See
Health Privacy Project, ``The State of Health Privacy: An Uneven
Terrain,'' Institute for Health Care Research and Policy, Georgetown
University (July 1999) (http://www.healthprivacy.org) (the ``Georgetown
Study'').
Until now, virtually no federal rules existed to protect the
privacy of health information and guarantee patient access to such
information. This final rule establishes, for the first time, a set of
basic national privacy standards and fair information practices that
provides all Americans with a basic level of protection and peace of
mind that is essential to their full participation in their care. The
rule sets a floor of ground rules for health care providers, health
plans, and health care clearinghouses to follow, in order to protect
patients and encourage them to seek needed care. The rule seeks to
balance the needs of the individual with the needs of the society. It
creates a framework of protection that can be strengthened by both the
federal government and by states as health information systems continue
to evolve.
Need for a National Health Privacy Framework
The Importance of Privacy
Privacy is a fundamental right. As such, it must be viewed
differently than any ordinary economic good. The costs and benefits of
a regulation must, of course, be considered as a means of identifying
and weighing options. At the same time, it is important not to lose
sight of the inherent meaning of privacy: it speaks to our individual
and collective freedom.
A right to privacy in personal information has historically found
expression in American law. All fifty states today recognize in tort
law a common law or statutory right to privacy. Many states
specifically provide a remedy for public revelation of private facts.
Some states, such as California and Tennessee, have a right to privacy
as a matter of state constitutional law. The multiple historical
sources for legal rights to privacy are traced in many places,
including Chapter 13 of Alan Westin's Privacy and Freedom and in Ellen
Alderman & Caroline Kennedy, The Right to Privacy (1995).
Throughout our nation's history, we have placed the rights of the
individual at the forefront of our democracy. In the Declaration of
Independence, we asserted the ``unalienable right'' to ``life, liberty
and the pursuit of happiness.'' Many of the most basic protections in
the Constitution of the United States are imbued with an attempt to
protect individual privacy while balancing it against the larger social
purposes of the nation.
To take but one example, the Fourth Amendment to the United States
Constitution guarantees that ``the right of the people to be secure in
their persons, houses, papers and effects, against unreasonable
searches and seizures, shall not be violated.'' By referring to the
need for security of ``persons'' as well as ``papers and effects'' the
Fourth Amendment suggests enduring values in American law that relate
to privacy. The need for security of ``persons'' is consistent with
obtaining patient consent before performing invasive medical
procedures. The need for security in ``papers and effects'' underscores
the importance of protecting information about the person, contained in
sources such as personal diaries, medical records, or elsewhere. As is
generally true for the right of privacy in information, the right is
not absolute. The test instead is what constitutes an ``unreasonable''
search of the papers and effects.
The United States Supreme Court has upheld the constitutional
protection of personal health information. In Whalen v. Roe, 429 U.S.
589 (1977), the Court analyzed a New York statute that created a
database of persons who obtained drugs for which there was both a
lawful and unlawful market. The Court, in upholding the statute,
recognized at least two different kinds of interests within the
constitutionally protected ``zone of privacy.'' ``One is the individual
interest in avoiding disclosure of personal matters,'' such as this
regulation principally addresses. This interest in avoiding disclosure,
discussed in Whalen in the context of medical information, was found to
be distinct from a different line of cases concerning ``the interest in
independence in making certain kinds of important decisions.''
Individuals' right to privacy in information about themselves is
not absolute. It does not, for instance, prevent reporting of public
health information on communicable diseases or stop law enforcement
from getting information when due process has been observed. But many
people believe that individuals should have some right to control
personal and sensitive information about themselves. Among different
sorts of personal information, health information is among the most
sensitive. Many people believe that details about their physical self
should not generally be put on display for neighbors, employers, and
government officials to see. Informed consent laws place limits on the
ability of other persons to intrude physically on a person's body.
Similar concerns apply to intrusions on information about the person.
Moving beyond these facts of physical treatment, there is also
significant intrusion when records reveal details about a person's
mental state, such as during treatment for mental health. If, in
Justice Brandeis' words, the ``right to be let alone'' means anything,
then it likely applies to having outsiders have access to one's
intimate thoughts, words, and emotions. In the recent case of Jaffee v.
Redmond, 116 S.Ct. 1923 (1996), the Supreme Court held that statements
made to a therapist during a counseling session were protected against
civil discovery under the Federal Rules of Evidence. The Court noted
that all fifty states have adopted some form of the psychotherapist-
patient privilege. In upholding the federal privilege, the Supreme
Court stated that it ``serves the public interest by facilitating the
appropriate treatment for individuals suffering the effects of a mental
or emotional problem. The mental health of our citizenry, no less than
its physical health, is a public good of transcendent importance.''
Many writers have urged a philosophical or common-sense right to
privacy in one's personal information. Examples include Alan Westin,
Privacy and Freedom (1967) and Janna Malamud Smith, Private Matters: In
Defense of the Personal Life (1997). These writings emphasize the link
between privacy and freedom and privacy and the ``personal life,'' or
the ability to develop one's own personality and self-expression.
Smith, for instance, states:
The bottom line is clear. If we continually, gratuitously,
reveal other people's privacies, we harm them and ourselves, we
undermine the richness of the personal life, and we fuel a social
atmosphere of mutual exploitation. Let me put it another way: Little
in life is as precious as the freedom to say and do things with
people you love that you would not say or do if someone else were
present. And few experiences are as fundamental to liberty and
autonomy as maintaining control over when, how, to whom, and where
you disclose personal material. Id. at 240-241.
In 1890, Louis D. Brandeis and Samuel D. Warren defined the right
to privacy as ``the right to be let alone.'' See L. Brandeis, S.
Warren, ``The Right
[[Page 82465]]
To Privacy,'' 4 Harv.L.Rev. 193. More than a century later, privacy
continues to play an important role in Americans' lives. In their book,
The Right to Privacy, (Alfred A. Knopf, New York, 1995) Ellen Alderman
and Caroline Kennedy describe the importance of privacy in this way:
Privacy covers many things. It protects the solitude necessary
for creative thought. It allows us the independence that is part of
raising a family. It protects our right to be secure in our own
homes and possessions, assured that the government cannot come
barging in. Privacy also encompasses our right to self-determination
and to define who we are. Although we live in a world of noisy self-
confession, privacy allows us to keep certain facts to ourselves if
we so choose. The right to privacy, it seems, is what makes us
civilized.
Or, as Cavoukian and Tapscott observed the right of privacy is: ``the
claim of individuals, groups, or institutions to determine for
themselves when, how, and to what extent information about them is
communicated.'' See A. Cavoukian, D. Tapscott, ``Who Knows:
Safeguarding Your Privacy in a Networked World,'' Random House (1995).
Increasing Public Concern About Loss of Privacy
Today, it is virtually impossible for any person to be truly ``let
alone.'' The average American is inundated with requests for
information from potential employers, retail shops, telephone marketing
firms, electronic marketers, banks, insurance companies, hospitals,
physicians, health plans, and others. In a 1998 national survey, 88
percent of consumers said they were ``concerned'' by the amount of
information being requested, including 55 percent who said they were
``very concerned.'' See Privacy and American Business, 1998 Privacy
Concerns & Consumer Choice Survey (http://www.pandab.org). These
worries are not just theoretical. Consumers who use the Internet to
make purchases or request ``free'' information often are asked for
personal and financial information. Companies making such requests
routinely promise to protect the confidentiality of that information.
Yet several firms have tried to sell this information to other
companies even after promising not to do so.
Americans' concern about the privacy of their health information is
part of a broader anxiety about their lack of privacy in an array of
areas. A series of national public opinion polls conducted by Louis
Harris & Associates documents a rising level of public concern about
privacy, growing from 64 percent in 1978 to 82 percent in 1995. Over 80
percent of persons surveyed in 1999 agreed with the statement that they
had ``lost all control over their personal information.'' See Harris
Equifax, Health Information Privacy Study (1993) (http://www.epic.org/privacy/medical/polls.html). A Wall Street Journal/ABC poll on
September 16, 1999 asked Americans what concerned them most in the
coming century. ``Loss of personal privacy'' was the first or second
concern of 29 percent of respondents. All other issues, such a
terrorism, world war, and global warming had scores of 23 percent or
less.
This growing concern stems from several trends, including the
growing use of interconnected electronic media for business and
personal activities, our increasing ability to know an individual's
genetic make-up, and, in health care, the increasing complexity of the
system. Each of these trends brings the potential for tremendous
benefits to individuals and society generally. At the same time, each
also brings new potential for invasions of our privacy.
Increasing Use of Interconnected Electronic Information Systems
Until recently, health information was recorded and maintained on
paper and stored in the offices of community-based physicians, nurses,
hospitals, and other health care professionals and institutions. In
some ways, this imperfect system of record keeping created a false
sense of privacy among patients, providers, and others. Patients'
health information has never remained completely confidential. Until
recently, however, a breach of confidentiality involved a physical
exchange of paper records or a verbal exchange of information. Today,
however, more and more health care providers, plans, and others are
utilizing electronic means of storing and transmitting health
information. In 1996, the health care industry invested an estimated
$10 billion to $15 billion on information technology. See National
Research Council, Computer Science and Telecommunications Board, ``For
the Record: Protecting Electronic Health Information,'' (1997). The
electronic information revolution is transforming the recording of
health information so that the disclosure of information may require
only a push of a button. In a matter of seconds, a person's most
profoundly private information can be shared with hundreds, thousands,
even millions of individuals and organizations at a time. While the
majority of medical records still are in paper form, information from
those records is often copied and transmitted through electronic means.
This ease of information collection, organization, retention, and
exchange made possible by the advances in computer and other electronic
technology affords many benefits to individuals and to the health care
industry. Use of electronic information has helped to speed the
delivery of effective care and the processing of billions of dollars
worth of health care claims. Greater use of electronic data has also
increased our ability to identify and treat those who are at risk for
disease, conduct vital research, detect fraud and abuse, and measure
and improve the quality of care delivered in the U.S. The National
Research Council recently reported that ``the Internet has great
potential to improve Americans'' health by enhancing communications and
improving access to information for care providers, patients, health
plan administrators, public health officials, biomedical researchers,
and other health professionals.'' See ``Networking Health:
Prescriptions for the Internet,'' National Academy of Sciences (2000).
At the same time, these advances have reduced or eliminated many of
the financial and logistical obstacles that previously served to
protect the confidentiality of health information and the privacy
interests of individuals. And they have made our information available
to many more people. The shift from paper to electronic records, with
the accompanying greater flows of sensitive health information, thus
strengthens the arguments for giving legal protection to the right to
privacy in health information. In an earlier period where it was far
more expensive to access and use medical records, the risk of harm to
individuals was relatively low. In the potential near future, when
technology makes it almost free to send lifetime medical records over
the Internet, the risks may grow rapidly. It may become cost-effective,
for instance, for companies to offer services that allow purchasers to
obtain details of a person's physical and mental treatments. In
addition to legitimate possible uses for such services, malicious or
inquisitive persons may download medical records for purposes ranging
from identity theft to embarrassment to prurient interest in the life
of a celebrity or neighbor. The comments to the proposed privacy rule
indicate that many persons believe that they have a right to live in
society without having these details of their lives laid open to
unknown and possibly hostile eyes. These technological changes, in
short, may provide a reason for institutionalizing
[[Page 82466]]
privacy protections in situations where the risk of harm did not
previously justify writing such protections into law.
The growing level of trepidation about privacy in general, noted
above, has tracked the rise in electronic information technology.
Americans have embraced the use of the Internet and other forms of
electronic information as a way to provide greater access to
information, save time, and save money. For example, 60 percent of
Americans surveyed in 1999 reported that they have a computer in their
home; 82 percent reported that they have used a computer; 64 percent
say they have used the Internet; and 58 percent have sent an e-mail.
Among those who are under the age of 60, these percentages are even
higher. See ``National Survey of Adults on Technology,'' Henry J.
Kaiser Family Foundation (February, 2000). But 59 percent of Americans
reported that they worry that an unauthorized person will gain access
to their information. A recent survey suggests that 75 percent of
consumers seeking health information on the Internet are concerned or
very concerned about the health sites they visit sharing their personal
health information with a third party without their permission. Ethics
Survey of Consumer Attitudes about Health Web Sites, California Health
Care Foundation, at 3 (January, 2000).
Unless public fears are allayed, we will be unable to obtain the
full benefits of electronic technologies. The absence of national
standards for the confidentiality of health information has made the
health care industry and the population in general uncomfortable about
this primarily financially-driven expansion in the use of electronic
data. Many plans, providers, and clearinghouses have taken steps to
safeguard the privacy of individually identifiable health information.
Yet they must currently rely on a patchwork of State laws and
regulations that are incomplete and, at times, inconsistent. States
have, to varying degrees, attempted to enhance confidentiality by
establishing laws governing at least some aspects of medical record
privacy. This approach, though a step in the right direction, is
inadequate. These laws fail to provide a consistent or comprehensive
legal foundation of health information privacy. For example, there is
considerable variation among the states in the type of information
protected and the scope of the protections provided. See Georgetown
Study, at Executive Summary; Lawrence O. Gostin, Zita Lazzarrini,
Kathleen M. Flaherty, Legislative Survey of State Confidentiality Laws,
with Specific Emphasis on HIV and Immunization, Report to Centers for
Disease Control, Council of State and Territorial Epidemiologists, and
Task Force for Child Survival and Development, Carter Presidential
Center (1996) (Gostin Study).
Moreover, electronic health data is becoming increasingly
``national''; as more information becomes available in electronic form,
it can have value far beyond the immediate community where the patient
resides. Neither private action nor state laws provide a sufficiently
comprehensive and rigorous legal structure to allay public concerns,
protect the right to privacy, and correct the market failures caused by
the absence of privacy protections (see discussion below of market
failure under section V.C). Hence, a national policy with consistent
rules is necessary to encourage the increased and proper use of
electronic information while also protecting the very real needs of
patients to safeguard their privacy.
Advances in Genetic Sciences
Recently, scientists completed nearly a decade of work unlocking
the mysteries of the human genome, creating tremendous new
opportunities to identify and prevent many of the leading causes of
death and disability in this country and around the world. Yet the
absence of privacy protections for health information endanger these
efforts by creating a barrier of distrust and suspicion among
consumers. A 1995 national poll found that more than 85 percent of
those surveyed were either ``very concerned'' or ``somewhat concerned''
that insurers and employers might gain access to and use genetic
information. See Harris Poll, 1995 #34. Sixty-three percent of the
1,000 participants in a 1997 national survey said they would not take
genetic tests if insurers and employers could gain access to the
results. See ``Genetic Information and the Workplace,'' Department of
Labor, Department of Health and Human Services, Equal Employment
Opportunity Commission, January 20, 1998. ``In genetic testing studies
at the National Institutes of Health, thirty-two percent of eligible
people who were offered a test for breast cancer risk declined to take
it, citing concerns about loss of privacy and the potential for
discrimination in health insurance.'' Sen. Leahy's comments for March
10, 1999 Introduction of the Medical Information Privacy and Security
Act.
The Changing Health Care System
The number of entities who are maintaining and transmitting
individually identifiable health information has increased
significantly over the last 10 years. In addition, the rapid growth of
integrated health care delivery systems requires greater use of
integrated health information systems. The health care industry has
been transformed from one that relied primarily on one-on-one
interactions between patients and clinicians to a system of integrated
health care delivery networks and managed care providers. Such a system
requires the processing and collection of information about patients
and plan enrollees (for example, in claims files or enrollment
records), resulting in the creation of databases that can be easily
transmitted. This dramatic change in the practice of medicine brings
with it important prospects for the improvement of the quality of care
and reducing the cost of that care. It also, however, means that
increasing numbers of people have access to health information. And, as
health plan functions are increasingly outsourced, a growing number of
organizations not affiliated with our physicians or health plans also
have access to health information.
According to the American Health Information Management Association
(AHIMA), an average of 150 people ``from nursing staff to x-ray
technicians, to billing clerks'' have access to a patient's medical
records during the course of a typical hospitalization. While many of
these individuals have a legitimate need to see all or part of a
patient's records, no laws govern who those people are, what
information they are able to see, and what they are and are not allowed
to do with that information once they have access to it. According to
the National Research Council, individually identifiable health
information frequently is shared with:
Consulting physicians;
Managed care organizations;
Health insurance companies
Life insurance companies;
Self-insured employers;
Pharmacies;
Pharmacy benefit managers;
Clinical laboratories;
Accrediting organizations;
State and Federal statistical agencies; and
Medical information bureaus.
Much of this sharing of information is done without the knowledge of
the patient involved. While many of these functions are important for
smooth functioning of the health care system, there are no rules
governing how that
[[Page 82467]]
information is used by secondary and tertiary users. For example, a
pharmacy benefit manager could receive information to determine whether
an insurance plan or HMO should cover a prescription, but then use the
information to market other products to the same patient. Similarly,
many of us obtain health insurance coverage though our employer and, in
some instances, the employer itself acts as the insurer. In these
cases, the employer will obtain identifiable health information about
its employees as part of the legitimate health insurance functions such
as claims processing, quality improvement, and fraud detection
activities. At the same time, there is no comprehensive protection
prohibiting the employer from using that information to make decisions
about promotions or job retention.
Public concerns reflect these developments. A 1993 Lou Harris poll
found that 75 percent of those surveyed worry that medical information
from a computerized national health information system will be used for
many non-health reasons, and 38 percent are very concerned. This poll,
taken during the health reform efforts of 1993, showed that 85 percent
of respondents believed that protecting the confidentiality of medical
records is ``absolutely essential'' or ``very essential'' in health
care reform. An ACLU Poll in 1994 also found that 75 percent of those
surveyed are concerned a ``great deal'' or a ``fair amount''' about
insurance companies putting medical information about them into a
computer information bank to which others have access. Harris Equifax,
Health Information Privacy Study 2,33 (1993) http://www.epic.org/privacy/medical/poll.html. Another survey found that 35 percent of
Fortune 500 companies look at people's medical records before making
hiring and promotion decisions. Starr, Paul. ``Health and the Right to
Privacy,'' American Journal of Law and Medicine, 1999. Vol 25, pp. 193-
201.
Concerns about the lack of attention to information privacy in the
health care industry are not merely theoretical. In the absence of a
national legal framework of health privacy protections, consumers are
increasingly vulnerable to the exposure of their personal health
information. Disclosure of individually identifiable information can
occur deliberately or accidentally and can occur within an organization
or be the result of an external breach of security. Examples of recent
privacy breaches include:
A Michigan-based health system accidentally posted the
medical records of thousands of patients on the Internet (The Ann Arbor
News, February 10, 1999).
A Utah-based pharmaceutical benefits management firm used
patient data to solicit business for its owner, a drug store
(Kiplingers, February 2000).
An employee of the Tampa, Florida, health department took
a computer disk containing the names of 4,000 people who had tested
positive for HIV, the virus that causes AIDS (USA Today, October 10,
1996).
The health insurance claims forms of thousands of patients
blew out of a truck on its way to a recycling center in East Hartford,
Connecticut (The Hartford Courant, May 14, 1999).
A patient in a Boston-area hospital discovered that her
medical record had been read by more than 200 of the hospital's
employees (The Boston Globe, August 1, 2000).
A Nevada woman who purchased a used computer discovered
that the computer still contained the prescription records of the
customers of the pharmacy that had previously owned the computer. The
pharmacy data base included names, addresses, social security numbers,
and a list of all the medicines the customers had purchased. (The New
York Times, April 4, 1997 and April 12, 1997).
A speculator bid $4000 for the patient records of a family
practice in South Carolina. Among the businessman's uses of the
purchased records was selling them back to the former patients. (New
York Times, August 14, 1991).
In 1993, the Boston Globe reported that Johnson and
Johnson marketed a list of 5 million names and addresses of elderly
incontinent women. (ACLU Legislative Update, April 1998).
A few weeks after an Orlando woman had her doctor perform
some routine tests, she received a letter from a drug company promoting
a treatment for her high cholesterol. (Orlando Sentinel, November 30,
1997).
No matter how or why a disclosure of personal information is made,
the harm to the individual is the same. In the face of industry
evolution, the potential benefits of our changing health care system,
and the real risks and occurrences of harm, protection of privacy must
be built into the routine operations of our health care system.
Privacy Is Necessary To Secure Effective, High Quality Health Care
While privacy is one of the key values on which our society is
built, it is more than an end in itself. It is also necessary for the
effective delivery of health care, both to individuals and to
populations. The market failures caused by the lack of effective
privacy protections for health information are discussed below (see
section V.C below). Here, we discuss how privacy is a necessary
foundation for delivery of high quality health care. In short, the
entire health care system is built upon the willingness of individuals
to share the most intimate details of their lives with their health
care providers.
The need for privacy of health information, in particular, has long
been recognized as critical to the delivery of needed medical care.
More than anything else, the relationship between a patient and a
clinician is based on trust. The clinician must trust the patient to
give full and truthful information about their health, symptoms, and
medical history. The patient must trust the clinician to use that
information to improve his or her health and to respect the need to
keep such information private. In order to receive accurate and
reliable diagnosis and treatment, patients must provide health care
professionals with accurate, detailed information about their personal
health, behavior, and other aspects of their lives. The provision of
health information assists in the diagnosis of an illness or condition,
in the development of a treatment plan, and in the evaluation of the
effectiveness of that treatment. In the absence of full and accurate
information, there is a serious risk that the treatment plan will be
inappropriate to the patient's situation.
Patients also benefit from the disclosure of such information to
the health plans that pay for and can help them gain access to needed
care. Health plans and health care clearinghouses rely on the provision
of such information to accurately and promptly process claims for
payment and for other administrative functions that directly affect a
patient's ability to receive needed care, the quality of that care, and
the efficiency with which it is delivered.
Accurate medical records assist communities in identifying
troubling public health trends and in evaluating the effectiveness of
various public health efforts. Accurate information helps public and
private payers make correct payments for care received and lower costs
by identifying fraud. Accurate information provides scientists with
data they need to conduct research. We cannot improve the quality of
health care without information about which treatments work, and which
do not.
Individuals cannot be expected to share the most intimate details
of their lives unless they have confidence that such information will
not be used or
[[Page 82468]]
shared inappropriately. Privacy violations reduce consumers' trust in
the health care system and institutions that serve them. Such a loss of
faith can impede the quality of the health care they receive, and can
harm the financial health of health care institutions.
Patients who are worried about the possible misuse of their
information often take steps to protect their privacy. Recent studies
show that a person who does not believe his privacy will be protected
is much less likely to participate fully in the diagnosis and treatment
of his medical condition. A national survey conducted in January 1999
found that one in five Americans believe their health information is
being used inappropriately. See California HealthCare Foundation,
``National Survey: Confidentiality of Medical Records'' (January, 1999)
(http://www.chcf.org). More troubling is the fact that one in six
Americans reported that they have taken some sort of evasive action to
avoid the inappropriate use of their information by providing
inaccurate information to a health care provider, changing physicians,
or avoiding care altogether. Similarly, in its comments on our proposed
rule, the Association of American Physicians and Surgeons reported 78
percent of its members reported withholding information from a
patient's record due to privacy concerns and another 87 percent
reported having had a patient request to withhold information from
their records. For an example of this phenomenon in a particular
demographic group, see Drs. Bearman, Ford, and Moody, ``Foregone Health
Care among Adolescents,'' JAMA, vol. 282, no. 23 (999); Cheng, T.L., et
al., ``Confidentiality in Health Care: A Survey of Knowledge,
Perceptions, and Attitudes among High School Students,'' JAMA, vol.
269, no. 11 (1993), at 1404-1407.
The absence of strong national standards for medical privacy has
widespread consequences. Health care professionals who lose the trust
of their patients cannot deliver high-quality care. In 1999, a
coalition of organizations representing various stakeholders including
health plans, physicians, nurses, employers, disability and mental
health advocates, accreditation organizations as well as experts in
public health, medical ethics, information systems, and health policy
adopted a set of ``best principles'' for health care privacy that are
consistent with the standards we lay out here. (See the Health Privacy
Working Group, ``Best Principles for Health Privacy'' (July, 1999)
(Best Principles Study). The Best Principles Study states that--
To protect their privacy and avoid embarrassment, stigma, and
discrimination, some people withhold information from their health
care providers, provide inaccurate information, doctor-hop to avoid
a consolidated medical record, pay out-of-pocket for care that is
covered by insurance, and--in some cases--avoid care altogether.
Best Principles Study, at 9. In their comments on our proposed rule,
numerous organizations representing health plans, health providers,
employers, and others acknowledged the value of a set of national
privacy standards to the efficient operation of their practices and
businesses.
Breaches of Health Privacy Harm More Than Our Health Status
A breach of a person's health privacy can have significant
implications well beyond the physical health of that person, including
the loss of a job, alienation of family and friends, the loss of health
insurance, and public humiliation. For example:
A banker who also sat on a county health board gained
access to patients' records and identified several people with cancer
and called in their mortgages. See the National Law Journal, May 30,
1994.
A physician was diagnosed with AIDS at the hospital in
which he practiced medicine. His surgical privileges were suspended.
See Estate of Behringer v. Medical Center at Princeton, 249 N.J. Super.
597.
A candidate for Congress nearly saw her campaign derailed
when newspapers published the fact that she had sought psychiatric
treatment after a suicide attempt. See New York Times, October 10,
1992, Section 1, page 25.
A 30-year FBI veteran was put on administrative leave
when, without his permission, his pharmacy released information about
his treatment for depression. (Los Angeles Times, September 1, 1998)
Consumer Reports found that 40 percent of insurers disclose personal
health information to lenders, employers, or marketers without customer
permission. ``Who's reading your Medical Records,'' Consumer Reports,
October 1994, at 628, paraphrasing Sweeny, Latanya, ``Weaving
Technology and Policy Together to Maintain Confidentiality,'' The
Journal Of Law Medicine and Ethics (Summer & Fall 1997) Vol. 25,
Numbers 2,3.
The answer to these concerns is not for consumers to withdraw from
society and the health care system, but for society to establish a
clear national legal framework for privacy. By spelling out what is and
what is not an allowable use of a person's identifiable health
information, such standards can help to restore and preserve trust in
the health care system and the individuals and institutions that
comprise that system. As medical historian Paul Starr wrote: ``Patients
have a strong interest in preserving the privacy of their personal
health information but they also have an interest in medical research
and other efforts by health care organizations to improve the medical
care they receive. As members of the wider community, they have an
interest in public health measures that require the collection of
personal data.'' (P. Starr, ``Health and the Right to Privacy,''
American Journal of Law & Medicine, 25, nos. 2&3 (1999) 193-201). The
task of society and its government is to create a balance in which the
individual's needs and rights are balanced against the needs and rights
of society as a whole.
National standards for medical privacy must recognize the sometimes
competing goals of improving individual and public health, advancing
scientific knowledge, enforcing the laws of the land, and processing
and paying claims for health care services. This need for balance has
been recognized by many of the experts in this field. Cavoukian and
Tapscott described it this way: ``An individual's right to privacy may
conflict with the collective rights of the public * * *. We do not
suggest that privacy is an absolute right that reigns supreme over all
other rights. It does not. However, the case for privacy will depend on
a number of factors that can influence the balance--the level of harm
to the individual involved versus the needs of the public.''
The Federal Response
There have been numerous federal initiatives aimed at protecting
the privacy of especially sensitive personal information over the past
several years--and several decades. While the rules below are likely
the largest single federal initiative to protect privacy, they are by
no means alone in the field. Rather, the rules arrive in the context of
recent legislative activity to grapple with advances in technology, in
addition to an already established body of law granting federal
protections for personal privacy.
In 1965, the House of Representatives created a Special
Subcommittee on Invasion of Privacy. In 1973, this Department's
predecessor agency, the Department of Health, Education and Welfare
issued The Code of Fair Information Practice Principles establishing an
important baseline for
[[Page 82469]]
information privacy in the U.S. These principles formed the basis for
the federal Privacy Act of 1974, which regulates the government's use
of personal information by limiting the disclosure of personally-
identifiable information, allows consumers access to information about
them, requires federal agencies to specify the purposes for collecting
personal information, and provides civil and criminal penalties for
misuse of information.
In the last several years, with the rapid expansion in electronic
technology--and accompanying concerns about individual privacy--laws,
regulations, and legislative proposals have been developed in areas
ranging from financial privacy to genetic privacy to the safeguarding
of children on-line. For example, the Children's Online Privacy
Protection Act was enacted in 1998, providing protection for children
when interacting at web-sites. In February, 2000, President Clinton
signed Executive Order 13145, banning the use of genetic information in
federal hiring and promotion decisions. The landmark financial
modernization bill, signed by the President in November, 1999, likewise
contained financial privacy protections for consumers. There also has
been recent legislative activity on establishing legal safeguards for
the privacy of individuals' Social Security numbers, and calls for
regulation of on-line privacy in general.
These most recent laws, regulations, and legislative proposals come
against the backdrop of decades of privacy-enhancing statutes passed at
the federal level to enact safeguards in fields ranging from government
data files to video rental records. In the 1970s, individual privacy
was paramount in the passage of the Fair Credit Reporting Act (1970),
the Privacy Act (1974), the Family Educational Rights and Privacy Act
(1974), and the Right to Financial Privacy Act (1978). These key laws
were followed in the next decade by another series of statutes,
including the Privacy Protection Act (1980), the Electronic
Communications Privacy Act (1986), the Video Privacy Protection Act
(1988), and the Employee Polygraph Protection Act (1988). In the last
ten years, Congress and the President have passed additional legal
privacy protection through, among others, the Telephone Consumer
Protection Act (1991), the Driver's Privacy Protection Act (1994), the
Telecommunications Act (1996), the Children's Online Privacy Protection
Act (1998), the Identity Theft and Assumption Deterrence Act (1998),
and Title V of the Gramm-Leach-Bliley Act (1999) governing financial
privacy.
In 1997, a Presidential advisory commission, the Advisory
Commission on Consumer Protection and Quality in the Health Care
Industry, recognized the need for patient privacy protection in its
recommendations for a Consumer Bill of Rights and Responsibilities
(November 1997). In 1997, Congress enacted the Balanced Budget Act
(Public Law 105-34), which added language to the Social Security Act
(18 U.S.C. 1852) to require Medicare+Choice organizations to establish
safeguards for the privacy of individually identifiable patient
information. Similarly, the Veterans Benefits section of the U.S. Code
provides for confidentiality of medical records in cases involving drug
abuse, alcoholism or alcohol abuse, HIV infection, or sickle cell
anemia (38 U.S.C. 7332).
As described in more detail in the next section, Congress
recognized the importance of protecting the privacy of health
information by enacting the Health Insurance Portability and
Accountability Act of 1996. The Act called on Congress to enact a
medical privacy statute and asked the Secretary of Health and Human
Services to provide Congress with recommendations for protecting the
confidentiality of health care information. The Congress further
recognized the importance of such standards by providing the Secretary
with authority to promulgate regulations on health care privacy in the
event that lawmakers were unable to act within the allotted three
years.
Finally, it also is important for the U.S. to join the rest of the
developed world in establishing basic medical privacy protections. In
1995, the European Union (EU) adopted a Data Privacy Directive
requiring its 15 member states to adopt consistent privacy laws by
October 1998. The EU urged all other nations to do the same or face the
potential loss of access to information from EU countries.
Statutory Background
History of the Privacy Component of the Administrative Simplification
Provisions
The Congress addressed the opportunities and challenges presented
by the rapid evolution of health information systems in the Health
Insurance Portability and Accountability Act of 1996 (HIPAA), Public
Law 104-191, which was enacted on August 21, 1996. Sections 261 through
264 of HIPAA are known as the Administrative Simplification provisions.
The major part of these Administrative Simplification provisions are
found at section 262 of HIPAA, which enacted a new part C of title XI
of the Social Security Act (hereinafter we refer to the Social Security
Act as the ``Act'' and we refer to all other laws cited in this
document by their names).
In section 262, Congress primarily sought to facilitate the
efficiencies and cost savings for the health care industry that the
increasing use of electronic technology affords. Thus, section 262
directs HHS to issue standards to facilitate the electronic exchange of
information with respect to financial and administrative transactions
carried out by health plans, health care clearinghouses, and health
care providers who transmit information electronically in connection
with such transactions.
At the same time, Congress recognized the challenges to the
confidentiality of health information presented by the increasing
complexity of the health care industry, and by advances in health
information systems technology and communications. Section 262 thus
also directs HHS to develop standards to protect the security,
including the confidentiality and integrity, of health information.
Congress has long recognized the need for protection of health
information privacy generally, as well as the privacy implications of
electronic data interchange and the increased ease of transmitting and
sharing individually identifiable health information. Congress has been
working on broad health privacy legislation for many years and, as
evidenced by the self-imposed three year deadline included in the
HIPAA, discussed below, believes it can and should enact such
legislation. A significant portion of the first Administrative
Simplification section debated on the floor of the Senate in 1994 (as
part of the Health Security Act) consisted of privacy provisions. In
the version of the HIPAA passed by the House of Representatives in
1996, the requirement for the issuance of privacy standards was located
in the same section of the bill (section 1173) as the requirements for
issuance of the other HIPAA Administrative Simplification standards. In
conference, the requirement for privacy standards was moved to a
separate section in the same part of HIPAA, section 264, so that
Congress could link the Privacy standards to Congressional action.
Section 264(b) requires the Secretary of HHS to develop and submit
to the Congress recommendations for:
The rights that an individual who is a subject of
individually identifiable health information should have.
[[Page 82470]]
The procedures that should be established for the exercise
of such rights.
The uses and disclosures of such information that should
be authorized or required.
The Secretary's Recommendations were submitted to the Congress on
September 11, 1997. Section 264(c)(1) provides that:
If legislation governing standards with respect to the privacy
of individually identifiable health information transmitted in
connection with the transactions described in section 1173(a) of the
Social Security Act (as added by section 262) is not enacted by
[August 21, 1999], the Secretary of Health and Human Services shall
promulgate final regulations containing such standards not later
than [February 21, 2000]. Such regulations shall address at least
the subjects described in subsection (b).
As the Congress did not enact legislation regarding the privacy of
individually identifiable health information prior to August 21, 1999,
HHS published proposed rules setting forth such standards on November
3, 1999, 64 FR 59918, and is now publishing the mandated final
regulation.
These privacy standards have been, and continue to be, an integral
part of the suite of Administrative Simplification standards intended
to simplify and improve the efficiency of the administration of our
health care system.
The Administrative Simplification Provisions, and Regulatory Actions to
Date
Part C of title XI consists of sections 1171 through 1179 of the
Act. These sections define various terms and impose several
requirements on HHS, health plans, health care clearinghouses, and
health care providers who conduct the identified transactions
electronically.
The first section, section 1171 of the Act, establishes definitions
for purposes of part C of title XI for the following terms: code set,
health care clearinghouse, health care provider, health information,
health plan, individually identifiable health information, standard,
and standard setting organization.
Section 1172 of the Act makes the standard adopted under part C
applicable to: (1) Health plans, (2) health care clearinghouses, and
(3) health care providers who transmit health information in electronic
form in connection with transactions referred to in section 1173(a)(1)
of the Act (hereinafter referred to as the ``covered entities'').
Section 1172 also contains procedural requirements concerning the
adoption of standards, including the role of standard setting
organizations and required consultations, summarized in subsection F
and section VI, below.
Section 1173 of the Act requires the Secretary to adopt standards
for transactions, and data elements for such transactions, to enable
health information to be exchanged electronically. Section 1173(a)(1)
describes the transactions to be promulgated, which include the nine
transactions listed in section 1173(a)(2) and other transactions
determined appropriate by the Secretary. The remainder of section 1173
sets out requirements for the specific standards the Secretary is to
adopt: Unique health identifiers, code sets, security standards,
electronic signatures, and transfer of information among health plans.
Of particular relevance to this proposed rule is section 1173(d), the
security standard provision. The security standard authority applies to
both the transmission and the maintenance of health information, and
requires the entities described in section 1172(a) to maintain
reasonable and appropriate safeguards to ensure the integrity and
confidentiality of the information, protect against reasonably
anticipated threats or hazards to the security or integrity of the
information or unauthorized uses or disclosures of the information, and
to ensure compliance with part C by the entity's officers and
employees.
In section 1174 of the Act, the Secretary is required to establish
standards for all of the above transactions, except claims attachments,
by February 21, 1998. The statutory deadline for the claims attachment
standard is February 21, 1999.
As noted above, a proposed rule for most of the transactions was
published on May 7, 1998, and the final Transactions Rule was
promulgated on August 17, 2000. The delay was caused by the deliberate
consensus building process, working with industry, and the large number
of comments received (about 17,000). In addition, in a series of
Notices of Proposed Rulemakings, HHS published other proposed
standards, as described above. Each of these steps was taken in concert
with the affected professions and industries, to ensure rapid adoption
and compliance.
Generally, after a standard is established, it may not be changed
during the first year after adoption except for changes that are
necessary to permit compliance with the standard. Modifications to any
of these standards may be made after the first year, but not more
frequently than once every 12 months. The Secretary also must ensure
that procedures exist for the routine maintenance, testing,
enhancement, and expansion of code sets and that there are crosswalks
from prior versions.
Section 1175 of the Act prohibits health plans from refusing to
process, or from delaying processing of, a transaction that is
presented in standard format. It also establishes a timetable for
compliance: each person to whom a standard or implementation
specification applies is required to comply with the standard within 24
months (or 36 months for small health plans) of its adoption. A health
plan or other entity may, of course, comply voluntarily before the
effective date. The section also provides that compliance with
modifications to standards or implementation specifications must be
accomplished by a date designated by the Secretary, which date may not
be earlier than 180 days from the notice of change.
Section 1176 of the Act establishes civil monetary penalties for
violation of the provisions in part C of title XI of the Act, subject
to several limitations. Penalties may not be more than $100 per person
per violation and not more than $25,000 per person for violations of a
single standard for a calendar year. The procedural provisions of
section 1128A of the Act apply to actions taken to obtain civil
monetary penalties under this section.
Section 1177 establishes penalties for any person that knowingly
uses a unique health identifier, or obtains or discloses individually
identifiable health information in violation of the part. The penalties
include: (1) A fine of not more than $50,000 and/or imprisonment of not
more than 1 year; (2) if the offense is ``under false pretenses,'' a
fine of not more than $100,000 and/or imprisonment of not more than 5
years; and (3) if the offense is with intent to sell, transfer, or use
individually identifiable health information for commercial advantage,
personal gain, or malicious harm, a fine of not more than $250,000 and/
or imprisonment of not more than 10 years.
Under section 1178 of the Act, the requirements of part C, as well
as any standards or implementation specifications adopted thereunder,
preempt contrary state law. There are three exceptions to this general
rule of preemption: State laws that the Secretary determines are
necessary for certain purposes set forth in the statute; state laws
that the Secretary determines address controlled substances; and state
laws relating to the privacy of
[[Page 82471]]
individually identifiable health information that are contrary to and
more stringent than the federal requirements. There also are certain
areas of state law (generally relating to public health and oversight
of health plans) that are explicitly carved out of the general rule of
preemption and addressed separately.
Section 1179 of the Act makes the above provisions inapplicable to
financial institutions (as defined by section 1101 of the Right to
Financial Privacy Act of 1978) or anyone acting on behalf of a
financial institution when ``authorizing, processing, clearing,
settling, billing, transferring, reconciling, or collecting payments
for a financial institution.''
Finally, as explained above, section 264 requires the Secretary to
issue standards with respect to the privacy of individually
identifiable health information. Section 264 also contains a preemption
provision that provides that contrary provisions of state laws that are
more stringent than the federal standards, requirements, or
implementation specifications will not be preempted.
Our Approach to This Regulation
Balance
A number of facts informed our approach to this regulation.
Determining the best approach to protecting privacy depends on where we
start, both with respect to existing legal expectations and also with
respect to the expectations of individuals, health care providers,
payers and other stakeholders. From the comments we received on the
proposed rule, and from the extensive fact finding in which we engaged,
a confused picture developed. We learned that stakeholders in the
system have very different ideas about the extent and nature of the
privacy protections that exist today, and very different ideas about
appropriate uses of health information. This leads us to seek to
balance the views of the different stakeholders, weighing the varying
interests on each particular issue with a view to creating balance in
the regulation as a whole.
For example, we received hundreds of comments explaining the
legitimacy of various uses and disclosure of health information. We
agree that many uses and disclosures of health information are
``legitimate,'' but that is not the end of the inquiry. Neither
privacy, nor the important social goals described by the commenters,
are absolutes. In this regulation, we are asking health providers and
institutions to add privacy into the balance, and we are asking
individuals to add social goals into the balance.
The vast difference among regulated entities also informed our
approach in significant ways. This regulation applies to solo
practitioners, and multi-national health plans. It applies to
pharmacies and information clearinghouses. These entities differ not
only in the nature and scope of their businesses, but also in the
degree of sophistication of their information systems and information
needs. We therefore designed the core requirements of this regulation
to be flexible and ``scalable.'' This is reflected throughout the rule,
particularly in the implementation specifications for making the
minimum necessary uses and disclosures, and in the administrative
policies and procedures requirements.
We also are informed by the rapid evolution in industry
organization and practice. Our goal is to enhance privacy protections
in ways that do not impede this evolution. For example, we received
many comments asking us to assign a status under this regulation based
on a label or title. For example, many commenters asked whether
``disease management'' is a ``health care operation,'' or whether a
``pharmacy benefits manager'' is a covered entity. From the comments
and our fact-finding, however, we learned that these terms do not have
consistent meanings today; rather, they encompass diverse activities
and information practices. Further, the statutory definitions of key
terms such as health care provider and health care clearinghouse
describe functions, not specific types of persons or entities. To
respect both the Congressional approach and industry evolution, we
design the rule to follow activities and functions, not titles and
labels.
Similarly, many comments asked whether a particular person would be
a ``business associate'' under the rule, based on the nature of the
person's business. Whether a business associate arrangement must exist
under the rule, however, depends on the relationship between the
entities and the services being performed, not on the type of persons
or companies involved.
Our approach is also significantly informed by the limited
jurisdiction conferred by HIPAA. In large part, we have the authority
to regulate those who create and disclose health information, but not
many key stakeholders who receive that health information from a
covered entity. Again, this led us to look to the balance between the
burden on covered entities and need to protect privacy in determining
our approach to such disclosures. In some instances, we approach this
dilemma by requiring covered entities to obtain a representation or
documentation of purpose from the person requesting information. While
there would be advantages to legislation regulating such third persons
directly, we cannot justify abandoning any effort to enhance privacy.
It also became clear from the comments and our fact-finding that we
have expectations as a society that conflict with individuals' views
about the privacy of health information. We expect the health care
industry to develop treatment protocols for the delivery of high
quality health care. We expect insurers and the government to reduce
fraud in the health care system. We expect to be protected from
epidemics, and we expect medical research to produce miracles. We
expect the police to apprehend suspects, and we expect to pay for our
care by credit card. All of these activities involve disclosure of
health information to someone other than our physician.
While most commenters support the concept of health privacy in
general, many go on to describe activities that depend on the
disclosure of health information and urge us to protect those
information flows. Section III, in which we respond to the comments,
describes our approach to balancing these conflicting expectations.
Finally, we note that many commenters were concerned that this
regulation would lessen current privacy protections. It is important to
understand this regulation as a new federal floor of privacy
protections that does not disturb more protective rules or practices.
Nor do we intend this regulation to describe a set of a ``best
practices.'' Rather, this regulation describes a set of basic consumer
protections and a series of regulatory permissions for use and
disclosure of health information. The protections are a mandatory
floor, which other governments and any covered entity may exceed. The
permissions are just that, permissive--the only disclosures of health
information required under this rule are to the individual who is the
subject of the information or to the Secretary for enforcement of this
rule. We expect covered entities to rely on their professional ethics
and use their own best judgements in deciding which of these
permissions they will use.
Combining Workability With New Protections
This rule establishes national minimum standards to protect the
privacy of individually identifiable health information in prescribed
[[Page 82472]]
settings. The standards address the many varied uses and disclosures of
individually identifiable health information by health plans, certain
health care providers and health care clearinghouses. The complexity of
the standards reflects the complexity of the health care marketplace to
which they apply and the variety of subjects that must be addressed.
The rule applies not only to the core health care functions relating to
treating patients and reimbursing health care providers, but also to
activities that range from when individually identifiable health
information should be available for research without authorization to
whether a health care provider may release protected health information
about a patient for law enforcement purposes. The number of discrete
provisions, and the number of commenters requesting that the rule
recognize particular activities, is evidence of the significant role
that individually identifiable health information plays in many vital
public and private concerns.
At the same time, the large number of comments from individuals and
groups representing individuals demonstrate the deep public concern
about the need to protect the privacy of individually identifiable
health information. The discussion above is rich with evidence about
the importance of protecting privacy and the potential adverse
consequences to individuals and their health if such protections are
not extended.
The need to balance these competing interests--the necessity of
protecting privacy and the public interest in using identifiable health
information for vital public and private purposes--in a way that is
also workable for the varied stakeholders causes much of the complexity
in the rule. Achieving workability without sacrificing protection means
some level of complexity, because the rule must track current practices
and current practices are complex. We believe that the complexity
entailed in reflecting those practices is better public policy than a
perhaps simpler rule that disturbed important information flows.
Although the rule taken as a whole is complicated, we believe that
the standards are much less complex as they apply to particular actors.
What a health plan or covered health care provider must do to comply
with the rule is clear, and the two-year delayed implementation
provides a substantial period for trade and professional associations,
working with their members, to assess the effects of the standards and
develop policies and procedures to come into compliance with them. For
individuals, the system may look substantially more complicated
because, for the first time, we are ensuring that individuals will
receive detailed information about how their individually identifiable
health information may be used and disclosed. We also provide
individuals with additional tools to exercise some control over those
uses and disclosures. The additional complexity for individuals is the
price of expanding their understanding and their rights.
The Department will work actively with members of the health care
industry, representatives of individuals and others during the
implementation of this rule. As stated elsewhere, our focus is to
develop broader understanding of how the standards work and to
facilitate compliance. We intend to provide guidance and check lists as
appropriate, particularly to small businesses affected by the rule. We
also will work with trade and professional associations to develop
guidance and provide technical assistance so that they can help their
members understand and comply with these new standards. If this effort
is to succeed, the various public and private participants inside and
outside of the health care system will need to work together to assure
that the competing interests described above remain in balance and that
an ethic that recognizes their importance is established.
Enforcement
The Secretary has decided to delegate her responsibility under this
regulation to the Department's Office for Civil Rights (OCR). OCR will
be responsible for enforcement of this regulation. Enforcement
activities will include working with covered entities to secure
voluntary compliance through the provision of technical assistance and
other means; responding to questions regarding the regulation and
providing interpretations and guidance; responding to state requests
for exception determinations; investigating complaints and conducting
compliance reviews; and, where voluntary compliance cannot be achieved,
seeking civil monetary penalties and making referrals for criminal
prosecution.
Consent
Current Law and Practice
The issue that drew the most comments overall is the question of
when individuals' permission should be obtained prior to use or
disclosure of their health information. We learned that individuals'
views and the legal view of ``consent'' for use and disclosure of
health information are different and in many ways incompatible.
Comments from individuals revealed a common belief that, today, people
must be asked permission for each and every release of their health
information. Many believe that they ``own'' the health records about
them. However, current law and practice do not support this view.
Current privacy protection practices are determined in part by the
standards and practices that the professional associations have adopted
for their members. Professional codes of conduct for ethical behavior
generally can be found as opinions and guidelines developed by
organizations such as the American Medical Association, American
Nurses' Association, the American Hospital Association, the American
Psychiatric Association, and the American Dental Association. These are
generally issued though an organization's governing body. The codes do
not have the force of law, but providers often recognize them as
binding rules.
Our review of professional codes of ethics revealed partial, but
loose, support for individuals' expectations of privacy. For example,
the American Medical Association's Code of Ethics recognizes both the
right to privacy and the need to balance it against societal needs. It
reads in part: ``conflicts between a patient's right to privacy and a
third party's need to know should be resolved in favor of the patient,
except where that would result in serious health hazard or harm to the
patient or others.'' AMA Policy No 140.989. See also, Mass. Med.
Society, Patient Privacy and Confidentiality (1996), at 14:
Patients enter treatment with the expectation that the
information they share will be used exclusively for their clinical
care. Protection of our patients' confidences is an integral part of
our ethical training.
These codes, however, do not apply to many who obtain information
from providers. For example, the National Association of Insurance
Commissioners model code, ``Health Information Privacy Model Act''
(1998), applies to insurers but has not been widely adopted. Codes of
ethics are also often written in general terms that do not provide
guidance to providers and plans confronted with specific questions
about protecting health information.
State laws are a crucial means of protecting health information,
and today state laws vary dramatically. Some states defer to the
professional codes of conduct, others provide general guidelines for
privacy protection, and
[[Page 82473]]
others provide detailed requirements relating to the protection of
information relating to specific diseases or to entire classes of
information. Cf., D.C. Code Ann. Sec. 2-3305.14(16) and Haw. Rev. Stat.
323C, et seq. In general, state statutes and case law addressing
consent to use of health information do not support the public's strong
expectations regarding consent for use and disclosure of health
information. Only about half of the states have a general law that
prohibits disclosure of health information without patient
authorization and some of these are limited to hospital medical
records.
Even when a state has a law limiting disclosure of health
information, the law typically exempts many types of disclosure from
the authorization requirement. Georgetown Study, Key Findings; Lisa
Dahm, ``50-State Survey on Patient Health Care Record
Confidentiality,'' American Health Lawyers Association (1999). One of
the most common exemptions from a consent requirement is disclosure of
health information for treatment and related purposes. See, e.g.,
Wis.Stat. Sec. 164.82; Cal. Civ. Code 56:10; National Conference of
Commissioners on Uniform State Laws, Uniform Health-Care Information
Act, Minneapolis, MN, August 9, 1985. Some states include utilization
review and similar activities in the exemption. See, e.g., Ariz. Rev.
Stat. Sec. 12-2294. Another common exemption from consent is disclosure
of health information for purposes of obtaining payment. See, e.g.,
Fla. Stat. Ann. Sec. 455.667; Tex. Rev. Civ. Stat. Art. 4495,
Sec. 5.08(h); 410 Ill. Comp. Stat. 50/3(d). Other common exemptions
include disclosures for emergency care, and for disclosures to
government authorities (such as a department of public health). See
Gostin Study, at 1-2; 48-51. Some states also exempt disclosure to law
enforcement officials (e.g., Massachusetts, Ch. 254 of the Acts of
2000), coroners (Wis. Stat. Sec. 146.82), and for such purposes as
business operations, oversight, research, and for directory
information. Under these exceptions, providers can disclose health
information without any consent or authorization from the patient. When
states require specific, written authorization for disclosure of health
information, the authorizations are usually only required for certain
types of disclosures or certain types of information, and one
authorization can suffice for multiple disclosures over time.
The states that do not have laws prohibiting disclosure of health
information impose no specific requirements for consent or
authorization prior to release of health information. There may,
however, be other controls on release of health information. For
instance, most health care professional licensure laws include general
prohibitions against ``breaches of confidentiality.'' In some states,
patients can hold providers accountable for some unauthorized
disclosures of health information about them under various tort
theories, such as invasion of privacy and breach of a confidential
relationship. While these controls may affect certain disclosure
practices, they do not amount to a requirement that a provider obtain
authorization for each and every disclosure of health information.
Further, patients are typically not given a choice; they must sign
the ``consent'' in order to receive care. As the Georgetown Study
points out, ``In effect, the authorization may function more as a
waiver of consent--the patient may not have an opportunity to object to
any disclosures.'' Georgetown Study, Key Findings.
In the many cases where neither state law nor professional ethical
standards exist, the only privacy protection individuals have is
limited to the policies and procedures that the health care entity
adopts. Corporate privacy policies are often proprietary. While several
professional associations attached their privacy principles to their
comments, health care entities did not. One study we found indicates
that these policies are not adequate to provide appropriate privacy
protections and alleviate public concern. The Committee on Maintaining
Privacy and Security in Health Care Applications of the National
Information Infrastructure made multiple findings highlighting the need
for heightened privacy and security, including:
Finding 5: The greatest concerns regarding the privacy of health
information derives from widespread sharing of patient information
throughout the health care industry and the inadequate federal and
state regulatory framework for systematic protection of health
information.
For the Record: Protecting Electronic Health Information,
National Academy Press, Washington DC, 1997.
Consent Under This Rule
In the NPRM, we expressed concern about the coercive nature of
consents currently obtained by providers and plans relating to the use
and disclosure of health information. We also expressed concern about
the lack of information available to the patient during the process,
and the fact that patients often were not even presented with a copy of
the consent that they have signed. These and other concerns led us to
propose that covered entities be permitted to use and disclose
protected health information for treatment, payment and health care
operations without the express consent of the subject individual.
In the final rule, we alter our proposed approach and require, in
most instances, that health care providers who have a direct treatment
relationship with their patients obtain the consent of their patients
to use and disclose protected health information for treatment, payment
and health care operations. While our concern about the coerced nature
of these consents remains, many comments that we received from
individuals, health care professionals, and organizations that
represent them indicated that both patients and practitioners believe
that patient consent is an important part of the current health care
system and should be retained.
Providing and obtaining consent clearly has meaning for patients
and practitioners. Patient advocates argued that the act of signing
focuses the patient's attention on the substance of the transaction and
provides an opportunity for the patient to ask questions about or seek
modifications in the provider's practices. Many health care
practitioners and their representatives argued that seeking a patient's
consent to disclose confidential information is an ethical requirement
that strengthens the physician-patient relationship. Both practitioners
and patients argued that the approach proposed in the NPRM actually
reduced patient protections by eliminating the opportunity for patients
to agree to how their confidential information would be used and
disclosed.
While we believe that the provisions in the NPRM that provided for
detailed notice to the patient and the right to request restrictions
would have provided an opportunity for patients and providers to
discuss and negotiate over information practices, it is clear from the
comments that many practitioners and patients believe the approach
proposed in the NPRM is not an acceptable replacement for the patient
providing consent.
To encourage a more informed interaction between the patient and
the provider during the consent process, the final rule requires that
the consent form that is presented to the patient be accompanied by a
notice that contains a detailed discussion of the provider's health
information practices. The consent form must reference the notice and
also must inform the patient that he
[[Page 82474]]
or she has the right to ask the health care provider to request certain
restrictions as to how the information of the patient will be used or
disclosed. Our goal is to provide an opportunity for and to encourage
more informed discussions between patients and providers about how
protected health information will be used and disclosed within the
health care system.
We considered and rejected other approaches to consent, including
those that involved individuals providing a global consent to uses and
disclosures when they sign up for insurance. While such approaches do
require the patient to provide consent, it is not really an informed
one or a voluntary one. It is also unclear how a consent obtained at
the enrollment stage would be meaningfully communicated to the many
providers who create the health information in the first instance. The
ability to negotiate restrictions or otherwise have a meaningful
discussion with the front-line provider would be independent of, and
potentially in conflict with, the consent obtained at the enrollment
stage. In addition, employers today are moving toward simplified
enrollment forms, using check-off boxes and similar devices. The
opportunity for any meaningful consideration or interaction at that
point is slight. For these and other reasons, we decided that, to the
extent a consent can accomplish the goal sought by individuals and
providers, it must be focused on the direct interaction between an
individual and provider.
The comments and fact-finding indicate that our approach will not
significantly change the administrative aspect of consent as it exists
today. Most direct treatment providers today obtain some type of
consent for some uses and disclosures of health information. Our
regulation will ensure that those consents cover the routine uses and
disclosures of health information, and provide an opportunity for
individuals to obtain further information and have further discussion,
should they so desire.
Administrative Costs
Section 1172(b) of the Act provides that ``[a]ny standard adopted
under this part [part C of title XI of the Act] shall be consistent
with the objective of reducing the administrative costs of providing
and paying for health care.'' The privacy and security standards are
the platform on which the remaining standards rest; indeed, the design
of part C of title XI makes clear that the various standards are
intended to function together. Thus, the costs of privacy and security
are properly attributable to the suite of administrative simplification
regulations as a whole, and the cost savings realized should likewise
be calculated on an aggregated basis, as is done below. Because the
privacy standards are an integral and necessary part of the suite of
Administrative Simplification standards, and because that suite of
standards will result in substantial administrative cost savings, the
privacy standards are ``consistent with the objective of reducing the
administrative costs of providing and paying for health care.''
As more fully discussed in the Regulatory Impact and Regulatory
Flexibility analyses below, we recognize that these privacy standards
will entail substantial initial and ongoing administrative costs for
entities subject to the rules. It is also the case that the privacy
standards, like the security standards authorized by section 1173(d) of
the Act, are necessitated by the technological advances in information
exchange that the remaining Administrative Simplification standards
facilitate for the health care industry. The same technological
advances that make possible enormous administrative cost savings for
the industry as a whole have also made it possible to breach the
security and privacy of health information on a scale that was
previously inconceivable. The Congress recognized that adequate
protection of the security and privacy of health information is a sine
qua non of the increased efficiency of information exchange brought
about by the electronic revolution, by enacting the security and
privacy provisions of the law. Thus, as a matter of policy as well as
law, the administrative standards should be viewed as a whole in
determining whether they are ``consistent with'' the objective of
reducing administrative costs.
Consultations
The Congress required the Secretary to consult with specified
groups in developing the standards under sections 262 and 264. Section
264(d) of HIPAA specifically requires the Secretary to consult with the
National Committee on Vital and Health Statistics (NCVHS) and the
Attorney General in carrying out her responsibilities under the
section. Section 1172(b)(3) of the Act, which was enacted by section
262, requires that, in developing a standard under section 1172 for
which no standard setting organization has already developed a
standard, the Secretary must, before adopting the standard, consult
with the National Uniform Billing Committee (NUBC), the National
Uniform Claim Committee (NUCC), the Workgroup for Electronic Data
Interchange (WEDI), and the American Dental Association (ADA). Section
1172(f) also requires the Secretary to rely on the recommendations of
the NCVHS and consult with other appropriate federal and state agencies
and private organizations.
We engaged in the required consultations including the Attorney
General, NUBC, NUCC, WEDI and the ADA. We consulted with the NCVHS in
developing the Recommendations, upon which this proposed rule is based.
We continued to consult with this committee by requesting the committee
to review the proposed rule and provide comments prior to its
publication, and by reviewing transcripts of its public meeting on
privacy and related topics. We consulted with representatives of the
National Congress of American Indians, the National Indian Health
Board, and the self governance tribes. We also met with representatives
of the National Governors' Association, the National Conference of
State Legislatures, the National Association of Public Health
Statistics and Information Systems, and a number of other state
organizations to discuss the framework for the proposed rule, issues of
special interests to the states, and the process for providing comments
on the proposed rule.
Many of these groups submitted comments to the proposed rule, and
those were taken into account in developing the final regulation.
In addition to the required consultations, we met with numerous
individuals, entities, and agencies regarding the regulation, with the
goal of making these standards as compatible as possible with current
business practices, while still enhancing privacy protection. During
the open comment period, we met with dozens of groups.
Relevant federal agencies participated in the interagency working
groups that developed the NPRM and the final regulation, with
additional representatives from all operating divisions and many staff
offices of HHS. The following federal agencies and offices were
represented on the interagency working groups: the Department of
Justice, the Department of Commerce, the Social Security
Administration, the Department of Defense, the Department of Veterans
Affairs, the Department of Labor, the Office of Personnel Management,
and the Office of Management and Budget.
[[Page 82475]]
II. Section-by-Section Description of Rule Provisions
Part 160--Subpart A--General Provisions
Part 160 applies to all the administrative simplification
regulations. We include the entire regulation text in this rule, not
just those provisions relevant to this Privacy regulation. For example,
the term ``trading partner'' is defined here, for use in the Health
Insurance Reform: Standards for Electronic Transactions regulation,
published at 65 FR 50312, August 17, 2000 (the ``Transactions Rule'').
It does not appear in the remainder of this Privacy rule.
Sections 160.101 and 160.104 of Subpart A of part 160 were
promulgated in the Transactions Rule, and we do not change them here.
We do, however, make changes and additions to Sec. 160.103, the
definitions section of Subpart A. The definitions that were promulgated
in the Transactions Rule and that remain unchanged here are: Act, ANSI,
covered entity, compliance date, group health plan, HCFA, HHS, health
care provider, health information, health insurance issuer, health
maintenance organization, modify or modification, Secretary, small
health plan, standard setting organization, and trading partner
agreement. Of these terms, we discuss further in this preamble only
covered entity and health care provider.
Section 160.102--Applicability
The proposed rule stated that the subchapter (Parts 160, 162, and
164) applies to the entities set out at section 1172(a) of the Act:
Health plans, health care clearinghouses, and health care providers who
transmit any health information in electronic form in connection with a
transaction covered by the subchapter. The final rule adds a provision
(Sec. 160.102(b)) clarifying that to the extent required under section
201(a)(5) of HIPAA, nothing in the subchapter is to be construed to
diminish the authority of any Inspector General. This was done in
response to comment, to clarify that the administrative simplification
rules, including the rules below, do not conflict with the cited
provision of HIPAA.
Section 160.103--Definitions
Business Associate
We proposed to define the term ``business partner'' to mean, with
respect to a covered entity, a person to whom the covered entity
discloses protected health information so that the person can carry
out, assist with the performance of, or perform on behalf of, a
function or activity for the covered entity. ``Business partner'' would
have included contractors or other persons who receive protected health
information from the covered entity (or from another business partner
of the covered entity) for the purposes described in the previous
sentence, including lawyers, auditors, consultants, third-party
administrators, health care clearinghouses, data processing firms,
billing firms, and other covered entities. ``Business partner'' would
have excluded persons who are within the covered entity's workforce, as
defined in this section.
This rule reflects the change in the name from ``business partner''
to ``business associate,'' included in the Transactions Rule.
In the final rule, we change the definition of ``business
associate'' to clarify the circumstances in which a person is acting as
a business associate of a covered entity. The changes clarify that the
business association occurs when the right to use or disclose the
protected health information belongs to the covered entity, and another
person is using or disclosing the protected health information (or
creating, obtaining and using the protected health information) to
perform a function or activity on behalf of the covered entity. We also
clarify that providing specified services to a covered entity creates a
business associate relationship if the provision of the service
involves the disclosure of protected health information to the service
provider. In the proposed rule, we had included a list of persons that
were considered to be business partners of the covered entity. However,
it is not always clear whether the provision of certain services to a
covered entity is ``for'' the covered entity or whether the service
provider is acting ``on behalf of'' the covered entity. For example, a
person providing management consulting services may need protected
health information to perform those services, but may not be acting
``on behalf of'' the covered entity. This we believe led to some
general confusion among the commenters as to whether certain
arrangements fell within the definition of a business partner under the
proposed rule. The construction of the final rule clarifies that the
provision of the specified services gives rise to a business associate
relationship if the performance of the service involves disclosure of
protected health information by the covered entity to the business
associate. The specified services are legal, actuarial, accounting,
consulting, management, administrative accreditation, data aggregation,
and financial services. The list is intended to include the types of
services commonly provided to covered entities where the disclosure of
protected health information is routine to the performance of the
service, but when the person providing the service may not always be
acting ``on behalf of'' the covered entity.
In the final rule, we reorganize the list of examples of the
functions or activities that may be conducted by business associates.
We place a part of the proposed list in the portion of the definition
that addresses when a person is providing functions or activities for
or on behalf of a covered entity. We place other parts of the list in
the portion of the definition that specifies the services that give
rise to a business associate relationship, as discussed above. We also
have expanded the examples to provide additional guidance and in
response to questions from commenters.
We have added data aggregation to the list of services that give
rise to a business associate relationship. Data aggregation, as
discussed below, is where a business associate in its capacity as the
business associate of one covered entity combines the protected health
information of such covered entity with protected health information
received by the business associate in its capacity as a business
associate of another covered entity in order to permit the creation of
data for analyses that relate to the health care operations of the
respective covered entities. Adding this service to the business
associate definition clarifies the ability of covered entities to
contract with business associates to undertake quality assurance and
comparative analyses that involve the protected health information of
more than one contracting covered entity. For example, a state hospital
association could act as a business associate of its member hospitals
and could combine data provided to it to assist the hospitals in
evaluating their relative performance in areas such as quality,
efficiency and other patient care issues. As discussed below, however,
the business associate contracts of each of the hospitals would have to
permit the activity, and the protected health information of one
hospital could not be disclosed to another hospital unless the
disclosure is otherwise permitted by the rule.
The definition also states that a business associate may be a
covered entity, and that business associate excludes a person who is
part of the covered entity's workforce.
We also clarify in the final rule that a business association
arises with
[[Page 82476]]
respect to a covered entity when a person performs functions or
activities on behalf of, or provides the specified services to or for,
an organized health care health care arrangement in which the covered
entity participates. This change recognizes that where covered entities
participate in certain joint arrangements for the financing or delivery
of health care, they often contract with persons to perform functions
or to provide services for the joint arrangement. This change is
consistent with changes made in the final rule to the definition of
health care operations, which permits covered entities to use or
disclose protected health information not only for their own health
care operations, but also for the operations of an organized health
care arrangement in which the covered entity participates. By making
these changes, we avoid the confusion that could arise in trying to
determine whether a function or activity is being provided on behalf of
(or if a specified service is being provided to or for) a covered
entity or on behalf of or for a joint enterprise involving the covered
entity. The change clarifies that in either instance the person
performing the function or activity (or providing the specified
service) is a business associate.
We also add language to the final rule that clarifies that the mere
fact that two covered entities participate in an organized health care
arrangement does not make either of the covered entities a business
associate of the other covered entity. The fact that the entities
participate in joint health care operations or other joint activities,
or pursue common goals through a joint activity, does not mean that one
party is performing a function or activity on behalf of the other party
(or is providing a specified services to or for the other party).
In general under this provision, actions relating to the protected
health information of an individual undertaken by a business associate
are considered, for the purposes of this rule, to be actions of the
covered entity, although the covered entity is subject to sanctions
under this rule only if it has knowledge of the wrongful activity and
fails to take the required actions to address the wrongdoing. For
example, if a business associate maintains the medical records or
manages the claims system of a covered entity, the covered entity is
considered to have protected health information and the covered entity
must ensure that individuals who are the subject of the information can
have access to it pursuant to Sec. 164.524.
The business associate relationship does not describe all
relationships between covered entities and other persons or
organizations. While we permit uses or disclosures of protected health
information for a variety of purposes, business associate contracts or
other arrangements are only required for those cases in which the
covered entity is disclosing information to someone or some
organization that will use the information on behalf of the covered
entity, when the other person will be creating or obtaining protected
health information on behalf of the covered entity, or when the
business associate is providing the specified services to the covered
entity and the provision of those services involves the disclosure of
protected health information by the covered entity to the business
associate. For example, when a health care provider discloses protected
health information to health plans for payment purposes, no business
associate relationship is established. While the covered provider may
have an agreement to accept discounted fees as reimbursement for
services provided to health plan members, neither entity is acting on
behalf of or providing a service to the other.
Similarly, where a physician or other provider has staff privileges
at an institution, neither party to the relationship is a business
associate based solely on the staff privileges because neither party is
providing functions or activities on behalf of the other. However, if a
party provides services to or for the other, such as where a hospital
provides billing services for physicians with staff privileges, a
business associate relationship may arise with respect to those
services. Likewise, where a group health plan purchases insurance or
coverage from a health insurance issuer or HMO, the provision of
insurance by the health insurance issuer or HMO to the group health
plan does not make the issuer a business associate. In such case, the
activities of the health insurance issuer or HMO are on their own
behalf and not on the behalf of the group health plan. We note that
where a group health plan contracts with a health insurance issuer or
HMO to perform functions or activities or to provide services that are
in addition to or not directly related to the provision of insurance,
the health insurance issuer or HMO may be a business associate with
respect to those additional functions, activities or services. We also
note that covered entities are permitted to disclose protected health
information to oversight agencies that act to provide oversight of
federal programs and the health care system. These oversight agencies
are not performing services for or on behalf of the covered entities
and so are not business associates of the covered entities. Therefore
HCFA, the federal agency that administers Medicare, is not required to
enter into a business associate contract in order to disclose protected
health information to the Department's Office of Inspector General.
We do not require a covered entity to enter into a business
associate contract with a person or organization that acts merely as a
conduit for protected health information (e.g., the US Postal Service,
certain private couriers and their electronic equivalents). A conduit
transports information but does not access it other than on a random or
infrequent basis as may be necessary for the performance of the
transportation service, or as required by law. Since no disclosure is
intended by the covered entity and the probability of exposure of any
particular protected health information to a conduit is very small, we
do not consider a conduit to be a business associate of the covered
entity.
We do not consider a financial institution to be acting on behalf
of a covered entity, and therefore no business associate contract is
required, when it processes consumer-conducted financial transactions
by debit, credit or other payment card, clears checks, initiates or
processes electronic funds transfers, or conducts any other activity
that directly facilitates or effects the transfer of funds for
compensation for health care. A typical consumer-conducted payment
transaction is when a consumer pays for health care or health insurance
premiums using a check or credit card. In these cases the identity of
the consumer is always included and some health information (e.g.,
diagnosis or procedure) may be implied through the name of the health
care provider or health plan being paid. Covered entities that initiate
such payment activities must meet the minimum necessary disclosure
requirements described in the preamble to Sec. 164.514.
Covered Entity
We provided this definition in the NPRM for convenience of
reference and proposed it to mean the entities to which part C of title
XI of the Act applies. These are the entities described in section
1172(a)(1): Health plans, health care clearinghouses, and health care
providers who transmit any health information in electronic form in
connection with a transaction referred
[[Page 82477]]
to in section 1173(a)(1) of the Act (a ``standard transaction'').
We note that health care providers who do not submit HIPAA
transactions in standard form become covered by this rule when other
entities, such as a billing service or a hospital, transmit standard
electronic transactions on their behalf. A provider could not
circumvent these requirements by assigning the task to its business
associate since the business associate would be considered to be acting
on behalf of the provider. See the definition of ``business
associate.''
Where a public agency is required or authorized by law to
administer a health plan jointly with another entity, we consider each
agency to be a covered entity with respect to the health plan functions
it performs. Unlike private sector health plans, public plans are often
required by or expressly authorized by law to jointly administer health
programs that meet the definition of ``health plan'' under this
regulation. In some instances the public entity is required or
authorized to administer the program with another public agency. In
other instances, the public entity is required or authorized to
administer the program with a private entity. In either circumstance,
we note that joint administration does not meet the definition of
``business associate'' in Sec. 164.501. Examples of joint
administration include state and federal administration of the Medicaid
and SCHIP program, or joint administration of a Medicare+Choice plan by
the Health Care Financing Administration and the issuer offering the
plan.
Health Care
We proposed to define ``health care'' to mean the provision of
care, services, or supplies to a patient and to include any: (1)
Preventive, diagnostic, therapeutic, rehabilitative, maintenance, or
palliative care, counseling, service, or procedure with respect to the
physical or mental condition, or functional status, of a patient or
affecting the structure or function of the body; (2) sale or dispensing
of a drug, device, equipment, or other item pursuant to a prescription;
or (3) procurement or banking of blood, sperm, organs, or any other
tissue for administration to patients.
The final rule revises both the NPRM definition and the definition
as provided in the Transactions Rule, to now mean ``care, services, or
supplies related to the health of an individual. Health care includes
the following:
(1) Preventive, diagnostic, therapeutic, rehabilitative,
maintenance, or palliative care, and counseling, service, assessment,
or procedure with respect to the physical or mental condition, or
functional status, of an individual or that affects the structure or
function of the body; and
(2) Sale or dispensing of a drug, device, equipment, or other item
in accordance with a prescription.
We delete the term ``providing'' from the definition to delineate
more clearly the relationship between ``treatment,'' as the term is
defined in Sec. 164.501, and ``health care.'' Other key revisions
include adding the term ``assessment'' in subparagraph (1) and deleting
proposed subparagraph (3) from the rule. Therefore the procurement or
banking of organs, blood (including autologous blood), sperm, eyes or
any other tissue or human product is not considered to be health care
under this rule and the organizations that perform such activities
would not be considered health care providers when conducting these
functions. As described in Sec. 164.512(h), covered entities are
permitted to disclose protected health information without individual
authorization, consent, or agreement (see below for explanation of
authorizations, consents, and agreements) as necessary to facilitate
cadaveric donation.
Health Care Clearinghouse
In the NPRM, we defined ``health care clearinghouse'' as a public
or private entity that processes or facilitates the processing of
nonstandard data elements of health information into standard data
elements. The entity receives health care transactions from health care
providers or other entities, translates the data from a given format
into one acceptable to the intended payor or payors, and forwards the
processed transaction to appropriate payors and clearinghouses. Billing
services, repricing companies, community health management information
systems, community health information systems, and ``value-added''
networks and switches would have been considered to be health care
clearinghouses for purposes of this part, if they perform the functions
of health care clearinghouses as described in the preceding sentences.
In the final regulation, we modify the definition of health care
clearinghouse to reflect changes in the definition published in the
Transactions Rule. The definition in the final rule is:
Health care clearinghouse means a public or private entity,
including billing services, repricing companies, community health
management information systems or community health information systems,
and ``value-added'' networks and switches, that does either of the
following functions:
(1) Processes or facilitates the processing of health information
received from another entity in a nonstandard format or containing
nonstandard data content into standard data elements or a standard
transaction.
(2) Receives a standard transaction from another entity and
processes or facilitates the processing of health information into
nonstandard format or nonstandard data content for the receiving
entity.
We note here that the term health care clearinghouse may have other
meanings and connotations in other contexts, but the regulation defines
it specifically, and an entity is considered a health care
clearinghouse only to the extent that it meets the criteria in this
definition. Telecommunications entities that provide connectivity or
mechanisms to convey information, such as telephone companies and
Internet Service Providers, are not health care clearinghouses as
defined in the rule unless they actually carry out the functions
outlined in our definition. Value added networks and switches are not
health care clearinghouses unless they carry out the functions outlined
in the definition. The examples of entities in our proposed definition
we continue to consider to be health care clearinghouses, as well as
any other entities that meet that definition, to the extent that they
perform the functions in the definition.
In order to fall within this definition of clearinghouse, the
covered entity must perform the clearinghouse function on health
information received from some other entity. A department or component
of a health plan or health care provider that transforms nonstandard
information into standard data elements or standard transactions (or
vice versa) is not a clearinghouse for purposes of this rule, unless it
also performs these functions for another entity. As described in more
detail in Sec. 164.504(d), we allow affiliates to perform clearinghouse
functions for each other without triggering the definition of
``clearinghouse'' if the conditions in Sec. 164.504(d) are met.
Health Care Provider
We proposed to define health care provider to mean a provider of
services as defined in section 1861(u) of the Act, a provider of
medical or health services as defined in section 1861(s) of the Act,
and any other person or organization who furnishes, bills, or is paid
for health care services or supplies in the normal course of business.
[[Page 82478]]
In the final rule, we delete the term ``services and supplies,'' in
order to eliminate redundancy within the definition. The definition
also reflects the addition of the applicable U.S.C. citations (42
U.S.C. 1395x(u) and 42 U.S.C. 1395x(s), respectively) for the
referenced provisions of the Act that were promulgated in the
Transactions Rule.
To assist the reader, we also provide here excerpts from the
relevant sections of the Act. (Refer to the U.S.C. sections cited above
for complete definitions in sections 1861(u) and 1861(s).) Section
1861(u) of the Act defines a ``provider of services,'' to include, for
example,
a hospital, critical access hospital, skilled nursing facility,
comprehensive outpatient rehabilitation facility, home health
agency, hospice program, or, for purposes of section 1814(g) (42
U.S.C. 1395f(g)) and section 1835(e) (42 U.S.C. 1395n(e)), a fund.''
Section 1861(s) of the Act defines the term, ``medical and other
health services,'' and includes a list of covered items or services,
as illustrated by the following excerpt:
(s) Medical and other health services. The term ``medical and
other health services'' means any of the following items or
services:
(1) Physicians' services;
(2) (A) services and supplies * * * furnished as an incident to
a physician's professional service, or kinds which are commonly
furnished in physicians' offices and are commonly either rendered
without charge or included in the physicians' bills;
(B) hospital services * * * incident to physicians' services
rendered to outpatients and partial hospitalization services
incident to such services;
(C) diagnostic services which are--
(i) furnished to an individual as an outpatient by a hospital or
by others under arrangements with them made by a hospital, and
(ii) ordinarily furnished by such hospital (or by others under
such arrangements) to its outpatients for the purpose of diagnostic
study;
(D) outpatient physical therapy services and outpatient
occupational therapy services;
(E) rural health clinic services and federally qualified health
center services;
(F) home dialysis supplies and equipment, self-care home
dialysis support services, and institutional dialysis services and
supplies;
(G) antigens * * * prepared by a physician * * * for a
particular patient, including antigens so prepared which are
forwarded to another qualified person * * * for administration to
such patient, * * * by or under the supervision of another such
physician;
(H)(i) services furnished pursuant to a contract under section
1876 (42 U.S.C. 1395mm) to a member of an eligible organization by a
physician assistant or by a nurse practitioner * * * and such
services and supplies furnished as an incident to his service to
such a member * * * and
(ii) services furnished pursuant to a risk-sharing contract
under section 1876(g) (42 U.S.C. 1395mm(g)) to a member of an
eligible organization by a clinical psychologist * * * or by a
clinical social worker * * * (and) furnished as an incident to such
clinical psychologist's services or clinical social worker's
services * * *;
(I) blood clotting factors, for hemophilia patients * * *;
(J) prescription drugs used in immunosuppressive therapy
furnished, to an individual who receives an organ transplant for
which payment is made under this title (42 U.S.C. 1395 et seq.), but
only in the case of (certain) drugs furnished * * *
(K)(i) services which would be physicians' services if furnished
by a physician * * * and which are performed by a physician
assistant * * *; and
(ii) services which would be physicians' services if furnished
by a physician * * * and which are performed by a nurse * * *;
(L) certified nurse-midwife services;
(M) qualified psychologist services;
(N) clinical social worker services * * *;
(O) erythropoietin for dialysis patients * * *;
(P) prostate cancer screening tests * * *;
(Q) an oral drug (which is approved by the Federal Food and Drug
Administration) prescribed for use as an anti-cancer
chemotherapeutic agent for a given indication, and containing an
active ingredient (or ingredients) * * *;
(R) colorectal cancer screening tests * * *;
(S) diabetes outpatient self-management training services * * *;
and
(T) an oral drug (which is approved by the federal Food and Drug
Administration) prescribed for use as an acute anti-emetic used as
part of an anti-cancer chemotherapeutic regimen * * *
(3) diagnostic X-ray tests * * * furnished in a place of
residence used as the patient's home * * * ;
(4) X-ray, radium, and radioactive isotope therapy, including
materials and services of technicians;
(5) surgical dressings, and splints, casts, and other devices
used for reduction of fractures and dislocations;
(6) durable medical equipment;
(7) ambulance service where the use of other methods of
transportation is contraindicated by the individual's condition * *
* ;
(8) prosthetic devices (other than dental) which replace all or
part of an internal body organ (including colostomy bags and
supplies directly related to colostomy care), * * * and including
one pair of conventional eyeglasses or contact lenses furnished
subsequent to each cataract surgery * * * [;]
(9) leg, arm, back, and neck braces, and artificial legs, arms,
and eyes, including replacements if required * * * ;
(10) (A) pneumococcal vaccine and its administration * * *; and
(B) hepatitis B vaccine and its administration * * *, and
(11) services of a certified registered nurse anesthetist * * *;
(12) * * * extra-depth shoes with inserts or custom molded shoes
with inserts for an individual with diabetes, if * * *;
(13) screening mammography * * *;
(14) screening pap smear and screening pelvic exam; and
(15) bone mass measurement * * *. (etc.)
Health Plan
We proposed to define ``health plan'' essentially as section
1171(5) of the Act defines it. Section 1171 of the Act refers to
several definitions in section 2791 of the Public Health Service Act,
42 U.S.C. 300gg-91, as added by Public Law 104-191.
As defined in section 1171(5), a ``health plan'' is an individual
plan or group health plan that provides, or pays the cost of, medical
care. We proposed that this definition include, but not be limited to
the 15 types of plans (e.g., group health plan, health insurance
issuer, health maintenance organization) listed in the statute, as well
as any combination of them. Such term would have included, when applied
to public benefit programs, the component of the government agency that
administers the program. Church plans and government plans would have
been included to the extent that they fall into one or more of the
listed categories.
In the proposed rule, ``health plan'' included the following,
singly or in combination:
(1) A group health plan, defined as an employee welfare benefit
plan (as currently defined in section 3(1) of the Employee Retirement
Income and Security Act of 1974, 29 U.S.C. 1002(1)), including insured
and self-insured plans, to the extent that the plan provides medical
care (as defined in section 2791(a)(2) of the Public Health Service
Act, 42 U.S.C. 300gg-91(a)(2)), including items and services paid for
as medical care, to employees or their dependents directly or through
insurance or otherwise, that:
(i) Has 50 or more participants; or
(ii) Is administered by an entity other than the employer that
established and maintains the plan.
(2) A health insurance issuer, defined as an insurance company,
insurance service, or insurance organization that is licensed to engage
in the business of insurance in a state and is subject to state or
other law that regulates insurance.
(3) A health maintenance organization, defined as a federally
qualified health maintenance organization, an organization recognized
as a health maintenance organization under state law, or a similar
organization regulated for solvency under state law in the same manner
and to the same extent as such a health maintenance organization.
(4) Part A or Part B of the Medicare program under title XVIII of
the Act.
(5) The Medicaid program under title XIX of the Act.
[[Page 82479]]
(6) A Medicare supplemental policy (as defined in section
1882(g)(1) of the Act, 42 U.S.C. 1395ss).
(7) A long-term care policy, including a nursing home fixed-
indemnity policy.
(8) An employee welfare benefit plan or any other arrangement that
is established or maintained for the purpose of offering or providing
health benefits to the employees of two or more employers.
(9) The health care program for active military personnel under
title 10 of the United States Code.
(10) The veterans health care program under 38 U.S.C. chapter 17.
(11) The Civilian Health and Medical Program of the Uniformed
Services (CHAMPUS), as defined in 10 U.S.C. 1072(4).
(12) The Indian Health Service program under the Indian Health Care
Improvement Act (25 U.S.C. 1601, et seq.).
(13) The Federal Employees Health Benefits Program under 5 U.S.C.
chapter 89.
(14) An approved state child health plan for child health
assistance that meets the requirements of section 2103 of the Act.
(15) A Medicare Plus Choice organization as defined in 42 CFR
422.2, with a contract under 42 CFR part 422, subpart K.
In addition to the 15 specific categories, we proposed that the
list include any other individual plan or group health plan, or
combination thereof, that provides or pays for the cost of medical
care. The Secretary would determine which plans that meet these
criteria would to be considered health plans for the purposes of this
rule.
Consistent with the other titles of HIPAA, our proposed definition
did not include certain types of insurance entities, such as workers'
compensation and automobile insurance carriers, other property and
casualty insurers, and certain forms of limited benefits coverage, even
when such arrangements provide coverage for health care services.
In the final rule, we add two provisions to clarify the types of
policies or programs that we do not consider to be a health plan.
First, the rule excepts any policy, plan or program to the extent that
it provides, or pays for the cost of, excepted benefits, as defined in
section 2791(c)(1) of the PHS Act, 42 U.S.C. 300gg-91(c)(1). We note
that, while coverage for on-site medical clinics is excluded from
definition of ``health plans,'' such clinics may meet the definition of
``health care provider'' and persons who work in the clinic may also
meet the definition of health care provider.'' Second, many commenters
were confused by the statutory inclusion as a health plan of any
``other individual or group plan that provides or pays the cost of
medical care;'' they questioned how the provision applied to many
government programs. We therefore clarify that while many government
programs (other than the programs specified in the statute) provide or
pay the cost of medical care, we do not consider them to be individual
or group plans and therefore, do not consider them to be health plans.
Government funded programs that do not have as their principal purpose
the provision of, or payment for, the cost of health care but which do
incidentally provide such services are not health plans (for example,
programs such as the Special Supplemental Nutrition Program for Women,
Infants and Children (WIC) and the Food Stamp Program, which provide or
pay for nutritional services, are not considered to be health plans).
Government funded programs that have as their principal purpose the
provision of health care, either directly or by grant, are also not
considered to be health plans. Examples include the Ryan White
Comprehensive AIDS Resources Emergency Act, government funded health
centers and immunization programs. We note that some of these may meet
the rule's definition of health care provider.
We note that in certain instances eligibility for or enrollment in
a health plan that is a government program providing public benefits,
such as Medicaid or SCHIP, is determined by an agency other than the
agency that administers the program, or individually identifiable
health information used to determine enrollment or eligibility in such
a health plan is collected by an agency other than the agency that
administers the health plan. In these cases, we do not consider an
agency that is not otherwise a covered entity, such as a local welfare
agency, to be a covered entity because it determines eligibility or
enrollment or collects enrollment information as authorized by law. We
also do not consider the agency to be a business associate when
conducting these functions, as we describe further in the business
associate discussion above.
The definition in the final rule also reflects the following
changes promulgated in the Transactions Rule:
(1) Exclusion of nursing home fixed-indemnity policies;
(2) Addition of the word ``issuer'' to Medicare supplemental
policy, and long-term care policy;
(3) Addition or revision of the relevant statutory cites where
appropriate;
(4) Deletion of the term ``or assisted'' when referring to
government programs;
(5) Replacement of the word ``organization'' with ``program'' when
referring to Medicare + Choice;
(6) Deletion of the term ``health'' when referring to a group plan
in subparagraph (xvi);
(7) Extraction of the definitions of ``group health plan,''
``health insurance issuer,'' and ``health maintenance organization''
into Part 160 as distinct definitions;
(8) In the definition of ``group health plan,'' deletion of the
term ``currently'' from the reference to the statutory cite of ERISA,
addition of the relevant statutory cite for the term ``participant,''
and addition of the term ``reimbursement;''
(9) In the definition of ``health insurance issuer,'' addition of
the relevant statutory cite, deletion of the term ``or other law''
after ``state law,'' addition of health maintenance organizations for
consistency with the statute, and clarification that the term does not
include a group health plan; and
(10) In the definition of ``health maintenance organization,''
addition of the relevant statutory cite.
Finally, we add to this definition a high risk pool that is a
mechanism established under state law to provide health insurance
coverage or comparable coverage to eligible individuals. High risk
pools are designed mainly to provide health insurance coverage for
individuals who, due to health status or pre-existing conditions,
cannot obtain insurance through the individual market or who can do so
only at very high premiums. Some states use their high risk pool as an
alternative mechanism under section 2744 of HIPAA. We do not reference
the definition of ``qualified high risk pool'' in HIPAA because that
definition includes the requirements for a state to use its risk pool
as its alternative mechanism under HIPAA. Some states may have high
risk pools, but do not use them as their alternative mechanism and
therefore may not meet the definition in HIPAA. We want to make clear
that state high risk pools are covered entities under this rule whether
or not they meet the definition of a qualified high risk pool under
section 2744. High risk pools, as described in this rule, do not
include any program established under state law solely to provide
excepted benefits. For example, a state program established to provide
workers' compensation coverage is not
[[Page 82480]]
considered to be a high risk pool under the rule.
Implementation Specification
This definition was adopted in the Transactions Rule and is
minimally revised here. We add the words ``requirements or'' before the
word ``instructions.'' The word ``instructions'' is appropriate in the
context of the implementation specifications adopted in the
Transactions Rule, which are generally a series of instructions as to
how to use particular electronic forms. However, that word is not
apropos in the context of the rules below. In the rules below, the
implementation specifications are specific requirements for how to
comply with a given standard. The change to this definition thus ties
in to this regulatory framework.
Standard
This definition was adopted in the Transactions Rule and we have
modified it to make it clearer. We also add language reflecting section
264 of the statute, to clarify that the standards adopted by this rule
meet this definition.
State
We modify the definition of state as adopted in the Transactions
Rule to clarify that this term refers to any of the several states.
Transaction
We change the term ``exchange'' to the term ``transmission'' in the
definition of Transaction to clarify that these transactions may be
one-way communications.
Workforce
We proposed in the NPRM to define workforce to mean employees,
volunteers, trainees, and other persons under the direct control of a
covered entity, including persons providing labor on an unpaid basis.
The definition in the final rule reflects one revision established
in the Transactions Rule, which replaces the term ``including persons
providing labor on an unpaid basis'' with the term ``whether or not
they are paid by the covered entity.'' In addition, we clarify that if
the assigned work station of persons under contract is on the covered
entity's premises and such persons perform a substantial proportion of
their activities at that location, the covered entity may choose to
treat them either as business associates or as part of the workforce,
as explained in the discussion of the definition of business associate.
If there is no business associate contract, we assume the person is a
member of the covered entity's workforce. We note that independent
contractors may or may not be workforce members. However, for
compliance purposes we will assume that such personnel are members of
the workforce if no business associate contract exists.
Part 160--Subpart B--Preemption of State Laws
Statutory Background
Section 1178 of the Act establishes a ``general rule'' that state
law provisions that are contrary to the provisions or requirements of
part C of title XI or the standards or implementation specifications
adopted or established thereunder are preempted by the federal
requirements. The statute provides three exceptions to this general
rule: (1) In section 1178(a)(2)(A)(i), for state laws that the
Secretary determines are necessary to prevent fraud and abuse, ensure
appropriate state regulation of insurance and health plans, for state
reporting on health care delivery, and other purposes; (2) in section
1178(a)(2)(A)(ii), for state laws that address controlled substances;
and (3) in section 1178(a)(2)(B), for state laws relating to the
privacy of individually identifiable health information that as
provided for by the related provision of section 264(c)(2) of HIPAA,
are contrary to and more stringent than the federal requirements.
Section 1178 also carves out, in sections 1178(b) and 1178(c), certain
areas of state authority that are not limited or invalidated by the
provisions of part C of title XI: these areas relate to public health
and state regulation of health plans.
The NPRM proposed a new Subpart B of the proposed part 160. The new
Subpart B, which would apply to all standards, implementation
specifications, and requirements adopted under HIPAA, would consist of
four sections. Proposed Sec. 160.201 provided that the provisions of
Subpart B applied to exception determinations and advisory opinions
issued by the Secretary under section 1178. Proposed Sec. 160.202 set
out proposed definitions for four terms: (1) ``Contrary,'' (2) ``more
stringent,'' (3) ``relates to the privacy of individually identifiable
health information,'' and (4) ``state law.'' The definition of
``contrary'' was drawn from case law concerning preemption. A seven-
part set of specific criteria, drawn from fair information principles,
was proposed for the definition of ``more stringent.'' The definition
of ``relates to the privacy of individually identifiable health
information'' was also based on case law. The definition of ``state
law'' was drawn from the statutory definition of this term elsewhere in
HIPAA. We note that state action having the force and effect of law may
include common law. We eliminate the term ``decision'' from the
proposed rule because it is redundant.
Proposed Sec. 160.203 proposed a general rule reflecting the
statutory general rule and exceptions that generally mirrored the
statutory language of the exceptions. The one substantive addition to
the statutory exception language was with respect to the statutory
exception, ``for other purposes.'' The following language was added:
``for other purposes related to improving the Medicare program, the
Medicaid program, or the efficiency and effectiveness of the health
care system.''
Proposed Sec. 160.204 proposed two processes, one for the making of
exception determinations, relating to determinations under section
1178(a)(2)(A) of the Act, the other for the rendering of advisory
opinions, with respect to section 1178(a)(2)(B) of the Act. The
processes proposed were similar in the following respects: (1) Only the
state could request an exception determination or advisory opinion, as
applicable; (2) both required the request to contain the same
information, except that a request for an exception determination also
had to set out the length of time the requested exception would be in
effect, if less than three years; (3) both sets of requirements
provided that requests had to be submitted to the Secretary as required
by the Secretary, and until the Secretary's determination was made, the
federal standard, requirement or implementation specification remained
in effect; (4) both sets of requirements provided that the Secretary's
decision would be effective intrastate only; (5) both sets of
requirements provided that any change to either the federal or state
basis for the Secretary's decision would require a new request, and the
federal standard, implementation specification, or requirement would
remain in effect until the Secretary acted favorably on the new
request; (6) both sets of requirements provided that the Secretary
could seek changes to the federal rules or urge states or other
organizations to seek changes; and (7) both sets of requirements
provided for annual publication of Secretarial decisions. In addition,
the process for exception determinations provided for a maximum
effective period of three years for such determinations.
The following changes have been made to subpart B in the final
rules. First, Sec. 160.201 now expressly
[[Page 82481]]
implements section 1178. Second, the definition of ``more stringent''
has been changed by eliminating the criterion relating to penalties and
by framing the criterion under paragraph (1) more generally. Also, we
have clarified that the term ``individual'' means the person who is the
subject of the individually identifiable health information, since the
term ``individual'' is defined this way only in subpart E of part 164,
not in part 160. Third, the definition of ``state law'' has been
changed by substituting the words ``statute, constitutional provision''
for the word ``law,'' the words ``common law'' for the word
``decision,'' and adding the words ``force and'' before the word
``effect'' in the proposed definition. Fourth, in Sec. 160.203, several
criteria relating to the statutory grounds for exception determinations
have been further spelled out: (1) The words `` related to the
provision of or payment for health care'' have been added to the
exception for fraud and abuse; (2) the words ``to the extent expressly
authorized by statute or regulation'' have been added to the exception
for state regulation of health plans; (3) the words ``of serving a
compelling need related to public health, safety, or welfare, and,
where a standard, requirement, or implementation specification under
part 164 of this subchapter is at issue, where the Secretary determines
that the intrusion into privacy is warranted when balanced against the
need to be served'' have been added to the general exception ``for
other purposes''; and (4) the statutory provision regarding controlled
substances has been elaborated on as follows: ``Has as its principal
purpose the regulation of the manufacture, registration, distribution,
dispensing, or other control of any controlled substance, as defined at
21 U.S.C. 802, or which is deemed a controlled substance by state
law.''
The most extensive changes have been made to proposed Sec. 160.204.
The provision for advisory opinions has been eliminated. Section
160.204 now sets out only a process for requesting exception
determinations. In most respects, this process is the same as proposed.
However, the proposed restriction of the effect of exception
determinations to wholly intrastate transactions has been eliminated.
Section 160.204(a) has been modified to allow any person, not just a
state, to submit a request for an exception determination, and
clarifies that requests from states may be made by the state's chief
elected official or his or her designee. Proposed Sec. 160.204(a)(3)
stated that if it is determined that the federal standard, requirement,
or implementation specification in question meets the exception
criteria as well as or better than the state law for which the
exception is requested, the request will be denied; this language has
been deleted. Thus, the criterion for granting or denying an exception
request is whether the applicable exception criterion or criteria are
met.
A new Sec. 160.205 is also adopted, replacing part of what was
proposed at proposed Sec. 160.204. The new Sec. 160.205 sets out the
rules relating to the effectiveness of exception determinations.
Exception determinations are effective until either the underlying
federal or state laws change or the exception is revoked, by the
Secretary, based on a determination that the grounds supporting the
exception no longer exist. The proposed maximum of three years has been
eliminated.
Relationship to Other Federal Laws
Covered entities subject to these rules are also subject to other
federal statutes and regulations. For example, federal programs must
comply with the statutes and regulations that govern them. Pursuant to
their contracts, Medicare providers must comply with the requirements
of the Privacy Act of 1974. Substance abuse treatment facilities are
subject to the Substance Abuse Confidentiality provisions of the Public
Health Service Act, section 543 and its regulations. And, health care
providers in schools, colleges, and universities may come within the
purview of the Family Educational Rights and Privacy Act. Thus, covered
entities will need to determine how the privacy regulation will affect
their ability to comply with these other federal laws.
Many commenters raised questions about how different federal
statutes and regulations intersect with the privacy regulation. While
we address specific concerns in the response to comments later in the
preamble, in this section, we explore some of the general interaction
issues. These summaries do not identify all possible conflicts or
overlaps of the privacy regulation and other federal laws, but should
provide general guidance for complying with both the privacy regulation
and other federal laws. The summaries also provide examples of how
covered entities can analyze other federal laws when specific questions
arise. HHS may consult with other agencies concerning the
interpretation of other federal laws as necessary.
Implied Repeal Analysis
When faced with the need to determine how different federal laws
interact with one another, we turn to the judiciary's approach. Courts
apply the implied repeal analysis to resolve tensions that appear to
exist between two or more statutes. While the implication of a
regulation-on-regulation conflict is unclear, courts agree that
administrative rules and regulations that do not conflict with express
statutory provisions have the force and effect of law. Thus, we believe
courts would apply the standard rules of interpretation that apply to
statutes to address questions of interpretation with regard to
regulatory conflicts.
When faced with two potentially conflicting statutes, courts
attempt to construe them so that both are given effect. If this
construction is not possible, courts will look for express language in
the later statute, or an intent in its legislative history, indicating
that Congress intended the later statute to repeal the earlier one. If
there is no expressed intent to repeal the earlier statute, courts will
characterize the statutes as either general or specific. Ordinarily,
later, general statutes will not repeal the special provisions of an
earlier, specific statute. In some cases, when a later, general statute
creates an irreconcilable conflict or is manifestly inconsistent with
the earlier, specific statute in a manner that indicates a clear and
manifest Congressional intent to repeal the earlier statute, courts
will find that the later statute repeals the earlier statute by
implication. In these cases, the latest legislative action may prevail
and repeal the prior law, but only to the extent of the conflict.
There should be few instances in which conflicts exist between a
statute or regulation and the rules below. For example, if a statute
permits a covered entity to disclose protected health information and
the rules below permit such a disclosure, no conflict arises; the
covered entity could comply with both and choose whether or not to
disclose the information. In instances in which a potential conflict
appears, we would attempt to resolve it so that both laws applied. For
example, if a statute or regulation permits dissemination of protected
health information, but the rules below prohibit the use or disclosure
without an authorization, we believe a covered entity would be able to
comply with both because it could obtain an authorization under
Sec. 164.508 before disseminating the information under the other law.
Many apparent conflicts will not be true conflicts. For example, if
a conflict
[[Page 82482]]
appears to exist because a previous statute or regulation requires a
specific use or disclosure of protected health information that the
rules below appear to prohibit, the use or disclosure pursuant to that
statute or regulation would not be a violation of the privacy
regulation because Sec. 164.512(a) permits covered entities to use or
disclose protected health information as required by law.
If a statute or regulation prohibits dissemination of protected
health information, but the privacy regulation requires that an
individual have access to that information, the earlier, more specific
statute would apply. The interaction between the Clinical Laboratory
Improvement Amendments regulation is an example of this type of
conflict. From our review of several federal laws, it appears that
Congress did not intend for the privacy regulation to overrule existing
statutory requirements in these instances.
Examples of Interaction
We have summarized how certain federal laws interact with the
privacy regulation to provide specific guidance in areas deserving
special attention and to serve as examples of the analysis involved. In
the Response to Comment section, we have provided our responses to
specific questions raised during the comment period.
The Privacy Act
The Privacy Act of 1974, 5 U.S.C. 552a, prohibits disclosures of
records contained in a system of records maintained by a federal agency
(or its contractors) without the written request or consent of the
individual to whom the record pertains. This general rule is subject to
various statutory exceptions. In addition to the disclosures explicitly
permitted in the statute, the Privacy Act permits agencies to disclose
information for other purposes compatible with the purpose for which
the information was collected by identifying the disclosure as a
``routine use'' and publishing notice of it in the Federal Register.
The Act applies to all federal agencies and certain federal contractors
who operate Privacy Act systems of records on behalf of federal
agencies.
Some federal agencies and contractors of federal agencies that are
covered entities under the privacy rules are subject to the Privacy
Act. These entities must comply with all applicable federal statutes
and regulations. For example, if the privacy regulation permits a
disclosure, but the disclosure is not permitted under the Privacy Act,
the federal agency may not make the disclosure. If, however, the
Privacy Act allows a federal agency the discretion to make a routine
use disclosure, but the privacy regulation prohibits the disclosure,
the federal agency will have to apply its discretion in a way that
complies with the regulation. This means not making the particular
disclosure.
The Freedom of Information Act
FOIA, 5 U.S.C. 552, provides for public disclosure, upon the
request of any person, of many types of information in the possession
of the federal government, subject to nine exemptions and three
exclusions. For example, Exemption 6 permits federal agencies to
withhold ``personnel and medical files and similar files the disclosure
of which would constitute a clearly unwarranted invasion of personal
privacy.'' 5 U.S.C. 552(b)(6).
Uses and disclosures required by FOIA come within Sec. 164.512(a)
of the privacy regulation that permits uses or disclosures required by
law if the uses or disclosures meet the relevant requirements of the
law. Thus, a federal agency must determine whether it may apply an
exemption or exclusion to redact the protected health information when
responding to a FOIA request. When a FOIA request asks for documents
that include protected health information, we believe the agency, when
appropriate, must apply Exemption 6 to preclude the release of medical
files or otherwise redact identifying details before disclosing the
remaining information.
We offer the following analysis for federal agencies and federal
contractors who operate Privacy Act systems of records on behalf of
federal agencies and must comply with FOIA and the privacy regulation.
If presented with a FOIA request that would result in the disclosure of
protected health information, a federal agency must first determine if
FOIA requires the disclosure or if an exemption or exclusion would be
appropriate. We believe that generally a disclosure of protected health
information, when requested under FOIA, would come within FOIA
Exemption 6. We recognize, however, that the application of this
exemption to information about deceased individuals requires a
different analysis than that applicable to living individuals because,
as a general rule, under the Privacy Act, privacy rights are
extinguished at death. However, under FOIA, it is entirely appropriate
to consider the privacy interests of a decedent's survivors under
Exemption 6. See Department of Justice FOIA Guide 2000, Exemption 6:
Privacy Considerations. Covered entities subject to FOIA must evaluate
each disclosure on a case-by-case basis, as they do now under current
FOIA procedures.
Federal Substance Abuse Confidentiality Requirements
The federal confidentiality of substance abuse patient records
statute, section 543 of the Public Health Service Act, 42 U.S.C. 290dd-
2, and its implementing regulation, 42 CFR part 2, establish
confidentiality requirements for patient records that are maintained in
connection with the performance of any federally-assisted specialized
alcohol or drug abuse program. Substance abuse programs are generally
programs or personnel that provide alcohol or drug abuse treatment,
diagnosis, or referral for treatment. The term ``federally-assisted''
is broadly defined and includes federally conducted or funded programs,
federally licensed or certified programs, and programs that are tax
exempt. Certain exceptions apply to information held by the Veterans
Administration and the Armed Forces.
There are a number of health care providers that are subject to
both these rules and the substance abuse statute and regulations. In
most cases, a conflict will not exist between these rules. These
privacy rules permit a health care provider to disclose information in
a number of situations that are not permitted under the substance abuse
regulation. For example, disclosures allowed, without patient
authorization, under the privacy rule for law enforcement, judicial and
administrative proceedings, public health, health oversight, directory
assistance, and as required by other laws would generally be prohibited
under the substance abuse statute and regulation. However, because
these disclosures are permissive and not mandatory, there is no
conflict. An entity would not be in violation of the privacy rules for
failing to make these disclosures.
Similarly, provisions in the substance abuse regulation provide for
permissive disclosures in case of medical emergencies, to the FDA, for
research activities, for audit and evaluation activities, and in
response to certain court orders. Because these are permissive
disclosures, programs subject to both the privacy rules and the
substance abuse rule are able to comply with both rules even if the
privacy rules restrict these types of disclosures. In addition, the
privacy rules generally require that an individual be given access to
his or her own health information. Under the substance abuse
[[Page 82483]]
regulation, programs may provide such access, so there is no conflict.
The substance abuse regulation requires notice to patients of the
substance abuse confidentiality requirements and provides for written
consent for disclosure. While the privacy rules have requirements that
are somewhat different, the program may use notice and authorization
forms that include all the elements required by both regulations. The
substance abuse rule provides a sample notice and a sample
authorization form and states that the use of these forms would be
sufficient. While these forms do not satisfy all of the requirements of
the privacy regulation, there is no conflict because the substance
abuse regulation does not mandate the use of these forms.
Employee Retirement Income Security Act of 1974
ERISA was enacted in 1974 to regulate pension and welfare employee
benefit plans established by private sector employers, unions, or both,
to provide benefits to their workers and dependents. Under ERISA, plans
that provide ``through the purchase of insurance or otherwise * * *
medical, surgical, or hospital care or benefits, or benefits in the
event of sickness, accident, disability, [or] death'' are defined as
employee welfare benefit plans. 29 U.S.C. 1002(1). In 1996, HIPAA
amended ERISA to require portability, nondiscrimination, and
renewability of health benefits provided by group health plans and
group health insurance issuers. Numerous, although not all, ERISA plans
are covered under the rules proposed below as ``health plans.''
Section 514(a) of ERISA, 29 U.S.C. 1144(a), preempts all state laws
that ``relate to'' any employee benefit plan. However, section 514(b)
of ERISA, 29 U.S.C. 1144(b)(2)(A), expressly saves from preemption
state laws that regulate insurance. Section 514(b)(2)(B) of ERISA, 29
U.S.C. 1144(b)(2)(B), provides that an ERISA plan is deemed not to be
an insurer for the purpose of regulating the plan under the state
insurance laws. Thus, under the deemer clause, states may not treat
ERISA plans as insurers subject to direct regulation by state law.
Finally, section 514(d) of ERISA, 29 U.S.C. 1144(d), provides that
ERISA does not ``alter, amend, modify, invalidate, impair, or supersede
any law of the United States.''
We considered whether the preemption provision of section 264(c)(2)
of HIPAA would give effect to state laws that would otherwise be
preempted by section 514(a) of ERISA. As discussed above, our reading
of the statutes together is that the effect of section 264(c)(2) is
only to leave in place state privacy protections that would otherwise
apply and that are more stringent than the federal privacy protections.
Many health plans covered by the privacy regulation are also
subject to ERISA requirements. Our discussions and consultations have
not uncovered any particular ERISA requirements that would conflict
with the rules.
The Family Educational Rights and Privacy Act
FERPA, as amended, 20 U.S.C. 1232g, provides parents of students
and eligible students (students who are 18 or older) with privacy
protections and rights for the records of students maintained by
federally funded educational agencies or institutions or persons acting
for these agencies or institutions. We have excluded education records
covered by FERPA, including those education records designated as
education records under Parts B, C, and D of the Individuals with
Disabilities Education Act Amendments of 1997, from the definition of
protected health information. For example, individually identifiable
health information of students under the age of 18 created by a nurse
in a primary or secondary school that receives federal funds and that
is subject to FERPA is an education record, but not protected health
information. Therefore, the privacy regulation does not apply. We
followed this course because Congress specifically addressed how
information in education records should be protected in FERPA.
We have also excluded certain records, those described at 20 U.S.C.
1232g(a)(4)(B)(iv), from the definition of protected health information
because FERPA also provided a specific structure for the maintenance of
these records. These are records (1) of students who are 18 years or
older or are attending post-secondary educational institutions, (2)
maintained by a physician, psychiatrist, psychologist, or recognized
professional or paraprofessional acting or assisting in that capacity,
(3) that are made, maintained, or used only in connection with the
provision of treatment to the student, and (4) that are not available
to anyone, except a physician or appropriate professional reviewing the
record as designated by the student. Because FERPA excludes these
records from its protections only to the extent they are not available
to anyone other than persons providing treatment to students, any use
or disclosure of the record for other purposes, including providing
access to the individual student who is the subject of the information,
would turn the record into an education record. As education records,
they would be subject to the protections of FERPA.
These exclusions are not applicable to all schools, however. If a
school does not receive federal funds, it is not an educational agency
or institution as defined by FERPA. Therefore, its records that contain
individually identifiable health information are not education records.
These records may be protected health information. The educational
institution or agency that employs a school nurse is subject to our
regulation as a health care provider if the school nurse or the school
engages in a HIPAA transaction.
While we strongly believe every individual should have the same
level of privacy protection for his/her individually identifiable
health information, Congress did not provide us with authority to
disturb the scheme it had devised for records maintained by educational
institutions and agencies under FERPA. We do not believe Congress
intended to amend or preempt FERPA when it enacted HIPAA.
With regard to the records described at 20 U.S.C.
1232g(a)(4)(b)(iv), we considered requiring health care providers
engaged in HIPAA transactions to comply with the privacy regulation up
to the point these records were used or disclosed for purposes other
than treatment. At that point, the records would be converted from
protected health information into education records. This conversion
would occur any time a student sought to exercise his/her access
rights. The provider, then, would need to treat the record in
accordance with FERPA's requirements and be relieved from its
obligations under the privacy regulation. We chose not to adopt this
approach because it would be unduly burdensome to require providers to
comply with two different, yet similar, sets of regulations and
inconsistent with the policy in FERPA that these records be exempt from
regulation to the extent the records were used only to treat the
student.
Gramm-Leach-Bliley
In 1999, Congress passed Gramm-Leach-Bliley (GLB), Pub. L. 106-102,
which included provisions, section 501 et seq., that limit the ability
of financial institutions to disclose ``nonpublic personal
information'' about consumers to non-affiliated third parties and
require financial institutions to provide customers with their privacy
policies and practices with respect to nonpublic
[[Page 82484]]
personal information. In addition, Congress required seven agencies
with jurisdiction over financial institutions to promulgate regulations
as necessary to implement these provisions. GLB and its accompanying
regulations define ``financial institutions'' as including institutions
engaged in the financial activities of bank holding companies, which
may include the business of insuring. See 15 U.S.C. 6809(3); 12 U.S.C.
1843(k). However, Congress did not provide the designated federal
agencies with the authority to regulate health insurers. Instead, it
provided states with an incentive to adopt and have their state
insurance authorities enforce these rules. See 15 U.S.C. 6805. If a
state were to adopt laws consistent with GLB, health insurers would
have to determine how to comply with both sets of rules.
Thus, GLB has caused concern and confusion among health plans that
are subject to our privacy regulation. Although Congress remained
silent as to its understanding of the interaction of GLB and HIPAA's
privacy provisions, the Federal Trade Commission and other agencies
implementing the GLB privacy provisions noted in the preamble to their
GLB regulations that they ``would consult with HHS to avoid the
imposition of duplicative or inconsistent requirements.'' 65 Fed. Reg.
33646, 33648 (2000). Additionally, the FTC also noted that ``persons
engaged in providing insurance'' would be within the enforcement
jurisdiction of state insurance authorities and not within the
jurisdiction of the FTC. Id.
Because the FTC has clearly stated that it will not enforce the GLB
privacy provisions against persons engaged in providing insurance,
health plans will not be subject to dual federal agency jurisdiction
for information that is both nonpublic personal information and
protected health information. If states choose to adopt GLB-like laws
or regulations, which may or may not track the federal rules
completely, health plans would need to evaluate these laws under the
preemption analysis described in subpart B of Part 160.
Federally Funded Health Programs
These rules will affect various federal programs, some of which may
have requirements that are, or appear to be, inconsistent with the
requirements of these regulations. These programs include those
operated directly by the federal government (such as health programs
for military personnel and veterans) as well as programs in which
health services or benefits are provided by the private sector or by
state or local governments, but which are governed by various federal
laws (such as Medicare, Medicaid, and ERISA).
Congress explicitly included some of these programs in HIPAA,
subjecting them directly to the privacy regulation. Section 1171 of the
Act defines the term ``health plan'' to include the following federally
conducted, regulated, or funded programs: Group plans under ERISA that
either have 50 or more participants or are administered by an entity
other than the employer who established and maintains the plan;
federally qualified health maintenance organizations; Medicare;
Medicaid; Medicare supplemental policies; the health care program for
active military personnel; the health care program for veterans; the
Civilian Health and Medical Program of the Uniformed Services
(CHAMPUS); the Indian health service program under the Indian Health
Care Improvement Act, 25 U.S.C. 1601, et seq.; and the Federal
Employees Health Benefits Program. There also are many other federally
conducted, regulated, or funded programs in which individually
identifiable health information is created or maintained, but which do
not come within the statutory definition of ``health plan.'' While
these latter types of federally conducted, regulated, or assisted
programs are not explicitly covered by part C of title XI in the same
way that the programs listed in the statutory definition of ``health
plan'' are covered, the statute may nonetheless apply to transactions
and other activities conducted under such programs. This is likely to
be the case when the federal entity or federally regulated or funded
entity provides health services; the requirements of part C may apply
to such an entity as a ``health care provider.'' Thus, the issue of how
different federal requirements apply is likely to arise in numerous
contexts.
There are a number of authorities under the Public Health Service
Act and other legislation that contain explicit confidentiality
requirements, either in the enabling legislation or in the implementing
regulations. Many of these are so general that there would appear to be
no problem of inconsistency, in that nothing in those laws or
regulations would appear to restrict the provider's ability to comply
with the privacy regulation's requirements.
There may, however, be authorities under which either the
requirements of the enabling legislation or of the program regulations
would impose requirements that differ from these rules.
For example, regulations applicable to the substance abuse block
grant program funded under section 1943(b) of the Public Health Service
Act require compliance with 42 CFR part 2, and, thus, raise the issues
identified above in the substance abuse confidentiality regulations
discussion. There are a number of federal programs which, either by
statute or by regulation, restrict the disclosure of patient
information to, with minor exceptions, disclosures ``required by law.''
See, for example, the program of projects for prevention and control of
sexually transmitted diseases funded under section 318(e)(5) of the
Public Health Service Act (42 CFR 51b.404); the regulations
implementing the community health center program funded under section
330 of the Public Health Service Act (42 CFR 51c.110); the regulations
implementing the program of grants for family planning services under
title X of the Public Health Service Act (42 CFR 59.15); the
regulations implementing the program of grants for black lung clinics
funded under 30 U.S.C. 437(a) (42 CFR 55a.104); the regulations
implementing the program of maternal and child health projects funded
under section 501 of the Act (42 CFR 51a.6); the regulations
implementing the program of medical examinations of coal miners (42 CFR
37.80(a)). These legal requirements would restrict the grantees or
other entities providing services under the programs involved from
making many of the disclosures that Secs. 164.510 or 164.512 would
permit. In some cases, permissive disclosures for treatment, payment,
or health care operations would also be limited. Because Secs. 164.510
and 164.512 are merely permissive, there would not be a conflict
between the program requirements, because it would be possible to
comply with both. However, entities subject to both sets of
requirements would not have the total range of discretion that they
would have if they were subject only to this regulation.
Food, Drug, and Cosmetic Act
The Food, Drug, and Cosmetic Act, 21 U.S.C. 301, et seq., and its
accompanying regulations outline the responsibilities of the Food and
Drug Administration with regard to monitoring the safety and
effectiveness of drugs and devices. Part of the agency's responsibility
is to obtain reports about adverse events, track medical devices, and
engage in other types of post marketing surveillance. Because many of
these reports contain protected health information, the information
within them may come within the purview of the privacy rules.
[[Page 82485]]
Although some of these reports are required by the Food, Drug, and
Cosmetic Act or its accompanying regulations, other types of reporting
are voluntary. We believe that these reports, while not mandated, play
a critical role in ensuring that individuals receive safe and effective
drugs and devices. Therefore, in Sec. 164.512(b)(1)(iii), we have
provided that covered entities may disclose protected health
information to a person subject to the jurisdiction of the Food and
Drug Administration for specified purposes, such as reporting adverse
events, tracking medical devices, or engaging in other post marketing
surveillance. We describe the scope and conditions of such disclosures
in more detail in Sec. 164.512(b).
Clinical Laboratory Improvement Amendments
CLIA, 42 U.S.C. 263a, and the accompanying regulations, 42 CFR part
493, require clinical laboratories to comply with standards regarding
the testing of human specimens. This law requires clinical laboratories
to disclose test results or reports only to authorized persons, as
defined by state law. If a state does not define the term, the federal
law defines it as the person who orders the test.
We realize that the person ordering the test is most likely a
health care provider and not the individual who is the subject of the
protected health information included within the result or report.
Under this requirement, therefore, a clinical laboratory may be
prohibited by law from providing the individual who is the subject of
the test result or report with access to this information.
Although we believe individuals should be able to have access to
their individually identifiable health information, we recognize that
in the specific area of clinical laboratory testing and reporting, the
Health Care Financing Administration, through regulation, has provided
that access may be more limited. To accommodate this requirement, we
have provided at Sec. 164.524(1)(iii) that covered entities maintaining
protected health information that is subject to the CLIA requirements
do not have to provide individuals with a right of access to or a right
to inspect and obtain a copy of this information if the disclosure of
the information to the individual would be prohibited by CLIA.
Not all clinical laboratories, however, will be exempted from
providing individuals with these rights. If a clinical laboratory
operates in a state in which the term ``authorized person'' is defined
to include the individual, the clinical laboratory would have to
provide the individual with these rights. Similarly, if the individual
was the person who ordered the test and an authorized person included
such a person, the laboratory would be required to provide the
individual with these rights.
Additionally, CLIA regulations exempt the components or functions
of ``research laboratories that test human specimens but do not report
patient specific results for the diagnosis, prevention or treatment of
any disease or impairment of, or the assessment of the health of
individual patients'' from the CLIA regulatory scheme. 42 CFR
493.3(a)(2). If subject to the access requirements of this regulation,
such entities would be forced to meet the requirements of CLIA from
which they are currently exempt. To eliminate this additional
regulatory burden, we have also excluded covered entities that are
exempt from CLIA under that rule from the access requirement of this
regulation.
Although we are concerned about the lack of immediate access by the
individual, we believe that, in most cases, individuals who receive
clinical tests will be able to receive their test results or reports
through the health care provider who ordered the test for them. The
provider will receive the information from the clinical laboratory.
Assuming that the provider is a covered entity, the individual will
have the right of access and right to inspect and copy this protected
health information through his or her provider.
Other Mandatory Federal or State Laws
Many federal laws require covered entities to provide specific
information to specific entities in specific circumstances. If a
federal law requires a covered entity to disclose a specific type of
information, the covered entity would not need an authorization under
Sec. 164.508 to make the disclosure because the final rule permits
covered entities to make disclosures that are required by law under
Sec. 164.512(a). Other laws, such as the Social Security Act (including
its Medicare and Medicaid provisions), the Family and Medical Leave
Act, the Public Health Service Act, Department of Transportation
regulations, the Environmental Protection Act and its accompanying
regulations, the National Labor Relations Act, the Federal Aviation
Administration, and the Federal Highway Administration rules, may also
contain provisions that require covered entities or others to use or
disclose protected health information for specific purposes.
When a covered entity is faced with a question as to whether the
privacy regulation would prohibit the disclosure of protected health
information that it seeks to disclose pursuant to a federal law, the
covered entity should determine if the disclosure is required by that
law. In other words, it must determine if the disclosure is mandatory
rather than merely permissible. If it is mandatory, a covered entity
may disclose the protected health information pursuant to
Sec. 164.512(a), which permits covered entities to disclose protected
health information without an authorization when the disclosure is
required by law. If the disclosure is not required (but only permitted)
by the federal law, the covered entity must determine if the disclosure
comes within one of the other permissible disclosures. If the
disclosure does not come within one of the provisions for permissible
disclosures, the covered entity must obtain an authorization from the
individual who is the subject of the information or de-identify the
information before disclosing it.
If another federal law prohibits a covered entity from using or
disclosing information that is also protected health information, but
the privacy regulation permits the use or disclosure, a covered entity
will need to comply with the other federal law and not use or disclose
the information.
Federal Disability Nondiscrimination Laws
The federal laws barring discrimination on the basis of disability
protect the confidentiality of certain medical information. The
information protected by these laws falls within the larger definition
of ``health information'' under this privacy regulation. The two
primary disability nondiscrimination laws are the Americans with
Disabilities Act (ADA), 42 U.S.C. 12101 et seq., and the Rehabilitation
Act of 1973, as amended, 29 U.S.C. 701 et seq., although other laws
barring discrimination on the basis of disability (such as the
nondiscrimination provisions of the Workforce Investment Act of 1988,
29 U.S.C. 2938) may also apply. Federal disability nondiscrimination
laws cover two general categories of entities relevant to this
discussion: employers and entities that receive federal financial
assistance.
Employers are not covered entities under the privacy regulation.
Many employers, however, are subject to the federal disability
nondiscrimination laws and, therefore, must protect the
[[Page 82486]]
confidentiality of all medical information concerning their applicants
and employees.
The employment provisions of the ADA, 42 U.S.C. 12111 et seq.,
expressly cover employers of 15 or more employees, employment agencies,
labor organizations, and joint labor-management committees. Since 1992,
employment discrimination complaints arising under sections 501, 503,
and 504 of the Rehabilitation Act also have been subject to the ADA's
employment nondiscrimination standards. See ``Rehabilitation Act
Amendments,'' Pub. L. No. 102-569, 106 Stat. 4344. Employers subject to
ADA nondiscrimination standards have confidentiality obligations
regarding applicant and employee medical information. Employers must
treat such medical information, including medical information from
voluntary health or wellness programs and any medical information that
is voluntarily disclosed as a confidential medical record, subject to
limited exceptions.
Transmission of health information by an employer to a covered
entity, such as a group health plan, is governed by the ADA
confidentiality restrictions. The ADA, however, has been interpreted to
permit an employer to use medical information for insurance purposes.
See 29 CFR part 1630 App. at Sec. 1630.14(b) (describing such use with
reference to 29 CFR 1630.16(f), which in turn explains that the ADA
regulation ``is not intended to disrupt the current regulatory
structure for self-insured employers * * * or current industry
practices in sales, underwriting, pricing, administrative and other
services, claims and similar insurance related activities based on
classification of risks as regulated by the states''). See also,
``Enforcement Guidance on Disability-Related Inquiries and Medical
Examinations of Employees under the Americans with Disabilities Act,''
4, n.10 (July 26, 2000), ____ FEP Manual (BNA) ____ (``Enforcement
Guidance on Employees''). See generally, ``ADA Enforcement Guidance on
Preemployment Disability-Related Questions and Medical Examinations''
(October 10, 1995), 8 FEP Manual (BNA) 405:7191 (1995) (also available
at http://www.eeoc.gov). Thus, use of medical information for insurance
purposes may include transmission of health information to a covered
entity.
If an employer-sponsored group health plan is closely linked to an
employer, the group health plan may be subject to ADA confidentiality
restrictions, as well as this privacy regulation. See Carparts
Distribution Center, Inc. v. Automotive Wholesaler's Association of New
England, Inc., 37 F.3d 12 (1st Cir. 1994)(setting forth three bases for
ADA Title I jurisdiction over an employer-provided medical
reimbursement plan, in a discrimination challenge to the plan's HIV/
AIDS cap). Transmission of applicant or employee health information by
the employer's management to the group health plan may be permitted
under the ADA standards as the use of medical information for insurance
purposes. Similarly, disclosure of such medical information by the
group health plan, under the limited circumstances permitted by this
privacy regulation, may involve use of the information for insurance
purposes as broadly described in the ADA discussion above.
Entities that receive federal financial assistance, which may also
be covered entities under the privacy regulation, are subject to
section 504 of the Rehabilitation Act (29 U.S.C. 794) and its
implementing regulations. Each federal agency has promulgated such
regulations that apply to entities that receive financial assistance
from that agency (``recipients''). These regulations may limit the
disclosure of medical information about persons who apply to or
participate in a federal financially assisted program or activity. For
example, the Department of Labor's section 504 regulation (found at 29
CFR part 32), consistent with the ADA standards, requires recipients
that conduct employment-related programs, including employment training
programs, to maintain confidentiality regarding any information about
the medical condition or history of applicants to or participants in
the program or activity. Such information must be kept separate from
other information about the applicant or participant and may be
provided to certain specified individuals and entities, but only under
certain limited circumstances described in the regulation. See 29 CFR
32.15(d). Apart from those circumstances, the information must be
afforded the same confidential treatment as medical records, id. Also,
recipients of federal financial assistance from the Department of
Health and Human Services, such as hospitals, are subject to the ADA's
employment nondiscrimination standards. They must, accordingly,
maintain confidentiality regarding the medical condition or history of
applicants for employment and employees.
The statutes and implementing regulations under which the federal
financial assistance is provided may contain additional provisions
regulating collection and disclosure of medical, health, and
disability-related information. See, e.g., section 188 of the Workforce
Investment Act of 1988 (29 U.S.C. 2938) and 29 CFR 37.3(b). Thus,
covered entities that are subject to this privacy regulation, may also
be subject to the restrictions in these laws as well.
U.S. Safe Harbor Privacy Principles (European Union Directive on Data
Protection)
The E.U. Directive became effective in October 1998 and prohibits
European Union Countries from permitting the transfer of personal data
to another country without ensuring that an ``adequate level of
protection,'' as determined by the European Commission, exists in the
other country or pursuant to one of the Directive's derogations of this
rule, such as pursuant to unambiguous consent or to fulfill a contract
with the individual. In July 2000, the European Commission concluded
that the U.S. Safe Harbor Privacy Principles \1\ constituted ``adequate
protection.'' Adherence to the Principles is voluntary. Organizations
wishing to engage in the exchange of personal data with E.U. countries
may assert compliance with the Principles as one means of obtaining
data from E.U. countries.
---------------------------------------------------------------------------
\1\ The Principles are: (1) Notice; (2) Choice (i.e., consent);
(3) Onward Transfer (i.e., subsequent disclosures); (4) Security;
(5) Data Integrity; (6) Access; and (7) Enforcement. Department of
Commerce, Safe Harbor Principles, July 21, 2000 (``Principles'').
They do not apply to manually processed data.
---------------------------------------------------------------------------
The Department of Commerce, which negotiated these Principles with
the European Commission, has provided guidance for U.S. organizations
seeking to adhere to the guidelines and comply with U.S. law. We
believe this guidance addresses the concerns covered entities seeking
to transfer personal data from E.U. countries may have. When ``U.S. law
imposes a conflicting obligation, U.S. organizations whether in the
safe harbor or not must comply with the law.'' An organization does not
need to comply with the Principles if a conflicting U.S. law
``explicitly authorizes'' the particular conduct. The organization's
non-compliance is ``limited to the extent necessary to meet the
overriding legitimate interests further[ed] by such authorization.''
However, if only a difference exists such that an ``option is allowable
under the Principles and/or U.S. law, organizations are expected to opt
for the higher protection where possible.'' Questions regarding
compliance and interpretation will be decided based on U.S. law. See
Department of Commerce, Memorandum on Damages for Breaches
[[Page 82487]]
of Privacy, Legal Authorizations and Mergers and Takeovers in U.S. Law
5 (July 17, 2000); Department of Commerce, Safe Harbor Privacy
Principles Issued by the U.S. Department of Commerce on July 21, 2000,
65 FR 45666 (2000). The Principles and our privacy regulation are based
on common principles of fair information practices. We believe they are
essentially consistent and that an organization complying with our
privacy regulation can fairly and correctly self-certify that it
complies with the Principles. If a true conflict arises between the
privacy regulation and the Principles, the Department of Commerce's
guidance provides that an entity must comply with the U.S. law.
Part 160--Subpart C--Compliance and Enforcement
Proposed Sec. 164.522 included five paragraphs addressing
activities related to the Secretary's enforcement of the rule. These
provisions were based on procedures and requirements in various civil
rights regulations. Proposed Sec. 164.522(a) provided that the
Secretary would, to the extent practicable, seek the cooperation of
covered entities in obtaining compliance, and could provide technical
assistance to covered entities to help them comply voluntarily.
Proposed Sec. 164.522(b) provided that individuals could file
complaints with the Secretary. However, where the complaint related to
the alleged failure of a covered entity to amend or correct protected
health information as proposed in the rule, the Secretary would not
make certain determinations such as whether protected health
information was accurate or complete. This paragraph also listed the
requirements for filing complaints and indicated that the Secretary may
investigate such complaints and what might be reviewed as part of such
investigation.
Under proposed Sec. 164.522(c), the Secretary would be able to
conduct compliance reviews. Proposed Sec. 164.522(d) described the
responsibilities that covered entities keep records and reports as
prescribed by the Secretary, cooperate with compliance reviews, permit
the Secretary to have access to their facilities, books, records, and
other sources of information during normal business hours, and seek
records held by other persons. This paragraph also stated that the
Secretary would maintain the confidentiality of protected health
information she collected and prohibit covered entities from taking
retaliatory action against individuals for filing complaints or for
other activities. Proposed Sec. 164.522(e) provided that the Secretary
would inform the covered entity and the individual complainant if an
investigation or review indicated a failure to comply and would seek to
resolve the matter informally if possible. If the matter could not be
resolved informally, the Secretary would be able to issue written
findings, be required to inform the covered entity and the complainant,
and be able to pursue civil enforcement action or make a criminal
referral. The Secretary would also be required to inform the covered
entity and the individual complainant if no violation was found.
We make the following changes and additions to proposed
Sec. 164.522 in the final rule. First, we have moved this section to
part 160, as a new subpart C, ``Compliance and Enforcement.'' Second,
we add new sections that explain the applicability of these provisions
and incorporate certain definitions. Accordingly, we change the
proposed references to violations to ``this subpart'' to violations of
``the applicable requirements of part 160 and the applicable standards,
requirements, and implementation specifications of subpart E of part
164 of this subchapter.'' Third, the final rule at Sec. 160.306(a)
provides that any person, not just an ``individual'' (the person who is
the subject of the individually identifiable health information) may
file a complaint with the Secretary. Other references in this subpart
to an individual have been changed accordingly. Fourth, we delete the
proposed Sec. 164.522(a) language that indicated that the Secretary
would not determine whether information was accurate or complete, or
whether errors or omissions might have an adverse effect on the
individual. While the policy is not changed in that the Secretary will
not make such determinations, we believe the language is unnecessary
and may suggest that we would make all other types of determinations,
such as all determinations in which the regulation defers to the
professional judgment of the covered entity. Fifth, Sec. 160.306(b)(3)
requires that complaints be filed within 180 days of when the
complainant knew or should have known that the act or omission
complained of occurred, unless this time limit is waived by the
Secretary for good cause shown. Sixth, Sec. 160.310(b) requires
cooperation with investigations as well as compliance reviews. Seventh,
Sec. 160.310 (c)(1) provides that the Secretary must be provided access
to a covered entity's facilities, books, records, accounts, and other
sources of information, including protected health information, at any
time and without notice where exigent circumstances exist, such as
where documents might be hidden or destroyed. Eighth, the provision
proposed at Sec. 164.522(d) that would prohibit covered entities from
taking retaliatory action against individuals for filing a complaint
with the Secretary or for certain other actions has been changed and
moved to Sec. 164.530. Ninth, Sec. 160. 312(a)(2) deletes the reference
in the proposed rule to using violation findings as a basis for
initiating action to secure penalties. This deletion is not a
substantive change. This language was removed because penalties will be
addressed in the enforcement regulation. As in the NPRM, the Secretary
may promulgate alternative procedures for complaints relating to
national security. For example, to protect classified information, we
may promulgate rules that would allow an intelligence community agency
to create a separate body within that agency to receive complaints.
The Department plans to issue an Enforcement Rule that applies to
all of the regulations that the Department issues under the
Administrative Simplification provisions of HIPAA. This regulation will
address the imposition of civil monetary penalties and the referral of
criminal cases where there has been a violation of this rule. Penalties
are provided for under section 262 of HIPAA. The Enforcement Rule would
also address the topics covered by Subpart C below. It is expected that
this Enforcement Rule would replace Subpart C.
Part 164--Subpart A--General Provisions
Section 164.102--Statutory Basis
In the NPRM, we provided that the provisions of this part are
adopted pursuant to the Secretary's authority to prescribe standards,
requirements, and implementation standards under part C of title XI of
the Act and section 264 of Public Law 104-191. The final rule adopts
this language.
Section 164.104--Applicability
In the NPRM, we provided that except as otherwise provided, the
provisions of this part apply to covered entities: health plans, health
care clearinghouses, and health care providers who transmit health
information in electronic form in connection with any transaction
referred to in section 1173(a)(1) of the Act. The final rule adopts
this language.
[[Page 82488]]
Section 164.106--Relationship to Other Parts
The final rule adds a new provision stating that in complying with
the requirements of this part, covered entities are required to comply
with the applicable provisions of parts 160 and 162 of this subchapter.
This language references Subchapter C in this regulation,
Administrative Data Standards and Related Requirements; Part 160,
General Administrative Requirements; and Part 162, Administrative
Requirements. Part 160 includes requirements such as keeping records
and submitting compliance reports to the Secretary and cooperating with
the Secretary's complaint investigations and compliance reviews. Part
162 includes requirements such as requiring a covered entity that
conducts an electronic transaction, adopted under this part, with
another covered entity to conduct the transaction as a standard
transaction as adopted by the Secretary.
Part 164--Subpart B-D--Reserved
Part 164--Subpart E--Privacy
Section 164.500--Applicability
The discussion below describes the entities and the information
that are subject to the final regulation.
Many of the provisions of the regulation are presented as
``standards.'' Generally, the standards indicate what must be
accomplished under the regulation and implementation specifications
describe how the standards must be achieved.
Covered Entities
We proposed in the NPRM to apply the standards in the regulation to
health plans, health care clearinghouses, and to any health care
provider who transmits health information in electronic form in
connection with transactions referred to in section 1173(a)(1) of the
Act. The proposal referred to these entities as ``covered entities.''
We have revised Sec. 164.500 to clarify the applicability of the
rule to health care clearinghouses. As we stated in the preamble to the
NPRM, we believe that in most instances health care clearinghouses will
receive protected health information as a business associate to another
covered entity. This understanding was confirmed by the comments and by
our fact finding. Clearinghouses rarely have direct contact with
individuals, and usually will not be in a position to create protected
health information or to receive it directly from them. Unlike health
plans and providers, clearinghouses usually convey and repackage
information and do not add materially to the substance of protected
health information of an individual.
The revised language provides that clearinghouses are not subject
to certain requirements in the rule when acting as business associates
of other covered entities. As revised, a clearinghouse acting as a
business associate is subject only to the provisions of this section,
to the definitions, to the general rules for uses and disclosures of
protected health information (subject to limitations), to the provision
relating to health care components, to the provisions relating to uses
and disclosures for which consent, individual authorization or an
opportunity to agree or object is not required (subject to
limitations), to the transition requirements and to the compliance
date. With respect to the uses and disclosures authorized under
Sec. 164.502 or Sec. 164.512, a clearinghouse acting as a business
associate is not authorized by the rule to make any use or disclosure
not permitted by its business associate contract. Clearinghouses acting
as business associates are not subject to the other requirements of
this rule, which include the provisions relating to procedural
requirements, requirements for obtaining consent, individual
authorization or agreement, provision of a notice, individual rights to
request privacy protection, access and amend information and receive an
accounting of disclosures and the administrative requirements.
We note that, even as business associates, clearinghouses remain
covered entities. Clearinghouses, like other covered entities, are
responsible under this regulation for abiding by the terms of business
associate contracts. For example, while the provisions regarding
individuals' access to and right to request corrections to protected
health information about them apply only to health plans and covered
health care providers, clearinghouses may have some responsibility for
providing such access under their business associate contracts. A
clearinghouse (or any other covered entity) that violates the terms of
a business associate contract also is in direct violation of this rule
and, as a covered entity, is subject to compliance and enforcement
action.
We clarify that a covered entity is only subject to these rules to
the extent that they possess protected health information. Moreover,
these rules only apply with regard to protected health information. For
example, if a covered entity does not disclose or receive from its
business associate any protected health information and no protected
health information is created or received by its business associate on
behalf of the covered entity, then the business associate requirements
of this rule do not apply.
We clarify that the Department of Defense or any other federal
agency and any non-governmental organization acting on its behalf, is
not subject to this rule when it provides health care in another
country to foreign national beneficiaries. The Secretary believes that
this exemption is warranted because application of the rule could have
the unintended effect of impeding or frustrating the conduct of such
activities, such as interfering with the ability of military command
authorities to obtain protected health information on prisoners of war,
refugees, or detainees for whom they are responsible under
international law. See the preamble to the definition of ``individual''
for further discussion.
Covered Information
We proposed in the NPRM to apply the requirements of the rule to
individually identifiable health information that is or has been
electronically transmitted or maintained by a covered entity. The
provisions would have applied to the information itself, referred to as
protected health information in the rule, and not to the particular
records in which the information is contained. We proposed that once
information was maintained or transmitted electronically by a covered
entity, the protections would follow the information in whatever form,
including paper records, in which it exists while held by a covered
entity. The proposal would not have applied to information that was
never electronically maintained or transmitted by a covered entity.
In the final rule, we extend the scope of protections to all
individually identifiable health information in any form, electronic or
non-electronic, that is held or transmitted by a covered entity. This
includes individually identifiable health information in paper records
that never has been electronically stored or transmitted. (See
Sec. 164.501, definition of ``protected health information,'' for
further discussion.)
Section 164.501--Definitions
Correctional Institution
The proposed rule did not define the term correctional institution.
The final rule defines correctional institution as any penal or
correctional facility, jail, reformatory, detention center, work farm,
halfway house, or residential community program center operated by, or
under contract to, the United States,
[[Page 82489]]
a state, a territory, a political subdivision of a state or territory,
or an Indian tribe, for the confinement or rehabilitation of persons
charged with or convicted of a criminal offense or other persons held
in lawful custody. Other persons held in lawful custody includes
juvenile offenders adjudicated delinquent, aliens detained awaiting
deportation, persons committed to mental institutions through the
criminal justice system, witnesses, or others awaiting charges or
trial. This language was necessary to explain the privacy rights and
protections of inmates in this regulation.
Covered Functions
We add a new term, ``covered functions,'' as a shorthand way of
expressing and referring to the functions that the entities covered by
section 1172(a) of the Act perform. Section 1171 defines the terms
``health plan'', ``health care provider'', and ``health care
clearinghouse'' in functional terms. Thus, a ``health plan'' is an
individual or group plan ``that provides, or pays the cost of, medical
care * * *'', a ``health care provider'' ``furnish[es] health care
services or supplies,'' and a ``health care clearinghouse'' is an
entity ``that processes or facilitates the processing of * * * data
elements of health information * * *''. Covered functions, therefore,
are the activities that any such entity engages in that are directly
related to operating as a health plan, health care provider, or health
care clearinghouse; that is, they are the functions that make it a
health plan, health care provider, or health care clearinghouse.
The term ``covered functions'' is not intended to include various
support functions, such as computer support, payroll and other office
support, and similar support functions, although we recognize that
these support functions must occur in order for the entity to carry out
its health care functions. Because such support functions are often
also performed for parts of an organization that are not doing
functions directly related to the health care functions and may involve
access to and/or use of protected health information, the rules below
describe requirements for ensuring that workforce members who perform
these support functions do not impermissibly use or disclose protected
health information. See Sec. 164.504.
Data Aggregation
The NPRM did not include a definition of data aggregation. In the
final rule, data aggregation is defined, with respect to protected
health information received by a business associate in its capacity as
the business associate of a covered entity, as the combining of such
protected health information by the business associate with protected
health information received by the business associate in its capacity
as a business associate of another covered entity, to permit the
creation of data for analyses that relate to the health care operations
of the respective covered entities. The definition is included in the
final rule to help describe how business associates can assist covered
entities to perform health care operations that involve comparative
analysis of protected health information from otherwise unaffiliated
covered entities. Data aggregation is a service that gives rise to a
business associate relationship if the performance of the service
involves disclosure of protected health information by the covered
entity to the business associate.
Designated Record Set
In the proposed rule, we defined designated record set as ``a group
of records under the control of a covered entity from which information
is retrieved by the name of the individual or by some identifying
number, symbol, or other identifying particular assigned to the
individual and which is used by the covered entity to make decisions
about the individual.'' We defined a ``record'' as ``any item,
collection, or grouping of protected health information maintained,
collected, used, or disseminated by a covered entity.''
In the final rule, we modify the definition of designated record
set to specify certain records maintained by or for a covered entity
that are always part of a covered entity's designated record sets and
to include other records that are used to make decisions about
individuals. We do not use the means of retrieval of a record as a
defining criteria.
For health plans, designated record sets include, at a minimum, the
enrollment, payment, claims adjudication, and case or medical
management record systems of the plan. For covered health care
providers, designated record sets include, at a minimum, the medical
record and billing record about individuals maintained by or for the
provider. In addition to these records, designated record sets include
any other group of records that are used, in whole or in part, by or
for a covered entity to make decisions about individuals. We note that
records that otherwise meet the definition of designated record set and
which are held by a business associate of the covered entity are part
of the covered entity's designated record sets. Although we do not
specify particular types of records that are always included in the
designated record sets of clearinghouses when they are not acting as
business associates, this definition includes a group of records that
such a clearinghouse uses, in whole or in part, to make decisions about
individuals.
For the most part we retain, with slight modifications, the
definition of ``record,'' defining it as any item, collection, or
grouping of information that includes protected health information and
is maintained, collected, used, or disseminated.
Direct Treatment Relationship
This term was not included in the proposed rule. Direct treatment
relationship means a relationship between a health care provider and an
individual that is not an indirect treatment relationship (see
definition of indirect treatment relationship, below). For example,
outpatient pharmacists and Web-based providers generally have direct
treatment relationships with patients. Outpatient pharmacists fill
prescriptions written by other providers, but they furnish the
prescription and advice about the prescription directly to the patient,
not through another treating provider. Web-based providers generally
deliver health care independently, without the orders of another
provider.
A provider may have direct treatment relationships with some
patients and indirect treatment relationships with others. In some
provisions of the final rule, providers with indirect treatment
relationships are excepted from requirements that apply to other
providers. See Sec. 164.506 regarding consent for uses and disclosures
of protected health information for treatment, payment, and health care
operations, and Sec. 164.520 regarding notice of information practices.
These exceptions apply only with respect to the individuals with whom
the provider has an indirect treatment relationship.
Disclosure
We proposed to define ``disclosure'' to mean the release, transfer,
provision of access to, or divulging in any other manner of information
outside the entity holding the information. The final rule is
unchanged. We note that the transfer of protected health information
from a covered entity to a business associate is a disclosure for
purposes of this regulation.
Health Care Operations
The preamble to the proposed rule explained that in order for
treatment and payment to occur, protected health
[[Page 82490]]
information must be used within entities and shared with business
partners. In the proposed rule we provided a definition for ``health
care operations'' to clarify the activities we considered to be
``compatible with and directly related to'' treatment and payment and
for which protected health information could be used or disclosed
without individual authorization. These activities included conducting
quality assessment and improvement activities, reviewing the competence
or qualifications and accrediting/licensing of health care
professionals and plans, evaluating health care professional and health
plan performance, training future health care professionals, insurance
activities relating to the renewal of a contract for insurance,
conducting or arranging for medical review and auditing services, and
compiling and analyzing information in anticipation of or for use in a
civil or criminal legal proceeding. Recognizing the dynamic nature of
the health care industry, we acknowledged that the specified categories
may need to be modified as the industry evolves.
The preamble discussion of the proposed general rules listed
certain activities that would not be considered health care operations
because they were sufficiently unrelated to treatment and payment to
warrant requiring an individual to authorize such use or disclosure.
Those activities included: marketing of health and non-health items and
services; disclosure of protected health information for sale, rent or
barter; use of protected health information by a non-health related
division of an entity; disclosure of protected health information for
eligibility, enrollment, underwriting, or risk rating determinations
prior to an individuals' enrollment in a health plan; disclosure to an
employer for employment determinations; and fundraising.
In the final rule, we do not change the general approach of
defining health care operations: health care operations are the listed
activities undertaken by the covered entity that maintains the
protected health information (i.e., one covered entity may not disclose
protected health information for the operations of a second covered
entity); a covered entity may use any protected health information it
maintains for its operations (e.g., a plan may use protected health
information about former enrollees as well as current enrollees); we
expand the proposed list to reflect many changes requested by
commenters.
We modify the proposal that health care operations represent
activities ``in support of'' treatment and payment functions. Instead,
in the final rule, health care operations are the enumerated activities
to the extent that the activities are related to the covered entity's
functions as a health care provider, health plan or health care
clearinghouse, i.e., the entity's ``covered functions.'' We make this
change to clarify that health care operations includes general
administrative and business functions necessary for the covered entity
to remain a viable business. While it is possible to draw a connection
between all the enumerated activities and ``treatment and payment,''
for some general business activities (e.g., audits for financial
disclosure statements) that connection may be tenuous. The proposed
concept also did not include the operations of those health care
clearinghouses that may be covered by this rule outside their status as
business associate to a covered entity. We expand the definition to
include disclosures for the enumerated activities of organized health
care arrangements in which the covered entity participates. See also
the definition of organized health care arrangements, below.
In addition, we make the following changes and additions to the
enumerated subparagraphs:
(1) We add language to clarify that the primary purpose of the
studies encompassed by ``quality assessment and improvement
activities'' must not be to obtain generalizable knowledge. A study
with such a purpose would meet the rule's definition of research, and
use or disclosure of protected health information would have to meet
the requirements of Secs. 164.508 or 164.512(i). Thus, studies may be
conducted as a health care operation if development of generalizable
knowledge is not the primary goal. However, if the study changes and
the covered entity intends the results to be generalizable, the change
should be documented by the covered entity as proof that, when
initiated, the primary purpose was health care operations.
We add population-based activities related to improving health or
reducing health care costs, protocol development, case management and
care coordination, contacting of health care providers and patients
with information about treatment alternatives, and related functions
that do not entail direct patient care. Many commenters recommended
adding the term ``disease management'' to health care operations. We
were unable, however, to find a generally accepted definition of the
term. Rather than rely on this label, we include many of the functions
often included in discussions of disease management in this definition
or in the definition of treatment. This topic is discussed further in
the comment responses below.
(2) We have deleted ``undergraduate and graduate'' as a qualifier
for ``students,'' to make the term more general and inclusive. We add
the term ``practitioners.'' We expand the purposes encompassed to
include situations in which health care providers are working to
improve their skills. The rule also adds the training of non-health
care professionals.
(3) The rule expands the range of insurance related activities to
include those related to the creation, renewal or replacement of a
contract for health insurance or health benefits, as well as ceding,
securing, or placing a contract for reinsurance of risk relating to
claims for health care (including stop-loss and excess of loss
insurance). For these activities, we also eliminate the proposed
requirement that these uses and disclosures apply only to protected
health information about individuals already enrolled in a health plan.
Under this provision, a group health plan that wants to replace its
insurance carrier may disclose certain protected health information to
insurance issuers in order to obtain bids on new coverage, and an
insurance carrier interested in bidding on new business may use
protected health information obtained from the potential new client to
develop the product and pricing it will offer. For circumstances in
which no new contract is issued, we add a provision in Sec. 164.514(g)
restricting the recipient health plan from using or disclosing
protected health information obtained for this purpose, other than as
required by law. Uses and disclosures in these cases come within the
definition of ``health care operations,'' provided that the
requirements of Sec. 164.514(g) are met, if applicable. See
Sec. 164.504(f) for requirements for such disclosures by group health
plans, as well as specific restrictions on the information that may be
disclosed to plan sponsors for such purposes. We note that a covered
health care provider must obtain an authorization under Sec. 164.508 in
order to disclose protected health information about an individual for
purposes of pre-enrollment underwriting; the underwriting is not an
``operation'' of the provider and that disclosure is not otherwise
permitted by a provision of this rule.
(4) We delete reference to the ``compiling and analyzing
information in anticipation of or for use in a civil or criminal legal
proceeding'' and replace it with a broader reference to
[[Page 82491]]
conducting or arranging for ``legal services.''
We add two new categories of activities:
(5) Business planning and development, such as conducting cost-
management and planning-related analyses related to managing and
operating the entity, including formulary development and
administration, development or improvement of methods of payment or
coverage policies.
(6) Business management activities and general administrative
functions, such as management activities relating to implementation of
and compliance with the requirements of this subchapter, fundraising
for the benefit of the covered entity to the extent permitted without
authorization under Sec. 164.514(f), and marketing of certain services
to individuals served by the covered entity, to the extent permitted
without authorization under Sec. 164.514(e) (see discussion in the
preamble to that section, below). For example, under this category we
permit uses or disclosures of protected health information to determine
from whom an authorization should be obtained, for example to generate
a mailing list of individuals who would receive an authorization
request.
We add to the definition of health care operations disclosure of
protected health information for due diligence to a covered entity that
is a potential successor in interest. This provision includes
disclosures pursuant to the sale of a covered entity's business as a
going concern, mergers, acquisitions, consolidations, and other similar
types of corporate restructuring between covered entities, including a
division of a covered entity, and to an entity that is not a covered
entity but will become a covered entity if the transfer or sale is
completed. Other types of sales of assets, or disclosures to
organizations that are not and would not become covered entities, are
not included in the definition of health care operations and could only
occur if the covered entity obtained valid authorization for such
disclosure in accordance with Sec. 164.508, or if the disclosure is
otherwise permitted under this rule.
We also add to health care operations disclosure of protected
health information for resolution of internal grievances. These uses
and disclosures include disclosure to an employee and/or employee
representative, for example when the employee needs protected health
information to demonstrate that the employer's allegations of improper
conduct are untrue. We note that such employees and employee
representatives are not providing services to or for the covered
entity, and, therefore, no business associate contract is required.
Also included are resolution of disputes from patients or enrollees
regarding the quality of care and similar matters.
We also add use for customer service, including the provision of
data and statistical analyses for policyholders, plan sponsors, or
other customers, as long as the protected health information is not
disclosed to such persons. We recognize that part of the general
management of a covered entity is customer service. We clarify that
customer service may include the use of protected health information to
provide data and statistical analyses. For example, a plan sponsor may
want to understand why its costs are rising faster than average, or why
utilization in one plant location is different than in another
location. An association that sponsors an insurance plan for its
members may want information on the relative costs of its plan in
different areas. Some plan sponsors may want more detailed analyses
that attempt to identify health problems in a work site. We note that
when a plan sponsor has several different group health plans, or when
such plans provide insurance or coverage through more than one health
insurance issuer or HMO, the covered entities may jointly engage in
this type of analysis as a health care operation of the organized
health care arrangement.
This activity qualifies as a health care operation only if it does
not result in the disclosure of protected health information to the
customer. The results of the analyses must be presented in a way that
does not disclose protected health information. A disclosure of
protected health information to the customer as a health care operation
under this provision violates this rule. This provision is not intended
to permit covered entities to circumvent other provisions in this rule,
including requirements relating to disclosures of protected health
information to plan sponsors or the requirements relating to research.
See Sec. 164.504(f) and Sec. 164.512(i).
We use the term customer to provide flexibility to covered
entities. We do not intend the term to apply to persons with whom the
covered entity has no other business; this provision is intended to
permit covered entities to provide service to their existing customer
base.
We note that this definition, either alone or in conjunction with
the definition of ``organized health care arrangement,'' allows an
entity such as an integrated staff model HMO, whether legally
integrated or whether a group of associated entities, that hold
themselves out as an organized arrangement to share protected health
information under Sec. 164.506. In these cases, the sharing of
protected health information will be either for the operations of the
disclosing entity or for the organized health care arrangement in which
the entity is participating.
Whether a disclosure is allowable for health care operations under
this provision is determined separately from whether a business
associate contract is required. These provisions of the rule operate
independently. Disclosures for health care operations may be made to an
entity that is neither a covered entity nor a business associate of the
covered entity. For example, a covered academic medical center may
disclose certain protected health information to community health care
providers who participate in one of its continuing medical education
programs, whether or not such providers are covered health care
providers under this rule. A provider attending a continuing education
program is not thereby performing services for the covered entity
sponsoring the program and, thus, is not a business associate for that
purpose. Similarly, health plans may disclose for due diligence
purposes to another entity that may or may not be a covered entity or a
business associate.
Health Oversight Agency
The proposed rule would have defined ``health oversight agency'' as
``an agency, person, or entity, including the employees or agents
thereof, (1) That is: (i) A public agency; or (ii) A person or entity
acting under grant of authority from or contract with a public agency;
and (2) Which performs or oversees the performance of any audit;
investigation; inspection; licensure or discipline; civil, criminal, or
administrative proceeding or action; or other activity necessary for
appropriate oversight of the health care system, of government benefit
programs for which health information is relevant to beneficiary
eligibility, or of government regulatory programs for which health
information is necessary for determining compliance with program
standards.'' The proposed rule also described the functions of health
oversight agencies in the proposed health oversight section
(Sec. 164.510(c)) by repeating much of this definition.
In the final rule, we modify the definition of health oversight
agency by eliminating from the definition the language in proposed
Sec. 164.510(c) (now Sec. 164.512(d)). In addition, the final rule
clarifies this definition by specifying that a ``health oversight
agency'' is an agency or authority of the United States,
[[Page 82492]]
a state, a territory, a political subdivision of a state or territory,
or an Indian tribe, or a person or entity acting under a grant of
authority from or contract with such public agency, including the
employees or agents of such public agency or its contractors or
grantees, that is authorized by law to oversee the health care system
or government programs in which health information is necessary to
determine eligibility or compliance, or to enforce civil rights laws
for which health information is relevant.
The preamble to the proposed rule listed the following as examples
of health oversight agencies that conduct oversight activities relating
to the health care system: state insurance commissions, state health
professional licensure agencies, Offices of Inspectors General of
federal agencies, the Department of Justice, state Medicaid fraud
control units, Defense Criminal Investigative Services, the Pension and
Welfare Benefit Administration, the HHS Office for Civil Rights, and
the FDA. The proposed rule listed the Social Security Administration
and the Department of Education as examples of health oversight
agencies that conduct oversight of government benefit programs for
which health information is relevant to beneficiary eligibility. The
proposed rule listed the Occupational Health and Safety Administration
and the Environmental Protection Agency as examples of oversight
agencies that conduct oversight of government regulatory programs for
which health information is necessary for determining compliance with
program standards.
In the final rule, we include the following as additional examples
of health oversight activities: (1) The U.S. Department of Justice's
civil rights enforcement activities, and in particular, enforcement of
the Civil Rights of Institutionalized Persons Act (42 U.S.C. 1997-
1997j) and the Americans with Disabilities Act (42 U.S.C. 12101 et
seq.), as well as the EEOC's civil rights enforcement activities under
titles I and V of the ADA; (2) the FDA's oversight of food, drugs,
biologics, devices, and other products pursuant to the Food, Drug, and
Cosmetic Act (21 U.S.C. 301 et seq.) and the Public Health Service Act
(42 U.S.C. 201 et seq.); and (3) data analysis --performed by a public
agency or by a person or entity acting under grant of authority from or
under contract with a public agency --to detect health care fraud.
``Overseeing the health care system,'' which is included in the
definition of health oversight, encompasses activities such as:
oversight of health care plans; oversight of health benefit plans;
oversight of health care providers; oversight of health care and health
care delivery; oversight activities that involve resolution of consumer
complaints; oversight of pharmaceuticals, medical products and devices,
and dietary supplements; and a health oversight agency's analysis of
trends in health care costs, quality, health care delivery, access to
care, and health insurance coverage for health oversight purposes.
We recognize that health oversight agencies, such as the U.S.
Department of Labor's Pension and Welfare Benefits Administration, may
perform more than one type of health oversight. For example, agencies
may sometimes perform audits and investigations and at other times
conduct general oversight of health benefit plans. Such entities are
considered health oversight agencies under the rule for any and all of
the health oversight functions that they perform.
The definition of health oversight agency does not include private
organizations, such as private-sector accrediting groups. Accreditation
organizations are performing health care operations functions on behalf
of health plans and covered health care providers. Accordingly, in
order to obtain protected health information without individuals'
authorizations, accrediting groups must enter into business associate
agreements with health plans and covered health care providers for
these purposes. Similarly, private entities, such as coding committees,
that help government agencies that are health plans make coding and
payment decisions are performing health care payment functions on
behalf the government agencies and, therefore, must enter into business
associate agreements in order to receive protected health information
from the covered entity (absent individuals' authorization for such
disclosure).
Indirect Treatment Relationship
This term was not included in the proposed rule. An ``indirect
treatment relationship'' is a relationship between a health care
provider and an individual in which the provider delivers health care
to the individual based on the orders of another health care provider
and the health care services, products, diagnoses, or results are
typically furnished to the patient through another provider, rather
than directly. For example, radiologists and pathologists generally
have indirect treatment relationships with patients because they
deliver diagnostic services based on the orders of other providers and
the results of those services are furnished to the patient through the
direct treating provider. This definition is necessary to clarify the
relationships between providers and individuals in the regulation. For
example, see the consent discussion at Sec. 164.506.
Individual
We proposed to define ``individual'' to mean the person who is the
subject of the protected health information. We proposed that the term
include, with respect to the signing of authorizations and other rights
(such as access, copying, and correction), the following types of legal
representatives:
(1) With respect to adults and emancipated minors, legal
representatives (such as court-appointed guardians or persons with a
power of attorney), to the extent to which applicable law permits such
legal representatives to exercise the person's rights in such contexts.
(2) With respect to unemancipated minors, a parent, guardian, or
person acting in loco parentis, provided that when a minor lawfully
obtains a health care service without the consent of or notification to
a parent, guardian, or other person acting in loco parentis, the minor
shall have the exclusive right to exercise the rights of an individual
with respect to the protected health information relating to such care.
(3) With respect to deceased persons, an executor, administrator,
or other person authorized under applicable law to act on behalf of the
decedent's estate.
In addition, we proposed to exclude from the definition:
(1) Foreign military and diplomatic personnel and their dependents
who receive health care provided by or paid for by the Department of
Defense or other federal agency or by an entity acting on its behalf,
pursuant to a country-to-country agreement or federal statute.
(2) Overseas foreign national beneficiaries of health care provided
by the Department of Defense or other federal agency or by a non-
governmental organization acting on its behalf.
In the final rule, we eliminate from the definition of
``individual'' the provisions designating a legal representative as the
``individual'' for purposes of exercising certain rights with regard to
protected health information. Instead, we include in the final rule a
separate standard for ``personal representatives.'' A covered entity
must treat a personal representative of an individual as the individual
except under specified circumstances. See discussion in
[[Page 82493]]
Sec. 164.502(g) regarding personal representatives.
In addition, we eliminate from the definition of ``individual'' the
above exclusions for foreign military and diplomatic personnel and
overseas foreign national beneficiaries. We address the special
circumstances for use and disclosure of protected health information
about individuals who are foreign military personnel in
Sec. 164.512(k). We address overseas foreign national beneficiaries in
Sec. 164.500, ``Applicability.'' The protected health information of
individuals who are foreign diplomatic personnel and their dependents
are not subject to special treatment under the final rule.
Individually identifiable health information about one individual
may exist in the health records of another individual; health
information about one individual may include health information about a
second person. For example, a patient's medical record may contain
information about the medical conditions of the patient's parents,
children, and spouse, as well as their names and contact information.
For the purpose of this rule, if information about a second person is
included within the protected health information of an individual, the
second person is not the person who is the subject of the protected
health information. The second person is not the ``individual'' with
regard to that protected health information, and under this rule thus
does not have the individual's rights (e.g., access and amendment) with
regard to that information.
Individually Identifiable Health Information
We proposed to define ``individually identifiable health
information'' to mean information that is a subset of health
information, including demographic information collected from an
individual, and that:
(1) Is created by or received from a health care provider, health
plan, employer, or health care clearinghouse; and
(2) Relates to the past, present, or future physical or mental
health or condition of an individual, the provision of health care to
an individual, or the past, present, or future payment for the
provision of health care to an individual, and
(i) Which identifies the individual, or
(ii) With respect to which there is a reasonable basis to believe
that the information can be used to identify the individual.
In the final rule, we change ``created by or received from a health
care provider * * *'' to ``created or received by a health care
provider * * * ``in order to conform to the statute. We otherwise
retain the definition of ``individually identifiable health
information'' without change in the final rule.
Inmate
The proposed rule did not define the term inmate. In the final
rule, it is defined as a person incarcerated in or otherwise confined
to a correctional institution. The addition of this definition is
necessary to explain the privacy rights and protections of inmates in
this regulation.
Law Enforcement Official
The proposed rule would have defined a ``law enforcement official''
as ``an official of an agency or authority of the United States, a
state, a territory, a political subdivision of a state or territory, or
an Indian tribe, who is empowered by law to conduct: (1) An
investigation or official proceeding inquiring into a violation of, or
failure to comply with, any law; or (2) a criminal, civil, or
administrative proceeding arising from a violation of, or failure to
comply with, any law.''
The final rule modifies this definition slightly. The definition in
the final rule recognizes that law enforcement officials are empowered
to prosecute cases as well as to conduct investigations and civil,
criminal, or administrative proceedings. In addition, the definition in
the final rule reflects the fact that when investigations begin, often
it is not clear that law has been violated. Thus, the final rule
describes law enforcement investigations and official proceedings as
inquiring into a potential violation of law. In addition, it describes
law enforcement-related civil, criminal, or administrative proceedings
as arising from alleged violation of law.
Marketing
The proposed rule did not include a definition of ``marketing.''
The proposed rule generally required that a covered entity would need
an authorization from an individual to use or disclose protected health
information for marketing.
In the final rule we define marketing as a communication about a
product or service a purpose of which is to encourage recipients of the
communication to purchase or use the product or service. The definition
does not limit the type or means of communication that are considered
marketing.
The definition of marketing contains three exceptions. If a covered
entity receives direct or indirect remuneration from a third party for
making a written communication otherwise described in an exception,
then the communication is not excluded from the definition of
marketing. The activities we except from the definition of marketing
are encompassed by the definitions of treatment, payment, and health
care operations. Covered entities may therefore use and disclose
protected health information for these excepted activities without
authorization under Sec. 164.508 and pursuant to any applicable consent
obtained under Sec. 164.506.
The first exception applies to communications made by a covered
entity for the purpose of describing the entities participating in a
provider network or health plan network. It also applies to
communications made by a covered entity for the purpose of describing
if and the extent to which a product or service, or payment for a
product or service, is provided by the covered entity or included in a
benefit plan. This exception permits covered entities to use or
disclose protected health information when discussing topics such as
the benefits and services available under a health plan, the payment
that may be made for a product or service, which providers offer a
particular product or service, and whether a provider is part of a
network or whether (and what amount of) payment will be provided with
respect to the services of particular providers. This exception
expresses our intent not to interfere with communications made to
individuals about their health benefits.
The second exception applies to communications tailored to the
circumstances of a particular individual, made by a health care
provider to an individual as part of the treatment of the individual,
and for the purpose of furthering the treatment of that individual.
This exception leaves health care providers free to use or disclose
protected health information as part of a discussion of its products
and services, or the products and services of others, and to prescribe,
recommend, or sell such products or services, as part of the treatment
of an individual. This exception includes activities such as referrals,
prescriptions, recommendations, and other communications that address
how a product or service may relate to the individual's health. This
exception expresses our intent not to interfere with communications
made to individuals about their treatment.
The third exception applies to communications tailored to the
[[Page 82494]]
circumstances of a particular individual and made by a health care
provider or health plan to an individual in the course of managing the
treatment of that individual or for the purpose of directing or
recommending to that individual alternative treatments, therapies,
providers, or settings of care. As with the previous exception, this
exception permits covered entities to discuss freely their products and
services and the products and services of third parties, in the course
of managing an individual's care or providing or discussing treatment
alternatives with an individual, even when such activities involve the
use or disclose protected health information.
Section 164.514 contains provisions governing use or disclosure of
protected health information in marketing communications, including a
description of certain marketing communications that may use or include
protected health information but that may be made by a covered entity
without individual authorization. The definition of health care
operations includes those marketing communications that may be made
without an authorization pursuant to Sec. 164.514. Covered entities may
therefore use and disclose protected health information for these
activities pursuant to any applicable consent obtained under
Sec. 164.506, or, if they are not required to obtain a consent under
Sec. 164.506, without one.
Organized Health Care Arrangement
This term was not used in the proposed rule. We define the term in
order to describe certain arrangements in which participants need to
share protected health information about their patients to manage and
benefit the common enterprise. To allow uses and disclosures of
protected health information for these arrangements, we also add
language to the definition of ``health care operations.'' See
discussion of that term above.
We include five arrangements within the definition of organized
health care arrangement. The arrangements involve clinical or
operational integration among legally separate covered entities in
which it is often necessary to share protected health information for
the joint management and operations of the arrangement. They may range
in legal structure, but a key component of these arrangements is that
individuals who obtain services from them have an expectation that
these arrangements are integrated and that they jointly manage their
operations. We include within the definition a clinically integrated
care setting in which individuals typically receive health care from
more than one health care provider. Perhaps the most common example of
this type of organized health care arrangement is the hospital setting,
where a hospital and a physician with staff privileges at the hospital
together provide treatment to the individual. Participants in such
clinically integrated settings need to be able to share health
information freely not only for treatment purposes, but also to improve
their joint operations. For example, any physician with staff
privileges at a hospital must be able to participate in the hospital's
morbidity and mortality reviews, even when the particular physician's
patients are not being discussed. Nurses and other hospital personnel
must also be able to participate. These activities benefit the common
enterprise, even when the benefits to a particular participant are not
evident. While protected health information may be freely shared among
providers for treatment purposes under other provisions of this rule,
some of these joint activities also support the health care operations
of one or more participants in the joint arrangement. Thus, special
rules are needed to ensure that this rule does not interfere with
legitimate information sharing among the participants in these
arrangements.
We also include within the definition an organized system of health
care in which more than one covered entity participates, and in which
the participating covered entities hold themselves out to the public as
participating in a joint arrangement, and in which the joint activities
of the participating covered entities include at least one of the
following: utilization review, in which health care decisions by
participating covered entities are reviewed by other participating
covered entities or by a third party on their behalf; quality
assessment and improvement activities, in which treatment provided by
participating covered entities is assessed by other participating
covered entities or by a third party on their behalf; or payment
activities, if the financial risk for delivering health care is shared
in whole or in part by participating covered entities through the joint
arrangement and if protected health information created or received by
a covered entity is reviewed by other participating covered entities or
by a third party on their behalf for the purpose of administering the
sharing of financial risk. A common example of this type of organized
health care arrangement is an independent practice association formed
by a large number of physicians. They may advertise themselves as a
common enterprise (e.g., Acme IPA), whether or not they are under
common ownership or control, whether or not they practice together in
an integrated clinical setting, and whether or not they share financial
risk.
If such a group engages jointly in one or more of the listed
activities, the participating covered entities will need to share
protected health information to undertake such activities and to
improve their joint operations. In this example, the physician
participants in the IPA may share financial risk through common
withhold pools with health plans or similar arrangements. The IPA
participants who manage the financial arrangements need protected
health information about all the participants' patients in order to
manage the arrangement. (The participants may also hire a third party
to manage their financial arrangements.) If the participants in the IPA
engage in joint quality assurance or utilization review activities,
they will need to share protected health information about their
patients much as participants in an integrated clinical setting would.
Many joint activities that require the sharing of protected health
information benefit the common enterprise, even when the benefits to a
particular participant are not evident.
We include three relationships related to group health plans as
organized health care arrangements. First, we include a group health
plan and an issuer or HMO with respect to the group health plan within
the definition, but only with respect to the protected health
information of the issuer or HMO that relates to individuals who are or
have been participants or beneficiaries in the group health plan. We
recognize that many group health plans are funded partially or fully
through insurance, and that in some cases the group health plan and
issuer or HMO need to coordinate operations to properly serve the
enrollees. Second, we include a group health plan and one or more other
group health plans each of which are maintained by the same plan
sponsor. We recognize that in some instances plan sponsors provide
health benefits through a combination of group health plans, and that
they may need to coordinate the operations of such plans to better
serve the participants and beneficiaries of the plans. Third, we
include a combination of group health plans maintained by the same plan
sponsor and the health insurance issuers and HMOs with respect to such
plans, but again only with respect to the protected health information
of such issuers and HMOs that relates to
[[Page 82495]]
individuals who are or have been enrolled in such group health plans.
We recognize that is some instances a plan sponsor may provide benefits
through more than one group health plan, and that such plans may fund
the benefits through one or more issuers or HMOs. Again, coordinating
health care operations among these entities may be necessary to serve
the participants and beneficiaries in the group health plans. We note
that the necessary coordination may necessarily involve the business
associates of the covered entities and may involve the participation of
the plan sponsor to the extent that it is providing plan administration
functions and subject to the limits in Sec. 164.504.
Payment
We proposed the term payment to mean:
(1) The activities undertaken by or on behalf of a covered entity
that is:
(i) A health plan, or by a business partner on behalf of a health
plan, to obtain premiums or to determine or fulfill its responsibility
for coverage under the health plan and for provision of benefits under
the health plan; or
(ii) A health care provider or health plan, or a business partner
on behalf of such provider or plan, to obtain reimbursement for the
provision of health care.
(2) Activities that constitute payment include:
(i) Determinations of coverage, adjudication or subrogation of
health benefit claims;
(ii) Risk adjusting amounts due based on enrollee health status and
demographic characteristics;
(iii) Billing, claims management, and medical data processing;
(iv) Review of health care services with respect to medical
necessity, coverage under a health plan, appropriateness of care, or
justification of charges; and
(v) Utilization review activities, including precertification and
preauthorization of services.
In the final rule, we maintain the general approach of defining of
payment: payment activities are described generally in the first clause
of the definition, and specific examples are given in the second
clause. Payment activities relate to the covered entity that maintains
the protected health information (i.e., one covered entity may not
disclose protected health information for the payment activities of a
second covered entity). A covered entity may use or disclose only the
protected health information about the individual to whom care was
rendered, for its payment activities (e.g., a provider may disclose
protected health information only about the patient to whom care was
rendered in order to obtain payment for that care, or only the
protected health information about persons enrolled in the particular
health plan that seeks to audit the provider's records). We expand the
proposed list to reflect many changes requested by commenters.
We add eligibility determinations as an activity included in the
definition of payment. We expand coverage determinations to include the
coordination of benefits and the determination of a specific
individual's cost sharing amounts. The rule deletes activities related
to the improvement of methods of paying or coverage policies from this
definition and instead includes them in the definition of health care
operations. We add to the definition ``collection activities.'' We
replace ``medical data processing'' activities with health care data
processing related to billing, claims management, and collection
activities. We add activities for the purpose of obtaining payment
under a contract for reinsurance (including stop-loss and excess of
loss insurance). Utilization review activities now include concurrent
and retrospective review of services.
In addition, we modify this definition to clarify that the
activities described in section 1179 of the Act are included in the
definition of ``payment.'' We add new subclause (vi) allowing covered
entities to disclose to consumer reporting agencies an individual's
name, address, date of birth, social security number and payment
history, account number, as well as the name and address of the
individual's health care provider and/or health plan, as appropriate.
Covered entities may make disclosure of this protected health
information to consumer reporting agencies for purposes related to
collection of premiums or reimbursement. This allows reporting not just
of missed payments and overdue debt but also of subsequent positive
payment experience (e.g., to expunge the debt). We consider such
positive payment experience to be ``related to'' collection of premiums
or reimbursement.
The remaining activities described in section 1179 are included in
other language in this definition. For example, ``authorizing,
processing, clearing, settling, billing, transferring, reconciling or
collecting, a payment for, or related to, health plan premiums or
health care'' are covered by paragraph (2)(iii) of the definition,
which allows use and disclosure of protected health information for
``billing, claims management, collection activities and related health
care data processing.'' ``Claims management'' also includes auditing
payments, investigating and resolving payment disputes and responding
to customer inquiries regarding payments. Disclosure of protected
health information for compliance with civil or criminal subpoenas, or
with other applicable laws, are covered under Sec. 164.512 of this
regulation. (See discussion above regarding the interaction between
1179 and this regulation.)
We modify the proposed regulation text to clarify that payment
includes activities undertaken to reimburse health care providers for
treatment provided to individuals.
Covered entities may disclose protected health information for
payment purposes to any other entity, regardless of whether it is a
covered entity. For example, a health care provider may disclose
protected health information to a financial institution in order to
cash a check or to a health care clearinghouse to initiate electronic
transactions. However, if a covered entity engages another entity, such
as a billing service or a financial institution, to conduct payment
activities on its behalf, the other entity may meet the definition of
``business associate'' under this rule. For example, an entity is
acting as a business associate when it is operating the accounts
receivable system on behalf of a health care provider.
Similarly, payment includes disclosure of protected health
information by a health care provider to an insurer that is not a
``health plan'' as defined in this rule, to obtain payment. For
example, protected health information may be disclosed to obtain
reimbursement from a disability insurance carrier. We do not interpret
the definition of ``payment'' to include activities that involve the
disclosure of protected health information by a covered entity,
including a covered health care provider, to a plan sponsor for the
purpose of obtaining payment under a group health plan maintained by
such plan sponsor, or for the purpose of obtaining payment from a
health insurance issuer or HMO with respect to a group health plan
maintained by such plan sponsor, unless the plan sponsor is performing
plan administration pursuant to Sec. 164.504(f).
The Transactions Rule adopts standards for electronic health care
transactions, including two for processing payments. We adopted the ASC
X12N 835 transaction standard for ``Health Care Payment and Remittance
[[Page 82496]]
Advice'' transactions between health plans and health care providers,
and the ASC X12N 820 standard for ``Health Plan Premium Payments''
transactions between entities that arrange for the provision of health
care or provide health care coverage payments and health plans. Under
these two transactions, information to effect funds transfer is
transmitted in a part of the transaction separable from the part
containing any individually identifiable health information.
We note that a covered entity may conduct the electronic funds
transfer portion of the two payment standard transactions with a
financial institution without restriction, because it contains no
protected health information. The protected health information
contained in the electronic remittance advice or the premium payment
enrollee data portions of the transactions is not necessary either to
conduct the funds transfer or to forward the transactions. Therefore, a
covered entity may not disclose the protected health information to a
financial institution for these purposes. A covered entity may transmit
the portions of the transactions containing protected health
information through a financial institution if the protected health
information is encrypted so it can be read only by the intended
recipient. In such cases no protected health information is disclosed
and the financial institution is acting solely as a conduit for the
individually identifiable data.
Plan Sponsor
In the final rule we add a definition of ``plan sponsor.'' We
define plan sponsor by referencing the definition of the term provided
in (3)(16)(B) of the Employee Retirement Income Security Act (ERISA).
The plan sponsor is the employer or employee organization, or both,
that establishes and maintains an employee benefit plan. In the case of
a plan established by two or more employers, it is the association,
committee, joint board of trustees, or other similar group or
representative of the parties that establish and maintain the employee
benefit plan. This term includes church health plans and government
health plans. Group health plans may disclose protected health
information to plan sponsors who conduct payment and health care
operations activities on behalf of the group health plan if the
requirements for group health plans in Sec. 164.504 are met.
The preamble to the Transactions Rule noted that plan sponsors of
group health plans are not covered entities and, therefore, are not
required to use the standards established in that regulation to perform
electronic transactions, including enrollment and disenrollment
transactions. We do not change that policy through this rule. Plan
sponsors that perform enrollment functions are doing so on behalf of
the participants and beneficiaries of the group health plan and not on
behalf of the group health plan itself. For purposes of this rule, plan
sponsors are not subject to the requirements of Sec. 164.504 regarding
group health plans when conducting enrollment activities.
Protected Health Information
We proposed to define ``protected health information'' to mean
individually identifiable health information that is or has been
electronically maintained or electronically transmitted by a covered
entity, as well as such information when it takes any other form. For
purposes of this definition, we proposed to define ``electronically
transmitted'' as including information exchanged with a computer using
electronic media, such as the movement of information from one location
to another by magnetic or optical media, transmissions over the
Internet, Extranet, leased lines, dial-up lines, private networks,
telephone voice response, and ``faxback'' systems. We proposed that
this definition not include ``paper-to-paper'' faxes, or person-to-
person telephone calls, video teleconferencing, or messages left on
voice-mail.
Further, ``electronically maintained'' was proposed to mean
information stored by a computer or on any electronic medium from which
the information may be retrieved by a computer, such as electronic
memory chips, magnetic tape, magnetic disk, or compact disc optical
media.
The proposal's definition explicitly excluded:
(1) Individually identifiable health information that is part of an
``education record'' governed by the Family Educational Rights and
Privacy Act (FERPA), 20 U.S.C. 1232g.
(2) Individually identifiable health information of inmates of
correctional facilities and detainees in detention facilities.
In this final rule we expand the definition of protected health
information to encompass all individually identifiable health
information transmitted or maintained by a covered entity, regardless
of form. Specifically, we delete the conditions for individually
identifiable health information to be ``electronically maintained'' or
``electronically transmitted'' and the corresponding definitions of
those terms. Instead, the final rule defines protected health
information to be individually identifiable health information that is:
(1) Transmitted by electronic media;
(2) Maintained in any medium described in the definition of
electronic media at Sec. 162.103 of this subchapter; or
(3) Transmitted or maintained in any other form or medium.
We refer to electronic media, as defined in Sec. 162.103, which
means the mode of electronic transmission. It includes the Internet
(wide-open), Extranet (using Internet technology to link a business
with information only accessible to collaborating parties), leased
lines, dial-up lines, private networks, and those transmissions that
are physically moved from one location to another using magnetic tape,
disk, or compact disk media.
The definition of protected health information is set out in this
form to emphasize the severability of this provision. As discussed
below, we believe we have ample legal authority to cover all
individually identifiable health information transmitted or maintained
by covered entities. We have structured the definition this way so
that, if a court were to disagree with our view of our authority in
this area, the rule would still be operational, albeit with respect to
a more limited universe of information.
Other provisions of the rules below may also be severable,
depending on their scope and operation. For example, if the rule itself
provides a fallback, as it does with respect to the various
discretionary uses and disclosures permitted under Sec. 164.512, the
provisions would be severable under case law.
The definition in the final rule retains the exception relating to
individually identifiable health information in ``education records''
governed by FERPA. We also exclude the records described in 20 U.S.C.
1232g(a)(4)(B)(iv). These are records of students held by post-
secondary educational institutions or of students 18 years of age or
older, used exclusively for health care treatment and which have not
been disclosed to anyone other than a health care provider at the
student's request. (See discussion of FERPA above.)
We have removed the exception for individually identifiable health
information of inmates of correctional facilities and detainees in
detention facilities. Individually identifiable health information
about inmates is protected health information under the final rule, and
special rules for use and disclosure of the protected health
[[Page 82497]]
information about inmates and their ability to exercise the rights
granted in this rule are described below.
Psychotherapy Notes
Section 164.508(a)(3)(iv)(A) of the proposed rule defined
psychotherapy notes as notes recorded (in any medium) by a health care
provider who is a mental health professional documenting or analyzing
the contents of conversation during a private counseling session or a
group, joint, or family counseling session. The proposed definition
excluded medication prescription and monitoring, counseling session
start and stop times, the modalities and frequencies of treatment
furnished, results of clinical tests, and any summary of the following
items: Diagnosis, functional status, the treatment plan, symptoms,
prognosis and progress. Furthermore, we stated in the preamble of the
proposed rule that psychotherapy notes would have to be maintained
separately from the medical record.
In this final rule, we retain the definition of psychotherapy notes
that we had proposed, but add to the regulation text the requirement
that, to meet the definition of psychotherapy notes, the information
must be separated from the rest of the individual's medical record.
Public Health Authority
The proposed rule would have defined ``public health authority'' as
``an agency or authority of the United States, a state, a territory, or
an Indian tribe that is responsible for public health matters as part
of its official mandate.''
The final rule changes this definition slightly to clarify that a
``public health authority'' also includes a person or entity acting
under a grant of authority from or contract with a public health
agency. Therefore, the final rule defines this term as an agency or
authority of the United States, a state, a territory, a political
subdivision of a state or territory, or an Indian tribe, or a person or
entity acting under a grant of authority from or contract with such
public agency, including the employees or agents of such public agency
or its contractors or persons or entities to whom it has granted
authority, that is responsible for public health matters as part of its
official mandate.
Required By Law
In the preamble to the NPRM, we did not include a definition of
``required by law.'' We discussed what it meant for an action to be
considered to be ``required'' or ``mandated'' by law and included
several examples of activities that would be considered as required by
law for the purposes of the proposed rule, including a valid Inspector
General subpoena, grand jury subpoena, civil investigative demand, or a
statute or regulation requiring production of information justifying a
claim would constitute a disclosure required by law.
In the final rule we include a new definition, move the preamble
clarifications to the regulatory text and add several items to the
illustrative list. For purposes of this regulation, ``required by law''
means a mandate contained in law that compels a covered entity to make
a use or disclosure of protected health information and that is
enforceable in a court of law. Among the examples listed in definition
are Medicare conditions of participation with respect to health care
providers participating in that program, court-ordered warrants, and
subpoenas issued by a court. We note that disclosures ``required by
law'' include disclosures of protected health information required by
this regulation in Sec. 164.502(a)(2). It does not include contracts
between private parties or similar voluntary arrangements. This list is
illustrative only and is not intended in any way to limit the scope of
this paragraph or other paragraphs in Sec. 164.512 that permit uses or
disclosures to the extent required by other laws. We note that nothing
in this rule compels a covered entity to make a use or disclosure
required by the legal demands or prescriptions listed in this
clarification or by any other law or legal process, and a covered
entity remains free to challenge the validity of such laws and
processes.
Research
We proposed to define ``research'' as it is defined in the Federal
Policy for the Protection of Human Subjects, at 45 CFR part 46, subpart
A (referred to elsewhere in this rule as ``Common Rule''), and in
addition, elaborated on the meaning of the term ``generalizable
knowledge.'' In Sec. 164.504 of the proposed rule we defined research
as ``* * * a systematic investigation, including research development,
testing and evaluation, designed to develop or contribute to
generalizable knowledge. `Generalizable knowledge' is knowledge related
to health that can be applied to populations outside of the population
served by the covered entity.''
The final rule eliminates the further elaboration of
``generalizable knowledge.'' Therefore, the rule defines ``research''
as the term is defined in the Common Rule: a systematic investigation,
including research development, testing and evaluation, designed to
develop or contribute to generalizable knowledge.
Research Information Unrelated to Treatment
We delete this definition and the associated requirements from the
final rule. Refer to Sec. 164.508(f) for new requirements regarding
authorizations for research that includes treatment of the individual.
Treatment
The proposed rule defined ``treatment'' as the provision of health
care by, or the coordination of health care (including health care
management of the individual through risk assessment, case management,
and disease management) among, health care providers; the referral of a
patient from one provider to another; or the coordination of health
care or other services among health care providers and third parties
authorized by the health plan or the individual. The preamble noted
that the definition was intended to relate only to services provided to
an individual and not to an entire enrolled population.
In the final rule, we do not change the general approach to
defining treatment: treatment means the listed activities undertaken by
any health care provider, not just a covered health care provider. A
plan can disclose protected health information to any health care
provider to assist the provider's treatment activities; and a health
care provider may use protected health information about an individual
to treat another individual. A health care provider may use any
protected health information it maintains for treatment purposes (e.g.,
a provider may use protected health information about former patients
as well as current patients). We modify the proposed list of treatment
activities to reflect changes requested by commenters.
Specifically, we modify the proposed definition of ``treatment'' to
include the management of health care and related services. Under the
definition, the provision, coordination, or management of health care
or related services may be undertaken by one or more health care
providers. ``Treatment'' includes coordination or management by a
health care provider with a third party and consultation between health
care providers. The term also includes referral by a health care
provider of a patient to another health care provider.
Treatment refers to activities undertaken on behalf of a single
patient, not a population. Activities are considered treatment only if
delivered
[[Page 82498]]
by a health care provider or a health care provider working with
another party. Activities of health plans are not considered to be
treatment. Many services, such as a refill reminder communication or
nursing assistance provided through a telephone service, are considered
treatment activities if performed by or on behalf of a health care
provider, such as a pharmacist, but are regarded as health care
operations if done on behalf of a different type of entity, such as a
health plan.
We delete specific reference to risk assessment, case management,
and disease management. Activities often referred to as risk
assessment, disease and case management are treatment activities only
to the extent that they are services provided to a particular patient
by a health care provider; population based analyses or records review
for the purposes of treatment protocol development or modification are
health care operations, not treatment activities. If a covered entity
is licensed as both a health plan and a health care provider, a single
activity could be considered to be both treatment and health care
operations; for compliance purposes we would consider the purpose of
the activity. Given the integration of the health care system we
believe that further classification of activities into either treatment
or health care operations would not be helpful. See the definition of
health care operations for additional discussion.
Use
We proposed to define ``use'' to mean the employment, application,
utilization, examination, or analysis of information within an entity
that holds the information. In the final rule, we clarify that use
refers to the use of individually identifiable health information. We
replace the term ``holds'' with the term ``maintains.'' These changes
are for clarity only, and are not intended to effect any substantive
change.
Section 164.502--General Rules for Uses and Disclosures of
Protected Health Information
Section 164.502(a)--Use and Disclosure for Treatment, Payment and
Health Care Operations
As a general rule, we proposed in the NPRM to prohibit covered
entities from using or disclosing protected health information except
as authorized by the individual who is the subject of such information
or as explicitly permitted by the rule. The proposed rule explicitly
would have permitted covered entities to use or disclose an
individual's protected health information without authorization for
treatment, payment, and health care operations. The proposal would not
have restricted to whom disclosures could be made for the purposes of
treatment, payment, or operations. The proposal would have allowed
disclosure of the protected health information of one individual for
the treatment or payment of another, as appropriate. We also proposed
to prohibit covered entities from seeking individual authorization for
uses and disclosures for treatment, payment, and health care operations
unless required by state or other applicable law.
We proposed two exceptions to this general rule which prohibited
covered entities from using or disclosing research information
unrelated to treatment or psychotherapy notes for treatment, payment,
or health care operations purposes unless a specific authorization was
obtained from the subject of the information. In addition, we proposed
that a covered entity be prohibited from conditioning treatment,
enrollment in a health plan or payment decisions on a requirement that
the individual provide a specific authorization for the disclosure of
these two types of information (see proposed Sec. 164.508(a)(3)(iii)).
We also proposed to permit covered entities to use or disclose an
individual's protected health information for specified public and
public policy-related purposes, including public health, research,
health oversight, law enforcement, and use by coroners. In addition,
the proposal would have permitted covered entities to use and disclose
protected health information when required to do so by other law or
pursuant to an authorization from the individual allowing them to use
or disclose the information for purposes other than treatment, payment
or health care operations.
We proposed to require covered entities to disclose protected
health information for only two purposes: to permit individuals to
inspect and copy protected health information about themselves and for
enforcement of the rule.
We proposed not to require covered entities to vary the level of
protection accorded to protected health information based on the
sensitivity of such information. In addition, we proposed to require
that each affected entity assess its own needs and devise, implement,
and maintain appropriate privacy policies, procedures, and
documentation to address its business requirements.
In the final rule, the general standard remains that covered
entities may use or disclose protected health information only as
permitted or required by this rule. However, we make significant
changes to the conditions under which uses and disclosures are
permitted.
We revise the application of the general standard to require
covered health care providers who have a direct treatment relationship
with an individual to obtain a general ``consent'' from the individual
in order to use or disclose protected health information about the
individual for treatment, payment and health care operations (for
details on who must obtain such consents and the requirements they must
meet, see Sec. 164.506). These consents are intended to accommodate
both the covered provider's need to use or disclose protected health
information for treatment, payment, and health care operations, and
also the individual's interest in understanding and acquiescing to such
uses and disclosures. In general, other covered entities are permitted
to use and disclose protected health information to carry out
treatment, payment, or health care operations (as defined in this rule)
without obtaining such consent, as in the proposed rule. Covered
entities must, as under the proposed rule, obtain the individual's
``authorization'' in order to use or disclose psychotherapy notes for
most purposes: see Sec. 164.508(a)(2) for exceptions to this rule. We
delete the proposed special treatment of ``research information
unrelated to treatment.''
We revise the application of the general standard to require all
covered entities to obtain the individual's verbal ``agreement'' before
using or disclosing protected health information for facility
directories, to persons assisting in the individual's care, and for
other purposes described in Sec. 164.510. Unlike ``consent'' and
``authorization,'' verbal agreement may be informal and implied from
the circumstances (for details on who must obtain such agreements and
the requirements they must meet, see Sec. 164.510). Verbal agreements
are intended to accommodate situations where it is neither appropriate
to remove from the individual the ability to control the protected
health information nor appropriate to require formal, written
permission to share such information. For the most part, these
provisions reflect current practices.
As under the proposed rule, we permit covered entities to use or
disclose protected health information without the individual's consent,
authorization or agreement for specified
[[Page 82499]]
public policy purposes, in compliance with the requirements in
Sec. 164.512.
We permit covered entities to disclose protected health information
to the individual who is the subject of that information without any
condition. We note that this may include disclosures to ``personal
representatives'' of individuals as provided by Sec. 164.502(g).
We permit a covered entity to use or disclose protected health
information for other lawful purposes if the entity obtains a written
``authorization'' from the individual, consistent with the provisions
of Sec. 164.508. Unlike ``consents,'' these ``authorizations'' are
specific and detailed. (For details on who must obtain such
authorizations and the requirements they must meet, see Sec. 164.508.)
They are intended to provide the individuals with concrete information
about, and control over, the uses and disclosures of protected health
information about themselves.
The final rule retains the provision that requires a covered entity
to disclose protected health information only in two instances: When
individuals request access to information about themselves, and when
disclosures are compelled by the Secretary for compliance and
enforcement purposes.
Finally, Sec. 164.502(a)(1) also requires covered entities to use
or disclose protected health information in compliance with the other
provisions of Sec. 164.502, for example, consistent with the minimum
necessary standard, to create de-identified information, or to a
personal representative of an individual. These provisions are
described below.
We note that a covered entity may use or disclose protected health
information as permitted by and in accordance with a provision of this
rule, regardless of whether that use or disclosure fails to meet the
requirements for use or disclosure under another provision of this
rule.
Section 164.502(b)--Minimum Necessary Uses and Disclosures
The proposed rule required a covered entity to make all reasonable
efforts not to use or disclose more than the minimum amount of
protected health information necessary to accomplish the intended
purpose of the use or disclosure (proposed Sec. 164.506(b)). This final
rule significantly modifies the proposed requirements for implementing
the minimum necessary standard. In the final rule, Sec. 164.502(b)
contains the basic standard and Sec. 164.514 describes the requirements
for implementing the standard. Therefore we discuss all aspects of the
minimum necessary standard and specific requirements below in the
discussion of Sec. 164.514(d).
Section 164.502(c)--Uses and Disclosures Under a Restriction Agreement
The proposed rule would have required that covered health care
providers permit individuals to request restrictions of uses and
disclosures of protected health information and would have prohibited
covered providers from using or disclosing protected health information
in violation of any agreed-to restriction.
The final rule retains an individual's right to request
restrictions on uses or disclosures for treatment, payment or health
care operations and prohibits a covered entity from using or disclosing
protected health information in a way that is inconsistent with an
agreed upon restriction between the covered entity and the individual,
but makes some changes to this right. Most significantly, under the
final rule individuals have the right to request restrictions of all
covered entities. This standard is set forth in Sec. 164.522. Details
about the changes to the standard are explained in the preamble
discussion to Sec. 164.522.
Section 164.502(d)--Creation of De-identified Information
In proposed Sec. 164.506(d) of the NPRM, we proposed to permit use
of protected health information for the purpose of creating de-
identified information and we provided detailed mechanisms for doing
so.
In Sec. 164.502(d) of the final rule, we permit a covered entity to
use protected health information to create de-identified information,
whether or not the de-identified information is to be used by the
covered entity. We clarify that de-identified information created in
accordance with our procedures (which have been moved to
Sec. 164.514(a)) is not subject to the requirements of these privacy
rules unless it is re-identified. Disclosure of a key or mechanism that
could be used to re-identify such information is also defined to be
disclosure of protected health information. See the preamble to
Sec. 164.514(a) for further discussion.
Section 164.502(e)--Business Associates
In the proposed rule, other than for purposes of consultation or
referral for treatment, we would have allowed a covered entity to
disclose protected health information to a business partner only
pursuant to a written contract that would, among other specified
provisions, limit the business partner's uses and disclosures of
protected health information to those permitted by the contract, and
would impose certain security, inspection and reporting requirements on
the business partner. We proposed to define the term ``business
partner'' to mean, with respect to a covered entity, a person to whom
the covered entity discloses protected health information so that the
person can carry out, assist with the performance of, or perform on
behalf of, a function or activity for the covered entity.
In the final rule, we change the term ``business partner'' to
``business associate'' and in the definition clarify the full range of
circumstances in which a person is acting as a business associate of a
covered entity. (See definition of ``business associate'' in
Sec. 160.103.) These changes mean that Sec. 164.502(e) requires a
business associate contract (or other arrangement, as applicable) not
only when the covered entity discloses protected health information to
a business associate, but also when the business associate creates or
receives protected health information on behalf of the covered entity.
In the final rule, we modify the proposed standard and
implementation specifications for business associates in a number of
significant ways. These modifications are explained in the preamble
discussion of Sec. 164.504(e).
Section 164.502(f)--Deceased Individuals
We proposed to extend privacy protections to the protected health
information of a deceased individual for two years following the date
of death. During the two-year time frame, we proposed in the definition
of ``individual'' that the right to control the deceased individual's
protected health information would be held by an executor or
administrator, or other person (e.g., next of kin) authorized under
applicable law to act on behalf of the decedent's estate. The only
proposed exception to this standard allowed for uses and disclosures of
a decedent's protected health information for research purposes without
the authorization of a legal representative and without the
Institutional Review Board (IRB) or privacy board approval required (in
proposed Sec. 164.510(j)) for most other uses and disclosures for
research.
In the final rule (Sec. 164.502(f)), we modify the standard to
extend protection of protected health information about deceased
individuals for as long as the covered entity maintains the
information. We retain the exception for uses and disclosures for
research purposes, now part of Sec. 164.512(i), but also require that
the
[[Page 82500]]
covered entity take certain verification measures prior to release of
the decedent's protected health information for such purposes (see
Secs. 164.514(h) and 164.512(i)(1)(iii)).
We remove from the definition of ``individual'' the provision
related to deceased persons. Instead, we create a standard for
``personal representatives'' (Sec. 164.502(g), see discussion below)
that requires a covered entity to treat a personal representative of an
individual as the individual in certain circumstances, i.e., allows the
representative to exercise the rights of the individual. With respect
to deceased individuals, the final rule describes when a covered entity
must allow a person who otherwise is permitted under applicable law to
act with respect to the interest of the decedent or on behalf of the
decedent's estate, to make decisions regarding the decedent's protected
health information.
The final rule also adds a provision to Sec. 164.512(g), that
permits covered entities to disclose protected health information to a
funeral director, consistent with applicable law, as necessary to carry
out their duties with respect to the decedent. Such disclosures are
permitted both after death and in reasonable anticipation of death.
Section 164.502(g)--Personal Representatives
In the proposed rule we defined ``individual'' to include certain
persons who were authorized to act on behalf of the person who is the
subject of the protected health information. For adults and emancipated
minors, the NPRM provided that ``individual'' includes a legal
representative to the extent to which applicable law permits such legal
representative to exercise the individual's rights in such contexts.
With respect to unemancipated minors, we proposed that the definition
of ``individual'' include a parent, guardian, or person acting in loco
parentis, (hereinafter referred to as ``parent'') except when an
unemancipated minor obtained health care services without the consent
of, or notification to, a parent. Under the proposed rule, if a minor
obtained health care services under these conditions, the minor would
have had the exclusive rights of an individual with respect to the
protected health information related to such health care services.
In the final rule, the definition of ``individual'' is limited to
the subject of the protected health information, which includes
unemancipated minors and other individuals who may lack capacity to act
on their own behalf. We remove from the definition of ``individual''
the provisions regarding legal representatives. The circumstances in
which a representative must be treated as an individual for purposes of
this rule are addressed in a separate standard titled ``personal
representatives.'' (Sec. 164.502(g)). The standard regarding personal
representatives incorporates some changes to the proposed provisions
regarding legal representatives. In general, under the final
regulation, the ``personal representatives'' provisions are directed at
the more formal representatives, while Sec. 164.510(b) addresses
situations in which persons are informally acting on behalf of an
individual.
With respect to adults or emancipated minors, we clarify that a
covered entity must treat a person as a personal representative of an
individual if such person is, under applicable law, authorized to act
on behalf of the individual in making decisions related to health care.
This includes a court-appointed guardian and a person with a power of
attorney, as set forth in the NPRM, but may also include other persons.
The authority of a personal representative under this rule is limited:
the representative must be treated as the individual only to the extent
that protected health information is relevant to the matters on which
the personal representative is authorized to represent the individual.
For example, if a person's authority to make health care decisions for
an individual is limited to decisions regarding treatment for cancer,
such person is a personal representative and must be treated as the
individual with respect to protected health information related to the
cancer treatment of the individual. Such a person is not the personal
representative of the individual with respect to all protected health
information about the individual, and therefore, a covered entity may
not disclose protected health information that is not relevant to the
cancer treatment to the person, unless otherwise permitted under the
rule. We intend this provision to apply to persons empowered under
state or other law to make health related decisions for an individual,
whether or not the instrument or law granting such authority
specifically addresses health information.
In addition, we clarify that with respect to an unemancipated
minor, if under applicable law a parent may act on behalf of an
unemancipated minor in making decisions related to health care, a
covered entity must treat such person as a personal representative
under this rule with respect to protected health information relevant
to such personal representation, with three exceptions. Under the
general rule, in most circumstances the minor would not have the
capacity to act as the individual, and the parent would be able to
exercise rights and authorities on behalf of the minor. Under the
exceptions to the rule on personal representatives of unemancipated
minors, the minor, and not the parent, would be treated as the
individual and able to exercise the rights and authorities of an
individual under the rule. These exceptions occur if: (1) The minor
consents to a health care service; no other consent to such health care
service is required by law, regardless of whether the consent of
another person has also been obtained; and the minor has not requested
that such person be treated as the personal representative; (2) the
minor may lawfully obtain such health care service without the consent
of a parent, and the minor, a court, or another person authorized by
law consents to such health care service; or (3) a parent assents to an
agreement of confidentiality between a covered health care provider and
the minor with respect to such health care service. We note that the
definition of health care includes services, but we use ``health care
service'' in this provision to clarify that the scope of the rights of
minors under this rule is limited to the protected health information
related to a particular service.
Under this provision, we do not provide a minor with the authority
to act under the rule unless the state has given them the ability to
obtain health care without consent of a parent, or the parent has
assented. In addition, we defer to state law where the state authorizes
or prohibits disclosure of protected health information to a parent.
See part 160, subpart B, Preemption of State Law. This rule does not
affect parental notification laws that permit or require disclosure of
protected health information to a parent. However, the rights of a
minor under this rule are not otherwise affected by such notification.
In the final rule, the provision regarding personal representatives
of deceased individuals has been changed to clarify the provision. The
policy has not changed substantively from the NPRM.
Finally, we added a provision in the final rule to permit covered
entities to elect not to treat a person as a personal representative in
abusive situations. Under this provision, a covered entity need not
treat a person as a personal representative of an individual if the
covered entity, in the exercise of professional judgment, decides that
it is
[[Page 82501]]
not in the best interest of the individual to treat the person as the
individual's personal representative and the covered entity has a
reasonable belief that the individual has been or may be subjected to
domestic violence, abuse, or neglect by such person, or that treating
such person as the personal representative could endanger the
individual.
Section 164.502(g) requires a covered entity to treat a person that
meets the requirements of a personal representative as the individual
(with the exceptions described above). We note that disclosure of
protected health information to a personal representative is mandatory
under this rule only if disclosure to the individual is mandatory.
Disclosure to the individual is mandatory only under Secs. 164.524 and
164.528. Further, as noted above, the personal representative's rights
are limited by the scope of its authority under other law. Thus, this
provision does not constitute a general grant of authority to personal
representatives.
We make disclosure to personal representatives mandatory to ensure
that an individual's rights under Secs. 164.524 and 164.528 are
preserved even when individuals are incapacitated or otherwise unable
to act for themselves to the same degree as other individuals. If the
covered entity were to have the discretion to recognize a personal
representative as the individual, there could be situations in which no
one could invoke an individual's rights under these sections.
We continue to allow covered entities to use their discretion to
disclose certain protected health information to family members,
relatives, close friends, and other persons assisting in the care of an
individual, in accordance with Sec. 164.510(b). We recognize that many
health care decisions take place on an informal basis, and we permit
disclosures in certain circumstance to permit this practice to
continue. Health care providers may continue to use their discretion to
address these informal situations.
Section 164.502(h)--Confidential Communications
In the NPRM, we did not directly address the issue of whether an
individual could request that a covered entity restrict the manner in
which it communicated with the individual. The NPRM did provide
individuals with the right to request that health care providers
restrict uses and disclosures of protected health information for
treatment, payment and health operations, but providers were not
required to agree to such a restriction.
In the final rule, we require covered providers to accommodate
reasonable requests by patients about how the covered provider
communicates with the individual. For example, an individual who does
not want his or her family members to know about a certain treatment
may request that the provider communicate with the individual at his or
her place of employment, or to send communications to a designated
address. Covered providers must accommodate the request unless it is
unreasonable. Similarly, the final rule permits individuals to request
that health plans communicate with them by alternative means, and the
health plan must accommodate such a request if it is reasonable and the
individual states that disclosure of the information could endanger the
individual. The specific provisions relating to confidential
communications are in Sec. 164.522.
Section 164.502(i)--Uses and Disclosures Consistent with Notice
We proposed to prohibit covered entities from using or disclosing
protected health information in a manner inconsistent with their notice
of information practices. We retain this provision in the final rule.
See Sec. 164.520 regarding notice content and distribution
requirements.
Section 164.502(j)--Disclosures by Whistleblowers and Workforce Member
Crime Victims
Disclosures by Whistleblowers
In Sec. 164.518(c)(4) of the NPRM we addressed the issue of
whistleblowers by proposing that a covered entity not be held in
violation of this rule because a member of its workforce or a person
associated with a business associate of the covered entity used or
disclosed protected health information that such person believed was
evidence of a civil or criminal violation, and any disclosure was: (1)
Made to relevant oversight agencies or law enforcement or (2) made to
an attorney to allow the attorney to determine whether a violation of
criminal or civil law had occurred or to assess the remedies or actions
at law that may be available to the person disclosing the information.
We included an extensive discussion on how whistleblower actions
can further the public interest, including reference to the need in
some circumstances to utilize protected health information for this
purpose as well as reference to the qui tam provisions of the Federal
False Claims Act.
In the final rule we retitle the provision and include it in
Sec. 164.502 to reflect the fact that these disclosures are not made by
the covered entity and therefore this material does not belong in the
section on safeguarding information against disclosure.
We retain the basic concept in the NPRM of providing protection to
a covered entity for the good faith whistleblower action of a member of
its workforce or a business associate. We clarify that a whistleblower
disclosure by an employee, subcontractor, or other person associated
with a business associate is considered a whistleblower disclosure of
the business associate under this provision. However, in the final
rule, we modify the scope of circumstances under which a covered entity
is protected in whistleblower situations. A covered entity is not in
violation of the requirements of this rule when a member of its
workforce or a business associate of the covered entity discloses
protected health information to: (i) A health oversight agency or
public health authority authorized by law to investigate or otherwise
oversee the relevant conduct or conditions of the covered entity; (ii)
an appropriate health care accreditation organization; or (iii) an
attorney, for the purpose of determining his or her legal options with
respect to whistleblowing. We delete disclosures to a law enforcement
official.
We expand the scope of this section to cover disclosures of
protected health information to an oversight or accreditation
organization for the purpose of reporting breaches of professional
standards or problems with quality of care. The covered entity will not
be in violation of this rule, provided that the disclosing individual
believes in good faith that the covered entity has engaged in conduct
which is unlawful or otherwise violates professional or clinical
standards, or that the care, services or conditions provided by the
covered entity potentially endanger one or more patients, workers or
the public. Since these provisions only relate to whistleblower actions
in relation to the covered entity, disclosure of protected health
information to expose malfeasant conduct by another person, such as
knowledge gained during the course of treatment about an individual's
illicit drug use, would not be protected activity.
We clarify that this section only applies to protection of a
covered entity, based on the whistleblower action of a member of its
workforce or business associates. Since the HIPAA legislation only
applies to covered entities, not their workforces, it is beyond the
scope of this rule to directly regulate the
[[Page 82502]]
whistleblower actions of members of a covered entity's workforce.
In the NPRM, we had proposed to require covered entities to apply
sanctions to members of its workforce who improperly disclose protected
health information. In this final rule, we retain this requirement in
Sec. 164.530(e)(1) but modify the proposed provision on sanctions to
clarify that the sanctions required under this rule do not apply to
workforce members of a covered entity for whistleblower disclosures.
Disclosures by Workforce Members Who Are Crime Victims
The proposed rule did not address disclosures by workforce members
who are victims of a crime. In the final rule, we clarify that a
covered entity is not in violation of the rule when a workforce member
of a covered entity who is the victim of a crime discloses protected
health information to law enforcement officials about the suspected
perpetrator of the crime. We limit the amount of protected health
information that may be disclosed to the limited information for
identification and location described in Sec. 164.512(f)(2).
We note that this provision is similar to the provision in
Sec. 164.512(f)(5), which permits a covered entity to disclose
protected health information to law enforcement that the covered entity
believes in good faith constitutes evidence of criminal conduct that
occurred on the premises of the covered entity. This provision differs
in that it permits the disclosure even if the crime occurred somewhere
other than on the premises of the covered entity. For example, if a
hospital employee is the victim of an attack outside of the hospital,
but spots the perpetrator sometime later when the perpetrator seeks
medical care at the hospital, the workforce member who was attacked may
notify law enforcement of the perpetrator's location and other
identifying information. We do not permit, however, the disclosure of
protected health information other than that described in
Sec. 164.512(f)(2).
Section 164.504--Uses and Disclosures--Organizational
Requirements--Component Entities, Affiliated Entities, Business
Associates and Group Health Plans
Section 164.504(a)-(c)--Health Care Component (Component Entities)
In the preamble to the proposed rule we introduced the concept of a
``component entity'' to differentiate the health care unit of a larger
organization from the larger organization. In the proposal we noted
that some organizations that are primarily involved in non-health care
activities do provide health care services or operate health plans or
health care clearinghouses. Examples included a school with an on-site
health clinic and an employer that self administers a sponsored health
plan. In such cases, the proposal said that the health care component
of the entity would be considered the covered entity, and any release
of information from that component to another office or person in the
organization would be a regulated disclosure. We would have required
such entities to create barriers to prevent protected health
information from being used or disclosed for activities not authorized
or permitted under the proposal.
We discuss group health plans and their relationships with plan
sponsors below under ``Requirements for Group Health Plans.''
In the final rule we address the issue of differentiating health
plan, covered health care provider and health care clearinghouse
activities from other functions carried out by a single legal entity in
paragraphs (a)-(c) of Sec. 164.504. We have created a new term,
``hybrid entity'', to describe the situation where a health plan,
health care provider, or health care clearinghouse is part of a larger
legal entity; under the definition, a ``hybrid entity'' is ``a single
legal entity that is a covered entity and whose covered functions are
not its primary functions.'' The term ``covered functions'' is
discussed above under Sec. 164.501. By ``single legal entity'' we mean
a legal entity, such as a corporation or partnership, that cannot be
further differentiated into units with their own legal identities. For
example, for purposes of this rule a multinational corporation composed
of multiple subsidiary companies would not be a single legal entity,
but a small manufacturing firm and its health clinic, if not separately
incorporated, could be a single legal entity.
The health care component rules are designed for the situation in
which the health care functions of the legal entity are not its
dominant mission. Because some part of the legal entity meets the
definition of a health plan or other covered entity, the legal entity
as a whole could be required to comply with the rules below. However,
in such a situation, it makes sense not to require the entire entity to
comply with the requirements of the rules below, when most of its
activities may have little or nothing to do with the provision of
health care; rather, as a practical matter, it makes sense for such an
entity to focus its compliance efforts on the component that is
actually performing the health care functions. On the other hand, where
most of what the covered entity does consist of covered functions, it
makes sense to require the entity as a whole to comply with the rules.
The provisions at Secs. 164.504(a)-(c) provide that for a hybrid
entity, the rules apply only to the part of the entity that is the
health care component. At the same time, the lack of corporate
boundaries increases the risk that protected health information will be
used in a manner that would not otherwise be permitted by these rules.
Thus, we require that the covered entity erect firewalls to protect
against the improper use or disclosure within or by the organization.
See Sec. 164.504(c)(2).
The term ``primary functions'' in the definition of ``hybrid
entity'' is not meant to operate with mathematical precision. Rather,
we intend that a more common sense evaluation take place: Is most of
what the covered entity does related to its health care functions? If
so, then the whole entity should be covered. Entities with different
insurance lines, if not separately incorporated, present a particular
issue with respect to this analysis. Because the definition of ``health
plan'' excludes many types of insurance products (in the exclusion
under paragraph (2)(i) of the definition), we would consider an entity
that has one or more of these lines of insurance in addition to its
health insurance lines to come within the definition of ``hybrid
entity,'' because the other lines of business constitute substantial
parts of the total business operation and are required to be separate
from the health plan(s) part of the business.
An issue that arises in the hybrid entity situation is what records
are covered in the case of an office of the hybrid entity that performs
support functions for both the health care component of the entity and
for the rest of the entity. For example, this situation could arise in
the context of a company with an onsite clinic (which we will assume is
a covered health care provider), where the company's business office
maintains both clinic records and the company's personnel records.
Under the definition of the term ``health care component,'' the
business office is part of the health care component (in this
hypothetical, the clinic) ``to the extent that'' it is performing
covered functions on behalf of the clinic involving the use or
disclosure of protected health information that it receives from,
creates or maintains for the clinic. Part of the business office,
therefore, is part of the
[[Page 82503]]
health care component, and part of the business office is outside the
health care component. This means that the non-health care component
part of the business office is not covered by the rules below. Under
our hypothetical, then, the business office would not be required to
handle its personnel records in accordance with the rules below. The
hybrid entity would be required to establish firewalls with respect to
these record systems, to ensure that the clinic records were handled in
accordance with the rules.
With respect to excepted benefits, the rules below operate as
follows. (Excepted benefits include accident, disability income,
liability, workers' compensation and automobile medical payment
insurance.) Excepted benefit programs are excluded from the health care
component (or components) through the definition of ``health plan.'' If
a particular organizational unit performs both excepted benefits
functions and covered functions, the activities associated with the
excepted benefits program may not be part of the health care component.
For example, an accountant who works for a covered entity with both a
health plan and a life insurer would have his or her accounting
functions performed for the health plan as part of the component, but
not the life insurance accounting function. See
Sec. 164.504(c)(2)(iii). We require this segregation of excepted
benefits because HIPAA does not cover such programs, policies and
plans, and we do not permit any use or disclosure of protected health
information for the purposes of operating or performing the functions
of the excepted benefits without authorization from the individual,
except as otherwise permitted in this rule.
In Sec. 164.504(c)(2) we require covered entities with a health
care component to establish safeguard policies and procedures to
prevent any access to protected health information by its other
organizational units that would not be otherwise permitted by this
rule. We note that section 1173(d)(1)(B) of HIPAA requires policies and
procedures to isolate the activities of a health care clearinghouse
from a ``larger organization'' to prevent unauthorized access by the
larger organization. This safeguard provision is consistent with the
statutory requirement and extends to any covered entity that performs
``non-covered entity functions'' or operates or conducts functions of
more than one type of covered entity.
Because, as noted, the covered entity in the hybrid entity
situation is the legal entity itself, we state explicitly what is
implicitly the case, that the covered entity (legal entity) remains
responsible for compliance vis-a-vis subpart C of part 160. See
Sec. 164.504(c)(3)(i). We do this simply to make these responsibilities
clear and to avoid confusion on this point. Also, in the hybrid entity
situation the covered entity/legal entity has control over the entire
workforce, not just the workforce of the health care component. Thus,
the covered entity is in a position to implement policies and
procedures to ensure that the part of its workforce that is doing mixed
or non-covered functions does not impermissibly use or disclose
protected health information. Its responsibility to do so is clarified
in Sec. 164.504(c)(3)(ii).
Section 164.504(d)--Affiliated Entities
Some legally distinct covered entities may share common
administration of organizationally differentiated but similar
activities (for example, a hospital chain). In Sec. 164.504(d) we
permit legally distinct covered entities that share common ownership or
control to designate themselves, or their health care components,
together to be a single covered entity. Common control exists if an
entity has the power, directly or indirectly, significantly to
influence or direct the actions or policies of another entity. Common
ownership exists if an entity or entities possess an ownership or
equity interest of 5 percent or more in another entity.
Such organizations may promulgate a single shared notice of
information practices and a consent form. For example, a corporation
with hospitals in twenty states may designate itself as a covered
entity and, therefore, able to merge information for joint marketplace
analyses. The requirements that apply to a covered entity also apply to
an affiliated covered entity. For example, under the minimum necessary
provisions, a hospital in one state could not share protected health
information about a particular patient with another hospital if such a
use is not necessary for treatment, payment or health care operations.
The covered entities that together make up the affiliated covered
entity are separately subject to liability under this rule. The
safeguarding requirements for affiliated covered entities track the
requirements that apply to health care components.
Section 164.504(e)--Business Associates
In the NPRM, we proposed to require a contract between a covered
entity and a business associate, except for disclosures of protected
health information by a covered entity that is a health care provider
to another health care provider for the purposes of consultation or
referral. A covered entity would have been in violation of this rule if
the covered entity knew or reasonably should have known of a material
breach of the contract by a business associate and it failed to take
reasonable steps to cure the breach or terminate the contract. We
proposed in the preamble that when a covered entity acted as a business
associate to another covered entity, the covered entity that was acting
as business associate also would have been responsible for any
violations of the regulation.
We also proposed that covered health care providers receiving
protected health information for consultation or referral purposes
would still have been subject to this rule, and could not have used or
disclosed such protected health information for a purpose other than
the purpose for which it was received (i.e., the consultation or
referral). Further, we noted that providers making disclosures for
consultations or referrals should be careful to inform the receiving
provider of any special limitations or conditions to which the
disclosing provider had agreed to impose (e.g., the disclosing provider
had provided notice to its patients that it would not make disclosures
for research).
We proposed that business associates would not have been permitted
to use or disclose protected health information in ways that would not
have been permitted of the covered entity itself under these rules, and
covered entities would have been required to take reasonable steps to
ensure that protected health information disclosed to a business
associate remained protected.
In the NPRM (proposed Sec. 164.506(e)(2)) we would have required
that the contractual agreement between a covered entity and a business
associate be in writing and contain provisions that would:
Prohibit the business associate from further using or
disclosing the protected health information for any purpose other than
the purpose stated in the contract.
Prohibit the business associate from further using or
disclosing the protected health information in a manner that would
violate the requirements of this proposed rule if it were done by the
covered entity.
Require the business associate to maintain safeguards as
necessary to ensure that the protected health information is not used
or disclosed except as provided by the contract.
Require the business associate to report to the covered
entity any use or disclosure of the protected health information of
which the business
[[Page 82504]]
associate becomes aware that is not provided for in the contract.
Require the business associate to ensure that any
subcontractors or agents to whom it provides protected health
information received from the covered entity will agree to the same
restrictions and conditions that apply to the business associate with
respect to such information.
Require the business associate to provide access to non-
duplicative protected health information to the subject of that
information, in accordance with proposed Sec. 164.514(a).
Require the business associate to make available its
internal practices, books and records relating to the use and
disclosure of protected health information received from the covered
entity to the Secretary for the purposes of enforcing the provisions of
this rule.
Require the business associate, at termination of the
contract, to return or destroy all protected health information
received from the covered entity that the business associate still
maintains in any form to the covered entity and prohibit the business
associate from retaining such protected health information in any form.
Require the business associate to incorporate any
amendments or corrections to protected health information when notified
by the covered entity that the information is inaccurate or incomplete.
State that individuals who are the subject of the
protected health information disclosed are intended to be third party
beneficiaries of the contract.
Authorize the covered entity to terminate the contract, if
the covered entity determines that the business associate has violated
a material term of the contract.
We also stated in the preamble to the NPRM that the contract could
have included any additional arrangements that did not violate the
provisions of this regulation.
We explained in the preamble to the NPRM that a business associate
(including business associates that are covered entities) that had
contracts with more than one covered entity would have had no authority
to combine, aggregate or otherwise use for a single purpose protected
health information obtained from more than one covered entity unless
doing so would have been a lawful use or disclosure for each of the
covered entities that supplied the protected health information that is
being combined, aggregated or used. In addition, the business associate
would have had to have been authorized through the contract or
arrangement with each covered entity that supplied the protected health
information to combine or aggregate the information. A covered entity
would not have been permitted to obtain protected health information
through a business associate that it could not otherwise obtain itself.
In the final rule we retain the overall approach proposed: covered
entities may disclose protected health information to persons that meet
the rule's definition of business associate, or hire such persons to
obtain or create protected health information for them, only if covered
entities obtain specified satisfactory assurances from the business
associate that it will appropriately handle the information; the
regulation specifies the elements of such satisfactory assurances;
covered entities have responsibilities when such specified satisfactory
assurances are violated by the business associate. We retain the
requirement that specified satisfactory assurances must be obtained if
a covered entity's business associate is also a covered entity. We note
that a master business associate contract or MOU that otherwise meets
the requirements regarding specified satisfactory assurances meets the
requirements with respect to all the signatories.
A covered entity may disclose protected health information to a
business associate, consistent with the other requirements of the final
rule, as necessary to permit the business associate to perform
functions and activities for or on behalf of the covered entity, or to
provide the services specified in the business associate definition to
or for the covered entity. As discussed below, a business associate may
only use the protected health information it receives in its capacity
as a business associate to a covered entity as permitted by its
contract or agreement with the covered entity.
We do not attempt to directly regulate business associates, but
pursuant to our authority to regulate covered entities we place
restrictions on the flow of information from covered entities to non-
covered entities. We add a provision to clarify that a violation of a
business associate agreement by a covered entity that is a business
associate of another covered entity constitutes a violation of this
rule.
In the final rule, we make significant changes to the requirements
regarding business associates. As explained below in more detail: we
make significant changes to the content of the required contractual
satisfactory assurances; we include exceptions for arrangements that
would otherwise meet the definition of business associate; we make
special provisions for government agencies that by law cannot enter
into contracts with one another or that operate under other legal
requirements incompatible with some aspects of the required contractual
satisfactory assurances; we provide a new mechanism for covered
entities to hire a third party to aggregate data.
The final rule provides several exception to the business associate
requirements, where a business associate relationship would otherwise
exist. We substantially expand the exception for disclosure of
protected health information for treatment. Rather than allowing
disclosures without business associate assurances only for the purpose
of consultation or referral, in the final rule we allow covered
entities to make any disclosure of protected health information for
treatment purposes to a health care provider without a business
associate arrangement. This provision includes all activities that fall
under the definition of treatment.
We do not require a business associate contract for a group health
plan to make disclosures to the plan sponsor, to the extent that the
health plan meets the applicable requirements of Sec. 164.504(f).
We also include an exception for certain jointly administered
government programs providing public benefits. Where a health plan that
is a government program provides public benefits, such as SCHIP and
Medicaid, and where eligibility for, or enrollment in, the health plan
is determined by an agency other than the agency administering the
health plan, or where the protected health information used to
determine enrollment or eligibility in the health plan is collected by
an agency other than the agency administering the health plan, and the
joint activities are authorized by law, no business associate contract
is required with respect to the collection and sharing of individually
identifiable health information for the performance of the authorized
functions by the health plan and the agency other than the agency
administering the health plan. We note that the phrase ``government
programs providing public benefits'' refers to programs offering
benefits to specified members of the public and not to programs that
offer benefits only to employees or retirees of government agencies.
We note that we do not consider a financial institution to be
acting on behalf of a covered entity, and therefore no business
associate contract is required, when it processes consumer-conducted
financial transactions by debit, credit or other payment card,
[[Page 82505]]
clears checks, initiates or processes electronic funds transfers, or
conducts any other activity that directly facilitates or effects the
transfer of funds for compensation for health care. A typical consumer-
conducted payment transaction is when a consumer pays for health care
or health insurance premiums using a check or credit card. In these
cases, the identity of the consumer is always included and some health
information (e.g., diagnosis or procedure) may be implied through the
name of the health care provider or health plan being paid. Covered
entities that initiate such payment activities must meet the minimum
necessary disclosure requirements described in the preamble to
Sec. 164.514.
In the final rule, we reduce the extent to which a covered entity
must monitor the actions of its business associate and we make it
easier for covered entities to identify the circumstances that will
require them to take actions to correct a business associate's material
violation of the contract, in the following ways. We delete the
proposed language requiring covered entities to ``take reasonable steps
to ensure'' that each business associate complies with the rule's
requirements. Additionally, we now require covered entities to take
reasonable steps to cure a breach or terminate the contract for
business associate behaviors only if they know of a material violation
by a business associate. In implementing this standard, we will view a
covered entity that has substantial and credible evidence of a
violation as knowing of such violation. While this standard relieves
the covered entity of the need to actively monitor its business
associates, a covered entity nonetheless is expected to investigate
when they receive complaints or other information that contain
substantial and credible evidence of violations by a business
associate, and it must act upon any knowledge of such violation that it
possesses. We note that a whistleblowing disclosure by a business
associate of a covered entity that meets the requirements of
Sec. 164.502(j)(1) does not put the covered entity in violation of this
rule, and the covered entity has no duty to correct or cure, or to
terminate the relationship.
We also qualify the requirement for terminating contracts with non-
compliant business associates. The final rule still requires that the
business associate contract authorize the covered entity to terminate
the contract, if the covered entity determines that the business
associate has violated a material term of the contract, and it requires
the covered entity to terminate the contract if steps to cure such a
material breach fail. The rule now stipulates, however, that if the
covered entity is unable to cure a material breach of the business
associate's obligation under the contract, it is expected to terminate
the contract, when feasible. This qualification has been added to
accommodate circumstances where terminating the contract would be
unreasonably burdensome on the covered entity, such as when there are
no viable alternatives to continuing a contract with that particular
business associate. It does not mean, for instance, that the covered
entity can choose to continue the contract with a non-compliant
business associate merely because it is more convenient or less costly
than contracts with other potential business associates. We also
require that if a covered entity determines that it is not feasible to
terminate a non-compliant business associate, the covered entity must
notify the Secretary.
We retain all of the requirements for a business associate contract
that were listed in proposed Sec. 164.506(e)(2), with some
modifications. See Sec. 164.504(e)(2).
We retain the requirement that the business associate contract must
provide that the business associate will not use or further disclose
the information other than as permitted or required by the contract or
as required by law. We do not mean by this requirement that the
business associate contract must specify each and every use and
disclosure of protected health information permitted to the business
associate. Rather, the contract must state the purposes for which the
business associate may use and disclose protected health information,
and must indicate generally the reasons and types of persons to whom
the business associate may make further disclosures. For example,
attorneys often need to provide information to potential witnesses,
opposing counsel, and others in the course of their representation of a
client. The business associate contract pursuant to which protected
health information is provided to its attorney may include a general
statement permitting the attorney to disclose protected health
information to these types of people, within the scope of its
representation of the covered entity.
We retain the requirement that a business associate contract may
not authorize a business associate to use or further disclose protected
health information in a manner that would violate the requirements of
this subpart if done by the covered entity, but we add two exceptions.
First, we permit a covered entity to authorize a business associate to
use and disclose protected health information it receives in its
capacity as a business associate for its proper management and
administration and to carry out its legal responsibilities. The
contract must limit further disclosures of the protected health
information for these purposes to those that are required by law and to
those for which the business associate obtains reasonable assurances
that the protected health information will be held confidentially and
that it will be notified by the person to whom it discloses the
protected health information of any breaches of confidentiality.
Second, we permit a covered entity to authorize the business
associate to provide data aggregation services to the covered entity.
As discussed above in Sec. 164.501, data aggregation, with respect to
protected health information received by a business associate in its
capacity as the business associate of a covered entity, is the
combining of such protected health information by the business
associate with protected health information received by the business
associate in its capacity as a business associate of another covered
entity, to permit the creation of data for analyses that relate to the
health care operations of the respective covered entities. We added
this service to the business associate definition to clarify the
ability of covered entities to contract with business associates to
undertake quality assurance and comparative analyses that involve the
protected health information of more than one contracting covered
entity. We except data aggregation from the general requirement that a
business associate contract may not authorize a business associate to
use or further disclose protected health information in a manner that
would violate the requirements of this subpart if done by the covered
entity in order to permit the combining or aggregation of protected
health information received in its capacity as a business associate of
different covered entities when it is performing this service. In many
cases, the combining of this information for the respective health care
operations of the covered entities is not something that the covered
entities could do--a covered entity cannot generally disclose protected
health information to another covered entity for the disclosing covered
entity's health care operations. However, we permit covered entities
that enter into business associate contracts with a business associate
for data aggregation to permit the business associate to combine or
aggregate the protected health information they
[[Page 82506]]
disclose to the business associate for their respective health care
operations.
We note that there may be other instances in which a business
associate may combine or aggregate protected health information
received in its capacity as a business associate of different covered
entities, such as when it is performing health care operations on
behalf of covered entities that participate in an organized health care
arrangement. A business associate that is performing payment functions
on behalf of different covered entities also may combine protected
health information when it is necessary, such as when the covered
entities share financial risk or otherwise jointly bill for services.
In the final rule we clarify that the business associate contract
must require the business associate to make available protected health
information for amendment and to incorporate such amendments. The
business associate contract must also require the business associate to
make available the information required to provide an accounting of
disclosures. We provide more flexibility to the requirement that all
protected health information be returned by the business associate upon
termination of the contract. The rule now stipulates that if feasible,
the protected health information should be destroyed or returned at the
end of a contract. Accordingly, a contract with a business associate
must state that if there are reasons that the return or destruction of
the information is not feasible and the information must be retained
for specific reasons and uses, such as for future audits, privacy
protections must continue after the contract ends, for as long as the
business associate retains the information. The contract also must
state that the uses of information after termination of the contract
must be limited to the specific set of uses or disclosures that make it
necessary for the business associate to retain the information.
We also remove the requirement that business associate contracts
contain a provision stating that individuals whose protected health
information is disclosed under the contract are intended third-party
beneficiaries of the contract. Third party beneficiary or similar
responsibilities may arise under these business associate arrangements
by operation of state law; we do not intend in this rule to affect the
operation of such state laws.
We modify the requirement that a business associate contract
require the business associate to ensure that agents abide by the
provisions of the business associate contract. We clarify that agents
includes subcontractors, and we note that a business associate contract
must make the business associate responsible for ensuring that any
person to whom it delegates a function, activity or service which is
within its business associate contract with the covered entity agrees
to abide by the restrictions and conditions that apply to the business
associate under the contract. We note that a business associate will
need to consider the purpose for which protected health information is
being disclosed in determining whether the recipient must be bound to
the restrictions and conditions of the business associate contract.
When the disclosure is a delegation of a function, activity or service
that the business associate has agreed to perform for a covered entity,
the recipient who undertakes such a function steps into the shoes of
the business associate and must be bound to the restrictions and
conditions. When the disclosure is to a third party who is not
performing business associate functions, activities or services for on
behalf of the covered entity, but is the type of disclosure that the
covered entity itself could make without giving rise to a business
associate relationship, the business associate is not required to
ensure that the restrictions or conditions of the business associate
contract are maintained.
For example, if a business associate acts as the billing agent of a
health care provider, and discloses protected health information on
behalf of the hospital to health plans, the business associate has no
responsibility with respect to further uses or disclosures by the
health plan. In the example above, where a covered entity has a
business associate contract with a lawyer, and the lawyer discloses
protected health information to an expert witness in preparation for
litigation, the lawyer again would have no responsibility under this
subpart with respect to uses or disclosures by the expert witness,
because such witness is not undertaking the functions, activities or
services that the business associate lawyer has agreed to perform.
However, if a covered entity contracts with a third party administrator
to provide claims management, and the administrator delegates
management of the pharmacy benefits to a third party, the business
associate third party administrator must ensure that the pharmacy
manager abides by the restrictions and conditions in the business
associate contract between the covered entity and the third party
administrator.
We provide in Sec. 164.504(c)(3) several methods other than a
business associate contract that will satisfy the requirement for
satisfactory assurances under this section. First, when a government
agency is a business associate of another government agency that is a
covered entity, we permit memorandum of understanding between the
agencies to constitute satisfactory assurance for the purposes of this
rule, if the memorandum accomplishes each of the objectives of the
business associate contract. We recognize that the relationships of
government agencies are often organized as a matter of law, and that it
is not always feasible for one agency to contract with another for all
of the purposes provided for in this section. We also recognize that it
may be incorrect to view one government agency as ``acting on behalf
of'' the other government agency; under law, each agency may be acting
to fulfill a statutory mission. We note that in some instances, it may
not be possible for the agencies to include the right to terminate the
arrangement because the relationship may be established under law. In
such instances, the covered entity government agency would need to
fulfill the requirement to report known violations of the memorandum to
the Secretary.
Where the covered entity is a government agency, we consider the
satisfactory assurances requirement to be satisfied if other law
contains requirements applicable to the business associate that
accomplish each of the objectives of the business associate contract.
We recognize that in some cases, covered entities that are government
agencies may be able to impose the requirements of this section
directly on the persons acting as their business associates. We also
recognize that often one government agency is acting as a business
associate of another government agency, and either party may have the
legal authority to establish the requirements of this section by
regulation. We believe that imposing these requirements directly on
business associates provides greater protection than we can otherwise
provide under this section, and so we recognize such other laws as
sufficient to substitute for a business associate contract.
We also recognize that there may be some circumstances where the
relationship between covered entities and business associates is
otherwise mandated by law. In the final rule, we provide that where a
business associate is required by law to act as a business associate to
a covered entity, the covered entity may disclose protected health
information to the business associate to the extent necessary to comply
with the legal mandate without
[[Page 82507]]
meeting the requirement to have a business associate contract (or, in
the case of government agencies, a memorandum of understanding or law
pertaining to the business associate) if it makes a good faith attempt
the obtain satisfactory assurances required by this section and, if
unable to do so, documents the attempt and the reasons that such
assurances cannot be obtained. This provision addresses situations
where law requires one party to act as the business associate of
another party. The fact that the parties have contractual obligations
that may be enforceable is not sufficient to meet the required by law
test in this provision.
This provision recognizes that in some instances the law requires
that a government agency act as a business associate of a covered
entity. For example, the United States Department of Justice is
required by law to defend tort suits brought against certain covered
entities; in such circumstances, however, the United States, and not
the individual covered entity, is the client and is potentially liable.
In such situations, covered entities must be able to disclose protected
health information needed to carry out the representation, but the
particular requirements that would otherwise apply to a business
associate relationship may not be possible to obtain. Subsection (iii)
makes clear that, where the relationship is required by law, the
covered entity complies with the rule if it attempts, in good faith, to
obtain satisfactory assurances as are required by this paragraph and,
if such attempt fails, documents the attempts and the reasons that such
assurances cannot be obtained.
The operation of the final rule maintains the construction
discussed in the preamble to the NPRM that a business associate
(including a business associate that is a covered entity) that has
business associate contracts with more than one covered entity
generally may not use or disclose the protected health information that
it creates or receives in its capacity as a business associate of one
covered entity for the purposes of carrying out its responsibilities as
a business associate of another covered entity, unless doing so would
be a lawful use or disclosure for each of the covered entities and the
business associate's contract with each of the covered entities permits
the business associate to undertake the activity. For example, a
business associate performing a function under health care operations
on behalf of an organized health care arrangement would be permitted to
combine or aggregate the protected health information obtained from
covered entities participating in the arrangement to the extent
necessary to carry out the authorized activity and in conformance with
its business associate contracts. As described above, a business
associate providing data aggregation services to different covered
entities also could combine and use the protected health information of
the covered entities to assist with their respective health care
operations. A covered entity that is undertaking payment activities on
behalf of different covered entities also may use or disclose protected
health information obtained as a business associate of one covered
entity when undertaking such activities as a business associate of
another covered entity where the covered entities have authorized the
activities and where they are necessary to secure payment for the
entities. For example, when a group of providers share financial risk
and contract with a business associate to conduct payment activities on
their behalf, the business associate may use the protected health
information received from the covered entities to assist them in
managing their shared risk arrangement.
Finally, we note that the requirements imposed by this provision
are intended to extend privacy protection to situations in which a
covered entity discloses substantial amounts of protected health
information to other persons so that those persons can perform
functions or activities on its behalf or deliver specified services to
it. A business associate contract basically requires the business
associate to maintain the confidentiality of the protected health
information that it receives and generally to use and disclose such
information for the purposes for which it was provided. This
requirement does not interfere with the relationship between a covered
entity and business associate, or require the business associate to
subordinate its professional judgment to that of a covered entity.
Covered entities may rely on the professional judgment of their
business associates as to the type and amount of protected health
information that is necessary to carry out a permitted activity. The
requirements of this provision are aimed at securing the continued
confidentiality of protected health information disclosed to third
parties that are serving the covered entity's interests.
Section 164.504(f)--Group Health Plans
Covered entities under HIPAA include health care clearinghouses,
health care providers and health plans. Specifically included in the
definition of ``health plan'' are group health plans (as defined in
section 2791(a) of the Public Health Service Act) with 50 or more
participants or those of any size that are administered by an entity
other than the employer who established and maintains the plan. These
group health plans may be fully insured or self-insured. Neither
employers nor other group health plan sponsors are defined as covered
entities. However, employers and other plan sponsors--particularly
those sponsors with self-insured group health plans--may perform
certain functions that are integrally related to or similar to the
functions of group health plans and, in carrying out these functions,
often require access to individual health information held by the group
health plan.
Most group health plans are also regulated under the Employee
Retirement Income Security Act of 1974 (ERISA). Under ERISA, a group
health plan must be a separate legal entity from its plan sponsor.
ERISA-covered group health plans usually do not have a corporate
presence, in other words, they may not have their own employees and
sometimes do not have their own assets (i.e., they may be fully insured
or the benefits may be funded through the general assets of the plan
sponsor, rather than through a trust). Often, the only tangible
evidence of the existence of a group health plan is the contractual
agreement that describes the rights and responsibilities of covered
participants, including the benefits that are offered and the eligible
recipients.
ERISA requires the group health plan to identify a ``named
fiduciary,'' a person responsible for ensuring that the plan is
operated and administered properly and with ultimate legal
responsibility for the plan. If the plan documents under which the
group health plan was established and is maintained permit, the named
fiduciary may delegate certain responsibilities to trustees and may
hire advisors to assist it in carrying out its functions. While
generally the named fiduciary is an individual, it may be another
entity. The plan sponsor or employees of the plan sponsor are often the
named fiduciaries. These structural and operational relationships
present a problem in our ability to protect health information from
being used inappropriately in employment-related decisions. On the one
hand, the group health plan, and any health insurance issuer or HMO
providing health insurance or health coverage to the group health plan,
are covered entities under the regulation and may only disclose
protected health information as authorized under the
[[Page 82508]]
regulation or with individual consent. On the other hand, plan sponsors
may need access to protected health information to carry out
administration functions on behalf of the plan, but under circumstances
in which securing individual consent is impractical. We note that we
sometimes refer in the rule and preamble to health insurance issuers
and HMOs that provide health insurance or health coverage to a group
health plan as health insurance issuers or HMOs with respect to a group
health plan.
The proposed rule used the health care component approach for
employers and other plan sponsors. Under this approach, only the
component of an employer or other plan sponsor would be treated as a
covered entity. The component of the plan sponsor would have been able
to use protected health information for treatment, payment, and health
care operations, but not for other purposes, such as discipline, hiring
and firing, placement and promotions. We have modified the final rule
in a number of ways.
In the final rule, we recognize plan sponsors' legitimate need for
health information in certain situations while, at the same time,
protecting health information from being used for employment-related
functions or for other functions related to other employee benefit
plans or other benefits provided by the plan sponsor. We do not attempt
to directly regulate employers or other plan sponsors, but pursuant to
our authority to regulate health plans, we place restrictions on the
flow of information from covered entities to non-covered entities.
The final rule permits group health plans, and allows them to
authorize health insurance issuers or HMOs with respect to the group
health plan, to disclose protected health information to plan sponsors
if the plan sponsors voluntarily agree to use and disclose the
information only as permitted or required by the regulation. The
information may be used only for plan administration functions
performed on behalf of the group health plan which are specified in
plan documents. The group health plan is not required to have a
business associate contract with the plan sponsor to disclose the
protected health information or allow the plan sponsor to create
protected health information on its behalf, if the conditions of
Sec. 164.504(e) are met.
In order for the group health plan to disclose protected health
information to a plan sponsor, the plan documents under which the plan
was established and is maintained must be amended to: (1) Describe the
permitted uses and disclosures of protected health information; (2)
specify that disclosure is permitted only upon receipt of a
certification from the plan sponsor that the plan documents have been
amended and the plan sponsor has agreed to certain conditions regarding
the use and disclosure of protected health information; and (3) provide
adequate firewalls to: identify the employees or classes of employees
who will have access to protected health information; restrict access
solely to the employees identified and only for the functions performed
on behalf of the group health plan; and provide a mechanism for
resolving issues of noncompliance.
Any employee of the plan sponsor who receives protected health
information for payment, health care operations or other matters
related to the group health plan must be identified in the plan
documents either by name or function. We assume that since individuals
employed by the plan sponsor may change frequently, the group health
plan would likely describe such individuals in a general manner. Any
disclosure to employees or classes of employees not identified in the
plan documents is not a permissible disclosure. To the extent a group
health plan does have its own employees separate from the plan
sponsor's employees, as the workforce of a covered entity (i.e. the
group health plan), they also are bound by the permitted uses and
disclosures of this rule.
The certification that must be given to the group health plan must
state that the plan sponsor agrees to: (1) Not use or further disclose
protected health information other than as permitted or required by the
plan documents or as required by law; (2) ensure that any
subcontractors or agents to whom the plan sponsor provides protected
health information agree to the same restrictions; (3) not use or
disclose the protected health information for employment-related
actions; (4) report to the group health plan any use or disclosure that
is inconsistent with the plan documents or this regulation; (5) make
the protected health information accessible to individuals; (6) allow
individuals to amend their information; (7) provide an accounting of
its disclosures; (8) make its practices available to the Secretary for
determining compliance; (9) return and destroy all protected health
information when no longer needed, if feasible; and (10) ensure that
the firewalls have been established.
We have included this certification requirement in part, as a way
to reduce the burden on health insurance issuers and HMOs. Without a
certification, health insurance issuers and HMOs would need to review
the plan documents in order to ensure that the amendments have been
made before they could disclose protected health information to plan
sponsors. The certification, however, is a simple statement that the
amendments have been made and that the plan sponsor has agreed to
certain restrictions on the use and disclosure of protected health
information. The receipt of the certification therefore, is sufficient
basis for the health insurance issuer or HMO to disclose protected
health information to the plan sponsor.
Many activities included in the definitions of health care
operations and payment are commonly referred to as plan administration
functions in the ERISA group health plan context. For purposes of this
rule, plan administration activities are limited to activities that
would meet the definition of payment or health care operations, but do
not include functions to modify, amend, or terminate the plan or
solicit bids from prospective issuers. Plan administration functions
include quality assurance, claims processing, auditing, monitoring, and
management of carve-out plans--such as vision and dental. Under the
final rule, ``plan administration'' does not include any employment-
related functions or functions in connection with any other benefits or
benefit plans, and group health plans may not disclose information for
such purposes absent an authorization from the individual. For purposes
of this rule, enrollment functions performed by the plan sponsor on
behalf of its employees are not considered plan administration
functions.
Plan sponsors have access to protected health information only to
the extent group health plans have access to protected health
information and plan sponsors are permitted to use or disclose
protected health information only as would be permitted by group health
plans. That is, a group health plan may permit a plan sponsor to have
access to or to use protected health information only for purposes
allowed by the regulation.
As explained above, where a group health plan purchases insurance
or coverage from a health insurance issuer or HMO, the provision of
insurance or coverage by the health insurance issuer or HMO to the
group health plan does not make the health insurance issuer or HMO a
business associate. In such case, the activities of the health
insurance issuer or HMO are on their own behalf and not on the behalf
of the group
[[Page 82509]]
health plan. We note that where a group health plan contracts with a
health insurance issuer or HMO to perform functions or activities or to
provide services that are in addition to or not directly related to the
provision of insurance, the health insurance issuer or HMO may be a
business associate with respect to those additional functions,
activities, or services. In addition, group health plans that provide
health benefits only through an insurance contract and do not create,
maintain, or receive protected health information (except for summary
information described below or information that merely states whether
an individual is enrolled in or has been disenrolled from the plan) do
not have to meet the notice requirements of Sec. 164.520 or the
administrative requirements of Sec. 164.530, except for the
documentation requirement in Sec. 164.530(j), because these
requirements are satisfied by the issuer or HMO that is providing
benefits under the group health plan. A group health plan, however, may
not permit a health insurance issuer or HMO to disclose protected
health information to a plan sponsor unless the notice required in
164.520 indicate such disclosure may occur.
The final rule also permits a health plan that is providing
insurance to a group health plan to provide summary information to the
plan sponsor to permit the plan sponsor to solicit premium bids from
other health plans or for the purpose of modifying, amending, or
terminating the plan. The rule provides that summary information is
information that summarizes claims history, claims expenses, or types
of claims experienced by individuals for whom the plan sponsor has
provided health benefits under a group health plan, provided that
specified identifiers are not included. Summary information may be
disclosed under this provision even if it does not meet the definition
of de-identified information. As part of the notice requirements in
Sec. 164.520, health plans must inform individuals that they may
disclose protected health information to plan sponsors. The provision
to allow summaries of claims experience to be disclosed to plan
sponsors that purchase insurance will allow them to shop for
replacement coverage, and get meaningful bids from prospective issuers.
It also permits a plan sponsor to get summary information as part of
its consideration of whether or not to change the benefits that are
offered or employees or whether or not to terminate a group health
plan.
We note that a plan sponsor may perform enrollment functions on
behalf of its employees without meeting the conditions above and
without using the standard transactions described in the Transactions
Rule.
Section 164.504(g)--Multiple Covered Function Entities
Although not addressed in the proposed rule, this final rule also
recognizes that a covered entity may as a single legal entity,
affiliated entity, or other arrangement combine the functions or
operations of health care providers, health plans and health care
clearinghouses (for example, integrated health plans and health care
delivery systems may function as both health plans and health care
providers). The rule permits such covered entities to use or disclose
the protected health information of its patients or members for all
covered entity functions, consistent with the other requirements of
this rule. The health care component must meet the requirements of this
rule that apply to a particular type of covered entity when it is
functioning as that entity; e.g., when a health care component is
operating as a health care provider it must meet the requirements of
this rule applicable to a health care provider. However, such covered
entities may not use or disclose the protected health information of an
individual who is not involved in a particular covered entity function
for that function, and such information must be segregated from any
joint information systems. For example, an HMO may integrate data about
health plan members and clinic services to members, but a health care
system may not share information about a patient in its hospital with
its health plan if the patient is not a member of the health plan.
Section 164.506--Uses and Disclosures for Treatment, Payment, and
Health Care Operations
Introduction: ``Consent'' versus ``Authorization''
In the proposed rule, we used the term ``authorization'' to
describe the individual's written permission for a covered entity to
use and disclose protected health information, regardless of the
purpose of the use or disclosure. Authorization would have been
required for all uses and disclosures that were not otherwise permitted
or required under the NPRM.
We proposed to permit covered entities, subject to limited
exceptions for psychotherapy notes and research information unrelated
to treatment, to use and disclose protected health information to carry
out treatment, payment, and health care operations without
authorization. See proposed Sec. 164.506(a)(1).
We also proposed to prohibit covered entities from requiring
individuals to sign authorizations for uses and disclosures of
protected health information for treatment, payment, and health care
operations, unless required by other applicable law. See proposed
Sec. 164.508(a)(iv). We instead proposed requiring covered entities to
produce a notice describing their information practices, including
practices with respect to uses and disclosures to carry out treatment,
payment, and health care operations.
In the final rule, we retain the requirement for covered entities
to obtain the individual's written permission (an ``authorization'')
for uses and disclosures of protected health information that are not
otherwise permitted or required under the rule. However, under the
final rule, we add a second type of written permission for use or
disclosure of protected health information: a ``consent'' for uses and
disclosures to carry out treatment, payment, and health care
operations. In the final rule, we permit, and in some cases require,
covered entities to obtain the individual's written permission for the
covered entity to use or disclose protected health information other
than psychotherapy notes to carry out treatment, payment, and health
care operations. We refer to this written permission as a ``consent.''
The ``consent'' and the ``authorization'' do not overlap. The
requirement to obtain a ``consent'' applies in different circumstances
than the requirement to obtain an authorization. In content, a consent
and an authorization differ substantially from one another.
As described in detail below, a ``consent'' allows use and
disclosure of protected health information only for treatment, payment,
and health care operations. It is written in general terms and refers
the individual to the covered entity's notice for further information
about the covered entity's privacy practices. It allows use and
disclosure of protected health information by the covered entity
seeking the consent, not by other persons. Most persons who obtain a
consent will be health care providers; health plans and health care
clearinghouses may also seek a consent. The consent requirements appear
in Sec. 164.506 and are described in this section of the preamble.
With a few exceptions, an ``authorization'' allows use and
disclosure of protected health information for purposes other than
treatment, payment, and health care
[[Page 82510]]
operations. In order to make uses and disclosures that are not covered
by the consent requirements and not otherwise permitted or required
under the final rule, covered entities must obtain the individual's
``authorization.'' An ``authorization'' must be written in specific
terms. It may allow use and disclosure of protected health information
by the covered entity seeking the authorization, or by a third party.
In some instances, a covered entity may not refuse to treat or cover
individuals based on the fact that they refuse to sign an
authorization. See Sec. 164.508 and the corresponding preamble
discussion regarding authorization requirements.
Section 164.506(a)--Consent Requirements
We make significant changes in the final rule with respect to uses
and disclosures of protected health information to carry out treatment,
payment, and health care operations. We do not prohibit covered
entities from seeking an individual's written permission for use or
disclosure of protected health information to carry out treatment,
payment, or health care operations.
Except as described below, we instead require covered health care
providers to obtain the individual's consent prior to using or
disclosing protected health information to carry out treatment,
payment, or health care operations. If the covered provider does not
obtain the individual's consent, the provider is prohibited from using
or disclosing protected health information about the individual for
purposes of treating the individual, obtaining payment for health care
delivered to the individual, or for the provider's health care
operations. See Sec. 164.506(a)(1).
We except two types of health care providers from this consent
requirement. First, covered health care providers that have an indirect
treatment relationship with an individual are not required to obtain
the individual's consent prior to using or disclosing protected health
information about the individual to carry out treatment, payment, and
health care operations. An ``indirect treatment relationship'' is
defined in Sec. 164.501 and described in the corresponding preamble.
These providers may use and disclose protected health information as
otherwise permitted under the rule and consistent with their notice of
privacy practices (see Sec. 164.520 regarding notice requirements and
Sec. 164.502(i) regarding requirements to adhere to the notice). For
example, a covered provider that provides consultation services to
another provider without seeing the patient would have an indirect
treatment relationship with that patient and would not be required to
obtain the patient's consent to use protected health information about
the patient for the consultation. These covered providers are, however,
permitted to obtain consent, as described below.
Second, covered health care providers that create or receive
protected health information in the course of providing health care to
inmates of a correctional institution are not required to obtain the
inmate's consent prior to using or disclosing protected health
information about the inmate to carry out treatment, payment, and
health care operations. See Sec. 164.501 and the corresponding preamble
discussion regarding the definitions of ``correctional institution''
and ``inmate.'' These providers may use and disclose protected health
information as otherwise permitted under the rule. These providers are
permitted, however, to obtain consent, as described below.
In addition, we permit covered health care providers to use and
disclose protected health information, without consent, to carry out
treatment, payment, and health care operations, if the protected health
information was created or received in certain treatment situations. In
the treatment situations described in Sec. 164.506(a)(3) and
immediately below, the covered health care provider must attempt to
obtain the individual's consent. If the covered provider is unable to
obtain consent, but documents the attempt and the reason consent was
not obtained, the covered provider may, without consent, use and
disclose the protected health information resulting from the treatment
as otherwise permitted under the rule. All other protected health
information about that individual that the covered health care provider
creates or receives, however, is subject to the consent requirements.
This exception to the consent requirement applies to protected
health information created or received in any of three treatment
situations. First, the exception applies to protected health
information created or received in emergency treatment situations. In
these situations, covered providers must attempt to obtain the consent
as soon as reasonably practicable after the delivery of the emergency
treatment. Second, the exception applies to protected health
information created or received in situations where the covered health
care provider is required by law to treat the individual (for example,
certain publicly funded providers) and the covered health care provider
attempts to obtain such consent. Third, the exception applies to
protected health information created or received in treatment
situations where there are substantial barriers to communicating with
the individual and, in the exercise of professional judgment, the
covered provider clearly infers from the circumstances the individual's
consent to receive treatment. For example, there may be situations in
which a mentally incapacitated individual seeks treatment from a health
care provider but is unable to provide informed consent to undergo such
treatment and does not have a personal representative available to
provide such consent on the individual's behalf. If the covered
provider, in her professional judgment, believes she can legally
provide treatment to that individual, we also permit the provider to
use and disclose protected health information resulting from the
treatment without the individual's consent. We intend covered health
care providers that legally provide treatment without the individual's
consent to that treatment to be able to use and disclose protected
health information resulting from that treatment to carry out
treatment, payment, or health care operations without obtaining the
individual's consent for such use or disclosure. We do not intend to
impose unreasonable barriers to individuals' ability to receive, and
health care providers' ability to provide, health care.
Under Sec. 164.506(a)(4), covered health care providers that have
an indirect treatment relationship with an individual, as well as
health plans and health care clearinghouses, may elect to seek consent
for their own uses and disclosures to carry out treatment, payment, and
health care operations. If such a covered entity seeks consent for
these purposes, the consent must meet the minimum requirements
described below.
If a covered health care provider with an indirect treatment
relationship, a health plan, or a health care clearinghouse does not
seek consent, the covered entity may use or disclose protected health
information to carry out treatment, payment, and health care operations
as otherwise permitted under the rule and consistent with its notice of
privacy practices (see Sec. 164.520 regarding notice requirements and
Sec. 164.502(i) regarding requirements to adhere to the notice).
If a covered health care provider with an indirect treatment
relationship, a health plan, or a health care clearinghouse does ask an
individual to sign a consent, and the individual does not do so, the
covered entity is
[[Page 82511]]
prohibited under Sec. 164.502(a)(1) from using or disclosing protected
health information for the purpose(s) included in the consent. A
covered entity that seeks a consent must adhere to the individual's
decision.
In Sec. 164.506(a)(5), we specify that a consent obtained by one
covered entity is not effective to permit another covered entity to use
or disclose protected health information, unless the consent is a joint
consent. See Sec. 164.506(f) and the corresponding preamble discussion
below regarding joint consents. A consent provides the individual's
permission only for the covered entity that obtains the consent to use
or disclose protected health information for treatment, payment, and
health care operations. A consent under this section does not operate
to authorize another covered entity to use or disclose protected health
information, except where the other covered entity is operating as a
business associate. We note that, where a covered entity is acting as a
business associate of another covered entity, the business associate
covered entity is acting for or on behalf of the principal covered
entity, and its actions for or on behalf of the principal covered
entity are authorized by the consent obtained by the principal covered
entity. Thus, under this section, a health plan can obtain a consent
that permits the health plan and its business associates to use and
disclose protected health information that the health plan and its
business associates create or receive. That consent cannot, however,
permit another covered entity (that is not a business associate) to
disclose protected health information to the health plan or to any
other person.
If a covered entity wants to obtain the individual's permission for
another covered entity to disclose protected health information to it
for treatment, payment, or health care operations purposes, it must
seek an authorization in accordance with Sec. 164.508(e). For example,
when a covered provider asks the individual for written permission to
obtain the individual's medical record from another provider for
treatment purposes, it must do so with an authorization, not a consent.
Since the permission is for disclosure of protected health information
by another person, a consent may not be used.
Section 164.506(b)--Consent General Requirements
In the final rule, we permit a covered health care provider to
condition the provision of treatment on the receipt of the individual's
consent for the covered provider to use and disclose protected health
information to carry out treatment, payment, and health care
operations. Covered providers may refuse to treat individuals who do
not consent to uses and disclosures for these purposes. See
Sec. 164.506(b)(1). We note that there are exceptions to the consent
requirements for covered health care providers that are required by law
to treat individuals. See Sec. 164.506(a)(3), described above.
Similarly, in the final rule, we permit health plans to condition
an individual's enrollment in the health plan on the receipt of the
individual's consent for the health plan to use and disclose protected
health information to carry out treatment, payment, and health care
operations, if the consent is sought in conjunction with the enrollment
process. If the health plan seeks the individual's consent outside of
the enrollment process, the health plan may not condition any services
on obtaining such consent.
Under Sec. 164.520, covered entities must produce a notice of
privacy practices. A consent may not be combined in a single document
with the notice of privacy practices. See Sec. 164.506(b)(3).
Under Sec. 164.506(b)(4), consents for uses and disclosures of
protected health information to carry out treatment, payment, and
health care operations may be combined in a single document covering
all three types of activities and may be combined with other types of
legal permission from the individual. For example, a consent to use or
disclose protected health information under this rule may be combined
with an informed consent to receive treatment, a consent to assign
payment of benefits to a provider, or narrowly tailored consents
required under state law for the use or disclosure of specific types of
protected health information (e.g., state laws requiring specific
consent for any sharing of information related to HIV/AIDS).
Within a single consent document, the consent for use and
disclosure of protected health information required or permitted under
this rule must be visually and organizationally separate from the other
consents or authorizations and must be separately signed by the
individual and dated.
Where research includes treatment of the individual, a consent
under this rule may be combined with the authorization for the use or
disclosure of protected health information created for the research, in
accordance with Sec. 164.508(f). (This is the only case in which an
authorization under Sec. 164.508 of this rule may be combined with a
consent under Sec. 164.506 of this rule. See Sec. 164.508(b)(3).) The
covered entity that is creating protected health information for the
research may elect to combine the consent required under this section
with the research-related authorization required under Sec. 164.508(f).
For example, a covered health care provider that provides health care
to an individual for research purposes and for non-research purposes
must obtain a consent under this section for all of the protected
health information it maintains. In addition, it must obtain an
authorization in accordance with Sec. 164.508(f) which describes how it
will use and disclose the protected health information it creates for
the research for purposes of treatment, payment, and health care
operations. Section 164.506(b)(4) permits the covered entity to satisfy
these two requirements with a single document. See Sec. 164.508(f) and
the corresponding preamble discussion for a more detailed description
of research authorization requirements.
Under Sec. 164.506(b)(5), individuals may revoke a consent in
writing at any time, except to the extent that the covered entity has
taken action in reliance on the consent. Upon receipt of the written
revocation, the covered entity must stop processing the information for
use or disclosure, except to the extent that it has taken action in
reliance on the consent. A covered health care provider may refuse,
under this rule, to continue to treat an individual that revokes his or
her consent. A health plan may disenroll an individual that revokes a
consent that was sought in conjunction with the individual's enrollment
in the health plan.
Covered entities must document and retain any signed consent as
required by Sec. 164.530(j).
Section 164.506(c)--Consent Content Requirements
Under Sec. 164.506(c), the consent must be written in plain
language. See the preamble discussion regarding notice of privacy
practices for a description of plain language requirements. We do not
provide a model consent in this rule. We will provide further guidance
on drafting consent documents prior to the compliance date.
Under Sec. 164.506(c)(1), the consent must inform the individual
that protected health information may be used and disclosed by the
covered entity to carry out treatment, payment, or health care
operations. The covered entity must determine which of these elements
(use and/or disclosure; treatment, payment, and/or health care
operations) to include in the consent
[[Page 82512]]
document, as appropriate for the covered entity's practices.
For covered health care providers that are required to obtain
consent, the requirement applies only to the extent the covered
provider uses or discloses protected health information. For example,
if all of a covered provider's health care operations are conducted by
members of the covered provider's own workforce, the covered provider
may choose to obtain consent only for uses, not disclosures, of
protected health information to carry out health care operations. If an
individual pays out of pocket for all services received from the
covered provider and the provider will not disclose any information
about the patient to a third party payor, the provider may choose not
to obtain the individual's consent to disclose information for payment
purposes. In order for a covered provider to be able to use and
disclose information for all three purposes, however, all three
purposes must be included in the consent.
Under Secs. 164.506(c)(2) and (3), the consent must refer the
individual to the covered entity's notice for additional information
about the uses and disclosures of information described in the consent.
The consent must also indicate that the individual has the right to
review the notice prior to signing the consent. If the covered entity
has reserved the right to change its privacy practices in accordance
with Sec. 164.520(b)(1)(v)(C), the consent must indicate that the terms
of the notice may change and must describe how the individual may
obtain a revised notice. See Sec. 164.520 and the corresponding
preamble discussion regarding notice requirements.
Under Sec. 164.506(c)(4), the consent must inform individuals that
they have the right to request restrictions on uses and disclosures of
protected health information for treatment, payment, and health care
operations purposes. It must also state that the covered entity is not
required to agree to an individual's request, but that if the covered
entity does agree to the request, the restriction is binding on the
covered entity. See Sec. 164.522(a) regarding the right to request
restrictions.
Under Sec. 164.506(c)(5), the consent must indicate that the
individual has the right to revoke the consent in writing, except to
the extent that the covered entity has taken action in reliance on the
consent.
Under Sec. 164.506(c)(6), the consent must include the individual's
signature and the date of signature. Once we adopt the standards for
electronic signature, another of the required administrative
simplification standards we are required to adopt under HIPAA, an
electronic signature that meets those standards will be sufficient
under this rule. We do not require any verification of the individual's
identity or authentication of the individual's signature. We expect
covered health care providers that are required to obtain consent to
employ the same level of scrutiny to these signatures as they do to the
signature obtained on a document regarding the individual's consent to
undergo treatment by the provider.
Section 164.506(d)--Defective Consents
Under Sec. 164.506(d), there is no ``consent'' within the meaning
of the rule if the completed document lacks a required element or if
the individual has revoked the consent in accordance with
Sec. 164.506(b)(5).
Section 164.506(e)--Resolving Conflicting Consents and Authorizations
Situations may arise where a covered entity that has obtained the
individual's consent for the covered entity to use or disclose
protected health information to carry out treatment, payment, or health
care operations is asked to disclose protected health information
pursuant to another written legal permission from the individual, such
as an authorization, that was obtained by another person. Under
Sec. 164.506(e), when the terms of a covered entity's consent conflict
with the terms of another written legal permission from the individual
to use or disclose protected health information (such as a consent
obtained under state law by another covered entity or an
authorization), the covered entity must adhere to the more restrictive
document. By conflict, we mean that the consent and authorization
contain inconsistencies. In implementing this section, we note that the
consent under this section references the notice provided to the
individual and the individual's right to request restrictions. In
determining whether the covered entity's consent conflicts with another
written legal permission provided by the individual, the covered entity
must consider any limitations on its uses or disclosures resulting from
the notice provided to the individual or from restrictions to which it
has agreed. For example, a covered nursing home may elect to ask the
patient to sign an authorization for the patient's covered primary care
physician to forward the patient's medical records to the nursing home.
The physician may have previously obtained the individual's consent for
disclosure for treatment purposes. If the authorization obtained by the
nursing home grants permission for the physician to disclose particular
types of information, such as genetic information, but the consent
obtained by the physician excludes such information or the physician
has agreed to a restriction on that type of information, the physician
may not disclose that information. The physician must adhere to the
more restrictive written legal permission from the individual.
When a conflict between a consent and another written legal
permission from the individual exists, as described above, the covered
entity may attempt to resolve the conflict with the individual by
either obtaining a new consent from the individual or by having a
discussion or otherwise communicating with the individual to determine
the individual's preference regarding the use or disclosure. If the
individual's preference is communicated orally, the covered entity must
document the individual's preference and act in accordance with that
preference. In the example described above, the primary care physician
could ask the patient to sign a new consent that would permit the
disclosure of the genetic information. Alternatively, the physician
could ask the patient whether the patient intended for the genetic
information to be disclosed to the nursing home. If the patient
confirms that he or she intended for the genetic information to be
shared, the physician can document that fact (e.g., by making a
notation in the medical record) and disclose the information to the
nursing home.
We believe covered entities will rarely be faced with conflicts
between consents and other written legal permission from the individual
for uses and disclosures to carry out treatment, payment, and health
care operations. Under Sec. 164.506(a)(5), we specify that a consent
only permits the covered entity that obtains the consent to use or
disclose protected health information. A consent obtained by one
covered entity is not effective to permit another different covered
entity to use or disclose protected health information. Conflicting
consents obtained by covered entities, therefore, are not possible. We
expect authorizations that permit another covered entity to use and
disclose protected health information for treatment, payment, and
health care operations purposes will rarely be necessary, because we
expect covered entities that maintain protected health information to
obtain consents that permit them to make anticipated uses and
disclosures for these purposes. Nevertheless, covered entities are
permitted under Sec. 164.508(e) to obtain
[[Page 82513]]
authorization for another covered entity to use or disclose protected
health information to carry out treatment, payment, and health care
operations. We recognize these authorizations may be useful to
demonstrate an individual's intent and relationship to the intended
recipient of the information. For example, these authorizations may be
useful in situations where a health plan wants to obtain information
from one provider in order to determine payment of a claim for services
provided by a different provider (e.g., information from a primary care
physician that is necessary to determine payment of services provided
by a specialist) or where an individual's new physician wants to obtain
the individual's medical records from prior physicians. Other persons
not covered by this rule may also seek authorizations and state law may
require written permission for specific types of information, such as
information related to HIV/AIDS or to mental health. Because an
individual may sign conflicting documents over time, we clarify that
the covered entity maintaining the protected health information to be
used or disclosed must adhere to the more restrictive permission the
individual has granted, unless the covered entity resolves the conflict
with the individual.
Section 164.506(f)--Joint Consents
Covered entities that participate in an organized health care
arrangement and that develop a joint notice under Sec. 164.520(d) may
develop a joint consent in which the individual consents to the uses
and disclosures of protected health information by each of the covered
entities in the arrangement to carry out treatment, payment, and/or
health care operations. The joint consent must identify with reasonable
specificity the covered entities, or class of covered entities, to
which the joint consent applies and must otherwise meet the consent
requirements. If an individual revokes a joint consent, the covered
entity that receives the revocation must inform the other entities
covered by the joint consent of the revocation as soon as practicable.
If any one of the covered entities included in the joint consent
obtains the individual's consent, as required above, the consent
requirement is met for all of the other covered entities to which the
consent applies. For example, a covered hospital and the clinical
laboratory and emergency departments with which it participates in an
organized health care arrangement may produce a joint notice and obtain
a joint consent. If the covered hospital obtains the individual's joint
consent upon admission, and some time later the individual is
readmitted through the associated emergency department, the emergency
department's consent requirement will already have been met. These
joint consents are the only type of consent by which one covered entity
can obtain the individual's permission for another covered entity to
use or disclose protected health information to carry out treatment,
payment, or health care operations.
Effect of Consent
These consents, as well as the authorizations described in
Sec. 164.508, should not be construed to waive, directly or indirectly,
any privilege granted under federal, state, or local law or procedure.
Consents obtained under this regulation are not appropriate for the
disposition of more technical and legal proceedings and may not comport
with procedures and standards of federal, state, or local judicial
practice. For example, state courts and other decision-making bodies
may choose to examine more closely the circumstances and propriety of
such consent and may adopt more protective standards for application in
their proceedings. In the judicial setting, as in the legislative and
executive settings, states may provide for greater protection of
privacy. Additionally, both the Congress and the Secretary have
established a general approach to protecting from explicit preemption
state laws that are more protective of privacy than the protections set
forth in this regulation.
Section 164.508--Uses and Disclosures for Which an Authorization Is
Required
Section 164.508(a)--Standard
We proposed to require covered entities to obtain the individual's
authorization for all uses and disclosures of protected health
information not otherwise permitted or required under the proposed
rule. Uses and disclosures that would have been permitted without
individual authorization included uses and disclosures for national
priority purposes such as public health, law enforcement, and research
(see proposed Sec. 164.510) and uses and disclosures of protected
health information, other than psychotherapy notes and research
information unrelated to treatment, for purposes of treatment, payment,
and health care operations (see proposed Sec. 164.506). We also
proposed to require covered entities to disclose protected health
information to the individual for inspection and copying (see proposed
Sec. 164.514) and to the Secretary as required for enforcement of the
rule (see proposed Sec. 164.522). Individual authorization would not
have been required for these uses and disclosures.
We proposed to require covered entities to obtain the individual's
authorization for all other uses and disclosures of protected health
information. Under proposed Sec. 164.508(a), uses and disclosures that
would have required individual authorization included, but were not
limited to, the following:
Use for marketing of health and non-health items and
services by the covered entity;
Disclosure by sale, rental, or barter;
Use and disclosure to non-health related divisions of the
covered entity, e.g., for use in marketing life or casualty insurance
or banking services;
Disclosure, prior to an individual's enrollment in a
health plan, to the health plan or health care provider for making
eligibility or enrollment determinations relating to the individual or
for underwriting or risk rating determinations;
Disclosure to an employer for use in employment
determinations; and
Use or disclosure for fundraising.
In the preamble to the proposed rule, we stated that covered
entities would be bound by the terms of authorizations. Uses or
disclosures by the covered entity for purposes inconsistent with the
statements made in the authorization would have constituted a violation
of the rule.
In the final rule, under Sec. 164.508(a), as in the proposed rule,
covered entities must have authorization from individuals before using
or disclosing protected health information for any purpose not
otherwise permitted or required by this rule. Specifically, except for
psychotherapy notes (see below), covered entities are not required to
obtain the individual's authorization to use or disclose protected
health information to carry out treatment, payment, and health care
operations. (Covered entities may, however, be required to obtain the
individual's consent for these uses and disclosures. See the preamble
regarding Sec. 164.506 for a discussion of ``consent'' versus
``authorization''.) We also do not require covered entities to obtain
the individual's authorization for uses and disclosures of protected
health information permitted under Secs. 164.510 or 164.512, for
disclosures to the individual, or for required disclosures to the
Secretary under subpart C of part 160 of this subchapter for
enforcement of this rule.
In the final rule, we clarify that covered entities are bound by
the
[[Page 82514]]
statements provided on the authorization; use or disclosure by the
covered entity for purposes inconsistent with the statements made in
the authorization constitutes a violation of this rule.
Unlike the proposed rule, we do not include in the regulation
examples of the types of uses and disclosures that require individual
authorization. We eliminated two examples from the proposed list due to
potential confusion as to our intent: disclosure by sale, rental, or
barter and use and disclosure to non-health related divisions of the
covered entity. We recognize that covered entities sometimes make these
types of uses and disclosures for purposes that are permitted under the
rule without authorization. For example, a covered health care provider
may sell its accounts receivable to a collection agency for payment
purposes and a health plan may disclose protected health information to
its life insurance component for payment purposes. We do not intend to
require authorization for uses and disclosures made by sale, rental, or
barter or for disclosures made to non-health related divisions of the
covered entity, if those uses or disclosures could otherwise be made
without authorization under this rule. As with any other use or
disclosure, however, uses and disclosures of protected health
information for these purposes do require authorization if they are not
otherwise permitted under the rule.
We also eliminated the remaining proposed examples from the final
rule due to concern that these examples might be misinterpreted as an
exhaustive list of all of the uses and disclosures that require
individual authorization. We discuss the examples here, however, to
clarify the interaction of the authorization requirements and the
provisions of the rule that permit uses and disclosures without
authorization and/or with consent. Uses and disclosures for which
covered entities must have the individual's authorization include, but
are not limited to, the following activities.
Marketing
As in the proposed rule, covered entities must obtain the
individual's authorization before using or disclosing protected health
information for marketing purposes. In the final rule, we add a new
definition of marketing (see Sec. 164.501). For more detail on what
activities constitute marketing, see Sec. 164.501, definition of
``marketing,'' and Sec. 164.514(e).
Pre-Enrollment Underwriting
As in the proposed rule, covered entities must obtain the
individual's authorization to use or disclose protected health
information for the purpose of making eligibility or enrollment
determinations relating to an individual or for underwriting or risk
rating determinations, prior to the individual's enrollment in a health
plan (that is, for purposes of pre-enrollment underwriting). For
example, if an individual applies for new coverage with a health plan
in the non-group market and the health plan wants to review protected
health information from the individual's covered health care providers
before extending an offer of coverage, the individual first must
authorize the covered providers to share the information with the
health plan. If the individual applies for renewal of existing
coverage, however, the health plan would not need to obtain an
authorization to review its existing claims records about that
individual, because this activity would come within the definition of
health care operations and be permissible. We also note that under
Sec. 164.504(f), a group health plan and a health insurance issuer that
provides benefits with respect to a group health plan are permitted in
certain circumstances to disclose summary health information to the
plan sponsor for the purpose of obtaining premium bids. Because these
disclosures fall within the definition of health care operations, they
do not require authorization.
Employment Determinations
As in the proposed rule, covered entities must obtain the
individual's authorization to use or disclose protected health
information for employment determinations. For example, a covered
health care provider must obtain the individual's authorization to
disclose the results of a pre-employment physical to the individual's
employer. The final rule provides that a covered entity may condition
the provision of health care that is solely for the purpose of creating
protected health information for disclosure to a third party on the
provision of authorization for the disclosure of the information to the
third party.
Fundraising
Under the proposed regulation, we would have required authorization
before a covered entity could have used or disclosed protected health
information for fundraising. In the final rule, we narrow the
circumstances under which covered entities must obtain the individual's
authorization to use or disclose protected health information for
fundraising purposes. As provided in Sec. 164.514(f) and described in
detail in the corresponding preamble, authorization is not required
when a covered entity uses or discloses demographic information and
information about the dates of health care provided to an individual
for the purpose of raising funds for its own benefit, nor when it
discloses such information to an institutionally related foundation to
raise funds for the covered entity.
Any use or disclosure for fundraising purposes that does not meet
the requirements of Sec. 164.514(f) and does not fall within the
definition of health care operations (see Sec. 164.501), requires
authorization. Specifically, covered entities must obtain the
individual's authorization to use or disclose protected health
information to raise funds for any entity other than the covered
entity. For example, a covered entity must have the individual's
authorization to use protected health information about the individual
to solicit funds for a non-profit organization that engages in
research, education, and awareness efforts about a particular disease.
Psychotherapy Notes
In the NPRM, we proposed different rules with respect to
psychotherapy notes than we proposed with respect to all other
protected health information. The proposed rule would have required
covered entities to obtain an authorization for any use or disclosure
of psychotherapy notes to carry out treatment, payment, or health care
operations, unless the use was by the person who created the
psychotherapy notes. With respect to all other protected health
information, we proposed to prohibit covered entities from requiring
authorization for uses and disclosures for these purposes.
We significantly revise our approach to psychotherapy notes in the
final rule. With a few exceptions, covered entities must obtain the
individual's authorization to use or disclose psychotherapy notes to
carry out treatment, payment, or health care operations. A covered
entity must obtain the individual's consent, but not an authorization,
for the person who created the psychotherapy notes to use the notes to
carry out treatment and for the covered entity to use or disclose
psychotherapy notes for conducting training programs in which students,
trainees, or practitioners in mental health learn under supervision to
[[Page 82515]]
practice or improve their skills in group, joint, family, or individual
counseling. A covered entity may also use psychotherapy notes to defend
a legal action or other proceeding brought by the individual pursuant
to a consent, without a specific authorization. We note that, while
this provision allows disclosure of these records to the covered
entity's attorney to defend against the action or proceeding,
disclosure to others in the course of a judicial or administrative
proceeding is governed by Sec. 164.512(e). This special provision is
necessary because disclosure of protected health information for
purposes of legal representatives may be made under the general consent
as part of ``health care operations.'' Because we require an
authorization for disclosure of psychotherapy notes for ``health care
operations,'' an exception is needed to allow covered entities to use
protected health information about an individual to defend themselves
against an action threatened or brought by that individual without
asking that individual for authorization to do so. Otherwise, a consent
under Sec. 164.506 is not sufficient for the use or disclosure of
psychotherapy notes to carry out treatment, payment, or health care
operations. Authorization is required. We anticipate these
authorizations will rarely be necessary, since psychotherapy notes do
not include information that covered entities typically need for
treatment, payment, or other types of health care operations.
In the NPRM, we proposed to permit covered entities to use and
disclose psychotherapy notes for all other purposes permitted or
required under the rule without authorization. In the final rule, we
specify a more limited set of uses and disclosures of psychotherapy
notes that covered entities are permitted to make without
authorization. An authorization is not required for use or disclosure
of psychotherapy notes when required for enforcement purposes, in
accordance with subpart C of part 160 of this subchapter; when mandated
by law, in accordance with Sec. 164.512(a); when needed for oversight
of the health care provider who created the psychotherapy notes, in
accordance with Sec. 164.512(d); when needed by a coroner or medical
examiner, in accordance with Sec. 164.512(g)(1); or when needed to
avert a serious and imminent threat to health or safety, in accordance
with Sec. 164.512(j)(1)(i). We also provide transition provisions in
Sec. 164.532 regarding the effect of express legal permission obtained
from an individual prior to the compliance date of this rule.
Section 164.508(b)--Implementation Specifications for Authorizations
Valid and Defective Authorizations
We proposed to require a minimum set of elements for authorizations
requested by the individual and an additional set of elements for
authorizations requested by a covered entity. We would have permitted
covered entities to use and disclose protected health information
pursuant to authorizations containing the applicable required elements.
We would have prohibited covered entities from acting on an
authorization if the submitted document had any of the following
defects:
The expiration date had passed;
The form had not been filled out completely;
The covered entity knew the authorization had been
revoked;
The completed form lacked a required element; or
The covered entity knew the information on the form was
false.
In Sec. 164.508(b)(1) of the final rule, we specify that an
authorization containing the applicable required elements (as described
below) is a valid authorization. We clarify that a valid authorization
may contain additional, non-required elements, provided that these
elements are not inconsistent with the required elements. Covered
entities are not required to use or disclose protected health
information pursuant to a valid authorization. Our intent is to clarify
that a covered entity that uses or discloses protected health
information pursuant to an authorization meeting the applicable
requirements will be in compliance with this rule.
We retain the provision prohibiting covered entities from acting on
an authorization if the submitted document had any of the listed
defects, with a few changes. First, in Sec. 164.508(c)(1)(iv) we
specify that an authorization may expire upon a certain event or on a
specific date. For example, a valid authorization may state that it
expires upon acceptance or rejection of an application for insurance or
upon the termination of employment (for example, in an authorization
for disclosure of protected health information for fitness-for-duty
purposes) or similar event. The expiration event must, however, be
related to the individual or the purpose of the use or disclosure. An
authorization that purported to expire on the date when the stock
market reached a specified level would not be valid. Under
Sec. 164.508(b)(2)(i), if the expiration event is known by the covered
entity to have occurred, the authorization is defective. Second, we
clarify that certain compound authorizations, as described below, are
defective. We also clarify that authorizations that are not completely
filled out with respect to the required elements are defective.
Finally, we clarify that an authorization with information that the
covered entity knows to be false is defective only if the information
is material.
As under the proposed regulation, an authorization that the covered
entity knows has been revoked is not a valid authorization. We note
that, although an authorization must be revoked in writing, the covered
entity may not always ``know'' that an authorization has been revoked.
The writing required for an individual to revoke an authorization may
not always trigger the ``knowledge'' required for a covered entity to
consider an authorization defective. Conversely, a copy of the written
revocation is not required before a provider ``knows'' that an
authorization has been revoked.
Many authorizations will be obtained by persons other than the
covered entity. If the individual revokes an authorization by writing
to that other person, and neither the individual nor the other person
informs the covered entity of the revocation, the covered entity will
not ``know'' that the authorization has been revoked. For example, a
government agency may obtain an individual's authorization for ``all
providers who have seen the individual in the past year'' to disclose
protected health information to the agency for purposes of determining
eligibility for benefits. The individual may revoke the authorization
by writing to the government agency requesting such revocation. We
cannot require the agency to inform all covered entities to whom it has
presented the authorization that the authorization has been revoked. If
a covered entity does not know of the revocation, the covered entity
will not violate this rule by acting pursuant to the authorization. At
the same time, if the individual does inform the covered entity of the
revocation, even orally, the covered entity ``knows'' that the
authorization has been revoked and can no longer treat the
authorization as valid under this rule. Thus, in this example, if the
individual tells a covered entity that the individual has revoked the
authorization, the covered entity ``knows'' of the revocation and must
consider the authorization defective under Sec. 164.508(b)(2).
[[Page 82516]]
Compound Authorizations
Except for authorizations requested in connection with a clinical
trial, we proposed to prohibit covered entities from combining an
authorization for use or disclosure of protected health information for
purposes other than treatment, payment, or health care operations with
an authorization or consent for treatment (e.g., an informed consent to
receive care) or payment (e.g., an assignment of benefits).
We clarify the prohibition on compound authorizations in the final
rule. Other than as described below, Sec. 164.508(b)(3) prohibits a
covered entity from acting on an authorization required under this rule
that is combined with any other document, including any other written
legal permission from the individual. For example, an authorization
under this rule may not be combined with a consent for use or
disclosure of protected health information under Sec. 164.506, with the
notice of privacy practices under Sec. 164.520, with any other form of
written legal permission for the use or disclosure of protected health
information, with an informed consent to participate in research, or
with any other form of consent or authorization for treatment or
payment.
There are three exceptions to this prohibition. First, under
Sec. 164.508(f) (described in more detail, below), an authorization for
the use or disclosure of protected health information created for
research that includes treatment of the individual may be combined with
a consent for the use or disclosure of that protected health
information to carry out treatment, payment, or health care operations
under Sec. 164.506 and with other documents as provided in
Sec. 164.508(f). Second, authorizations for the use or disclosure of
psychotherapy notes for multiple purposes may be combined in a single
document, but may not be combined with authorizations for the use or
disclosure of other protected health information. Third, authorizations
for the use or disclosure of protected health information other than
psychotherapy notes may be combined, provided that the covered entity
has not conditioned the provision of treatment, payment, enrollment, or
eligibility on obtaining the authorization. If a covered entity
conditions any of these services on obtaining an authorization from the
individual, as permitted in Sec. 164.508(b)(4) and described below, the
covered entity must not combine the authorization with any other
document.
The following are examples of valid compound authorizations: an
authorization for the disclosure of information created for clinical
research combined with a consent for the use or disclosure of other
protected health information to carry out treatment, payment, and
health care operations, and the informed consent to participate in the
clinical research; an authorization for disclosure of psychotherapy
notes for both treatment and research purposes; and an authorization
for the disclosure of the individual's demographic information for both
marketing and fundraising purposes. Examples of invalid compound
authorizations include: an authorization for the disclosure of
protected health information for treatment, for research, and for
determining payment of a claim for benefits, when the covered entity
will refuse to pay the claim if the individual does not sign the
authorization; or an authorization for the disclosure of psychotherapy
notes combined with an authorization to disclose any other protected
health information.
Prohibition on Conditioning Treatment, Payment, Eligibility, or
Enrollment
We proposed to prohibit covered entities from conditioning
treatment or payment on the provision by the individual of an
authorization, except when the authorization was requested in
connection with a clinical trial. In the case of authorization for use
or disclosure of psychotherapy notes or research information unrelated
to treatment, we proposed to prohibit covered entities from
conditioning treatment, payment, or enrollment in a health plan on
obtaining such an authorization.
We retain this basic approach but refine its application in the
final rule. In addition to the general prohibition on conditioning
treatment and payment, covered entities are also prohibited (with
certain exceptions described below) from conditioning eligibility for
benefits or enrollment in a health plan on obtaining an authorization.
This prohibition extends to all authorizations, not just authorizations
for use or disclosure of psychotherapy notes. This prohibition is
intended to prevent covered entities from coercing individuals into
signing an authorization for a use or disclosure that is not necessary
to carry out the primary services that the covered entity provides to
the individual. For example, a health care provider could not refuse to
treat an individual because the individual refused to authorize a
disclosure to a pharmaceutical manufacturer for the purpose of
marketing a new product.
We clarify the proposed research exception to this prohibition.
Covered entities seeking authorization in accordance with
Sec. 164.508(f) to use or disclose protected health information created
for the purpose of research that includes treatment of the individual,
including clinical trials, may condition the research-related treatment
on the individual's authorization. Permitting use of protected health
information is part of the decision to receive care through a clinical
trial, and health care providers conducting such trials should be able
to condition research-related treatment on the individual's willingness
to authorize the use or disclosure of his or her protected health
information for research associated with the trial.
In addition, we permit health plans to condition eligibility for
benefits and enrollment in the health plan on the individual's
authorization for the use or disclosure of protected health information
for purposes of eligibility or enrollment determinations relating to
the individual or for its underwriting or risk-rating determinations.
We also permit health plans to condition payment of a claim for
specified benefits on the individual's authorization for the disclosure
of information maintained by another covered entity to the health plan,
if the disclosure is necessary to determine payment of the claim. These
exceptions do not apply, however, to authorization for the use or
disclosure of psychotherapy notes. Health plans may not condition
payment, eligibility, or enrollment on the receipt of an authorization
for the use or disclosure of psychotherapy notes, even if the health
plan intends to use the information for underwriting or payment
purposes.
Finally, when a covered entity provides treatment for the sole
purpose of providing information to a third party, the covered entity
may condition the treatment on the receipt of an authorization to use
or disclose protected health information related to that treatment. For
example, a covered health care provider may have a contract with an
employer to provide fitness-for-duty exams to the employer's employees.
The provider may refuse to conduct the exam if an individual refuses to
authorize the provider to disclose the results of the exam to the
employer. Similarly, a covered health care provider may have a contract
with a life insurer to provide pre-enrollment physicals to applicants
for life insurance coverage. The provider may refuse to conduct the
physical if an individual refuses to authorize the provider to disclose
the results of the physical to the life insurer.
[[Page 82517]]
Revocation of Authorizations
We proposed to allow individuals to revoke an authorization at any
time, except to the extent that the covered entity had taken action in
reliance on the authorization.
We retain this provision, but specify that the individual must
revoke the authorization in writing. When an individual revokes an
authorization, a covered entity that knows of such revocation must stop
making uses and disclosures pursuant to the authorization to the
greatest extent practical. A covered entity may continue to use and
disclose protected health information in accordance with the
authorization only to the extent the covered entity has taken action in
reliance on the authorization. For example, a covered entity is not
required to retrieve information that it has already disclosed in
accordance with the authorization. (See above for discussion of how
written revocation of an authorization and knowledge of that revocation
may differ.)
We also include an additional exception. Under Sec. 164.508(b)(5),
individuals do not have the right to revoke an authorization if the
authorization was obtained as a condition of obtaining insurance
coverage and other applicable law provides the insurer that obtained
the authorization with the right to contest a claim under the policy.
We intend this exception to permit insurers to obtain necessary
protected health information during contestability periods under state
law. For example, an individual may not revoke an authorization for the
disclosure of protected health information to a life insurer for the
purpose of investigating material misrepresentation if the individual's
policy is still subject to the contestability period.
Documentation
In the final rule, we clarify that a covered entity must document
and retain any signed authorization as required by Sec. 164.530(j) (see
below).
Section 164.508(c)--Core Elements and Requirements
We proposed to require authorizations requested by individuals to
contain a minimum set of elements: a description of the information to
be used or disclosed; the name of the covered entity, or class of
entities or persons, authorized to make the use or disclosure; the name
or types of recipient(s) of the information; an expiration date; the
individual's signature and date of signature; if signed by a
representative, a description of the representative's authority or
relationship to the individual; a statement regarding the individual's
right to revoke the authorization; and a statement that the information
may no longer be protected by the federal privacy law. We proposed a
model authorization form that entities could have used to satisfy the
authorization requirements. If the model form was not used, we proposed
to require covered entities to use authorization forms written in plain
language.
We modify the proposed approach, by eliminating the distinction
between authorizations requested by the individuals and authorizations
requested by others. Instead, we prescribe a minimum set of elements
for authorizations and certain additional elements when the
authorization is requested by a covered entity for its own use or
disclosure of protected health information it maintains or for receipt
of protected health information from another covered entity to carry
out treatment, payment, or health care operations.
The core elements are required for all authorizations, not just
authorizations requested by individuals. Individuals seek disclosure of
protected health information about them to others in many
circumstances, such as when applying for life or disability insurance,
when government agencies conduct suitability investigations, and in
seeking certain job assignments when health status is relevant. Another
common instance is tort litigation, when an individual's attorney needs
individually identifiable health information to evaluate an injury
claim and asks the individual to authorize disclosure of records
relating to the injury to the attorney. In each of these situations,
the individual may go directly to the covered entity and ask it to send
the relevant information to the intended recipient. Alternatively, the
intended recipient may ask the individual to complete a form, which the
recipient will submit to the covered entity on the individual's behalf,
that authorizes the covered entity to disclose the information. Whether
the authorization is submitted to the covered entity by the individual
or by another person on the individual's behalf, the covered entity
maintaining protected health information may not use or disclose it
pursuant to an authorization unless the authorization meets the
following requirements.
First, the authorization must include a description of the
information to be used or disclosed, with sufficient specificity to
allow the covered entity to know which information the authorization
references. For example, the authorization may include a description of
``laboratory results from July 1998'' or ``all laboratory results'' or
``results of MRI performed in July 1998.'' The covered entity can then
use or disclose that information and only that information. If the
covered entity does not understand what information is covered by the
authorization, the use or disclosure is not permitted unless the
covered entity clarifies the request.
There are no limitations on the information that can be authorized
for disclosure. If an individual wishes to authorize a covered entity
to disclose his or her entire medical record, the authorization can so
specify. In order for the covered entity to disclose the entire medical
record, the authorization must be specific enough to ensure that the
individual has a clear understanding that the entire record will be
disclosed. For example, if the Social Security Administration seeks
authorization for release of all health information to facilitate the
processing of benefit applications, then the description on the
authorization form must specify ``all health information'' or the
equivalent.
In some instances, a covered entity may be reluctant to undertake
the effort to review the record and select portions relevant to the
request (or redact portions not relevant). In such circumstances,
covered entities may provide the entire record to the individual, who
may then redact and release the more limited information to the
requestor. This rule does not require a covered entity to disclose
information pursuant to an individual's authorization.
Second, the authorization must include the name or other specific
identification of the person(s) or class of persons that are authorized
to use or disclose the protected health information. If an
authorization permits a class of covered entities to disclose
information to an authorized person, the class must be stated with
sufficient specificity so that a covered entity presented with the
authorization will know with reasonable certainty that the individual
intended the covered entity to release protected health information.
For example, a covered licensed nurse practitioner presented with an
authorization for ``all physicians'' to disclose protected health
information could not know with reasonable certainty that the
individual intended for the practitioner to be included in the
authorization.
Third, the authorization must include the name or other specific
identification of the person(s) or class of persons to
[[Page 82518]]
whom the covered entity is authorized to make the use or disclosure.
The authorization must identify these persons with sufficient
specificity to reasonably permit a covered entity responding to the
authorization to identify the authorized user or recipient of the
protected health information. Often, individuals provide authorizations
to third parties, who present them to one or more covered entities. For
example, an authorization could be completed by an individual and given
to a government agency, authorizing the agency to receive medical
information from any health care provider that has treated the
individual within a defined period of time. Such an authorization is
permissible (subject to the other requirements of this part) if it
sufficiently identifies the government entity that is authorized to
receive the disclosed protected health information.
Fourth, the authorization must state an expiration date or event.
This expiration date or event must either be a specific date (e.g.,
January 1, 2001), a specific time period (e.g., one year from the date
of signature), or an event directly relevant to the individual or the
purpose of the use or disclosure (e.g., for the duration of the
individual's enrollment with the health plan that is authorized to make
the use or disclosure). We note that the expiration date or event is
subject to otherwise applicable and more stringent law. For example,
the National Association of Insurance Commissioners' Insurance
Information and Privacy Protection Model Act, adopted in at least
fifteen states, specifies that authorizations signed for the purpose of
collecting information in connection with an application for a life,
health, or disability insurance policy are permitted to remain valid
for no longer than thirty months. In those states, the longest such an
authorization may remain in effect is therefore thirty months,
regardless of the expiration date or event indicated on the form.
Fifth, the authorization must state that the individual has the
right to revoke an authorization in writing, except to the extent that
action has been taken in reliance on the authorization or, if
applicable, during a contestability period. The authorization must
include instructions on how the individual may revoke the
authorization. For example, the person obtaining the authorization from
the individual can include an address where the individual can send a
written request for revocation.
Sixth, the authorization must inform the individual that, when the
information is used or disclosed pursuant to the authorization, it may
be subject to re-disclosure by the recipient and may no longer be
protected by this rule.
Seventh, the authorization must include the individual's signature
and the date of the signature. Once we adopt the standards for
electronic signature, another of the required administrative
simplification standards we are required to adopt under HIPAA, an
electronic signature that meets those standards will be sufficient
under this rule. We do not require verification of the individual's
identity or authentication of the individual's signature.
Finally, if the authorization is signed by a personal
representative of the individual, the representative must indicate his
or her authority to act for the individual.
As in the proposed rule, the authorization must be written in plain
language. See the preamble discussion regarding notice of privacy
practices (Sec. 164.520) for a discussion of the plain language
requirement. We do not provide a model authorization in this rule. We
will provide further guidance on this issue prior to the compliance
date.
Section 164.508(d)--Authorizations Requested by a Covered Entity for
Its Own Uses and Disclosures
We proposed to require covered entities to include additional
elements in authorizations initiated by the covered entity. Before a
covered entity could use or disclose protected health information of an
individual pursuant to a request the covered entity made, we proposed
to require the entity to obtain an authorization containing the minimum
elements described above and the following additional elements: except
for authorizations requested for clinical trials, a statement that the
entity will not condition treatment or payment on the individual's
authorization; a description of the purpose of the requested use or
disclosure; a statement that the individual may inspect or copy the
information to be used or disclosed and may refuse to sign the
authorization; and, if the use or disclosure of the requested
information will result in financial gain to the entity, a statement
that such gain will result.
We additionally proposed to require covered entities, when
requesting an individual's authorization, to request only the minimum
amount of information necessary to accomplish the purpose for which the
request was made. We also proposed to require covered entities to
provide the individual with a copy of the executed authorization.
We retain the proposed approach, but apply these additional
requirements when the covered entity requests the individual's
authorization for the entity's own use or disclosure of protected
health information maintained by the covered entity itself. For
example, a health plan may ask individuals to authorize the plan to
disclose protected health information to a subsidiary to market life
insurance to the individual. A pharmaceutical company may also ask a
covered provider to recruit patients for drug research; if the covered
provider asks patients to sign an authorization for the provider to
disclose protected health information to the pharmaceutical company for
this research, this is also an authorization requested by a covered
entity for disclosure of protected health information maintained by the
covered entity. When covered entities initiate the authorization by
asking individuals to authorize the entity to use or disclose protected
health information that the entity maintains, the authorization must
include all of the elements required above as well as several
additional elements.
Authorizations requested by covered entities for the covered
entity's own use or disclosure of protected health information must
state, as applicable under Sec. 164.508(b)(4), that the covered entity
will not condition treatment, payment, enrollment, or eligibility on
the individual's authorization for the use or disclosure. For example,
if a health plan asks an individual to sign an authorization for the
health plan to disclose protected health information to a non-profit
advocacy group for the advocacy group's fundraising purposes, the
authorization must contain a statement that the health plan will not
condition treatment, payment, enrollment in the health plan, or
eligibility for benefits on the individual providing the authorization.
Authorizations requested by covered entities for their own uses and
disclosures of protected health information must also identify each
purpose for which the information is to be used or disclosed. The
required statement of purpose(s) must provide individuals with the
facts they need to make an informed decision whether to allow release
of the information. We prohibit the use of broad or blanket
authorizations requesting the use or disclosure of protected health
information for a wide range of unspecified purposes. Both the
information that is to be used or disclosed and the specific purpose(s)
for such uses or disclosures must be stated in the authorization.
[[Page 82519]]
Authorizations requested by covered entities for their own uses and
disclosures must also advise individuals of certain rights available to
them under this rule. The authorization must state that the individual
may inspect or copy the information to be used or disclosed as provided
in Sec. 164.524 regarding access for inspection and copying and that
the individual may refuse to sign the authorization.
We alter the proposed requirements with respect to authorizations
for which the covered entity will receive financial gain. When the
covered entity initiates the authorization and the covered entity will
receive direct or indirect remuneration from a third party (rather than
financial gain, as proposed) in exchange for using or disclosing the
protected health information, the authorization must include a
statement that such remuneration will result. For example, a health
plan may wish to sell or rent its enrollee mailing list or a
pharmaceutical company may offer a covered provider a discount on its
products if the provider obtains authorization to disclose the
demographic information of patients with certain diagnoses so that the
company can market new drugs to them directly. In each case, the
covered entity must obtain the individual's authorization, and the
authorization must include a statement that the covered entity will
receive remuneration.
In Sec. 164.508(d)(2), we continue to require a covered entity that
requests an authorization for its own use or disclosure of protected
health information to provide the individual with a copy of the signed
authorization. While we eliminate from this section the provision
requiring covered entities to obtain authorization for use or
disclosure of the minimum necessary protected health information,
Sec. 164.514(d)(4) requires covered entities to request only the
minimum necessary protected health information to accomplish the
purpose for which the request is made. This requirement applies to
these authorizations, as well as other requests.
Section 164.508(e)--Authorizations Requested by a Covered Entity for
Disclosures by Others
In the proposed rule, we would have prohibited all covered entities
from requiring the individual's written legal permission (as proposed,
an ``authorization'') for the use or disclosure of protected health
information to carry out treatment, payment, or health care operations.
We generally eliminate this prohibition in the final rule, except to
specify that a consent obtained by one covered entity is not effective
to permit another covered entity to use or disclose protected health
information. See Sec. 164.506(a)(5) and the corresponding preamble
discussion.
In the final rule, if a covered entity seeks the individual's
written legal permission to obtain protected health information about
the individual from another covered entity for any purpose, it must
obtain the individual's authorization for the covered entity that
maintains the protected health information to make the disclosure. If
the authorization is for the purpose of obtaining protected health
information for purposes other than treatment, payment, or health care
operations, the authorization need only contain the core elements
required by Sec. 164.508(c) and described above.
If the authorization, however, is for the purpose of obtaining
protected health information to carry out treatment, payment, or health
care operations, the authorization must meet the requirements of
Sec. 164.508(e). We expect such authorizations will rarely be
necessary, because we expect covered entities that maintain protected
health information to obtain consents that permit them to make
anticipated uses and disclosures for these purposes. An authorization
obtained by another covered entity that authorizes the covered entity
maintaining the protected health information to make a disclosure for
the same purpose, therefore, would be unnecessary.
We recognize, however, that these authorizations may be useful to
demonstrate an individual's intent and relationship to the intended
recipient of the information when the intent or relationship is not
already clear. For example, a long term care insurer may need
information from an individual's health care providers about the
individual's ability to perform activities of daily living in order to
determine payment of a long term care claim. The providers that hold
the information may not be providing the long term care and may not,
therefore, be aware of the individual's coverage under the policy or
that the individual is receiving long term care services. An
authorization obtained by the long term care insurer will help to
demonstrate these facts to the providers holding the information, which
will make them more confident that the individual intends for the
information to be shared. Similarly, an insurer with subrogation
obligations may need health information from the enrollee's providers
to assess or prosecute the claim. A patient's new physician may also
need medical records from the patient's prior providers in order to
treat the patient. Without an authorization that demonstrates the
patient's intent for the information to be shared, the covered entity
that maintains the protected health information may be reluctant to
provide the information, even if that covered entity's consent permits
such disclosure to occur.
These authorizations may also be useful to accomplish clinical
coordination and integration among covered entities that do not meet
the definitions of affiliated covered entities or organized health care
arrangements. For example, safety-net providers that participate in the
Community Access Program (CAP) may not qualify as organized health care
arrangements but may want to share protected health information with
each other in order to develop and expand integrated systems of care
for uninsured people. An authorization under this section would permit
such providers to receive protected health information from other CAP
participants to engage in such activities.
Because of such concerns, we permit a covered entity to request the
individual's authorization to obtain protected health information from
another covered entity to carry out treatment, payment, and health care
operations. In these situations, the authorization must contain the
core elements described above and must also describe each purpose of
the requested disclosure.
With one exception, the authorization must also indicate that the
authorization is voluntary. It must state that the individual may
refuse to sign the authorization and that the covered entity requesting
the authorization will not condition the provision of treatment,
payment, enrollment in the health plan, or eligibility for benefits on
obtaining the individual's authorization. If the authorization is for a
disclosure of information that is necessary to determine payment of a
claim for specified benefits, however, the health plan requesting the
authorization may condition the payment of the claim on obtaining the
authorization from the individual. See Sec. 164.508(b)(4)(iii). In this
case, the authorization does not have to state that the health plan
will not condition payment on obtaining the authorization.
The covered entity requesting the authorization must provide the
individual with a copy of the signed authorization. We note that the
covered entity requesting the authorization is also subject to the
requirements in
[[Page 82520]]
Sec. 164.514 to request only the minimum necessary information needed
for the purpose of the authorization.
We additionally note that, when the covered entity that maintains
the protected health information has already obtained a consent for
disclosure of protected health information to carry out treatment,
payment, and/or health care operations under Sec. 164.506, and that
consent conflicts with an authorization obtained by another covered
entity under Sec. 164.508(e), the covered entity maintaining the
protected health information is bound by the more restrictive document.
See Sec. 164.506(e) and the corresponding preamble discussion for
further explanation.
Section 164.508(f)--Authorizations for Uses and Disclosures of
Protected Health Information Created for Research that Includes
Treatment of Individuals
In the proposed rule, we would have required individual
authorization for any use or disclosure of research information
unrelated to treatment. In the final rule, we eliminate the special
rules for this category of information and, instead, require covered
entities to obtain an authorization for the use or disclosure of
protected health information the covered entity creates for the purpose
of research that includes treatment of individuals, except as otherwise
permitted by Sec. 164.512(i).
The intent of this provision is to permit covered entities that
conduct research involving treatment to bind themselves to a more
limited scope of uses and disclosures of research information than they
would otherwise be permitted to make with non-research information.
Rather than creating a single definition of ``research information,''
we allow covered entities the flexibility to define that subset of
protected health information they create during clinical research that
is not necessary for treatment, payment, or health care operations and
that the covered entity will use or disclose under more limited
circumstances than it uses or discloses other protected health
information. In designing their authorizations, we expect covered
entities to be mindful of the often highly sensitive nature of research
information and the impact of individuals' privacy concerns on their
willingness to participate in research.
Covered entities seeking authorization to use or disclose protected
health information they create for the purpose of research that
includes treatment of individuals, including clinical trials, must
include in the authorization (in addition to the applicable elements
required above) a description of the extent to which some or all of the
protected health information created for the research will also be used
or disclosed for purposes of treatment, payment, and health care
operations. For example, if the covered entity intends to seek
reimbursement from the individual's health plan for the routine costs
of care associated with the research protocol, it must explain in the
authorization the types of information that it will provide to the
health plan for this purpose. This information, and the circumstances
under which disclosures will be made for treatment, payment, and health
care operations, may be more limited than the information and
circumstances described in the covered entity's general consent and
notice of privacy practices. To the extent the covered entity limits
itself to a subset of uses or disclosures that are otherwise
permissible under the rule and the covered entity's consent and notice,
the covered entity is bound by the statements made in the research-
related authorization. In these circumstances, the authorization must
indicate that the authorization, not the general consent and notice,
controls.
If the covered entity's primary interaction with the individual is
through the research, the covered entity may combine the general
consent for treatment, payment, and health care operations required
under Sec. 164.506 with this research authorization and need not obtain
an additional consent under Sec. 164.506. If the entity has already
obtained, or intends to obtain, a separate consent as required under
Sec. 164.506, the research authorization must refer to that consent and
state that the practices described in the research-related
authorization are binding on the covered entity as to the information
covered by the research-related authorization. The research-related
authorization may also be combined in the same document as the informed
consent for participation in the research. This is an exception to the
general rule in Sec. 164.508(b)(3) that an authorization under this
section may not be combined with any other document (see above).
The covered entity must also include in the authorization a
description of the extent to which it will not use or disclose the
protected health information it obtains in connection with the research
protocol for purposes that are permitted without individual
authorization under this rule (under Secs. 164.510 and 164.512). To the
extent that the entity limits itself to a subset of uses or disclosures
that are otherwise permissible under the rule and the entity's notice,
the entity is bound by the statements made in the research
authorization. In these circumstances, the authorization must indicate
that the authorization, not the notice, controls. The covered entity
may not, however, purport to preclude itself from making uses or
disclosures that are required by law or that are necessary to avert a
serious and imminent threat to health or safety.
In some instances, the covered entity may wish to make a use or
disclosure of the research information that it did not include in its
general consent or notice or for which authorization is required under
this rule. To the extent the entity includes uses or disclosures in the
research authorization that are otherwise not permissible under the
rule and the entity's consent and notice of information practices, the
entity must include all of the elements required by Secs. 164.508(c)
and (d) in the research-related authorization. The covered entity is
bound by these statements.
Research that involves the delivery of treatment to participants
sometimes relies on existing health information, such as to determine
eligibility for the trial. We note that under Sec. 164.508(b)(3)(iii),
the covered entity may combine the research-related authorization
required under Sec. 164.508(f) with any other authorization for the use
or disclosure of protected health information (other than psychotherapy
notes), provided that the covered entity does not condition the
provision of treatment on the individual signing the authorization. For
example, a covered health care provider that had a treatment
relationship with an individual prior to the individual's enrollment in
a clinical trial, but that is now providing research-related treatment
to the individual, may elect to request a compound authorization from
the individual: an authorization under Sec. 164.508(d) for the provider
to use the protected health information it created prior to the
initiation of the research that involves treatment, combined with an
authorization under Sec. 164.508(f) regarding use and disclosure of
protected health information the covered provider will create for the
purpose of the clinical trial. This compound authorization would be
valid, provided the covered provider did not condition the research-
related treatment on obtaining the authorization required under
Sec. 164.508(f), as permitted in Sec. 164.508(b)(4)(i).
However, we anticipate that covered entities will almost always, if
not always, condition the provision of research-related treatment on
the individual signing the authorization under Sec. 164.508(f) for the
covered
[[Page 82521]]
entity's use or disclosure of protected health information created for
the research. Therefore, we expect that the vast majority of covered
providers who wish to use or disclose protected health information
about an individual that will be created for research that includes
treatment and wish to use existing protected health information about
that individual for the research that includes treatment, will be
required to obtain two authorizations from the individual: (1) an
authorization for the use and disclosure of protected health
information to be created for the research that involves treatment of
the individual (as required under Sec. 164.508(f)), and (2) an
authorization for the use of existing protected health information for
the research that includes treatment of the individual (as required
under Sec. 164.508(d)).
Effect of Authorization
As noted in the discussion about consents in the preamble to
Sec. 164.506, authorizations under this rule should not be construed to
waive, directly or indirectly, any privilege granted under federal,
state, or local laws or procedures.
Section 164.510--Uses and Disclosures Requiring an Opportunity for
the Individual To Agree or To Object
Introduction
Section 164.510 of the NPRM proposed the uses and disclosures of
protected health information that covered entities could make for
purposes other than treatment, payment, or health care operations and
for which an individual authorization would not have been required.
These allowable uses and disclosures were designed to permit and
promote key national health care priorities, and to promote the smooth
operation of the health care system. In each of these areas, the
proposal permitted, but would not have required, covered entities to
use or disclose protected health information.
We proposed to require covered entities to obtain the individual's
oral agreement before making a disclosure to a health care facility's
directory or to the individual's next-of-kin or to another person
involved in the individual's health care. Because there is an
expectation in these two areas that individuals will have some input
into a covered entity's decision to use or disclose protected health
information, we decided to place disclosures to health facility
directories and to persons involved in an individual's care in a
separate section. In the final rule, requirements regarding disclosure
of protected health information for facility directories and to others
involved in an individual's care are included in Sec. 164.510(a) and
Sec. 164.510(b), respectively. In the final rule, we include in
Sec. 164.510(b) provisions to address a type of disclosure not
addressed in the NPRM: disclosures to entities providing relief and
assistance in disasters such as floods, fires, and terrorist attacks.
Requirements for most of the remaining categories of disclosures
addressed in proposed Sec. 164.510 of the NPRM are included in a new
Sec. 164.512 of the final rule, as discussed below.
Section 164.510 of the final rule addresses situations in which the
interaction between the covered entity and the individual is relatively
informal and agreements are made orally, without written authorizations
for use or disclosure. In general, under the final rule, to disclose or
use protected health information for these purposes, covered entities
must inform individuals in advance and must provide a meaningful
opportunity for the individual to prevent or restrict the disclosure.
In exceptional circumstances, where even this informal discussion
cannot practicably take place, covered entities are permitted to make
decisions regarding disclosure or use based on the exercise of
professional judgment of what is in the individual's best interest.
Section 164.510(a)--Use and Disclosure for Facility Directories
The NPRM proposed to allow covered health care providers to
disclose through an inpatient facility's directory a patient's name,
location in the facility, and general health condition, provided that
the individual had agreed to the disclosure. The NPRM would have
allowed this agreement to be oral. Pursuant to the NPRM, when making
decisions about incapacitated individuals, a covered health care
provider could have disclosed such information at the entity's
discretion and consistent with good medical practice and any prior
expressions of patient preference of which the covered entity was
aware.
The preamble to the NPRM listed several factors that we encouraged
covered entities to take into account when making decisions about
whether to include an incapacitated patient's information in the
directory. These factors included: (1) Whether disclosing that an
individual is in the facility could reasonably cause harm or danger to
the individual (e.g., if it appeared that an unconscious patient had
been abused and disclosing the information could give the attacker
sufficient information to seek out the person and repeat the abuse);
(2) whether disclosing a patient's location within a facility
implicitly would give information about the patient's condition (e.g.,
whether a patient's room number revealed that he or she was in a
psychiatric ward); (3) whether it was necessary or appropriate to give
information about patient status to family or friends (e.g., if giving
information to a family member about an unconscious patient could help
a physician administer appropriate medications); and (4) whether an
individual had, prior to becoming incapacitated, expressed a preference
not to be included in the directory. The preamble stated that if a
covered entity learned of such a preference, it would be required to
act in accordance with the preference.
The preamble to the NPRM said that when individuals entered a
facility in an incapacitated state and subsequently gained the ability
to make their own decisions, health facilities should ask them within a
reasonable time period for permission to include their information in
the facility's directory.
In the final rule, we change the NPRM's opt-in authorization
requirement to an opt-out approach for inclusion of patient information
in a health care facility's directory. The final rule allows covered
health care providers--which in this case are health care facilities--
to include patient information in their directory only if: (1) They
inform incoming patients of their policies regarding the directory; (2)
they give patients a meaningful opportunity to opt out of the directory
listing or to restrict some or all of the uses and disclosures that can
be included in the directory; and (3) the patient does not object to
being included in the directory. A patient must be allowed, for
example, to have his or her name and condition included in the
directory while not having his or her religious affiliation included.
The facility's notice and the individual's opt-out or restriction may
be oral.
Under the final rule, subject to the individual's right to object,
or known prior expressed preferences, a covered health care provider
may disclose the following information to persons who inquire about the
individual by name: (1) The individual's general condition in terms
that do not communicate specific medical information about the
individual (e.g., fair, critical, stable, etc.); and (2) location in
the facility. This approach represents a slight change to the NPRM,
which did not require members of the general public to ask for a
patient by name in order to obtain directory information and which,
[[Page 82522]]
in fact, would have allowed covered entities to disclose the
individual's name as part of directory information.
Under the final rule, we also establish provisions for disclosure
of directory information to clergy that are slightly different from
those which apply for disclosure to the general public. Subject to the
individual's right to object or restrict the disclosure, the final rule
permits a covered entity to disclose to a member of the clergy: (1) The
individual's name; (2) the individual's general condition in terms that
do not communicate specific medical information about the individual;
(3) the individual's location in the facility; and (4) the individual's
religious affiliation. A disclosure of directory information may be
made to members of the clergy even if they do not inquire about an
individual by name. We note that the rule in no way requires a covered
health care provider to inquire about the religious affiliation of an
individual, nor must individuals supply that information to the
facility. Individuals are free to determine whether they want their
religious affiliation disclosed to clergy through facility directories.
We believe that allowing clergy to access patient information
pursuant to this section does not violate the Establishment Clause of
the First Amendment, which prohibits laws ``respecting an establishment
of religion.'' Courts traditionally turn to the Lemon test when
evaluating laws that might raise Establishment Clause concerns. A law
does not violate the Clause if it has a secular purpose, is not
primarily to advance religion, and does not cause excessive government
entanglement with religion. The privacy regulation passes this test
because its purpose is to protect the privacy of individuals--
regardless of their religious affiliation--and it does not cause
excessive government entanglement.
More specifically, although this section provides a special rule
for members of the clergy, it does so as an accommodation to patients
who seek to engage in religious conduct. For example, restricting the
disclosure of an individual's religious affiliation, room number, and
health status to a priest could cause significant delay that would
inhibit the ability of a Catholic patient to obtain sacraments provided
during the last rites. We believe this accommodation does not violate
the Establishment Clause, because it avoids a government-imposed
restriction on the disclosure of information that could
disproportionately affect the practice of religion. In that way, it is
no different from accommodations upheld by the U.S. Supreme Court, such
as exceptions to laws banning the use of alcohol in religious
ceremonies.
The final rule expands the circumstances under which health care
facilities can disclose specified health information to the patient
directory without the patient's agreement. Besides allowing such
disclosures when patients are incapacitated, as the NPRM would have
allowed, the final rule allows such disclosures in emergency treatment
circumstances. For example, when a patient is conscious and capable of
making a decision, but is so seriously injured that asking permission
to include his or her information in the directory would delay
treatment such that the patient's health would be jeopardized, health
facilities can make decisions about including the patient's information
in the directory according to the same rules that apply when the
patient is incapacitated. The final rule modifies the NPRM requirements
for cases in which an incapacitated patient is admitted to a health
care facility. Whereas the NPRM would have allowed health care
providers to disclose an incapacitated patient's information to the
facility's directory ``at its discretion and consistent with good
medical practice and any prior expressions of preference of which the
covered entity [was] aware,'' the final rule states that in these
situations (and in other emergency treatment circumstances), covered
health care providers must make the decision on whether to include the
patient's information in the facility's directory in accordance with
professional judgment as to the patient's best interest. In addition,
when making decisions involving incapacitated patients and patients in
emergency situations, covered health care providers may decide to
include some portions of the patient's information (such as name) but
not other information (such as location in the facility) in order to
protect patient interests.
As in the preamble to the NPRM, we encourage covered health care
providers to take into account the four factors listed above when
making decisions about whether to include patient information in a
health care facility's directory when patients are incapacitated or are
in an emergency treatment circumstance. In addition, we retain the
requirement stated in the preamble of the NPRM that if a covered health
care provider learns of an incapacitated patient's prior expression of
preference not to be included in a facility's directory, the facility
must not include the patient's information in the directory. For cases
involving patients admitted to a health care facility in an
incapacitated or emergency treatment circumstance who during the course
of their stay become capable of decisionmaking, the final rule takes an
approach similar to that described in the NPRM. The final rule states
that when an individual who was incapacitated or in an emergency
treatment circumstance upon admission to an inpatient facility and
whose condition stabilizes such that he or she is capable of
decisionmaking, a covered health care provider must, when it becomes
practicable, inform the individual about its policies regarding the
facility's directory and provide the opportunity to object to the use
or disclosure of protected health information about themselves for the
directory.
Section 164.510(b)--Uses and Disclosures for Involvement in the
Individual's Care and Notification Purposes
In cases involving an individual with the capacity to make health
care decisions, the NPRM would have allowed covered entities to
disclose protected health information about the individual to a next-
of-kin, to other family members, or to close personal friends of the
individual if the individual had agreed orally to such disclosure. If
such agreement could not practicably or reasonably be obtained (e.g.,
when the individual was incapacitated), the NPRM would have allowed
disclosure of protected health information that was directly relevant
to the person's involvement in the individual's health care, consistent
with good health professional practices and ethics. The NPRM defined
next-of-kin as defined under state law.
Under the final rule, we specify that covered entities may disclose
to a person involved in the current health care of the individual (such
as a family member, other relative, close personal friend, or any other
person identified by the individual) protected health information
directly related to the person's involvement in the current health care
of an individual or payment related to the individual's health care.
Such persons involved in care and other contact persons might include,
for example: blood relatives; spouses; roommates; boyfriends and
girlfriends; domestic partners; neighbors; and colleagues. Inclusion of
this list is intended to be illustrative only, and it is not intended
to change current practices with respect to: (1) Involvement of other
persons in individuals' treatment decisions; (2) informal information-
sharing among individuals involved in a person's care; or (3) sharing
of protected health
[[Page 82523]]
information to contact persons during a disaster. The final rule also
includes new language stating that covered entities may use or disclose
protected health information to notify or assist in notification of
family members, personal representatives, or other persons responsible
for an individual's care with respect to an individual's location,
condition, or death. These provisions allow, for example, covered
entities to notify a patient's adult child that his father has suffered
a stroke and to tell the person that the father is in the hospital's
intensive care unit.
The final rule includes separate provisions for situations in which
the individual is present and for when the individual is not present at
the time of disclosure. When the individual is present and has the
capacity to make his or her own decisions, a covered entity may
disclose protected health information only if the covered entity: (1)
Obtains the individual's agreement to disclose to the third parties
involved in their care; (2) provides the individual with an opportunity
to object to such disclosure and the individual does not express an
objection; or (3) reasonably infers from the circumstances, based on
the exercise of professional judgment, that the individual does not
object to the disclosure. Situations in which covered providers may
infer an individual's agreement to disclose protected health
information pursuant to option (3) include, for example, when a patient
brings a spouse into the doctor's office when treatment is being
discussed, and when a colleague or friend has brought the individual to
the emergency room for treatment.
We proposed that when a covered entity could not practicably obtain
oral agreement to disclose protected health information to next-of-kin,
relatives, or those with a close personal relationship to the
individual, the covered entity could make such disclosures consistent
with good health professional practice and ethics. In such instances,
we proposed that covered entities could disclose only the minimum
information necessary for the friend or relative to provide the
assistance he or she was providing. For example, health care providers
could not disclose to a friend or relative simply driving a patient
home from the hospital extensive information about the patient's
surgery or past medical history when the friend or relative had no need
for this information.
The final rule takes a similar approach. Under the final rule, when
an individual is not present (for example, when a friend of a patient
seeks to pick up the patient's prescription at a pharmacy) or when the
opportunity to agree or object to the use or disclosure cannot
practicably be provided due to the individual's incapacity or an
emergency circumstance, covered entities may, in the exercise of
professional judgment, determine whether the disclosure is in the
individual's best interests and if so, disclose only the protected
health information that is directly relevant to the person's
involvement with the individual's health care. For example, this
provision allows covered entities to inform relatives or others
involved in a patient's care, such as the person who accompanied the
individual to the emergency room, that a patient has suffered a heart
attack and to provide updates on the patient's progress and prognosis
when the patient is incapacitated and unable to make decisions about
such disclosures. In addition, this section allows covered entities to
disclose functional information to individuals assisting in a patient's
care; for example, it allows hospital staff to give information about a
person's mobility limitations to a friend driving the patient home from
the hospital. It also allows covered entities to use professional
judgment and experience with common practice to make reasonable
inferences of the individual's best interest in allowing a person to
act on an individual's behalf to pick up filled prescriptions, medical
supplies, X-rays, or other similar forms of protected health
information. Thus, under this provision, pharmacists may release a
prescription to a patient's friend who is picking up the prescription
for him or her. Section 164.510(b) is not intended to disrupt most
covered entities' current practices or state law with respect to these
types of disclosures.
This provision is intended to allow disclosures directly related to
a patient's current condition and should not be construed to allow, for
example, disclosure of extensive information about the patient's
medical history that is not relevant to the patient's current condition
and that could prove embarrassing to the patient. In addition, if a
covered entity suspects that an incapacitated patient is a victim of
domestic violence and that a person seeking information about the
patient may have abused the patient, covered entities should not
disclose information to the suspected abuser if there is reason to
believe that such a disclosure could cause the patient serious harm. In
all of these situations regarding possible disclosures of protected
health information about an patient who is not present or is unable to
agree to such disclosures due to incapacity or other emergency
circumstance, disclosures should be in accordance with the exercise of
professional judgment as to the patient's best interest.
This section is not intended to provide a loophole for avoiding the
rule's other requirements, and it is not intended to allow disclosures
to a broad range of individuals, such as journalists who may be curious
about a celebrity's health status. Rather, it should be construed
narrowly, to allow disclosures to those with the closest relationships
with the patient, such as family members, in circumstances when a
patient is unable to agree to disclosure of his or her protected health
information. Furthermore, when a covered entity cannot practicably
obtain an individual's agreement before disclosing protected health
information to a relative or to a person involved in the individual's
care and is making decisions about such disclosures consistent with the
exercise of professional judgment regarding the individual's best
interest, covered entities must take into account whether such a
disclosure is likely to put the individual at risk of serious harm.
Like the NPRM, the final rule does not require covered entities to
verify the identity of relatives or other individuals involved in the
individual's care. Rather, the individual's act of involving the other
persons in his or her care suffices as verification of their identity.
For example, the fact that a person brings a family member into the
doctor's office when treatment information will be discussed
constitutes verification of the involved person's identity for purposes
of this rule. Likewise, the fact that a friend arrives at a pharmacy
and asks to pick up a specific prescription for an individual
effectively verifies that the friend is involved in the individual's
care, and the rule allows the pharmacist to give the filled
prescription to the friend.
We also clarify that the final rule does not allow covered entities
to assume that an individual's agreement at one point in time to
disclose protected health information to a relative or to another
person assisting in the individual's care implies agreement to disclose
protected health information indefinitely in the future. We encourage
the exercise of professional judgment in determining the scope of the
person's involvement in the individual's care and the time period for
which the individual is agreeing to the other person's involvement. For
example, if a friend simply picks up a patient from the hospital but
has played no other role
[[Page 82524]]
in the individual's care, hospital staff should not call the friend to
disclose lab test results a month after the initial encounter with the
friend. However, if a patient routinely brings a spouse into the
doctor's office when treatment is discussed, a physician can infer that
the spouse is playing a long-term role in the patient's care, and the
rule allows disclosure of protected health information to the spouse
consistent with his or her role in the patient's care, for example,
discussion of treatment options.
The NPRM did not specifically address situations in which disaster
relief organizations may seek to obtain protected health information
from covered entities to help coordinate the individual's care, or to
notify family or friends of an individual's location or general
condition in a disaster situation. In the final rule, we account for
disaster situations in this paragraph. Specifically, we allow covered
entities to use or disclose protected health information without
individual agreement to federal, state, or local government agencies
engaged in disaster relief activities, as well as to private disaster
relief or disaster assistance organizations (such as the Red Cross)
authorized by law or by their charters to assist in disaster relief
efforts, to allow these organizations to carry out their
responsibilities in a specific disaster situation. Covered entities may
make these disclosures to disaster relief organizations, for example,
so that these organizations can help family members, friends, or others
involved in the individual's care to locate individuals affected by a
disaster and to inform them of the individual's general health
condition. This provision also allows disclosure of information to
disaster relief or disaster assistance organizations so that these
organizations can help individuals obtain needed medical care for
injuries or other health conditions caused by a disaster.
We encourage disaster relief organizations to protect the privacy
of individual health information to the extent practicable in a
disaster situation. However, we recognize that the nature of disaster
situations often makes it impossible or impracticable for disaster
relief organizations and covered entities to seek individual agreement
or authorization before disclosing protected health information
necessary for providing disaster relief. Thus, we note that we do not
intend to impede disaster relief organizations in their critical
mission to save lives and reunite loved ones and friends in disaster
situations.
Section 164.512--Uses and Disclosures for Which Consent, an
Authorization, or Opportunity To Agree or Object Is Not Required
Introduction
The final rule's requirements regarding disclosures for directory
information and to family members or others involved in an individual's
care are in a section separate from that covering disclosures allowed
for other national priority purposes. In the final rule, we place most
of the other disclosures for national priority purposes in a new
Sec. 164.512.
As in the NPRM, in Sec. 164.512 of the final rule, we allow covered
entities to make these national priority uses and disclosures without
individual authorization. As in the NPRM, these uses and disclosures
are discretionary. Covered entities are free to decide whether or not
to use or disclose protected health information for any or all of the
permitted categories. However, as in the NPRM, nothing in the final
rule provides authority for a covered entity to restrict or refuse to
make a use or disclosure mandated by other law.
The new Sec. 164.512 includes paragraphs on: Uses and disclosures
required by law; uses and disclosures for public health activities;
disclosures about victims of abuse, neglect, or domestic violence; uses
and disclosures for health oversight activities; disclosures for
judicial and administrative proceedings; disclosures for law
enforcement purposes; uses and disclosures about decedents; uses and
disclosures for cadaveric donation of organs, eyes, or tissues; uses
and disclosures for research purposes; uses and disclosures to avert a
serious threat to health or safety (which we had called ``emergency
circumstances'' in the NPRM); uses and disclosures for specialized
government functions (referred to as ``specialized classes'' in the
NPRM); and disclosures to comply with workers' compensation laws.
Section 164.512(c) in the final rule, which addresses uses and
disclosures regarding adult victims of abuse, neglect and domestic
violence, is new, although it incorporates some provisions from
proposed Sec. 164.510 of the NPRM. In the final rule we also eliminate
proposed Sec. 164.510(g) on government health data systems and proposed
Sec. 164.510(i) on banking and payment processes. These changes are
discussed below.
Approach to Use of Protected Health Information
Proposed Sec. 164.510 of the NPRM included specific subparagraphs
addressing uses of protected health information by covered entities
that were also public health agencies, health oversight agencies,
government entities conducting judicial or administrative proceedings,
or government heath data systems. Such covered entities could use
protected health information in all instances for which they could
disclose the information for these purposes. In the final rule, as
discussed below, we retain this language in the paragraphs on public
health activities and health oversight. However, we eliminate this
clause with respect to uses of protected health information for
judicial and administrative proceedings, because we no longer believe
that there would be any situations in which a covered entity would also
be a judicial or administrative tribunal. Proposed Sec. 164.510(e) of
the NPRM, regarding disclosure of protected health information to
coroners, did not include such a provision. In the final rule we have
added it because we believe there are situations in which a covered
entity, for example, a public hospital conducting post-mortem
investigations, may need to use protected health information for the
same purposes for which it would have disclosed the information to a
coroner.
While the right to request restrictions under Sec. 164.522 and the
consents required under Sec. 164.506 do not apply to the use and
disclosure of protected health information under Sec. 164.512, we do
not intend to preempt any state or other restrictions, or any right to
enforce such agreements or consents under other law.
We note that a covered entity may use or disclose protected health
information as permitted by and in accordance with one of the
paragraphs of Sec. 164.512, regardless of whether that use or
disclosure fails to meet the requirements for use or disclosure under a
different paragraph in Sec. 164.512 or elsewhere in the rule.
Verification for Disclosures Under Sec. 164.512
In Sec. 164.510(a) of the NPRM, we proposed that covered entities
verify the identity and authority of persons to whom they made
disclosure under the section. In the final rule, we generally have
retained the proposed requirements. Verification requirements are
discussed in Sec. 164.514 of the final rule.
Section 164.512(a)--Uses and Disclosures Required by Law
In the NPRM we would have allowed covered entities to use or
disclose protected health information without individual authorization
where such use
[[Page 82525]]
or disclosure was required by other law, as long as the use or
disclosure met all relevant requirements of such law. However, a
legally mandated use or disclosure which fell into one or more of the
national priority purposes expressly identified in proposed
Sec. 164.510 of the NPRM would have been subject to the terms and
conditions specified by the applicable paragraph of proposed
Sec. 164.510. Thus, a disclosure required by law would have been
allowed only to the extent it was not otherwise prohibited or
restricted by another provision in proposed Sec. 164.510. For example,
mandatory reporting to law enforcement officials would not have been
allowed unless such disclosures conformed to the requirements of
proposed Sec. 164.510(f) of the NPRM, on uses and disclosures for law
enforcement purposes. As explained in the NPRM, this provision was not
intended to obstruct access to information deemed important enough by
federal, state or other government authorities to require it by law.
In Sec. 164.512(a) of the final rule, we retain the proposed
approach, and we permit covered entities to comply with laws requiring
the use or disclosure of protected health information, provided the use
or disclosure meets and is limited to the relevant requirements of such
other laws. To more clearly address where the substantive and
procedural requirements of other provisions in this section apply, we
have deleted the general sentence from the NPRM which stated that the
provision ``does not apply to uses or disclosures that are covered by
paragraphs (b) through (m)'' of proposed Sec. 164.510. Instead, in
Sec. 164.512 (a)(2) we list the specific paragraphs that have
additional requirements with which covered entities must comply. They
are disclosures about victims of abuse, neglect or domestic violence
(Sec. 164.512(c)), for judicial and administrative proceedings
(Sec. 164.512(e)), and for law enforcement purposes (Sec. 164.512(f)).
We include a new definition of ``required by law.'' See Sec. 164.501.
We clarify that the requirements provided for in Sec. 164.514(h)
relating to verification apply to disclosures under this paragraph.
Those provisions require covered entities to verify the identity and
authority of persons to whom they make disclosures. We note that the
minimum necessary requirements of Sec. 164.514(d) do not apply to
disclosures made under this paragraph.
We note that this rule does not affect what is required by other
law, nor does it compel a covered entity to make a use or disclosure of
protected health information required by the legal demands or reporting
requirements listed in the definition of ``required by law.'' Covered
entities will not be sanctioned under this rule for responding in good
faith to such legal process and reporting requirements. However,
nothing in this rule affects, either by expanding or contracting, a
covered entity's right to challenge such process or reporting
requirements under other laws. The only disclosures of protected health
information compelled by this rule are disclosures to an individual (or
the personal representative of an individual) or to the Secretary for
the purposes of enforcing this rule.
Uses and disclosures permitted under this paragraph must be limited
to the protected health information necessary to meet the requirements
of the law that compels the use or disclosure. For example, disclosures
pursuant to an administrative subpoena are limited to the protected
health information authorized to be disclosed on the face of the
subpoena.
Section 164.512(b)--Uses and Disclosures for Public Health Activities
The NPRM would have allowed covered entities to disclose protected
health information without individual authorization to: (1) A public
health authority authorized by law to collect or receive such
information for the purpose of preventing or controlling disease,
injury, or disability, including, but not limited to, the reporting of
disease, injury, vital events such as birth or death, and the conduct
of public health surveillance, public health investigations, and public
health interventions; (2) a public health authority or other
appropriate authority authorized by law to receive reports of child
abuse or neglect; (3) a person or entity other than a governmental
authority that could demonstrate or demonstrated that it was acting to
comply with requirements or direction of a public health authority; or
(4) a person who may have been exposed to a communicable disease or may
otherwise be at risk of contracting or spreading a disease or condition
and was authorized by law to be notified as necessary in the conduct of
a public health intervention or investigation.
In the final rule, we broaden the scope of permissible disclosures
pursuant to item (1) listed above. We narrow the scope of disclosures
permissible under item (3) of this list, and we add language to clarify
the scope of permissible disclosures with respect to item (4) on the
list. We broaden the scope of allowable disclosures regarding item (1)
by allowing covered entities to disclose protected health information
not only to U.S. public health authorities but also, at the direction
of a public health authority, to an official of a foreign government
agency that is acting in collaboration with a public health authority.
For example, we allow covered entities to disclose protected health
information to a foreign government agency that is collaborating with
the Centers for Disease Control and Prevention to limit the spread of
infectious disease.
We narrow the conditions under which covered entities may disclose
protected health information to non-government entities. We allow
covered entities to disclose protected health information to a person
subject to the FDA's jurisdiction, for the following activities: to
report adverse events (or similar reports with respect to food or
dietary supplements), product defects or problems, or biological
product deviations, if the disclosure is made to the person required or
directed to report such information to the FDA; to track products if
the disclosure is made to a person required or directed by the FDA to
track the product; to enable product recalls, repairs, or replacement,
including locating and notifying individuals who have received products
regarding product recalls, withdrawals, or other problems; or to
conduct post-marketing surveillance to comply with requirements or at
the direction of the FDA.
The terms included in Sec. 164.512(b)(iii) are intended to have
both their commonly understood meanings, as well as any specialized
meanings, pursuant to the Food, Drug, and Cosmetic Act (21 U.S.C. 321
et seq.) or the Public Health Service Act (42 U.S.C. 201 et seq.). For
example, ``post-marketing surveillance'' is intended to mean activities
related to determining the safety or effectiveness of a product after
it has been approved and is in commercial distribution, as well as
certain Phase IV (post-approval) commitments by pharmaceutical
companies. With respect to devices, ``post-marketing surveillance'' can
be construed to refer to requirements of section 522 of the Food, Drug,
and Cosmetic Act regarding certain implanted, life-sustaining, or life-
supporting devices. The term ``track'' includes, for example, tracking
devices under section 519(e) of the Food, Drug, and Cosmetic Act, units
of blood or other blood products, as well as trace-backs of
contaminated food.
In Sec. 164.512(b)(iii), the term ``required'' refers to
requirements in statute, regulation, order, or other
[[Page 82526]]
legally binding authority exercised by the FDA. The term ``directed,''
as used in this section, includes other official agency communications
such as guidance documents.
We note that under this provision, a covered entity may disclose
protected health information to a non-governmental organization without
individual authorization for inclusion in a private data base or
registry only if the disclosure is otherwise for one of the purposes
described in this provision (e.g., for tracking products pursuant to
FDA direction or requirements, for post-marketing surveillance to
comply with FDA requirements or direction.)
To make a disclosure that is not for one of these activities,
covered entities must obtain individual authorization or must meet the
requirements of another provision of this rule. For example, covered
entities may disclose protected health information to employers for
inclusion in a workplace surveillance database only: with individual
authorization; if the disclosure is required by law; if the disclosure
meets the requirements of Sec. 164.512(b)(v); or if the disclosure
meets the conditions of another provision of this regulation, such as
Sec. 154.512(i) relating to research. Similarly, if a pharmaceutical
company seeks to create a registry containing protected health
information about individuals who had taken a drug that the
pharmaceutical company had developed, covered entities may disclose
protected health information without authorization to the
pharmaceutical company pursuant to FDA requirements or direction. If
the pharmaceutical company's registry is not for any of these purposes,
covered entities may disclose protected health information to it only
with patient authorization, if required by law, or if disclosure meets
the conditions of another provision of this rule.
The final rule continues to permit covered entities to disclose
protected health information without individual authorization directly
to public health authorities, such as the Food and Drug Administration,
the Occupational Safety and Health Administration, the Centers for
Disease Control and Prevention, as well as state and local public
health departments, for public health purposes as specified in the
NPRM.
The final rule retains the NPRM provision allowing covered entities
to disclose protected health information to public health authorities
or other appropriate government authorities authorized by law to
receive reports of child abuse or neglect. In addition, we clarify the
NPRM's provision regarding disclosure of protected health information
to persons who may have been exposed to a communicable disease or who
may otherwise be at risk of contracting or spreading a disease or
condition. Under the final rule, covered entities may disclose
protected health information to such individuals when the covered
entity or public health authority is authorized by law to notify these
individuals as necessary in the conduct of a public health intervention
or investigation.
In addition, as in the NPRM, under the final rule, a covered entity
that is acting as a public health authority--for example, a public
hospital conducting infectious disease surveillance in its role as an
arm of the public health department--may use protected health
information in all cases for which it is allowed to disclose such
information for public health activities as described above.
The proposed rule did not contain a specific provision relating to
disclosures by covered health care providers to employers concerning
work-related injuries or illnesses or workplace medical surveillance.
Under the proposed rule, a covered entity would have been permitted to
disclose protected health information without individual authorization
for public health purposes to private person if the person could
demonstrate that it was acting to comply with requirements or at the
direction of a public health authority.
As discussed above, in the final rule we narrow the scope of this
paragraph as it applies to disclosures to persons other than public
health authorities. To ensure that covered health care providers may
make disclosures of protected health information without individual
authorization to employers when appropriate under federal and state
laws addressing work-related injuries and illnesses or workplace
medical surveillance, we include a new provision in the final rule. The
provision permits covered health care providers who provide health care
as a workforce member of or at the request of an employer to disclose
to that employer protected health information concerning work-related
injuries or illnesses or workplace medical surveillance in situations
where the employer has a duty under the Occupational Safety and Health
Act, the Federal Mine Safety and Health Act, or under a similar state
law, to keep records on or act on such information. For example, OSHA
regulations in 29 CFR part 1904 require employers to record work-
related injuries and illnesses if medical treatment is necessary; MSHA
regulations at 30 CFR part 50 require mine operators to report injuries
and illnesses experienced by miners. Similarly, OSHA rules require
employers to monitor employees' exposure to certain substances and to
remove employees from exposure when toxic thresholds have been met. To
obtain the relevant health information necessary to determine whether
an injury or illness should be recorded, or whether an employee must be
medically removed from exposure at work, employers must refer employees
to health care providers for examination and testing.
OSHA and MSHA rules do not impose duties directly upon health care
providers to disclose health information pertaining to recordkeeping
and medical monitoring requirements to employers. Rather, these rules
operate on the presumption that health care providers who provide
services at the request of an employer will be able to disclose to the
employer work-related health information necessary for the employer to
fulfill its compliance obligations. This new provision permits covered
entities to make disclosures necessary for the effective functioning of
OSHA and MSHA requirements, or those of similar state laws, by
permitting a health care provider to make disclosures without the
authorization of the individual concerning work-related injuries or
illnesses or workplace medical surveillance in situations where the
employer has a duty under OSHA and MSHA requirements, or under a
similar state laws, to keep records on or act on such information.
We require health care providers who make disclosures to employers
under this provision to provide notice to individuals that it discloses
protected health information to employers relating to the medical
surveillance of the workplace and work-related illnesses and injuries.
The notice required under this provision is separate from the notice
required under Sec. 164.520. The notice required under this provision
may be met giving a copy of the notice to the individual at the time it
provides the health care services, or, if the health care services are
provided on the work site of the employer, by posting the notice in a
prominent place at the location where the health care services are
provided.
This provision applies only when a covered health care provider
provides health care services as a workforce member of or at the
request of an employer and for the purposes discussed above. The
provision does not affect the application of this rule to other health
care provided to
[[Page 82527]]
individuals or to their relationship with health care providers that
they select.
Section 164.512(c)--Disclosures About Victims of Abuse, Neglect or
Domestic Violence
The NPRM included two provisions related to disclosures about
persons who are victims of abuse. In the NPRM, we would have allowed
covered entities to report child abuse to a public health authority or
other appropriate authority authorized by law to receive reports of
child abuse or neglect. In addition, under proposed Sec. 164.510(f)(3)
of the NPRM, we would have allowed covered entities to disclose
protected health information about a victim of a crime, abuse or other
harm to a law enforcement official under certain circumstances. The
NPRM recognized that most, if not all, states had laws that mandated
reporting of child abuse or neglect to the appropriate authorities.
Moreover, HIPAA expressly carved out state laws on child abuse and
neglect from preemption or any other interference. The NPRM further
acknowledged that most, but not all, states had laws mandating the
reporting of abuse, neglect or exploitation of the elderly or other
vulnerable adults. We did not intend to impede reporting in compliance
with these laws.
The final rule includes a new paragraph, Sec. 164.512(c), which
allows covered entities to report protected health information to
specified authorities in abuse situations other than those involving
child abuse and neglect. In the final rule, disclosures of protected
health information related to child abuse continues to be addressed in
the paragraph allowing disclosure for public health activities
(Sec. 164.512(b)), as described above. Because HIPAA addresses child
abuse specifically in connection with a state's public health
activities, we believe it would not be appropriate to include child
abuse-related disclosures in this separate paragraph on abuse. State
laws continue to apply with respect to child abuse, and the final rule
does not in any way interfere with a covered entity's ability to comply
with these laws.
In the final rule, we address disclosures about other victims of
abuse, neglect and domestic violence in Sec. 164.512(c) rather than in
the law enforcement paragraph. Section 164.512(c) establishes
conditions for disclosure of protected health information in cases
involving domestic violence other than child abuse (e.g., spousal
abuse), as well as those involving abuse or neglect (e.g., abuse of
nursing home residents or residents of facilities for the mentally
retarded). This paragraph addresses reports to law enforcement as well
as to other authorized public officials. The provisions of this
paragraph supersede the provisions of Sec. 164.512(a) and
Sec. 164.512(f)(1)(i) to the extent that those provisions address the
subject matter of this paragraph.
Under the circumstances described below, the final rule allows
covered entities to disclose protected health information about an
individual whom the covered entity reasonably believes to be a victim
of abuse, neglect, or domestic violence. In this paragraph, references
to ``individual'' should be construed to mean the individual believed
to be the victim. The rule allows such disclosure to any governmental
authority authorized by law to receive reports of such abuse, neglect,
or domestic violence. These entities may include, for example, adult
protective or social services agencies, state survey and certification
agencies, ombudsmen for the aging or those in long-term care
facilities, and law enforcement or oversight.
The final rule specifies three circumstances in which disclosures
of protected health information is allowed in order to report abuse,
neglect or domestic violence. First, this paragraph allows disclosure
of protected health information related to abuse if required by law and
the disclosure complies with and is limited to the relevant
requirements of such law. As discussed below, the final rule requires
covered entities that make such disclosures pursuant to a state's
mandatory reporting law to inform the individual of the report.
Second, this paragraph allows covered entities to disclose
protected health information related to abuse if the individual has
agrees to such disclosure. When considering the possibility of
disclosing protected health information in an abuse situation pursuant
to this section, we encourage covered entities to seek the individual's
agreement whenever possible.
Third, this paragraph allows covered entities to disclose protected
health information about an individual without the individual's
agreement if the disclosure is expressly authorized by statute or
regulation and either: (1) The covered entity, in the exercise of its
professional judgment, believes that the disclosure is necessary to
prevent serious harm to the individual or to other potential victims;
or (2) if the individual is unable to agree due to incapacity, a law
enforcement or other public official authorized to received the report
represents that the protected health information for which disclosure
is sought is not intended to be used against the individual, and that
an immediate enforcement activity that depends on the disclosure would
be materially and adversely affected by waiting until the individual is
able to agree to the disclosure.
We emphasize that disclosure under this third part of the paragraph
also may be made only if it is expressly authorized by statute or
regulation. We use this formulation, rather than the broader ``required
by law,'' because of the heightened privacy and safety concerns in
these situations. We believe it appropriate to defer to other public
determinations regarding reporting of this information only where a
legislative or executive body has determined the reporting to be of
sufficient importance to warrant enactment of a law or promulgation of
a regulation. Law and regulations reflect a clear decision to authorize
the particular disclosure of protected health information, and reflect
greater public accountability (e.g., through the required public
comment process or because enacted by elected representatives).
For example, a Wisconsin law (Wis. Stat Sec. 46.90(4)) states that
any person may report to a county agency or state official that he or
she believes that abuse or neglect has occurred. Pursuant to
Sec. 164.512(c)(1)(iii), a covered entity may make a report only if the
specific type or subject matter of the report (e.g., abuse or neglect
of the elderly) is included in the law authorizing the report, and such
a disclosure may only be made to a public authority specifically
identified in the law authorizing the report. Furthermore, we note that
disclosures under this part of the paragraph are further limited to two
circumstances. In the first case, a covered entity, in the exercise of
professional judgment, must believe that the disclosure is necessary to
prevent serious harm to the individual or to other potential victims.
The second case addresses situations in which an individual who is a
victim of abuse, neglect or domestic violence is unable to agree due to
incapacity and a law enforcement or other public official authorized to
receive the report represents that the protected health information for
which disclosure is sought is not intended to be used against the
individual and that an immediate law enforcement activity that depends
on the disclosure would be materially and adversely affected by waiting
until the individual if able to agree to the disclosure. We note that,
in this second case, a covered entity may exercise discretion,
consistent with professional judgment as to the patient's
[[Page 82528]]
best interest, in deciding whether to make the requested disclosure.
The rules governing disclosure in this third set of circumstances
are different from those governing disclosures pursuant to
Sec. 164.512(f)(3) regarding disclosure to law enforcement about
victims of crime and other harm. We believe that in abuse situations--
to a greater extent than in situations involving crime victims in
general--there is clear potential for abusers to cause further serious
harm to the victim or to others, such as other family members in a
household or other residents of a nursing home. The provisions allowing
reporting of abuse when authorized by state law, as described above,
are consistent with principles articulated by the AMA's Council on
Ethical and Judicial Affairs, which state that when reporting abuse is
voluntary under state law, it is justified when necessary to prevent
serious harm to a patient. Through the provisions of Sec. 164.512(c),
we recognize the unique circumstances surrounding abuse and domestic
violence, and we seek to provide an appropriate balance between
individual privacy interests and important societal interests such as
preventing serious harm to other individuals. We note that here we are
relying on covered entities, in the exercise of professional judgment,
to determine what is in the best interests of the patient.
Finally, we require covered entities to inform the individual in
all of the situations described above that the covered entity has
disclosed protected health information to report abuse, neglect, or
domestic violence. We allow covered entities to provide this
information orally. We do not require written notification, nor do we
encourage it, due to the sensitivity of abuse situations and the
potential for the abuser to cause further harm to the individual if,
for example, a covered entity sends written notification to the home of
the individual and the abuser. Whenever possible, covered entities
should inform the individual at the same time that they determine abuse
has occurred and decide that the abuse should be reported. In cases
involving patient incapacity, we encourage covered entities to inform
the individual of such disclosures as soon as it is practicable to do
so.
The rule provides two exceptions to the requirement to inform the
victim about a report to a government authority, one based on concern
for future harm and one based on past harm. First, a covered entity
need not inform the victim if the covered entity, in the exercise of
professional judgment, believes that informing the individual would
place the individual at risk of serious harm. We believe that this
exception is necessary to address the potential for future harm, either
physical or emotional, that the individual may face from knowing that
the report has been made. Second, a covered entity may choose not to
meet the requirement for informing the victim, if the covered entity
actually would be informing a personal representative (such as a parent
of a minor) and the covered entity reasonably believes that such person
is responsible for the abuse, neglect, or other injury that has already
occurred and that informing that person would not be in the
individual's best interests.
Section 164.512(d)--Uses and Disclosures for Health Oversight
Activities
Under Sec. 164.510(c) of the NPRM, we proposed to permit covered
entities to disclose protected health information to health oversight
agencies for oversight activities authorized by law, including audit,
investigation, inspection, civil, criminal, or administrative
proceeding or action, or other activity necessary for appropriate
oversight of: (i) the health care system; (ii) government benefit
programs for which health information is relevant to beneficiary
eligibility; or (iii) government regulatory programs for which health
information is necessary for determining compliance with program
standards.
In Sec. 164.512(d) of the final rule, we modify the proposed
language to include civil and criminal investigations. In describing
``other activities necessary for oversight'' of particular entities, we
add the phrase ``entities subject to civil rights laws for which health
information is necessary for determining compliance.'' In addition, in
the final rule, we add ``licensure or disciplinary actions'' to the
list of oversight activities authorized by law for which covered
entities may disclose protected health information to health oversight
agencies. The NPRM's definition of ``health oversight agency'' (in
proposed Sec. 164.504) included this phrase, but it was inadvertently
excluded from the regulation text at proposed Sec. 164.510(c). We make
this change in the regulation text of the final rule to conform to the
NPRM's definition of health oversight agency and to reflect the full
range of activities for which we intend to allow covered entities to
disclose protected health information to health oversight agencies.
The NPRM would have allowed, but would not have required, covered
entities to disclose protected health information to public oversight
agencies and to private entities acting under grant of authority from
or under contract with oversight agencies for oversight purposes
without individual authorization for health oversight activities
authorized by law. When a covered entity was also an oversight agency,
it also would have been permitted to use protected health information
in all cases in which it would have been allowed to disclose such
information for health oversight purposes. The NPRM would not have
established any new administrative or judicial process prior to
disclosure for health oversight, nor would it have permitted
disclosures forbidden by other law. The proposed rule also would not
have created any new right of access to health records by oversight
agencies, and it could not have been used as authority to obtain
records not otherwise legally available to the oversight agency.
The final rule retains this approach to health oversight. As in the
NPRM, the final rule provides that when a covered entity is also an
oversight agency, it is allowed to use protected health information in
all cases in which it is allowed to disclose such information for
health oversight purposes. For example, if a state insurance department
is acting as a health plan in operating the state's Medicaid managed
care program, the final rule allows the insurance department to use
protected health information in all cases for which the plan can
disclose the protected health information for health oversight
purposes. For example, the state insurance department in its capacity
as the state Medicaid managed care plan can use protected health
information in the process of investigating and disciplining a state
Medicaid provider for attempting to defraud the Medicaid system. As in
the NPRM, the final rule does not establish any new administrative or
judicial process prior to disclosure for health oversight, nor does it
prohibit covered entities from making any disclosures for health
oversight that are otherwise required by law. Like the NPRM, it does
not create any new right of access to health records by oversight
agencies and it cannot be used as authority to obtain records not
otherwise legally available to the oversight agency.
Overlap Between Law Enforcement and Oversight
Under the NPRM, the proposed definitions of law enforcement and
oversight, and the rules governing disclosures for these purposes
[[Page 82529]]
overlapped. Specifically, this overlap occurred because: (1) The NPRM
preamble, but not the NPRM regulation text, indicated that agencies
conducting both oversight and law enforcement activities would be
subject to the oversight requirements when conducting oversight
activities; and (2) the NPRM addressed some disclosures for
investigations of health care fraud in the law enforcement paragraph
(proposed Sec. 164.510(f)(5)(i)), while health care fraud
investigations are central to the purpose of health care oversight
agencies (covered under proposed Sec. 164.510(c)). In the final rule,
we make substantial changes to these provisions, in an attempt to
prevent confusion.
In Sec. 164.512(d)(2), we include explicit decision rules
indicating when an investigation is considered law enforcement and when
an investigation is considered oversight under this regulation. An
investigation or activity is not considered health oversight for
purposes of this rule if: (1) The individual is the subject of the
investigation or activity; and (2) The investigation or activity does
not arise out of and is not directly related to: (a) The receipt of
health care; (b) a claim for public benefits related to health; or (c)
qualification for, or receipt of public benefits or services where a
patient's health is integral to the claim for benefits or services. In
such cases, where the individual is the subject of the investigation
and the investigation does not relate to issues (a) through (c), the
rules regarding disclosure for law enforcement purposes (see
Sec. 164.512(f)) apply. For the purposes of this rule, we intend for
investigations regarding issues (a) through (c) above to mean
investigations of health care fraud.
Where the individual is not the subject of the activity or
investigation, or where the investigation or activity relates to the
subject matter in (a) through (c) of the preceding sentence, a covered
entity may make a disclosure pursuant to Sec. 164.512(d)(1). For
example, when the U.S. Department of Labor's Pension and Welfare
Benefits Administration (PWBA) needs to analyze protected health
information about health plan enrollees in order to conduct an audit or
investigation of the health plan (i.e., the enrollees are not subjects
of the investigation) to investigate potential fraud by the plan, the
health plan may disclose protected health information to the PWBA under
the health oversight rules. These rules and distinctions are discussed
in greater detail in our responses to comments.
To clarify further that health oversight disclosure rules apply
generally in health care fraud investigations (subject to the exception
described above), in the final rule, we eliminate proposed
Sec. 164.510(f)(5)(i), which would have established requirements for
disclosure related to health care fraud for law enforcement purposes.
All disclosures of protected health information that would have been
permitted under proposed Sec. 164.510(f)(5)(i) are permitted under
Sec. 164.512(d).
In the final rule, we add new language (Sec. 164.512(d)(3)) to
address situations in which health oversight activities are conducted
in conjunction with an investigation regarding a claim for public
benefits not related to health (e.g., claims for Food Stamps). In such
situations, for example, when a state Medicaid agency is working with
the Food Stamps program to investigate suspected fraud involving
Medicaid and Food Stamps, covered entities may disclose protected
health information to the entities conducting the joint investigation
under the health oversight provisions of the rule.
In the proposed rule, the definitions of ``law enforcement
proceeding'' and ``oversight activity'' both included the phrase
``criminal, civil, or administrative proceeding.'' For reasons
explained below, the final rule retains this phrase in both
definitions. The final rule does not attempt to distinguish between
these activities based on the agency undertaking them or the applicable
enforcement procedures. Rather, as described above, the final rule
carves out certain activities which must always be considered law
enforcement for purposes of disclosure of protected health information
under this rule.
Additional Considerations
We note that covered entities are permitted to initiate disclosures
that are permitted under this paragraph. For example, a covered entity
could disclose protected health information in the course of reporting
suspected health care fraud to a health oversight agency.
We delete language in the NPRM that would have allowed disclosure
under this section only to law enforcement officials conducting or
supervising an investigation, official inquiry, or a criminal, civil or
administrative proceeding authorized by law. In some instances, a
disclosure by a covered entity under this section will initiate such an
investigation or proceeding, but it will not already be ongoing at the
time the disclosure is made.
Section 164.512(e)--Disclosures and Uses for Judicial and
Administrative Proceedings
Section 164.512(e) addresses when a covered entity is permitted to
disclose protected health information in response to requests for
protected health information that are made in the course of judicial
and administrative proceedings--for example, when a non-party health
care provider receives a subpoena (under Federal Rule of Civil
Procedure Rule 45 or similar provision) for medical records from a
party to a law suit. In the NPRM we would have allowed covered entities
to disclose protected health information in the course of any judicial
or administrative proceeding: (1) In response to an order of a court or
administrative tribunal; or (2) where an individual was a party to the
proceeding and his or her medical condition or history was at issue and
the disclosure was pursuant to lawful process or otherwise authorized
by law. Under the NPRM, if the request for disclosure of protected
health information was accompanied by a court order, a covered entity
could have disclosed that protected health information which the court
order authorized to be disclosed. If the request for disclosure of
protected health information were not accompanied by a court order,
covered entities could not have disclosed the information requested
unless a request authorized by law had been made by the agency
requesting the information or by legal counsel representing a party to
litigation, with a written statement certifying that the protected
health information requested concerned a litigant to the proceeding and
that the health condition of the litigant was at issue at the
proceeding.
In Sec. 164.512(e) of the final rule, we permit covered entities to
disclose protected health information in a judicial or administrative
proceeding if the request for such protected health information is made
through or pursuant to an order from a court or administrative tribunal
or in response to a subpoena or discovery request from, or other lawful
process by a party to the proceeding. When a request is made pursuant
to an order from a court or administrative tribunal, a covered entity
may disclose the information requested without additional process. For
example, a subpoena issued by a court constitutes a disclosure which is
required by law as defined in this rule, and nothing in this rule is
intended to interfere with the ability of the covered entity to comply
with such subpoena.
[[Page 82530]]
However, absent an order of, or a subpoena issued by, a court or
administrative tribunal, a covered entity may respond to a subpoena or
discovery request from, or other lawful process by, a party to the
proceeding only if the covered entity obtains either: (1) Satisfactory
assurances that reasonable efforts have been made to give the
individual whose information has been requested notice of the request;
or (2) satisfactory assurances that the party seeking such information
has made reasonable efforts to secure a protective order that will
guard the confidentiality of the information. In meeting the first
test, a covered entity is considered to have received satisfactory
assurances from the party seeking the information if that party
demonstrates that it has made a good faith effort (such as by sending a
notice to the individual's last known address) to provide written
notice to the individual whose information is the subject of the
request, that the written notice included sufficient information about
the proceeding to permit the individual to raise an objection, and that
the time for the individual to raise objections to the court or
administrative tribunal has elapsed and no objections were filed or any
objections filed by the individual have been resolved.
Unless required to do so by other law, the covered entity is not
required to explain the procedures (if any) available for the
individual to object to the disclosure. Under the rule, the individual
exercises the right to object before the court or other body having
jurisdiction over the proceeding, and not to the covered entity. The
provisions in this paragraph are not intended to disrupt current
practice whereby an individual who is a party to a proceeding and has
put his or her medical condition at issue will not prevail without
consenting to the production of his or her protected health
information. In such cases, we presume that parties will have ample
notice and an opportunity to object in the context of the proceeding in
which the individual is a party.
As described above, in this paragraph we also permit a covered
entity to disclose protected health information in response to a
subpoena, discovery request, or other lawful process if the covered
entity receives satisfactory assurances that the party seeking the
information has made reasonable efforts to seek a qualified protective
order that would protect the privacy of the information. A ``qualified
protective order'' means an order of a court or of an administrative
tribunal or a stipulation that: (1) Prohibits the parties from using or
disclosing the protected health information for any purpose other than
the litigation or proceeding for which the records are requested; and
(2) requires the return to the covered entity or destruction of the
protected health information (including all copies made) at the end of
the litigation or proceeding. Satisfactory assurances of reasonable
efforts to secure a qualified protective order are a statement and
documentation that the parties to the dispute have agreed to a
protective order and that it has been submitted to the court or
administrative tribunal with jurisdiction, or that the party seeking
the protected health information has requested a qualified protective
order from such court or tribunal. We encourage the development of
``model'' protective orders that will facilitate adherence with this
subpart.
In the final rule we also permit the covered entity itself to
satisfy the requirement to make reasonable efforts to notify the
individual whose information has been requested or to seek a qualified
protective order. We intend this to be a permissible activity for
covered entities: we do not require covered entities to undertake these
efforts in response to a subpoena, discovery request, or similar
process (other than an order from a court or administrative tribunal).
If a covered entity receives such a request without receiving the
satisfactory assurances described above from the party requesting the
information, the covered entity is free to object to the disclosure and
is not required to undertake the reasonable efforts itself.
We clarify that the provisions of this paragraph do not supersede
or otherwise invalidate other provisions of this rule that permit uses
and disclosures of protected health information. For example, the fact
that protected health information is the subject of a matter before a
court or tribunal does not prevent its disclosure under another
provision of the rule, such as Secs. 164.512(b), 164.512(d), or
164.512(f), even if a public agency's method of requesting the
information is pursuant to an administrative proceeding. For example,
where a public agency commences a disciplinary action against a health
professional, and requests protected health information as part of its
investigation, the disclosure made be made to the agency under
paragraph (d) of this section (relating to health oversight) even if
the method of making the request is through the proceeding. As with any
request for disclosure under this section, the covered entity will need
to verify the authority under which the request is being made, and we
expect that public agencies will identify their authority when making
such requests. We note that covered entities may reasonably rely on
assertions of authority made by government agencies.
Additional Considerations
Where a disclosure made pursuant to this paragraph is required by
law, such as in the case of an order from a court or administrative
tribunal, the minimum necessary requirements in Sec. 164.514(d) do not
apply to disclosures made under this paragraph. A covered entity making
a disclosure under this paragraph, however, may of course disclose only
that protected health information that is within the scope of the
permitted disclosure. For instance, in response to an order of a court
or administrative tribunal, the covered entity may disclose only the
protected health information that is expressly authorized by such an
order. Where a disclosure is not considered under this rule to be
required by law, the minimum necessary requirements apply, and the
covered entity must make reasonable efforts to limit the information
disclosed to that which is reasonably necessary to fulfill the request.
A covered entity is not required to second guess the scope or purpose
of the request, or take action to resist the request because they
believe that it is over broad. In complying with the request, however,
the covered entity must make reasonable efforts not to disclose more
information than is requested. For example, a covered entity may not
provide a party free access to its medical records under the theory
that the party can identify the information necessary for the request.
In some instances, it may be appropriate for a covered entity,
presented with a relatively broad discovery request, to permit access
to a relatively large amount of information in order for a party to
identify the relevant information. This is permissible as long as the
covered entity makes reasonable efforts to circumscribe the access as
appropriate.
The NPRM indicated that when a covered entity was itself a
government agency, the covered entity could use protected health
information in all cases in which it would have been allowed to
disclose such information in the course of any judicial or
administrative proceeding. As explained above, the final rule does not
include this provision.
[[Page 82531]]
Section 164.512(f)--Disclosure for Law Enforcement Purposes
Disclosures Pursuant to Process and as Otherwise Required by Law
In the NPRM we would have allowed covered entities to disclose
protected health information without individual authorization as
required by other law. However, as explained above, if a legally
mandated use or disclosure fell into one or more of the national
priority purposes expressly identified in other paragraphs of proposed
Sec. 164.510, the disclosure would have been subject to the terms and
conditions specified by the applicable paragraph of proposed
Sec. 164.510. For example, mandatory reporting to law enforcement
officials would not have been allowed unless such disclosures conformed
to the requirements of proposed Sec. 164.510(f) of the NPRM. Proposed
Sec. 164.510(f) did not explicitly recognize disclosures required by
other laws, and it would not have permitted covered entities to comply
with some state and other mandatory reporting laws that require covered
entities to disclose protected health information to law enforcement
officials, such as the reporting of gun shot wounds, stab wounds, and/
or burn injuries.
We did not intend to preempt generally state and other mandatory
reporting laws, and in Sec. 164.512(f)(1)(i) of the final rule, we
explicitly permit covered entities to disclose protected health
information for law enforcement purposes as required by other law. This
provision permits covered entities to comply with these state and other
laws. Under this provision, to the extent that a mandatory reporting
law falls under the provisions of Sec. 164.512(c)(1)(i) regarding
reporting of abuse, neglect, or domestic violence, the requirements of
those provisions supersede.
In the final rule, we specify that covered entities may disclose
protected health information pursuant to this provision in compliance
with and as limited by the relevant requirements of legal process or
other law. In the NPRM, for the purposes of this portion of the law
enforcement paragraph, we proposed to define ``law enforcement inquiry
or proceeding'' as an investigation or official proceeding inquiring
into a violation of or failure to comply with law; or a criminal, civil
or administrative proceeding arising from a violation of or failure to
comply with law. In the final rule, we do not include this definition
in Sec. 164.512(f), because it is redundant with the definition of
``law enforcement official'' in Sec. 164.501.
Proposed Sec. 164.510(f)(1) of the NPRM would have authorized
disclosure of protected health information to a law enforcement
official conducting or supervising a law enforcement inquiry or
proceeding authorized by law pursuant to process, under three
circumstances.
First, we proposed to permit such disclosures pursuant to a
warrant, subpoena, or other order issued by a judicial officer that
documented a finding by the officer. The NPRM did not specify
requirements for the nature of the finding. In the final rule, we
eliminate the requirement for a ``finding,'' and we make changes to the
list of orders in response to which covered entities may disclose under
this provision. Under the final rule, covered entities may disclose
protected health information in compliance with and as limited by
relevant requirements of: a court order or court-ordered warrant, or a
subpoena or summons issued by a judicial officer. We made this change
to the list to conform to the definition of ``required by law'' in
Sec. 164.501.
Second, we proposed to permit such disclosures pursuant to a state
or federal grand jury subpoena. In the final rule, we leave this
provision of the NPRM unchanged.
Third, we proposed to permit such disclosures pursuant to an
administrative request, including an administrative subpoena or
summons, a civil investigative demand, or similar process, under
somewhat stricter standards than exist today for such disclosures. We
proposed to permit a covered entity to disclose protected health
information pursuant to an administrative request only if the request
met three conditions, as follows: (i) The information sought was
relevant and material to a legitimate law enforcement inquiry; (ii) the
request was as specific and narrowly drawn as reasonably practicable;
and (iii) de-identified information could not reasonably have been used
to meet the purpose of the request.
The final rules generally adopts this provision of the NPRM. In the
final rule, we modify the list of orders in response to which covered
entities may disclose protected health information, to include
administrative subpoenas or summons, civil or authorized investigative
demands, or similar process authorized by law. We made this change to
the list to conform with the definition of ``required by law'' in
Sec. 164.501. In addition, we slightly modify the second of the three
conditions under which covered entities may respond to such requests,
to allow disclosure if the request is specific and is limited in scope
to the extent reasonably practicable in light of the purpose for which
the information is sought.
Limited Information for Identification and Location Purposes
The NPRM would have allowed covered entities to disclose ``limited
identifying information'' for purposes of identifying a suspect,
fugitive, material witness, or missing person, in response to a law
enforcement request. We proposed to define ``limited identifying
information'' as (i) name; (ii) address; (iii) Social Security number;
(iv) date of birth; (v) place of birth; (vi) type of injury or other
distinguishing characteristic; and (vii) date and time of treatment.
The final rules generally adopts this provision of the NPRM with a
few modifications. In the final rule, we expand the circumstances under
which limited information about suspects, fugitives, material
witnesses, and missing persons may be disclosed, to include not only
cases in which law enforcement officials are seeking to identify such
individuals, but also cases in which law enforcement officials are
seeking to locate such individuals. In addition, the final rule
modifies the list of data elements that may be disclosed under this
provision, in several ways. We expand the list of elements that may be
disclosed under these circumstances, to include ABO blood type and Rh
factor, as well as date and time of death, if applicable. We remove
``other distinguishing characteristic'' from the list of items that may
be disclosed for the location and identification purposes described in
this paragraph, and instead allow covered entities to disclose only a
description of distinguishing physical characteristics, such as scars
and tattoos, height, weight, gender, race, hair and eye color, and the
presence or absence of facial hair such as a beard or moustache. In
addition, in the final rule, protected health information associated
with the following cannot be disclosed pursuant to Sec. 164.512(f)(2):
DNA data and analyses; dental records; or typing, samples or analyses
of tissues or bodily fluids other than blood (e.g., saliva). If a
covered entity discloses additional information under this provision,
the covered entity will be out of compliance and subject to sanction.
We clarify our intent not to allow covered entities to initiate
disclosures of limited identifying information to law enforcement in
the absence of a law enforcement request; a covered entity may disclose
protected health information under this provision only in response to a
request from law enforcement. We allow a ``law enforcement official's
request'' to be
[[Page 82532]]
made orally or in writing, and we intend for it to include requests by
a person acting on behalf of law enforcement, for example, requests by
a media organization making a television or radio announcement seeking
the public's assistance in identifying a suspect. Such a request also
may include a ``Wanted'' poster and similar postings.
Disclosure About a Victim of Crime
The NPRM would have allowed covered entities to disclose protected
health information about a victim of a crime, abuse or other harm to a
law enforcement official, if the law enforcement official represented
that: (i) The information was needed to determine whether a violation
of law by a person other than the victim had occurred; and (ii)
immediate law enforcement activity that depended on obtaining the
information may have been necessary.
The final rule modifies the conditions under which covered entities
can disclose protected health information about victims. In addition,
as discussed above, the final rule includes a new Sec. 164.512(c),
which establishes conditions for disclosure of protected health
information about victims of abuse, neglect or domestic violence. In
addition, as discussed above, we have added Sec. 164.512(f)(1)(i) to
this paragraph to explicitly recognize that in some cases, covered
entities' disclosure of protected health information is mandated by
state or other law. The rule's requirements for disclosure in
situations not covered under mandatory reporting laws are different
from the rule's provisions regarding disclosure pursuant to a mandatory
reporting law.
The final rule requires covered entities to obtain individual
agreement as a condition of disclosing the protected health information
about victims to law enforcement, unless the disclosure is permitted
under Sec. 164.512(b) or (c) or Sec. 164.512(f)(1) above. The required
agreement may be obtained orally, and does not need to meet the
requirements of Sec. 164.508 of this rule (regarding authorizations).
The rule waives the requirement for individual agreement if the victim
is unable to agree due to incapacity or other emergency circumstance
and: (1) The law enforcement official represents that the protected
health information is needed to determine whether a violation of law by
a person other than the victim has occurred and the information is not
intended to be used against the victim; (2) the law enforcement
official represents that immediate law enforcement activity that
depends on such disclosure would be materially and adversely affected
by waiting until the individual is able to agree to the disclosure; and
(3) the covered entity, in the exercise of professional judgment,
determines that the disclosure is in the individual's best interests.
We intend that assessing the individual's best interests includes
taking into account any further risk of harm to the individual. This
provision does not allow covered entities to initiate disclosures of
protected health information to law enforcement; the disclosure must be
in response to a request from law enforcement.
We do not intend to create a new legal duty on the part of covered
entities with respect to the safety of their patients. Rather, we
intend to ensure that covered entities can continue to exercise their
professional judgment in these circumstances, on a case-by-case basis,
as they do today.
In some cases, a victim may also be a fugitive or suspect. For
example, an individual may receive a gunshot wound during a robbery and
seek treatment in a hospital emergency room. In such cases, when law
enforcement officials are requesting protected health information
because the individual is a suspect (and thus the information may be
used against the individual), covered entities may disclose the
protected health information pursuant to Sec. 164.512(f)(2) regarding
suspects and not pursuant to Sec. 164.512(f)(3) regarding victims.
Thus, in these situations, covered entities may disclose only the
limited identifying information listed in Sec. 164.512(f)(2)--not all
of the protected health information that may be disclosed under
Sec. 164.512(f)(3).
The proposed rule did not address whether a covered entity could
disclose protected health information to a law enforcement official to
alert the official of the individual's death.
Disclosures About Decedents
In the final rule, we add a new provision Sec. 164.512(f)(4) in
which we permit covered entities to disclose protected health
information about an individual who has died to a law enforcement
official for the purpose of alerting law enforcement of the death if
the covered entity has a suspicion that such death may have resulted
from criminal conduct. In such circumstances consent of the individual
is not available and it may be difficult to determine the identity of a
personal representative and gain consent for disclosure of protected
health information. Permitting disclosures in this circumstance will
permit law enforcement officials to begin their investigation into the
death more rapidly, increasingly the likelihood of success.
Intelligence and National Security Activities
Section 164.510(f)(4) of the NPRM would have allowed covered
entities to disclose protected health information to a law enforcement
official without individual authorization for the conduct of lawful
intelligence activities conducted pursuant to the National Security Act
of 1947 (50 U.S.C. 401 et seq.) or in connection with providing
protective services to the President or other individuals pursuant to
section 3056 of title 18, United States Code. In the final rule, we
move provisions regarding disclosures of protected health information
for intelligence and protective services activities to Sec. 164.512(k)
regarding uses and disclosures for specialized government functions.
Criminal Conduct on the Premises of a Covered Entity
The NPRM would have allowed covered entities on their own
initiative to disclose to law enforcement officials protected health
information that the covered entity believed in good faith constituted
evidence of criminal conduct that arose out of and was directly related
to: (A) The receipt of health care or payment for health care,
including a fraudulent claim for health care; (B) qualification for or
receipt of benefits, payments, or services based on a fraudulent
statement or material misrepresentation of the health of the
individual; that occurred on the covered entity's premises or was
witnessed by a member of the covered entity's workforce.
In the final rule, we modify this provision substantially, by
eliminating language allowing disclosures already permitted in other
sections of the regulation. The proposed provision overlapped with
other sections of the NPRM, in particular proposed Sec. 164.510(c)
regarding disclosure for health oversight activities. In the final
regulation, we clarify that this provision applies only to disclosures
to law enforcement officials of protected health information that the
covered entity believes in good faith constitutes evidence of a crime
committed on the premises. We eliminate proposed Sec. 164.510(f)(5)(i)
regarding health care fraud from the law enforcement section, because
all disclosures that would have been allowed under that provision are
allowed under Sec. 164.512(d) of the final rule (health oversight).
Similarly, in the final rule, we eliminate proposed
[[Page 82533]]
Sec. 164.510(f)(5)(iii) on disclosure of protected health information
to law enforcement officials regarding criminal activity witnessed by a
member of a health plan workforce. All disclosures that would have been
permitted by that provision are included in Sec. 164.512(f)(5), which
allows disclosure of information to report a crime committed on the
covered entity's premises, and by Sec. 164.502, which provides that a
covered entity is not in violation of the rule when a member of its
workforce or person working for a business associate uses or discloses
protected health information while acting as a ``whistle blower.''
Thus, Sec. 164.512(f)(5) allows covered entities to disclose health
information only on the good faith belief that it constitutes evidence
of a crime on their premises. The preamble to the NPRM said that if the
covered entity disclosed protected health information in good faith but
was wrong in its belief that the information was evidence of a
violation of law, the covered entity would not be subject to sanction
under this regulation. The final rule retains this approach.
Reporting Crime in Emergencies
The proposed rule did not address disclosures by emergency medical
personnel to a law enforcement official intended to alert law
enforcement about the commission of a crime. Because the provisions of
proposed rule were limited to individually identifiable health
information that was reduced to electronic form, many communications
that occur between emergency medical personnel and law enforcement
officials at the scene of a crime would not have been covered by the
proposed provisions.
In the final rule we include a new provision Sec. 164.512(f)(6)
that addresses ``911'' calls for emergency medical technicians as well
as other emergency health care in response to a medical emergency. The
final rule permits a covered health care provider providing emergency
health care in response to a medical emergency, other than such
emergency on the premises of the covered health care provider, to
disclose protected health information to a law enforcement official if
such disclosure appears necessary to alert law enforcement to (1) the
commission and nature of a crime, (2) the location of such crime or of
the victim(s) of such crime, and (3) the identity, description, and
location of the perpetrator of such crime. A disclosure is not
permitted under this section if health care provider believes that the
medical emergency is the result of abuse, neglect, or domestic violence
of the individual in need of emergency health care. In such cases,
disclosures to law enforcement would be governed by paragraph (c) of
this section.
This added provision recognizes the special role of emergency
medical technicians and other providers who respond to medical
emergencies. In emergencies, emergency medical personnel often arrive
on the scene before or at the same time as police officers,
firefighters, and other emergency response personnel. In these cases,
providers may be in the best position, and sometimes be the only ones
in the position, to alert law enforcement about criminal activity. For
instance, providers may be the first persons aware that an individual
has been the victim of a battery or an attempted murder. They may also
be in the position to report in real time, through use of radio or
other mechanism, information that may immediately contribute to the
apprehension of a perpetrator of a crime.
We note that disclosure under this provision is at the discretion
of the health care provider. Disclosures in some instances may be
governed more strictly, such as by applicable ethical standards and
state and local laws.
Finally, the NPRM also included a proposed Sec. 164.510(f)(5),
which duplicated proposed Sec. 164.510(f)(3). The final rule does not
include this duplicate provision.
Additional Considerations
As stated in the NPRM, this paragraph is not intended to limit or
preclude a covered entity from asserting any lawful defense or
otherwise contesting the nature or scope of the process when the
procedural rules governing the proceeding so allow. At the same time,
it is not intended to create a basis for appealing to federal court
concerning a request by state law enforcement officials. Each covered
entity will continue to have available legal procedures applicable in
the appropriate jurisdiction to contest such requests where warranted.
As was the case with the NPRM, this rule does not create any new
affirmative requirement for disclosure of protected health information.
Similarly, this section is not intended to limit a covered entity from
disclosing protected health information to law enforcement officials
where other sections of the rule permit such disclosure, e.g., as
permitted by Sec. 164.512(j) to avert an imminent threat to health or
safety, for health oversight activities, to coroners or medical
examiners, and in other circumstances permitted by the rule. For
additional provisions permitting covered entities to disclose protected
health information to law enforcement officials, see
Sec. 164.512(j)(1)(i) and (ii).
Under the NPRM and under the final rule, to obtain protected health
information, law enforcement officials must comply with whatever other
law is applicable. In certain circumstances, while this provision could
authorize a covered entity to disclose protected health information to
law enforcement officials, there could be additional applicable
statutes or rules that further govern the specific disclosure. If the
preemption provisions of this regulation do not apply, the covered
entity must comply with the requirements or limitations established by
such other law, regulation or judicial precedent. See Secs. 160.201
through 160.205. For example, if state law permits disclosure only
after compulsory process with court review, a provider or payor is not
allowed to disclose information to state law enforcement officials
unless the officials have complied with that requirement. Similarly,
disclosure of substance abuse patient records subject to, 42 U.S.C.
290dd-2, and the implementing regulations, 42 CFR part 2, continue to
be governed by those provisions.
In some instances, disclosure of protected health information to
law enforcement officials will be compelled by other law, for example,
by compulsory judicial process or compulsory reporting laws (such as
laws requiring reporting of wounds from violent crimes, suspected child
abuse, or suspected theft of controlled substances). As discussed
above, disclosure of protected health information under such other
mandatory law is permitted under Sec. 164.512(a).
In the responses to comments we clarify that items such as cells
and tissues are not protected health information, but that analyses of
them is. The same treatment would be given other physical items, such
as clothing, weapons, or a bloody knife. We note, however, that while
these items are not protected health information and may be disclosed,
some communications that could accompany the disclosure will be
protected health information under the rule. For example, if a person
provides cells to a researcher, and tells the researcher that these are
an identified individual's cancer cells, that accompanying statement is
protected health information about that individual. Similarly, if a
person provides a bullet to law enforcement, and tells law enforcement
that the bullet was extracted from an identified
[[Page 82534]]
individual, the person has disclosed the fact that the individual was
treated for a wound, and the additional statement is a disclosure of
protected health information.
To be able to make the additional statement accompanying the
provision of the bullet, a covered entity must look to the rule to find
a provision under which a disclosure may be made to law enforcement.
Section 164.512(f) of the rule addresses disclosures for law
enforcement purposes. Under Sec. 164.512(f)(1), the additional
statement may be disclosed to a law enforcement official if required by
law or with appropriate process. Under Sec. 164.512(f)(2), we permit
covered entities to disclose limited identifying information without
legal process in response to a request from a law enforcement official
for the purpose of identifying or locating a suspect, fugitive,
material witness, or missing person. Thus, in the case of bullet
described above, the covered entity may, in response to a law
enforcement request, provide the extracted bullet and such additional
limited identifying information as is permitted under
Sec. 164.512(f)(2).
Section 164.512(g)--Uses and Disclosures About Decedents
In the NPRM we proposed to allow covered entities to disclose
protected health information without individual authorization to
coroners and medical examiners, consistent with applicable law, for
identification of a deceased person or to determine cause of death.
In Sec. 164.512(g) of the final rule, we permit covered entities to
disclose protected health information to coroners, medical examiners,
and funeral directors as part of a new paragraph on disclosures related
to death. The final rule retains the NPRM approach regarding disclosure
of protected health information to coroners and medical examiners, and
it allows the information disclosed to coroners and medical examiners
to include identifying information about other persons that may be
included in the individual's medical record. Redaction of such names is
not required prior to disclosing the individual's record to coroners or
medical examiners. Since covered entities may also perform duties of a
coroner or medical examiner, where a covered entity is itself a coroner
or medical examiner, the final rule permits the covered entity to use
protected health information in all cases in which it is permitted to
disclose such information for its duties as a coroner or medical
examiner.
Section 164.512(g) allows covered entities to disclose protected
health information to funeral directors, consistent with applicable
law, as necessary to carry out their duties with respect to a decedent.
For example, the rule allows hospitals to disclose to funeral directors
the fact that an individual has donated an organ or tissue, because
this information has implications for funeral home staff duties
associated with embalming. When necessary for funeral directors to
carry out their duties, covered entities may disclose protected health
information prior to and in reasonable anticipation of the individual's
death.
Whereas the NPRM did not address the issue of disclosure of
psychotherapy notes without individual authorization to coroners and
medical examiners, the final rule allows such disclosures.
The NPRM did not include in proposed Sec. 164.510(e) language
stating that where a covered entity was itself a coroner or medical
examiner, it could use protected health information for the purposes of
engaging in a coroner's or a medical examiner's activities. The final
rule includes such language to address situations such as where a
public hospital performs medical examiner functions. In such cases, the
hospital's on-staff coroners can use protected health information while
conducting post-mortem investigations, and other hospital staff can
analyze any information associated with these investigations, for
example, as part of the process of determining the cause of the
individual's death.
Section 164.512(h)--Uses and Disclosures for Cadaveric Donation of
Organs, Eyes, or Tissues
In the NPRM we proposed to include the procurement or banking of
blood, sperm, organs, or any other tissue for administration to
patients in the definition of ``health care'' (described in proposed
Sec. 160.103). The NPRM's proposed approach did not differentiate
between situations in which the donor was competent to consent to the
donation--for example, when an individual is donating blood, sperm, a
kidney, or a liver or lung lobe--and situations in which the donor was
deceased, for example, when cadaveric organs and tissues were being
donated. We also proposed to allow use and disclosure of protected
health information for treatment without consent.
In the final rule, we take a different approach. In
Sec. 164.512(h), we permit covered entities to disclose protected
health information without individual authorization to organ
procurement organizations or other entities engaged in the procurement,
banking, or transplantation of cadaveric organs, eyes, or tissue for
donation and transplantation. This provision is intended to address
situations in which an individual has not previously indicated whether
he or she seeks to donate organs, eyes, or tissues (and therefore
authorized release of protected health information for this purpose).
In such situations, this provision is intended to allow covered
entities to initiate contact with organ and tissue donation and
transplantation organizations to facilitate transplantation of
cadaveric organs, eyes, and tissues.
Disclosures and Uses for Government Health Data Systems
In the NPRM we proposed to permit covered entities to disclose
protected health information to a government agency, or to a private
entity acting on behalf of a government agency, for inclusion in a
government health data system collecting health data for analysis in
support of policy, planning, regulatory, or management functions
authorized by law. The NPRM stated that when a covered entity was
itself a government agency collecting health data for these functions,
it could use protected health information in all cases for which it was
permitted to disclose such information to government health data
systems.
In the final rule, we eliminate the provision that would have
allowed covered entities to disclose protected health information to
government health data systems without authorization. Thus, under the
final rule, covered entities cannot disclose protected health
information without authorization to government health data systems--or
to private health data systems--unless the disclosure is permissible
under another provision of the rule.
Disclosures for Payment Processes
In the NPRM we proposed to permit covered entities to disclose, in
connection with routine banking activities or payment by debit, credit,
or other payment card, or other payment means, the minimum amount of
protected health information necessary to complete a banking or payment
activity to financial institutions or to entities acting on behalf of
financial institutions to authorize, process, clear, settle, bill,
transfer, reconcile, or collect payments for financial institutions.
The preamble to the NPRM clarified the proposed rule's intent
regarding disclosure of diagnostic and treatment information along with
payment
[[Page 82535]]
information to financial institutions. The preamble to the proposed
rule said that diagnostic and treatment information never was necessary
to process a payment transaction. The preamble said we believed that in
most cases, the permitted disclosure would include only: (1) The name
and address of the account holder; (2) the name and address of the
payor or provider; (3) the amount of the charge for health services;
(4) the date on which health services were rendered; (5) the expiration
date for the payment mechanism, if applicable; and (6) the individual's
signature. The preamble noted that the proposed regulation text did not
include an exclusive list of information that could lawfully be
disclosed to process payments, and it solicited comments on whether
more elements would be needed for banking and payment transactions and
on whether including a specific list of protected health information
that could be disclosed was an appropriate approach.
The preamble also noted that under section 1179 of HIPAA, certain
activities of financial institutions were exempt from this rule, to the
extent that these activities constituted authorizing, processing,
clearing, settling, billing, transferring, reconciling, or collecting
payments for health care or health plan premiums.
In the final rule, we eliminate the NPRM's provision on ``banking
and payment processes.'' All disclosures that would have been allowed
pursuant to proposed Sec. 164.510(i) are allowed under Sec. 164.502(a)
of the final rule, regarding disclosure for payment purposes.
Section 164.512(i)--Uses and Disclosures for Research Purposes
The NPRM would have permitted covered entities to use and disclose
protected health information for research--regardless of funding
source--without individual authorization, provided that the covered
entity obtained documentation of the following:
(1) A waiver, in whole or in part, of authorization for the use or
disclosure of protected health information was approved by an
Institutional Review Board (IRB) or a privacy board that was composed
as stipulated in the proposed rule;
(2) The date of approval of the waiver, in whole or in part, of
authorization by an IRB or privacy board;
(3) The IRB or privacy board had determined that the waiver, in
whole or in part satisfied the following criteria:
(i) The use or disclosure of protected health information involves
no more than minimal risk to the subjects;
(ii) The waiver will not adversely affect the rights and welfare of
the subjects;
(iii) The research could not practicably be conducted without the
waiver;
(iv) Whenever appropriate, the subjects will be provided with
additional pertinent information after participation;
(v) The research could not practicably be conducted without access
to and use of the protected health information;
(vi) The research is of sufficient importance so as to outweigh the
intrusion of the privacy of the individual whose information is subject
to the disclosure;
(vii) There is an adequate plan to protect the identifiers from
improper use and disclosure; and
(viii) There is an adequate plan to destroy the identifiers at the
earliest opportunity consistent with the conduct of the research,
unless there is a health or research justification for retaining the
identifiers; and
(4) The written documentation was signed by the chair of, as
applicable, the IRB or the privacy board.
The NPRM also proposed that IRBs and privacy boards be permitted to
adopt procedures for ``expedited review'' similar to those provided in
the Common Rule (Common Rule Sec. ____.110) for records research that
involved no more than minimal risk. However, this provision for
expedited review was not included in the proposed regulation text.
The board that would determine whether the research protocol met
the eight specified criteria for waiving the patient authorization
requirements (described above), could have been an IRB constituted as
required by the Common Rule, or a privacy board, whose proposed
composition is described below. The NPRM proposed no requirements for
the location or sponsorship of the IRB or privacy board. Under the
NPRM, the covered entity could have created such a board and could have
relied on it to review research proposals for uses and disclosures of
protected health information for research. A covered entity also could
have relied on the necessary documentation from an outside researcher's
own university IRB or privacy board. In addition, a covered entity
could have engaged the services of an outside IRB or privacy board to
obtain the necessary documentation.
Absent documentation that the requirements described above had been
met, the NPRM would have required individuals' authorization for the
use or disclosure of protected health information for research,
pursuant to the authorization requirements in proposed Sec. 164.508.
For research conducted with patient authorization, documentation of IRB
or privacy board approval would not have been required.
The final rule retains the NPRM's proposed framework for permitting
uses and disclosures of protected health information for research
purposes, although we are making several important changes for the
final rule. These changes are discussed below:
Documentation Requirements of IRB or Privacy Board Approval of Waiver
The final rule retains these documentation requirements, but
modifies some of them and includes two additional documentation
requirements. The final rule's modifications to the NPRM's proposed
documentation requirements are described first, followed by a
description of the three documentation requirements added in the final
rule.
The final rule makes the following modifications to the NPRM's
proposed documentation requirements for the waiver of individual
authorization:
1. IRB and privacy board membership. The NPRM stipulated that to
meet the requirements of proposed Sec. 164.510(j), the documentation
would need to indicate that the IRB had been composed as required by
the Common Rule (Sec. ____.107), and the privacy board had been
composed as follows: ``(A) Has members with varying backgrounds and
appropriate professional competency as necessary to review the research
protocol; (B) Includes at least one member who is not affiliated with
the entity conducting the research, or related to a person who is
affiliated with such entity; and (C) Does not have any member
participating in a review of any project in which the member has a
conflict of interest'' (Sec. 164.510(j)(1)(ii)).
The final rule modifies the first of the requirements for the
composition of a privacy board to focus on the effect of the research
protocol on the individual's privacy rights and related interests.
Therefore, under the final rule, the required documentation must
indicate that the privacy board has members with varying backgrounds
and appropriate professional competency as necessary to review the
effect of the research protocol on the individual's privacy rights and
related interests.
In addition, the final rule further restricts the NPRM's proposed
requirement that the privacy board include at least one member who was
[[Page 82536]]
not affiliated with the entity conducting the research, or related to a
person who is affiliated with such entity. Under the final rule, the
board must include at least one member who is not affiliated with the
covered entity, not affiliated with any entity conducting or sponsoring
the research, and not related to any person who is affiliated with such
entities.
The other documentation requirements for the composition of an IRB
and privacy board remain the same.
2. Waiver of authorization criteria. The NPRM proposed to prohibit
the use or disclosure of protected health information for research
without individual authorization as stipulated in proposed Sec. 164.508
unless the covered entity had documentation indicating that an IRB or
privacy board had determined that the following waiver criteria had
been met:
(i) The use or disclosure of protected health information involves
no more than minimal risk to the subjects;
(ii) The waiver will not adversely affect the rights and welfare of
the subjects;
(iii) The research could not practicably be conducted without the
waiver;
(iv) Whenever appropriate, the subjects will be provided with
additional pertinent information after participation;
(v) The research could not be practicably be conducted without
access to and use of the protected health information;
(vi) The research is of sufficient importance so as to outweigh the
intrusion of the privacy of the individual whose information is subject
to the disclosure;
(vii) There is an adequate plan to protect the identifiers from
improper use and disclosure; and
(viii) There is an adequate plan to destroy the identifiers at the
earliest opportunity consistent with the conduct of the research,
unless there is a health or research justification for retaining the
identifiers.
The final rule continues to permit the documentation of IRB or
privacy board approval of a waiver of an authorization as required by
Sec. 164.508, to indicate that only some or all of the Sec. 164.508
authorization requirements have been waived. In addition, the final
rule clarifies that the documentation of IRB or privacy board approval
may indicate that the authorization requirements have been altered.
Also, for all of the proposed waiver of authorization criteria that
used the term ``subject,'' we replace this term with the term
``individual'' in the final rule.
In addition, the final rule (1) eliminates proposed waiver
criterion iv, (2) modifies proposed waiver criteria ii, iii, vi, and
viii, and (3) adds a waiver criterion.
Proposed waiver criterion ii (waiver criterion
Sec. 164.512(i)(2)(ii)(B) in the final rule) is revised as follows to
focus more narrowly on the privacy interests of individuals, and to
clarify that it also pertains to alterations of individual
authorization: ``the alteration or waiver will not adversely affect the
privacy rights and the welfare of the individuals.'' Under criterion
Sec. 164.512(i)(2)(ii)(B), the question is whether the alteration or
waiver of individual authorization would adversely affect the privacy
rights and the welfare of individuals, not whether the research project
itself would adversely affect the privacy rights or the welfare of
individuals.
Proposed waiver criterion iii (waiver criterion
Sec. 164.512(i)(2)(ii)(C) in the final rule) is revised as follows to
clarify that it also pertains to alterations of individual
authorization: ``the research could not practicably be conducted
without the alteration or waiver.''
Proposed waiver criterion vi (waiver criterion
Sec. 164.512(i)(2)(ii)(E) in the final rule) is revised as follows to
be more consistent with one of the Common Rule's requirements for the
approval of human subjects research (Common Rule, Sec. ____.111(a)(2)):
``the privacy risks to individuals whose protected health information
is to be used or disclosed are reasonable in relation to anticipated
benefits if any to individuals, and the importance of the knowledge
that may reasonably be expected to result from the research.'' Under
criterion Sec. 164.512(i)(2)(ii)(E), the question is whether the risks
to an individual's privacy from participating in the research are
reasonable in relation to the anticipated benefits from the research.
This criterion is unlike waiver criterion Sec. 164.512(i)(2)(ii)(B) in
that it focuses on the privacy risks and benefits of the research
project more broadly, not on the waiver of individual authorization.
Proposed waiver criterion viii (waiver criterion
Sec. 164.512(i)(2)(ii)(G) in the final rule) is revised as follows:
``there is an adequate plan to destroy the identifiers at the earliest
opportunity consistent with the conduct of the research, unless there
is a health or research justification for retaining the identifiers, or
such retention is otherwise required by law.''
In addition, the final rule includes another waiver criterion:
waiver criterion Sec. 164.512(i)(2)(ii)(H). The NPRM proposed no
restriction on a researcher's further use or disclosure of protected
health information that had been received under proposed
Sec. 164.510(j). The final rule requires that the covered entity obtain
written agreement from the person or entity receiving protected health
information under Sec. 164.512(i) not to re-use or disclose protected
health information to any other person or entity, except: (1) As
required by law, (2) for authorized oversight of the research project,
or (3) for other research for which the use or disclosure of protected
health information would be permitted by this subpart. For instance, in
assessing whether this criterion has been met, we encourage IRBs and
privacy boards to obtain adequate assurances that the protected health
information will not be disclosed to an individual's employer for
employment decisions without the individual's authorization.
3. Required signature. The rule broadens the types of individuals
who are permitted to sign the required documentation of IRB or privacy
board approval. The final rule requires the documentation of the
alteration or waiver of authorization to be signed by (1) the chair of,
as applicable, the IRB or the privacy board, or (2) a member of the IRB
or privacy board, as applicable, who is designated by the chair to sign
the documentation.
Furthermore, the final rule makes the following three additions to
the proposed documentation requirements for the alteration or waiver of
authorization:
1. Identification of the IRB or privacy board. The NPRM did not
propose that the documentation of waiver include a statement
identifying the IRB or privacy board that approved the waiver of
authorization. In the final rule we require that such a statement be
included in the documentation of alteration or waiver of individual
authorization. By this requirement we mean that the name of the IRB or
privacy board must be included in such documentation, not the names of
individual members of the board.
2. Description of protected health information approved for use or
disclosure. The NPRM did not propose that the documentation of waiver
include a description of the protected health information that the IRB
or privacy board had approved for use or disclosure without individual
authorization. In considering waiver of authorization criterion
Sec. 164.512(i)(2)(ii)(D), we expect the IRB or privacy board to
consider the amount of information that is minimally needed for the
study. The final rule requires that the documentation of IRB or
[[Page 82537]]
privacy board approval of the alteration or waiver of authorization
describe the protected health information for which use or access has
been determined to be necessary for the research by the IRB or privacy
board. For example, if the IRB or privacy board approves only the use
or disclosure of certain information from patients' medical records,
and not patients' entire medical record, this must be stated on the
document certifying IRB or privacy board approval.
3. Review and approval procedures. The NPRM would not have required
documentation of IRBs' or privacy boards' review and approval
procedures. In the final rule, the documentation of the alteration or
waiver of authorization must state that the alteration or waiver has
been reviewed and approved by: (1) an IRB that has followed the voting
requirements stipulated in the Common Rule (Sec. ____.108(b)), or the
expedited review procedures as stipulated in Sec. ____.110(b); or (2) a
privacy board that has reviewed the proposed research at convened
meetings at which a majority of the privacy board members are present,
including at least one member who is not affiliated with the covered
entity, not affiliated with any entity conducting or sponsoring the
research, and not related to any person who is affiliated with any such
entities, and the alteration or waiver of authorization is approved by
the majority of privacy board members present at the meeting, unless an
expedited review procedure is used.
For documentation of IRB approval that used an expedited review
procedure, the covered entity must ensure that the documentation
indicates that the IRB followed the expedited review requirements of
the Common Rule (Sec. ____.110). For documentation of privacy board
approval that used an expedited review procedure, the covered entity
must ensure that the documentation indicates that the privacy board met
the expedited review requirements of the privacy rule. In the final
rule, a privacy board may use an expedited review procedure if the
research involves no more than minimal risk to the privacy of the
individuals who are the subject of the protected health information for
which disclosure is being sought. If a privacy board elects to use an
expedited review procedure, the review and approval of the alteration
or waiver of authorization may be carried out by the chair of the
privacy board, or by one or more members of the privacy board as
designated by the chair. Use of the expedited review mechanism permits
review by a single member of the IRB or privacy board, but continues to
require that the covered entity obtain documentation that all of the
specified waiver criteria have been met.
Reviews Preparatory to Research
Under the NPRM, if a covered entity used or disclosed protected
health information for research, but the researcher did not record the
protected health information in a manner that persons could be
identified, such an activity would have constituted a research use or
disclosure that would have been subject to either the individual
authorization requirements of proposed Sec. 164.508 or the
documentation of the waiver of authorization requirements of proposed
Sec. 164.510(j).
The final rule permits the use and disclosure of protected health
information for research without requiring authorization or
documentation of the alteration or waiver of authorization, if the
research is conducted in such a manner that only de-identified
protected health information is recorded by the researchers and the
protected health information is not removed from the premises of the
covered entity. For such uses and disclosures of protected health
information, the final rule requires that the covered entity obtain
from the researcher representations that use or disclosure is sought
solely to review protected health information as necessary to prepare a
research protocol or for similar purposes preparatory to research, no
protected health information is to be removed from the covered entity
by the researcher in the course of the review, and the protected health
information for which use or access is sought is necessary for the
research purposes. The intent of this provision is to permit covered
entities to use and disclose protected health information to assist in
the development of a research hypothesis and aid in the recruitment of
research participants. We understand that researchers sometimes require
access to protected health information to develop a research protocol,
and to determine whether a specific covered entity has protected health
information of prospective research participants that would meet the
eligibility criteria for enrollment into a research study. Therefore,
this provision permits covered entities to use and disclose protected
health information for these preliminary research activities without
individual authorization and without documentation that an IRB or
privacy board has altered or waived individual authorization.
Research on Protected Health Information of the Deceased
The NPRM would have permitted the use and disclosure of protected
health information of deceased persons for research without the
authorization of a legal representative, and without the requirement
for written documentation of IRB or privacy board approval in proposed
Sec. 164.510(j). In the final rule, we retain the exception for uses
and disclosures for research purposes but in addition require that the
covered entity take certain protective measures prior to release of the
decedent's protected health information for such purposes.
Specifically, the final rule requires that the covered entity obtain
representation that the use or disclosure is sought solely for research
on the protected health information of decedent, and representation
that the protected health information for which use or disclosure is
sought is necessary for the research purposes. In addition, the final
rule allows covered entities to request from the researcher
documentation of the death of the individuals about whom protected
health information is being sought.
Good Faith Reliance
The final rule clarifies that covered entities are allowed to rely
on the IRB's or privacy board's representation that the research
proposal meets the documentation requirements of Sec. 164.512(i)(1)(i)
and the minimum necessary requirements of Sec. 164.514.
In addition, when using or disclosing protected health information
for reviews preparatory to research (Sec. 164.512(i)(1)(ii)) or for
research solely on the protected health information of decedents
(Sec. 164.512)(1)(iii)), the final rule clarifies that the covered
entity may rely on the requesting researcher's representation that the
purpose of the request is for one of these two purpose, and that the
request meets the minimum necessary requirements of Sec. 164.514.
Therefore, the covered entity has not violated the rule if the
requesting researcher misrepresents his or her intended use of the
protected health information to the covered entity.
Additional Research Provisions
Research Including Treatment
To the extent that a researcher provided treatment to persons as
part of a research study, the NPRM would have covered such researchers
as health care providers for purposes of that treatment, and required
that the researcher comply with all of the provisions of the rule that
[[Page 82538]]
would be applicable to health care providers. The final rule retains
this requirement.
Individual Access to Research Information
Under proposed Sec. 164.514, the NPRM would have applied the
proposed provision regarding individuals' access to records to research
that includes the delivery of treatment. The NPRM proposed an exception
to individuals' right to access protected health information for
clinical trials, where (1) protected health information was obtained by
a covered entity in the course of clinical trial, (2) the individual
agreed to the denial of access when consenting to participate in the
trial (if the individual's consent to participate was obtained), and
(3) the trial was still in progress.
Section 164.524 of the final rule retains this exception to access
for research that includes treatment. In addition, the final rule
requires that participants in such research be informed that their
right of access to protected health information about them will be
reinstated once the research is complete.
Obtaining the Individual's Authorization for Research
The NPRM would have required covered entities obtaining
individuals' authorization for the use or disclosure of information for
research to comply with the requirements applicable to individual
authorization for the release of protected health information (proposed
Sec. 164.508(a)(2)). If an individual had initiated the use or
disclosure of his/her protected health information for research, or any
other purpose, the covered entity would have been required to obtain a
completed authorization for the use or disclosure of protected health
information as proposed in Sec. 164.508(c).
The final rule retains these requirements for research conducted
with authorization, as required by Sec. 164.508. In addition, for the
use and disclosure of protected health information created by a covered
entity for the purpose, in whole or in part, of research that includes
treatment of the individual, the covered entity must meet the
requirements of Sec. 164.508(f).
Interaction with the Common Rule
The NPRM stated that the proposed rule would not override the
Common Rule. Where both the NPRM and the Common Rule would have applied
to research conducted by the covered entity--either with or without
individuals' authorization--both sets of regulations would have needed
to be followed. This statement remains true in the final rule. In
addition, we clarify that FDA's human subjects regulations must also be
followed if applicable.
Section 164.512(j)--Uses and Disclosures to Avert a Serious Threat to
Health or Safety
In the NPRM we proposed to allow covered entities to use or
disclose protected health information without individual
authorization--consistent with applicable law and ethics standards--
based on a reasonable belief that use or disclosure of the protected
health information was necessary to prevent or lessen a serious and
imminent threat to health or safety of an individual or of the public.
Pursuant to the NPRM, covered entities could have used or disclosed
protected health information in these emergency circumstances to a
person or persons reasonably able to prevent or lessen the threat,
including the target of the threat. The NPRM stated that covered
entities that made disclosures in these circumstances were presumed to
have acted under a reasonable belief if the disclosure was made in good
faith, based on credible representation by a person with apparent
knowledge or authority. The NPRM did not include verification
requirements specific to this paragraph.
In Sec. 164.512(j) of the final rule, we retain the NPRM's approach
to uses and disclosures made to prevent or lessen serious and imminent
threats to health or safety, as well as its language regarding the
presumption of good faith. We also clarify that: (1) Rules governing
these situations, which the NPRM referred to as ``emergency
circumstances,'' are not intended to apply to emergency care treatment,
such as health care delivery in a hospital emergency room; and (2) the
``presumption of good faith belief'' is intended to apply only to this
provision and not to all disclosures permitted without individual
authorization. The final rule allows covered entities to use or
disclose protected health information without an authorization on their
own initiative in these circumstances, when necessary to prevent or
lessen a serious and imminent threat, consistent with other applicable
ethical or legal standards.
The rule's approach is consistent with the ``duty to warn'' third
persons at risk, which has been established through case law. In
Tarasoff v. Regents of the University of California (17 Cal. 3d 425
(1976)), the Supreme Court of California found that when a therapist's
patient had made credible threats against the physical safety of a
specific person, the therapist had an obligation to use reasonable care
to protect the intended victim of his patient against danger, including
warning the victim of the danger. Many states have adopted, through
either statutory or case law, versions of the Tarasoff duty to warn.
The rule is not intended to create a duty to warn or disclose. Rather,
it permits disclosure to avert a serious and imminent threat to health
or safety consistent with other applicable legal or ethical standards.
If disclosure in these circumstances is prohibited by state law, this
rule would not allow the disclosure.
As indicated above, in some situations (for example, when a person
is both a fugitive and a victim and thus covered entities could
disclose protected health information pursuant either to
Sec. 164.512(f)(2) regarding fugitives or to Sec. 164.512(f)(3)
establishing conditions for disclosure about victims), more than one
section of this rule potentially could apply with respect to a covered
entity's potential disclosure of protected health information.
Similarly, in situations involving a serious and imminent threat to
public health or safety, law enforcement officials may be seeking
protected health information from covered entities to locate a
fugitive. In the final rule, we clarify that if a situation fits one
section of the rule (for example, Sec. 164.512(j) on serious and
imminent threats to health or safety), covered entities may disclose
protected health information pursuant to that section, regardless of
whether the disclosure also could be made pursuant to another section
(e.g., Sec. 164.512(f)), regarding disclosure to law enforcement
officials).
The proposed rule did not address situations in which covered
entities could make disclosures to law enforcement officials about oral
statements admitting participation in violent conduct or about
escapees.
In the final rule we permit, but do not require, covered entities
to use or disclose protected health information, consistent with
applicable law and standards of ethical conduct, in specific situations
in which the covered entity, in good faith, believes the use or
disclosure is necessary to permit law enforcement authorities to
identify or apprehend an individual. Under paragraph (j)(1)(ii)(A) of
this section, a covered entity may take such action because of a
statement by an individual admitting participation in a violent crime
that the covered entity reasonably believes may have resulted in
serious physical harm to the victim. The
[[Page 82539]]
protected health information that is disclosed in this case is limited
to the statement and to the protected health information included under
the limited identifying and location information in Sec. 164.512(f)(2),
such as name, address, and type of injury. Under paragraph
(j)(1)(ii)(B) of this section, a covered entity may take such action
where it appears from all the circumstances that the individual has
escaped from a correctional institution or from lawful custody.
A disclosure may not be made under paragraph (j)(1)(ii)(A) for a
statement admitting participation in a violent crime if the covered
entity learns the information in the course of counseling or therapy.
Similarly, such a disclosure is not permitted if the covered entity
learns the information in the course of treatment to affect the
propensity to commit the violent crimes that are described in the
individual's statements. We do not intend to discourage individuals
from speaking accurately in the course of counseling or therapy
sessions, or to discourage other treatment that specifically seeks to
reduce the likelihood that someone who has acted violently in the past
will do so again in the future. This prohibition on disclosure is
triggered once an individual has made a request to initiate or be
referred to such treatment, therapy, or counseling.
The provision permitting use and disclosure has been added in light
of the broadened definition in the final rule of protected health
information. Under the NPRM, protected health information meant
individually identifiable health information that is or has been
electronically transmitted or electronically maintained by a covered
entity. Under the final rule, protected health information includes
information transmitted by electronic media as well as such information
transmitted or maintained in any other form or medium. The new
definition includes oral statements to covered entities as well as
individually identifiable health information transmitted ``in any other
form.''
The definition of protected health information, for instance, would
now apply to a statement by a patient that is overheard by a hospital
security guard in a waiting room. Such a statement would have been
outside the scope of the proposed rule (unless it was memorialized in
an electronic record), but is within the scope of the final rule. For
the example with the hospital guard, the new provision permitting
disclosure of a statement by an individual admitting participation in a
violent crime would have the same effect as the proposed rule--the
statement could be disclosed to law enforcement, so long as the other
aspects of the regulation are followed. Similarly, where it appears
from all the circumstances that the individual has escaped from prison,
the expanded definition of protected health information should not
prevent the covered entity from deciding to report this information to
law enforcement.
The disclosures that covered entities may elect to make under this
paragraph are entirely at their discretion. These disclosures to law
enforcement are in addition to other disclosure provisions in the rule.
For example, under paragraph Sec. 164.512(f)(2) of this section, a
covered entity may disclose limited categories of protected health
information in response to a request from a law enforcement official
for the purpose of identifying or locating a suspect, fugitive,
material witness, or missing person. Paragraph Sec. 164.512(f)(1) of
this section permits a covered entity to make disclosures that are
required by other laws, such as state mandatory reporting laws, or are
required by legal process such as court orders or grand jury subpoena.
Section 164.512(k)--Uses and Disclosures for Specialized Government
Functions
Application to Military Services
In the NPRM we would have permitted a covered entity providing
health care to Armed Forces personnel to use and disclose protected
health information for activities deemed necessary by appropriate
military command authorities to assure the proper execution of the
military mission, where the appropriate military authority had
published by notice in the Federal Register (In the NPRM, we proposed
that the Department of Defense would publish this Federal Register
notice in the future.) The final rule takes a similar approach while
making some modifications to the NPRM. One modification concerns the
information that will be required in the Federal Register notice. The
NPRM would have required a listing of (i) appropriate military command
authorities; (ii) the circumstances for which use or disclosure without
individual authorization would be required; and (iii) activities for
which such use or disclosure would occur in order to assure proper
execution of the military mission. In the final rule, we eliminate the
third category and also slightly modify language in the second category
to read: ``the purposes for which the protected health information may
be used or disclosed.''
An additional modification concerns the rule's application to
foreign military and diplomatic personnel. The NPRM would have excluded
foreign diplomatic and military personnel, as well as their dependents,
from the proposed definition of ``individual,'' thereby excluding any
protected health information created about these personnel from the
NPRM's privacy protections. Foreign military and diplomatic personnel
affected by this provision include, for example, allied military
personnel who are in the United States for training. The final rule
applies a more limited exemption to foreign military personnel only
(Foreign diplomatic personnel will have the same protections granted to
all other individuals under the rule). Under the final rule, foreign
military personnel are not excluded from the definition of
``individual.'' Covered entities will be able to use and disclose
protected health information of foreign military personnel to their
appropriate foreign military authority for the same purposes for which
uses and disclosures are permitted for U.S. Armed Forces personnel
under the notice to be published in the Federal Register. Foreign
military personnel do have the same rights of access, notice, right to
request privacy protection, copying, amendment, and accounting as do
other individuals pursuant to Secs. 164.520-164.526 (sections on
access, notice, right to request privacy protection for protected
health information, amendment, inspection, copying) of the rule.
The NPRM likewise would have exempted overseas foreign national
beneficiaries from the proposed rule's requirements by excluding them
from the definition of ``individual.'' Under the final rule, these
beneficiaries no longer are exempt from the definition of
``individual.'' However, the rule's provisions do not apply to the
individually identifiable health information of overseas foreign
nationals who receive care provided by the Department of Defense, other
federal agencies, or by non-governmental organizations incident to U.S.
sponsored missions or operations.
The final rule includes a new provision to address separation or
discharge from military service. The preamble to the NPRM noted that
upon completion of individuals' military service, DOD and the
Department of Transportation routinely transfer entire military service
records, including protected health information to the Department of
Veterans Affairs so that
[[Page 82540]]
the file can be retrieved quickly if the individuals or their
dependents apply for veterans benefits. The NPRM would have required
consent for such transfers. The final rule no longer requires consent
in such situations. Thus, under the final rule, a covered entity that
is a component of DOD or the Department of Transportation may disclose
to DVA the protected health information of an Armed Forces member upon
separation or discharge from military service for the purpose of a
determination by DVA of the individual's eligibility for or entitlement
to benefits under laws administered by the Secretary of Veterans
Affairs.
Department of Veterans Affairs
Under the NPRM, a covered entity that is a component of the
Department of Veterans Affairs could have used and disclosed protected
health information to other components of the Department that determine
eligibility for, or entitlement to, or that provide benefits under the
laws administered by the Secretary of Veterans Affairs. In the final
rule, we retain this approach.
Application to Intelligence Community
The NPRM would have provided an exemption from its proposed
requirements to the intelligence community. As defined in section 4 of
the National Security Act, 50 U.S.C. 401a, the intelligence community
includes: the Office of the Director of Central Intelligence Agency;
the Office of the Deputy Director of Central Intelligence; the National
Intelligence Council and other such offices as the Director may
designate; the Central Intelligence Agency; the National Security
Agency; the Defense Intelligence Agency; the National Imagery and
Mapping Agency ; the National Reconnaissance Office; other offices
within the DOD for the collection of specialized national intelligence
through reconnaissance programs; the intelligence elements of the Army,
the Navy, the Air Force, the Marine Corps, the Federal Bureau of
Investigation, the Department of the Treasury, and the Department of
Energy; the Bureau of Intelligence and Research of the Department of
State; and such other elements of any other department or agency as may
be designated by the President, or designated jointly by the Director
of Central Intelligence and the head of the department or agency
concerned, as an element of the intelligence community. It would have
allowed a covered entity to use without individual authorization
protected health information of employees of the intelligence
community, and of their dependents, if such dependents were being
considered for posting abroad. The final rule does not include such an
exemption. Rather, the final rule does not except intelligence
community employees and their dependents from the general rule
requiring an authorization in order for protected health information to
be used and disclosed.
National Security and Intelligence Activities
The NPRM included a provision, in Sec. 164.510(f)--Disclosure for
Law Enforcement Purposes--that would allow covered entities to disclose
protected health information without consent for the conduct of lawful
intelligence activities under the National Security Act, and in
connection with providing protective services to the President or to
foreign heads of state pursuant to 18 U.S.C. 3056 and 22 U.S.C.
2709(a)(3) respectively. The final rule preserves these exemptions,
with slight modifications, but moves them from proposed Sec. 164.510(f)
to Sec. 164.512(k). It also divides this area into two paragraphs--one
called ``National Security and Intelligence Activities'' and the second
called ``Protective services for the President and Others.''
The final rule, with modifications, allows a covered entity to
disclose protected health information to an authorized federal official
for the conduct of lawful intelligence, counter-intelligence, and other
national security activities authorized by the National Security Act
and implementing authority (e.g., Executive Order 1233). The references
to ``counter-intelligence and other national security activities'' are
new to the final rule. The reference to ``implementing authority (e.g.
Executive Order 12333)'' is also new. The final rule also adds
specificity to the provision on protective services. It states that a
covered entity may disclose protected health information to authorized
federal officials for the provision of protective services to the
President or other persons as authorized by 18 U.S.C. 3056, or to
foreign heads of state or other persons as authorized by 22 U.S.C.
2709(a)(3), or for the conduct of investigations authorized by 18
U.S.C. 871 and 879.
Application to the State Department
The final rule creates a narrower exemption for Department of State
for uses and disclosures of protected health information (1) for
purposes of a required security clearance conducted pursuant to
Executive Orders 10450 and 12698; (2) as necessary to meet the
requirements of determining worldwide availability or availability for
mandatory service abroad under Sections 101(a)(4) and 504 of the
Foreign Service Act; and (3) for a family member to accompany a Foreign
Service Officer abroad, consistent with Section 101(b)(5) and 904 of
the Foreign Service Act.
Regarding security clearances, nothing prevents any employer from
requiring that individuals provide authorization for the purpose of
obtaining a security clearance. For the Department of State, however,
the final rule provides a limited exemption that allows a component of
the Department of State without an authorization to (1) use protected
health information to make medical suitability determinations and (2)
to disclose whether or not the individual was determined to be
medically suitable to authorized officials in the Department of State
for the purpose of a security clearance investigation conducted
pursuant to Executive Order 10450 and 12698.
Sections 101(a)(4) and 504 of the Foreign Service Act require that
Foreign Service members be available to serve in assignments throughout
the world. The final rule permits disclosures to officials who need
protected health information to determine availability for duty
worldwide.
Section 101(b)(5) of the Foreign Service Act requires the
Department of State to mitigate the impact of hardships, disruptions,
and other unusual conditions on families of Foreign Service Officers.
Section 904 requires the Department to establish a health care program
to promote and maintain the physical and mental health of Foreign
Service member family members. The final rule permits disclosure of
protected health information to officials who need protected health
information for a family member to accompany a Foreign Service member
abroad.
This exemption does not permit the disclosure of specific medical
conditions, diagnoses, or other specific medical information. It
permits only the disclosure of the limited information needed to
determine whether the individual should be granted a security clearance
or whether the Foreign Service member of his or her family members
should be posted to a certain overseas assignment.
Application to Correctional Facilities
The NPRM would have excluded the individually identifiable health
information of correctional facility inmates and detention facility
detainees from the definition of protected health information. Thus,
none of the NPRM's
[[Page 82541]]
proposed privacy protections would have applied to correctional
facility inmates or to detention facility detainees while they were in
these facilities or after they had been released.
The final rule takes a different approach. First, to clarify that
we are referring to individuals who are incarcerated in correctional
facilities that are part of the criminal justice system or in the
lawful custody of a law enforcement official--and not to individuals
who are ``detained'' for non-criminal reasons, for example, in
psychiatric institutions--Sec. 164.512(k) covers disclosure of
protected health information to correctional institutions or law
enforcement officials having such lawful custody. In addition, where a
covered health care provider is also a health care component of a
correctional institution, the final rule permits the covered entity to
use protected health information in all cases in which it is permitted
to disclose such information.
We define correctional institution as defined pursuant to 42 U.S.C.
13725(b)(1), as a ``prison, jail, reformatory, work farm, detention
center, or halfway house, or any other similar institution designed for
the confinement or rehabilitation of criminal offenders.'' The rules
regarding disclosure and use of protected health information specified
in Sec. 164.512(k) cover individuals who are in transitional homes, and
other facilities in which they are required by law to remain for
correctional reasons and from which they are not allowed to leave. This
section also covers individuals who are confined to psychiatric
institutions for correctional reasons and who are not allowed to leave;
however, it does not apply to disclosure of information about
individuals in psychiatric institutions for treatment purposes only,
who are not there due to a crime or under a mandate from the criminal
justice system. The disclosure rules described in this section do not
cover release of protected health information about individuals in
pretrial release, probation, or on parole, such persons are not
considered to be incarcerated in a correctional facility.
As described in Sec. 164.512(k), correctional facility inmates'
individually identifiable health information is not excluded from the
definition of protected health information. When individuals are
released from correctional facilities, they will have the same privacy
rights that apply to all other individuals under this rule.
Section 164.512(k) of the final rule states that while individuals
are in a correctional facility or in the lawful custody of a law
enforcement official, covered entities (for example, the prison's
clinic) can use or disclose protected health information about these
individuals without authorization to the correctional facility or the
law enforcement official having custody as necessary for: (1) The
provision of health care to such individuals; (2) the health and safety
of such individual or other inmates; (3) the health and safety of the
officers of employees of or others at the correctional institution; and
(4) the health and safety of such individuals and officers or other
persons responsible for the transporting of inmates or their transfer
from one institution or facility to another; (5) law enforcement on the
premises of the correctional institution; and (6) the administration
and maintenance of the safety, security, and good order of the
correctional institution. This section is intended to allow, for
example, a prison's doctor to disclose to a van driver transporting a
criminal that the individual is a diabetic and frequently has seizures,
as well as information about the appropriate action to take if the
individual has a seizure while he or she is being transported.
We permit covered entities to disclose protected health information
about these individuals if the correctional institution or law
enforcement official represents that the protected health information
is necessary for these purposes. Under 164.514(h), a covered entity may
reasonably rely on the representation of such public officials.
Application to Public Benefits Programs Required to Share Eligibility
Information
We create a new provision for covered entities that are a
government program providing public benefits. This provision allows the
following disclosures of protected health information.
First, where other law requires or expressly authorizes information
relating to the eligibility for, or enrollment in more than one public
program to be shared among such public programs and/or maintained in a
single or combined data system, a public agency that is administering a
health plan may maintain such a data base and may disclose information
relating to such eligibility or enrollment in the health plan to the
extent authorized by such other law.
Where another public entity has determined that the appropriate
balance between the need for efficient administration of public
programs and public funds and individuals' privacy interests is to
allow information sharing for these limited purposes, we do not upset
that determination. For example, section 1137 of the Social Security
Act requires a variety of public programs, including the Social
Security program, state medicaid programs, the food stamp program,
certain unemployment compensation programs, and others, to participate
in a joint income and eligibility verification system. Similarly,
section 222 of the Social Security Act requires the Social Security
Administration to provide information to certain state vocational
rehabilitation programs for eligibility purposes. In some instances, it
is a covered entity that first collects or creates the information that
is then disclosed for these systems. We do not prohibit those
disclosures.
This does not authorize these entities to share information for
claims determinations or ongoing administration of these public
programs. This provision is limited to the agencies and activities
described above.
Second, Sec. 164.512(k)(6) permits a covered entity that is a
government agency administering a government program providing public
benefits to disclose protected health information relating to the
program to another covered entity that is a government agency
administering a government program providing public benefits if the
programs serve the same or similar populations and the disclosure of
protected health information is necessary to coordinate the covered
functions of such programs.
The second provision permits covered entities that are government
program providing public benefits that serve the same or similar
populations to share protected health information for the purposes of
coordinating covered functions of the programs and for general
management and administration relating to the covered functions of the
programs. Often, similar government health programs are administered by
different government agencies. For example, in some states, the
Medicaid program and the State Children's Health Insurance Program are
administered by different agencies, although they serve similar
populations. Many states coordinate eligibility for these two programs,
and sometimes offer services through the same delivery systems and
contracts. This provision would permit the covered entities
administering these programs to share protected health information of
program participants to coordinate enrollment and services and to
generally improve the health care operations of the programs. We note
that this provision does not authorize the
[[Page 82542]]
agencies to use or disclose the protected health information that is
shared for purposes other than as provided for in this paragraph.
Section 164.512(l)--Disclosures For Workers' Compensation
The NPRM did not contain special provisions permitting covered
entities to disclose protected health information for the purpose of
complying with workers' compensation and similar laws. Under HIPAA,
workers' compensation and certain other forms of insurance (such as
automobile or disability insurance) are ``excepted benefits.''
Insurance carriers that provide this coverage are not covered entities
even though they provide coverage for health care services. To carry
out their insurance functions, these non-covered insurers typically
seek individually identifiable health information from covered health
care providers and group health plans. In drafting the proposed rule,
the Secretary was faced with the challenge of trying to carry out the
statutory mandate of safeguarding the privacy of individually
identifiable health information by regulating the flow of such
information from covered entities while at the same time respecting the
Congressional intent to shield workers' compensation carriers and other
excepted benefit plans from regulation as covered entities.
In the proposed rule we allowed covered entities to disclose
protected health information without individual consent for purposes of
treatment, payment or health care operations--even when the disclosure
was to a non-covered entity such as a workers' compensation carrier. In
addition, we allowed protected health information to be disclosed if
required by state law for purposes of determining eligibility for
coverage or fitness for duty. The proposed rule also required that
whenever a covered entity disclosed protected health information to a
non-covered entity, even though authorized under the rule, the
individual who was the subject of the information must be informed that
the protected health information was no longer subject to privacy
protections.
Like other disclosures under the proposed rule, the information
provided to workers' compensation carriers for treatment, payment or
health care operations was subject to the minimum necessary standard.
However, to the extent that protected health information was disclosed
to the carrier because it was required by law, it was not subject to
the minimum necessary standard. In addition, individuals were entitled
to an accounting when protected health information was disclosed for
purposes other than treatment, payment or health care operations.
In the final rule, we include a new provision in this section that
clarifies the ability of covered entities to disclose protected health
information without authorization to comply with workers' compensation
and similar programs established by law that provide benefits for work-
related illnesses or injuries without regard to fault. Although most
disclosures for workers' compensation would be permissible under other
provisions of this rule, particularly the provisions that permit
disclosures for payment and as required by law, we are aware of the
significant variability among workers' compensation and similar laws,
and include this provision to ensure that existing workers'
compensation systems are not disrupted by this rule. We note that the
minimum necessary standard applies to disclosures under this paragraph.
Under this provision, a covered entity may disclose protected
health information regarding an individual to a party responsible for
payment of workers' compensation benefits to the individual, and to an
agency responsible for administering and/or adjudicating the
individual's claim for workers' compensation benefits. For purposes of
this paragraph, workers' compensation benefits include benefits under
programs such as the Black Lung Benefits Act, the federal Employees'
Compensation Act, the Longshore and Harbor Workers' Compensation Act,
and the Energy Employees' Occupational Illness Compensation Program
Act.
Additional Considerations
We have included a general authorization for disclosures under
workers' compensation systems to be consistent with the intent of
Congress, which defined workers' compensation carriers as excepted
benefits under HIPAA. We recognize that there are significant privacy
issues raised by how individually identifiable health information is
used and disclosed in workers' compensation systems, and believe that
states or the federal government should enact standards that address
those concerns.
Section 164.514--Other Procedural Requirements Relating To Uses and
Disclosures of Protected Health Information
Section 164.514(a)-(c)--De-identification
In Sec. 164.506(d) of the NPRM, we proposed that the privacy
standards would apply to ``individually identifiable health
information,'' and not to information that does not identify the
subject individual. The statute defines individually identifiable
health information as certain health information:
(i) Which identifies the individual, or
(ii) With respect to which there is a reasonable basis to believe
that the information can be used to identify the individual.
As we pointed out in the NPRM, difficulties arise because, even
after removing obvious identifiers (e.g., name, social security number,
address), there is always some probability or risk that any information
about an individual can be attributed to that individual.
The NPRM proposed two alternative methods for determining when
sufficient identifying information has been removed from a record to
render the information de-identified and thus not subject to the rule.
First, the NPRM proposed the establishment of a ``safe harbor'': if all
of a list of 19 specified items of information had been removed, and
the covered entity had no reason to believe that the remaining
information could be used to identify the subject of the information
(alone or in combination with other information), the covered entity
would have been presumed to have created de-identified information.
Second, the NPRM proposed an alternative method so that covered
entities with sufficient statistical experience and expertise could
remove or encrypt a combination of information different from the
enumerated list, using commonly accepted scientific and statistical
standards for disclosure avoidance. Such covered entities would have
been able to include information from the enumerated list of 19 items
if they (1) believed that the probability of re-identification was very
low, and (2) removed additional information if they had a reasonable
basis to believe that the resulting information could be used to re-
identify someone.
We proposed that covered entities and their business partners be
permitted to use protected health information to create de-identified
health information using either of these two methods. Covered entities
would have been permitted to further use and disclose such de-
identified information in any way, provided that they did not disclose
the key or other mechanism that would have enabled the information to
be re-identified, and provided that they reasonably believed that such
use or disclosure of de-identified information would not have resulted
in the use or
[[Page 82543]]
disclosure of protected health information.
A number of examples were provided of how valuable such de-
identified information would be for various purposes. We expressed the
hope that covered entities, their business partners, and others would
make greater use of de-identified health information than they do
today, when it is sufficient for the purpose, and that such practice
would reduce the burden and the confidentiality concerns that result
from the use of individually identifiable health information for some
of these purposes.
In Secs. 164.514(a)-(c) of this final rule, we make several
modifications to the provisions for de-identification. First, we
explicitly adopt the statutory standard as the basic regulatory
standard for whether health information is individually identifiable
health information under this rule. Information is not individually
identifiable under this rule if it does not identify the individual, or
if the covered entity has no reasonable basis to believe it can be used
to identify the individual. Second, in the implementation
specifications we reformulate the two ways in which a covered entity
can demonstrate that it has met the standard.
One way a covered entity may demonstrate that it has met the
standard is if a person with appropriate knowledge and experience
applying generally accepted statistical and scientific principles and
methods for rendering information not individually identifiable makes a
determination that the risk is very small that the information could be
used, either by itself or in combination with other available
information, by anticipated recipients to identify a subject of the
information. The covered entity must also document the analysis and
results that justify the determination. We provide guidance regarding
this standard in our responses to the comments we received on this
provision.
We also include an alternate, safe harbor, method by which covered
entities can demonstrate compliance with the standard. Under the safe
harbor, a covered entity is considered to have met the standard if it
has removed all of a list of enumerated identifiers, and if the covered
entity has no actual knowledge that the information could be used alone
or in combination to identify a subject of the information. We note
that in the NPRM, we had proposed that to meet the safe harbor, a
covered entity must have ``no reason to believe'' that the information
remained identifiable after the enumerated identifiers were removed. In
the final rule, we have changed the standard to one of actual knowledge
in order to provide greater certainty to covered entities using the
safe harbor approach.
In the safe harbor, we explicitly allow age and some geographic
location information to be included in the de-identified information,
but all dates directly related to the subject of the information must
be removed or limited to the year, and zip codes must be removed or
aggregated (in the form of most 3-digit zip codes) to include at least
20,000 people. Extreme ages of 90 and over must be aggregated to a
category of 90+ to avoid identification of very old individuals. Other
demographic information, such as gender, race, ethnicity, and marital
status are not included in the list of identifiers that must be
removed.
The intent of the safe harbor is to provide a means to produce some
de-identified information that could be used for many purposes with a
very small risk of privacy violation. The safe harbor is intended to
involve a minimum of burden and convey a maximum of certainty that the
rules have been met by interpreting the statutory ``reasonable basis to
believe that the information can be used to identify the individual''
to produce an easily followed, cook book approach.
Covered entities may use codes and similar means of marking records
so that they may be linked or later re-identified, if the code does not
contain information about the subject of the information (for example,
the code may not be a derivative of the individual's social security
number), and if the covered entity does not use or disclose the code
for any other purpose. The covered entity is also prohibited from
disclosing the mechanism for re-identification, such as tables,
algorithms, or other tools that could be used to link the code with the
subject of the information.
Language to clarify that covered entities may contract with
business associates to perform the de-identification has been added to
the section on business associates.
Section 164.514(d)--Minimum Necessary
The proposed rule required a covered entity to make all reasonable
efforts not to use or disclose more than the minimum amount of
protected health information necessary to accomplish the intended
purpose of the use or disclosure (proposed Sec. 164.506(b)).
The proposed minimum necessary standard did not apply to uses or
disclosures that were made by covered entities at the request of the
individual, either to allow the individual access to protected health
information about him or her or pursuant to an authorization initiated
by the individual. The requirement also did not apply to uses and
disclosures made: pursuant to the compliance and enforcement provisions
of the rule; as required by law and permitted by the regulation without
individual authorization; by a covered health care provider to a health
plan, when the information was requested for audit and related
purposes. Finally, the standard did not apply to the HIPAA
administrative simplification transactions.
The proposed implementation specifications would have required a
covered entity to have procedures to: (i) Identify appropriate persons
within the entity to determine what information should be used or
disclosed consistent with the minimum necessary standard; (ii) ensure
that those persons make the minimum necessary determinations, when
required; and (iii) within the limits of the entity's technological
capabilities, provide for the making of such determinations
individually. The proposal allowed a covered entity, when making
disclosures to public officials that were permitted without individual
authorization but not required by other law, to reasonably rely on the
representations of such officials that the information requested was
the minimum necessary for the stated purpose(s).
The preamble provided further guidance. The preamble explained that
covered entities could not have general policies of approving all
requests (or all requests of a particular type) without carefully
considering certain criteria (see ``Criteria,'' below) as well as other
information specific to the request. The minimum necessary
determination would have needed to be consistent with and directly
related to the purpose of the use or disclosure. Where there was
ambiguity regarding the information to be used or disclosed, the
preamble directed covered entities to interpret the ``minimum
necessary'' standard to ``require'' the covered entity to make some
effort to limit the amount of protected health information used/
disclosed.
The proposal would have required the minimum necessary
determination to take into consideration the ability of a covered
entity to delimit the amount of information used or disclosed. The
preamble noted that these determinations would have to be made under a
reasonableness standard: covered entities would be required to make
reasonable efforts and to incur reasonable expense to limit the use or
[[Page 82544]]
disclosure. The ``reasonableness'' of limiting particular uses or
disclosures was to be determined based on the following factors (which
were not included in the regulatory text):
a. The extent to which the use or disclosure would extend the
number of persons with access to the protected health information.
b. The likelihood that further uses or disclosures of the protected
health information could occur.
c. The amount of protected health information that would be used or
disclosed.
d. The importance of the use or disclosure.
e. The potential to achieve substantially the same purpose with de-
identified information. For disclosures, each covered entity would have
been required to have policies for determining when protected health
information must be stripped of identifiers.
f. The technology available to limit the amount of protected health
information used/disclosed.
g. The cost of limiting the use/disclosure.
h. Any other factors that the covered entity believed were relevant
to the determination.
The proposal shifted the ``minimum necessary'' burden off of
covered providers when they were being audited by a health plan. The
preamble explained that the duty would have been shifted to the payor
to request the minimum necessary information for the audit purpose,
although the regulatory text did not include such a requirement.
Outside of the audit context, the preamble stated that a health plan
would be required, when requesting a disclosure, to limit its requests
to the information required to achieve the purpose of the request; the
regulation text did not include this requirement.
The preamble stated that disclosure of an entire medical record, in
response to a request for something other than the entire medical
record, would presumptively violate the minimum necessary standard.
This final rule significantly modifies the proposed requirements
for implementing the minimum necessary standard. For all uses and many
disclosures and requests for disclosures from other covered entities,
we require covered entities to implement policies and procedures for
``minimum necessary'' uses and disclosures. Implementation of such
policies and procedures is required in lieu of making the ``minimum
necessary'' determination for each separate use or disclosure as
discussed in the proposal. Disclosures to or requests by a health care
provider for treatment purposes are not subject to the standard (see
Sec. 164.502).
Specifically (and as further described below), the proposed
requirement for individual review of all uses of protected health
information is replaced with a requirement for covered entities to
implement policies and procedures that restrict access and uses based
on the specific roles of members of the covered entity's workforce.
Routine disclosures also are not subject to individual review; instead,
covered entities must implement policies and procedures to limit the
protected health information in routine disclosures to the minimum
necessary to achieve the purpose of that type of disclosure. The
proposed exclusion of disclosures to health plans for audit purposes is
deleted and replaced with a general requirement that covered entities
must limit requests to other covered entities for individually
identifiable health information to what is reasonably necessary for the
use or disclosure intended. The other exclusions from the standard are
unchanged from the proposed rule (e.g., for individuals' access to
information about themselves, pursuant to an authorization initiated by
the individual, for enforcement of this rule, as required by law).
The language of the basic ``standard'' itself is largely unchanged;
covered entities must make reasonable efforts to use or disclose or to
request from another covered entity, only the minimum amount of
protected health information required to achieve the purpose of a
particular use or disclosure. We delete the word ``all'' from the
``reasonable efforts'' that covered entities must take in making a
``minimum necessary'' determination. The implementation specifications
are significantly modified, and differ based on whether the activity is
a use or disclosure.
Similarly, a ``minimum necessary'' disclosure for oversight
purposes in accordance with Sec. 164.512(d) could include large numbers
of records to allow oversight agencies to perform statistical analyses
to identify deviations in payment or billing patterns, and other data
analyses.
Uses of Protected Health Information
A covered entity must implement policies and procedures to identify
the persons or classes of persons in the entity's workforce who need
access to protected health information to carry out their duties, the
category or categories of protected health information to which such
persons or classes need access, and the conditions, as appropriate,
that would apply to such access. Covered entities must also implement
policies and procedures to limit access to only the identified persons,
and only to the identified protected health information. The policies
and procedures must be based on reasonable determinations regarding the
persons or classes of persons who require protected health information,
and the nature of the health information they require, consistent with
their job responsibilities.
For example, a hospital could implement a policy that permitted
nurses access to all protected health information of patients in their
ward while they are on duty. A health plan could permit its
underwriting analysts unrestricted access to aggregate claims
information for rate setting purposes, but require documented approval
from its department manager to obtain specific identifiable claims
records of a member for the purpose of determining the cause of
unexpected claims that could influence renewal premium rate setting.
The ``minimum necessary'' standard is intended to reflect and be
consistent with, not override, professional judgment and standards. For
example, we expect that covered entities will implement policies that
allow persons involved in treatment to have access to the entire
record, as needed.
Disclosures of Protected Health Information
For any type of disclosure that is made on a routine, recurring
basis, a covered entity must implement policies and procedures (which
may be standard protocols) that permit only the disclosure of the
minimum protected health information reasonably necessary to achieve
the purpose of the disclosure. Individual review of each disclosure is
not required. Instead, under Sec. 164.514(d)(3), these policies and
procedures must identify the types of protected health information to
be disclosed, the types of persons who would receive the protected
health information, and the conditions that would apply for such
access. We recognize that specific disclosures within a type may vary,
and require that the policies address what is the norm for the type of
disclosure involved. For example, a covered entity may decide to
participate in research studies and therefore establish a protocol to
minimize the information released for such purposes, e.g., by requiring
researchers requesting disclosure of data contained in paper-based
records to review the paper records on-site and to
[[Page 82545]]
abstract only the information relevant to the research. Covered
entities must develop policies and procedures (which may be standard
protocols) to apply to disclosures to routinely hired types of business
associates. For instance, a standard protocol could describe the subset
of information that may be disclosed to medical transcription services.
For non-routine disclosures, a covered entity must develop
reasonable criteria for determining, and limiting disclosure to, only
the minimum amount of protected health information necessary to
accomplish the purpose of the disclosure. They also must establish and
implement procedures for reviewing such requests for disclosures on an
individual basis in accordance with these criteria.
Disclosures to health care providers for treatment purposes are not
subject to these requirements.
Covered entities' policies and procedures must provide that
disclosure of an entire medical record will not be made except pursuant
to policies which specifically justify why the entire medical record is
needed. For instance, disclosure of all protected health information to
an accreditation group would not necessarily violate the regulation,
because the entire record may be the ``minimum necessary'' for its
purpose; covered entities may establish policies allowing for and
justifying such a disclosure. Disclosure of the entire medical record
absent such documented justification is a presumptive violation of this
rule.
Requests for Protected Health Information
For requests for protected health information from other covered
entities made on a routine, recurring basis, the requesting covered
entities' policies and procedures may establish standard protocols
describing what information is reasonably necessary for the purposes
and limiting their requests to only that information, in lieu of making
this determination individually for each request. For all other
requests, the policies and procedures must provide for review of the
requests on an individualized basis. A request by a covered entity may
be made in order to obtain information that will subsequently be
disclosed to a third party, for example, to obtain information that
will then be disclosed to a business associate for quality assessment
purposes; such requests are subject to this requirement.
Covered entities' policies and procedures must provide that
requests for an entire medical record will not be made except pursuant
to policies which specifically justify why the entire medical record is
needed. For instance, a health plan's request for all protected health
information from an applicant for insurance would not necessarily
violate the regulation, because the entire record may be the ``minimum
necessary'' for its purpose. Covered entities may establish policies
allowing for and justifying such a request. A request for the entire
medical record absent such documented justification is a presumptive
violation of this rule.
Reasonable Reliance
A covered entity may reasonably rely on the assertion of a
requesting covered entity that it is requesting the minimum protected
health information necessary for the stated purpose. A covered entity
may also rely on the assertions of a professional (such as attorneys
and accountants) who is a member of its workforce or its business
associate regarding what protected health information he or she needs
in order to provide professional services to the covered entity when
such person represents that the information requested is the minimum
necessary. As we proposed in the NPRM, covered entities making
disclosures to public officials that are permitted under Sec. 164.512
may rely on the representation of a public official that the
information requested is the minimum necessary.
Uses and Disclosures for Research
In making a minimum necessary determination regarding the use or
disclosure of protected health information for research purposes, a
covered entity may reasonably rely on documentation from an IRB or
privacy board describing the protected health information needed for
research and consistent with the requirements of Sec. 164.512(i),
``Uses and Disclosures for Research Purposes.'' A covered entity may
also reasonably rely on a representation made by the requestor that the
information is necessary to prepare a research protocol or for research
on decedents. The covered entity must ensure that the representation or
documentation of IRB or privacy board approval it obtains from a
researcher describes with sufficient specificity the protected health
information necessary for the research. Covered entities must use or
disclose such protected health information in a manner that minimizes
the scope of the use or disclosure.
Standards for Electronic Transactions
We clarify that under Sec. 164.502(b)(2)(v), covered entities are
not required to apply the minimum necessary standard to the required or
situational data elements specified in the implementation guides for
HIPAA administrative simplification standard transactions in the
Transactions Rule. The standard does apply for uses or disclosures in
standard transactions that are made at the option of the covered
entity.
Section 164.514(e)--Marketing
In the proposed rule, we would have required covered entities to
obtain the individual's authorization in order to use or disclose
protected health information to market health and non-health items and
services.
We have made a number of changes in the final rule that relate to
marketing. In the final rule, we retain the general rule that covered
entities must obtain the individual's authorization before making uses
or disclosures of protected health information for marketing. However,
we add a new definition of ``marketing'' that clarifies that certain
activities, such as communications made by a covered entity for the
purpose of describing the products and services it provides, are not
marketing. See Sec. 164.501 and the associated preamble regarding the
definition of marketing. In the final rule we also permit covered
entities to use and disclose protected health information for certain
marketing activities without individual authorization, subject to
conditions enumerated at Sec. 164.514(e).
First, Sec. 164.514(e) permits a covered entity to use or disclose
protected health information without individual authorization to make a
marketing communication if the communication occurs in a face-to-face
encounter with the individual. This provision would permit a covered
entity to discuss any services and products, including those of a
third-party, without restriction during a face-to-face communication. A
covered entity also could give the individual sample products or other
information in this setting.
Second, we permit a covered entity to use or disclose protected
health information without individual authorization to make marketing
communications involving products or services of only nominal value.
This provision ensures that covered entities do not violate the rule
when they distribute calendars, pens and other merchandise that
generally promotes the covered entity.
Third, we permit a covered entity to use or disclose protected
health information without individual authorization to make marketing
communications about the health-
[[Page 82546]]
related products or services of the covered entity or of a third party
if the communication: (1) Identifies the covered entity as the party
making the communication; (2) to the extent that the covered entity
receives direct or indirect remuneration from a third-party for making
the communication, prominently states that fact; (3) except in the case
of a general communication (such as a newsletter), contains
instructions describing how the individual may opt-out of receiving
future communications about health-related products and services; and
(4) where protected health information is used to target the
communication about a product or service to individuals based on their
health status or health condition, explains why the individual has been
targeted and how the product or service relates to the health of the
individual. The final rule also requires a covered entity to make a
determination, prior to using or disclosing protected health
information to target a communication to individuals based on their
health status or condition, that the product or service may be
beneficial to the health of the type or class of individual targeted to
receive the communication.
This third provision accommodates the needs of health care entities
to be able to discuss their own health-related products and services,
or those of third parties, as part of their everyday business and as
part of promoting the health of their patients and enrollees. The
provision is restricted to uses by covered entities or disclosures to
their business associates pursuant to a contract that requires
confidentiality, ensuring that protected health information is not
distributed to third parties. To provide individuals with a better
understanding of how their protected health information is being used
for marketing, the provision requires that the communication identify
that the covered entity is the source of the communication; a covered
entity may not send out information about the product of a third party
without disclosing to the individual where the communication
originated. We also require covered entities to disclose any direct or
indirect remuneration from third parties. This requirement permits
individuals to better understand why they are receiving a
communication, and to weigh the extent to which their information is
being used to promote their health or to enrich the covered entity.
Covered entities also are required to include in their communication
(unless it is a general newsletter or similar device) how the
individual may prevent further communications about health-related
products and services. This provision enhances individuals' control
over how their information is being used. Finally, where a covered
entity targets communications to individuals on the basis of their
health status or condition, we require that the entity make a
determination that the product or service being communicated may be
beneficial to the health of the type of individuals targeted, and that
the communication to the targeted individuals explain why they have
been targeted and how the product or service relates to their health.
This final provision balances the advantages that accrue from health
care entities informing their patients and enrollees of new or valuable
health products with individuals' expectations that their protected
health information will be used to promote their health.
Section 164.514(f)--Fundraising
We proposed in the NPRM to require covered entities to obtain
authorization from an individual in order to use the individual's
protected health information for fundraising activities.
As noted in Sec. 164.501, in the final rule we define fundraising
on behalf of a covered entity to be a health care operation. In
Sec. 164.514, we permit a covered entity to use protected health
information without individual authorization for fundraising on behalf
of itself, provided that it limits the information that it uses to
demographic information about the individual and the dates that it has
provided service to the individual (see the Sec. 164.501 discussion of
``health care operations''). In addition, we require fundraising
materials to explain how the individual may opt out of any further
fundraising communications, and covered entities are required to honor
such requests. We permit a covered entity to disclose the limited
protected health information to a business associate for fundraising on
its own behalf. We also permit a covered entity to disclose the
information to an institutionally related foundation.
By ``institutionally related foundation,'' we mean a foundation
that qualifies as a nonprofit charitable foundation under section
501(c)(3) of the Internal Revenue Code and that has in its charter
statement of charitable purposes an explicit linkage to the covered
entity. An institutionally related foundation may, as explicitly stated
in its charter, support the covered entity as well as other covered
entities or health care providers in its community. For example, a
covered hospital may disclose for fundraising on its own behalf the
specified protected health information to a nonprofit foundation
established for the specific purpose of raising funds for the hospital
or to a foundation that has as its mission the support of the members
of a particular hospital chain that includes the covered hospital. The
term does not include an organization with a general charitable
purpose, such as to support research about or to provide treatment for
certain diseases, that may give money to a covered entity, because its
charitable purpose is not specific to the covered entity.
Section 164.514(g)--Underwriting
As described under the definition of ``health care operations''
(Sec. 164.501), protected health information may be used or disclosed
for underwriting and other activities relating to the creation,
renewal, or replacement of a contract of health insurance or health
benefits. This final rule includes a requirement, not included in the
NPRM, that health plans receiving such information for these purposes
may not use or disclose it for any other purpose, except as may be
required by law, if the insurance or benefits contract is not placed
with the health plan.
Section 164.514(h)--Verification of Identity and Authority of Persons
Requesting Protected Health Information
Disclosure of Protected Health Information
We reorganize the provision regarding verification of identity of
individuals requesting protected health information to improve clarity,
but we retain the substance of requirements proposed in the NPRM in
Sec. 164.518(c), as follows.
The covered entity must establish and use written policies and
procedures (which may be standard protocols) that are reasonably
designed to verify the identity and authority of the requestor where
the covered entity does not know the person requesting the protected
health information. The knowledge of the person may take the form of a
known place of business, address, phone or fax number, as well a known
human being. Where documentation, statements or representations,
whether oral or written, from the person requesting the protected
health information is a condition of disclosure under this rule or
other law, this verification must involve obtaining such documentation
statement, or representation. In such a case, additional verification
is only required where this regulation (or other law)
[[Page 82547]]
requires additional proof of authority and identity.
The NPRM proposed that covered entities would be permitted to rely
on the required documentation of IRB or privacy board approval to
constitute sufficient verification that the person making the request
was a researcher and that the research is authorized. The final rule
retains this provision.
For most disclosures, verifying the authority for the request means
taking reasonable steps to verify that the request is lawful under this
regulation. Additional proof is required by other provisions of this
regulation where the request is made pursuant to Sec. 164.512 for
national priority purposes. Where the person requesting the protected
health information is a public official, covered entities must verify
the identity of the requester by examination of reasonable evidence,
such as a written statement of identity on agency letterhead, an
identification badge, or similar proof of official status. Similarly,
covered entities are required to verify the legal authority supporting
the request by examination of reasonable evidence, such as a written
request provided on agency letterhead that describes the legal
authority for requesting the release. Where Sec. 164.512 explicitly
requires written evidence of legal process or other authority before a
disclosure may be made, a public official's proof of identity and the
official's oral statement that the request is authorized by law are not
sufficient to constitute the required reasonable evidence of legal
authority; under these provisions, only the required written evidence
will suffice.
In some circumstances, a person or entity acting on behalf of a
government agency may make a request for disclosure of protected health
information under these subsections. For example, public health
agencies may contract with a nonprofit agency to collect and analyze
certain data. In such cases, the covered entity is required to verify
the requestor's identity and authority through examination of
reasonable documentation that the requestor is acting on behalf of the
government agency. Reasonable evidence includes a written request
provided on agency letterhead that describes the legal authority for
requesting the release and states that the person or entity is acting
under the agency's authority, or other documentation, including a
contract, a memorandum of understanding, or purchase order that
confirms that the requestor is acting on behalf of the government
agency.
In some circumstances, identity or authority will be verified as
part of meeting the underlying requirements for disclosure. For
example, a disclosure under Sec. 164.512(j)(1)(i) to avert an imminent
threat to safety is lawful only if made in the good faith belief that
the disclosure is necessary to prevent or lessen a serious and imminent
threat to the health or safety of a person or the public, and to a
person reasonably able to prevent or lessen the threat. If these
conditions are met, no further verification is needed. In such
emergencies, the covered entity is not required to demand written proof
that the person requesting the protected health information is legally
authorized. Reasonable reliance on verbal representations are
appropriate in such situations.
Similarly, disclosures permitted under Sec. 164.510(a) for facility
directories may be made to the general public; the covered entity's
policies and procedures do not need to address verifying the identity
and authority for these disclosures. In Sec. 164.510(b) we do not
require verification of identity for persons assisting in an
individual's care or for notification purposes. For disclosures when
the individual is not present, such as when a friend is picking up a
prescription, we allow the covered entity to use professional judgment
and experience with common practice to make reasonable inferences.
Under Sec. 164.524, a covered entity is required to give
individuals access to protected health information about them (under
most circumstances). Under the general verification requirements of
Sec. 164.514(h), the covered entity is required to take reasonable
steps to verify the identity of the individual making the request. We
do not mandate particular identification requirements (e.g., drivers
licence, photo ID), but rather leave this to the discretion of the
covered entity. The covered entity must also establish and document
procedures for verification of identity and authority of personal
representatives, if not known to the entity. For example, a health care
provider can require a copy of a power of attorney, or can ask
questions to determine that an adult acting for a young child has the
requisite relationship to the child.
In Subpart C of Part 160, we require disclosure to the Secretary
for purposes of enforcing this regulation. When a covered entity is
asked by the Secretary to disclose protected health information for
compliance purposes, the covered entity must verify the same
information that it is required to verify for any other law enforcement
or oversight request for disclosure.
Use of Protected Health Information
The proposed rule's verification requirements applied to any person
requesting protected health information, whether for a use or a
disclosure. In the final regulation, the verification provisions apply
only to disclosures of protected health information. The requirements
in Sec. 164.514(d), for implementation of policies and procedures for
``minimum necessary'' uses of protected health information, are
sufficient to ensure that only appropriate persons within a covered
entity will have access to protected health information.
Section 164.520--Notice of Privacy Practices for Protected Health
Information
Section 164.520(a)--Right to Notice
We proposed to establish a right for individuals to receive
adequate notice of how covered health care providers and health plans
use and disclose protected health information, and of the individual's
rights with respect to that information.
In the final regulation, we retain the general right for
individuals to receive and the requirement for covered entities to
produce a notice of privacy practices, with significant modifications
to the content and distribution requirements.
We also modify the requirements with respect to certain covered
entities. First, in Sec. 164.500(b)(2), we clarify that a health care
clearinghouse that creates or receives protected health information
other than as a business associate of a covered entity must produce a
notice. If a health care clearinghouse creates or receives protected
health information only as a business associate of other covered
entities, it is not required to produce a notice.
Second, in Sec. 164.520(a)(2), we clarify the notice requirements
with respect to group health plans. Individuals who receive health
benefits under a group health plan other than through insurance are
entitled to a notice from the group health plan; self-insured group
health plans must maintain a notice that meets the requirements of this
section and must provide the notice in accordance with the requirements
of Sec. 164.520(c). At a minimum, the self-insured group health plan's
notice must describe the group health plan's privacy practices with
respect to the protected health information it creates or receives
through its self-insured arrangements. For example, if a group health
plan maintains both fully-insured and self-insured arrangements, the
group health plan must, at a minimum, maintain and provide a notice
that describes its
[[Page 82548]]
privacy practices with respect to protected health information it
creates or receives through the self-insured arrangements. This notice
would be distributed to all participants in the self-insured
arrangements (in accordance with Sec. 164.520(c)(1)) and would also be
available on request to other persons, including participants in the
fully-insured arrangements.
Individuals who receive health benefits under a group health plan
through an insurance contract (i.e., a fully-insured group health plan)
are entitled to a notice from the issuer or HMO through which they
receive their health benefits. The health insurance issuer or HMO must
maintain and provide the notice in accordance with Sec. 164.520(c)(1).
In addition, some fully-insured group health plans are required to
maintain and provide a notice of the group health plan's privacy
practices. If a group health plan provides health benefits solely
through an insurance contract with a health insurance issuer or HMO,
and the group health plan creates or receives protected health
information in addition to summary information (as defined in
Sec. 164.504(a)) and information about individuals' enrollment in or
disenrollment from a health insurance issuer or HMO offered by the
group health plan, the group health plan must maintain a notice that
meets the requirements of this section and must provide the notice upon
request of any person. The group health plan is not required to meet
the other distribution requirements of Sec. 164.520(c)(1). Individuals
enrolled in such group health plans have the right to notice of the
health insurance issuer or HMO's privacy practices and, on request, to
notice of the group health plan's privacy practices. If the group
health plan, however, provides health benefits solely through an
insurance contract with a health insurance issuer or HMO, and the only
protected health information the group health plan creates or receives
is summary information (as defined in Sec. 164.504(a)) and information
about individuals' enrollment in or disenrollment from a health
insurance issuer or HMO offered by the group health plan, the group
health plan is not required to maintain or provide a notice under this
section. In this case, the individuals enrolled in the group health
plan would receive notice of the health insurance issuer or HMO's
privacy practices, but would not be entitled to notice of the group
health plan's privacy practices.
Third, in Sec. 164.520(a)(3), we clarify that inmates do not have a
right to notice under this section and a correctional institution that
is a covered entity is not required to produce a notice. No person,
including a current or former inmate, has the right to notice of such a
covered entity's privacy practices.
Section 164.520(b)--Content of Notice
We proposed to require the notice to be written in plain language
and contain each of the following elements: a description of the uses
and disclosures expected to be made without individual authorization;
statements that other uses and disclosures would be made only with the
individual's authorization and that the individual could revoke such
authorization; descriptions of the rights to request restrictions,
inspect and copy protected health information, amend or correct
protected health information, and receive an accounting of disclosures
of protected health information; statements about the entity's legal
requirements to protect privacy, provide notice, and adhere to the
notice; a statement about how individuals would be informed of changes
to the entity's policies and procedures; instructions on how to make
complaints with the entity or Secretary; the name and telephone number
of a contact person or office; and the date the notice was produced. We
provided a model notice of information policies and procedures for
covered health care providers.
In Sec. 164.520(b), and immediately below in this preamble, we
describe the notice content requirements for the final rule. As
described in detail, below, we make substantial changes to the uses and
disclosures of protected health information that must be described in
the notice. Unlike the proposed rule, we do not include a model notice.
We intend to develop further guidance on notice requirements prior to
the compliance date of this rule. In this section of the final rule, we
also refer to the covered entity's privacy ``practices,'' rather than
its ``policies and procedures.'' The purpose of this change in
vocabulary is to clarify that a covered entity's ``policies and
procedures'' is a detailed documentation of all of the entity's privacy
practices as required under this rule, not just those described in the
notice. For example, we require covered entities to have policies and
procedures implementing the requirements for ``minimum necessary'' uses
and disclosures of protected health information, but these policies and
procedures need not be reflected in the entity's notice. Similarly, we
require covered entities to have policies and procedures for assuring
individuals access to protected health information about them. While
such policies and procedures will need to include documentation of the
designated record sets subject to access, who is authorized to
determine when information will be withheld from an individual, and
similar details, the notice need only explain generally that
individuals have the right to inspect and copy information about them,
and tell individuals how to exercise that right.
A covered entity that adopts and follows the notice content and
distribution requirements described below will have provided adequate
notice. However, the requirements for the content of the notice are not
intended to be exclusive. As with the rest of the rule, we specify
minimum requirements, not best practices. Covered entities may want to
include more detail. We note that all federal agencies must still
comply with the Privacy Act of 1974. This means that federal agencies
that are covered entities or have covered health care components must
comply with the notice requirements of the Privacy Act as well as those
included in this rule.
In addition, covered entities may want or be required to produce
more than one notice in order to satisfy the notice content
requirements under this rule. For example, a covered entity that
conducts business in multiple states with different laws regarding the
uses and disclosures that the covered entity is permitted to make
without authorization may be required to produce a different notice for
each state. A covered entity that conducts business both as part of an
organized health care arrangement or affiliated covered entity and as
an independent enterprise (e.g., a physician who sees patients through
an on-call arrangement with a hospital and through an independent
private practice) may want to adopt different privacy practices with
respect to each line of business; such a covered entity would be
required to produce a different notice describing the practices for
each line of business. Covered entities must produce notices that
accurately describe the privacy practices that are relevant to the
individuals receiving the notice.
Required Elements
Plain Language
As in the proposed rule, we require the notice to be written in
plain language. A covered entity can satisfy the plain language
requirement if it makes a reasonable effort to: organize material to
serve the needs of the reader; write short sentences in the active
voice, using ``you'' and other pronouns; use common, everyday words in
sentences; and divide material into short sections.
[[Page 82549]]
We do not require particular formatting specifications, such as
easy-to-read design features (e.g., lists, tables, graphics,
contrasting colors, and white space), type face, and font size.
However, the purpose of the notice is to inform the recipients about
their rights and how protected health information collected about them
may be used or disclosed. Recipients who cannot understand the covered
entity's notice will miss important information about their rights
under this rule and about how the covered entity is protecting health
information about them. One of the goals of this rule is to create an
environment of open communication and transparency with respect to the
use and disclosure of protected health information. A lack of clarity
in the notice could undermine this goal and create misunderstandings.
Covered entities have an incentive to make their notice statements
clear and concise. We believe that the more understandable the notice
is, the more confidence the public will have in the covered entity's
commitment to protecting the privacy of health information.
It is important that the content of the notice be communicated to
all recipients and therefore we encourage the covered entity to
consider alternative means of communicating with certain populations.
We note that any covered entity that is a recipient of federal
financial assistance is generally obligated under Title VI of the Civil
Rights Act of 1964 to provide material ordinarily distributed to the
public in the primary languages of persons with limited English
proficiency in the recipients' service areas. Specifically, this Title
VI obligation provides that, where a significant number or proportion
of the population eligible to be served or likely to be directly
affected by a federally assisted program needs service or information
in a language other than English in order to be effectively informed of
or participate in the program, the recipient shall take reasonable
steps, considering the scope of the program and the size and
concentration of such population, to provide information in languages
appropriate to such persons. For covered entities not subject to Title
VI, the Title VI standards provide helpful guidance for effectively
communicating the content of their notices to non-English speaking
populations.
We also encourage covered entities to be attentive to the needs of
individuals who cannot read. For example, an employee of the covered
entity could read the notice to individuals upon request or the notice
could be incorporated into a video presentation that is played in the
waiting area.
Header
Unlike the proposed rule, covered entities must include prominent
and specific language in the notice that indicates the importance of
the notice. This is the only specific language we require covered
entities to include in the notice. The header must read, ``THIS NOTICE
DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED
AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT
CAREFULLY.''
Uses and Disclosures
We proposed to require covered entities to describe in plain
language the uses and disclosures of protected health information, and
the covered entity's policies and procedures with respect to such uses
and disclosures, that the health plan or covered provider expected to
make without individual authorization. The covered provider or health
plan would have had to distinguish between those uses and disclosures
required by law and those permitted but not required by law.
We also proposed to require covered health care providers and
health plans to state in the notice that all other uses and disclosures
would be made only with the individual's authorization and that such
authorization could be revoked. The notice would also have been
required to state that the individual could request restrictions on
certain uses and disclosures and that the covered entity would not be
required to agree to such a request.
We significantly modify these requirements in the final rule.
Covered entities must describe all uses and disclosures of protected
health information that they are permitted or required to make under
this rule without authorization, including those uses and disclosures
subject to the consent requirements under Sec. 164.506. If other
applicable law prohibits or materially limits the covered entity's
ability to make any uses or disclosures that would otherwise be
permitted under the rule, the covered entity must describe only the
uses and disclosures permitted under the more stringent law.
Covered entities must separately describe each purpose for which
they are permitted to use or disclose protected health information
under this rule without authorization, and must do so in sufficient
detail to place the individual on notice of those uses and disclosures.
With respect to uses and disclosures to carry out treatment, payment,
and health care operations, the description must include at least one
example of the types of uses and disclosures that the covered entity is
permitted to make. This requirement is intended to inform individuals
of all the uses and disclosures that the covered entity is legally
required or permitted to make under applicable law, even if the covered
entity does not anticipate actually making such uses and disclosures.
We do not require covered entities to distinguish in their notices
between those uses and disclosures required by law and those permitted
but not required by law.
Unlike the proposed rule, we additionally require covered entities
that wish to contact individuals for any of the following activities to
list these activities in the notice: providing appointment reminders,
describing or recommending treatment alternatives, providing
information about health-related benefits and services that may be of
interest to the individual, or soliciting funds to benefit the covered
entity. If the covered entity does not include these statements in its
notice, it is prohibited from using or disclosing protected health
information for these activities without authorization. See
Sec. 164.502(i).
In addition, if a group health plan, or a health insurance issuer
or HMO with respect to a group health plan, wants the option to
disclose protected health information to a group health plan sponsor
without authorization as permitted under Sec. 164.504(f), the group
health plan, health insurance issuer or HMO must describe that practice
in its notice.
As in the proposed rule, the notice must state that all other uses
and disclosures will be made only with the individual's authorization
and that the individual has the right to revoke such authorization.
We anticipate this requirement will lead to significant
standardization of the notice. This language could be the same for
every covered entity of a particular type within a state, territory, or
other locale. We encourage states, state professional associations, and
other organizations to develop model language to assist covered
entities in preparing their notices.
Individual Rights
As in the proposed rule, covered entities must describe
individuals' rights under the rule and how individuals may exercise
those rights with respect to the covered entity. Covered entities must
describe each of the following rights, as provided under the rule: the
right to request restrictions
[[Page 82550]]
on certain uses and disclosures, including a statement that the covered
entity is not required to agree to a requested restriction
(Sec. 164.522(a)); the right to receive confidential communications of
protected health information (Sec. 164.522(b)); the right to inspect
and copy protected health information (Sec. 164.524); the right to
amend protected health information (Sec. 164.526); and the right to an
accounting of disclosures of protected health information
(Sec. 164.528). We additionally require the notice to describe the
right of an individual, including an individual that has agreed to
receive the notice electronically, to obtain a paper copy of the notice
upon request.
Covered Entity's Duties
As in the proposed rule, covered entities must state in the notice
that they are required by law to maintain the privacy of protected
health information, to provide a notice of their legal duties and
privacy practices, and to abide by the terms of the notice currently in
effect. In the final rule, we additionally require the covered entity,
if it wishes to reserve the right to change its privacy practices and
apply the revised practices to protected health information previously
created or received, to make a statement to that effect and describe
how it will provide individuals with a revised notice. (See below for a
more detailed discussion of a covered entity's responsibilities when it
changes its privacy practices.)
Complaints
As in the proposed rule, a covered entity's notice must inform
individuals about how they can lodge complaints with the covered entity
if they believe their privacy rights have been violated. See
Sec. 164.530(d) and the corresponding preamble discussion for the
requirements on covered entities for receiving complaints. The notice
must also state that individuals may file complaints with the
Secretary. In the final rule, we additionally require the notice to
include a statement that the individual will not suffer retaliation for
filing a complaint.
Contact
As in the proposed rule, the notice must identify a point of
contact where the individual can obtain additional information about
any of the matters identified in the notice.
Effective Date
The notice must include the date the notice went into effect,
rather than the proposed requirement to include the date the notice was
produced. The effective date cannot be earlier than the date on which
the notice was first printed or otherwise published. Covered entities
may wish to highlight or otherwise emphasize any material modifications
that it has made, in order to help the individual recognize such
changes.
Optional Elements
As described above, we proposed to require covered entities to
describe the uses and disclosures of protected health information that
the covered entity in fact expected to make without the individual's
authorization. We did not specify any optional elements.
While the final rule requires covered entities to describe all of
the types of uses and disclosures permitted or required by law (not
just those that the covered entity intends to make), we also permit and
encourage covered entities to include optional elements that describe
the actual, more limited, uses and disclosures they intend to make
without authorization. We anticipate that some covered entities will
want to distinguish themselves on the basis of their more stringent
privacy practices. For example, covered health care providers who
routinely treat patients with particularly sensitive conditions may
wish to assure their patients that, even though the law permits them to
disclose information for a wide array of purposes, the covered health
care provider will only disclose information in very specific
circumstances, as required by law, and to avert a serious and imminent
threat to health or safety. A covered entity may not include statements
in the notice that purport to limit the entity's ability to make uses
or disclosures that are required by law or necessary to avert a serious
and imminent threat to health or safety.
As described above, if the covered entity wishes to reserve the
right to change its privacy practices with respect to the more limited
uses and disclosures and apply the revised practices to protected
health information previously created or received, it must make a
statement to that effect and describe how it will provide individuals
with a revised notice. (See below for a more detailed discussion of a
covered entity's responsibilities when it changes its privacy
practices.)
Revisions to the Notice
We proposed to require a covered entity to adhere to the terms of
its notice, and would have permitted it to change its information
policies and procedures at any time. We would have required covered
health care providers and health plans to update the notice to reflect
material changes to the information policies and procedures described
in the notice. Changes to the notice would have applied to all
protected health information held by the covered entity, including
information collected under prior notices. That is, we would not have
require covered entities to segregate their records according to the
notice in effect at the time the record was created. We proposed to
prohibit covered entities from implementing a change to an information
policy or procedure described in the notice until the notice was
updated to reflect the change, unless a compelling reason existed to
make a use or disclosure or take other action that the notice would not
have permitted. In these situations, we proposed to require covered
entities to document the compelling reason and, within 30 days of the
use, disclosure, or other action, change its notice to permit the
action.
As in the proposed rule, covered entities are required to adhere to
the terms of the notice currently in effect. See Sec. 164.502(i). When
a covered entity materially changes any of the uses or disclosures, the
individual's rights, the covered entity's legal duties, or other
privacy practices described in its notice, it must promptly revise its
notice accordingly. See Sec. 164.520(b)(3). (Pursuant to
Sec. 164.530(i), it must also revise its policies and procedures.)
Except when required by law, a material change to any term in the
notice may not be implemented prior to the effective date of the notice
in which such material change is reflected. In the final rule, however,
we revise the circumstances under and extent to which the covered
entity may revise the practices stated in the notice and apply the new
practices to protected health information it created or received under
prior notice.
Under Sec. 164.530(i), a covered entity that wishes to change its
practices over time without segregating its records according to the
notice in effect at the time the records were created must reserve the
right to do so in its notice. For example, a covered hospital that
states in its notice that it will only make public health disclosures
required by law, and that does not reserve the right to change this
practice, is prohibited from making any discretionary public health
disclosures of protected health information created or received during
the effective period of that notice. If the covered hospital wishes at
some point in the future to make discretionary disclosures for public
health purposes, it must revise its notice to so state, and
[[Page 82551]]
must segregate its records so that protected health information created
or received under the prior notice is not disclosed for discretionary
public health purposes. This hospital may then make discretionary
public health disclosures of protected health information created or
received after the effective date of the revised notice.
If a second covered hospital states in its notice that it will only
make public health disclosures required by law, but does reserve the
right to change its practices, it is prohibited from making any
discretionary public health disclosures of protected health information
created or received during the effective period of that notice. If this
hospital wishes at some point in the future to make discretionary
disclosures for public health purposes, it must revise its notice to so
state, but need not segregate its records. As of the effective date of
the revised notice, it may disclose any protected health information,
including information created or received under the prior notice, for
discretionary public health purposes.
Section 164.530(i) and the corresponding discussion in this
preamble describes requirements for revision of a covered entity's
privacy policies and procedures, including the privacy practices
reflected in its notice.
Section 164.520(c)--Provision of Notice
As in the proposed rule, all covered entities that are required to
produce a notice must provide the notice upon request of any person.
The requestor does not have to be a current patient or enrollee. We
intend the notice to be a public document that people can use in
choosing between covered entities.
For health plans, we proposed to require health plans to distribute
the notice to individuals covered by the health plan as of the
compliance date; after the compliance date, at enrollment in the health
plan; after enrollment, within 60 days of a material revision to the
content of the notice; and no less frequently than once every three
years.
As in the proposed rule, under the final rule health plans must
provide the notice to all health plan enrollees as of the compliance
date. After the compliance date, health plans must provide the notice
to all new enrollees at the time of enrollment and to all enrollees
within 60 days of a material revision to the notice. Of course, the
term ``enrollees'' includes participants and beneficiaries in group
health plans.
Unlike the proposed rule, we do not require health plans to
distribute the notice every three years. Instead, health plans must
notify enrollees no less than once every three years about the
availability of the notice and how to obtain a copy.
We also clarify that, in each of these circumstances, if a named
insured and one or more dependents are covered by the same policy, the
health plan can satisfy the distribution requirement with respect to
the dependents by sending a single copy of the notice to the named
insured. For example, if an employee of a firm and her three dependents
are all covered under a single health plan policy, that health plan can
satisfy the initial distribution requirement by sending a single copy
of the notice to the employee rather than sending four copies, each
addressed to a different member of the family.
We further clarify that if a health plan has more than one notice,
it satisfies its distribution requirement by providing the notice that
is relevant to the individual or other person requesting the notice.
For example, a health insurance issuer may have contracts with two
different group health plans. One contract specifies that the issuer
may use and disclose protected health information about the
participants in the group health plan for research purposes without
authorization (subject to the requirements of this rule) and one
contract specifies that the issuer must always obtain authorizations
for these uses and disclosures. The issuer accordingly develops two
notices reflecting these different practices and satisfies its
distribution requirements by providing the relevant notice to the
relevant group health plan participants.
We proposed to require covered health care providers with face-to-
face contact with individuals to provide the notice to all such
individuals at the first service delivery to the individual during the
one year period after the compliance date. After this one year period,
covered providers with face-to-face contact with individuals would have
been required to distribute the notice to all new patients at the first
service delivery. Covered providers without face-to-face contact with
individuals would have been required to provide the notice in a
reasonable period of time following first service delivery.
We proposed to require all covered providers to post the notice in
a clear and prominent location where it would be reasonable to expect
individuals seeking services from the covered provider to be able to
read the notice. We would have required revisions to be posted
promptly.
In the final rule, we vary the distribution requirements according
to whether the covered health care provider has a direct treatment
relationship with an individual, rather than whether the covered health
care provider has face-to-face contact with an individual. See
Sec. 164.501 and the corresponding discussion in this preamble
regarding the definition of indirect treatment relationship.
Covered health care providers that have direct treatment
relationships with individuals must provide the notice to such
individuals as of the first service delivery after the compliance date.
This requirement applies whether the first service is delivered
electronically or in person. Covered providers may satisfy this
requirement by sending the notice to all of their patients at once, by
giving the notice to each patient as he or she comes into the
provider's office or facility or contacts the provider electronically,
or by some combination of these approaches. Covered providers that
maintain a physical service delivery site must prominently post the
notice where it is reasonable to expect individuals seeking service
from the provider to be able to read the notice. The notice must also
be available on site for individuals to take on request. In the event
of a revision to the notice, the covered provider must promptly post
the revision and make it available on site.
Covered health care providers that have indirect treatment
relationships with individuals are only required to produce the notice
upon request, as described above.
The proposed rule was silent regarding electronic distribution of
the notice. Under the final rule, a covered entity that maintains a web
site describing the services and benefits it offers must make its
privacy notice prominently available through the site.
A covered entity may satisfy the applicable distribution
requirements described above by providing the notice to the individual
electronically, if the individual agrees to receiving materials from
the covered entity electronically and the individual has not withdrawn
his or her agreement. If the covered entity knows that the electronic
transmission has failed, the covered entity must provide a paper copy
of the notice to the individual.
If an individual's first service delivery from a covered provider
occurs electronically, the covered provider must provide electronic
notice automatically and contemporaneously in response to the
individual's first request for service. For example, the first time an
individual requests to fill a prescription through a covered internet
pharmacy, the pharmacy must automatically and contemporaneously provide
the individual with the
[[Page 82552]]
pharmacy's notice of privacy practices. An individual that receives a
covered entity's notice electronically retains the right to request a
paper copy of the notice as described above. This right must be
described in the notice.
We note that the Electronic Signatures in Global and National
Commerce Act (Pub. L. 106-229) may apply to documents required under
this rule to be provided in writing. We do not intend to affect the
application of that law to documents required under this rule.
Section 164.520(d)--Joint Notice by Separate Covered Entities
The proposed rule was silent regarding the ability of legally
separate covered entities to produce a single notice.
In the final rule, we allow covered entities that participate in an
organized health care arrangement to comply with this section by
producing a single notice that describes their combined privacy
practices. See Sec. 164.501 and the corresponding preamble discussion
regarding the definition of organized health care arrangement. (We note
that, under Sec. 164.504(d), covered entities that are under common
ownership or control may designate themselves as a single affiliated
covered entity. Joint notice requirements do not apply to such
entities. Single affiliated covered entities must produce a single
notice, consistent with the requirements described above for any other
covered entity. Covered entities under common ownership or control that
elect not to designate themselves as a single affiliated covered
entity, however, may elect to produce a joint notice if they meet the
definition of an organized health care arrangement.)
The joint notice must meet all of the requirements described above.
The covered entities must agree to abide by the terms of the notice
with respect to protected health information created or received by the
covered entities as part of their participation in the organized health
care arrangement. In addition, the joint notice must reasonably
identify the covered entities, or class of covered entities, to which
the joint notice applies and the service delivery sites, or classes of
service delivery sites, to which the joint notice applies. If the
covered entities participating in the organized health care arrangement
will share protected health information with each other as necessary to
carry out treatment, payment, or health care operations relating to the
arrangement, that fact must be stated in the notice.
Typical examples where this policy may be useful are health care
facilities where physicians and other providers who have offices
elsewhere also provide services at the facility (e.g. hospital staff
privileges, physicians visiting their patients at a residential
facility). In these cases, a single notice may cover both the physician
and the facility, if the above conditions are met. The physician is
required to have a separate notice covering the privacy practices at
the physician's office if those practices are different than the
practices described in the joint notice.
If any one of the covered entities included in the joint notice
distributes the notice to an individual, as required above, the
distribution requirement is met for all of the covered entities
included in the joint notice.
Section 164.520(e)--Documentation
As in the proposed rule, we establish documentation requirements
for covered entities subject to this provision. In the final rule, we
specify that covered entities must retain copies of the notice(s) they
issue in accordance with Sec. 164.530(j). See Sec. 164.530(j) and the
corresponding preamble discussion for further description of the
documentation requirements.
Section 164.522--Rights To Request Privacy Protection for Protected
Health Information
Section 164.522(a)--Right of An Individual To Request Restriction of
Uses and Disclosures
We proposed that individuals have the right to request that a
covered health care provider restrict the use or disclosure of
protected health information for treatment, payment, or health care
operations. Providers would not have been required to agree to
requested restrictions. However, a covered provider that agreed to a
restriction could not use or disclose protected health information
inconsistent with the restriction. The requirement would not have
applied to permissible uses or disclosures under proposed Sec. 164.510,
including uses and disclosures in emergency circumstances under
proposed Sec. 164.510(k); when the health care services provided were
emergency services; or to required disclosures to the Secretary under
proposed Sec. 164.522. We would have required covered providers to have
procedures for individuals to request restrictions, for agreed-upon
restrictions to be documented, for the provider to honor such
restrictions, and for notification of the existence of a restriction to
others to whom such protected health information is disclosed.
In the final rule, we retain the general right of an individual to
request that uses and disclosures of protected health information be
restricted and the requirement for covered entities to adhere to
restrictions to which they have agreed. However, we include some
significant changes and clarifications.
Under the final rule, we extend the right to request restrictions
to health plans and to health care clearinghouses that create or
receive protected health information other than as a business associate
of another covered entity. All covered entities must permit individuals
to request that uses and disclosures of protected health information to
carry out treatment, payment, and health care operations be restricted
and must adhere to restrictions to which they have agreed. A covered
entity is not required to agree to a restriction. We note that
restrictions between an individual and a covered entity for these or
other purposes may be otherwise enforceable under other law.
Under Sec. 164.522(a)(1)(i)(B), the right to request restrictions
applies to disclosures to persons assisting in the individual's care
under Sec. 164.510(b). An individual may request that a covered entity
agree not to disclose protected health information to persons assisting
with the individual's care, even if such disclosure is permissible in
accordance with Sec. 164.510(b). For example, if an individual requests
that a covered entity never disclose protected health information to a
particular family member, and the covered entity agrees to that
restriction, the covered entity is prohibited from disclosing protected
health information to that family member, even if the disclosure would
otherwise be permissible under Sec. 164.510(b). We note that
individuals additionally have the opportunity to agree or object to
disclosures to persons assisting in the individual's care under
Sec. 164.510(b)(2). The individual retains the right to agree or object
to such disclosures under Sec. 164.510(b)(2), in accordance with the
standards of that provision, regardless of whether the individual has
requested a restriction under Sec. 164.522(a). See Sec. 164.510(b) and
the corresponding preamble discussion regarding the individual's right
to agree or object to disclosures to persons assisting in the
individual's care.
In Secs. 164.522(a)(1)(iii) and (iv) we clarify the requirements
with respect to emergency treatment situations. In emergency treatment
situations, a covered entity that has agreed to a restriction may use,
or disclose to a health care provider, restricted protected health
information that is
[[Page 82553]]
necessary to provide the emergency treatment. If the covered entity
discloses restricted protected health information to a health care
provider for emergency treatment purposes, it must request that the
provider not further use or disclose the information. We expect covered
entities to consider the need for access to protected health
information for treatment purposes when considering a request for a
restriction, to discuss this need with the individual making the
request for restriction, and to agree to restrictions that will not
foreseeably impede the individual's treatment. Therefore, we expect
covered entities will rarely need to use or disclose restricted
protected health information in emergency treatment situations. We do
not intend, however, to adversely impact the delivery of health care.
We therefore provide a means for the use and disclosure of restricted
protected health information in emergency treatment situations, where
an unexpected need for the information could arise and there is
insufficient time to secure the individual's permission to use or
disclose the restricted information.
In Sec. 164.522(a)(1)(v) we clarify that restrictions are not
effective under this rule to prevent uses and disclosures required by
Sec. 164.502(a)(2)(ii) or permitted under Sec. 164.510(a) (regarding
facility directories) or Sec. 164.512 (regarding uses and disclosures
for which consent, individual authorization, or opportunity to agree or
object is not required). Covered entities are permitted to agree to
such restrictions, but if they do so, the restrictions are not
enforceable under this rule. For example, a provider who makes a
disclosure under Sec. 164.512(j)(1)(i) relating to serious and imminent
threats will not be in violation of this rule even if the disclosure is
contrary to a restriction agreed to under this paragraph.
In Sec. 164.522(a)(2) we clarify a covered entity's ability to
terminate a restriction to which it has agreed. A covered entity may
terminate a restriction with the individual's written or oral
agreement. If the individual's agreement is obtained orally, the
covered entity must document that agreement. A note in the medical
record or similar notation is sufficient documentation. If the
individual agrees to terminate the restriction, the covered entity may
use and disclose protected health information as otherwise permitted
under the rule. If the covered entity wants to terminate the
restriction without the individual's agreement, it may only terminate
the restriction with respect to protected health information it creates
or receives after it informs the individual of the termination. The
restriction continues to apply to protected health information created
or received prior to informing the individual of the termination. That
is, any protected health information that had been collected before the
termination may not be used or disclosed in a way that is inconsistent
with the restriction, but any information that is collected after
informing the individual of the termination of the restriction may be
used or disclosed as otherwise permitted under the rule.
In Sec. 164.522(a)(3), we clarify that a covered entity must
document a restriction to which it has agreed. We do not require a
specific form of documentation; a note in the medical record or similar
notation is sufficient. The documentation must be retained for six
years from the date it was created or the date it was last in effect,
whichever is later, in accordance with Sec. 164.530(j).
We eliminate the requirement from the NPRM for covered entities to
inform persons to whom they disclose protected health information of
the existence of any restriction on that information. A restriction is
only binding on the covered entity that agreed to the restriction. We
encourage covered entities to inform others of the existence of a
restriction when it is appropriate to do so. We note, however, that
disclosure of the existence of a restriction often amounts to a de
facto disclosure of the restricted information itself. If a restriction
does not permit a covered entity to disclose protected health
information to a particular person, the covered entity must carefully
consider whether disclosing the existence of the restriction to that
person would also violate the restriction.
Section 164.522(b)--Confidential Communications Requirements
In the NPRM, we did not directly address the issue of whether an
individual could request that a covered entity restrict the manner in
which it communicated with the individual. As described above, the NPRM
would have provided individuals with the right to request that health
care providers restrict uses and disclosures of protected health
information for treatment, payment and health care operations, but
would not have required providers to agree to such a restriction.
In the final rule, we require covered entities to permit
individuals to request that the covered entity provide confidential
communications of protected health information about the individual.
The requirement applies to communications from the covered entity to
the individual, and also communications from the covered entity that
would otherwise be sent to the named insured of an insurance policy
that covers the individual as a dependent of the named insured.
Individuals may request that the covered entity send such
communications by alternative means or at alternative locations. For
example, an individual who does not want his or her family members to
know about a certain treatment may request that the provider
communicate with the individual about that treatment at the
individual's place of employment, by mail to a designated address, or
by phone to a designated phone number. Similarly, an individual may
request that the provider send communications in a closed envelope
rather than a post card, as an ``alternative means.'' Covered health
care providers must accommodate all reasonable requests. Health plans
must accommodate all reasonable requests, if the individual clearly
states that the disclosure of all or part of the protected health
information could endanger the individual. For example, if an
individual requests that a health plan send explanations of benefits
about particular services to the individual's work rather than home
address because the individual is concerned that a member of the
individual's household (e.g., the named insured) might read the
explanation of benefits and become abusive towards the individual, the
health plan must accommodate the request.
The reasonableness of a request made under this paragraph must be
determined by a covered entity solely on the basis of the
administrative difficulty of complying with the request and as
otherwise provided in this section. A covered health care provider or
health plan cannot refuse to accommodate a request based on its
perception of the merits of the individual's reason for making the
request. A covered health care provider may not require the individual
to provide a reason for the request as a condition of accommodating the
request. As discussed above, a health plan is not required to
accommodate a request unless the individual indicates that the
disclosure could endanger the individual. If the individual indicates
such endangerment, however, the covered entity cannot further consider
the individual's reason for making the request in determining whether
it must accommodate the request.
A covered health care provider or health plan may refuse to
accommodate a request, however, if the individual has
[[Page 82554]]
not provided information as to how payment, if applicable, will be
handled, or if the individual has not specified an alternative address
or method of contact.
Section 164.524--Access of Individuals to Protected Health
Information
Section 164.524(a)--Right of Access
In the NPRM, we proposed to establish a right for individuals to
access (i.e., inspect and obtain a copy of) protected health
information about them maintained by a covered provider or health plan,
or its business partners, in a designated record set.
As in the proposed rule, in the final rule we provide that
individuals have a right of access to protected health information that
is maintained in a designated record set. This right applies to health
plans, covered health care providers, and health care clearinghouses
that create or receive protected health information other than as a
business associate of another covered entity (see Sec. 164.500(b)). In
the final rule, however, we modify the definition of designated record
set. For a discussion of the significant changes made to the definition
of designated record set, see Sec. 164.501 and the corresponding
preamble.
Under the revised definition, individuals have a right of access to
any protected health information that is used, in whole or in part, to
make decisions about individuals. This information includes, for
example, information used to make health care decisions or information
used to determine whether an insurance claim will be paid. Covered
entities often incorporate the same protected health information into a
variety of different data systems, not all of which will be utilized to
make decisions about individuals. For example, information systems that
are used for quality control or peer review analyses may not be used to
make decisions about individuals. In that case, the information systems
would not fall within the definition of designated record set. We do
not require entities to grant an individual access to protected health
information maintained in these types of information systems.
Duration of the Right of Access
As in the proposed rule, covered entities must provide access to
individuals for as long as the protected health information is
maintained in a designated record set.
Exceptions to the Right of Access
In the NPRM, we proposed to establish a right for individuals to
access any protected health information maintained in a designated
record set. Though we proposed to permit covered entities to deny
access in certain situations relating to the particular individual
requesting access, we did not specifically exclude any protected health
information from the right of access.
In the final rule, we specify three types of information to which
individuals do not have a right of access, even if the information is
maintained in a designated record set. They are psychotherapy notes,
information compiled in reasonable anticipation of, or for use in, a
civil, criminal, or administrative action or proceeding, and certain
protected health information maintained by a covered entity that is
subject to or exempted from the Clinical Laboratory Improvements
Amendments of 1988 (CLIA). Covered entities may, but are not required
to, provide access to this information.
First, unlike the proposed rule, we specify that individuals do not
have a right of access to psychotherapy notes.
Second, individuals do not have a right of access to information
compiled in reasonable anticipation of, or for use in, a civil,
criminal, or administrative action or proceeding. In the NPRM, we would
have permitted covered entities to deny a request for access to
protected health information complied in reasonable anticipation of, or
for use in, a legal proceeding. We change the language in the final
rule to clarify that a legal proceeding includes civil, criminal, and
administrative actions and proceedings. In the final rule, we clarify
that an individual does not have a right to this information by
including it in the list of exceptions rather than stating that a
covered entity may deny access to this information. Under this
exception, the covered entity may deny access to any information that
relates specifically to legal preparations but may not deny access to
the individual's underlying health information. We do not intend to
require covered entities to provide access to documents protected by
attorney work-product privilege nor do we intend to alter rules of
discovery.
Third, unlike the proposed rule, individuals do not have a right of
access to protected health information held by clinical laboratories if
CLIA prohibits such access. CLIA states that clinical laboratories may
provide clinical laboratory test records and reports only to
``authorized persons,'' as defined primarily by state law. The
individual who is the subject of the information is not always included
in this set of authorized persons. When an individual is not an
authorized person, this restriction effectively prohibits the clinical
laboratory from providing an individual access to this information. We
do not intend to preempt CLIA and, therefore, do not require covered
clinical laboratories to provide an individual access to this
information if CLIA prohibits them from doing so. We note, however,
that individuals have the right of access to this information if it is
maintained by a covered health care provider, clearinghouse, or health
plan that is not subject to CLIA.
Finally, unlike the proposed rule, individuals do not have access
to protected health information held by certain research laboratories
that are exempt from the CLIA regulations. The CLIA regulations
specifically exempt the components or functions of ``research
laboratories that test human specimens but do not report patient
specific results for the diagnosis, prevention or treatment of any
disease or impairment of, or the assessment of the health of individual
patients.'' 42 CFR 493.3(a)(2). If subject to the access requirements,
these laboratories, or the applicable components of them, would be
forced to comply with the CLIA regulations once they provided an
individual with the access under this privacy rule. Therefore, to
alleviate this additional regulatory burden, we have exempted these
laboratories, or the relevant components of them, from the access
requirements of this regulation.
Grounds for Denial of Access
In the NPRM we proposed to permit covered health care providers and
health plans to deny an individual access to inspect and copy protected
health information about them for five reasons: (1) a licensed health
care professional determined the inspection and copying was reasonably
likely to endanger the life or physical safety of the individual or
another person; (2) the information was about another person (other
than a health care provider) and a licensed health care professional
determined the inspection and copying was reasonably likely to cause
substantial harm to that other person; (3) the information was obtained
under a promise of confidentiality from someone other than a health
care provider and the inspection and copying was likely to reveal the
source of the information; (4) the information was obtained by a
covered provider in the course of a clinical trial, the individual
agreed to the denial of access in consenting to participate in the
trial, and the trial was in progress; and (5) the information was
compiled in reasonable anticipation of, or for use in, a legal
[[Page 82555]]
proceeding. In the NPRM, covered entities would not have been permitted
to use these grounds to deny individuals access to protected health
information that was also subject to the Privacy Act.
In the final rule, we retain all of these grounds for denial, with
some modifications. One of the proposed grounds for denial (regarding
legal proceedings) is retained as an exception to the right of access.
(See discussion above.) We also include additional grounds for denial
and create a right for individuals to request review of certain
denials.
There are five types of denials covered entities may make without
providing the individual with a right to have the denial reviewed.
First, a covered entity may deny an individual access to any
information that is excepted from the right of access under
Sec. 164.524(a)(1). (See discussion above.)
Second, we add a new provision that permits a covered entity that
is a correctional institution or covered health care provider acting
under the direction of a correctional institution to deny an inmate's
request to obtain a copy of protected health information if obtaining a
copy would jeopardize the health, safety, security, custody, or
rehabilitation of the individual or other inmates or the safety of any
officer, employee or other person at the correctional institution or
responsible for the transporting of the inmate. This ground for denial
is restricted to an inmate's request to obtain a copy of protected
health information. If an inmate requests inspection of protected
health information, the request must be granted unless one of the other
grounds for denial applies. The purpose for this exception, and the
reason that the exception is limited to denying an inmate a copy and
not to denying a right to inspect, is to give correctional institutions
the ability to maintain order in these facilities and among inmates
without denying an inmate the right to review his or her protected
health information.
Third, as in the proposed rule, a covered entity may deny an
individual access to protected health information obtained by a covered
provider in the course of research that includes treatment of the
research participants, while such research is in progress. For this
exception to apply, the individual must have agreed to the denial of
access in conjunction with the individual's consent to participate in
the research and the covered provider must have informed the individual
that the right of access will be reinstated upon completion of the
research. If either of these conditions is not met, the individual has
the right to inspect and copy the information (subject to the other
exceptions we provide here). In all cases, the individual has the right
to inspect and copy the information after the research is complete.
As with all the grounds for denial, covered entities are not
required to deny access under the research exception. We expect all
researchers to maintain a high level of ethical consideration for the
welfare of research participants and provide access in appropriate
circumstances. For example, if a participant has a severe adverse
reaction, disclosure of information during the course of the research
may be necessary to give the participant adequate information for
proper treatment decisions.
Fourth, we clarify the ability of a covered entity to deny
individuals access to protected health information that is also subject
to the Privacy Act. In the final rule, we specify that a covered entity
may deny an individual access to protected health information that is
contained in records that are subject to the Privacy Act if such denial
is permitted under the Privacy Act. This ground for denial exists in
addition to the other grounds for denial available under this rule. If
an individual requests access to protected health information that is
also subject to the Privacy Act, a covered entity may deny access to
that information for any of the reasons permitted under the Privacy Act
and for any of the reasons permitted under this rule.
Fifth, as in the proposed rule, a covered entity may deny an
individual access to protected health information if the covered entity
obtained the requested information from someone other than a health
care provider under a promise of confidentiality and such access would
be reasonably likely to reveal the source of the information. This
provision is intended to preserve a covered entity's ability to
maintain an implicit or explicit promise of confidentiality. A covered
entity may not, however, deny access to protected health information
when the information has been obtained from a health care provider. An
individual is entitled to have access to all information about him or
her generated by the health care system (apart from the other
exceptions we provide here). Confidentiality promises to health care
providers should not interfere with that access.
As in the proposed rule, a covered entity may deny access to
protected health information under certain circumstances in which the
access may harm the individual or others. In the final rule, we specify
that a covered entity may only deny access for these reasons if the
covered entity provides the individual with a right to have the denial
reviewed. (See below for a discussion of the right to review.)
There are three types of denials for which covered entities must
provide the individual with a right to review. A denial under these
provisions requires a determination by a licensed health care
professional (such as a physician, physician's assistant, or nurse)
based on an assessment of the particular circumstances and current
professional medical standards of harm. Therefore, when the request is
made to a health plan or clearinghouse, the covered entity will need to
consult with a licensed health care professional before denying access
under this provision.
First, as in the proposed rule, covered entities may deny
individuals access to protected health information about them if a
licensed health care professional has determined, in the exercise of
professional judgment, that the access requested is reasonably likely
to endanger the life or physical safety of the individual or another
person. The most commonly cited example is when an individual exhibits
suicidal or homicidal tendencies. If a licensed health care
professional determines that an individual exhibits such tendencies and
that permitting inspection or copying of some of the individual's
protected health information is reasonably likely to result in the
individual committing suicide, murder, or other physical violence, then
the health care professional may deny the individual access to that
information. Under this reason for denial, covered entities may not
deny access on the basis of the sensitivity of the health information
or the potential for causing emotional or psychological harm.
Second, as in the proposed rule, covered entities may deny an
individual access to protected health information if the information
requested makes reference to someone other than the individual (and
other than a health care provider) and a licensed health care
professional has determined, in the exercise of professional judgment,
that the access requested is reasonably likely to cause serious harm to
that other person. On some occasions when health information about one
person is relevant to the care of another, a physician may incorporate
it into the latter's record, such as information from group therapy
sessions and information about illnesses with a genetic component. This
provision permits a covered entity to withhold information in such
cases if
[[Page 82556]]
the release of such information is reasonably likely to cause
substantial physical, emotional, or psychological harm.
Third, we add a new provision regarding denial of access requested
by personal representatives. Under Sec. 164.502(g), a person that is a
personal representative of an individual may exercise the rights of the
individual, including the right to inspect and copy protected health
information about the individual that is relevant to such person's
representation. The provision permits covered entities to refuse to
treat a personal representative as the individual, generally, if the
covered entity has a reasonable belief that the individual has been or
will be subjected to domestic violence, abuse or neglect by the
personal representative, or that treating the personal representative
as the individual may endanger the individual and, in its professional
judgment, the covered entity decides that it is not in the best
interest of the individual to treat such person as the personal
representative.
In addition to that provision, we add a new provision at
Sec. 164.524(a)(3)(iii) to clarify that a covered entity may deny a
request to inspect or copy protected health information if the
information is requested by a personal representative of the individual
and a licensed health care professional has determined that, in the
exercise of professional judgment, such access is reasonably likely to
cause substantial harm to the individual who is the subject of the
information or to another person. The health care professional need not
have a reasonable belief that the personal representative has abused or
neglected the individuals and the harm that is likely to result need
not be limited to the individual who is the subject of the requested
protected health information. Therefore, a covered entity can recognize
a person as a personal representative but deny such person access to
protected health information as a personal representative.
We do not intend these provisions to create a legal duty for the
covered entity to review all of the relevant protected health
information before releasing it. Rather, we are preserving the
flexibility and judgment of covered entities to deny access under
appropriate circumstances. Denials are not mandatory; covered entities
may always elect to provide requested health information to the
individual. For each request by an individual, the covered entity may
provide all of the information requested or evaluate the requested
information, consider the circumstances surrounding the individual's
request, and make a determination as to whether that request should be
granted or denied, in whole or in part, in accordance with one of the
reasons for denial under this rule. We intend to create narrow
exceptions to the right of access and we expect covered entities to
employ these exceptions rarely, if at all. Covered entities may only
deny access for the reasons specifically provided in the rule.
Review of a Denial of Access
In the NPRM, we proposed to require covered entities, when denying
an individual's request for access, to inform the individual of how to
make a complaint to the covered entity and the Secretary.
We retain in the final rule the proposed approach (see below). In
addition, if the covered entity denies the request on the basis of one
of the reviewable grounds for denial described above, the individual
has the right to have the denial reviewed by a licensed health care
professional who is designated by the covered entity to act as a
reviewing official and who did not participate in the original decision
to deny access. The covered entity must provide access in accordance
with the reviewing official's determination. ( See below for further
description of the covered entity's requirements under
Sec. 164.524(d)(4) if the individual requests a review of denial of
access.)
Section 164.524(b)--Requests for Access and Timely Action
In the NPRM, we proposed to require covered health care providers
and health plans to provide a means for individuals to request access
to protected health information about them. We proposed to require
covered health care providers and health plans to take action on a
request for access as soon as possible, but not later than 30 days
following the request.
As in the proposed rule, the final rule requires covered entities
to permit an individual to request access to inspect or to obtain a
copy of the protected health information about the individual that is
maintained in a designated record set. We additionally permit covered
entities to require individuals to make requests for access in writing,
if the individual is informed of this requirement.
In the final rule, we eliminate the requirement for the covered
entity to act on a request as soon as possible. We recognize that
circumstances may arise in which an individual will request access on
an expedited basis. We encourage covered entities to have procedures in
place for handling such requests. The time limitation is intended to be
an outside deadline, rather than an expectation.
In the final rule, covered entities must act on a request for
access within 30 days of receiving the request if the information is
maintained or accessible on-site. Covered entities must act on a
request for access within 60 days of receiving the request if the
information is not maintained or accessible on-site. If the covered
entity is unable to act on a request within the applicable deadline, it
may extend the deadline by no more than 30 days by providing the
individual with a written statement of the reasons for the delay and
the date by which the covered entity will complete its action on the
request. This written statement describing the extension must be
provided within the standard deadline. A covered entity may only extend
the deadline once per request for access. This provision permits a
covered entity to take a total of up to 60 days to act on a request for
access to information maintained on-site and up to 90 days to act on a
request for access to information maintained off-site.
The requirements for a covered entity to comply with or deny a
request for access, in whole or in part, are described below.
Section 164.524(c)--Provision of Access
In the NPRM, we proposed to require covered health care providers
and health plans, upon accepting a request for access, to notify the
individual of the decision and of any steps necessary to fulfill the
request; to provide the information requested in the form or format
requested, if readily producible in such form or format; and to
facilitate the process of inspection and copying.
We generally retain the proposed approach in the final rule. If a
covered entity accepts a request, in whole or in part, it must notify
the individual of the decision and provide the access requested.
Individuals have the right both to inspect and to copy protected health
information in a designated record set. The individual may choose
whether to inspect the information, to copy the information, or to do
both.
In the final rule, we clarify that if the same protected health
information is maintained in more than one designated record set or at
more than one location, the covered entity is required to produce the
information only once per request for access. We intend this provision
to reduce covered entities' burden in complying with requests without
reducing individuals' access to protected health information. We note
that summary information and reports
[[Page 82557]]
are not the same as the underlying information on which the summary or
report was based. Individuals have the right to obtain access both to
summaries and to the underlying information. An individual retains the
right of access to the underlying information even if the individual
requests access to, or production of, a summary. (See below regarding
requests for summaries.)
The covered entity must provide the information requested in the
form or format requested if it is readily producible in such form or
format. For example, if the covered entity maintains health information
electronically and the individual requests an electronic copy, the
covered entity must accommodate such request, if possible.
Additionally, we specify that if the information is not available in
the form or format requested, the covered entity must produce a readily
readable hard copy of the information or another form or format to
which the individual and covered entity can agree. If the individual
agrees, including agreeing to any associated fees (see below), the
covered entity may provide access to a summary of information rather
than all protected health information in designated record sets.
Similarly, a covered entity may provide an explanation in addition to
the protected health information, if the individual agrees in advance
to the explanation and any associated fees.
The covered entity must provide the access requested in a timely
manner, as described above, and arrange for a mutually convenient time
and place for the individual to inspect the protected health
information or obtain a copy. If the individual requests that the
covered entity mail a copy of the information, the covered entity must
do so, and may charge certain fees for copying and mailing. For
requests to inspect information that is maintained electronically, the
covered entity may print a copy of the information and allow the
individual to view the print-out on-site. Covered entities may discuss
the request with the individual as necessary to facilitate the timely
provision of access. For example, if the individual requested a copy of
the information by mail, but the covered entity is able to provide the
information faster by providing it electronically, the covered entity
may discuss this option with the individual.
We proposed in the NPRM to permit the covered entity to charge a
reasonable, cost-based fee for copying the information.
We clarify this provision in the final rule. If the individual
requests a copy of protected health information, a covered entity may
charge a reasonable, cost-based fee for the copying, including the
labor and supply costs of copying. If hard copies are made, this would
include the cost of paper. If electronic copies are made to a computer
disk, this would include the cost of the computer disk. Covered
entities may not charge any fees for retrieving or handling the
information or for processing the request. If the individual requests
the information to be mailed, the fee may include the cost of postage.
Fees for copying and postage provided under state law, but not for
other costs excluded under this rule, are presumed reasonable. If such
per page costs include the cost of retrieving or handling the
information, such costs are not acceptable under this rule.
If the individual requests an explanation or summary of the
information provided, and agrees in advance to any associated fees, the
covered entity may charge for preparing the explanation or summary as
well.
The inclusion of a fee for copying is not intended to impede the
ability of individuals to copy their records. Rather, it is intended to
reduce the burden on covered entities. If the cost is excessively high,
some individuals will not be able to obtain a copy. We encourage
covered entities to limit the fee for copying so that it is within
reach of all individuals.
We do not intend to affect the fees that covered entities charge
for providing protected health information to anyone other than the
individual. For example, we do not intend to affect current practices
with respect to the fees one health care provider charges for
forwarding records to another health care provider for treatment
purposes.
Section 164.524(d)--Denial of Access
We proposed in the NPRM to require a covered health care provider
or health plan that elects to deny a request for inspection or copying
to make any other protected health information requested available to
the individual to the extent possible, consistent with the denial.
In the final rule, we clarify the proposed approach. A covered
entity that denies access, in whole or in part, must, to the extent
possible, give the individual access to any other protected health
information requested after excluding the protected health information
to which the covered entity has a ground to deny access. We intend
covered entities to redact or otherwise exclude only the information
that falls within one or more of the denial criteria described above
and to permit inspection and copying of all remaining information, to
the extent it is possible to do so.
We also proposed to require covered providers and health plans,
upon denying a request for access in whole or in part, to provide the
individual with a written statement in plain language of the basis for
the denial and how the individual could make a complaint to the covered
entity or the Secretary.
We retain the proposed approach. A covered entity that denies
access, in whole or in part, must provide the individual with a written
denial in plain language that explains the basis for the denial. The
written denial could include a direct reference to the section of the
regulation relied upon for the denial, but the regulatory citation
alone does not sufficiently explain the reason for the denial. The
written denial must also describe how the individual can complain to
the covered entity and the Secretary and must include the name or title
and the telephone number of the covered entity's contact person or
office that is responsible for receiving complaints.
In the final rule, we impose two additional requirements when the
covered entity denies access, in whole or in part. First, if a covered
entity denies a request on the basis of one of the reviewable grounds
for denial, the written denial must describe the individual's right to
a review of the denial and how the individual may exercise this right.
Second, if the covered entity denies the request because it does not
maintain the requested information, and the covered entity knows where
the requested information is maintained, the covered entity must inform
the individual where to direct the request for access.
Finally, we specify a covered entity's responsibilities when an
individual requests a review of a denial. If the individual requests a
review of a denial made under Sec. 164.524(a)(3), the covered entity
must designate a licensed health care professional to act as the
reviewing official. This reviewing official must not have been involved
in the original decision to deny access. The covered entity must
promptly refer a request for review to the designated reviewing
official. The reviewing official must determine, within a reasonable
period of time, whether or not to deny the access requested based on
the standards in Sec. 164.524(a)(3). The covered entity must promptly
provide the individual with written notice of the reviewing official's
decision and otherwise carry out the decision in accordance with the
requirements of this section.
[[Page 82558]]
Section 164.524(e)--Policies, Procedures, and Documentation
As in the proposed rule, we establish documentation requirements
for covered entities that are subject to this provision. In accordance
with Sec. 164.530(j), the covered entity must retain documentation of
the designated record sets that are subject to access by individuals
and the titles of the persons or offices responsible for receiving and
processing requests for access by individuals.
Section 164.526--Amendment of Protected Health Information
Section 164.526(a)--Right to Amend
In proposed Sec. 164.516, we proposed to establish the individual's
right to request a covered health care provider or health plan to amend
or correct protected health information about the individual for as
long as the covered entity maintains the information.
In Sec. 164.526 of the final rule, we retain the general proposed
approach, but establish an individual's right to have the covered
entity amend, rather than amend or correct, protected health
information. This right applies to protected health information and
records in a designated record set for as long as the information is
maintained in the designated record set. In the final rule, covered
health care providers, health plans, and health care clearinghouses
that create or receive protected health information other than as a
business associate must comply with these requirements.
Denial of Amendment
We proposed to permit a covered health care provider or health plan
to deny a request for amendment if it determined that the protected
health information that was the subject of the request was not created
by the covered provider or health plan, would not be available for
inspection and copying under proposed Sec. 164.514, or was accurate and
complete. A covered entity would have been permitted, but not required,
to deny a request if any of these conditions were met.
As in the proposed rule, the final rule permits a covered entity to
deny a request for amendment if the covered entity did not create the
protected health information or record that is the subject of the
request for amendment. We add one exception to this provision: if the
individual provides a reasonable basis to believe that the originator
of the protected health information is no longer available to act on
the requested amendment, the covered entity must address the request
for amendment as though the covered entity had created the information.
As in the proposed rule, a covered entity also may deny a request
for amendment if the protected health information that is the subject
of the request for amendment is not part of a designated record set or
would not otherwise be available for inspection under Sec. 164.524. We
eliminate the ability to deny a request for amendment if the
information or record that is the subject of the request would not be
available for copying under the rule. Under Sec. 164.524(a)(2)(ii), an
inmate may be denied a copy of protected health information about the
inmate. We intend to preserve an inmate's ability to request amendments
to information, even if a copy of the information would not be
available to the inmate, subject to the other exceptions provided in
this section.
Finally, as in the proposed rule, a covered entity may deny a
request for amendment if the covered entity determines that the
information in dispute is accurate and complete. We draw this concept
from the Privacy Act of 1974, governing records held by federal
agencies, which permits an individual to request correction or
amendment of a record ``which the individual believes is not accurate,
relevant, timely, or complete.'' (5 U.S.C. 552a(d)(2)). We adopt the
standards of ``accuracy'' and ``completeness'' and draw on the
clarification and analysis of these terms that have emerged in
administrative and judicial interpretations of the Privacy Act during
the last 25 years. We note that for federal agencies that are also
covered entities, this rule does not diminish their present obligations
under the Privacy Act of 1974.
This right is not intended to interfere with medical practice or to
modify standard business record keeping practices. Perfect records are
not required. Instead, a standard of reasonable accuracy and
completeness should be used. In addition, this right is not intended to
provide a procedure for substantive review of decisions such as
coverage determinations by payors. It is intended only to affect the
content of records, not the underlying truth or correctness of
materials recounted therein. Attempts under the Privacy Act of 1974 to
use this mechanism as a basis for collateral attack on agency
determinations have generally been rejected by the courts. The same
results are intended here.
Section 164.526(b)--Requests for Amendment and Timely Action
We proposed to require covered health care providers and health
plans to provide a means for individuals to request amendment of
protected health information about them. Under the NPRM, we would have
required covered health care providers and health plans to take action
on a request for amendment or correction within 60 days of the request.
As in the proposed rule, covered entities must permit individuals
to request that the covered entity amend protected health information
about them. We also permit certain specifications for the form and
content of the request. If a covered entity informs individuals of such
requirements in advance, a covered entity may require individuals to
make requests for amendment in writing and to provide a reason to
support a requested amendment. If the covered entity imposes such a
requirement and informs individuals of the requirement in advance, the
covered entity is not required to act on an individual's request that
does not meet the requirements.
We retain the requirement for covered entities to act on a request
for amendment within 60 days of receipt of the request. In the final
rule, we specify the nature of the action the covered entity must take
within the time frame. The covered entity must inform the individual,
as described below, that the request has been either accepted or
denied, in whole or in part. It must also take certain actions pursuant
to its decision to accept or deny the request, as described below. If
the covered entity is unable to meet the deadline, the covered entity
may extend the deadline by no more than 30 days. The covered entity
must inform the individual in writing, within the initial 60-day
period, of the reason for the delay and the date by which the covered
entity will complete its action on the request. A covered entity may
only extend the deadline one time per request for amendment.
Section 164.526(c)--Accepting the Amendment
If a covered health care provider or health plan accepted a request
for amendment, in whole or in part, we proposed to require the covered
entity to make the appropriate change. The covered entity would have
had to identify the challenged entries as amended or corrected and
indicate the location of the amended or corrected information.
[[Page 82559]]
We also proposed to require the covered provider or health plan to
make reasonable efforts to notify certain entities of the amendment: 1)
entities the individual identified as needing to be notified and 2)
entities the covered provider or health plan knew had received the
erroneous or incomplete information and who may have relied, or could
foreseeably rely, on such information to the detriment of the
individual.
The covered provider or health plan would also have been required
to notify the individual of the decision to amend the information.
As in the proposed rule, if a covered entity accepts an
individual's request for amendment or correction, it must make the
appropriate amendment. In the final rule, we clarify that, at a
minimum, the covered entity must identify the records in the designated
record set that are affected by the amendment and must append or
otherwise provide a link to the location of the amendment. We do not
require covered entities to expunge any protected health information.
Covered entities may expunge information if doing so is consistent with
other applicable law and the covered entity's record keeping practices.
We alter some of the required procedures for informing the
individual and others of the accepted amendment. As in the proposed
rule, the covered entity must inform individuals about accepted
amendments. In the final rule, the covered entity must obtain the
individual's agreement to have the amended information shared with
certain persons. If the individual agrees, the covered entity must make
reasonable efforts to provide a copy of the amendment within a
reasonable time to: (1) Persons the individual identifies as having
received protected health information about the individual and needing
the amendment; and (2) persons, including business associates, that the
covered entity knows have the unamended information and who may have
relied, or could foreseeably rely, on the information to the detriment
of the individual. For example, a covered entity must make reasonable
efforts to inform a business associate that uses protected health
information to make decisions about individuals about amendments to
protected health information used for such decisions.
Section 164.526(d)--Denying the Amendment
If a covered health care provider or health plan denied a request
for amendment, in whole or in part, we proposed to require the covered
entity to provide the individual with a written statement in plain
language of the basis for the denial, a description of how the
individual could submit a written statement of disagreement with the
denial, and a description of how the individual could make a complaint
with the covered entity and the Secretary.
We proposed to require covered health care providers and health
plans to have procedures to permit the individual to file a written
statement of disagreement with the denial and to include the covered
entity's statement of denial and the individual's statement of
disagreement with any subsequent disclosure of the disputed
information. Covered entities would have been permitted to establish a
limit to the length of the individual's statement of disagreement and
to summarize the statement if necessary. We also proposed to permit
covered entities to provide a rebuttal to the individual's statement
with future disclosures.
As in the proposed rule, if a covered entity denies a request for
amendment, it must provide the individual with a statement of denial
written in plain language. The written denial must include the basis
for the denial, how the individual may file a written statement
disagreeing with the denial, and how the individual may make a
complaint to the covered entity and the Secretary.
In the final rule, we additionally require the covered entity to
inform individuals of their options with respect to future disclosures
of the disputed information in order to ensure that an individual is
aware of his or her rights. The written denial must state that if the
individual chooses not to file a statement of disagreement, the
individual may request that the covered entity include the individual's
request for amendment and the covered entity's denial of the request
with any future disclosures of the protected health information that is
the subject of the requested amendment.
As in the proposed rule, the covered entity must permit the
individual to submit a written statement disagreeing with the denial
and the basis of such disagreement. The covered entity may reasonably
limit the length of a statement of disagreement and may prepare a
written rebuttal to the individual's statement of disagreement. If the
covered entity prepares a rebuttal, it must provide a copy to the
individual.
The covered entity must identify the record or protected health
information that is the subject of the disputed amendment and append or
otherwise link the following information to the designated record set:
the individual's request for amendment, the covered entity's denial of
the request, the individual's statement of disagreement (if any), and
the covered entity's rebuttal (if any). If the individual submits a
written statement of disagreement, all of the appended or linked
information, or an accurate summary of it, must be included with any
subsequent disclosure of the protected health information to which the
disagreement relates. If the individual does not submit a written
statement of disagreement, the covered entity must include the appended
or linked information only if the individual requests that the covered
entity do so.
In the final rule, we clarify that when a subsequent disclosure is
a standard transaction adopted under the Transactions Rule that cannot
accommodate the additional materials described above, the covered
entity may separately disclose the additional material to the recipient
of the transaction.
Section 164.526(e)--Actions on Notices of Amendment
We proposed to require any covered entity that received a
notification of amendment to have procedures in place to make the
amendment in any of its designated record sets and to notify its
business associates, if appropriate, of amendments.
We retain the proposed approach in the final rule. If a covered
entity receives a notification of amended protected health information
from another covered entity as described above, the covered entity must
make the necessary amendment to protected health information in
designated record sets it maintains. In addition, covered entities must
require their business associates who receive such notifications to
incorporate any necessary amendments to designated record sets
maintained on the covered entity's behalf. (See Sec. 164.504 regarding
business associate requirements.)
Section 164.526(f)--Policies, Procedures, and Documentation
As in the proposed rule, we establish documentation requirements
for covered entities subject to this provision. In accordance with
Sec. 164.530(j), the covered entity must document the titles of the
persons or offices responsible for receiving and processing requests
for amendment.
Sec. 164.528--Accounting of Disclosures of Protected Health
Information
Right to an Accounting of Disclosures
We proposed in the NPRM to grant individuals a right to receive an
[[Page 82560]]
accounting of all disclosures of protected health information about
them by a covered entity for purposes other than treatment, payment,
and health care operations. We proposed this right to exist for as long
as the covered entity maintained the protected health information.
We also proposed that individuals would not have a right to an
accounting of disclosures to health oversight or law enforcement
agencies if the agency provided a written request for exclusion for a
specified time period and the request stated that access by the
individual during that time period would be reasonably likely to impede
the agency's activities.
We generally retain the proposed approach in the final rule. As in
the proposed rule, individuals have a right to receive an accounting of
disclosures made by a covered entity, including disclosures by or to a
business associate of the covered entity, for purposes other than
treatment, payment, and health care operations, subject to certain
exceptions as discussed below.
We revise the duration of this right under the final rule.
Individuals have a right to an accounting of the applicable disclosures
that have been made in the 6 year period prior to the date of a request
for an accounting. We additionally clarify in Sec. 164.528(b)(1) that
an individual may request, and a covered entity may then provide, an
accounting of disclosures for a period of time less than 6 years from
the date of the request. For example, an individual could request an
accounting only of disclosures that occurred during the year prior to
the request.
In the final rule, we exclude several additional types of
disclosures from the accounting requirement. Covered entities are not
required to include in the accounting disclosures to the individual as
provided in Sec. 164.502; disclosures for facility directories,
disclosures to persons involved in the individual's care, or other
disclosures for notification purposes as provided in Sec. 164.510;
disclosures for national security or intelligence purposes as provided
in Sec. 164.512(k)(2); disclosures to correctional institutions or law
enforcement officials as provided in Sec. 164.512(k)(5); or any
disclosures that were made by the covered entity prior to the
compliance date of the rule for that covered entity.
We retain the time-limited exclusion for disclosures to health
oversight and law enforcement agencies, but require rather than permit
the exclusion for the specified time period. Covered entities must
exclude disclosures to a health oversight agency or law enforcement
official from the accounting for the time period specified by the
applicable agency or official if the agency or official provides the
covered entity with a statement that inclusion of the disclosure(s) in
the accounting to the individual during that time period would be
reasonably likely to impede the agency or official's activities. The
agency or official's statement must specifically state how long the
information must be excluded. At the expiration of that period, the
covered entity is required to include the disclosure(s) in an
accounting for the individual. If the agency or official's statement is
made orally, the covered entity must document the identity of the
agency or official who made the statement and must exclude the
disclosure(s) for no longer than 30 days from the date of the oral
statement, unless a written statement is provided during that time. If
the agency or official provides a written statement, the covered entity
must exclude the disclosure(s) for the time period specified in the
written statement.
Content of the Accounting
We proposed in the NPRM to require the accounting to include all
disclosures as described above, including disclosures authorized by the
individual. The accounting would have been required to contain the date
of each disclosure; the name and address of the organization or person
who received the protected health information; a brief description of
the information disclosed; and copies of all requests for disclosures.
For disclosures other than those made at the request of the individual,
the accounting would have also included the purpose for which the
information was disclosed.
We generally retain the proposed approach in the final rule, but do
not require covered entities to make copies of authorizations or other
requests for disclosures available with the accounting. Instead, we
require the accounting to contain a brief statement of the purpose of
the disclosure. The statement must reasonably inform the individual of
the basis for the disclosure. In lieu of the statement of purpose, a
covered entity may include a copy of the individual's authorization
under Sec. 164.508 or a copy of a written request for disclosure, if
any, under Sec. 164.502(a)(2)(ii) or Sec. 164.512. We also clarify that
covered entities are only required to include the address of the
recipient of the disclosed protected health information if the covered
entity knows the address.
We add a provision allowing for a summary accounting of recurrent
disclosures. For multiple disclosures to the same recipient pursuant to
a single authorization under Sec. 164.508 or for a single purpose under
Secs. 164.502(a)(2)(ii) or 164.512, the covered entity may provide a
summary accounting addressing the series of disclosures rather than a
detailed accounting of each disclosure in the series. In this
circumstance, a covered entity may limit the accounting of the series
of disclosures to the following information: the information otherwise
required above for the first disclosure in the series during the
accounting period; the frequency, periodicity, or number of disclosures
made during the accounting period; and the date of the most recent
disclosure in the series. For example, if under Sec. 164.512(b), a
covered entity discloses the same protected health information to a
public health authority for the same purpose every month, it can
account for those disclosures by including in the accounting the date
of the first disclosure, the public health authority to whom the
disclosures were made and the public health authority's address, a
brief description of the information disclosed, a brief description of
the purpose of the disclosures, the fact that the disclosures were made
every month during the accounting period, and the date of the most
recent disclosure.
Provision of the Accounting
We proposed in the NPRM to require covered entities to provide
individuals with an accounting of disclosures as soon as possible, but
not later than 30 days following receipt of the request for the
accounting.
In the final rule, we eliminate the requirement for the covered
entity to act as soon as possible. We recognize that circumstances may
arise in which an individual will request an accounting on an expedited
basis. We encourage covered entities to implement procedures for
handling such requests. The time limitation is intended to be an
outside deadline, rather than an expectation. We expect covered
entities always to be attentive to the circumstances surrounding each
request and to respond in an appropriate time frame.
In the final rule, covered entities must provide a requested
accounting no later than 60 days after receipt of the request. If the
covered entity is unable to meet the deadline, the covered entity may
extend the deadline by no more than 30 days. The covered entity must
inform the individual in writing, within the standard 60-day deadline,
of the reason for the delay and the date by which the covered entity
will provide the request.
[[Page 82561]]
A covered entity may only extend the deadline one time per request for
accounting.
The NPRM did not address whether a covered entity could charge a
fee for the accounting of disclosures.
In the final rule, we provide that individuals have a right to
receive one free accounting per 12 month period. For each additional
request by an individual within the 12 month period, the covered entity
may charge a reasonable, cost-based fee. If it imposes such a fee, the
covered entity must inform the individual of the fee in advance and
provide the individual with an opportunity to withdraw or modify the
request in order to avoid or reduce the fee.
Procedures and Documentation
As in the proposed rule, we establish documentation requirements
for covered entities subject to this provision. In accordance with
Sec. 164.530(j), for disclosures that are subject to the accounting
requirement, the covered entity must retain documentation of the
information required to be included in the accounting. The covered
entity must also retain a copy of any accounting provided and must
document the titles of the persons or offices responsible for receiving
and processing requests for an accounting.
Section 164.530--Administrative Requirements
Designation of a Privacy Official and Contact Person
In Sec. 164.518(a) of the NPRM, we proposed that covered entities
be required to designate an individual as the covered entity's privacy
official, responsible for the implementation and development of the
entity's privacy policies and procedures. We also proposed that covered
entities be required to designate a contact person to receive
complaints about privacy and provide information about the matters
covered by the entity's notice. We indicated that the contact person
could be, but was not required to be, the person designated as the
privacy official. We proposed to leave implementation details to the
discretion of the covered entity. We expected implementation to vary
widely depending on the size and nature of the covered entity, with
small offices assigning this as an additional duty to an existing staff
person, and large organizations creating a full-time privacy official.
In proposed Sec. 164.512, we also proposed to require the covered plan
or provider's privacy notice to include the name of a contact person
for privacy matters.
The final regulation retains the requirements for a privacy
official and contact person as specified in the NPRM. These
designations must be documented. The designation of privacy official
and contact person positions within affiliated entities will depend on
how the covered entity chooses to designate the covered entity(ies)
under Sec. 164.504(b). If a subsidiary is defined as a covered entity
under this regulation, then a separate privacy official and contact
person is required for that covered entity. If several subsidiaries are
designated as a single covered entity, pursuant to Sec. 164.504(b),
then together they need have only a single privacy officer and contact
person. If several covered entities share a notice for services
provided on the same premises, pursuant to Sec. 164.520(d), that notice
need designate only one privacy official and contact person for the
information collected under that notice.
These requirements are consistent with the approach recommended by
the Joint Commission on Accreditation of Healthcare Organizations, and
the National Committee for Quality Assurance, in its paper ``Protecting
Personal Health Information; A framework for Meeting the Challenges in
a Managed Care Environment.'' This paper notes that ``accountability is
enhanced by having focal points who are responsible for assessing
compliance with policies and procedures * * * '' (p. 29)
Training
In Sec. 164.518(b) of the NPRM we proposed to require that covered
entities provide training on the entities' policies and procedures to
all members of the workforce likely to have access to protected health
information. Each entity would be required to provide initial training
by the date on which this rule became applicable. After that date, each
covered entity would have to provide training to new members of the
workforce within a reasonable time after joining the entity. In
addition, we proposed that when a covered entity made material changes
in its privacy policies or procedures, it would be required to retrain
those members of the workforce whose duties were related to the change
within a reasonable time of making the change.
The NPRM would have required that, upon completion of the training,
the trainee would be required to sign a statement certifying that he or
she received the privacy training and would honor all of the entity's
privacy policies and procedures. Entities would determine the most
effective means of achieving this training requirement for their
workforce. We also proposed that, at least every three years after the
initial training, covered entities would be required to have each
member of the workforce sign a new statement certifying that he or she
would honor all of the entity's privacy policies and procedures. The
covered entity would have been required to document its policies and
procedures for complying with the training requirements.
The final regulation requires covered entities to train all members
of their workforce on the policies and procedures with respect to
protected health information required by this rule, as necessary and
appropriate for the members of the workforce to carry out their
functions within the covered entity. We do not change the proposed time
lines for training existing and new members of the workforce, or for
training due to material changes in the covered entity's policies and
procedures. We eliminate both the requirement for employees to sign a
certification following training and the triennial re-certification
requirement. Covered entities are responsible for implementing policies
and procedures to meet these requirements and for documenting that
training has been provided.
Safeguards
In Sec. 164.518(c) of the NPRM, we proposed to require covered
entities to put in place administrative, technical, and physical
safeguards to protect the privacy of protected health information. We
made reference in the preamble to similar requirements proposed for
certain electronic information in the Notice of Proposed Rulemaking
entitled the Security and Electronic Signature Standards (HCFA-0049-P).
We stated that we were proposing parallel and consistent requirements
for safeguarding the privacy of protected health information. In
Sec. 164.518(c)(3) of the NPRM, we required covered entities to have
safeguards to ensure that information was not used in violation of the
requirements of this subpart or by people who did not have proper
authorization to access the information.
We do not change the basic proposed requirements that covered
entities have administrative, technical and physical safeguards to
protect the privacy of protected health information. We combine the
proposed requirements into a single standard that requires covered
entities to safeguard protected health information from accidental or
intentional use or disclosure that is a violation of the requirements
of this rule
[[Page 82562]]
and to protect against the inadvertent disclosure of protected health
information to persons other than the intended recipient. Limitations
on access to protected health information by the covered entities
workforce will also be covered by the policies and procedures for
``minimum necessary'' use of protected health information, pursuant to
Sec. 164.514(d). We expect these provisions to work in tandem.
We do not prescribe the particular measures that covered entities
must take to meet this standard, because the nature of the required
policies and procedures will vary with the size of the covered entity
and the type of activities that the covered entity undertakes. (That
is, as with other provisions of this rule, this requirement is
``scalable.'') Examples of appropriate safeguards include requiring
that documents containing protected health information be shredded
prior to disposal, and requiring that doors to medical records
departments (or to file cabinets housing such records) remain locked
and limiting which personnel are authorized to have the key or pass-
code. We intend this to be a common sense, scalable, standard. We do
not require covered entities to guarantee the safety of protected
health information against all assaults. Theft of protected health
information may or may not signal a violation of this rule, depending
on the circumstances and whether the covered entity had reasonable
policies to protect against theft. Organizations such as the
Association for Testing and Materials (ASTM) and the American Health
Information Management Association (AHIMA) have developed a body of
recommended practices for handling of protected health information that
covered entities may find useful.
We note that the proposed HIPAA Security Standards would require
covered entities to safeguard the privacy and integrity of health
information. For electronic information, compliance with both
regulations will be required.
In Sec. 164.518(c)(2) of the NPRM we proposed requirements for
verification procedures to establish identity and authority for
permitted disclosures of protected health information.
In the final rule, this material has been moved to Sec. 164.514(h).
Use or Disclosure of Protected Health Information by Whistleblowers
In Sec. 164.518(c)(4) of the NPRM, this provision was entitled
``Implementation Specification: Disclosures by whistleblowers.'' It is
now retitled ``Disclosures by whistleblowers,'' with certain changes,
and moved to Sec. 164.502(j)(1).
Complaints to the Covered Entity
In Sec. 164.518(d) of the NPRM, we proposed to require covered
entities to have a mechanism for receiving complaints from individuals
regarding the health plan's or provider's compliance with the
requirements of this proposed rule. We did not require that the health
plan or provider develop a formal appeals mechanism, nor that ``due
process'' or any similar standard be applied. Additionally, there was
no requirement to respond in any particular manner or time frame.
We proposed two basic requirements for the complaint process.
First, the covered health plan or health care provider would be
required to identify in the notice of information practices a contact
person or office for receiving complaints. Second, the health plan or
provider would be required to maintain a record of the complaints that
are filed and a brief explanation of their resolution, if any.
In the final rule, we retain the requirement for an internal
complaint process for compliance with this rule, including the two
basic requirements of identifying a contact person and documenting
complaints received and their dispositions, if any. We expand the scope
of complaints that covered entities must have a means of receiving to
include complaints concerning violations of the covered entity's
privacy practices, not just violations of the rule. For example, a
covered entity must have a mechanism for receiving a complaint that
patient information is used at a nursing station in a way that it can
also be viewed by visitors to the hospital, regardless of whether the
practices at the nursing stations might constitute a violation of this
rule.
Sanctions
In Sec. 164.518(e) of the NPRM, we proposed to require all covered
entities to develop, and apply when appropriate, sanctions against
members of its workforce who failed to comply with privacy policies or
procedures of the covered entity or with the requirements of the rule.
Covered entities would be required to develop and impose sanctions
appropriate to the nature of the violation. The preamble stated that
the type of sanction applied would vary depending on factors such as
the severity of the violation, whether the violation was intentional or
unintentional, and whether the violation indicated a pattern or
practice of improper use or disclosure of protected health information.
Sanctions could range from a warning to termination. The NPRM preamble
language also stated that covered entities would be required to apply
sanctions against business associates that violated the proposed rule.
In the final rule, we retain the requirement for sanctions against
members of a covered entity's workforce. We also require a covered
entity to have written policies and procedures for the application of
appropriate sanctions for violations of this subpart and to document
those sanctions. These sanctions do not apply to whistleblower
activities that meet the provisions of Sec. 164.502(j) or complaints,
investigations, or opposition that meet the provisions of
Sec. 164.530(g)(2). We eliminate language regarding business associates
from this section. Requirements with respect to business associates are
stated in Sec. 164.504.
Duty To Mitigate
In proposed Sec. 164.518(f), we would have required covered
entities to have policies and procedures for mitigating, to the extent
practicable, any deleterious effect of a use or disclosure of protected
health information in violation of the requirements of this subpart.
The NPRM preamble also included specific language applying this
requirement to harm caused by members of the covered entity's workforce
and business associates.
With respect to business associates, the NPRM preamble but not the
NPRM rule text, stated that covered entities would have a duty to take
reasonable steps in response to breaches of contract terms. Covered
entities generally would not be required to monitor the activities of
their business associates, but would be required to take steps to
address problems of which they become aware, and, where the breach was
serious or repeated, would also be required to monitor the business
associate's performance to ensure that the wrongful behavior had been
remedied. Termination of the arrangement would be required only if it
became clear that a business associate could not be relied upon to
maintain the privacy of protected health information provided to it.
In the final rule, we clarify this requirement by imposing a duty
for covered entities to mitigate any harmful effect of a use or
disclosure of protected health information that is known to the covered
entity. We apply the duty to mitigate to a violation of the covered
entity's policies and procedures, not just a violation of the
requirements of the subpart. We resolve the ambiguities in the NPRM by
imposing this duty on covered entities for harm caused by
[[Page 82563]]
either members of their workforce or by their business associates.
We eliminate the language regarding potential breaches of business
associate contracts from this section. All other requirements with
respect to business associates are stated in Sec. 164.504.
Refraining from Intimidating or Retaliatory Acts
In Sec. 164.522(d)(4) of the NPRM, in the Compliance and
Enforcement section, we proposed that one of the responsibilities of a
covered entity would be to refrain from intimidating or retaliatory
acts. Specifically, the rule provided that ``[a] covered entity may not
intimidate, threaten, coerce, discriminate against, or take other
retaliatory action against any individual for the filing of a complaint
under this section, for testifying, assisting, participating in any
manner in an investigation, compliance review, proceeding or hearing
under this Act, or opposing any act or practice made unlawful by this
subpart.''
In the final rule, we continue to require that entities refrain
from intimidating or retaliatory acts; however, the provisions have
been moved to the Administrative Requirements provisions in
Sec. 164.530. This change is not just clerical; in making this change,
we apply this provision to the privacy rule alone rather than to all
the HIPAA administrative simplification rules. (The compliance and
enforcement provisions that were in Sec. 164 are now in Part 160,
Subpart C.)
We continue to prohibit retaliation against individuals for filing
a complaint with the Secretary, but also prohibit retaliation against
any other person who files such a complaint. This is the case because
the term ``individual'' is generally limited to the person who is the
subject of the information. The final rule prohibits retaliation
against persons, not just individuals, for testifying, assisting, or
participating in an investigation, compliance review, proceeding or
hearing under Part C of Title XI. The proposed regulation referenced
the ``Act,'' which is defined in Part 160 as the Social Security Act.
Because we only intend to protect activities such as participation in
investigations and hearings under the Administrative Simplification
provisions of HIPAA, the final rule references Part C of Title XI of
the Social Security Act.
The proposed rule would have prohibited retaliatory actions against
individuals for opposing any act or practice made unlawful by this
subpart. The final rule retains this provision, but applies it to any
person, only if the person ``has a good faith belief that the practice
opposed is unlawful, the manner of the opposition is reasonable and
does not involve a disclosure of protected health information in
violation of this subpart.'' The final rule provides additional
protections, which had been included in the preamble to the proposed
rule. Specifically, we prohibit retaliatory actions against individuals
who exercise any right, or participate in any process established by
the privacy rule (Part 164 Subpart E), and include as an example the
filing of a complaint with the covered entity.
Waiver of Rights
In the final regulation, but not in the proposed regulation, we
provide that a covered entity may not require individuals to waive
their rights to file a complaint with the Secretary or their other
rights under this rule as a condition of the provision of treatment,
payment, enrollment in a health plan or eligibility for benefits. This
provision ensures that covered entities do not take away the rights
that individuals have been provided in Parts 160 and 164.
Requirements for Policies and Procedures, and Documentation
Requirements
In Sec. 164.520 of the NPRM, we proposed to require covered
entities to develop and document their policies and procedures for
implementing the requirements of the rule. In the final regulation we
retain this approach, but specify which standards must be documented in
each of the relevant sections. In this section, we state the general
administrative requirements applicable to all policies and procedures
required throughout the regulation.
In Sec. 164.530(i), (j), and (k) of the final rule, we amend the
NPRM language in several respects. In Sec. 164.530(i) we require that
the policies and procedures be reasonably designed to comply with the
standards, implementation specifications, and other requirements of the
relevant part of the regulation, taking into account the size of the
covered entity and the nature of the activities undertaken by the
covered entity that relate to protected health information. However, we
clarify that the requirements that policies and procedures be
reasonably designed may not be interpreted to permit or excuse any
action that violates the privacy regulation. Where the covered entity
has stated in its notice that it reserves the right to change
information practices, we allow the new practice to apply to
information created or collected prior to the effective date of the new
practice and establish requirements for making this change. We also
establish the conditions for making changes if the covered entity has
not reserved the right to change its practices.
We require covered entities to modify in a prompt manner their
policies and procedures to comply with changes in relevant law and,
where the change also affects the practices stated in the notice, to
change the notice. We make clear that nothing in our requirements
regarding changes to policies and procedures or changes to the notice
may be used by a covered entity to excuse a failure to comply with
applicable law.
In Sec. 164.530(j), we require that the policies and procedures
required throughout the regulation be maintained in writing, and that
any other communication, action, activity, or designation that must be
documented under this regulation be documented in writing. We note that
``writing'' includes electronic storage; paper records are not
required. We also note that, if a covered entity is required to
document the title of a person, we mean the job title or similar
description of the relevant position or office.
We require covered entities to retain any documentation required
under this rule for at least six years (the statute of limitations
period for the civil penalties) from the date of the creation of the
documentation, or the date when the document was last in effect, which
ever is later. This generalizes the NPRM provision to cover all
documentation required under the rule. The language on ``last was in
effect'' is a change from the NPRM which was worded ``unless a longer
period applies under this subpart.''
This approach is consistent with the approach recommended by the
Joint Commission on Accreditation of Healthcare Organizations, and the
National Committee for Quality Assurance, in its paper ``Protecting
Personal Health Information; A framework for Meeting the Challenges in
a Managed Care Environment.'' This paper notes that ``MCOs [Managed
Care Organizations] should have clearly defined policies and procedures
for dealing with confidentiality issues.'' (p. 29).
Standards for Certain Group Health Plans
We add a new provision (Sec. 164.530(k)) to clarify the
administrative responsibilities of group health plans that offer
benefits through issuers and HMOs. Specifically, a group health plan
that provides benefits solely through an issuer or HMO, and that does
not create, receive or maintain protected health
[[Page 82564]]
information other than summary health information or information
regarding enrollment and disenrollment, is not subject to the
requirements of this section regarding designation of a privacy
official and contact person, workforce training, safeguards,
complaints, mitigation, or policies and procedures. Such a group health
plan is only subject to the requirements of this section regarding
documentation with respect to its plan documents. Issuers and HMOs are
covered entities under this rule, and thus have independent obligations
to comply with this section with respect to the protected health
information they maintain about the enrollees in such group health
plans. The group health plans subject to this provision will have only
limited protected health information. Therefore, imposing these
requirements on the group health plan would impose burdens not
outweighed by a corresponding enhancement in privacy protections.
Section 164.532--Transition Provisions
In the NPRM, we did not address the effect of the regulation on
consents and authorizations covered entities obtained prior to the
compliance date of the regulation.
In the final rule, we clarify that, in certain circumstances, a
covered entity may continue to rely upon consents, authorizations, or
other express legal permissions obtained prior to the compliance date
of this regulation to use or disclose protected health information even
if these consents, authorizations, or permissions do not meet the
requirements set forth in Secs. 164.506 or 164.508.
We realize that a covered entity may wish to rely upon a consent,
authorization, or other express legal permission obtained from an
individual prior to the compliance date of this regulation which
permits the use or disclosure of individually identifiable health
information for activities that come within treatment, payment, or
health care operations (as defined in Sec. 164.501), but that do not
meet the requirements for consents set forth in Sec. 164.506. In the
final rule, we permit a covered entity to rely upon such consent,
authorization, or permission to use or disclose protected health
information that it created or received before the applicable
compliance date of the regulation to carry out the treatment, payment,
or health care operations as long as it meets two requirements. First,
the covered entity may not make any use or disclosure that is expressly
excluded from the consent, authorization, or permission. Second, the
covered entity must comply with all limitations expressed in the
consent, authorization, or permission. Thus, we do not require a
covered entity to obtain a consent that meets the requirements of
Sec. 164.506 to use or disclose this previously obtained protected
health information as long as the use or disclosure is consistent with
the requirements of this section. However, a covered entity will need
to obtain a consent that meets the requirements of Sec. 164.506 to the
extent that it is required to obtain a consent under Sec. 164.506 from
an individual before it may use or disclose any protected health
information it creates or receives after the date by which it must
comply with this rule.
Similarly, we recognize that a covered entity may wish to rely upon
a consent, authorization, or other express legal permission obtained
from an individual prior to the applicable compliance date of this
regulation that specifically permits the covered entity to use or
disclose individually identifiable health information for activities
other than to carry out treatment, payment, or health care operations.
In the final rule, we permit a covered entity to rely upon such a
consent, authorization, or permission to use or disclose protected
health information that it created or received before the applicable
compliance date of the regulation for the specific activities described
in the consent, authorization, or permission as long as the covered
entity complies with two requirements. First, the covered entity may
not make any use or disclosure that is expressly excluded from the
consent, authorization, or permission. Second, the covered entity must
comply with all limitations expressed in the consent, authorization, or
permission. Thus, we do not required a covered entity to obtain an
authorization that meets the requirements of Sec. 164.508 to use or
disclose this previously obtained protected health information so long
as the use or disclosure is consistent with the requirements of this
section. However, a covered entity will need to obtain an authorization
that meets the requirements of Sec. 164.508, to the extent that it is
required to obtain an authorization under this rule, from an individual
before it may use or disclose any protected health information it
creates or receives after the date by which it must comply with this
rule.
Additionally, the final rule acknowledges that covered entities may
wish to rely upon consents, authorizations, or other express legal
permission obtained from an individual prior to the applicable
compliance date for a specific research project that includes the
treatment of individuals, such as clinical trials. These consents,
authorizations, or permissions may specifically permit a use or
disclosure of individually identifiable health information for purposes
of the project. Alternatively, they may be general consents to
participate in the project. A covered entity may use or disclose
protected health information it created or received before or after to
the applicable compliance date of this rule for purposes of the project
provided that the covered entity complies with all limitations
expressed in the consent, authorization, or permission.
If, pursuant to this section, a covered entity relies upon a
previously obtained consent, authorization, or other express legal
permission and agrees to a request for a restriction by an individual
under Sec. 164.522(a), any subsequent use or disclosure under that
consent, authorization, or permission must comply with the agreed upon
restriction as well.
We believe it is necessary to grandfather in previously obtained
consents, authorizations, or other express legal permissions in these
circumstances to ensure that important functions of the health care
system are not impeded. We link the effectiveness of such consents,
authorizations, or permissions in these circumstances to the applicable
compliance date to give covered entities sufficient notice of the
requirements set forth in Secs. 164.506 and 164.508.
The rule does not change the past effectiveness of consents,
authorizations, or other express legal permissions that do not come
within this section. This means that uses or disclosures of
individually identifiable health information made prior to the
compliance date of this regulation are not subject to sanctions, even
if they were made pursuant to documents or permissions that do not meet
the requirements of this rule or were made without permission. This
rule alters only the future effectiveness of the previously obtained
consents, authorizations, or permissions. Covered entities are not
required to rely upon these consents, authorizations, or permissions
and may obtain new consents or authorizations that meet the applicable
requirements of Secs. 164.506 and 164.508.
When reaching this decision, we considered requiring all covered
entities to obtain new consents or authorizations consistent with the
requirements of Secs. 164.506 and 164.508 before they would be able to
use or disclose protected health information obtained
[[Page 82565]]
after the compliance date of these rules. We rejected this option
because we recognize that covered entities may not always be able to
obtain new consents or authorizations consistent with the requirements
of Secs. 164.506 and 164.508 from all individuals upon whose
information they rely. We also refrained from impeding the rights of
covered entities to exercise their interests in the records they have
created. We do not require covered entities with existing records or
databases to destroy or remove the protected health information for
which they do not have valid consents or authorizations that meet the
requirements of Secs. 164.506 and 164.508. Covered entities may rely
upon the consents, authorizations, or permissions they obtained from
individuals prior to the applicable compliance date of this regulation
consistent with the constraints of those documents and the requirements
discussed above.
We note that if a covered entity obtains before the applicable
compliance date of this regulation a consent that meets the
requirements of Sec. 164.506, an authorization that meets the
requirements of Sec. 164.508, or an IRB or privacy board waiver of
authorization that meets the requirements of Sec. 164.512(i), the
consent, authorization, or waiver is effective for uses or disclosures
that occur after the compliance date and that are consistent with the
terms of the consent, authorization, or waiver.
Section 164.534--Compliance Dates for Initial Implementation of the
Privacy Standards
In the NPRM, we provided that a covered entity must be in
compliance with this subpart not later than 24 months following the
effective date of this rule, except that a covered entity that is a
small health plan must be in compliance with this subpart not later
than 36 months following the effective date of the rule.
The final rule did not make any substantive changes. The format is
changed so as to more clearly present the various compliance dates. The
final rule lists the types of covered entities and then the various
dates that would apply to each of these entities.
III. Section-by-Section Discussion of Comments
The following describes the provisions in the final regulation, and
the changes we make to the proposed provisions section-by-section.
Following each section are our responses to the comments to that
section. This section of the preamble is organized to follow the
corresponding section of the final rule, not the NPRM.
General Comments
We received many comments on the rule overall, not to a particular
provision. We respond to those comments here. Similar comments, but
directed to a specific provision in the proposed rule, are answered
below in the corresponding section of this preamble.
Comments on the Need for Privacy Standards, and Effects of this
Regulation on Current Protections
Comment: Many commenters expressed the opinion that federal
legislation is necessary to protect the privacy of individuals' health
information. One comment advocated Congressional efforts to provide a
comprehensive federal health privacy law that would integrate the
substance abuse regulations with the privacy regulation.
Response: We agree that comprehensive privacy legislation is
urgently needed. This administration has urged the Congress to pass
such legislation. While this regulation will improve the privacy of
individuals' health information, only legislation can provide the full
array of privacy protection that individuals need and deserve.
Comment: Many commenters noted that they do not go to a physician,
or do not completely share health information with their physician,
because they are concerned about who will have access to that
information. Many physicians commented on their patients' reluctance to
share information because of fear that their information will later be
used against them.
Response: We agree that strong federal privacy protections are
necessary to enhance patients' trust in the health care system.
Comment: Many commenters expressed concerns that this regulation
will allow access to health information by those who today do not have
such access, or would allow their physician to disclose information
which may not lawfully be disclosed today. Many of these commenters
stated that today, they consent to every disclosure of health
information about them, and that absent their consent the privacy of
their health information is ``absolute.'' Others stated that, today,
health information is disclosed only pursuant to a judicial order.
Several commenters were concerned that this regulation would override
stronger state privacy protection.
Response: This regulation does not, and cannot, reduce current
privacy protections. The statutory language of the HIPAA specifically
mandates that this regulation does not preempt state laws that are more
protective of privacy.
As discussed in more detail in later this preamble, while many
people believe that they must be asked permission prior to any release
of health information about them, current laws generally do not impose
such a requirement. Similarly, as discussed in more detail later in
this preamble, judicial review is required today only for a small
proportion of releases of health information.
Comment: Many commenters asserted that today, medical records
``belong'' to patients. Others asserted that patients own their medical
information and health care providers and insurance companies who
maintain health records should be viewed as custodians of the patients'
property.
Response: We do not intend to change current law regarding
ownership of or responsibility for medical records. In developing this
rule we reviewed current law on this and related issues, and built on
that foundation.
Under state laws, medical records are often the property of the
health care provider or medical facility that created them. Some state
laws also provide patients with access to medical records or an
ownership interest in the health information in medical records.
However, these laws do not divest the health care provider or the
medical facility of its ownership interest in medical records. These
statutes typically provide a patient the right to inspect or copy
health information from the medical record, but not the right to take
the provider's original copy of an item in the medical record. If a
particular state law provides greater ownership rights, this regulation
leaves such rights in place.
Comment: Some commenters argued that the use and disclosure of
sensitive personal information must be strictly regulated, and
violation of such regulations should subject an entity to significant
penalties and sanctions.
Response: We agree, and share the commenters' concern that the
penalties in the HIPAA statute are not sufficient to fully protect
individuals' privacy interests. The need for stronger penalties is
among the reasons we believe Congress should pass comprehensive privacy
legislation.
Comment: Many commenters expressed the opinion that the proposed
ruled should provide stricter privacy protections.
[[Page 82566]]
Response: We received nearly 52,000 comments on the proposed
regulation, and make substantial changes to the proposal in response to
those comments. Many of these changes will strengthen the protections
that were proposed in the NPRM.
Comment: Many comments express concerns that their health
information will be given to their employers.
Response: We agree that employer access to health information is a
particular concern. In this final regulation, we make significant
changes to the NPRM that clarify and provide additional safeguards
governing when and how the health plans covered by this regulation may
disclose health information to employers.
Comment: Several commenters argued that individuals should be able
to sue for breach of privacy.
Response: We agree, but do not have the legislative authority to
grant a private right of action to sue under this statute. Only
Congress can grant that right.
Objections to Government Access to Protected Health Information
Comment: Many commenters urged the Department not to create a
government database of health information, or a tracking system that
would enable the government to track individuals health information.
Response: This regulation does not create such a database or
tracking system, nor does it enable future creation of such a database.
This regulation describes the ways in which health plans, health care
clearinghouses, and certain health care providers may use and disclose
identifiable health information with and without the individual's
consent.
Comment: Many commenters objected to government access to or
control over their health information, which they believe the proposed
regulation would provide.
Response: This regulation does not increase current government
access to health information. This rule sets minimum privacy standards.
It does not require disclosure of health information, other than to the
subject of the records or for enforcement of this rule. Health plans
and health care providers are free to use their own professional ethics
and judgement to adopt stricter policies for disclosing health
information.
Comment: Some commenters viewed the NPRM as creating fewer hurdles
for government access to protected health information than for access
to protected health information by private organizations. Some health
care providers commented that the NPRM would impose substantial new
restrictions on private sector use and disclosure of protected health
information, but would make government access to protected health
information easy. One consumer advocacy group made the same
observation.
Response: We acknowledge that many of the national priority
purposes for which we allow disclosure of protected health information
without consent or authorization are for government functions, and that
many of the governmental recipients of such information are not
governed by this rule. It is the role of government to undertake
functions in the broader public interest, such as public health
activities, law enforcement, identification of deceased individuals
through coroners' offices, and military activities. It is these public
purposes which can sometimes outweigh an individual's privacy interest.
In this rule, we specify the circumstances in which that balance is
tipped toward the public interest with respect to health information.
We discuss the rationale behind each of these permitted disclosures in
the relevant preamble sections below.
Miscellaneous Comments
Comment: Many commenters objected to the establishment of a unique
identifier for health care or other purposes.
Response: This regulation does not create an identifier. We assume
these comments refer to the unique health identifier that Congress
directed the Secretary to promulgate under section1173(b) of the Social
Security Act, added by section 262 of the HIPAA. Because of the public
concerns about such an identifier, in the summer of 1998 Vice President
Gore announced that the Administration would not promulgate such a
regulation until comprehensive medical privacy protections were in
place. In the fall of that year, Congress prohibited the Department
from promulgating such an identifier, and that prohibition remains in
place. The Department has no plans to promulgate a unique health
identifier.
Comment: Many commenters asked that we withdraw the proposed
regulation and not publish a final rule.
Response: Under section 264 of the HIPAA, the Secretary is required
by Congress to promulgate a regulation establishing standards for
health information privacy. Further, for the reasons explained
throughout this preamble above, we believe that the need to protect
health information privacy is urgent and that this regulation is in the
public's interest.
Comment: Many commenters express the opinion that their consent
should be required for all disclosure of their health information.
Response: We agree that consent should be required prior to release
of health information for many purposes, and impose such a requirement
in this regulation. Requiring consent prior to all release of health
information, however, would unduly jeopardize public safety and make
many operations of the health care system impossible. For example,
requiring consent prior to release of health information to a public
health official who is attempting to track the source of an outbreak or
epidemic could endanger thousands of lives. Similarly, requiring
consent before an oversight official could audit a health plan would
make detection of health care fraud all but impossible; it could take
health plans months or years to locate and obtain the consent of all
current and past enrollees, and the health plan would not have a strong
incentive to do so. These uses of medical information are clearly in
the public interest.
In this regulation, we must balance individuals' privacy interests
against the legitimate public interests in certain uses of health
information. Where there is an important public interest, this
regulation imposes procedural safeguards that must be met prior to
release of health information, in lieu of a requirement for consent. In
some instances the procedural safeguards consist of limits on the
circumstances in which information may be disclosed, in others the
safeguards consist of limits on what information may be disclosed, and
in other cases we require some form of legal process (e.g., a warrant
or subpoena) prior to release of health information. We also allow
disclosure of health information without consent where other law
mandates the disclosures. Where such other law exists, another public
entity has made the determination that the public interests outweigh
the individual's privacy interests, and we do not upset that
determination in this regulation. In short, we tailor the safeguards to
match the specific nature of the public purpose. The specific
safeguards are explained in each section of this regulation below.
Comment: Many comments address matters not relevant to this
regulation, such as alternative fuels, hospital reimbursement, and gulf
war syndrome.
Response: These and similar matters are not relevant to this
regulation and will not be addressed further.
[[Page 82567]]
Comment: A few commenters questioned why this level of detail is
needed in response to the HIPAA Congressional mandate.
Response: This level of detail is necessary to ensure that
individuals' rights with respect to their health information are clear,
while also ensuring that information necessary for important public
functions, such as protecting public health, promoting biomedical
research, fighting health care fraud, and notifying family members in
disaster situations, will not be impaired by this regulation. We
designed this rule to reflect current practices and change some of
them. The comments and our fact finding revealed the complexity of
current health information practices, and we believe that the
complexity entailed in reflecting those practices is better public
policy than a perhaps simpler rule that disturbed important information
flows.
Comment: A few comments stated that the goal of administrative
simplification should never override the privacy of individuals.
Response: We believe that privacy is a necessary component of
administrative simplification, not a competing interest.
Comment: At least one commenter said that the goal of
administrative simplification is not well served by the proposed rule.
Response: Congress recognized that privacy is a necessary component
of administrative simplification. The standardization of electronic
health information mandated by the HIPAA that make it easier to share
that information for legitimate purposes also make the inappropriate
sharing of that information easier. For this reason, Congress included
a mandate for privacy standards in this section of the HIPAA. Without
appropriate privacy protections, public fear and instances of abuse
would make it impossible for us to take full advantage of the
administrative and costs benefits inherent in the administrative
simplification standards.
Comment: At least one commenter asked us to require
psychotherapists to assert any applicable legal privilege on patients'
behalf when protected health information is requested.
Response: Whether and when to assert a claim of privilege on a
patient's behalf is a matter for other law and for the ethics of the
individual health care provider. This is not a decision that can or
should be made by the federal government.
Comment: One commenter called for HHS to consider the privacy
regulation in conjunction with the other HIPAA standards. In
particular, this comment focused on the belief that the Security
Standards should be compatible with the existing and emerging health
care and information technology industry standards.
Response: We agree that both this regulation and the final Security
Regulation should be compatible with existing and emerging technology
industry standards. This regulation is ``technology neutral.'' We do
not mandate the use of any particular technologies, but rather set
standards which can be met through a variety of means.
Comment: Several commenters claimed that the statutory authority
given under HIPAA cannot provide meaningful privacy protections because
many entities with access to protected health information, such as
employers, worker's compensation carriers, and life insurance
companies, are not covered entities. These commenters expressed support
for comprehensive legislation to close many of the existing loopholes.
Response: We agree with the commenters that comprehensive
legislation is necessary to provide full privacy protection and have
called for members of Congress to pass such legislation to prevent
unauthorized and potentially harmful uses and disclosures of
information.
Part 160--Subpart A--General Provisions
Section 160.103--Definitions
Business Associate
The response to comments on the definition of ``business partner,''
renamed in this rule as ``business associate,'' is included in the
response to comments on the requirements for business associates in the
preamble discussion of Sec. 164.504.
Covered Entity
Comment: A number of commenters urged the Department to expand or
clarify the definition of ``covered entity'' to include certain
entities other than health care clearinghouses, health plans, and
health care providers who conduct standard transactions. For example,
several commenters asked that the Department generally expand the scope
of the rule to cover all entities that receive or maintain individually
identifiable health information; others specifically urged the
Department to cover employers, marketing firms, and legal entities that
have access to individually identifiable health information. Some
commenters asked that life insurance and casualty insurance carriers be
considered covered entities for purposes of this rule. One commenter
recommended that Pharmacy Benefit Management (PBM) companies be
considered covered entities so that they may use and disclose protected
health information without authorization.
In addition, a few commenters asked the Department to clarify that
the definition includes providers who do not directly conduct
electronic transactions if another entity, such as a billing service or
hospital, does so on their behalf.
Response: We understand that many entities may use and disclose
individually identifiable health information. However, our jurisdiction
under the statute is limited to health plans, health care
clearinghouses, and health care providers who transmit any health
information electronically in connection with any of the standard
financial or administrative transactions in section 1173(a) of the Act.
These are the entities referred to in section 1173(a)(1) of the Act and
thus listed in Sec. 160.103 of the final rule. Consequently, once
protected health information leaves the purview of one of these covered
entities, their business associates, or other related entities (such as
plan sponsors), the information is no longer afforded protection under
this rule. We again highlight the need for comprehensive federal
legislation to eliminate such gaps in privacy protection.
We also provide the following clarifications with regard to
specific entities.
We clarify that employers and marketing firms are not covered
entities. However, employers may be plan sponsors of a group health
plan that is a covered entity under the rule. In such a case, specific
requirements apply to the group health plan. See the preamble on
Sec. 164.504 for a discussion of specific ``firewall'' and other
organizational requirements for group health plans and their employer
sponsors. The final rule also contains provisions addressing when an
insurance issuer providing benefits under a group health plan may
disclose summary health information to a plan sponsor.
With regard to life and casualty insurers, we understand that such
benefit providers may use and disclose individually identifiable health
information. However, Congress did not include life insurers and
casualty insurance carriers as ``health plans'' for the purposes of
this rule and therefore they are not covered entities. See the
discussion regarding the definition of ``health plan'' and excepted
benefits.
[[Page 82568]]
In addition, we clarify that a PBM is a covered entity only to the
extent that it meets the definition of one or more of the entities
listed in Sec. 160.102. When providing services to patients through
managed care networks, it is likely that a PBM is acting as a business
associate of a health plan, and may thus use and disclose protected
health information pursuant to the relevant provisions of this rule.
PBMs may also be business associates of health care providers. See the
preamble sections on Secs. 164.502, 164.504, and 164.506 for
discussions of the specific requirements related to business associates
and consent.
Lastly, we clarify that health care providers who do not submit
HIPAA transactions in standard form become covered by this rule when
other entities, such as a billing service or a hospital, transmit
standard electronic transactions on their behalf. The provider could
not circumvent these requirements by assigning the task to a
contractor.
Comment: Many commenters urged the Department to restrict or
clarify the definition of ``covered entity'' to exclude certain
entities, such as department-operated hospitals (public hospitals);
state Crime Victim Compensation Programs; employers; and certain lines
of insurers, such as workers' compensation insurers, property and
casualty insurers, reinsurers, and stop-loss insurers. One commenter
expressed concern that clergy, religious practitioners, and other
faith-based service providers would have to abide by the rule and asked
that the Department exempt prayer healing and non-medical health care.
Response: The Secretary provides the following clarifications in
response to these comments. To the extent that a ``department-operated
hospital'' meets the definition of a ``health care provider'' and
conducts any of the standard transactions, it is a covered entity for
the purposes of this rule. We agree that a state Crime Victim
Compensation Program is not a covered entity if it is not a health care
provider that conducts standard transactions, health plan, or health
care clearinghouse. Further, as described above, employers are not
covered entities.
In addition, we agree that workers' compensation insurers, property
and casualty insurers, reinsurers, and stop-loss insurers are not
covered entities, as they do not meet the statutory definition of
``health plan.'' See further discussion in the preamble on Sec. 160.103
regarding the definition of ``health plan.'' However, activities
related to ceding, securing, or placing a contract for reinsurance,
including stop-loss insurance, are health care operations in the final
rule. As such, reinsurers and stop-loss insurers may obtain protected
health information from covered entities.
Also, in response to the comment regarding religious practitioners,
the Department clarifies that ``health care'' as defined under the rule
does not include methods of healing that are solely spiritual.
Therefore, clergy or other religious practitioners that provide solely
religious healing services are not health care providers within the
meaning of this rule, and consequently not covered entities for the
purposes of this rule.
Comment: A few commenters expressed general uncertainty and
requested clarification as to whether certain entities were covered
entities for the purposes of this rule. One commenter was uncertain as
to whether the rule applies to certain social service entities, in
addition to clinical social workers that the commenter believes are
providers. Other commenters asked whether researchers or non-
governmental entities that collect and analyze patient data to monitor
and evaluate quality of care are covered entities. Another commenter
requested clarification regarding the definition's application to
public health agencies that also are health care providers as well as
how the rule affects public health agencies in their data collection
from covered entities.
Response: Whether the professionals described in these comments are
covered by this rule depends on the activities they undertake, not on
their profession or degree. The definitions in this rule are based on
activities and functions, not titles. For example, a social service
worker whose activities meet this rule's definition of health care will
be a health care provider. If that social service worker also transmits
information in a standard HIPAA transaction, he or she will be a
covered health entity under this rule. Another social service worker
may provide services that do not meet the rule's definition of health
care, or may not transmit information in a standard transaction. Such a
social service worker is not a covered entity under this rule.
Similarly, researchers in and of themselves are not covered entities.
However, researchers may also be health care providers if they provide
health care. In such cases, the persons, or entities in their role as
health care providers may be covered entities if they conduct standard
transactions.
With regard to public health agencies that are also health care
providers, the health care provider ``component'' of the agency is the
covered entity if that component conducts standard transactions. See
discussion of ``health care components'' below. As to the data
collection activities of a public health agency, the final rule in
Sec. 164.512(b) permits a covered entity to disclose protected health
information to public health authorities under specified circumstances,
and permits public health agencies that are also covered entities to
use protected health information for these purposes. See
Sec. 164.512(b) for further details.
Comment: A few commenters requested that the Department clarify
that device manufacturers are not covered entities. They stated that
the proposal did not provide enough guidance in cases where the
``manufacturer supplier'' has only one part of its business that acts
as the ``supplier,'' and additional detail is needed about the
relationship of the ``supplier component'' of the company to the rest
of the business. Similarly, another commenter asserted that drug,
biologics, and device manufacturers should not be covered entities
simply by virtue of their manufacturing activities.
Response: We clarify that if a supplier manufacturer is a Medicare
supplier, then it is a health care provider, and it is a covered entity
if it conducts standard transactions. Further, we clarify that a
manufacturer of supplies related to the health of a particular
individual, e.g., prosthetic devices, is a health care provider because
the manufacturer is providing ``health care'' as defined in the rule.
However, that manufacturer is a covered entity only if it conducts
standard transactions. We do not intend that a manufacturer of supplies
that are generic and not customized or otherwise specifically designed
for particular individuals, e.g., ace bandages for a hospital, is a
health care provider. Such a manufacturer is not providing ``health
care'' as defined in the rule and is therefore not a covered entity. We
note that, even if such a manufacturer is a covered entity, it may be
an ``indirect treatment provider'' under this rule, and thus not
subject to all of the rule's requirements.
With regard to a ``supplier component,'' the final rule addresses
the status of the unit or unit(s) of a larger entity that constitute a
``health care component.'' See further discussion under Sec. 164.504 of
this preamble.
Finally, we clarify that drug, biologics, and device manufacturers
are not health care providers simply by virtue of their manufacturing
activities. The manufacturer must be providing health care consistent
with the final
[[Page 82569]]
rule's definition in order to be considered a health care provider.
Comment: A few commenters asked that the Department clarify that
pharmaceutical manufacturers are not covered entities. It was explained
that pharmaceutical manufacturers provide support and guidance to
doctors and patients with respect to the proper use of their products,
provide free products for doctors to distribute to patients, and
operate charitable programs that provide pharmaceutical drugs to
patients who cannot afford to buy the drugs they need.
Response: A pharmaceutical manufacturer is only a covered entity if
the manufacturer provides ``health care'' according to the rule's
definition and conducts standard transactions. In the above case, a
pharmaceutical manufacturer that provides support and guidance to
doctors and patients regarding the proper use of their products is
providing ``health care'' for the purposes of this rule, and therefore,
is a health care provider to the extent that it provides such services.
The pharmaceutical manufacturer that is a health care provider is only
a covered entity, however, if it conducts standard transactions. We
note that this rule permits a covered entity to disclose protected
health information to any person for treatment purposes, without
specific authorization from the individual. Therefore, a covered health
care provider is permitted to disclose protected health information to
a pharmaceutical manufacturer for treatment purposes. Providing free
samples to a health care provider does not in itself constitute health
care. For further analysis of pharmacy assistance programs, see
response to comment on Sec. 164.501, definition of ``payment.''
Comment: Several commenters asked about the definition of ``covered
entity'' and its application to health care entities within larger
organizations.
Response: A detailed discussion of the final rule's organizational
requirements and firewall restrictions for ``health care components''
of larger entities, as well as for affiliated, and other entities is
found at the discussion of Sec. 164.504 of this preamble. The following
responses to comments provide additional information with respect to
particular ``component entity'' circumstances.
Comment: Several commenters asked that we clarify the definition of
covered entity to state that with respect to persons or organizations
that provide health care or have created health plans but are primarily
engaged in other unrelated businesses, the term ``covered entity''
encompasses only the health care components of the entity. Similarly,
others recommended that only the component of a government agency that
is a provider, health plan, or clearinghouse should be considered a
covered entity.
Other commenters requested that we revise proposed Sec. 160.102 to
apply only to the component of an entity that engages in the
transactions specified in the rule. Commenters stated that companies
should remain free to employ licensed health care providers and to
enter into corporate relationships with provider institutions without
fear of being considered to be a covered entity. Another commenter
suggested that the regulation not apply to the provider-employee or
employer when neither the provider nor the company are a covered
entity.
Some commenters specifically argued that the definition of
``covered entity'' did not contemplate an integrated health care system
and one commenter stated that the proposal would disrupt the multi-
disciplinary, collaborative approach that many take to health care
today by treating all components as separate entities. Commenters,
therefore, recommended that the rule treat the integrated entity, not
its constituent parts, as the covered entity.
A few commenters asked that the Department further clarify the
definition with respect to the unique organizational models and
relationships of academic medical centers and their parent universities
and the rules that govern information exchange within the institution.
One commenter asked whether faculty physicians who are paid by a
medical school or faculty practice plan and who are on the medical
staff of, but not paid directly by, a hospital are included within the
covered entity. Another commenter stated that it appears that only the
health center at an academic institution is the covered entity.
Uncertainty was also expressed as to whether other components of the
institution that might create protected health information only
incidentally through the conduct of research would also be covered.
Response: The Department understands that in today's health care
industry, the relationships among health care entities and non-health
care organizations are highly complex and varied. Accordingly, the
final rule gives covered entities some flexibility to segregate or
aggregate its operations for purposes of the application of this rule.
The new component entity provision can be found at Secs. 164.504(b)-
(c). In response to the request for clarification on whether the rule
would apply to a research component of the covered entity, we point out
that if the research activities fall outside of the health care
component they would not be subject to the rule. One organization may
have one or several ``health care component(s)'' that each perform one
or more of the health care functions of a covered entity, i.e., health
care provider, health plan, health care clearinghouse. In addition, the
final rule permits covered entities that are affiliated, i.e., share
common ownership or control, to designate themselves, or their health
care components, together to be a single covered entity for purposes of
the rule.
It appears from the comments that there is not a common
understanding of the meaning of ``integrated delivery system.''
Arrangements that apply this label to themselves operate and share
information many different ways, and may or may not be financially or
clinically integrated. In some cases, multiple entities hold themselves
out as one enterprise and engage together in clinical or financial
activities. In others, separate entities share information but do not
provide treatment together or share financial risk. Many health care
providers participate in more than one such arrangement.
Therefore, we do not include a separate category of ``covered
entity'' under this rule for ``integrated delivery systems'' but
instead accommodate the operations of these varied arrangements through
the functional provisions of the rule. For example, covered entities
that operate as ``organized health care arrangements'' as defined in
this rule may share protected health information for the operation of
such arrangement without becoming business associates of one another.
Similarly, the regulation does not require a business associate
arrangement when protected health information is shared for purposes of
providing treatment. The application of this rule to any particular
``integrated system'' will depend on the nature of the common
activities the participants in the system perform. When the
participants in such an arrangement are ``affiliated'' as defined in
this rule, they may consider themselves a single covered entity (see
Sec. 164. 504).
The arrangements between academic health centers, faculty practice
plans, universities, and hospitals are similarly diverse. We cannot
describe a blanket rule that covers all such arrangements. The
application of this rule will depend on the purposes for which the
participants in such arrangements share protected health information,
whether some or all participants are under common ownership or control,
and similar matters. We note that physicians who have staff privileges
at a covered
[[Page 82570]]
hospital do not become part of that hospital covered entity by virtue
of having such privileges.
We reject the recommendation to apply the rule only to components
of an entity that engage in the transactions. This would omit as
covered entities, for example, the health plan components that do not
directly engage in the transactions, including components that engage
in important health plan functions such as coverage determinations and
quality review. Indeed, we do not believe that the statute permits this
result with respect to health plans or health care clearinghouses as a
matter of negative implication from section 1172(a)(3). We clarify that
only a health care provider must conduct transactions to be a covered
entity for purposes of this rule.
We also clarify that health care providers (such as doctors or
nurses) who work for a larger organization and do not conduct
transactions on their own behalf are workforce members of the covered
entity, not covered entities themselves.
Comment: A few commenters asked the Department to clarify the
definition to provide that a multi-line insurer that sells insurance
coverages, some of which do and others which do not meet the definition
of ``health plan,'' is not a covered entity with respect to actions
taken in connection with coverages that are not ``health plans.''
Response: The final rule clarifies that the requirements below
apply only to the organizational unit or units of the organization that
are the ``health care component'' of a covered entity, where the
``covered functions'' are not the primary functions of the entity.
Therefore, for a multi-line insurer, the ``health care component'' is
the insurance line(s) that conduct, or support the conduct of, the
health care function of the covered entity. Also, it should be noted
that excepted benefits, such as life insurance, are not included in the
definition of ``health plan.'' (See preamble discussion of
Sec. 164.504).
Comment: A commenter questioned whether the Health Care Financing
Administration (HCFA) is a covered entity and how HCFA will share data
with Medicare managed care organizations. The commenter also questioned
why the regulation must apply to Medicaid since the existing Medicaid
statute requires that states have privacy standards in place. It was
also requested that the Department provide a definition of ``health
plan'' to clarify that state Medicaid Programs are considered as such.
Response: HCFA is a covered entity because it administers Medicare
and Medicaid, which are both listed in the statute as health plans.
Medicare managed care organizations are also covered entities under
this regulation. As noted elsewhere in this preamble, covered entities
that jointly administer a health plan, such as Medicare + Choice, are
both covered entities, and are not business associates of each other by
virtue of such joint administration.
We do not exclude state Medicaid programs. Congress explicitly
included the Medicaid program as a covered health plan in the HIPAA
statute.
Comment: A commenter asked the Department to provide detailed
guidance as to when providers, plans, and clearinghouses become covered
entities. The commenter provided the following example: if a provider
submits claims only in paper form, and a coordination of benefits (COB)
transaction is created due to other insurance coverage, will the
original provider need to be notified that the claim is now in
electronic form, and that it has become a covered entity? Another
commenter voiced concern as to whether physicians who do not conduct
electronic transactions would become covered entities if another entity
using its records downstream transmits information in connection with a
standard transaction on their behalf.
Response: We clarify that health care providers who submit the
transactions in standard electronic form, health plans, and health care
clearinghouses are covered entities if they meet the respective
definitions. Health care providers become subject to the rule if they
conduct standard transactions. In the above example, the health care
provider would not be a covered entity if the coordination of benefits
transaction was generated by a payor.
We also clarify that health care providers who do not submit
transactions in standard form become covered by this rule when other
entities, such as a billing service or a hospital, transmit standard
electronic transactions on the providers' behalf. However, where the
downstream transaction is not conducted on behalf of the health care
provider, the provider does not become a covered entity due to the
downstream transaction.
Comment: Several commenters discussed the relationship between
section 1179 of the Act and the privacy regulations. One commenter
suggested that HHS retain the statement that a covered entity means
``the entities to which part C of title XI of the Act applies.'' In
particular, the commenter observed that section 1179 of the Act
provides that part C of title XI of the Act does not apply to financial
institutions or to entities acting on behalf of such institutions that
are covered by the section 1179 exemption. Thus, under the definition
of covered entity, they comment that financial institutions and other
entities that come within the scope of the section 1179 exemption are
appropriately not covered entities.
Other commenters maintained that section 1179 of the Act means that
the Act's privacy requirements do not apply to the request for, or the
use or disclosure of, information by a covered entity with respect to
payment: (a) For transferring receivables; (b) for auditing; (c) in
connection with--(i) a customer dispute; or (ii) an inquiry from or to
a customer; (d) in a communication to a customer of the entity
regarding the customer's transactions payment card, account, check, or
electronic funds transfer; (e) for reporting to consumer reporting
agencies; or (f) for complying with: (i) a civil or criminal subpoena;
or (ii) a federal or state law regulating the entity. These companies
expressed concern that the proposed rule did not include the full text
of section 1179 when discussing the list of activities that were exempt
from the rule's requirements. Accordingly, they recommended including
in the final rule either a full listing of or a reference to section
1179's full list of exemptions. Furthermore, these firms opposed
applying the proposed rule's minimum necessary standard for disclosure
of protected health information to financial institutions because of
section 1179.
These commenters suggest that in light of section 1179, HHS lacks
the authority to impose restrictions on financial institutions and
other entities when they engage in activities described in that
section. One commenter expressed concern that even though proposed
Sec. 164.510(i) would have permitted covered entities to disclose
certain information to financial institutions for banking and payment
processes, it did not state clearly that financial institutions and
other entities described in section 1179 are exempt from the rule's
requirements.
Response: We interpret section 1179 of the Act to mean that
entities engaged in the activities of a financial institution, and
those acting on behalf of a financial institution, are not subject to
this regulation when they are engaged in authorizing, processing,
clearing, settling, billing, transferring, reconciling, or collecting
payments for a financial institution. The statutory reference to 12
U.S.C. 3401 indicates that Congress chose to adopt the definition of
financial institutions found
[[Page 82571]]
in the Right to Financial Privacy Act, which defines financial
institutions as any office of a bank, savings bank, card issuer,
industrial loan company, trust company, savings association, building
and loan, homestead association, cooperative bank, credit union, or
consumer finance institution located in the United States or one of its
Territories. Thus, when we use the term ``financial institution'' in
this regulation, we turn to the definition with which Congress provided
us. We interpret this provision to mean that when a financial
institution, or its agent on behalf of the financial institution,
conducts the activities described in section 1179, the privacy
regulation will not govern the activity.
If, however, these activities are performed by a covered entity or
by another entity, including a financial institution, on behalf of a
covered entity, the activities are subject to this rule. For example,
if a bank operates the accounts payable system or other ``back office''
functions for a covered health care provider, that activity is not
described in section 1179. In such instances, because the bank would
meet the rule's definition of ``business associate,'' the provider must
enter into a business associate contract with the bank before
disclosing protected health information pursuant to this relationship.
However, if the same provider maintains an account through which he/she
cashes checks from patients, no business associate contract would be
necessary because the bank's activities are not undertaken for or on
behalf of the covered entity, and fall within the scope of section
1179. In part to give effect to section 1179, in this rule we do not
consider a financial institution to be acting on behalf of a covered
entity when it processes consumer-conducted financial transactions by
debit, credit or other payment card, clears checks, initiates or
processes electronic funds transfers, or conducts any other activity
that directly facilitates or effects the transfer of funds for
compensation for health care.
We do not agree with the comment that section 1179 of the Act means
that the privacy regulation's requirements cannot apply to the
activities listed in that section; rather, it means that the entities
expressly mentioned, financial institutions (as defined in the Right to
Financial Privacy Act), and their agents that engage in the listed
activities for the financial institution are not within the scope of
the regulation. Nor do we interpret section 1179 to support an
exemption for disclosures to financial institutions from the minimum
necessary provisions of this regulation.
Comment: One commenter recommended that HHS include a definition of
``entity'' in the final rule because HIPAA did not define it. The
commenter explained that in a modern health care environment, the
organization acting as the health plan or health care provider may
involve many interrelated corporate entities and that this could lead
to difficulties in determining what ``entities'' are actually subject
to the regulation.
Response: We reject the commenter's suggestion. We believe it is
clear in the final rule that the entities subject to the regulation are
those listed at Sec. 160.102. However, we acknowledge that how the rule
applies to integrated or other complex health systems needs to be
addressed; we have done so in Sec. 164.504 and in other provisions,
such as those addressing organized health care arrangements.
Comment: The preamble should clarify that self-insured group health
and workmen's compensation plans are not covered entities or business
partners.
Response: In the preamble to the proposed rule we stated that
certain types of insurance entities, such as workers' compensation,
would not be covered entities under the rule. We do not change this
position in this final rule. The statutory definition of health plan
does not include workers' compensation products, and the regulatory
definition of the term specifically excludes them. However, HIPAA
specifically includes most group health plans within the definition of
``health plan.''
Comment: A health insurance issuer asserted that health insurers
and third party administrators are usually required by employers to
submit reports describing the volume, amount, payee, basis for services
rendered, types of claims paid and services for which payment was
requested on behalf of it covered employees. They recommended that the
rule permit the disclosure of protected health information for such
purposes.
Response: We agree that health plans should be able to disclose
protected health information to employers sponsoring health plans under
certain circumstances. Section 164.504(f) explains the conditions under
which protected health information may be disclosed to plan sponsors.
We believe that this provision gives sponsors access to the information
they need, but protects individual's information to the extent possible
under our legislative authority.
Group Health Plan
For response to comments relating to ``group health plan,'' see the
response to comments on ``health plan'' below and the response to
comments on Sec. 164.504.
Health Care
Comment: A number of commenters asked that we include disease
management activities and other similar health improvement programs,
such as preventive medicine, health education services and maintenance,
health and case management, and risk assessment, in the definition of
``health care.'' Commenters maintained that the rule should avoid
limiting technological advances and new health care trends intended to
improve patient ``health care.''
Response: Review of these and other comments, and our fact-finding,
indicate that there are multiple, different, understandings of the
definition of these terms. Therefore, rather than create a blanket rule
that includes such terms in or excludes such terms from the definition
of ``health care,'' we define health care based on the underlying
activities that constitute health care. The activities described by
these commenters are considered ``health care'' under this rule to the
extent that they meet this functional definition. Listing activities by
label or title would create the risk that important activities would be
left out and, given the lack of consensus on what these terms mean,
could also create confusion.
Comment: Several commenters urged that the Department clarify that
the activities necessary to procure and distribute eyes and eye tissue
will not be hampered by the rule. Some of these commenters explicitly
requested that we include ``eyes and eye tissue'' in the list of
procurement biologicals as well as ``eye procurement'' in the
definition of ``health care.'' In addition, it was argued that
``administration to patients'' be excluded in the absence of a clear
definition. Also, commenters recommended that the definition include
other activities associated with the transplantation of organs, such as
processing, screening, and distribution.
Response: We delete from the definition of ``health care''
activities related to the procurement or banking of blood, sperm,
organs, or any other tissue for administration to patients. We do so
because persons who make such donations are not seeking to be treated,
diagnosed, or assessed or otherwise seeking health care for themselves,
but are seeking to contribute to the health care of others. In
addition, the nature of
[[Page 82572]]
these activities entails a unique kind of information sharing and
tracking necessary to safeguard the nation's organ and blood supply,
and those seeking to donate are aware that this information sharing
will occur. Consequently, such procurement or banking activities are
not considered health care and the organizations that perform such
activities are not considered health care providers for purposes of
this rule.
With respect to disclosure of protected health information by
covered entities to facilitate cadaveric organ and tissue donation, the
final rule explicitly permits a covered entity to disclose protected
health information without authorization, consent, or agreement to
organ procurement organizations or other entities engaged in the
procurement, banking, or transplantation of cadaveric organs, eyes, or
tissue for the purpose of facilitating donation and transplantation.
See Sec. 164.512(h). We do not include blood or sperm banking in this
provision because, for those activities, there is direct contact with
the donor, and thus opportunity to obtain the individual's
authorization.
Comment: A large number of commenters urged that the term
``assessment'' be included in the list of services in the definition,
as ``assessment'' is used to determine the baseline health status of an
individual. It was explained that assessments are conducted in the
initial step of diagnosis and treatment of a patient. If assessment is
not included in the list of services, they pointed out that the
services provided by occupational health nurses and employee health
information may not be covered.
Response: We agree and have added the term ``assessment'' to the
definition to clarify that this activity is considered ``health care''
for the purposes of the rule.
Comment: One commenter asked that we revise the definition to
explicitly exclude plasmapheresis from paragraph (3) of the definition.
It was explained that plasmapheresis centers do not have direct access
to health care recipients or their health information, and that the
limited health information collected about plasma donors is not used to
provide health care services as indicated by the definition of health
care.
Response: We address the commenters' concerns by removing the
provision related to procurement and banking of human products from the
definition.
Health Care Clearinghouse
Comment: The largest set of comments relating to health care
clearinghouses focused on our proposal to exempt health care
clearinghouses from the patient notice and access rights provisions of
the regulation. In our NPRM, we proposed to exempt health care
clearinghouses from certain provisions of the regulation that deal with
the covered entities' notice of information practices and consumers'
rights to inspect, copy, and amend their records. The rationale for
this exemption was based on our belief that health care clearinghouses
engage primarily in business-to-business transactions and do not
initiate or maintain direct relationships with individuals. We proposed
this position with the caveat that the exemptions would be void for any
health care clearinghouse that had direct contact with individuals in a
capacity other than that of a business partner. In addition, we
indicated that, in most instances, clearinghouses also would be
considered business partners under this rule and would be bound by
their contracts with covered plans and providers. They also would be
subject to the notice of information practices developed by the plans
and providers with whom they contract.
Commenters stated that, although health care clearinghouses do not
have direct contact with individuals, they do have individually
identifiable health information that may be subject to misuse or
inappropriate disclosure. They expressed concern that we were proposing
to exempt health care clearinghouses from all or many aspects of the
regulation. These commenters suggested that we either delete the
exemption or make it very narrow, specific and explicit in the final
regulatory text.
Clearinghouse commenters, on the other hand, were in agreement with
our proposal, including the exemption provision and the provision that
the exemption is voided when the entity does have direct contact with
individuals. They also stated that a health care clearinghouse that has
a direct contact with individuals is no longer a health care
clearinghouse as defined and should be subject to all requirements of
the regulation.
Response: In the final rule, where a clearinghouse creates or
receives protected health information as a business associate of
another covered entity, we maintain the exemption for health care
clearinghouses from certain provisions of the regulation dealing with
the notice of information practices and patient's direct access rights
to inspect, copy and amend records (Secs. 164.524 and 164.526), on the
grounds that a health care clearinghouse is engaged in business-to-
business operations, and is not dealing directly with individuals.
Moreover, as business associates of plans and providers, health care
clearinghouses are bound by the notices of information practices of the
covered entities with whom they contract.
Where a health care clearinghouse creates or receives protected
health information other than as a business associate, however, it must
comply with all the standards, requirements, and implementation
specifications of the rule. We describe and delimit the exact nature of
the exemption in the regulatory text. See Sec. 164.500(b). We will
monitor developments in this sector should the basic business-to-
business relationship change.
Comment: A number of comments relate to the proposed definition of
health care clearinghouse. Many commenters suggested that we expand the
definition. They suggested that additional types of entities be
included in the definition of health care clearinghouse, specifically
medical transcription services, billing services, coding services, and
``intermediaries.'' One commenter suggested that the definition be
expanded to add entities that receive standard transactions, process
them and clean them up, and then send them on, without converting them
to any standard format. Another commenter suggested that the health
care clearinghouse definition be expanded to include entities that do
not perform translation but may receive protected health information in
a standard format and have access to that information. Another
commenter stated that the list of covered entities should include any
organization that receives or maintains individually identifiable
health information. One organization recommended that we expand the
health care clearinghouse definition to include the concept of a
research data clearinghouse, which would collect individually
identifiable health information from other covered entities to generate
research data files for release as de-identified data or with
appropriate confidentiality safeguards. One commenter stated that HHS
had gone beyond Congressional intent by including billing services in
the definition.
Response: We cannot expand the definition of ``health care
clearinghouse'' to cover entities not covered by the definition of this
term in the statute. In the final regulation, we
[[Page 82573]]
make a number of changes to address public comments relating to
definition. We modify the definition of health care clearinghouse to
conform to the definition published in the Transactions Rule (with the
addition of a few words, as noted above). We clarify in the preamble
that, while the term ``health care clearinghouse'' may have other
meanings and connotations in other contexts, for purposes of this
regulation an entity is considered a health care clearinghouse only to
the extent that it actually meets the criteria in our definition.
Entities performing other functions but not meeting the criteria for a
health care clearinghouse are not clearinghouses, although they may be
business associates. Billing services are included in the regulatory
definition of ``health care clearinghouse,'' if they perform the
specified clearinghouse functions. Although we have not added or
deleted any entities from our original definition, we will monitor
industry practices and may add other entities in the future as changes
occur in the health system.
Comment: Several commenters suggested that we clarify that an
entity acting solely as a conduit through which individually
identifiable health information is transmitted or through which
protected health information flows but is not stored is not a covered
entity, e.g., a telephone company or Internet Service Provider. Other
commenters indicated that once a transaction leaves a provider or plan
electronically, it may flow through several entities before reaching a
clearinghouse. They asked that the regulation protect the information
in that interim stage, just as the security NPRM established a chain of
trust arrangement for such a network. Others noted that these
``conduit'' entities are likely to be business partners of the
provider, clearinghouse or plan, and we should clarify that they are
subject to business partner obligations as in the proposed Security
Rule.
Response: We clarify that entities acting as simple and routine
communications conduits and carriers of information, such as telephone
companies and Internet Service Providers, are not clearinghouses as
defined in the rule unless they carry out the functions outlined in our
definition. Similarly, we clarify that value added networks and
switches are not health care clearinghouses unless they carry out the
functions outlined in the definition, and clarify that such entities
may be business associates if they meet the definition in the
regulation.
Comment: Several commenters, including the large clearinghouses and
their trade associations, suggested that we not treat health care
clearinghouses as playing a dual role as covered entity and business
partner in the final rule because such a dual role causes confusion as
to which rules actually apply to clearinghouses. In their view, the
definition of health care clearinghouse is sufficiently clear to stand
alone and identify a health care clearinghouse as a covered entity, and
allows health care clearinghouses to operate under one consistent set
of rules.
Response: For reasons explained in Sec. 164.504 of this preamble,
we do not create an exception to the business associate requirements
when the business associate is also a covered entity. We retain the
concept that a health care clearinghouse may be a covered entity and a
business associate of a covered entity under the regulation. As
business associates, they would be bound by their contracts with
covered plans and providers.
Health Care Provider
Comment: One commenter pointed out that the preamble referred to
the obligations of providers and did not use the term, ``covered
entity,'' and thus created ambiguity about the obligations of health
care providers who may be employed by persons other than covered
entities, e.g., pharmaceutical companies. It was suggested that a
better reading of the statute and rule is that where neither the
provider nor the company is a covered entity, the rule does not impose
an obligation on either the provider-employee or the employer.
Response: We agree. We use the term ``covered entity'' whenever
possible in the final rule, except for the instances where the final
rule treats the entities differently, or where use of the term ``health
care provider'' is necessary for purposes of illustrating an example.
Comment: Several commenters stated that the proposal's definition
was broad, unclear, and/or confusing. Further, we received many
comments requesting clarification as to whether specific entities or
persons were ``health care providers'' for the purposes of our rule.
One commenter questioned whether affiliated members of a health care
group (even though separate legal entities) would be considered as one
primary health care provider.
Response: We permit legally distinct covered entities that share
common ownership or control to designate themselves together to be a
single covered entity. Such organizations may promulgate a single
shared notice of information practices and a consent form. For more
detailed information, see the preamble discussion of Sec. 164.504(d).
We understand the need for additional guidance on whether specific
entities or persons are health care providers under the final rule. We
provide guidance below and will provide additional guidance as the rule
is implemented.
Comment: One commenter observed that sections 1171(3), 1861(s) and
1861(u) of the Act do not include pharmacists in the definition of
health care provider or pharmacist services in the definition of
``medical or other health services,'' and questioned whether
pharmacists were covered by the rule.
Response: The statutory definition of ``health care provider'' at
section 1171(3) includes ``any other person or organization who
furnishes, bills, or is paid for health care in the normal course of
business.'' Pharmacists' services are clearly within this statutory
definition of ``health care.'' There is no basis for excluding
pharmacists who meet these statutory criteria from this regulation.
Comment: Some commenters recommended that the scope of the
definition be broadened or clarified to cover additional persons or
organizations. Several commenters argued for expanding the reach of the
health care provider definition to cover entities such as state and
local public health agencies, maternity support services (provided by
nutritionists, social workers, and public health nurses and the Special
Supplemental Nutrition Program for Women, Infants and Children), and
those companies that conduct cost-effectiveness reviews, risk
management, and benchmarking studies. One commenter queried whether
auxiliary providers such as child play therapists, and speech and
language therapists are considered to be health care providers. Other
commenters questioned whether ``alternative'' or ``complementary''
providers, such as naturopathic physicians and acupuncturists would be
considered health care providers covered by the rule.
Response: As with other aspects of this rule, we do not define
``health care provider'' based on the title or label of the
professional. The professional activities of these kinds of providers
vary; a person is a ``health care provider'' if those activities are
consistent with the rule's definition of ``health care provider.''
Thus, health care providers include persons, such as those noted by the
commenters, to the extent that they meet the definition. We note that
health care providers are only
[[Page 82574]]
subject to this rule if they conduct certain transactions. See the
definition of ``covered entity.''
However companies that conduct cost-effectiveness reviews, risk
management, and benchmarking studies are not health care providers for
the purposes of this rule unless they perform other functions that meet
the definition. These entities would be business associates if they
perform such activities on behalf of a covered entity.
Comment: Another commenter recommended that the Secretary expand
the definition of health care provider to cover health care providers
who transmit or ``or receive'' any health care information in
electronic form.
Response: We do not accept this suggestion. Section 1172(a)(3)
states that providers that ``transmit'' health information in
connection with one of the HIPAA transactions are covered, but does not
use the term ``receive'' or a similar term.
Comment: Some comments related to online companies as health care
providers and covered entities. One commenter argued that there was no
reason ``why an Internet pharmacy should not also be covered'' by the
rule as a health care provider. Another commenter stated that online
health care service and content companies, including online medical
record companies, should be covered by the definition of health care
provider. Another commenter pointed out that the definitions of covered
entities cover ``Internet providers who `bill' or are `paid' for health
care services or supplies, but not those who finance those services in
other ways, such as through sale of identifiable health information or
advertising.'' It was pointed out that thousands of Internet sites use
information provided by individuals who access the sites for marketing
or other purposes.
Response: We agree that online companies are covered entities under
the rule if they otherwise meet the definition of health care provider
or health plan and satisfy the other requirements of the rule, i.e.,
providers must also transmit health information in electronic form in
connection with a HIPAA transaction. We restate here the language in
the preamble to the proposed rule that ``An individual or organization
that bills and/or is paid for health care services or supplies in the
normal course of business, such as * * * an ``online'' pharmacy
accessible on the Internet, is also a health care provider for purposes
of this statute'' (64 FR 59930).
Comment: We received many comments related to the reference to
``health clinic or licensed health care professional located at a
school or business in the preamble's discussion of ``health care
provider.'' It was stated that including ``licensed health care
professionals located at a school or business'' highlights the need for
these individuals to understand they have the authority to disclose
information to the Social Security Administration (SSA) without
authorization.
However, several commenters urged HHS to create an exception for or
delete that reference in the preamble discussion to primary and
secondary schools because of employer or business partner
relationships. One federal agency suggested that the reference
``licensed health care professionals located at a [school]'' be deleted
from the preamble because the definition of health care provider does
not include a reference to schools. The commenter also suggested that
the Secretary consider: adding language to the preamble to clarify that
the rules do not apply to clinics or school health care providers that
only maintain records that have been excepted from the definition of
protected health information, adding an exception to the definition of
covered entities for those schools, and limiting paperwork requirements
for these schools. Another commenter argued for deleting references to
schools because the proposed rule appeared to supersede or create
ambiguity as to the Family Educational Rights and Privacy Act (FERPA),
which gives parents the right to access ``education'' and health
records of their unemancipated minor children. However, in contrast,
one commenter supported the inclusion of health care professionals who
provide services at schools or businesses.
Response: We realize that our discussion of schools in the NPRM may
have been confusing. Therefore, we address these concerns and set forth
our policy regarding protected health information in educational
agencies and institutions in the ``Relationship to Other Federal Laws''
discussion of FERPA, above.
Comment: Many commenters urged that direct contact with the patient
be necessary for an entity to be considered a health care provider.
Commenters suggested that persons and organizations that are remote to
the patient and have no direct contact should not be considered health
care providers. Several commenters argued that the definition of health
care provider covers a person that provides health care services or
supplies only when the provider furnishes to or bills the patient
directly. It was stated that the Secretary did not intend that
manufacturers, such as pharmaceutical, biologics, and device
manufacturers, health care suppliers, medical-surgical supply
distributors, health care vendors that offer medical record
documentation templates and that typically do not deal directly with
the patient, be considered health care providers and thus covered
entities. However, in contrast, one commenter argued that, as an in
vitro diagnostics manufacturer, it should be covered as a health care
provider.
Response: We disagree with the comments that urged that direct
dealings with an individual be a prerequisite to meeting the definition
of health care provider. Many providers included in the statutory
definition of provider, such as clinical labs, do not have direct
contact with patients. Further, the use and disclosure of protected
health information by indirect treatment providers can have a
significant effect on individuals' privacy. We acknowledge, however,
that providers who treat patients only indirectly need not have the
full array of responsibilities as direct treatment providers, and
modify the NPRM to make this distinction with respect to several
provisions (see, for example Sec. 164.506 regarding consent). We also
clarify that manufacturers and health care suppliers who are considered
providers by Medicare are providers under this rule.
Comment: Some commenters suggested that blood centers and plasma
donor centers that collect and distribute source plasma not be
considered covered health care providers because the centers do not
provide ``health care services'' and the blood donors are not
``patients'' seeking health care. Similarly, commenters expressed
concern that organ procurement organizations might be considered health
care providers.
Response: We agree and have deleted from the definition of ``health
care'' the term ``procurement or banking of blood, sperm, organs, or
any other tissue for administration to patients.'' See prior discussion
under ``health care.''
Comment: Several commenters proposed to restrict coverage to only
those providers who furnished and were paid for services and supplies.
It was argued that a salaried employee of a covered entity, such as a
hospital-based provider, should not be covered by the rule because that
provider would be subject both directly to the rule as a covered entity
and indirectly as an employee of a covered entity.
Response: The ``dual'' direct and indirect situation described in
these comments can arise only when a health
[[Page 82575]]
care provider conducts standard HIPAA transactions both for itself and
for its employer. For example, when the services of a provider such as
a hospital-based physician are billed through a standard HIPAA
transaction conducted for the employer, in this example the hospital,
the physician does not become a covered provider. Only when the
provider uses a standard transaction on its own behalf does he or she
become a covered health care provider. Thus, the result is typically as
suggested by this commenter. When a hospital-based provider is not paid
directly, that is, when the standard HIPAA transaction is not on its
behalf, it will not become a covered provider.
Comment: Other commenters argued that an employer who provides
health care services to its employees for whom it neither bills the
employee nor pays for the health care should not be considered health
care providers covered by the proposed rule.
Response: We clarify that the employer may be a health care
provider under the rule, and may be covered by the rule if it conducts
standard transactions. The provisions of Sec. 164.504 may also apply.
Comment: Some commenters were confused about the preamble
statement: ``in order to implement the principles in the Secretary's
Recommendations, we must impose any protections on the health care
providers that use and disclose the information, rather than on the
researcher seeking the information,'' with respect to the rule's policy
that a researcher who provides care to subjects in a trial will be
considered a health care provider. Some commenters were also unclear
about whether the individual researcher providing health care to
subjects in a trial would be considered a health care provider or
whether the researcher's home institution would be considered a health
care provider and thus subject to the rule.
Response: We clarify that, in general, a researcher is also a
health care provider if the researcher provides health care to subjects
in a clinical research study and otherwise meets the definition of
``health care provider'' under the rule. However, a health care
provider is only a covered entity and subject to the rule if that
provider conducts standard transactions. With respect to the above
preamble statement, we meant that our jurisdiction under the statute is
limited to covered entities. Therefore, we cannot apply any
restrictions or requirements on a researcher in that person's role as a
researcher. However, if a researcher is also a health care provider
that conducts standard transactions, that researcher/provider is
subject to the rule with regard to its provider activities.
As to applicability to a researcher/provider versus the
researcher's home institution, we provide the following guidance. The
rule applies to the researcher as a covered entity if the researcher is
a health care provider who conducts standard transactions for services
on his or her own behalf, regardless of whether he or she is part of a
larger organization. However, if the services and transactions are
conducted on behalf of the home institution, then the home institution
is the covered entity for purposes of the rule and the researcher/
provider is a workforce member, not a covered entity.
Comment: One commenter expressed confusion about those instances
when a health care provider was a covered entity one day, and one who
``works under a contract'' for a manufacturer the next day.
Response: If persons are covered under the rule in one role, they
are not necessarily covered entities when they participate in other
activities in another role. For example, that person could be a covered
health care provider in a hospital one day but the next day read
research records for a different employer. In its role as researcher,
the person is not covered, and protections do not apply to those
research records.
Comment: One commenter suggested that the Secretary modify proposed
Sec. 160.102, to add the following clause at the end (after (c))
(regarding health care provider), ``With respect to any entity whose
primary business is not that of a health plan or health care provider
licensed under the applicable laws of any state, the standards,
requirements, and implementation specifications of this subchapter
shall apply solely to the component of the entity that engages in the
transactions specified in [Sec. ] 160.103.'' (Emphasis added.) Another
commenter also suggested that the definition of ``covered entity'' be
revised to mean entities that are ``primarily or exclusively engaged in
health care-related activities as a health plan, health care provider,
or health care clearinghouse.''
Response: The Secretary rejects these suggestions because they will
impermissibly limit the entities covered by the rule. An entity that is
a health plan, health care provider, or health care clearinghouse meets
the statutory definition of covered entity regardless of how much time
is devoted to carrying out health care-related functions, or regardless
of what percentage of their total business applies to health care-
related functions.
Comment: Several commenters sought to distinguish a health care
provider from a business partner as proposed in the NPRM. For example,
a number of commenters argued that disease managers that provide
services ``on behalf of'' health plans and health care providers, and
case managers (a variation of a disease management service) are
business partners and not ``health care providers.'' Another commenter
argued that a disease manager should be recognized (presumably as a
covered entity) because of its involvement from the physician-patient
level through complex interactions with health care providers.
Response: To the extent that a disease or case manager provides
services on behalf of or to a covered entity as described in the rule's
definition of business associate, the disease or case manager is a
business associate for purposes of this rule. However, if services
provided by the disease or case manager meet the definition of
treatment and the person otherwise meets the definition of ``health
care provider,'' such a person is a health care provider for purposes
of this rule.
Comment: One commenter argued that pharmacy employees who assist
pharmacists, such as technicians and cashiers, are not business
partners.
Response: We agree. Employees of a pharmacy that is a covered
entity are workforce members of that covered entity for purposes of
this rule.
Comment: A number of commenters requested that we clarify the
definition of health care provider (``* * * who furnishes, bills, or is
paid for health care services or supplies in the normal course of
business'') by defining the various terms ``furnish'', ``supply'', and
``in the normal course of business.'' For instance, it was stated that
this would help employers recognize when services such as an employee
assistance program constituted health care covered by the rule.
Response: Although we understand the concern expressed by the
commenters, we decline to follow their suggestion to define terms at
this level of specificity. These terms are in common use today, and an
attempt at specific definition would risk the inadvertent creations of
conflict with industry practices. There is a significant variation in
the way employers structure their employee assistance programs (EAPs)
and the type of services that they provide. If the EAP provides direct
treatment to individuals, it may be a health care provider.
[[Page 82576]]
Health Information
The response to comments on health information is included in the
response to comments on individually identifiable health information,
in the preamble discussion of Sec. 164.501.
Health Plan
Comment: One commenter suggested that to eliminate any ambiguity,
the Secretary should clarify that the catch-all category under the
definition of health plan includes ``24-hour coverage plans'' (whether
insured or self-insured) that integrate traditional employee health
benefits coverage and workers' compensation coverage for the treatment
of on-the-job injuries and illnesses under one program. It was stated
that this clarification was essential if the Secretary persisted in
excluding workers' compensation from the final rule.
Response: We understand concerns that such plans may use and
disclose individually identifiable health information. We therefore
clarify that to the extent that 24-hour coverage plans have a health
care component that meets the definition of ``health plan'' in the
final rule, such components must abide by the provisions of the final
rule. In the final rule, we have added a new provision to Sec. 164.512
that permits covered entities to disclose information under workers'
compensation and similar laws. A health plan that is a 24-hour plan is
permitted to make disclosures as necessary to comply with such laws.
Comment: A number of commenters urged that certain types of
insurance entities, such as workers' compensation and automobile
insurance carriers, property and casualty insurance health plans, and
certain forms of limited benefits coverage, be included in the
definition of ``health plan.'' It was argued that consumers deserve the
same protection with respect to their health information, regardless of
the entity using it, and that it would be inequitable to subject health
insurance carriers to more stringent standards than other types of
insurers that use individually identifiable health information.
Response: The Congress did not include these programs in the
definition of a ``health plan'' under section 1171 of the Act. Further,
HIPAA's legislative history shows that the House Report's (H. Rep. 104-
496) definition of ``health plan'' originally included certain benefit
programs, such as workers' compensation and liability insurance, but
was later amended to clarify the definition and remove these programs.
Thus, since the statutory definition of a health plan both on its face
and through legislative history evidence Congress' intention to exclude
such programs, we do not have the authority to require that these
programs comply with the standards. We have added explicit language to
the final rule which excludes the excepted benefit programs, as defined
in section 2971(c)(1) of the PHS Act, 42 U.S.C. 300gg-91(c)(1).
Comment: Some commenters urged HHS to include entities such as stop
loss insurers and reinsurers in the definition of ``health plan.'' It
was observed that such entities have come to play important roles in
managed care delivery systems. They asserted that increasingly,
capitated health plans and providers contract with their reinsurers and
stop loss carriers to medically manage their high cost outlier cases
such as organ and bone marrow transplants, and therefore should be
specifically cited as subject to the regulations.
Response: Stop-loss and reinsurers do not meet the statutory
definition of health plan. They do not provide or pay for the costs of
medical care, as described in the statute, but rather insure health
plans and providers against unexpected losses. Therefore, we cannot
include them as health plans in the regulation.
Comment: A commenter asserted that there is a significant
discrepancy between the effect of the definition of ``group health
plan'' as proposed in Sec. 160.103, and the anticipated impact in the
cost estimates of the proposed rule at 64 FR 60014. Paragraph (1) of
the proposed definition of ``health plan'' defined a ``group health
plan'' as an ERISA-defined employee welfare benefit plan that provides
medical care and that: ``(i) Has 50 or more participants, or (ii) Is
administered by an entity other than the employer that established and
maintains the plan[.]'' (emphasis added) According to this commenter,
under this definition, the only insured or self-insured ERISA plans
that would not be regulated ``health plans'' would be those that have
less than 50 participants and are self administered.
The commenter presumed that the we had intended to exclude from the
definition of ``health plan'' (and from coverage under the proposed
rule) all ERISA plans that are small (less than 50 participants) or are
administered by a third party, whether large or small, based on the
statement at 64 FR 60014, note 18. That footnote stated that the
Department had ``not included the 3.9 million `other' employer-health
plans listed in HCFA's administrative simplification regulations
because these plans are administered by a third party. The proposed
regulation will not regulate the employer plans but will regulate the
third party administrators of the plan.'' The commenter urged us not to
repeat the statutory definition, and to adopt the policy implied in the
footnote.
Response: We agree with the commenter's observation that footnote
18 (64 FR 60014) was inconsistent with the proposed definition. We
erred in drafting that note. The definition of ``group health plan'' is
adopted from the statutory definition at section 1171(5)(A), and
excludes from the rule as ``health plans'' only the few insured or
self-insured ERISA plans that have less than 50 participants and are
self administered. We reject the commenter's proposed change to the
definition as inconsistent with the statute.
Comment: A number of insurance companies asked that long term care
insurance policies be excluded from the definition of ``health plan.''
It was argued that such policies do not provide sufficiently
comprehensive coverage of the cost of medical care, and are limited
benefit plans that provide or pay for the cost of custodial and other
related services in connection with a long term, chronic illness or
disability.
These commenters asserted that HIPAA recognizes this nature of long
term care insurance, observing that, with respect to HIPAA's
portability requirements, Congress enacted a series of exclusions for
certain defined types of health plan arrangements that do not typically
provide comprehensive coverage. They maintained that Congress
recognized that long term care insurance is excluded, so long as it is
not a part of a group health plan. Where a long term care policy is
offered separately from a group health plan it is considered an
excepted benefit and is not subject to the portability and guarantee
issue requirements of HIPAA. Although this exception does not appear in
the Administrative Simplification provisions of HIPAA, it was asserted
that it is guidance with respect to the treatment of long term care
insurance as a limited benefit coverage and not as coverage that is so
``sufficiently comprehensive'' that it is to be treated in the same
manner as a typical, comprehensive major medical health plan
arrangement.
Another commenter offered a different perspective observing that
there are some long-term care policies--that do not pay for medical
care and therefore are not ``health plans.'' It was noted that most
long-term care policies are reimbursement policies--that is,
[[Page 82577]]
they reimburse the policyholder for the actual expenses that the
insured incurs for long-term care services. To the extent that these
constitute ``medical care,'' this commenter presumed that these
policies would be considered ``health plans.'' Other long-term care
policies, they pointed out, simply pay a fixed dollar amount when the
insured becomes chronically ill, without regard to the actual cost of
any long-term care services received, and thus are similar to fixed
indemnity critical illness policies. The commenter suggested that while
there was an important distinction between indemnity based long-term
care policies and expenses based long-term care policies, it may be
wise to exclude all long-term care policies from the scope of the rule
to achieve consistency with HIPAA.
Response: We disagree. The statutory language regarding long-term
care policies in the portability title of HIPAA is different from the
statutory language regarding long-term care policies in the
Administrative Simplification title of HIPAA. Section 1171(5)(G) of the
Act means that issuers of long-term care policies are considered health
plans for purposes of administrative simplification. We also interpret
the statute as authorizing the Secretary to exclude nursing home fixed-
indemnity policies, not all long-term care policies, from the
definition of ``health plan,'' if she determines that these policies do
not provide ``sufficiently comprehensive coverage of a benefit'' to be
treated as a health plan (see section 1171 of the Act). We interpret
the term ``comprehensive'' to refer to the breadth or scope of coverage
of a policy. ``Comprehensive'' policies are those that cover a range of
possible service options. Since nursing home fixed indemnity policies
are, by their own terms, limited to payments made solely for nursing
facility care, we have determined that they should not be included as
health plans for the purposes of the HIPAA regulations. The Secretary,
therefore, explicitly excluded nursing home fixed-indemnity policies
from the definition of ``health plan'' in the Transactions Rule, and
this exclusion is thus reflected in this final rule. Issuers of other
long-term care policies are considered to be health plans under this
rule and the Transactions Rule.
Comment: One commenter was concerned about the potential impact of
the proposed regulations on ``unfunded health plans,'' which the
commenter described as programs used by smaller companies to provide
their associates with special employee discounts or other membership
incentives so that they can obtain health care, including prescription
drugs, at reduced prices. The commenter asserted that if these discount
and membership incentive programs were covered by the regulation, many
smaller employers might discontinue offering them to their employees,
rather than deal with the administrative burdens and costs of complying
with the rule.
Response: Only those special employee discounts or membership
incentives that are ``employee welfare benefit plans'' as defined in
section 3(1) of the Employee Retirement Income Security Act of 1974, 29
U.S.C. 1002(1), and provide ``medical care'' (as defined in section
2791(a)(2) of the Public Health Service Act, 42 U.S.C. 300gg-91(a)(2)),
are health plans for the purposes of this rule. Discount or membership
incentive programs that are not group health plans are not covered by
the rule.
Comment: Several commenters agreed with the proposal to exclude
``excepted benefits'' such as disability income insurance policies,
fixed indemnity critical illness policies, and per diem long-term care
policies from the definition of ``health plan,'' but were concerned
that the language of the proposed rule did not fully reflect this
intent. They asserted that clarification was necessary in order to
avoid confusion and costs to both consumers and insurers.
One commenter stated that, while HHS did not intend for the rule to
apply to every type of insurance coverage that paid for medical care,
the language of the proposed rule did not bear this out. The problem,
it was asserted, is that under the proposed rule any insurance policy
that pays for ``medical care'' would technically be a ``health plan.''
It was argued that despite the statements in the narrative, there are
no provisions that would exempt any of the ``excepted benefits'' from
the definition of ``health care.'' It was stated that:
Although (with the exception of long-term care insurance), the
proposed rule does not include the `excepted benefits' in its list
of sixteen examples of a health plan (proposed 45 CFR 160.104), it
does not explicitly exclude them either. Because these types of
policies in some instances pay benefits that could be construed as
payments for medical care, we are concerned by the fact that they
are not explicitly excluded from the definition of `health plan' or
the requirements of the proposed rule.''
Several commenters proposed that HHS adopt the same list of
``excepted benefits'' contained in 29 U.S.C. 1191b, suggesting that
they could be adopted either as exceptions to the definition of
``health plan'' or as exceptions to the requirements imposed on
``health plans.'' They asserted that this would promote consistency in
the federal regulatory structure for health plans.
It was suggested that HHS clarify whether the definition of health
plan, particularly the ``group health plan'' and ``health insurance
issuer'' components, includes a disability plan or disability insurer.
It was noted that a disability plan or disability insurer may cover
only income lost from disability and, as mentioned above, some
rehabilitation services, or a combination of lost income,
rehabilitation services and medical care. The commenter suggested that
in addressing this coverage issue, it may be useful to refer to the
definitions of group health plan, health insurance issuer and medical
care set forth in Part I of HIPAA, which the statutory provisions of
the Administrative Simplification subtitle expressly reference. See 42
U.S.C. 1320d(5)(A) and (B).
Response: We agree that the NPRM may have been ambiguous regarding
the types of plans the rule covers. To remedy this confusion, we have
added language that specifically excludes from the definition any
policy, plan, or program providing or paying the cost of the excepted
benefits, as defined in section 2971(c)(1) of the PHS Act, 42 U.S.C.
300gg-91(c)(1). As defined in the statute, this includes but is not
limited to benefits under one or more (or any combination thereof) of
the following: coverage only for accident, or disability income
insurance, or any combination thereof; liability insurance, including
general liability insurance and automobile liability insurance; and
workers' compensation or similar insurance.
However, the other excepted benefits as defined in section
2971(c)(2) of the PHS Act, 42 U.S.C. 300gg-91(c)(2), such as limited
scope dental or vision benefits, not explicitly excepted from the
regulation could be considered ``health plans'' under paragraph
(1)(xvii) of the definition of ``health plan'' in the final rule if and
to the extent that they meet the criteria for the definition of
``health plan.'' Such plans, unlike the programs and plans listed at
section 2971(c)(1), directly and exclusively provide health insurance,
even if limited in scope.
Comment: One commenter recommended that the Secretary clarify that
``health plan'' does not include property and casualty benefit
providers. The commenter stated that the clarifying language is needed
given the ``catchall'' category of entities defined as ``any other
individual plan or group health plan, or combination thereof, that
[[Page 82578]]
provides or pays for the cost of medical care,'' and asserted that
absent clarification there could be serious confusion as to whether
property and casualty benefit providers are ``health plans'' under the
rule.
Response: We agree and as described above have added language to
the final rule to clarify that the ``excepted benefits'' as defined
under 42 U.S.C. 300gg-91(c)(1), which includes liability programs such
as property and casualty benefit providers, are not health plans for
the purposes of this rule.
Comment: Some commenters recommended that the Secretary replace the
term ``medical care'' with ``health care.'' It was observed that
``health care'' was defined in the proposal, and that this definition
was used to define what a health care provider does. However, they
observed that the definition of ``health plan'' refers to the provision
of or payment for ``medical care,'' which is not defined. Another
commenter recommended that HHS add the parenthetical phrase ``as such
term is defined in section 2791 of the Public Health Service Act''
after the phrase ``medical care.''
Response: We disagree with the first recommendation. We understand
that the term ``medical care'' can be easily confused with the term
``health care.'' However, the two terms are not synonymous. The term
``medical care'' is a statutorily defined term and its use is critical
in making a determination as to whether a health plan is considered a
``health plan'' for purposes of administrative simplification. In
addition, since the term ``medical care'' is used in the regulation
only in the context of the definition of ``health plan'' and we believe
that its inclusion in the regulatory text may cause confusion, we did
not add a definition of ``medical care'' in the final rule. However,
consistent with the second recommendation above, the statutory cite for
``medical care'' was added to the definition of ``health plan'' in the
Transactions Rule, and thus is reflected in this final rule.
Comment: A number of commenters urged that the Secretary define
more narrowly what characteristics would make a government program that
pays for specific health care services a ``health plan.'' Commenters
argued that there are many ``payment'' programs that should not be
included, as discussed below, and that if no distinctions were made,
``health plan'' would mean the same as ``purchaser'' or even ``payor.''
Commenters asserted that there are a number of state programs that
pay for ``health care'' (as defined in the rule) but that are not
health plans. They said that examples include the WIC program (Special
Supplemental Nutrition Program for Women, Infants, and Children) which
pays for nutritional assessment and counseling, among other services;
the AIDS Client Services Program (including AIDS prescription drug
payment) under the federal Ryan White Care Act and state law; the
distribution of federal family planning funds under Title X of the
Public Health Services Act; and the breast and cervical health program
which pays for cancer screening in targeted populations. Commenters
argued that these are not insurance plans and do not fall within the
``health plan'' definition's list of examples, all of which are either
insurance or broad-scope programs of care under a contract or statutory
entitlement. However, paragraph (16) in that list opens the door to
broader interpretation through the catchall phrase, ``any other
individual or group plan that provides or pays for the cost of medical
care.'' Commenters assert that clarification is needed.
A few commenters stated that other state agencies often work in
partnership with the state Medicaid program to implement certain
Medicaid benefits, such as maternity support services and prenatal
genetics screening. They concluded that while this probably makes parts
of the agency the ``business partner'' of a covered entity, they were
uncertain whether it also makes the same agency parts a ``health plan''
as well.
Response: We agree with the commenters that clarification is needed
as to the rule's application to government programs that pay for health
care services. Accordingly, in the final rule we have excepted from the
definition of ``health plan'' a government funded program which does
not have as its principal purpose the provision of, or payment for, the
cost of health care or which has as its principal purpose the
provision, either directly or by grant, of health care. For example,
the principal purpose of the WIC program is not to provide or pay for
the cost of health care, and thus, the WIC program is not a health plan
for purposes of this rule. The program of health care services for
individuals detained by the INS provides health care directly, and so
is not a health plan. Similarly, the family planning program authorized
by Title X of the Public Health Service Act pays for care exclusively
through grants, and so is not a health plan under this rule. These
programs (the grantees under the Title X program) may be or include
health care providers and may be covered entities if they conduct
standard transactions.
We further clarify that, where a public program meets the
definition of ``health plan,'' the government agency that administers
the program is the covered entity. Where two agencies administer a
program jointly, they are both a health plan. For example, both the
Health Care Financing Administration and the insurers that offers a
Medicare+Choice plan are ``health plans'' with respect to Medicare
beneficiaries. An agency that does not administer a program but which
provides services for such a program is not a covered entity by virtue
of providing such services. Whether an agency providing services is a
business associate of the covered entity depends on whether its
functions for the covered entity meet the definition of business
associate in Sec. 164.501 and, in the example described by this
comment, in particular on whether the arrangement falls into the
exception in Sec. 164.504(e)(1)(ii)(C) for government agencies that
collect eligibility or enrollment information for covered government
programs.
Comment: Some commenters expressed support for retaining the
category in paragraph (16) of the proposal's definition: ``Any other
individual or group health plan, or combination thereof, that provides
or pays for the cost of medical care.'' Others asked that the Secretary
clarify this category. One commenter urged that the final rule clearly
define which plans would meet the criteria for this category.
Response: As described in the proposed rule, this category
implements the language at the beginning of the statutory definition of
the term ``health plan'': ``The term `health plan' means an individual
or group plan that provides, or pays the cost of, medical care * * *
Such term includes the following, and any combination thereof * * *''
This statutory language is general, not specific, and as such, we are
leaving it general in the final rule. However, as described above, we
add explicit language which excludes certain ``excepted benefits'' from
the definition of ``health plan'' in an effort to clarify which plans
are not health plans for the purposes of this rule. Therefore, to the
extent that a certain benefits plan or program otherwise meets the
definition of ``health plan'' and is not explicitly excepted, that
program or plan is considered a ``health plan'' under paragraph
(1)(xvii) of the final rule.
Comment: A commenter explained that HIPAA defines a group health
plan by expressly cross-referencing the statutory sections in the PHS
Act and the Employee Retirement Income
[[Page 82579]]
Security Act of 1974 (ERISA), 29 U.S.C. 1001, et seq., which define the
terms ``group health plan,'' ``employee welfare benefit plan'' and
``participant.'' See 29 U.S.C. 1002(l) (definition of ``employee
welfare benefit plan,'' which is the core of the definition of group
health plan under both ERISA and the PHS Act); 29 U.S.C. 100217)
(definition of participant); 29 U.S.C. 1193(a) (definition of ``group
health plan,'' which is identical to that in section 2791(a) of the PHS
Act).
It was pointed out that the preamble and the text of the proposed
rule both limit the definition of all three terms to their current
definitions. The commenter reasoned that since the ERISA definitions
may change over time through statutory amendment, Department of Labor
regulations or judicial interpretation, it would not be clear what
point in time is to be considered current. Therefore, they suggested
deleting references to ``current'' or ``currently'' in the preamble and
in the regulation with respect to these three ERISA definitions.
In addition, the commenter stated that as the preamble to the NPRM
correctly reflected, HIPAA expressly cross-references ERISA's
definition of ``participant'' in section 3(7) of ERISA, 29 U.S.C.
1002(7). 42 U.S.C. 1320d(5)(A). The text of the privacy regulation,
however, omits this cross-reference. It was suggested that the
reference to section 3(7) of ERISA, defining ``participant,'' be
included in the regulation.
Finally, HIPAA incorporates the definition of a group health plan
as set forth in section 2791(a) of the PHS Act, 42 U.S.C. 300gg-
91(a)(l). That definition refers to the provision of medical care
``directly or through insurance, reimbursement, or otherwise.'' The
word ``reimbursement'' is omitted in both the preamble and the text of
the regulation; the commenter suggested restoring it to both.
Response: We agree. These changes were made to the definition of
``health plan'' as promulgated in the Transactions Rule, and are
reflected in this final rule.
Small Health Plan
Comment: One commenter recommended that we delete the reference to
$5 million in the definition and instead define a ``small health plan''
as a health plan with fewer than 50 participants. It was stated that
using a dollar limitation to define a ``small health plan'' is not
meaningful for self-insured plans and some other types of health plan
coverage arrangements. A commenter pointed out that the general
definition of a health plan refers to ``50 or more participants,'' and
that using a dollar factor to define a ``small health plan'' would be
inconsistent with this definition.
Response: We disagree. The Small Business Administration (SBA)
promulgates size standards that indicate the maximum number of
employees or annual receipts allowed for a concern (13 CFR 121.105) and
its affiliates to be considered ``small.'' The size standards
themselves are expressed either in number of employees or annual
receipts (13 CFR 121.201). The size standards for compliance with
programs of other agencies are those for SBA programs which are most
comparable to the programs of such other agencies, unless otherwise
agreed by the agency and the SBA (13 CFR 121.902). With respect to the
insurance industry, the SBA has specified that annual receipts of $5
million is the maximum allowed for a concern and its affiliates to be
considered small (13 CFR 121.201). Consequently, we retain the
proposal's definition in the final rule to be consistent with SBA
requirements.
We understand there may be some confusion as to the meaning of
``annual receipts'' when applied to a health plan. For our purposes,
therefore, we consider ``pure premiums'' to be equivalent to ``annual
receipts.''
Workforce
Comment: Some commenters requested that we exclude ``volunteers''
from the definition of workforce. They stated that volunteers are
important contributors within many covered entities, and in particular
hospitals. They argued that it was unfair to ask that these people
donate their time and at the same time subject them to the penalties
placed upon the paid employees by these regulations, and that it would
discourage people from volunteering in the health care setting.
Response: We disagree. We believe that differentiating those
persons under the direct control of a covered entity who are paid from
those who are not is irrelevant for the purposes of protecting the
privacy of health information, and for a covered entity's management of
its workforce. In either case, the person is working for the covered
entity. With regard to implications for the individual, persons in a
covered entity's workforce are not held personally liable for violating
the standards or requirements of the final rule. Rather, the Secretary
has the authority to impose civil monetary penalties and in some cases
criminal penalties for such violations on only the covered entity.
Comment: One commenter asked that the rule clarify that employees
administering a group health or other employee welfare benefit plan on
their employers' behalf are considered part of the covered entity's
workforce.
Response: As long as the employees have been identified by the
group health plan in plan documents as performing functions related to
the group health plan (consistent with the requirements of
Sec. 164.504(f)), those employees may have access to protected health
information. However, they are not permitted to use or disclose
protected health information for employment-related purposes or in
connection with any other employee benefit plan or employee benefit of
the plan sponsor.
Part 160--Subpart B--Preemption of State Law
We summarize and respond below to comments received in the
Transactions rulemaking on the issue of preemption, as well as those
received on this topic in the Privacy rulemaking. Because no process
was proposed in the Transactions rulemaking for granting exceptions
under section 1178(a)(2)(A), a process for making exception
determinations was not adopted in the Transactions Rule. Instead, since
a process for making exception determinations was proposed in the
Privacy rulemaking, we decided that the comments received in the
Transactions rulemaking should be considered and addressed in
conjunction with the comments received on the process proposed in the
Privacy rulemaking. See 65 FR 50318 for a fuller discussion.
Accordingly, we discuss the preemption comments received in the
Transactions rulemaking where relevant below.
Comment: The majority of comments on preemption addressed the
subject in general terms. Numerous comments, particularly from plans
and providers, argued that the proposed preemption provisions were
burdensome, ineffective, or insufficient, and that complete federal
preemption of the ``patchwork'' of state privacy laws is needed. They
also argued that the proposed preemption provisions are likely to
invite litigation. Various practical arguments in support of this
position were made. Some of these comments recognized that the
Secretary's authority under section 1178 of the Act is limited and
acknowledged that the Secretary's proposals were within her statutory
authority. One commenter suggested that the exception determination
process would result in a very costly and laborious and sometimes
inconsistent analysis of the occasions in which state law would
[[Page 82580]]
survive federal preemption, and thus suggested the final privacy
regulations preempt state law with only limited exceptions, such as
reporting child abuse. Many other comments, however, recommended
changing the proposed preemption provisions to preempt state privacy
laws on as blanket a basis as possible.
One comment argued that the assumption that more stringent privacy
laws are better is not necessarily true, citing a 1999 GAO report
finding evidence that the stringent state confidentiality laws of
Minnesota halted the collection of comparative information on health
care quality.
Several comments in this vein were also received in the
Transactions rulemaking. The majority of these comments took the
position that exceptions to the federal standards should either be
prohibited or discouraged. It was argued that granting exceptions to
the standards, particularly the transactions standards, would be
inconsistent with the statute's objective of promoting administrative
simplification through the use of uniform transactions.
Many other commenters, however, endorsed the ``federal floor''
approach of the proposed rules. (These comments were made in the
context of the proposed privacy regulations.) These comments argued
that this approach was preferable because it would not impair the
effectiveness of state privacy laws that are more protective of
privacy, while raising the protection afforded medical information in
states that do not enact laws that are as protective as the rules
below. Some comments argued, however, that the rules should give even
more deference to state law, questioning in particular the definitions
and the proposed addition to the ``other purposes'' criterion for
exception determinations in this regard.
Response: With respect to the exception process provided for by
section 1178(a)(2)(A), the contention that the HIPAA standards should
uniformly control is an argument that should be addressed to the
Congress, not this agency. Section 1178 of the Act expressly gives the
Secretary authority to grant exceptions to the general rule that the
HIPAA standards preempt contrary state law in the circumstances she
determines come within the provisions at section 1178(a)(2)(A). We
agree that the underlying statutory goal of standardizing financial and
administrative health care transactions dictates that exceptions should
be granted only on narrow grounds. Nonetheless, Congress clearly
intended to accommodate some state laws in these areas, and the
Department is not free to disregard this Congressional choice. As is
more fully explained below, we have interpreted the statutory criteria
for exceptions under section 1178(a)(2)(A) to balance the need for
relative uniformity with respect to the HIPAA standards with state
needs to set certain policies in the statutorily defined areas.
The situation is different with respect to state laws relating to
the privacy of protected health information. Many of the comments
arguing for uniform standards were particularly concerned with
discrepancies between the federal privacy standards and various state
privacy requirements. Unlike the situation with respect to the
transactions standards, where states have generally not entered the
field, all states regulate the privacy of some medical information to a
greater or lesser extent. Thus, we understand the private sector's
concern at having to reconcile differing state and federal privacy
requirements.
This is, however, likewise an area where the policy choice has been
made by Congress. Under section 1178(a)(2)(B) of the Act and section
264(c)(2) of HIPAA, provisions of state privacy laws that are contrary
to and more stringent than the corresponding federal standard,
requirement, or implementation specification are not preempted. The
effect of these provisions is to let the law that is most protective of
privacy control (the ``federal floor'' approach referred to by many
commenters), and this policy choice is one with which we agree. Thus,
the statute makes it impossible for the Secretary to accommodate the
requests to establish uniformly controlling federal privacy standards,
even if doing so were viewed as desirable.
Comment: Numerous comments stated support for the proposal at
proposed Subpart B to issue advisory opinions with respect to the
preemption of state laws relating to the privacy of individually
identifiable health information. A number of these comments appeared to
assume that the Secretary's advisory opinions would be dispositive of
the issue of whether or not a state law was preempted. Many of these
commenters suggested what they saw as improvements to the proposed
process, but supported the proposal to have the Department undertake
this function.
Response: Despite the general support for the advisory opinion
proposal, we decided not to provide specifically for the issuance of
such opinions. The following considerations led to this decision.
First, the assumption by commenters that an advisory opinion would
establish what law applied in a given situation and thereby simplify
the task of ascertaining what legal requirements apply to a covered
entity or entities is incorrect. Any such opinion would be advisory
only. Although an advisory opinion issued by the Department would
indicate to covered entities how the Department would resolve the legal
conflict in question and would apply the law in determining compliance,
it would not bind the courts. While we assume that most courts would
give such opinions deference, the outcome could not be guaranteed.
Second, the thousands of questions raised in the public comment
about the interpretation, implications, and consequences of all of the
proposed regulatory provisions have led us to conclude that significant
advice and technical assistance about all of the regulatory
requirements will have to be provided on an ongoing basis. We recognize
that the preemption concerns that would have been addressed by the
proposed advisory opinions were likely to be substantial. However,
there is no reason to assume that they will be the most substantial or
urgent of the questions that will most likely need to be addressed. It
is our intent to provide as much technical advice and assistance to the
regulated community as we can with the resources available. Our concern
is that setting up an advisory opinion process for just one of the many
types of issues that will have to be addressed will lead to a non-
optimal allocation of those resources. Upon careful consideration,
therefore, we have decided that we will be better able to prioritize
our workload and be better able to be responsive to the most urgent and
substantial questions raised to the Department, if we do not provide
for a formal advisory opinion process on preemption as proposed.
Comment: A few commenters argued that the Privacy Rule should
preempt state laws that would impose more stringent privacy
requirements for the conduct of clinical trials. One commenter asserted
that the existing federal regulations and guidelines for patient
informed consent, together with the proposed rule, would adequately
protect patient privacy.
Response: The Department does not have the statutory authority
under HIPAA to preempt state laws that would impose more stringent
privacy requirements on covered entities. HIPAA provides that the rule
promulgated by the Secretary may not preempt state laws that are in
conflict
[[Page 82581]]
with the regulatory requirements and that provide greater privacy
protections.
Section 160.201--Applicability
Comment: Several commenters indicated that the guidance provided by
the definitions at proposed Sec. 160.202 would be of substantial
benefit both to regulated entities and to the public. However, these
commenters argued that the applicability of such definitions would be
too limited as drafted, since proposed Sec. 160.201 provided that the
definitions applied only to ``determinations and advisory opinions
issued by the Secretary pursuant to 42 U.S.C. 1320d-7.'' The commenters
stated that it would be far more helpful to make the definitions in
proposed Sec. 160.202 more broadly applicable, to provide general
guidance on the issue of preemption.
Response: We agree with the comments on this issue, and have
revised the applicability provision of subpart B below accordingly.
Section 160.201 below sets out that Subpart B implements section 1178.
This means, in our view, that the definitions of the statutory terms at
Sec. 160.202 are legislative rules that apply when those statutory
terms are employed, whether by HHS, covered entities, or the courts.
Section 160.202--Definitions
Contrary
Comment: Some commenters asserted that term ``contrary'' as defined
at Sec. 160.202 was overly broad and that its application would be
time-consuming and confusing for states. These commenters argued that,
under the proposed definition, a state would be required to examine all
of its laws relating to health information privacy in order to
determine whether or not its law were contrary to the requirements
proposed. It was also suggested that the definition contain examples of
how it would work in practical terms.
A few commenters, however, argued that the definition of
``contrary'' as proposed was too narrow. One commenter argued that the
Secretary erred in her assessment of the case law analyzing what is
known as ``conflict preemption'' and which is set forth in shorthand in
the tests set out at Sec. 160.202.
Response: We believe that the definition proposed represents a
policy that is as clear as is feasible and which can be applied
nationally and uniformly. As was noted in the preamble to the proposed
rules (at 64 FR 59997), the tests in the proposed definition of
``contrary'' are adopted from the jurisprudence of ``conflict
preemption.'' Since preemption is a judicially developed doctrine, it
is reasonable to interpret this term as indicating that the statutory
analysis should tie in to the analytical formulations employed by the
courts. Also, while the court-developed tests may not be as clear as
commenters would like, they represent a long-term, thoughtful
consideration of the problem of defining when a state/federal conflict
exists. They will also, we assume, generally be employed by the courts
when conflict issues arise under the rules below. We thus see no
practical alternative to the proposed definition and have retained it
unchanged. With respect to various suggestions for shorthand versions
of the proposed tests, such as the arguably broader term ``inconsistent
with,'' we see no operational advantages to such terms.
Comment: One comment asked that the Department clarify that if
state law is not preempted, then the federal law would not also apply.
Response: This comment raises two issues, both of which deserve
discussion. First, a state law may not be preempted because there is no
conflict with the analogous federal requirement; in such a situation,
both laws can, and must, be complied with. We thus do not accept this
suggestion, to the extent that it suggests that the federal law would
give way in this situation. Second, a state law may also not be
preempted because it comes within section 1178(a)(2)(B), section
1178(b), or section 1178(c); in this situation, a contrary federal law
would give way.
Comment: One comment urged the Department to take the position that
where state law exists and no analogous federal requirement exists, the
state requirement would not be ``contrary to'' the federal requirement
and would therefore not trigger preemption.
Response: We agree with this comment.
Comment: One commenter criticized the definition as unhelpful in
the multi-state transaction context. For example, it was asked whether
the issue of whether a state law was ``contrary to'' should be
determined by the law of the state where the treatment is provided,
where the claim processor is located, where the payment is issued, or
the data maintained, assuming all are in different states.
Response: This is a choice of law issue, and, as is discussed more
fully below, is a determination that is routinely made today in
connection with multi-state transactions. See discussion below under
Exception Determinations (Criteria for Exception Determinations).
State Law
Comment: Comments noted that the definition of ``state law'' does
not explicitly include common law and recommended that it be revised to
do so or to clarify that the term includes evidentiary privileges
recognized at state law. Guidance concerning the impact of state
privileges was also requested.
Response: As requested, we clarify that the definition of ``state
law'' includes common law by including the term ``common law.'' In our
view, this phrase encompasses evidentiary privileges recognized at
state law (which may also, we note, be embodied in state statutes).
Comment: One comment criticized this definition as unwieldy, in
that locating state laws pertaining to privacy is likely to be
difficult. It was noted that Florida, for example, has more than 60
statutes that address health privacy.
Response: To the extent that state laws currently apply to covered
entities, they have presumably determined what those laws require in
order to comply with them. Thus, while determining which laws are
``contrary'' to the federal requirements will require additional work
in terms of comparing state law with the federal requirements, entities
should already have acquired the knowledge of state law needed for this
task in the ordinary course of doing business.
Comment: The New York City Department of Health noted that in many
cases, provisions of New York State law are inapplicable within New
York City, because the state legislature has recognized that the local
code is tailored to the particular needs of the City. It urged that the
New York City Code be treated as state law, for preemption purposes.
Response: We agree that, to the extent a state treats local law as
substituting for state law it could be considered to be ``state law''
for purposes of this definition. If, however, a local law is local in
scope and effect, and a tier of state law exists over the same subject
matter, we do not think that the local law could or should be treated
as ``state law'' for preemption purposes. We do not have sufficient
information to assess the situation raised by this comment with respect
to this principle, and so express no opinion thereon.
More Stringent
Comment: Many commenters supported the policy in the proposed
definition of ``individual'' at proposed Sec. 164.502, which would have
permitted unemancipated minors to exercise, on
[[Page 82582]]
their own behalf, rights granted to individuals in cases where they
consented to the underlying health care. Commenters stated, however,
that the proposed preemption provision would leave in place state laws
authorizing or prohibiting disclosure to parents of the protected
health information of their minor children and would negate the
proposed policy for the treatment of minors under the rule. The
comments stated that such state laws should be treated like other state
laws, and preempted to the extent that they are less protective of the
privacy of minors.
Other commenters supported the proposed preemption provision--not
to preempt a state law to the extent it authorizes or prohibits
disclosure of protected health information regarding a minor to a
parent.
Response: Laws regarding access to health care for minors and
confidentiality of their medical records vary widely; this regulation
recognizes and respects the current diversity of state law in this
area. Where states have considered the balance involved in protecting
the confidentiality of minors' health information and have explicitly
acted, for example, to authorize disclosure, defer the decision to
disclose to the discretion of the health care provider, or prohibit
disclosure of minor's protected health information to a parent, the
rule defers to these decisions to the extent that they regulate such
disclosures.
Comment: The proposed definition of ``more stringent'' was
criticized as affording too much latitude to for granting exceptions
for state laws that are not protective of privacy. It was suggested
that the test should be ``most protective of the individual's
privacy.''
Response: We considered adopting this test. However, for the
reasons set out at 64 FR 59997, we concluded that this test would not
provide sufficient guidance. The comments did not address the concerns
we raised in this regard in the preamble to the proposed rules, and we
continue to believe that they are valid.
Comment: A drug company expressed concern with what it saw as the
expansive definition of this term, arguing that state governments may
have less experience with the special needs of researchers than federal
agencies and may unknowingly adopt laws that have a deleterious effect
on research. A provider group expressed concern that allowing stronger
state laws to prevail could result in diminished ability to get enough
patients to complete high quality clinical trials.
Response: These concerns are fundamentally addressed to the
``federal floor'' approach of the statute, not to the definition
proposed: even if the definition of ``more stringent'' were narrowed,
these concerns would still exist. As discussed above, since the
``federal floor'' approach is statutory, it is not within the
Secretary's authority to change the dynamics that are of concern.
Comment: One comment stated that the proposed rule seemed to
indicate that the ``more stringent'' and ``contrary to'' definitions
implied that these standards would apply to ERISA plans as well as to
non-ERISA plans.
Response: The concern underlying this comment is that ERISA plans,
which are not now subject to certain state laws because of the
``field'' preemption provision of ERISA but which are subject to the
rules below, will become subject to state privacy laws that are ``more
stringent'' than the federal requirements, due to the operation of
section 1178(a)(2)(B), together with section 264(c)(2). We disagree
that this is the case. While the courts will have the final say on
these questions, it is our view that these sections simply leave in
place more stringent state laws that would otherwise apply; to the
extent that such state laws do not apply to ERISA plans because they
are preempted by ERISA, we do not think that section 264(c)(2)
overcomes the preemption effected by section 514(a) of ERISA. For more
discussion of this point, see 64 FR 60001.
Comment: The Lieutenant Governor's Office of the State of Hawaii
requested a blanket exemption for Hawaii from the federal rules, on the
ground that its recently enacted comprehensive health privacy law is,
as a whole, more stringent than the proposed federal standards. It was
suggested that, for example, special weight should be given to the
severity of Hawaii's penalties. It was suggested that a new definition
(``comprehensive'') be added, and that ``more stringent'' be defined in
that context as whether the state act or code as a whole provides
greater protection.
An advocacy group in Vermont argued that the Vermont legislature
was poised to enact stronger and more comprehensive privacy laws and
stated that the group would resent a federal prohibition on that.
Response: The premise of these comments appears to be that the
provision-by-provision approach of Subpart B, which is expressed in the
definition of the term ``contrary'', is wrong. As we explained in the
preamble to the proposed rules (at 64 FR 59995), however, the statute
dictates a provision-by-provision comparison of state and federal
requirements, not the overall comparison suggested by these comments.
We also note that the approach suggested would be practically and
analytically problematic, in that it would be extremely difficult, if
not impossible, to determine what is a legitimate stopping point for
the provisions to be weighed on either the state side or the federal
side of the scale in determining which set of laws was the ``more
stringent.'' We accordingly do not accept the approach suggested by
these comments.
With respect to the comment of the Vermont group, nothing in the
rules below prohibits or places any limits on states enacting stronger
or more comprehensive privacy laws. To the extent that states enact
privacy laws that are stronger or more comprehensive than contrary
federal requirements, they will presumably not be preempted under
section 1178(a)(2)(B). To the extent that such state laws are not
contrary to the federal requirements, they will act as an overlay on
the federal requirements and will have effect.
Comment: One comment raised the issue of whether a private right of
action is a greater penalty, since the proposed federal rule has no
comparable remedy.
Response: We have reconsidered the proposed ``penalty'' provision
of the proposed definition of ``more stringent'' and have eliminated
it. The HIPAA statute provides for only two types of penalties: fines
and imprisonment. Both types of penalties could be imposed in addition
to the same type of penalty imposed by a state law, and should not
interfere with the imposition of other types of penalties that may be
available under state law. Thus, we think it is unlikely that there
would be a conflict between state and federal law in this respect, so
that the proposed criterion is unnecessary and confusing. In addition,
the fact that a state law allows an individual to file a lawsuit to
protect privacy does not conflict with the HIPAA penalty provisions.
Relates to the Privacy of Individually Identifiable Health Information
Comment: One comment criticized the definition of this term as too
narrow in scope and too uncertain. The commenter argued that
determining the specific purpose of a state law may be difficult and
speculative, because many state laws have incomplete, inaccessible, or
non-existent legislative histories. It was suggested that the
definition be revised by deleting the word ``specific'' before the word
``purpose.'' Another commenter argued
[[Page 82583]]
that the definition of this term should be narrowed to minimize reverse
preemption by more stringent state laws. One commenter generally
supported the proposed definition of this term.
Response: We are not accepting the first comment. The purpose of a
given state enactment should be ascertainable, if not from legislative
history or a purpose statement, then from the statute viewed as a
whole. The same should be true of state regulations or rulings. In any
event, it seems appropriate to restrict the field of state laws that
may potentially trump the federal standards to those that are clearly
intended to establish state public policy and operate in the same area
as the federal standards. To the extent that the definition in the
rules below does this, we have accommodated the second comment. We
note, however, that we do not agree that the definition should be
further restricted to minimize ``reverse preemption,'' as suggested by
this comment, as we believe that state laws that are more protective of
privacy than contrary federal standards should remain, in order to
ensure that the privacy of individuals' health information receives the
maximum legal protection available.
Sections 160.203 and 160.204--Exception Determinations and Advisory
Opinions
Most of the comments received on proposed Subpart B lumped together
the proposed process for exception determinations under section
1178(a)(2)(A) with the proposed process for issuing advisory opinions
under section 1178(a)(2)(B), either because the substance of the
comment applied to both processes or because the commenters did not
draw a distinction between the two processes. We address these general
comments in this section.
Comment: Numerous commenters, particularly providers and provider
groups, recommended that exception determinations and advisory opinions
not be limited to states and advocated allowing all covered entities
(including individuals, providers and insurers), or private sector
organizations, to request determinations and opinions with respect to
preemption of state laws. Several commenters argued that limiting
requests to states would deny third party stakeholders, such as life
and disability income insurers, any means of resolving complex
questions as to what rule they are subject to. One commenter noted that
because it is an insurer who will be liable if it incorrectly analyzes
the interplay between laws and reaches an incorrect conclusion, there
would be little incentive for the states to request clarification. It
would also cause large administrative burdens which, it was stated,
would be costly and confusing. It was also suggested that the request
for the exception be made to the applicable state's attorney general or
chief legal officer, as well as the Secretary. Various changes to the
language were suggested, such as adding that ``a covered entity, or any
other entity impacted by this rule'' be allowed to submit the written
request.
Response: We agree, and have changed Sec. 164.204(a) below
accordingly.
The decision to eliminate advisory opinions makes this issue moot
with respect to those opinions.
Comment: Several commenters noted that it was unclear under the
proposed rule which state officials would be authorized to request a
determination.
Response: We agree that the proposed rule was unclear in this
respect. The final rule clarifies who may make the request for a state,
with respect to exception determinations. See, Sec. 160.204(a). The
language adopted should ensure that the Secretary receives an
authoritative statement from the state. At the same time, this language
provides states with flexibility, in that the governor or other chief
elected official may choose to designate other state officials to make
such requests.
Comment: Many commenters recommended that a process be established
whereby HHS performs an initial state-by-state critical analysis to
provide guidance on which state laws will not be preempted; most
suggested that such an analysis (alternatively referred to as a
database or clearinghouse) should be completed before providers would
be required to come into compliance. Many of these comments argued that
the Secretary should bear the cost for the analyses of state law,
disagreeing with the premise stated in the preamble to the proposed
rules that it is more efficient for the private market to complete the
state-by-state review. Several comments also requested that HHS
continue to maintain and monitor the exception determination process,
and update the database over time in order to provide guidance and
certainty on the interaction of the federal rules with newly enacted or
amended state laws that are produced after the final rule. Some
comments recommended that each state be required to certify agreement
with the HHS analyses.
In contrast, one hospital association noted concerns that the
Secretary would conduct a nationwide analysis of state laws. The
comment stated that implementation would be difficult since much of the
law is a product of common law, and such state-specific research should
only be attempted by experienced health care attorneys in each
jurisdiction.
Response: These comments seem to be principally concerned with
potential conflicts between state privacy laws and the privacy
standards, because, as is more fully explained below, preemption of
contrary state laws not relating to privacy is automatic unless the
Secretary affirmatively acts under section 1178(a)(2)(A) to grant an
exception. We recognize that the provisions of sections 1178(b) (state
public health laws), and 1178(c) (state regulation of health plans)
similarly preserve state laws in those areas, but very little of the
public comment appeared to be concerned with these latter statutory
provisions. Accordingly, we respond below to what we see as the
commenters' main concern.
The Department will not do the kind of global analysis requested by
many of these comments. What these comments are in effect seeking is a
global advisory opinion as to when the federal privacy standards will
control and when they will not. We understand the desire for certainty
underlying these comments. Nonetheless, the reasons set out above as
the basis for our decision not to establish a formal advisory opinion
process apply equally to these requests. We also do not agree that the
task of evaluating the requirements below in light of existing state
law is unduly burdensome or unreasonable. Rather, it is common for new
federal requirements to necessitate an examination by the regulated
entities of the interaction between existing state law and the federal
requirements incident to coming into compliance.
We agree, however, that the case is different where the Secretary
has affirmatively acted, either through granting an exception under
section 1178(a)(2)(A) or by making a specific determination about the
effect of a particular state privacy law in, for example, the course of
determining an entity's compliance with the privacy standards. As is
discussed below, the Department intends to make notice of exception
determinations that it makes routinely available.
We do not agree with the comments suggesting that compliance by
covered entities be delayed pending completion of an analysis by the
Secretary and that states be required to certify agreement with the
Secretary's analysis, as we are not institutionalizing the advisory
opinion/analysis process upon which these comments are predicated.
[[Page 82584]]
Furthermore, with respect to the suggestion regarding delaying the
compliance date, Congress provided in section 1175(b) of the Act for a
delay in when compliance is required to accommodate the needs of
covered entities to address implementation issues such as those raised
by these comments. With respect to the suggestion regarding requiring
states to certify their agreement with the Secretary's analysis, we
have no authority to do this.
Comment: Several commenters criticized the proposed provision for
annual publication of determinations and advisory opinions in the
Federal Register as inadequate. They suggested that more frequent
notices should be made and the regulation be changed accordingly, to
provide for publication either quarterly or within a few days of a
determination. A few commenters suggested that any determinations made,
or opinions issued, by the Secretary be published on the Department's
website within 10 days or a few days of the determination or opinion.
Response: We agree that the proposed provision for annual
publication was inadequate and have accordingly deleted it. Subpart B
contains no express requirement for publication, as the Department is
free to publish its determinations absent such a requirement. It is our
intention to publish notice of exception determinations on a periodic
basis in the Federal Register. We will also consider other avenues of
making such decisions publicly available as we move into the
implementation process.
Comment: A few commenters argued that the process for obtaining an
exception determination or an advisory opinion from the Secretary will
result in a period of time in which there is confusion as to whether
state or federal law applies. The proposed regulations say that the
federal provisions will remain effective until the Secretary makes a
determination concerning the preemption issue. This means that, for
example, a state law that was enacted and enforced for many years will
be preempted by federal law for the period of time during which it
takes the Secretary to make a determination. Then if the Secretary
determines that the state law is not preempted, the state law will
again become effective. Such situations will result in confusion and
unintended violations of the law. One of the commenters suggested that
requests for exceptions be required only when a challenge is brought
against a particular state law, and that a presumption of validity
should lie with state laws. Another commenter, however, urged that
``instead of the presumption of preemption, the state laws in question
would be presumed to be subject to the exception unless or until the
Secretary makes a determination to the contrary.''
Response: It is true that the effect of section 1178(a)(2)(A) is
that the federal standards will preempt contrary state law and that
such preemption will not be removed unless and until the Secretary acts
to grant an exception under that section (assuming, of course, that
another provision of section 1178 does not apply). We do not agree,
however, that confusion should result, where the issue is whether a
given state law has been preempted under section 1178(a)(2)(A). Because
preemption is automatic with respect to state laws that do not come
within the other provisions of section 1178 (i.e., sections
1178(a)(2)(B), 1178(b), and 1178(c)), such state laws are preempted
until the Secretary affirmatively acts to preserve them from preemption
by granting an exception under section 1178(a)(2)(A).
We cannot accept the suggestion that a presumption of validity
attach to state laws, and that states not be required to request
exceptions except in very narrow circumstances. The statutory scheme is
the opposite: The statute effects preemption in the section
1178(a)(2)(A) context unless the Secretary affirmatively acts to except
the contrary state law in question.
With respect to preemption under sections 1178(b) and 1178(c) (the
carve-outs for state public health laws and state regulation of health
plans), we do not agree that preemption is likely to be a major cause
of uncertainty. We have deferred to Congressional intent by crafting
the permissible releases for public health, abuse, and oversight
broadly. See, Secs. 164.512(b)--(d) below. Since there must first be a
conflict between a state law and a federal requirement in order for an
issue of preemption to even arise, we think that, as a practical
matter, few preemption questions should arise with respect to sections
1178(b) and 1178(c).
With respect to preemption of state privacy laws under section
1178(a)(2)(B), however, we agree that the situation may be more
difficult to ascertain, because the Secretary does not determine the
preemption status of a state law under that section, unlike the
situation with respect to section 1178(a)(2)(A). We have tried to
define the term ``more stringent'' to identify and particularize the
factors to be considered by courts to those relevant to privacy
interests. The more specific (than the statute) definition of this term
at Sec. 160.202 below should provide some guidance in making the
determination as to which law prevails. Ambiguity in the state of the
law might also be a factor to be taken into account in determining
whether a penalty should be applied.
Comment: Several comments recommended that exception determinations
or advisory opinions encompass a state act or code in its entirety (in
lieu of a provision-specific evaluation) if it is considered more
stringent as a whole than the regulation. It was argued that since the
provisions of a given law are typically interconnected and related,
adopting or overriding them on a provision-by-provision basis would
result in distortions and/or unintended consequences or loopholes. For
example, when a state law includes authorization provisions, some of
which are consistent with the federal requirements and some which are
not, the cleanest approach is to view the state law as inconsistent
with the federal requirements and thus preempted in its entirety.
Similarly, another comment suggested that state confidentiality laws
written to address the specific needs of individuals served within a
discreet system of care be considered as a whole in assessing whether
they are as stringent or more stringent than the federal requirements.
Another comment requested explicit clarification that state laws with a
broader scope than the regulation will be viewed as more stringent and
be allowed to stand.
Response: We have not adopted the approach suggested by these
comments. As discussed above with respect to the definition of the term
``more stringent,'' it is our view that the statute precludes the
approach suggested. We also suggest that this approach ignores the fact
that each separate provision of law usually represents a nuanced policy
choice to, for example, permit this use or prohibit that disclosure;
the aggregated approach proposed would fail to recognize and weigh such
policy choices.
Comment: One comment recommended that the final rule: permit
requests for exception determinations and advisory opinions as of the
date of publication of the final rule, require the Secretary to notify
the requestor within a specified short period of time of all additional
information needed, and prohibit enforcement action until the Secretary
issues a response.
Response: With respect to the first recommendation, we clarify that
requests for exception determinations may be made at any time; since
the process for issuing advisory opinions has not been adopted, this
recommendation is moot as it pertains
[[Page 82585]]
to advisory opinions. With respect to the second recommendation, we
will undertake to process exception requests as expeditiously as
possible, but, for the reasons discussed below in connection with the
comments relating to setting deadlines for those determinations, we
cannot commit at this time to a ``specified short period of time''
within which the Secretary may request additional information. We see
no reason to agree to the third recommendation. Because contrary state
laws for which an exception is available only under section
1178(a)(2)(A) will be preempted by operation of law unless and until
the Secretary acts to grant an exception, there will be an
ascertainable compliance standard for compliance purposes, and
enforcement action would be appropriate where such compliance did not
occur.
Sections 160.203(a) and 160.204(a)--Exception Determinations
Section 160.203(a)--Criteria for Exception Determinations
Comment: Numerous comments criticized the proposed criteria for
their substance or lack thereof. A number of commenters argued that the
effectiveness language that was added to the third statutory criterion
made the exception so massive that it would swallow the rule. These
comments generally expressed concern that laws that were less
protective of privacy would be granted exceptions under this language.
Other commenters criticized the criteria generally as creating a large
loophole that would let state laws that do not protect privacy trump
the federal privacy standards.
Response: We agree with these comments. The scope of the statutory
criteria is ambiguous, but they could be read so broadly as to largely
swallow the federal protections. We do not think that this was
Congress's intent. Accordingly, we have added language to most of the
statutory criteria clarifying their scope. With respect to the criteria
at 1178(a)(2)(A)(i), this clarifying language generally ties the
criteria more specifically to the concern with protecting and making
more efficient the health care delivery and payment system that
underlies the Administrative Simplification provisions of HIPAA, but,
with respect to the catch-all provision at section
1178(a)(2)(A)(i)(IV), also requires that privacy interests be balanced
with such concerns, to the extent relevant. We require that exceptions
for rules to ensure appropriate state regulation of insurance and
health plans be stated in a statute or regulation, so that such
exceptions will be clearly tied to statements of priorities made by
publicly accountable bodies (e.g., through the public comment process
for regulations, and by elected officials through statutes). With
respect to the criterion at section 1178(a)(2)(A)(ii), we have further
delineated what ``addresses controlled substances'' means. The language
provided, which builds on concepts at 21 U.S.C. 821 and the Medicare
regulations at 42 CFR 1001.2, delineates the area within which the
government traditionally regulates controlled substances, both civilly
and criminally; it is our view that HIPAA was not intended to displace
such regulation.
Comment: Several commenters urged that the request for
determination by the Secretary under proposed Sec. 160.204(a) be
limited to cases where an exception is absolutely necessary, and that
in making such a determination, the Secretary should be required to
make a determination that the benefits of granting an exception
outweigh the potential harm and risk of disclosure in violation of the
regulation.
Response: We have not further defined the statutory term
``necessary'', as requested. We believe that the determination of what
is ``necessary'' will be fact-specific and context dependent, and
should not be further circumscribed absent such specifics. The state
will need to make its case that the state law in question is
sufficiently ``necessary'' to accomplish the particular statutory
ground for exception that it should trump the contrary federal
standard, requirement, or implementation specification.
Comment: One commenter noted that a state should be required to
explain whether it has taken any action to correct any less stringent
state law for which an exception has been requested. This commenter
recommended that a section be added to proposed Sec. 160.204(a) stating
that ``a state must specify what, if any, action has been taken to
amend the state law to comply with the federal regulations.'' Another
comment, received in the Transactions rulemaking, took the position
that exception determinations should be granted only if the state
standards in question exceeded the national standards.
Response: The first and last comments appear to confuse the ``more
stringent'' criterion that applies under section 1178(a)(2)(B) of the
Act with the criteria that apply to exceptions under section
1178(a)(2)(A). We are also not adopting the language suggested by the
first comment, because we do not agree that states should necessarily
have to try to amend their state laws as a precondition to requesting
exceptions under section 1178(a)(2)(A). Rather, the question should be
whether the state has made a convincing case that the state law in
question is sufficiently necessary for one of the statutory purposes
that it should trump the contrary federal policy.
Comment: One commenter stated that exceptions for state laws that
are contrary to the federal standards should not be preempted where the
state and federal standards are found to be equal.
Response: This suggestion has not been adopted, as it is not
consistent with the statute. With respect to the administrative
simplification standards in general, it is clear that the intent of
Congress was to preempt contrary state laws except in the limited areas
specified as exceptions or carve-outs. See, section 1178. This
statutory approach is consistent with the underlying goal of
simplifying health care transactions through the adoption of uniform
national standards. Even with respect to state laws relating to the
privacy of medical information, the statute shields such state laws
from preemption by the federal standards only if they are ``more''
stringent than the related federal standard or implementation
specification.
Comment: One commenter noted that determinations would apply only
to transactions that are wholly intrastate. Thus, any element of a
health care transaction that would implicate more than one state's law
would automatically preclude the Secretary's evaluation as to whether
the laws were more or less stringent than the federal requirement.
Other commenters expressed confusion about this proposed requirement,
noting that providers and plans operate now in a multi-state
environment.
Response: We agree with the commenters and have dropped the
proposed requirement. As noted by the commenters, health care entities
now typically operate in a multi-state environment, so already make the
choice of law judgements that are necessary in multi-state
transactions. It is the result of that calculus that will have to be
weighed against the federal standards, requirements, and implementation
specifications in the preemption analysis.
Comment: One comment received in the Transactions rulemaking
suggested that the Department should allow exceptions to the standard
transactions to accommodate abbreviated transactions between state
agencies, such as claims between a public health department and the
state Medicaid
[[Page 82586]]
agency. Another comment requested an exception for Home and Community
Based Waiver Services from the transactions standards.
Response: The concerns raised by these comments would seem to be
more properly addressed through the process established for maintaining
and modifying the transactions standards. If the concerns underlying
these comments cannot be addressed in this manner, however, there is
nothing in the rules below to preclude states from requesting
exceptions in such cases. They will then have to make the case that one
or more grounds for exception applies.
Section 160.204(a)--Process for Exception Determinations--Comments and
Responses
Comment: Several comments received in the Transactions rulemaking
stated that the process for applying for and granting exception
determinations (referred to as ``waivers'' by some) needed to be
spelled out in the final rule.
Response: We agree with these comments. As noted above, since no
process was proposed in the Transactions rulemaking, a process for
making exception determinations was not adopted in those final rules.
Subpart B below adopts a process for making exception determinations,
which responds to these comments.
Comment: Comments stated that the exception process would be
burdensome, unwieldy, and time-consuming for state agencies as well as
the Department. One comment took the position that states should not be
required to submit exception requests to the Department under proposed
Sec. 160.203(a), but could provide documentation that the state law
meets one of the conditions articulated in proposed Sec. 160.203.
Response: We disagree that the process adopted at Sec. 164.204
below will be burdensome, unwieldy, or time-consuming. The only thing
the regulation describes is the showings that a requestor must make as
part of its submission, and all are relevant to the issue to be
determined by the Secretary. How much information is submitted is,
generally speaking, in the requestor's control, and the regulation
places no restrictions on how the requestor obtains it, whether by
acting directly, by working with providers and/or plans, or by working
with others. With respect to the suggestion that states not be required
to submit exception requests, we disagree that this suggestion is
either statutorily authorized or advisable. We read this comment as
implicitly suggesting that the Secretary must proactively identify
instances of conflict and evaluate them. This suggestion is, thus, at
bottom the same as the many suggestions that we create a database or
compendium of controlling law, and it is rejected for the same reasons.
Comment: Several comments urged that all state requests for non-
preemption include a process for public participation. These comments
believe that members of the public and other interested stakeholders
should be allowed to submit comments on a state's request for
exception, and that these comments should be reviewed and considered by
the Secretary in determining whether the exception should be granted.
One comment suggested that the Secretary at least give notice to the
citizens of the state prior to granting an exception.
Response: The revision to Sec. 160.204(a), to permit requests for
exception determinations by any person, responds to these comments.
Comment: Many commenters noted that the lack of a clear and
reasonable time line for the Secretary to issue an exception
determination would not provide sufficient assurance that the questions
regarding what rules apply will be resolved in a time frame that will
allow business to be conducted properly, and argued that this would
increase confusion and uncertainty about which statutes and regulations
should be followed. Timeframes of 60 or 90 days were suggested. One
group suggested that, if a state does not receive a response from HHS
within 60 days, the waiver should be deemed approved.
Response: The workload prioritization and management considerations
discussed above with respect to advisory opinions are also relevant
here and make us reluctant to agree to a deadline for making exception
determinations. This is particularly true at the outset, since we have
no experience with such requests. We therefore have no basis for
determining how long processing such requests will take, how many
requests we will need to process, or what resources will be available
for such processing. We agree that states and other requesters should
receive timely responses and will make every effort to make
determinations as expeditiously as possible, but we cannot commit to
firm deadlines in this initial rule. Once we have experience in
handling exception requests, we will consult with states and others in
regard to their experiences and concerns and their suggestions for
improving the Secretary's expeditious handling of such requests.
We are not accepting the suggestion that requests for exception be
deemed approved if not acted upon in some defined time period. Section
1178(a)(2)(A) requires a specific determination by the Secretary. The
suggested policy would not be consistent with this statutory
requirement. It is also inadvisable from a policy standpoint, in that
it would tend to maximize exceptions. This would be contrary to the
underlying statutory policy in favor of uniform federal standards.
Comment: One commenter took exception to the requirement for states
to seek a determination from the Department that a provision of state
law is necessary to prevent fraud and abuse or to ensure appropriate
state regulation of insurance plans, contending that this mandate could
interfere with the Insurance Commissioners' ability to do their jobs.
Another commenter suggested that the regulation specifically recognize
the broad scope of state insurance department activities, such as
market conduct examinations, enforcement investigations, and consumer
complaint handling.
Response: The first comment raises an issue that lies outside our
legal authority to address, as section 1178(a)(2)(A) clearly mandates
that the Secretary make a determination in these areas. With respect to
the second comment, to the extent these concerns pertain to health
plans, we believe that the provisions at Sec. 164.512 relating to
oversight and disclosures required by law should address the concerns
underlying this comment.
Section 160.204(a)(4)--Period of Effectiveness of Exception
Determinations
Comment: Numerous commenters stated that the proposed three year
limitation on the effectiveness of exception determinations would pose
significant problems and should be limited to one year, since a one
year limitation would provide more frequent review of the necessity for
exceptions. The commenters expressed concern that state laws which
provide less privacy protection than the federal regulation would be
given exceptions by the Secretary and thus argued that the exceptions
should be more limited in duration or that the Secretary should require
that each request, regardless of duration, include a description of the
length of time such an exception would be needed.
One state government commenter, however, argued that the 3 year
limit should be eliminated entirely, on the ground that requiring a
redetermination
[[Page 82587]]
every three years would be burdensome for the states and be a waste of
time and resources for all parties. Other commenters, including two
state agencies, suggested that the exemption should remain effective
until either the state law or the federal regulation is changed.
Another commenter suggested that the three year sunset be deleted and
that the final rule provide for automatic review to determine if
changes in circumstance or law would necessitate amendment or deletion
of the opinion. Other recommendations included deeming the state law as
continuing in effect upon the submission of a state application for an
exemption rather than waiting for a determination by the Secretary that
may not occur for a substantial period of time.
Response: We are persuaded that the proposed 3 year limit on
exception determinations does not make sense where neither law
providing the basis for the exception has changed in the interim. We
also agree that where either law has changed, a previously granted
exception should not continue. Section 160.205(a) below addresses these
concerns.
Sections 160.203(b) and 160.204(b)--Advisory Opinions
Section 160.203(b)--Effect of Advisory Opinions
Comment: Several commenters questioned whether or not DHHS has
standing to issue binding advisory opinions and recommended that the
Department clarify this issue before implementation of this regulation.
One respondent suggested that the Department clarify in the final rule
the legal issues on which it will opine in advisory opinion requests,
and state that in responding to requests for advisory opinions the
Department will not opine on the preemptive force of ERISA with respect
to state laws governing the privacy of individually identifiable health
information, since interpretations as to the scope and extent of
ERISA's preemption provisions are outside of the Department's
jurisdictional authority.
One commenter asked whether a state could enforce a state law which
the Secretary had indicated through an advisory opinion is preempted by
federal law. This commenter also asked whether the state would be
subject to penalties if it chose to continue to enforce its own laws.
Response: As discussed above, in part for reasons raised by these
comments, the Department has decided not to have a formal process for
issuing advisory opinions, as proposed.
Several of these concerns, however, raise issues of broader concern
that need to be addressed. First, we disagree that the Secretary lacks
legal authority to opine on whether or not state privacy laws are
preempted. The Secretary is charged by law with determining compliance,
and where state law and the federal requirements conflict, a
determination of which law controls will have to be made in order to
determine whether the federal standard, requirement, or implementation
specification at issue has been violated. Thus, the Secretary cannot
carry out her enforcement functions without making such determinations.
It is further reasonable that, if the Secretary makes such
determinations, she can make those determinations known, for whatever
persuasive effect they may have.
The questions as to whether a state could enforce, or would be
subject to penalties if it chose to continue to enforce, its own laws
following a denial by the Secretary of an exception request under
Sec. 160.203 or a holding by a court of competent jurisdiction that a
state privacy law had been preempted by a contrary federal privacy
standard raise several issues. First, a state law is preempted under
the Act only to the extent that it applies to covered entities; thus, a
state is free to continue to enforce a ``preempted'' state law against
non-covered entities to which the state law applies. If there is a
question of coverage, states may wish to establish processes to
ascertain which entities within their borders are covered entities
within the meaning of these rules. Second, with respect to covered
entities, if a state were to try to enforce a preempted state law
against such entities, it would presumably be acting without legal
authority in so doing. We cannot speak to what remedies might be
available to covered entities to protect themselves against such
wrongful state action, but we assume that covered entities could seek
judicial relief, if all else failed. With respect to the issue of
imposing penalties on states, we do not see this as likely. The only
situation that we can envision in which penalties might be imposed on a
state would be if a state agency were itself a covered entity and
followed a preempted state law, thereby violating the contrary federal
standard, requirement, or implementation specification.
Section 160.204(b)--Process for Advisory Opinions
Comment: Several commenters stated that it was unclear whether a
state would be required to submit a request for an advisory opinion in
order for the law to be considered more stringent and thus not
preempted. The Department should clarify whether a state law could be
non-preempted even without such an advisory opinion. Another commenter
requested that the final rule explicitly state that the stricter rule
always applies, whether it be state or federal, and regardless of
whether there is any conflict between state and federal law.
Response: The elimination of the proposed process for advisory
opinions renders moot the first question. Also, the preceding response
clarifies that which law preempts in the privacy context (assuming that
the state law and federal requirement are ``contrary'') is a matter of
which one is the ``more stringent.'' This is not a matter which the
Secretary will ultimately determine; rather, this is a question about
which the courts will ultimately make the final determination. With
respect to the second comment, we believe that Sec. 160.203(b) below
responds to this issue, but we would note that the statute already
provides for this.
Comment: Several commenters supported the decision to limit the
parties who may request advisory opinions to the state. These
commenters did not believe that insurers should be allowed to request
an advisory opinion and open every state law up to challenge and
review.
Several commenters requested that guidance on advisory opinions be
provided in all circumstances, not only at the Secretary's discretion.
It was suggested that proposed Sec. 160.204(b)(2)(iv) be revised to
read as follows: ``A state may submit a written request to the
Secretary for an advisory opinion under this paragraph. The request
must include the following information: the reasons why the state law
should or should not be preempted by the federal standard, requirement,
or implementation specification, including how the state law meets the
criteria at Sec. 160.203(b).''
Response: The decision not to have a formal process for issuing
advisory opinions renders these issues moot.
Sections 160.203(c) and 160.203(d)--Statutory Carve-Outs
Comment: Several commenters asked that the Department provide more
specific examples itemizing activities traditionally regulated by the
state that could constitute ``carve-out'' exceptions. These commenters
also requested that the Department include language in the regulation
stating that if a state law falls within several different exceptions,
the state chooses which determination exception shall apply.
[[Page 82588]]
Response: We are concerned that itemizing examples in this way
could leave out important state laws or create inadvertent negative
implications that laws not listed are not included. However, as
explained above, we have designed the types of activities that are
permissive disclosures for public health under Sec. 164.512(b) below in
part to come within the carve-out effected by section 1178(b); while
the state regulatory activities covered by section 1178(c) will
generally come within Sec. 164.512(d) below. With respect to the
comments asking that a state get to ``choose'' which exception it comes
under, we have in effect provided for this with respect to exceptions
under section 1178(a)(2)(A), by giving the state the right to request
an exception under that section. With respect to exceptions under
section 1178(a)(2)(B), those exceptions occur by operation of law, and
it is not within the Secretary's power to ``let'' the state choose
whether an exception occurs under that section.
Comment: Several commenters took the position that the Secretary
should not limit the procedural requirements in proposed
Sec. 160.204(a) to only those applications under proposed
Sec. 160.203(a). They urged that the requirements of proposed
Sec. 160.204(a) should also apply to preemption under sections
1178(a)(2)(B), 1178(b) and 1178(c). It was suggested that the rules
should provide for exception determinations with respect to the matters
covered by these provisions of the statute; such additional provisions
would provide clear procedures for states to follow and ensure that
requests for exceptions are adequately documented.
A slightly different approach was taken by several commenters, who
recommended that proposed Sec. 160.204(b) be amended to clarify that
the Secretary will also issue advisory opinions as to whether a state
law constitutes an exception under proposed Secs. 160.203(c) and
160.203(d). This change would, they argued, give states the same
opportunity for guidance that they have under Sec. 160.203(a) and (b),
and as such, avoid costly lawsuits to preserve state laws.
Response: We are not taking either of the recommended courses of
action. With respect to the recommendation that we expand the exception
determination process to encompass exceptions under sections
1178(a)(2)(B), 1178(b), and 1178(c), we do not have the authority to
grant exceptions under these sections. Under section 1178, the
Secretary has authority to make exception determinations only with
respect to the matters covered by section 1178(a)(2)(A); contrary state
laws coming within section 1178(a)(2)(B) are preempted if not more
stringent, while if a contrary state law comes within section 1178(b)
or section 1178(c), it is not preempted. These latter statutory
provisions operate by their own terms. Thus, it is not within the
Secretary's authority to establish the determination process which
these comments seek.
With respect to the request seeking advisory opinions in the
section 1178(b) and 1178(c) situations, we agree that we have the
authority to issue such opinions. However, the considerations described
above that have led us not to adopt a formal process for issuing
advisory opinions in the privacy context apply with equal force and
effect here.
Comment: One commenter argued that it would be unnecessarily
burdensome for state health data agencies (whose focus is on the cost
of healthcare or improving Medicare, Medicaid, or the healthcare
system) to obtain a specific determination from the Department for an
exception under proposed Sec. 160.203(c). States should be required
only to notify the Secretary of their own determination that such
collection is necessary. It was also argued that cases where the
statutory carve-outs apply should not require a Secretarial
determination.
Response: We clarify that no Secretarial determination is required
for activities that fall into one of the statutory carve-outs. With
respect to data collections for state health data agencies, we note
that provision has been made for many of these activities in several
provisions of the rules below, such as the provisions relating to
disclosures required by law (Sec. 164.512(a)), disclosures for
oversight (Sec. 164.512(d)), and disclosures for public health
(Sec. 164.512(b)). Some disclosures for Medicare and Medicaid purposes
may also come within the definition of health care operations. A fuller
discussion of this issue appears in connection with Sec. 164.512 below.
Constitutional Comments and Responses
Comment: Several commenters suggested that as a general matter the
rule is unconstitutional.
Response: We disagree that the rule is unconstitutional. The
particular grounds for this conclusion are set out with respect to
particular constitutional issues in the responses below. With respect
to the comments that simply made this general assertion, the lack of
detail of the comments makes a substantive response impossible.
Article II
Comment: One commenter contended that the Secretary improperly
delegated authority to private entities by requiring covered entities
to enter into contracts with, monitor, and take action for violations
of the contract against their business partners. These comments assert
that the selection of these entities to ``enforce'' the regulations
violates the Executive Powers Clause and the Appointments and Take Care
Clauses.
Response: We reject the assertion that the business associate
provisions constitute an improper delegation of executive power to
private entities. HIPAA provides HHS with authority to enforce the
regulation against covered entities. The rules below regulate only the
conduct of the covered entity; to the extent a covered entity chooses
to conduct its funding through a business associate, those functions
are still functions of the covered entity. Thus, no improper delegation
has occurred because what is being regulated are the actions of the
covered entity, not the actions of the business associate in its
independent capacity.
We also reject the suggestion that the business associates
provisions constitute an improper appointment of covered entities to
enforce the regulation and violate the Take Care Clause. Because the
Secretary has not delegated authority to covered entities, the
inference that she has appointed covered entities to exercise such
authority misses the mark.
Commerce Clause
Comment: A few commenters suggested that the privacy regulation
regulates activities that are not in interstate commerce and which are,
therefore, beyond the powers the U.S. Constitution gives the federal
government.
Response: We disagree. Health care providers, health plans, and
health care clearinghouses are engaged in economic and commercial
activities, including the exchange of individually identifiable health
information electronically across state lines. These activities
constitute interstate commerce. Therefore, they come within the scope
of Congress' power to regulate interstate commerce.
Nondelegation Doctrine
Comment: Some commenters objected to the manner by which Congress
provided the Secretary authority to promulgate this regulation. These
comments asserted that Congress violated the nondelegation doctrine by
(1) not providing an ``intelligible principle'' to guide the agency,
(2) not
[[Page 82589]]
establishing ``ascertainable standards,'' and (3) improperly permitting
the Secretary to make social policy decisions.
Response: We disagree. HIPAA clearly delineates Congress' general
policy to establish strict privacy protections for individually
identifiable health information to encourage electronic transactions.
Congress also established boundaries limiting the Secretary's
authority. Congress established these limitations in several ways,
including by calling for privacy standards for ``individually
identifiable health information''; specifying that privacy standards
must address individuals' rights regarding their individually
identifiable health information, the procedures for exercising those
rights, and the particular uses and disclosures to be authorized or
required; restricting the direct application of the privacy standards
to ``covered entities,'' which Congress defined; requiring consultation
with the National Committee on Vital and Health Statistics and the
Attorney General; specifying the circumstances under which the federal
requirements would supersede state laws; and specifying the civil and
criminal penalties the Secretary could impose for violations of the
regulation. These limitations also serve as ``ascertainable standards''
upon which reviewing courts can rely to determine the validity of the
exercise of authority.
Although Congress could have chosen to impose expressly an
exhaustive list of specifications that must be met in order to achieve
the protective purposes of the HIPAA, it was entirely permissible for
Congress to entrust to the Secretary the task of providing these
specifications based on her experience and expertise in dealing with
these complex and technical matters.
We disagree with the comments that Congress improperly delegated
Congressional policy choices to her. Congress clearly decided to create
federal standards protecting the privacy of ``individually identifiable
health information'' and not to preempt state laws that are more
stringent. Congress also determined over whom the Secretary would have
authority, the type of information protected, and the minimum level of
regulation.
Separation of Powers
Comment: Some commenters asserted that the federal government may
not preempt state laws that are not as strict as the privacy regulation
because to do so would violate the separation of powers in the U.S.
Constitution. One comment suggested that the rules raised a substantial
constitutional issue because, as proposed, they permitted the Secretary
to make determinations on preemption, which is a role reserved for the
judiciary.
Response: We disagree. We note that this comment only pertains to
determinations under section 1178(a)(2)(A); as discussed above, the
rules below provide for no Secretarial determinations with respect to
state privacy laws coming within section 1178(a)(2)(B). With respect to
determinations under section 1178(a)(2)(A), however, the final rules,
like the proposed rules, provide that at a state's request the
Secretary may make certain determinations regarding the preemptive
effect of the rules on a particular state law. As usually the case with
any administrative decisions, these are subject to judicial review
pursuant to the Administrative Procedure Act.
First Amendment
Comment: Some comments suggested that the rules violated the First
Amendment. They asserted that if the rule included Christian Science
practitioners as covered entities it would violate the separation of
church and state doctrine.
Response: We disagree. The First Amendment does not always prohibit
the federal government from regulating secular activities of religious
organizations. However, we address concerns relating to Christian
Science practitioners more fully in the response to comments discussion
of the definition of ``covered entity'' in Sec. 160.103.
Fourth Amendment
Comment: Many comments expressed Fourth Amendment concerns about
various proposed provisions. These comments fall into two categories--
general concerns about warrantless searches and specific concerns about
administrative searches. Several comments argued that the proposed
regulations permit law enforcement and government officials access to
protected health information without first requiring a judicial search
warrant or an individual's consent. These comments rejected the
applicability of any of the existing exceptions permitting warrantless
searches in this context. Another comment argued that federal and state
police should be able to obtain personal medical records only with the
informed consent of an individual. Many of these comments also
expressed concern that protected health information could be provided
to government or private agencies for inclusion in a governmental
health data system.
Response: We disagree that the provisions of these rules that
permit disclosures for law enforcement purposes and governmental health
data systems generally violate the Fourth Amendment. The privacy
regulation does not create new access rights for law enforcement.
Rather, it refrains from placing a significant barrier in front of
access rights that law enforcement currently has under existing legal
authority. While the regulation may permit a covered entity to make
disclosures in specified instances, it does not require the covered
entity make the disclosure. Thus, because we are not modifying existing
law regarding disclosures to law enforcement officials, except to
strengthen the requirements related to requests already authorized
under law, and are not requiring any such disclosures, the privacy
regulation does not infringe upon individual's Fourth Amendment rights.
We discuss the rationale underlying the permissible disclosures to law
enforcement officials more fully in the preamble discussion relating to
Sec. 164.512(f).
We note that the proposed provision relating to disclosures to
government health data systems has been eliminated in the final rule.
However, to the extent that the comments can be seen as raising concern
over disclosure of protected health information to government agencies
for public health, health oversight, or other purposes permitted by the
final rule, the reasoning in the previous paragraph applies.
Comment: One commenter suggested that the rules violate the Fourth
Amendment by requiring covered entities to provide access to the
Secretary to their books, records, accounts, and facilities to ensure
compliance with these rules. The commenter also suggested that the
requirement that covered entities enter into agreements with their
business partners to make their records available to the Secretary for
inspection as well also violates the warrant requirement of the Fourth
Amendment.
Response: We disagree. These requirements are consistent with U.S.
Supreme Court cases holding that warrantless administrative searches of
commercial property are not per se violations of the Fourth Amendment.
The provisions requiring that covered entities provide access to
certain material to determine compliance with the regulation come
within the well-settled exception regarding closely regulated
businesses and industries to the warrant requirement. From state and
local licensure laws to the federal fraud and abuse statutes and
regulations, the health care industry is one of the most
[[Page 82590]]
tightly regulated businesses in the country. Because the industry has
such an extensive history of government oversight and involvement,
those operating within it have no reasonable expectation of privacy
from the government such that a warrant would be required to determine
compliance with the rules.
In addition, the cases cited by the commenters concern unannounced
searches of the premises and facilities of particular entities. Because
our enforcement provisions only provide for the review of books,
records, and other information and only during normal business hours
with notice, except for exceptional situations, this case law does not
apply.
As for business associates, they voluntarily enter into their
agreements with covered entities. This agreement, therefore, functions
as knowing and voluntary consents to the search (even assuming it could
be understood to be a search) and obviates the need for a warrant.
Fifth Amendment
Comment: Several comments asserted that the proposed rules violated
the Fifth Amendment because in the commenters' views they authorized
the taking of privacy property without just compensation or due process
of law.
Response: We disagree. The rules set forth below do not address the
issue of who owns an individual's medical record. Instead, they address
what uses and disclosures of protected health information may be made
by covered entities with or without a consent or authorization. As
described in response to a similar comment, medical records have been
the property of the health care provider or medical facility that
created them, historically. In some states, statutes directly provide
these entities with ownership. These laws are limited by laws that
provide patients or their representatives with access to the records or
that provide the patient with an ownership interest in the information
within the records. As we discuss, the final rule is consistent with
current state law that provides patients access to protected health
information, but not ownership of medical records. State laws that
provide patients with greater access would remain in effect. Therefore,
because patients do not own their records, no taking can occur. As for
their interest in the information, the final rule retains their rights.
As for covered entities, the final rule does not take away their
ownership rights or make their ownership interest in the protected
health information worthless. Therefore, no taking has occurred in
these situations either.
Ninth and Tenth Amendments
Comment: Several comments asserted that the proposed rules violated
the Ninth and Tenth Amendments. One commenter suggested that the Ninth
Amendment prohibits long and complicated regulations. Other commenters
suggested that the proposed rules authorized the compelled disclosure
of individually identifiable health information in violation of State
constitutional provisions, such as those in California and Florida.
Similarly, a couple of commenters asserted that the privacy rules
violate the Tenth Amendment.
Response: We disagree. The Ninth and Tenth Amendments address the
rights retained by the people and acknowledge that the States or the
people are reserved the powers not delegated to the federal government
and not otherwise prohibited by the Constitution. Because HHS is
regulating under a delegation of authority from Congress in an area
that affects interstate commerce, we are within the powers provided to
Congress in the Constitution. Nothing in the Ninth Amendment, or any
other provision of the Constitution, restricts the length or complexity
of any law. Additionally, we do not believe the rules below
impermissibly authorize behavior that violates State constitutions.
This rule requires disclosure only to the individual or to the
Secretary to enforce this rule. As noted in the preamble discussion of
``Preemption,'' these rules do not preempt State laws, including
constitutional provisions, that are contrary to and more stringent, as
defined at Sec. 160.502, than these rules. See the discussion of
``Preemption'' for further clarification. Therefore, if these State
constitutions are contrary to the rule below and provide greater
protection, they remain in full force; if they do not, they are
preempted, in accordance with the Supremacy Clause of the Constitution.
Right to Privacy
Comment: Several comments suggested that the proposed regulation
would violate the right to privacy guaranteed by the First, Fourth,
Fifth, and Ninth Amendments because it would permit covered entities to
disclose protected health information without the consent of the
individual.
Response: These comments did not provide specific facts or legal
basis for the claims. We are, thus, unable to provide a substantive
response to these particular comments. However, we note that the rule
requires disclosures only to the individual or to the Secretary to
determine compliance with this rule. Other uses or disclosures under
this rule are permissive, not required. Therefore, if a particular use
or disclosure under this rule is viewed as interfering with a right
that prohibited the use or disclosure, the rule itself is not what
requires the use or disclosure.
Void for Vagueness
Comment: One comment suggested that the Secretary's use of a
``reasonableness'' standard is unconstitutionally vague. Specifically,
this comment objected to the requirement that covered entities use
``reasonable'' efforts to use or disclose the minimum amount of
protected health information, to ensure that business partners comply
with the privacy provisions of their contracts, to notify business
partners of any amendments or corrections to protected health
information, and to verify the identity of individuals requesting
information, as well as charge only a ``reasonable'' fee for inspecting
and copying health information. This comment asserted that the
Secretary provided ``inadequate guidance'' as to what qualifies as
``reasonable.''
Response: We disagree with the comment's suggestion that by
applying a ``reasonableness'' standard, the regulation has failed to
provide for ``fair warning'' or ``fair enforcement.'' The
``reasonableness'' standard is well-established in law; for example, it
is the foundation of the common law of torts. Courts also have
consistently held as constitutional statutes that rely upon a
``reasonableness'' standard. Our reliance upon a ``reasonableness''
standard, thus, provides covered entities with constitutionally
sufficient guidance.
Criminal Intent
Comment: One comment argued that the regulation's reliance upon a
``reasonableness'' standard criminalizes ``unreasonable efforts''
without requiring criminal intent or mens rea.
Response: We reject this suggestion because HIPAA clearly provides
the criminal intent requirement. Specifically, HIPPA provides that a
``person who knowingly and in violation of this part--(1) uses or
causes to be used a unique health identifier; (2) obtains individually
identifiable health information relating to an individual; or (3)
discloses individually identifiable health information to another
person, shall be punished as provided in subsection (b).'' HIPAA
section 1177 (emphasis added). Subsection (b) also relies on a
knowledge standard in
[[Page 82591]]
outlining the three levels of criminal sanctions. Thus, Congress, not
the Secretary, established the mens rea by including the term
``knowingly'' in the criminal penalty provisions of HIPAA.
Data Collection
Comment: One commenter suggested that the U.S. Constitution
authorized the collection of data on individuals only for the purpose
of the census.
Response: While it might be true that the U.S. Constitution
expressly discusses the national census, it does not forbid federal
agencies from collecting data for other purposes. The ability of
agencies to collect non-census data has been upheld by the courts.
Relationship to Other Federal Laws
Comment: We received several comments that sought clarification of
the interaction of various federal laws and the privacy regulation.
Many of these comments simply listed federal laws and regulations with
which the commenter currently must comply. For example, commenters
noted that they must comply with regulations relating to safety, public
health, and civil rights, including Medicare and Medicaid, the
Americans with Disabilities Act, the Family and Medical Leave Act, the
Federal Aviation Administration regulations, the Department of
Transportation regulations, the Federal Highway Administration
regulations, the Occupational Safety and Health Administration
regulations, and the Environmental Protection Agency regulations, and
alcohol and drug free workplace rules. These commenters suggested that
the regulation state clearly and unequivocally that uses or disclosures
of protected health information for these purposes were permissible.
Some suggested modifying the definition of health care operations to
include these uses specifically. Another suggestion was to add a
section that permitted the transmission of protected health information
to employers when reasonably necessary to comply with federal, state,
or municipal laws and regulations, or when necessary for public or
employee safety and health.
Response: Although we sympathize with entities' needs to evaluate
the existing laws with which they must comply in light of the
requirements of the final regulation, we are unable to respond
substantially to comments that do not pose specific questions. We
offer, however, the following guidance: if an covered entity is
required to disclose protected health information pursuant to a
specific statutory or regulatory scheme, the covered entity generally
will be permitted under Sec. 164.512(a) to make these disclosures
without a consent or authorization; if, however, a statute or
regulation merely suggests a disclosure, the covered entity will need
to determine if the disclosure comes within another category of
permissible disclosure under Secs. 164.510 or 164.512 or,
alternatively, if the disclosure would otherwise come within
Sec. 164.502. If not, the entity will need to obtain a consent or
authorization for the disclosure.
Comment: One commenter sought clarification as to when a disclosure
is considered to be ``required'' by another law versus ``permitted'' by
that law.
Responses: We use these terms according to their common usage. By
``required by law,'' we mean that a covered entity has a legal
obligation to disclose the information. For example, if a statute
states that a covered entity must report the names of all individuals
presenting with gun shot wounds to the emergency room or else be fined
$500 for each violation, a covered entity would be required by law to
disclose the protected health information necessary to comply with this
mandate. The privacy regulation permits this type of disclosure, but
does not require it. Therefore, if a covered entity chose not to comply
with the reporting statute it would violate only the reporting statute
and not the privacy regulation.
On the other hand, if a statute stated that a covered entity may or
is permitted to report the names of all individuals presenting with gun
shot wounds to the emergency room and, in turn, would receive $500 for
each month it made these reports, a covered entity would not be
permitted by Sec. 164.512(a) to disclose the protected health
information. Of course, if another permissible provision applied to
these facts, the covered entity could make the disclosure under that
provision, but it would not be considered to be a disclosure. See
discussion under Sec. 164.512(a) below.
Comment: Several commenters suggested that the proposed rule was
unnecessarily duplicative of existing regulations for federal programs,
such as Medicare, Medicaid, and the Federal Employee Health Benefit
Program.
Response: Congress specifically subjected certain federal programs,
including Medicare, Medicaid, and the Federal Employee Health Benefit
Program to the privacy regulation by including them within the
definition of ``health plan.'' Therefore, covered entities subject to
requirements of existing federal programs will also have to comply with
the privacy regulation.
Comment: One comment asserts that the regulation would not affect
current federal requirements if the current requirements are weaker
than the requirements of the privacy regulation. This same commenter
suggested that current federal requirements will trump both state law
and the proposed regulation, even if Medicaid transactions remain
wholly intrastate.
Response: We disagree. As noted in our discussion of ``Relationship
to Other Federal Laws,'' each law or regulation will need to be
evaluated individually. We similarly disagree with the second assertion
made by the commenter. The final rule will preempt state laws only in
specific instances. For a more detailed analysis, see the preamble
discussion of ``Preemption.''
Administrative Subpoenas
Comment: One comment stated that the final rule should not impose
new standards on administrative subpoenas that would conflict with
existing laws or administrative or judicial rules that establish
standards for issuing subpoenas. Nor should the final rule conflict
with established standards for the conduct of administrative, civil, or
criminal proceedings, including the rules regarding the discovery of
evidence. Other comments sought further restrictions on access to
protected health information in this context.
Response: Section 164.512(e) below addresses disclosures for
judicial and administrative proceedings. The final rules generally do
not interfere with these existing processes to the extent an individual
served with a subpoena, court order, or other similar process is able
to raise objections already available. See the discussion below under
Sec. 164.512(e) for a fuller response.
Americans with Disabilities Act
Comment: Several comments discussed the intersection between the
proposed Privacy Rule and the Americans with Disabilities Act (``ADA'')
and sections 503 and 504 of the Rehabilitation Act of 1973. One comment
suggested that the final rule explicitly allows disclosures authorized
by the Americans with Disabilities Act without an individual's
authorization, because this law, in the commenter's view, provides more
than adequate protection for the confidentiality of medical records in
the employment context. The comment noted that under these laws
employers may receive information related to fitness for duty, pre-
employment physicals, routine examinations, return to work
examinations, examinations following other types of absences,
examinations triggered by specific events, changes in
[[Page 82592]]
circumstances, requests for reasonable accommodations, leave requests,
employee wellness programs, and medical monitoring.
Other commenters suggested that the ADA requires the disclosure of
protected health information to employers so that the employee may take
advantage of the protections of these laws. They suggested that the
final rules clarify that employment may be conditioned on obtaining an
authorization for disclosure of protected health information for lawful
purposes and provide guidance concerning the interaction of the ADA
with the final regulation's requirements. Several commenters wanted
clarification that the privacy regulation would not permit employers to
request or use protected health information in violation of the ADA.
Response: We disagree with the comment that the final rule should
allow disclosures of protected health information authorized by the ADA
without the individual's authorization. We learned from the comments
that access to and use of protected health information by employers is
of particular concern to many people. With regard to employers, we do
not have statutory authority to regulate them. Therefore, it is beyond
the scope of this regulation to prohibit employers from requesting or
obtaining protected health information. Covered entities may disclose
protected health information about individuals who are members of an
employer's workforce with an authorization. Nothing in the privacy
regulation prohibits employers from obtaining that authorization as a
condition of employment. We note, however, that employers must comply
with other laws that govern them, such as nondiscrimination laws. For
example, if an employer receives a request for a reasonable
accommodation, the employer may require reasonable documentation about
the employee's disability and the functional limitations that require
the reasonable accommodation, if the disability and the limitations are
not obvious. If the individual provides insufficient documentation and
does not provide the missing information in a timely manner after the
employer's subsequent request, the employer may require the individual
to go to an appropriate health professional of the employer's choice.
In this situation, the employee does not authorize the disclosure of
information to substantiate the disability and the need for reasonable
accommodation, the employer need not provide the accommodation.
We agree that this rule does not permit employers to request or use
protected health information in violation of the ADA or other
antidiscrimination laws.
Appropriations Laws
Comment: One comment suggested that the penalty provisions of
HIPAA, if extended to the privacy regulation, would require the
Secretary to violate ``Appropriations Laws'' because the Secretary
could be in the position of assessing penalties against her own and
other federal agencies in their roles as covered entities. Enforcing
penalties on these entities would require the transfer of agency funds
to the General Fund.
Response: We disagree. Although we anticipate achieving voluntary
compliance and resolving any disputes prior to the actual assessment of
penalties, the Department of Justice's Office of Legal Counsel has
determined in similar situations that federal agencies have authority
to assess penalties against other federal agencies and that doing so is
not in violation of the Anti-Deficiency Act, 31 U.S.C. 1341.
Balanced Budget Act of 1997
Comment: One comment expressed concern that the regulation would
place tremendous burdens on providers already struggling with the
effects of the Balanced Budget Act of 1997.
Response: We appreciate the costs covered entities face when
complying with other statutory and regulatory requirements, such as the
Balanced Budget Act of 1997. However, HHS cannot address the impact of
the Balanced Budget Act or other statutes in the context of this
regulation.
Comment: Another comment stated that the regulation is in direct
conflict with the Balanced Budget Act of 1997 (``BBA''). The comment
asserts that the regulation's compliance date conflicts with the BBA,
as well as Generally Acceptable Accounting Principles. According to the
comment, covered entities that made capital acquisitions to ensure
compliance with the year 2000 (``Y2K'') problem would not be able to
account for the full depreciation of these systems until 2005. Because
HIPAA requires compliance before that time, the regulation would force
premature obsolescence of this equipment because while it is Y2K
compliant, it may be HIPAA non-compliant.
Response: This comment raises two distinct issues--(1) the
investment in new equipment and (2) the compliance date. With regard to
the first issue, we reject the comment's assertion that the regulation
requires covered entities to purchase new information systems or
information technology equipment, but realize that some covered
entities may need to update their equipment. We have tried to minimize
the costs, while responding appropriately to Congress' mandate for
privacy rules. We have dealt with the cost issues in detail in the
``Regulatory Impact Analysis'' section of this Preamble. With regard to
the second issue, Congress, not the Secretary, established the
compliance data at section 1175(b) of the Act.
Civil Rights of Institutionalized Persons Act
Comment: A few comments expressed concern that the privacy
regulation would inadvertently hinder the Department of Justice Civil
Rights Divisions' investigations under the Civil Rights of
Institutionalized Persons Act (``CRIPA''). These comments suggested
clearly including civil rights enforcement activities as health care
oversight.
Response: We agree with this comment. We do not intend for the
privacy rules to hinder CRIPA investigations. Thus, the final rule
includes agencies that are authorized by law to ``enforce civil rights
laws for which health information is relevant'' in the definition of
``health oversight agency'' at Sec. 164.501. Covered entities are
permitted to disclose protected health information to health oversight
agencies under Sec. 164.512(d) without an authorization. Therefore, we
do not believe the final rule should hinder the Department of Justice's
ability to conduct investigations pursuant to its authority in CRIPA.
Clinical Laboratory Improvement Amendments
Comment: One comment expressed concern that the proposed definition
of health care operations did not include activities related to the
quality control clinical studies performed by laboratories to
demonstrate the quality of patient test results. Because the Clinical
Laboratory Improvement Amendments of 1988 (``CLIA'') requires these
studies that the comment asserted require the use of protected health
information, the comment suggested including this specific activity in
the definition of ``health care operations.''
Response: We do not intend for the privacy regulation to impede the
ability of laboratories to comply with the requirements of CLIA.
Quality control activities come within the definition of ``health care
operations'' in Sec. 164.501 because they come within the meaning of
the term ``quality assurance activities.'' To the extent they would not
come within health care operations, but
[[Page 82593]]
are required by CLIA, the privacy regulation permits clinical
laboratories that are regulated by CLIA to comply with mandatory uses
and disclosures of protected health information pursuant to
Sec. 164.512(a).
Comment: One comment stated that the proposed regulation's right of
access for inspection and copying provisions were contrary to CLIA in
that CLIA permits laboratories to disclose lab test results only to
``authorized persons.'' This comment suggested that the final rule
include language adopting this restriction to ensure that patients not
obtain laboratory test results before the appropriate health care
provider has reviewed and explained those results to the patients.
A similar comment stated that the lack of preemption of state laws
could create problems for clinical laboratories under CLIA.
Specifically, this comment noted that CLIA permits clinical
laboratories to perform tests only upon the written or electronic
request of, and to provide the results to, an ``authorized person.''
State laws define who is an ``authorized person.'' The comment
expressed concern as to whether the regulation would preempt state laws
that only permit physicians to receive test results.
Response: We agree that CLIA controls in these cases. Therefore, we
have amended the right of access, Sec. 164.524(a), so that a covered
entity that is subject to CLIA does not have to provide access to the
individual to the extent such access would be prohibited by law.
Because of this change, we believe the preemption concern is moot.
Controlled Substance Act
Comment: One comment expressed concern that the privacy regulation
as proposed would restrict the Drug Enforcement Agency's (``the DEA'')
enforcement of the Controlled Substances Act (``CSA''). The comment
suggested including enforcement activities in the definition of
``health oversight agency.''
Response: In our view, the privacy regulation should not impede the
DEA's ability to enforce the CSA. First, to the extent the CSA requires
disclosures to the DEA, these disclosures would be permissible under
Sec. 164.512(a). Second, some of the DEA's CSA activities come within
the exception for health oversight agencies which permits disclosures
to health oversight agencies for:
Activities authorized by law, including audits; civil,
administrative, or criminal investigations; inspections * * * civil,
administrative, or criminal proceedings or actions; and other
activity necessary for appropriate oversight of the health care
system.
Therefore, to the extent the DEA is enforcing the CSA, disclosures
to it in its capacity as a health oversight agency are permissible
under Sec. 164.512(d). Alternatively, CSA required disclosures to the
DEA for law enforcement purposes are permitted under Sec. 164.512(f).
When acting as a law enforcement agency under the CSA, the DEA may
obtain the information pursuant to Sec. 164.512(f). Thus, we do not
agree that the privacy regulation will impede the DEA's enforcement of
the CSA. See the preamble discussion of Sec. 164.512 for further
explanation.
Comment: One commenter suggested clarifying the provisions allowing
disclosures that are ``required by law'' to ensure that the mandatory
reporting requirements the CSA imposes on covered entities, including
making available reports, inventories, and records of transactions, are
not preempted by the regulation.
Response: We agree that the privacy regulation does not alter
covered entities' obligations under the CSA. Because the CSA requires
covered entities manufacturing, distributing, and/or dispensing
controlled substances to maintain and provide to the DEA specific
records and reports, the privacy regulation permits these disclosures
under Sec. 164.512(a). In addition, when the DEA seeks documents to
determine an entity's compliance with the CSA, such disclosures are
permitted under Sec. 164.512(d).
Comment: The same commenter expressed concern that the proposed
privacy regulation inappropriately limits voluntary reporting and would
prevent or deter employees of covered entities from providing the DEA
with information about violations of the CSA.
Response: We agree with the general concerns expressed in this
comment. We do not believe the privacy rules will limit voluntary
reporting of violations of the CSA. The CSA requires certain entities
to maintain several types of records that may include protected health
information. Although reports that included protected health
information may be restricted under these rules, reporting the fact
that an entity is not maintaining proper reports is not. If it were
necessary to obtain protected health information during the
investigatory stages following such a voluntary report, the DEA would
be able to obtain the information in other ways, such as by following
the administrative procedures outlined in Sec. 164.512(e).
We also agree that employees of covered entities who report
violations of the CSA should not be subjected to retaliation by their
employers. Under Sec. 164.502(j), we specifically state that a covered
entity is not considered to have violated the regulation if a workforce
member or business associate in good faith reports violations of laws
or professional standards by covered entities to appropriate
authorities. See discussion of Sec. 164.502(j) below.
Department of Transportation
Comment: Several commenters stated that the Secretary should
recognize in the preamble that it is permissible for employers to
condition employment on an individual's delivering a consent to certain
medical tests and/or examinations, such as drug-free workplace programs
and Department of Transportation (``DOT'')-required physical
examinations. These comments also suggested that employers should be
able to receive certain information, such as pass/fail test and
examination results, fitness-to-work assessments, and other legally
required or permissible physical assessments without obtaining an
authorization. To achieve this goal, these comments suggested defining
``health information'' to exclude information such as information about
how much weight a specific employee can lift.
Response: We reject the suggestion to define ``health
information,'' which Congress defined in HIPAA, so that it excludes
individually identifiable health information that may be relevant to
employers for these types of examinations and programs. We do not
regulate employers. Nothing in the rules prohibit employers from
conditioning employment on an individual signing the appropriate
consent or authorization. By the same token, however, the rules below
do not relieve employers from their obligations under the ADA and other
laws that restrict the disclosure of individually identifiable health
information.
Comment: One commenter asserted that the proposed regulation
conflicts with the DOT guidelines regarding positive alcohol and drug
tests that require the employer be notified in writing of the results.
This document contains protected health information. In addition, the
treatment center records must be provided to the Substance Abuse
Professional (``SAP'') and the employer must receive a report from SAP
with random drug testing recommendations.
Response: It is our understanding that DOT requires drug testing of
all applicants for employment in safety-sensitive positions or
individuals being transferred to such positions.
[[Page 82594]]
Employers, pursuant to DOT regulations, may condition an employee's
employment or position upon first obtaining an authorization for the
disclosure of results of these tests to the employer. Therefore, we do
not believe the final rules conflict with the DOT requirements, which
do not prohibit obtaining authorizations before such information is
disclosed to employers.
Developmental Disabilities Act
Comment: One commenter urged HHS to ensure that the regulation
would not impede access to individually identifiable health information
to entities that are part of the Protection and Advocacy System to
investigate abuse and neglect as authorized by the Developmental
Disabilities Bill of Rights Act.
Response: The Developmental Disabilities Assistance and Bill of
Rights Act of 2000 (``DD Act'') mandates specific disclosures of
individually identifiable health information to Protection and Advocacy
systems designated by the chief elected official of the states and
Territories. Therefore, covered entities may make these disclosures
under Sec. 164.512(a) without first obtaining an individual's
authorization, except in those circumstances in which the DD Act
requires the individual's authorization. Therefore, the rules below
will not impede the functioning of the existing Protection and Advocacy
System.
Employee Retirement Income Security Act of 1974
Comment: Several commenters objected to the fact that the NPRM did
not clarify the scope of preemption of state laws under the Employee
Retirement Income Security Act of 1974 (ERISA). These commenters
asserted that the final rule must state that ERISA preempts all state
laws (including those relating to the privacy of individually
identifiable health information) so that multistate employers could
continue to administer their group health plans using a single set of
rules. In contrast, other commenters criticized the Department for its
analysis of the current principles governing ERISA preemption of state
law, pointing out that the Department has no authority to interpret
ERISA.
Response: This Department has no authority to issue regulations
under ERISA as requested by some of these commenters, so the rule below
does not contain the statement requested. See the discussion of this
point under ``Preemption'' above.
Comment: One commenter requested that the final rule clarify that
section 264(c)(2) of HIPAA does not save state laws that would
otherwise be preempted by the Federal Employees Health Benefits
Program. The commenter noted that in the NPRM this statement was made
with respect to Medicare and ERISA, but not the law governing the
FEHBP.
Response: We agree with this comment. The preemption analysis set
out above with respect to ERISA applies equally to the Federal
Employees Health Benefit Program.
Comment: One commenter noted that the final rule should clarify the
interplay between state law, the preemption standards in Subtitle A of
Title I of HIPAA (Health Care Access, Portability and Renewability),
and the preemption standards in the privacy requirements in Subtitle F
of Title II of HIPAA (Administrative Simplification).
Response: The NPRM described only the preemption standards that
apply with respect to the statutory provisions of HIPAA that were
implemented by the proposed rule. We agree that the preemption
standards in Subtitle A of Title I of HIPAA are different. Congress
expressly provided that the preemption provisions of Title I apply only
to Part 7, which addresses portability, access, and renewability
requirements for Group Health Plans. To the extent state laws contain
provisions regarding portability, access, or renewability, as well as
privacy requirements, a covered entity will need to evaluate the
privacy provisions under the Title II preemption provisions, as
explained in the preemption provisions of the rules, and the other
provisions under the Title I preemption requirements.
European Union Privacy Directive and U.S. Safe Harbors
Comment: Several comments stated that the privacy regulation should
be consistent with the European Union's Directive on Data Protection.
Others sought guidance as to how to comply with both the E.U. Directive
on Data Protection and the U.S. Safe Harbor Privacy Principles.
Response: We appreciate the need for covered entities obtaining
personal data from the European Union to understand how the privacy
regulation intersects with the Data Protection Directive. We have
provided guidance as to this interaction in the ``Other Federal Laws''
provisions of the preamble.
Comment: A few comments expressed concern that the proposed
definition of ``individual'' excluded foreign military and diplomatic
personnel and their dependents, as well as overseas foreign national
beneficiaries. They noted that the distinctions are based on
nationality and are inconsistent with the stance of the E.U. Directive
on Data Protection and the Department of Commerce's assurances to the
European Commission.
Response: We agree with the general principle that privacy
protections should protect every person, regardless of nationality. As
noted in the discussion of the definition of ``individual,'' the final
regulation's definition does not exclude foreign military and
diplomatic personnel, their dependents, or overseas foreign national
beneficiaries from the definition of individual. As described in the
discussion of Sec. 164.512 below, the final rule applies to foreign
diplomatic personnel and their dependents like all other individuals.
Foreign military personnel receive the same treatment under the final
rule as U.S. military personnel do, as discussed with regard to
Sec. 164.512 below. Overseas foreign national beneficiaries to the
extent they receive care for the Department of Defense or a source
acting on behalf of the Department of Defense remain generally excluded
from the final rules protections. For a more detailed explanation, see
Sec. 164.500.
Fair Credit Reporting Act
Comment: A few commenters requested that we exclude information
maintained, used, or disclosed pursuant to the Fair Credit Reporting
Act (``FCRA'') from the requirements of the privacy regulation. These
commenters noted that the protection in the privacy regulation
duplicate those in the FCRA.
Response: Although we realize that some overlap between FCRA and
the privacy rules may exist, we have chosen not to remove information
that may come within the purview of FCRA from the scope of our rules
because FCRA's focus is not the same as our Congressional mandate to
protect individually identifiable health information.
To the extent a covered entity seeks to engage in collection
activities or other payment-related activities, it may do so pursuant
to the requirements of this rule related to payment. See discussion of
Secs. 164.501 and 164.502 below.
We understand that some covered entities may be part of, or contain
components that are, entities which meet the definition of ``consumer
reporting agencies.'' As such, these entities are subject to the FCRA.
As described in the preamble to Sec. 164.504, covered entities must
designate what parts of their organizations will be treated as covered
entities for the
[[Page 82595]]
purpose of these privacy rules. The covered entity component will need
to comply with these rules, while the components that are consumer
reporting agencies will need to comply with FCRA.
Comment: One comment suggested that the privacy regulation would
conflict with the FCRA if the regulation's requirement applied to
information disclosed to consumer reporting agencies.
Response: To the extent a covered entity is required to disclose
protected health information to a consumer reporting agency, it may do
so under Sec. 164.512(a). See also discussion under the definition of
``payment'' below.
Fair Debt Collection and Practices Act
Comment: Several comments expressed concern that health plans and
health care providers be able to continue using debt collectors in
compliance with the Fair Debt Collections Practices Act and related
laws.
Response: In our view, health plans and health care providers will
be able to continue using debt collectors. Using the services of a debt
collector to obtain payment for the provision of health care comes
within the definition of ``payment'' and is permitted under the
regulation. Thus, so long as the use of debt collectors is consistent
with the regulatory requirements (such as, providers obtain the proper
consents, the disclosure is of the minimum amount of information
necessary to collect the debt, the provider or health plan enter into a
business associate agreement with the debt collector, etc.), relying
upon debt collectors to obtain reimbursement for the provision of
health care would not be prohibited by the regulation.
Family Medical Leave Act
Comment: One comment suggested that the proposed regulation
adversely affects the ability of an employer to determine an employee's
entitlement to leave under the Family Medical Leave Act (``FMLA'') by
affecting the employer's right to receive medical certification of the
need for leave, additional certifications, and fitness for duty
certification at the end of the leave. The commenter sought
clarification as to whether a provider could disclose information to an
employer without first obtaining an individual's consent or
authorization. Another commenter suggested that the final rule
explicitly exclude from the rule disclosures authorized by the FMLA,
because, in the commenter's view, it provides more than adequate
protection for the confidentiality of medical records in the employment
context.
Response: We disagree that the FMLA provides adequate privacy
protections for individually identifiable health information. As we
understand the FMLA, the need for employers to obtain protected health
information under the statute is analogous to the employer's need for
protected health information under the ADA. In both situations,
employers may need protected health information to fulfill their
obligations under these statutes, but neither statute requires covered
entities to provide the information directly to the employer. Thus,
covered entities in these circumstances will need an individual's
authorizations before the disclosure is made to the employer.
Federal Common Law
Comment: One commenter did not want the privacy rules to interfere
with the federal common law governing collective bargaining agreements
permitting employers to insist on the cooperation of employees with
medical fitness evaluations.
Response: We do not seek to interfere with legal medical fitness
evaluations. These rules require a covered entity to have an
individual's authorization before the information resulting from such
evaluations is disclosed to the employer unless another provision of
the rule applies. We do not prohibit employers from conditioning
employment, accommodations, or other benefits, when legally permitted
to do so, upon the individual/employee providing an authorization that
would permit the disclosure of protected health information to
employers by covered entities. See Sec. 164.508(b)(4) below.
Federal Educational Rights and Privacy Act
Comment: A few commenters supported the exclusion of ``education
records'' from the definition of ``protected health information.''
However, one commenter requested that ``treatment records'' of students
who are 18 years or older attending post-secondary education
institutions be excluded from the definition of ``protected health
information'' as well to avoid confusion.
Response: We agree with these commenters. See ``Relationship to
Other Federal Laws'' for a description of our exclusion of FERPA
``education records'' and records defined at 20 U.S.C.
1232g(a)(4)(B)(iv), commonly referred to as ``treatment records,'' from
the definition of ``protected health information.''
Comment: One comment suggested that the regulation should not apply
to any health information that is part of an ``education record'' in
any educational agency or institution, regardless of its FERPA status.
Response: We disagree. As noted in our discussion of ``Relationship
of Other Federal Laws,'' we exclude education records from the
definition of protected health information because Congress expressly
provided privacy protections for these records and explained how these
records should be treated in FERPA.
Comment: One commenter suggested eliminating the preamble language
that describes school nurses and on-site clinics as acting as providers
and subject to the privacy regulation, noting that this language is
confusing and inconsistent with the statements provided in the preamble
explicitly stating that HIPAA does not preempt FERPA.
Response: We agree that this language may have been confusing. We
have provided a clearer expression of when schools may be required to
comply with the privacy regulation in the ``Relationship to Other
Federal Laws'' section of the preamble.
Comment: One commenter suggested adding a discussion of FERPA to
the ``Relationship to Other Federal Laws'' section of the preamble.
Response: We agree and have added FERPA to the list of federal laws
discussed in ``Relationship to Other Federal Laws'' section of the
preamble.
Comment: One commenter stated that school clinics should not have
to comply with the ``ancillary'' administrative requirements, such as
designating a privacy official, maintaining documentation of their
policies and procedures, and providing the Secretary of HHS with
access.
Response: We disagree. Because we have excluded education records
and records described at 20 U.S.C. 1232g(a)(4)(B)(iv) held by
educational agencies and institutions subject to FERPA from the
definition of protected health information, only non-FERPA schools
would be subject to the administrative requirements. Most of these
school clinics will also not be covered entities because they are not
engaged in HIPAA transactions and these administrative requirements
will not apply to them. However, to the extent a school clinic is
within the definition of a health care provider, as Congress defined
the term, and the school clinic is engaged in HIPAA transactions, it
will be a covered entity and must comply with the rules below.
[[Page 82596]]
Comment: Several commenters expressed concern that the privacy
regulation would eliminate the parents' ability to have access to
information in their children's school health records. Because the
proposed regulation suggests that school-based clinics keep health
records separate from other educational files, these comments argued
that the regulation is contrary to the spirit of FERPA, which provides
parents with access rights to their children's educational files.
Response: As noted in the ``Relationship to Other Federal Laws''
provision of the preamble, to the extent information in school-based
clinics is not protected health information because it is an education
record, the FERPA access requirements apply and this regulation does
not. For more detail regarding the rule's application to unemancipated
minors, see the preamble discussion about ``Personal Representatives.''
Federal Employees Compensation Act
Comment: One comment noted that the Federal Employees Compensation
Act (``FECA'') requires claimants to sign a release form when they file
a claim. This commenter suggested that the privacy regulation should
not place additional restrictions on this type of release form.
Response: We agree. In the final rule, we have added a new
provision, Sec. 164.512(l), that permits covered entities to make
disclosures authorized under workers' compensation and similar laws.
This provision would permit covered entities to make disclosures
authorized under FECA and not require a different release form.
Federal Employees Health Benefits Program
Comment: A few comments expressed concern about the preemption
effect on FEHBP and wanted clarification that the privacy regulation
does not alter the existing preemptive scope of the program.
Response: We do not intend to affect the preemptive scope of the
FEHBP. The Federal Employee Health Benefit Act of 1998 preempts any
state law that ``relates to'' health insurance or plans. 5 U.S.C.
8902(m). The final rule does not attempt to alter the preemptive scope
Congress has provided to the FEHBP.
Comment: One comment suggested that in the context of FEHBP HHS
should place the enforcement responsibilities of the privacy regulation
with Office of Personnel Management, as the agency responsible for
administering the program.
Response: We disagree. Congress placed enforcement with the
Secretary. See section 1176 of the Act.
Federal Rules of Civil Procedure
Comment: A few comments suggested revising proposed Sec. 164.510(d)
so that it is consistent with the existing discovery procedure under
the Federal Rules of Civil Procedure or local rules.
Response: We disagree that the rules regarding disclosures and uses
of protected health information for judicial and administrative
procedures should provide only those protections that exist under
existing discovery rules. Although the current process may be
appropriate for other documents and information requested during the
discovery process, the current system, as exemplified by the Federal
Rules of Civil Procedure, does not provide sufficient protection for
protected health information. Under current discovery rules, private
attorneys, government officials, and others who develop such requests
make the initial determinations as to what information or documentation
should be disclosed. Independent third-party review, such as that by a
court, only becomes necessary if a person of whom the request is made
refuses to provide the information. If this happens, the person seeking
discovery must obtain a court order or move to compel discovery. In our
view this system does not provide sufficient protections to ensure that
unnecessary and unwarranted disclosures of protected health information
does not occur. For a related discuss, see the preamble regarding
``Disclosures for Judicial and Administrative Proceedings'' under
Sec. 164.512(e).
Federal Rules of Evidence
Comment: Many comments requested clarification that the privacy
regulation does not conflict or interfere with the federal or state
privileges. In particular, one of these comments suggested that the
final regulation provide that disclosures for a purpose recognized by
the regulation not constitute a waiver of federal or state privileges.
Response: We do not intend for the privacy regulation to interfere
with federal or state rules of evidence that create privileges.
Consistent with The Uniform Health-Care Information Act drafted by the
National Conference of Commissioners on Uniform State Laws, we do not
view a consent or an authorization to function as a waiver of federal
or state privileges. For further discussion of the effect of consent or
authorization on federal or state privileges, see preamble discussions
in Secs. 164.506 and 164.508.
Comment: Other comments applauded the Secretary's references to
Jaffee v. Redman, 518 U.S. 1 (1996), which recognized a
psychotherapist-patient privilege, and asked the Secretary to
incorporate expressly this privilege into the final regulation.
Response: We agree that the psychotherapist-patient relationship is
an important one that deserves protection. However, it is beyond the
scope our mandate to create specific evidentiary privileges. It is also
unnecessary because the United States Supreme Court has adopted this
privilege.
Comment: A few comments discussed whether one remedy for violating
the privacy regulation should be to exclude or suppress evidence
obtained in violation of the regulation. One comment supported using
this penalty, while another opposed it.
Response: We do not have the authority to mandate that courts apply
or not apply the exclusionary rule to evidence obtained in violation of
the regulation. This issue is in the purview of the courts.
Federal Tort Claims Act
Comment: One comment contended that the proposed regulation's
requirement mandating covered entities to name the subjects of
protected health information disclosed under a business partner
contract as third party intended beneficiaries under the contract would
have created an impermissible right of action against the government
under the Federal Tort Claims Act (``FTCA'').
Response: Because we have deleted the third party beneficiary
provisions from the final rules, this comment is moot.
Comment: Another comment suggested the regulation would hamper the
ability of federal agencies to disclose protected health information to
their attorneys, the Department of Justice, during the initial stages
of the claims brought under the FTCA.
Response: We disagree. The regulation applies only to federal
agencies that are covered entities. To the extent an agency is not a
covered entity, it is not subject to the regulation; to the extent an
agency is a covered entity, it must comply with the regulation. A
covered entity that is a federal agency may disclose relevant
information to its attorneys, who are business associates, for purposes
of health care operations, which includes uses or disclosures for legal
functions. See Sec. 164.501 (definitions of ``business associate'' and
``health care operations''). The final rule provides specific
provisions describing how federal agencies may provide
[[Page 82597]]
adequate assurances for these types of disclosures of protected health
information. See Sec. 164.504(e)(3).
Food and Drug Administration
Comment: A few comments expressed concerns about the use of
protected health information for reporting activities to the Food and
Drug Administration (``FDA''). Their concern focused on the ability to
obtain or disclose protected health information for pre-and post-
marketing adverse event reports, device tracking, and post-marketing
safety and efficacy evaluation.
Response: We agree with this comment and have provided that covered
entities may disclose protected health information to persons subject
to the jurisdiction of the FDA, to comply with the requirements of, or
at the direction of, the FDA with regard to reporting adverse events
(or similar reports with respect to dietary supplements), the tracking
of medical devices, other post-marketing surveillance, or other similar
requirements described at Sec. 164.512(b).
Foreign Standards
Comment: One comment asked how the regulation could be enforced
against foreign countries (or presumably entities in foreign countries)
that solicit medical records from entities in the United States.
Response: We do not regulate solicitations of information. To the
extent a covered entity wants to comply with a request for disclosure
of protected health information to foreign countries or entities within
foreign countries, it will need to comply with the privacy rules before
making the disclosure. If the covered entity fails to comply with the
rules, it will be subject to enforcement proceedings.
Freedom of Information Act
Comment: One comment asserted that the proposed privacy regulation
conflicts with the Freedom of Information Act (``FOIA''). The comment
argued that the proposed restriction on disclosures by agencies would
not come within one of the permissible exemptions to the FOIA. In
addition, the comment noted that only in exceptional circumstances
would the protected health information of deceased individuals come
within an exemption because, for the most part, death extinguishes an
individual's right to privacy.
Response: Section 164.512(a) below permits covered entities to
disclose protected health information when such disclosures are
required by other laws as long as they follow the requirements of those
laws. Therefore, the privacy regulation will not interfere with the
ability of federal agencies to comply with FOIA, when it requires the
disclosure.
We disagree, however, that most protected health information will
not come within Exemption 6 of FOIA. See the discussion above under
``Relationship to Other Federal Laws'' for our review of FOIA.
Moreover, we disagree with the comment's assertion that the protected
health information of deceased individuals does not come within
Exemption 6. Courts have recognized that a deceased individual's
surviving relatives may have a privacy interest that federal agencies
may consider when balancing privacy interests against the public
interest in disclosure of the requested information. Federal agencies
will need to consider not only the privacy interests of the subject of
the protected health information in the record requested, but also,
when appropriate, those of a deceased individual's family consistent
with judicial rulings.
If an agency receives a FOIA request for the disclosure of
protected health information of a deceased individual, it will need to
determine whether or not the disclosure comes within Exemption 6. This
evaluation must be consistent with the court's rulings in this area. If
the exemption applies, the federal agency will not have to release the
information. If the federal agency determines that the exemption does
not apply, may release it under Sec. 164.512(a) of this regulation.
Comment: One commenter expressed concern that our proposal to
protect the individually identifiable health information about the
deceased for two years following death would impede public interest
reporting and would be at odds with many state Freedom of Information
laws that make death records and autopsy reports public information.
The commenter suggested permitting medical information to be available
upon the death of an individual or, at the very least, that an appeals
process be permitted so that health information trustees would be
allowed to balance the interests in privacy and in public disclosure
and release or not release the information accordingly.
Response: These rules permit covered entities to make disclosures
that are required by state Freedom of Information Act (FOIA) laws under
Sec. 164.512(a). Thus, if a state FOIA law designates death records and
autopsy reports as public information that must be disclosed, a covered
entity may disclose it without an authorization under the rule. To the
extent that such information is required to be disclosed by FOIA or
other law, such disclosures are permitted under the final rule. In
addition, to the extent that death records and autopsy reports are
obtainable from non-covered entities, such as state legal authorities,
access to this information is not impeded by this rule.
If another law does not require the disclosure of death records and
autopsy reports generated and maintained by a covered entity, which are
protected health information, covered entities are not allowed to
disclose such information except as permitted or required by the final
rule, even if another entity discloses them.
Comment: One comment sought clarification of the relationship
between the Freedom of Information Act, the Privacy Act, and the
privacy rules.
Response: We have provided this analysis in the ``Relationship to
Other Federal Laws'' section of the preamble in our discussion of the
Freedom of Information Act.
Gramm-Leach-Bliley
Comments: One commenter noted that the Financial Services
Modernization Act, also known as Gramm-Leach-Bliley (``GLB''), requires
financial institutions to provide detailed privacy notices to
individuals. The commenter suggested that the privacy regulation should
not require financial institutions to provide additional notice.
Response: We disagree. To the extent a covered entity is required
to comply with the notice requirements of GLB and those of our rules,
the covered entity must comply with both. We will work with the FTC and
other agencies implementing GLB to avoid unnecessary duplication. For a
more detailed discussion of GLB and the privacy rules, see the
``Relationship to Other Federal Laws'' section of the preamble.
Comment: A few commenters asked that the Department clarify that
financial institutions, such as banks, that serve as payors are covered
entities. The comments explained that with the enactment of the Gramm-
Leach-Bliley Act, banks are able to form holding companies that will
include insurance companies (that may be covered entities). They
recommended that banks be held to the rule's requirements and be
required to obtain authorization to conduct non-payment activities,
such as for the marketing of health and non-health items and services
or the use and disclosure to non-health related divisions of the
covered entity.
[[Page 82598]]
Response: These comments did not provide specific facts that would
permit us to provide a substantive response. An organization will need
to determine whether it comes within the definition of ``covered
entity.'' An organization may also need to consider whether or not it
contains a health care component. Organizations that are uncertain
about the application of the regulation to them will need to evaluate
their specific facts in light of this rule.
Inspector General Act
Comment: One comment requested the Secretary to clarify in the
preamble that the privacy regulation does not preempt the Inspector
General Act.
Response: We agree that to the extent the Inspector General Act
requires uses or disclosures of protected health information, the
privacy regulation does not preempt it. The final rule provides that to
the extent required under section 201(a)(5) of the Act, nothing in this
subchapter should be construed to diminish the authority of any
Inspector General, including the authority provided in the Inspector
General Act of 1978. See discussion of Sec. 160.102 above.
Medicare and Medicaid
Comment: One comment suggested possible inconsistencies between the
regulation and Medicare/Medicaid requirements, such as those under the
Quality Improvement System for Managed Care. This commenter asked that
HHS expand the definition of health care operations to include health
promotion activities and avoid potential conflicts.
Response: We disagree that the privacy regulation would prohibit
managed care plans operating in the Medicare or Medicaid programs from
fulfilling their statutory obligations. To the extent a covered entity
is required by law to use or disclose protected health information in a
particular manner, the covered entity may make such a use or disclosure
under Sec. 164.512(a). Additionally, quality assessment and improvement
activities come within the definition of ``health care operations.''
Therefore, the specific example provided by the commenter would seem to
be a permissible use or disclosure under Sec. 164.502, even if it were
not a use or disclosure ``required by law.''
Comment: One commenter stated that Medicare should not be able to
require the disclosure of psychotherapy notes because it would destroy
a practitioner's ability to treat patients effectively.
Response: If the Title XVIII of the Social Security Act requires
the disclosure of psychotherapy notes, the final rule permits, but does
not require, a covered entity to make such a disclosure under
Sec. 164.512(a). If, however, the Social Security Act does not require
such disclosures, Medicare does not have the discretion to require the
disclosure of psychotherapy notes as a public policy matter because the
final rule provides that covered entities, with limited exceptions,
must obtain an individual's authorization before disclosing
psychotherapy notes. See Sec. 164.508(a)(2).
National Labor Relations Act
Comment: A few comments expressed concern that the regulation did
not address the obligation of covered entities to disclose protected
health information to collective bargaining representatives under the
National Labor Relations Act.
Response: The final rule does not prohibit disclosures that covered
entities must make pursuant to other laws. To the extent a covered
entity is required by law to disclose protected health information to
collective bargaining representatives under the NLRA, it may to so
without an authorization. Also, the definition of ``health care
operations'' at Sec. 164.501 permits disclosures to employee
representatives for purposes of grievance resolution.
Organ Donation
Comment: One commenter expressed concern about the potential impact
of the regulation on the organ donation program under 42 CFR part 482.
Response: In the final rule, we add provisions allowing the use or
disclosure of protected health information to organ procurement
organizations or other entities engaged in the procurement, banking, or
transplantation of cadaveric organs, eyes, or tissue for the purpose of
facilitating donation and transplantation. See Sec. 164.512(h).
Privacy Act Comments
Comment: One comment suggested that the final rule unambiguously
permit the continued operation of the statutorily established or
authorized discretionary routine uses permitted under the Privacy Act
for both law enforcement and health oversight.
Response: We disagree. See the discussion of the Privacy Act in
``Relationship to Other Federal Laws'' above.
Public Health Services Act
Comment: One comment suggested that the Public Health Service Act
places more stringent rules regarding the disclosure of information on
Federally Qualified Health Centers than the proposed privacy regulation
suggested. Therefore, the commenter suggested that the final rule
exempt Federally Qualified Health Centers from the rules requirements
Response: We disagree. Congress expressly included Federally
Qualified Health Centers, a provider of medical or other health
services under the Social Security Act section 1861(s), within its
definition of health care provider in section 1171 of the Act;
therefore, we cannot exclude them from the regulation.
Comment: One commenter noted that no conflicts existed between the
proposed rule and the Public Health Services Act.
Response: As we discuss in the ``Relationship to Other Federal
Laws'' section of the preamble, the Public Health Service Act contains
explicit confidentiality requirements that are so general as not to
create problems of inconsistency. We recognized, however, that in some
cases, that law or its accompanying regulations may contain greater
restrictions. In those situations, a covered entity's ability to make
what are permissive disclosures under this privacy regulation would be
limited by those laws.
Reporting Requirement
Comment: One comment noted that federal agencies must provide
information to certain entities pursuant to various federal statutes.
For example, federal agencies must not withhold information from a
Congressional oversight committee or the General Accounting Office.
Similarly, some federal agencies must provide the Bureau of the Census
and the National Archives and Records Administration with certain
information. This comment expressed concern that the privacy regulation
would conflict with these requirements. Additionally, the commenter
asked whether the privacy notice would need to contain these uses and
disclosures and recommended that a general statement that these federal
agencies would disclose protected health information when required by
law be considered sufficient to meet the privacy notice requirements.
Response: To the extent a federal agency acting as a covered entity
is required by federal statute to disclose protected health
information, the regulation permits the disclosure as required by law
under Sec. 164.512(a). The notice provisions at
Sec. 164.520(b)(1)(ii)(B) require covered entities to provide a brief
description of the purposes for which the covered
[[Page 82599]]
entity is permitted or required by the rules to use or disclose
protected health information without an individual's written
authorization. If these statutes require the disclosures, covered
entities subject to the requirement may make the disclosure pursuant to
Sec. 164.512(a). Thus, their notice must include a description of the
category of these disclosures. For example, a general statement such as
the covered entity ``will disclose your protected health information to
comply with legal requirements'' should suffice.
Comment: One comment stressed that the final rule should not
inadvertently preempt mandatory reporting laws duly enacted by federal,
state, or local legislative bodies. This commenter also suggested that
the final rule not prevent the reporting of violations to law
enforcement agencies.
Response: We agree. Like the proposed rule, the final rule permits
covered entities to disclose protected health information when required
by law under Sec. 164.512(a). To the extent a covered entity is
required by law to make a report to law enforcement agencies or is
otherwise permitted to make a disclosure to a law enforcement agency as
described in Sec. 164.512(f), it may do so without an authorization.
Alternatively, a covered entity may always request that individuals
authorize these disclosures.
Security Standards
Comment: One comment called for HHS to consider the privacy
regulation in conjunction with the other HIPAA standards. In
particular, this comment focused on the belief that the security
standards should be compatible with the existing and emerging health
care and information technology industry standards.
Response: We agree that the security standards and the privacy
rules should be compatible with one another and are working to ensure
that the final rules in both areas function together. Because we are
addressing comments regarding the privacy rules in this preamble, we
will consider the comment about the security standard as we finalize
that set of rules.
Substance Abuse Confidentiality Statute and Regulations
Comment: Several commenters noted that many health care providers
are bound by the federal restrictions governing alcohol and drug abuse
records. One commenter noted that the NPRM differed substantially from
the substance abuse regulations and would have caused a host of
practical problems for covered entities. Another commenter, however,
supported the NPRM's analysis that stated that more stringent
provisions of the substance abuse provisions would apply. This
commenter suggested an even stronger approach of including in the text
a provision that would preserve existing federal law. Yet, one comment
suggested that the regulation as proposed would confuse providers by
making it difficult to determine when they may disclose information to
law enforcement because the privacy regulation would permit disclosures
that the substance abuse regulations would not.
Response: We appreciate the need of some covered entities to
evaluate the privacy rules in light of federal requirements regarding
alcohol and drug abuse records. Therefore, we provide a more detailed
analysis in the ``Relationship to Other Federal Laws'' section of the
preamble.
Comment: Some of these commenters also noted that state laws
contain strict confidentiality requirements. A few commenters suggested
that HHS reassess the regulations to avoid inconsistencies with state
privacy requirements, implying that problems exist because of conflicts
between the federal and state laws regarding the confidentiality of
substance abuse information.
Response: As noted in the preamble section discussing preemption,
the final rules do not preempt state laws that provide more privacy
protections. For a more detailed analysis of the relationship between
state law and the privacy rules, see the ``Preemption'' provisions of
the preamble.
Tribal Law
Comments: One commenter suggested that the consultation process
with tribal governments described in the NPRM was inadequate under
Executive Order No. 13084. In addition, the commenter expressed concern
that the disclosures for research purposes as permitted by the NPRM
would conflict with a number of tribal laws that offer individuals
greater privacy rights with respect to research and reflects cultural
appropriateness. In particular, the commenter referenced the Health
Research Code for the Navajo Nation which creates a entity with broader
authority over research conducted on the Navajo Nation than the local
IRB and requires informed consent by study participants. Other laws
mentioned by the commenter included the Navajo Nation Privacy and
Access to Information Act and a similar policy applicable to all health
care providers within the Navajo Nation. The commenter expressed
concern that the proposed regulation research provisions would override
these tribal laws.
Response: We disagree with the comment that the consultation with
tribal governments undertaken prior to the proposed regulation is
inadequate under Executive Order No. 13084. As stated in the proposed
regulation, the Department consulted with representatives of the
National Congress of American Indians and the National Indian Health
Board, as well as others, about the proposals and the application of
HIPAA to the Tribes, and the potential variations based on the
relationship of each Tribe with the IHS for the purpose of providing
health services. In addition, Indian and tribal governments had the
opportunity to, and did, submit substantive comments on the proposed
rules.
Additionally, disclosures permitted by this regulation do not
conflict with the policies as described by this commenter. Disclosures
for research purposes under the final rule, as in the proposed
regulation, are permissive disclosures only. The rule describes the
outer boundaries of permissible disclosures. A covered health care
provider that is subject to the tribal laws of the Navajo Nation must
continue to comply with those tribal laws. If the tribal laws impose
more stringent privacy standards on disclosures for research, such as
requiring informed consent in all cases, nothing in the final rule
would preclude compliance with those more stringent privacy standards.
The final rule does not interfere with the internal governance of the
Navajo Nation or otherwise adversely affect the policy choices of the
tribal government with respect to the cultural appropriateness of
research conducted in the Navajo Nation.
TRICARE
Comment: One comment expressed concern regarding the application of
the ``minimum necessary'' standard to investigations of health care
providers under the TRICARE (formerly the CHAMPUS) program. The comment
also expressed concern that health care providers would be able to
avoid providing their records to such investigators because the
proposed Sec. 164.510 exceptions were not mandatory disclosures.
Response: In our view, neither the minimum necessary standard nor
the final Secs. 164.510 and 164.512 permissive disclosures will impede
such investigations. The regulation requires covered entities to make
all reasonable efforts not to disclose more than the minimum amount of
protected health
[[Page 82600]]
information necessary to accomplish the intended purpose of the use or
disclosure. This requirement, however, does not apply to uses or
disclosures that are required by law. See Sec. 164.502(b)(2)(iv). Thus,
if the disclosure to the investigators is required by law, the minimum
necessary standard will not apply. Additionally, the final rule
provides that covered entities rely, if such reliance is reasonable, on
assertions from public officials about what information is reasonably
necessary for the purpose for which it is being sought. See
Sec. 164.514(d)(3)(iii).
We disagree with the assertion that providers will be able to avoid
providing their records to investigators. Nothing in this rule permits
covered entities to avoid disclosures required by other laws.
Veterans Affairs
Comment: One comment sought clarification about how disclosures of
protected health information would occur within the Veterans Affairs
programs for veterans and their dependents.
Response: We appreciate the commenter's request for clarification
as to how the rules will affect disclosures of protected health
information in the specific context of Veteran's Affairs programs.
Veterans health care programs under 38 U.S.C. chapter 17 are defined as
``health plans.'' Without sufficient details as to the particular
aspects of the Veterans Affairs programs that this comment views as
problematic, we cannot comment substantively on this concern.
Comment: One comment suggested that the final regulation clarify
that the analysis applied to the substance abuse regulations apply to
laws governing Veteran's Affairs health records.
Response: Although we realize some difference may exist between the
laws, we believe the discussion of federal substance abuse
confidentiality regulations in the ``Relationship to Other Federal
Laws'' preamble provides guidance that may be applied to the laws
governing Veteran's Affairs (``VA'') health records. In most cases, a
conflict will not exist between these privacy rules and the VA
programs. For example, some disclosures allowed without patient consent
or authorization under the privacy regulation may not be within the VA
statutory list of permissible disclosures without a written consent. In
such circumstances, the covered entity would have to abide by the VA
statute, and no conflict exists. If the disclosures permitted by the VA
statute come within the permissible disclosures of our rules, no
conflict exists. In some cases, our rules may demand additional
requirements, such as obtaining the approval of a privacy board or
Institutional Review Board if a covered entity seeks to disclose
protected health information for research purposes without the
individual's authorization. A covered entity subject to the VA statute
will need to ensure that it meets the requirements of both that statute
and the regulation below. If a conflict arises, the covered entity
should evaluate the specific potential conflicting provisions under the
implied repeal analysis set forth in the ``Relationship to Other
Federal Laws'' discussion in the preamble.
WIC
Comment: One comment called on other federal agencies to examine
their regulations and policies regarding the use and disclosure of
protected health information. The comment suggested that other agencies
revise their regulations and policies to avoid duplicative,
contradictory, or more stringent requirements. The comment noted that
the U.S. Department of Agriculture's Special Supplemental Nutrition
Program for Women, Infants, and Children (``WIC'') does not release WIC
data. Because the commenter believed the regulation would not prohibit
the disclosure of WIC data, the comment stated that the Department of
Agriculture should now release such information.
Response: We support other federal agencies to whom the rules apply
in their efforts to review existing regulations and policies regarding
protected health information. However, we do not agree with the
suggestion that other federal agencies that are not covered entities
must reduce the protections or access-related rights they provide for
individually identifiable health information they hold.
Part 160, Subpart C--Compliance and Enforcement
Section 160.306(a)--Who Can File Complaints With the Secretary
Comment: The proposed rule limited those who could file a complaint
with the Secretary to individuals. A number of commenters suggested
that other persons with knowledge of a possible violation should also
be able to file complaints. Examples that were provided included a
mental health care provider with first hand knowledge of a health plan
improperly requiring disclosure of psychotherapy notes and an
occupational health nurse with knowledge that her human resources
manager is improperly reviewing medical records. A few comments raised
the concern that permitting any person to file a complaint lends itself
to abuse and is not necessary to ensure privacy rights and that the
complainant should be a person for whom there is a duty to protect
health information.
Response: As discussed below, the rule defines ``individual'' as
the person who is the subject of the individually identifiable health
information. However, the covered entity may allow other persons, such
as personal representatives, to exercise the rights of the individual
under certain circumstances, e.g., for a deceased individual. We agree
with the commenters that any person may become aware of conduct by a
covered entity that is in violation of the rule. Such persons could
include the covered entity's employees, business associates, patients,
or accrediting, health oversight, or advocacy agencies or
organizations. Many persons, such as the covered entity's employees,
may, in fact, be in a better position than the ``individual'' to know
that a violation has occurred. Another example is a state Protection
and Advocacy group that may represent persons with developmental
disabilities. We have decided to allow complaints from any person. The
term ``person'' is not restricted here to human beings or natural
persons, but also includes any type of association, group, or
organization.
Allowing such persons to file complaints may be the only way the
Secretary may learn of certain possible violations. Moreover,
individuals who are the subject of the information may not be willing
to file a complaint because of fear of embarrassment or retaliation.
Based on our experience with various civil rights laws, such as Title
VI of the Civil Rights Act of 1964 and Title II of the Americans with
Disabilities Act, that allow any person to file a complaint with the
Secretary, we do not believe that this practice will result in abuse.
Finally, upholding privacy protections benefits all persons who have or
may be served by the covered entity as well as the general public, and
not only the subject of the information.
If a complaint is received from someone who is not the subject of
protected health information, the person who is the subject of this
information may be concerned with the Secretary's investigation of this
complaint. While we did not receive comments on this issue, we want to
protect the privacy rights of this individual. This might
[[Page 82601]]
involve the Secretary seeking to contact the individual to provide
information as to how the Secretary will address individual's privacy
concerns while resolving the complaint. Contacting all individuals may
not be practicable in the case of allegations of systemic violations
(e.g., where the allegation is that hundreds of medical records were
wrongfully disclosed).
Requiring That a Complainant Exhaust the Covered Entity's Internal
Complaint Process Prior to Filing a Complaint With the Secretary
Comment: A number of commenters, primarily health plans, suggested
that individuals should not be permitted to file a complaint with the
Secretary until they exhaust the covered entity's own complaint
process. Commenters stated that covered entities should have a certain
period of time, such as ninety days, to correct the violation. Some
commenters asserted that providing for filing a complaint with the
Secretary will be very expensive for both the public and private
sectors of the health care industry to implement. Other commenters
suggested requiring the Secretary to inform the covered entity of any
complaint it has received and not initiate an investigation or ``take
enforcement action'' before the covered entity has time to address the
complaint.
Response: We have decided, for a number of reasons, to retain the
approach as presented in the proposed rule. First, we are concerned
that requiring that complainants first notify the covered entity would
have a chilling effect on complaints. In the course of investigating
individual complaints, the Secretary will often need to reveal the
identity of the complainant to the covered entity. However, in the
investigation of cases of systemic violations and some individual
violations, individual names may not need to be identified. Under the
approach suggested by these commenters, the covered entity would learn
the names of all persons who file complaints with the Secretary. Some
individuals might feel uncomfortable or fear embarrassment or
retaliation revealing their identity to the covered entity they believe
has violated the regulation. Individuals may also feel they are being
forced to enter into negotiations with this entity before they can file
a complaint with the Secretary.
Second, because some potential complainants would not bring
complaints to the covered entity, possible violations might not become
known to the Secretary and might continue. Third, the delay in the
complaint coming to the attention of the Secretary because of the time
allowed for the covered entity to resolve the complaint may mean that
significant violations are not addressed expeditiously. Finally, the
process proposed by these commenters is arguably unnecessary because an
individual who believes that an agreement can be reached with the
covered entity, can, through the entity's internal complaint process or
other means, seek resolution before filing a complaint with the
Secretary.
Our approach is consistent with other laws and regulations
protecting individual rights. None of the civil rights laws enforced by
the Secretary require a complainant to provide any notification to the
entity that is alleged to have engaged in discrimination (e.g.,
Americans with Disabilities Act, section 504 of the Rehabilitation Act,
Title VI of the Civil Rights Act, and the Age Discrimination Act). The
concept of ``exhaustion'' is used in laws that require individuals to
pursue administrative remedies, such as that provided by a governmental
agency, before bringing a court action. Under HIPAA, individuals do not
have a right to court action.
Some commenters seemed to believe that the Secretary would pursue
enforcement action without notifying the covered entity. It has been
the Secretary's practice in investigating cases under other laws, such
as various civil rights laws, to inform entities that we have received
a complaint against them and to seek early resolution if possible. In
enforcing the privacy rule, the Secretary will generally inform the
covered entity of the nature of any complaints it has received against
the entity. (There may be situations where information is withheld to
protect the privacy interests of the complainant or others or where
revealing information would impede the investigation of the covered
entity.) The Secretary will also generally afford the entity an
opportunity to share information with the Secretary that may result in
an early resolution. Our approach will be to seek informal resolution
of complaints whenever possible, which includes allowing covered
entities a reasonable amount of time to work with the Secretary to come
into compliance before initiating action to seek civil monetary
penalties.
Section 160.306(b)(3)--Requiring That Complaints Be Filed With the
Secretary Within a Certain Period of Time
Comment: A number of commenters, primarily privacy and disability
advocacy organizations, suggested that the regulation require that
complaints be filed with the Secretary by a certain time. These
commenters generally recommended that the time period for filing a
complaint should commence to run from the time when the individual knew
or had reason to know of the violation or omission. Another comment
suggested that a requirement to file a complaint with the Secretary
within 180 days of the alleged noncompliance is a problem because a
patient may, because of his or her medical condition, be unable to
access his or her records within that time frame.
Response: We agree with the commenters that complainants should
generally be required to submit complaints in a timely fashion. Federal
regulations implementing Title VI of the Civil Rights Act of 1964
provide that ``[a] complaint must be filed not later than `180 days
from the date of the alleged discrimination' unless the time for filing
is extended by the responsible Department official or his designee.''
45 CFR 80.7(b). Other civil rights laws, such as the Age Discrimination
Act, section 504 of the Rehabilitation Act, and Title II of the
Americans with Disabilities Act (ADA) (state and local government
services), also use this approach. Under civil rights laws administered
by the EEOC, individuals have 180 days of the alleged discriminatory
act to file a charge with EEOC (or 300 days if there is a state or
local fair employment practices agency involved).
Therefore, in the final rule we require that complaints be filed
within 180 days of when the complainant knew or should have known that
the act or omission complained of occurred unless this time limit is
waived by the Secretary for good cause shown. We believe that an
investigation of a complaint is likely to be most effective if persons
can be interviewed and documents reviewed as close to the time of the
alleged violation as possible. Requiring that complaints generally be
filed within a certain period of time increases the likelihood that the
Secretary will have necessary and reliable information. Moreover, we
are taking this approach in order to encourage complainants to file
complaints as soon as possible. By receiving complaints in a timely
fashion, we can, if such complaints prove valid, reduce the harm caused
by the violation.
Section 160.308--Basis for Conducting Compliance Reviews
Comment: A number of comments expressed concern that the Secretary
would conduct compliance reviews
[[Page 82602]]
without having received a complaint or having reason to believe there
is noncompliance. A number of these commenters appeared to believe that
the Secretary would engage in ``routine visits.'' Some commenters
suggested that the Secretary should only be able to conduct compliance
reviews if the Secretary has initiated an investigation of a complaint
regarding the covered entity in the preceding twelve months. Some
commenters suggested that there should only be compliance reviews based
on established criteria for reviews (e.g., finding of ``reckless
disregard''). Many of these commenters stated that cooperating with
compliance reviews is potentially burdensome and expensive.
One commenter asked whether the Secretary will have a process for
reviewing all covered entities to determine how they are complying with
requirements. This commenter questioned whether covered entities will
be required to submit plans and wait for Departmental approval.
Another commenter suggested that the Secretary specify a time limit
for the completion of a compliance review.
Response: We disagree with the commenters that the final rule
should restrict the Secretary's ability to conduct compliance reviews.
The Secretary needs to maintain the flexibility to conduct whatever
reviews are necessary to ensure compliance with the rule.
Section 160.310 (a) and (c)--The Secretary's Access to Information in
Determining Compliance
Comment: Some commenters raised objections to provisions in the
proposed rule which required that covered entities maintain records and
submit compliance reports as the Secretary determines is necessary to
determine compliance and required that covered entities permit access
by the Secretary during normal business hours to its books, records,
accounts, and other sources of information, including protected health
information, and its facilities, that are pertinent to ascertaining
compliance with this subpart. One commenter stated that the Secretary's
access to private health information without appropriate patient
consent is contrary to the intent of HIPAA. Another commenter expressed
the view that, because covered entities face criminal penalties for
violations, these provisions violate the Fifth Amendment protections
against forced self incrimination. Other commenters stated that covered
entities should be given the reason the Secretary needs to have access
to its books and records. Another commenter stated that there should be
a limit to the frequency or extent of intrusion by the federal
government into the business practices of a covered entity and that
these provisions violate the Fourth Amendment of the Constitution.
Finally, a coalition of church plans suggested that the Secretary
provide church plans with additional procedural safeguards to reduce
unnecessary intrusion into internal church operations. These suggested
safeguards included permitting HHS to obtain records and other
documents only if they are relevant and necessary to compliance and
enforcement activities related to church plans, requiring a senior
official to determine the appropriateness of compliance-related
activities for church plans, and providing church plans with a self-
correcting period similar to that Congress expressly provided in Title
I of HIPAA under the tax code.
Response: The final rule retains the proposed language in these two
provisions with one change. The rule adds a provision indicating that
the Secretary's access to information held by the covered entity may be
at any time and without notice where exigent circumstances exist, such
as where time is of the essence because documents might be hidden or
destroyed. Thus, covered entities will generally receive notice before
the Secretary seeks to access the entity's books or records.
Other than the exigent circumstances language, the language in
these two provisions is virtually the same as the language in this
Department's regulation implementing Title VI of the Civil Rights Act
of 1964. 45 CFR 80.6(b) and (c). The Title VI regulation is
incorporated by reference in other Department regulations prohibiting
discrimination of the basis of disability. 45 CFR 84.61. Similar
provisions allowing this Department access to recipient information is
found in the Secretary's regulation implementing the Age Discrimination
Act. 45 CFR 91.34. These provisions have not proved to be burdensome to
entities that are subject to these civil rights regulations (i.e., all
recipients of Department funds).
We do not interpret Constitutional case law as supporting the view
that a federal agency's review of information pursuant to statutory
mandate violates the Fifth Amendment protections against forced self
incrimination. Nor would such a review of this information raise Fourth
Amendment problems. See discussion above regarding Constitutional
comments and responses.
We appreciate the concern that the Secretary not involve herself
unnecessarily into the internal operations of church plans. However, by
providing health insurance or care to their employees, church plans are
engaging in a secular activity. Under the regulation, church plans are
subject to the same compliance and enforcement requirements with which
other covered entities must comply. Because Congress did not carve out
specific exceptions or require stricter standards for investigations
related to church plans, incorporating such measures into the
regulation would be inappropriate.
Additionally, there is no indication that the regulation will
directly interfere with the religious practices of church plans. Also,
the regulation as written appropriately limits the ability of
investigators to obtain information from covered entities. The
regulation provides that the Secretary may obtain access only to
information that is pertinent to ascertain compliance with the
regulation. We do not anticipate asking for information that is not
necessary to assess compliance with the regulation. The purpose of
obtaining records and similar materials is to determine compliance, not
to engage in any sort of review or evaluation of religious activities
or beliefs. Therefore, we believe the regulation appropriately balances
the need to access information to determine compliance with the desire
of covered entities to avoid opening every record in their possession
to the government.
Provision of Technical Assistance
Comment: A number of commenters inquired as to how a covered entity
can request technical assistance from the Secretary to come into
compliance. A number of commenters suggested that the Secretary provide
interpretive guidance to assist with compliance. Others recommended
that the Secretary have a contact person or privacy official, available
by telephone or email, to provide guidance on the appropriateness of a
disclosure or a denial of access. One commenter suggested that there be
a formal process for a covered entity to submit compliance activities
to the Secretary for prior approval and clarification. This commenter
suggested that clarifications be published on a contemporaneous basis
in the Federal Register to help correct any ambiguities and confusion
in implementation. It was also suggested that the Secretary undertake
an assessment of ``best practices'' of covered entities and document
and promote the findings to serve as a convenient ``road map'' for
other covered entities. Another commenter suggested that we work with
providers to create implementation guidelines modeled after the
interpretative
[[Page 82603]]
guidelines that HCFA creates for surveyors on the conditions of
participation for Medicare and Medicaid contractors.
Response: While we have not in the final rule committed the
Secretary to any specific model of providing guidance or assistance, we
do state our intent, subject to budget and staffing constraints, to
develop a technical assistance program that will include the provision
of written material when appropriate to assist covered entities in
achieving compliance. We will consider other models including HCFA's
Medicare and Medicaid interpretative guidelines. Further information
regarding the Secretary's technical assistance program may be provided
in the Federal Register and on the HHS Office for Civil Rights (OCR)
Web Site. While OCR plans to have fully trained staff available to
respond to questions, its ability to provide individualized advice in
regard to such matters as the appropriateness of a particular
disclosure or the sufficiency of compliance activities will be based on
staff resources and demands. The idea of looking at ``best practices''
and sharing information with all covered entities is a good one and we
will explore how best to do this. We note that a covered entity is not
excused from compliance with the regulation because of any failure to
receive technical assistance or guidance.
Basis for Violation Findings and Enforcement
Comment: A number of commenters asked that covered entities not be
liable for violations of the rule if they have acted in good faith. One
commenter indicated that enforcement actions should not be pursued
against covered entities that make legitimate business decisions about
how to comply with the privacy standards.
Response: The commenters seemed to argue that even if a covered
entity does not comply with a requirement of the rule, the covered
entity should not be liable if there was an honest and sincere
intention or attempt to fulfill its obligations. The final rule,
however, does not take this approach but instead draws careful
distinctions between what a covered entity must do unconditionally, and
what a covered entity must make certain reasonable efforts to do. In
addition, the final rule is clear as to the specific provisions where
``good faith'' is a consideration. For example, a covered entity is
permitted to use and disclose protected health information without
authorization based on criteria that includes a good faith belief that
such use or disclosure is necessary to avert an imminent threat to
health or safety (Sec. 164.512(j)(1)(i)). Therefore, covered entities
need to pay careful attention to the specific language in each
requirement. However, we note that many of these provisions can be
implemented in a variety of ways; e.g, covered entities can exercise
business judgement regarding how to conduct staff training.
As to enforcement, a covered entity will not necessarily suffer a
penalty solely because an act or omission violates the rule. As we
discuss elsewhere, the Department will exercise discretion to consider
not only the harm done, but the willingness of the covered entity to
achieve voluntary compliance. Further, the Administrative
Simplification provisions of HIPAA provide that whether a violation was
known or not is relevant in determining whether civil or criminal
penalties apply. In addition, if a civil penalty applies, HIPAA allows
the Secretary, where the failure to comply was due to reasonable cause
and not to willful neglect, to delay the imposition of the penalty to
allow the covered entity to comply. The Department will develop and
release for public comment an enforcement regulation applicable to all
the administrative simplification regulations that will address these
issues.
Comment: One commenter asked whether hospitals will be vicariously
liable for the violations of their employees and expressed concern that
hospitals and other providers will be the ones paying large fines.
Response: The enforcement regulation will address this issue.
However, we note that section 1128A(1) of the Social Security Act,
which applies to the imposition of civil monetary penalties under
HIPAA, provides that a principal is liable for penalties for the
actions of its agent acting within the scope of the agency. Therefore,
a covered entity will generally be responsible for the actions of its
employees such as where the employee discloses protected health
information in violation of the regulation.
Comment: A commenter expressed the concern that if a covered entity
acquires a non-compliant health plan, it would be liable for financial
penalties. This commenter suggested that, at a minimum, the covered
entity be given a grace period of at least a year, but not less than
six months to bring any acquisition up to standard. The commenter
stated that the Secretary should encourage, not discourage, compliant
companies to acquire non-compliant ones. Another commenter expressed a
general concern about resolution of enforcement if an entity faced with
a HIPAA complaint acquires or merges with an entity not covered by
HIPAA.
Response: As discussed above, the Secretary will encourage
voluntary efforts to cure violations of the rule, and will consider
that fact in determining whether to bring a compliance action. We do
not agree, however, that we should limit our authority to pursue
violations of the rule if the situation warrants it.
Comment: One commenter was concerned about the ``undue risk'' of
liability on originators of information, stemming from the fact that
``the number of covered entities is limited and they are unable to
restrict how a recipient of information may use or re-disclose
information * * *''
Response: Under this rule, we do not hold covered entities
responsible for the actions of recipients of protected health
information, unless the recipient is a business associate of the
covered entity. We agree that it is not fair to hold covered entities
responsible for the actions of persons with whom they have no on-going
relationship, but believe it is fair to expect covered entities to hold
their business associates to appropriate standards of behavior with
respect to health information.
Other Compliance and Enforcement Comments
Comment: A number of comments raised questions regarding the
Secretary's priorities for enforcement. A few commenters stated that
they supported deferring enforcement until there is experience using
the proposed standards. One organization asked that we clarify that the
regulation does not replace or otherwise modify the self-regulatory/
consumer empowerment approach to consumer privacy in the online
environment.
Response: We have not made any decisions regarding enforcement
priorities. It appears that some commenters believe that no enforcement
action will be taken against a given covered entity until that entity
has had some time to comply. Covered entities have two years to come
into compliance with the regulation (three years in the case of small
health plans). Some covered entities will have had experience using the
standards prior to the compliance date. We do not agree that we should
defer enforcement where violations of the rule occur. It would be wrong
for covered entities to believe that enforcement action is based on
their not having much experience in
[[Page 82604]]
using a particular standard or meeting another requirement.
We support a self-regulation approach in that we recognize that
most compliance will be achieved by the voluntary activities of covered
entities rather than by our enforcement activities. Our emphasis will
be on education, technical assistance, and voluntary compliance and not
on finding violations and imposing penalties. We also support a
consumer empowerment approach. A knowledgeable consumer is key to the
effectiveness of this rule. A consumer familiar with the requirements
of this rule will be equipped to make choices regarding which covered
entity will best serve their privacy interests and will know their
rights under the rule and how they can seek redress for violations of
this rule. Privacy-minded consumers will seek to protect the privacy
rights of others by bringing concerns to the attention of covered
entities, the public, and the Secretary. However, we do not agree that
we should defer enforcement where violations of the rule occur.
Comment: One commenter expressed concern that by filing a complaint
an individual would be required to reveal sensitive information to the
public. Another commenter suggested that complaints regarding
noncompliance in regard to psychotherapy notes should be made to a
panel of mental health professionals designated by the Secretary. This
commenter also proposed that all patient information be maintained as
privileged, not be revealed to the public, and be kept under seal after
the case is reviewed and closed.
Response: We appreciate this concern and will seek to ensure that
individually identifiable health information and other personal
information contained in complaints will not be available to the
public. The privacy regulation provides, at Sec. 160.310(c)(3), that
protected health information obtained by the Secretary in connection
with an investigation or compliance review will not be disclosed except
if necessary for ascertaining or enforcing compliance with the
regulation or if required by law. In addition, this Department
generally seeks to protect the privacy of individuals to the fullest
extent possible, while permitting the exchange of records required to
fulfill its administrative and program responsibilities. The Freedom of
Information Act, 5 U.S.C. 552, and the HHS implementing regulation, 45
CFR part 5, provide substantial protection for records about
individuals where disclosure would constitute an unwarranted invasion
of their personal privacy. In implementing the privacy regulation, OCR
plans to continue its current practice of protecting its complaint
files from disclosure. OCR treats these files as investigatory records
compiled for law enforcement purposes. Moreover, OCR maintains that
disclosing protected health information in these files generally
constitutes an unwarranted invasion of personal privacy.
It is not clear in regarding the use of mental health
professionals, whether the commenter believes that such professionals
should be involved because they would be best able to keep
psychotherapy notes confidential or because such professionals can best
understand the meaning or relevance of such notes. OCR anticipates that
it will not have to obtain a copy or review psychotherapy notes in
investigating most complaints regarding noncompliance in regard to such
notes. There may be some cases where a review of the notes may be
needed such as where we need to identify that the information a covered
entity disclosed was in fact psychotherapy notes. If we need to obtain
a copy of psychotherapy notes, we will keep these notes confidential
and secure. OCR investigative staff will be trained to ensure that they
fully respect the confidentiality of personal information. In addition,
while the specific contents of these notes is generally not relevant to
violations under this rule, if such notes are relevant, we will secure
the expertise of mental health professionals if needed in reviewing
psychotherapy notes.
Comment: A member of Congress and a number of privacy and consumer
groups expressed concern with whether OCR has adequate funding to carry
out the major responsibility of enforcing the complaint process
established by this rule. The Senator stated that ``[d]ue to the
limited enforcement ability allowed for in this rule by HIPAA, it is
essential that OCR have the capacity to enforce the regulations. Now is
the time for OCR to begin building the necessary infrastructure to
enforce the regulation effectively.''
Response: We agree and are committed to an effective enforcement
program. We are working with Congress to ensure that the Secretary has
the necessary funds to secure voluntary compliance through education
and technical assistance, to investigate complaints and conduct
compliance reviews, to provide states with exception determinations,
and to use civil and criminal penalties when necessary. We will
continue to work with Congress and within the new Administration in
this regard.
Coordination With Reviewing Authorities
Comment: A number of commenters referenced other entities that
already consider the privacy of health information. One commenter
indicated opposition to the delegation of inspections to third party
organizations, such as the Joint Commission on the Accreditation of
Healthcare Organizations (JCAHO). A few commenters indicated that state
agencies are already authorized to investigate violations of state
privacy standards and that we should rely on those agencies to
investigate alleged violations of the privacy rules or delegate its
complaint process to states that wish to carry out this responsibility
or to those states that have a complaint process in place. Another
commenter argued that individuals should be required to exhaust any
state processes before filing a complaint with the Secretary. Others
referenced the fact that state medical licensing boards investigate
complaints against physicians for violating patient confidentiality.
One group asked that the federal government streamline all of these
activities so physicians can have a single entity to whom they must be
responsive. Another group suggested that OMB should be given
responsibility for ensuring that FEHB Plans operate in compliance with
the privacy standards and for enforcement.
A few commenters stated that the regulation might be used as a
basis for violation findings and subsequent penalties under other
Department authorities, such as under Medicare's Conditions of
Participation related to patient privacy and right to confidentiality
of medical records. One commenter wanted some assurance that this
regulation will not be used as grounds for sanctions under Medicare.
Another commenter indicated support for making compliance with the
privacy regulation a Condition of Participation under Medicare.
Response: HIPAA does not give the Secretary the authority to
delegate her responsibilities to other private or public agencies such
as JCAHO or state agencies. However, we plan to explore ways that we
may benefit from current activities that also serve to protect the
privacy of individually identifiable health information. For example,
if we conduct an investigation or review of a covered entity, that
entity may want to share information regarding findings of other bodies
that conducted similar reviews. We would welcome such
[[Page 82605]]
information. In developing its enforcement program, we may explore ways
it can coordinate with other regulatory or oversight bodies so that we
can efficiently and effectively pursue our joint interests in
protecting privacy.
We do not accept the suggestion that individuals be required to
exhaust their remedies under state law before filing a complaint with
the Secretary. Our rationale is similar to that discussed above in
regard to the suggestion that covered entities be required to exhaust a
covered entity's internal complaint process before filing a complaint
with the Secretary. Congress provided for federal privacy protection
and we want to allow individuals the right to this protection without
barriers or delay. Covered entities may in their privacy notice inform
individuals of any rights they have under state law including any right
to file privacy complaints. We do not have the authority to interfere
with state processes and HIPAA explicitly provides that we cannot
preempt state laws that provide greater privacy protection.
We have not yet addressed the issue as to whether this regulation
might be used as a basis for violation findings or penalties under
other Department authorities. We note that Medicare conditions of
participation require participating providers to have procedures for
ensuring the confidentiality of patient records, as well as afford
patients with the right to the confidentiality of their clinical
records.
Penalties
Comment: Many commenters considered the statutory penalties
insufficient to protect privacy, stating that the civil penalties are
too weak to have the impact needed to reduce the risk of inappropriate
disclosure. Some commenters took the opposing view and stated that
large fines and prison sentences for violations would discourage
physicians from transmitting any sort of health care information to any
other agency, regardless of the medical necessity. Another comment
expressed the concern that doctors will be at risk of going to jail for
protecting the privacy of individuals (by not disclosing information
the government believes should be released).
Response: The enforcement regulation will address the application
of the civil monetary and criminal penalties under HIPAA. The
regulation will be published in the Federal Register as a proposed
regulation and the public will have an opportunity to comment. We do
not believe that our rule, and the penalties available under it, will
discourage physicians and other providers from using or disclosing
necessary information. We believe that the rule permits physicians to
make the disclosures that they need to make under the health care
system without exposing themselves to jeopardy under the rule. We
believe that the penalties under the statute are woefully inadequate.
We support legislation that would increase the amount of these
penalties.
Comment: A number of commenters stated that the regulations should
permit individuals to sue for damages caused by breaches of privacy
under these regulations. Some of these commenters specified that
damages, equitable relief, attorneys fees, and punitive damages should
be available. Conversely, one comment stated that strong penalties are
necessary and would preclude the need for a private right of action.
Another commenter stated that he does not believe that the statute
intended to give individuals the equivalent of a right to sue, which
results from making individuals third party beneficiaries to contracts
between business partners.
Response: We do not have the authority to provide a private right
of action by regulation. As discussed below, the final rule deletes the
third party beneficiary provision that was in the proposed rule.
However, we believe that, in addition to strong civil monetary
penalties, federal law should allow any individual whose rights have
been violated to bring an action for actual damages and equitable
relief. The Secretary's Recommendations, which were submitted to
Congress on September 11, 1997, called for a private right of action to
permit individuals to enforce their privacy rights.
Comment: One comment stated that, in calculating civil monetary
penalties, the criteria should include aggravating or mitigating
circumstances and whether the violation is a minor or first time
violation. Several comments stated that penalties should be tiered so
that those that commit the most egregious violations face stricter
civil monetary penalties.
Response: As mentioned above, issues regarding civil fines and
criminal penalties will be addressed in the enforcement regulation.
Comment: One comment stated that the regulation should clarify
whether a single disclosure that involved the health information of
multiple parties would constitute a single or multiple infractions, for
the purpose of calculating the penalty amount.
Response: The enforcement regulation will address the calculation
of penalties. However, we note that section 1176 subjects persons to
civil monetary penalties of not more than $100 for each violation of a
requirement or prohibition and not more than $25,000 in a calendar year
for all violations of an identical requirement or prohibition. For
example, if a covered entity fails to permit amendment of protected
health information for 10 patients in one calendar year, the entity may
be fined up to $1000 ($100 times 10 violations equals $1000).
Part 164--Subpart A--General Requirements
Part 164--Subpart B-D--Reserved
Part 164--Subpart E--Privacy
Section 164.500--Applicability
Covered Entities
The response to comments on covered entities is included in the
response to comments on the definition of ``covered entity'' in the
preamble discussion of Sec. 160.103.
Covered Information
The response to comments on covered information is included in the
response to comments on the definition of ``protected health
information'' in the preamble discussion of Sec. 164.501.
Section 164.501--Definitions
Designated record set
Comment: Many commenters generally supported our proposed
definition of designated record set. Commenters suggested different
methods for narrowing the information accessible to individuals, such
as excluding information obtained without face-to-face interaction
(e.g., phone consultations). Other commenters recommended broadening
the information accessible to individuals, such as allowing access to
``the entire medical record,'' not just a designated record set. Some
commenters advocated for access to all information about individuals. A
few commenters generally supported the provision but recommended that
consultation and interpretative assistance be provided when the
disclosure may cause harm or misunderstanding.
Response: We believe individuals should have a right to access any
protected health information that may be used to make decisions about
them and modify the final rule to accomplish this result. This approach
facilitates an open and cooperative relationship between individuals
and covered health care providers and health plans and allows
individuals fair opportunities to know what health information may be
[[Page 82606]]
used to make decisions about them. We list certain records that are
always part of the designated record set. For covered providers these
are the medical record and billing record. For health plans these are
the enrollment, payment, claims adjudication, and case or medical
management records. The purpose of these specified records is
management of the accounts and health care of individuals. In addition,
we include in the designated record set to which individuals have
access any record used, in whole or in part, by or for the covered
entity to make decisions about individuals. Only protected health
information that is in a designated record set is covered. Therefore,
if a covered provider has a phone conversation, information obtained
during that conversation is subject to access only to the extent that
it is recorded in the designated record set.
We do not require a covered entity to provide access to all
individually identifiable health information, because the benefits of
access to information not used to make decisions about individuals is
limited and is outweighed by the burdens on covered entities of
locating, retrieving, and providing access to such information. Such
information may be found in many types of records that include
significant information not relevant to the individual as well as
information about other persons. For example, a hospital's peer review
files that include protected health information about many patients but
are used only to improve patient care at the hospital, and not to make
decisions about individuals, are not part of that hospital's designated
record sets.
We encourage but do not require covered entities to provide
interpretive assistance to individuals accessing their information,
because such a requirement could impose administrative burdens that
outweigh the benefits likely to accrue.
The importance to individuals of having the right to inspect and
copy information about them is supported by a variety of industry
groups and is recognized in current state and federal law. The July
1977 Report of the Privacy Protection Study Commission recommended that
individuals have access to medical records and medical record
information.\2\ The Privacy Act (5 U.S.C. 552a) requires government
agencies to permit individuals to review records and have a copy made
in a form comprehensible to the individual. In its report ``Best
Principles for Health Privacy,'' the Health Privacy Working Group
recommended that individuals should have the right to access
information about them.\3\ The National Association of Insurance
Commissioners' Health Information Privacy Model Act establishes the
right of an individual to examine or receive a copy of protected health
information in the possession of the carrier or a person acting on
behalf of the carrier.
---------------------------------------------------------------------------
\2\ Privacy Protection Study Commission, ``Personal Privacy in
an Information Society,'' July 1977, p. 298-299.
\3\ Health Privacy Working Group, ``Best Principles for Health
Privacy,'' Health Privacy Project, Institute for Health Care
Research and Policy, Georgetown University, July 1999.
---------------------------------------------------------------------------
Many states also establish a right for individuals to access health
information about them. For example, Alaska law (AK Code 18.23.005)
entitles patients ``to inspect and copy any records developed or
maintained by a health care provider or other person pertaining to the
health care rendered to the patient.'' Hawaii law (HRS section 323C-11)
requires health care providers and health plans, among others, to
permit individuals to inspect and copy protected health information
about them. Many other states have similar provisions.
Industry and standard-setting organizations also have developed
policies to enable individual access to health information. The
National Committee for Quality Assurance and the Joint Commission on
Accreditation of Healthcare Organizations issued recommendations
stating, ``Patients' confidence in the protection of their information
requires that they have the means to know what is contained in their
records. The opportunity for patients to review their records will
enable them to correct any errors and may provide them with a better
understanding of their health status and treatment.'' \4\ Standards of
the American Society for Testing and Materials state, ``The patient or
his or her designated personal representative has access rights to the
data and information in his or her health record and other health
information databases except as restricted by law. An individual should
be able to inspect or see his or her health information or request a
copy of all or part of the health information, or both.'' \5\ We build
on this well-established principle in this final rule.
---------------------------------------------------------------------------
\4\ National Committee on Quality Assurance and the Joint
Commission on Accreditation of Healthcare Organizations,
``Protecting Personal Health Information: A Framework for Meeting
the Challenges in a Managed Care Environment,'' 1998, p. 25.
\5\ ASTM, ``Standard Guide for Confidentiality, Privacy, Access
and Data Security, Principles for Health Information Including
Computer-Based Patient Records,'' E 1869-97, Sec. 11.1.1.
---------------------------------------------------------------------------
Comment: Several commenters advocated for access to not only
information that has already been used to make decisions, but also
information that may be used to make decisions. Other commenters
believed accessible information should be more limited; for example,
some commenters argued that accessible information should be restricted
to only information used to make health care decisions.
Response: We agree that it is desirable that individuals have
access to information reasonably likely to be used to make decisions
about them. On the other hand, it is desirable that the category of
records covered be readily ascertainable by the covered entity. We
therefore define ``designated record set'' to include certain
categories of records (a provider's medical record and billing record,
the enrollment records, and certain other records maintained by a
health plan) that are normally used, and are reasonably likely to be
used, to make decisions about individuals. We also add a category of
other records that are, in fact, used, in whole or in part, to make
decisions about individuals. This category includes records that are
used to make decisions about any individuals, whether or not the
records have been used to make a decision about the particular
individual requesting access.
We disagree that accessible information should be restricted to
information used to make health care decisions, because other decisions
by covered entities can also affect individuals' interests. For
example, covered entities make financial decisions about individuals,
such as whether an individual's deductible has been met. Because such
decisions can significantly affect individuals' interests, we believe
they should have access to any protected health information included in
such records.
Comment: Some commenters believed the rule should use the term
``retrievable'' instead of ``retrieved'' to describe information
accessible to individuals. Other commenters suggested that the rule
follow the Privacy Act's principle of allowing access only when
entities retrieve records by individual identifiers. Some commenters
requested clarification that covered entities are not required to
maintain information by name or other patient identifier.
Response: We have modified the proposed definition of the
designated record set to focus on how information is used, not how it
is retrieved. Information may be retrieved or retrievable by name, but
if it is never used to make decisions about any
[[Page 82607]]
individuals, the burdens of requiring a covered entity to find it and
to redact information about other individuals outweigh any benefits to
the individual of having access to the information. When the
information might be used to affect the individual's interests,
however, that balance changes and the benefits outweigh the burdens. We
confirm that this regulation does not require covered entities to
maintain any particular record set by name or identifier.
Comment: A few commenters recommended denial of access for
information relating to investigations of claims, fraud, and
misrepresentations. Many commenters suggested that sensitive,
proprietary, and legal documents that are ``typical state law
privileges'' be excluded from the right to access. Specific suggestions
for exclusion, either from the right of access or from the definition
of designated record set, include quality assurance activities,
information related to medical appeals, peer review and credentialing,
attorney-client information, and compliance committee activities. Some
commenters suggested excluding information already supplied to
individuals on previous requests and information related to health care
operations. However, some commenters felt that such information was
already excluded from the definition of designated record set. Other
commenters requested clarification that this provision will not prevent
patients from getting information related to medical malpractice.
Response: We do not agree that records in these categories are
never used to affect the interests of individuals. For example, while
protected health information used for peer review and quality assurance
activities typically would not be used to make decisions about
individuals, and, thus, typically would not be part of a designated
record set, we cannot say that this is true in all cases. We design
this provision to be sufficiently flexible to work with the varying
practices of covered entities.
The rule addresses several of these comments by excepting from the
access provisions (Sec. 164.524) information compiled in reasonable
anticipation of, or for use in, a civil, criminal, or administrative
action or proceeding. Similarly, nothing in this rule requires a
covered entity to divulge information covered by physician-patient or
similar privilege. Under the access provisions, a covered entity may
redact information in a record about other persons or information
obtained under a promise of confidentiality, prior to releasing the
information to the individual. We clarify that nothing in this
provision would prevent access to information needed to prosecute or
defend a medical malpractice action; the rules of the relevant court
determine such access.
We found no persuasive evidence to support excluding information
already supplied to individuals on previous requests. The burdens of
tracking requests and the information provided pursuant to requests
outweigh the burdens of providing the access requested. A covered
entity may, however, discuss the scope of the request for access with
the individual to facilitate the timely provision of access. For
example, if the individual agrees, the covered entity could supply only
the information created or received since the date access was last
granted.
Disclosure
Comment: A number of commenters asked that the definition of
``disclosure'' be modified so that it is clear that it does not include
the release, transfer, provision of access to, or divulging in any
other manner of protected health information to the individual who is
the subject of that information. It was suggested that we revise the
definition in this way to clarify that a health care provider may
release protected health information to the subject of the information
without first requiring that the patient complete an authorization
form.
Response: We agree with the commenters' concern, but accomplish
this result through a different provision in the regulation. In
Sec. 164.502 of this final rule, we specify that disclosures of
protected health information to the individual are not subject to the
limitations on disclosure of protected health information otherwise
imposed by this rule.
Comment: A number of commenters stated that the regulation should
not apply to disclosures occurring within or among different
subsidiaries or components of the same entity. One commenter
interpreted ``disclosure'' to mean outside the agency or, in the case
of a state Department of Health, outside sister agencies and offices
that directly assist the Secretary in performing Medicaid functions and
are listed in the state plan as entitled to receive Medicaid data.
Response: We agree that there are circumstances under which related
organizations may be treated as a single covered entity for purposes of
protecting the privacy of health information, and modify the rule to
accommodate such circumstances. In Sec. 164.504 of the final rule, we
specify the conditions under which affiliated companies may combine
into a single covered entity and similarly describe which components of
a larger organization must comply with the requirements of this rule.
For example, transfers of information within the designated component
or affiliated entity are uses while transfers of information outside
the designated component or affiliated entity are disclosures. See the
discussion of Sec. 164.504 for further information and rationale. It is
not clear from these comments whether the particular organizational
arrangements described could constitute a single covered entity.
Comment: A commenter noted that the definition of ``disclosure''
should reflect that health plan correspondence containing protected
health information, such as Explanation of Benefits (EOBs), is
frequently sent to the policyholder. Therefore, it was suggested that
the words ``provision of access to'' be deleted from the definition and
that a ``disclosure'' be clarified to include the conveyance of
protected health information to a third party.
Response: The definition is, on its face, broad enough to cover the
transfers of information described and so is not changed. We agree that
health plans must be able to send EOBs to policyholders. Sending EOB
correspondence to a policyholder by a covered entity is a disclosure
for purposes of this rule, but it is a disclosure for purposes of
payment. Therefore, subject to the provisions of Sec. 164.522(b)
regarding Confidential Communications, it is permitted even if it
discloses to the policyholder protected health information about
another individual (see below).
Health care operations
Comment: Several commenters stated that the list of activities
within the definition of health care operations was too broad and
should be narrowed. They asserted that the definition should be limited
to exclude activities that have little or no connection to the care of
a particular patient or to only include emergency treatment situations
or situations constituting a clear and present danger to oneself or
others.
Response: We disagree. We believe that narrowing the definition in
the manner requested will place serious burdens on covered entities and
impair their ability to conduct legitimate business and management
functions.
Comment: Many commenters, including physician groups, consumer
groups, and privacy advocates, argued that we should limit the
information that can be used for health care operations to de-
identified data. They
[[Page 82608]]
argued that if an activity could be done with de-identified data, it
should not be incorporated in the definition of health care operations.
Response: We disagree. We believe that many activities necessary
for the business and administrative operations of health plans and
health care providers are not possible with de-identified information
or are possible only under unduly burdensome circumstances. For
example, identified information may be used or disclosed during an
audit of claims, for a plan to contact a provider about alternative
treatments for specific patients, and in reviewing the competence of
health care professionals. Further, not all covered entities have the
same ability to de-identify protected health information. Covered
entities with highly automated information systems will be able to use
de-identified data for many purposes. Other covered entities maintain
most of their records on paper, so a requirement to de-identify
information would place too great a burden on the legitimate and
routine business functions included in the definition of health care
operations. Small business, which are most likely to have largely paper
records, would find such a blanket requirement particularly burdensome.
Protected health information that is de-identified pursuant to
Sec. 164.514(a) is not subject to this rule. We hope this provides
covered entities capable of de-identifying information with the
incentive to do so.
Comment: Some commenters requested that we permit the use of
demographic data (geographic, location, age, gender, and race) separate
from all other data for health care operations. They argued that
demographic data was needed to establish provider networks and monitor
providers to ensure that the needs of ethnic and minority populations
were being addressed.
Response: The use of demographic data for the stated purposes is
within the definition of health care operations; a special rule is not
necessary.
Comment: Some commenters pointed out that the definition of health
care operations is similar to, and at times overlaps with, the
definition of research. In addition, a number of commenters questioned
whether or not research conducted by the covered entity or its business
partner must only be applicable to and used within the covered entity
to be considered health care operations. Others questioned whether such
studies or research performed internal to a covered entity are ``health
care operations'' even if generalizable results may be produced.
Response: We agree that some health care operations have many of
the characteristics of research studies and in the NPRM asked for
comments on how to make this distinction. While a clear answer was not
suggested in any of the comments, the comments generally together with
our fact finding lead to the provisions in the final rule. The
distinction between health care operations and research rests on
whether the primary purpose of the study is to produce ``generalizable
knowledge.'' We have modified the definition of health care operations
to include ``quality assessment and improvement activities, including
outcomes evaluation and development of clinical guidelines, provided
that the obtaining of generalizable knowledge is not the primary
purpose of any studies resulting from such activities.'' If the primary
purpose of the activity is to produce generalizable knowledge, the
activity fits within this rule's definition of ``research'' and the
covered entity must comply with Secs. 164.508 or 164.512, including
obtaining an authorization or the approval of an institutional review
board or privacy board. If not and the activity otherwise meets the
definition of health care operations, the activity is not research and
may be conducted under the health care operations provisions of this
rule.
In some instances, the primary purpose of the activity may change
as preliminary results are analyzed. An activity that was initiated as
an internal outcomes evaluation may produce information that the
covered entity wants to generalize. If the purpose of a study changes
and the covered entity does intend to generalize the results, the
covered entity should document the change in status of the activity to
establish that they did not violate the requirements of this rule. (See
definition of ``research,'' below, for further information on the
distinction between ``research'' and ``health care operations.'')
We note that the difficulty in determining when an activity is for
the internal operations of an entity and when it is a research activity
is a long-standing issue in the industry. The variation among
commenters' views is one of many indications that, today, there is not
consensus on how to draw this line. We do not resolve the larger issue
here, but instead provide requirements specific to the information
covered by this rule.
Comment: Several commenters asked that disease management and
disability management activities be explicitly included in the
definition of health care operations. Many health plans asserted that
they would not be able to provide disease management, wellness, and
health promotion activities if the activity were solely captured in the
rule's definition of ``treatment.'' They also expressed concern that
``treatment'' usually applies to an individual, not to a population, as
is the practice for disease management.
Response: We were unable to find generally accepted definitions of
the terms ``disease management'' and ``disability management.'' Rather
than rely on this label, we include many of the functions often
included in discussions of disease management in this definition or in
the definition of treatment, and modify both definitions to address the
commenters' concerns. For example, we have revised the definition of
health care operations to include population-based activities related
to improving health or reducing health care costs. This topic is
discussed further in the comment responses regarding the definition of
``treatment,'' below.
Comment: Several commenters urged that the definition of health
care operations be illustrative and flexible, rather than structured in
the form of a list as in the proposed rule. They believed it would be
impossible to identify all the activities that constitute health care
operations. Commenters representing health plans were concerned that
the ``static'' nature of the definition would stifle innovation and
could not reflect the new functions that health plans may develop in
the future that benefit consumers, improve quality, and reduce costs.
Other commenters, expressed support for the approach taken in the
proposed rule, but felt the list was too broad.
Response: In the final rule, we revise the proposed definition of
health care operations to broaden the list of activities included, but
we do not agree with the comments asking for an illustrative definition
rather than an inclusive list. Instead, we describe the activities that
constitute health care operations in broad terms and categories, such
as ``quality assessment'' and ``business planning and development.'' We
believe the use of broadly stated categories will allow industry
innovation, but without the privacy risks entailed in an illustrative
approach.
Comment: Several commenters noted that utilization review and
internal quality review should be included in the definition. They
pointed out that both of these activities were discussed in the
preamble to the proposed rule but were not incorporated into the
regulation text.
[[Page 82609]]
Response: We agree and have modified the regulation text to
incorporate quality assessment and improvement activities, including
the development of clinical guidelines and protocol development.
Comment: Several commenters stated that the proposal did not
provide sufficient guidance regarding compiling and analyzing
information in anticipation of or for use in legal proceedings. In
particular, they raised concerns about the lack of specificity as to
when ``anticipation'' would be triggered.
Response: We agree that this provision was confusing and have
replaced it with a broader reference to conducting or arranging for
legal services generally.
Comment: Hospital representatives pointed out the pressure on
health care facilities to improve cost efficiencies, make cost-
effectiveness studies, and benchmark essential health care operations.
They emphasized that such activities often use identifiable patient
information, although the products of the analyses usually do not
contain identifiable health information. Commenters representing state
hospital associations pointed out that they routinely receive protected
health information from hospitals for analyses that are used by member
hospitals for such things as quality of care benchmark comparisons,
market share analysis, determining physician utilization of hospital
resources, and charge comparisons.
Response: We have expanded the definition of health care operations
to include use and disclosure of protected health information for the
important functions noted by these commenters. We also allow a covered
entity to engage a business associate to provide data aggregation
services. See Sec. 164.504(e).
Comment: Several commenters argued that many activities that are
integral to the day-to-day operations of a health plan have not been
included in the definition. Examples provided by the commenters
include: issuing plan identification cards, customer service, computer
maintenance, storage and back-up of radiologic images, and the
installation and servicing of medical equipment or computer systems.
Response: We agree with the commenters that there are activities
not directly part of treatment or payment that are more closely
associated with the administrative or clerical functions of the plan or
provider that need to be included in the definition. To include such
activities in the definition of health care operations, we eliminate
the requirement that health care operations be directly related to
treatment and payment, and we add to this definition the new categories
of business management (including general administrative activities)
and business planning activities.
Comment: One commenter asked for clarification on whether cost-
related analyses could also be done by providers as well as health
plans.
Response: Health care operations, including business management
functions, are not limited to health plans. Any covered entity can
perform health care operations.
Comment: One commenter stated that the proposed rule did not
address what happens to records when a covered entity is sold or merged
with another entity.
Response: We agree and add to the definition of health care
operations disclosures of protected health information for due
diligence to a covered entity that is a potential successor in
interest. This provision includes disclosures pursuant to the sale of a
covered entity's business as a going concern, mergers, acquisitions,
consolidations, and other similar types of corporate restructuring
between covered entities, including a division of a covered entity, and
to an entity that is not a covered entity but will become a covered
entity if the reorganization or sale is completed. Other types of sales
of assets, or disclosures to organizations that are not and would not
become covered entities, are not included in the definition of health
care operations and could only occur if the covered entity obtained
valid authorization for such disclosure in accordance with Sec. 164.508
or if the disclosure is otherwise permitted under this rule.
Once a covered entity is sold or merged with another covered
entity, the successor in interest becomes responsible for complying
with this regulation with respect to the transferred information.
Comment: Several commenters expressed concern that the definition
of health care operations failed to include the use of protected health
information for the underwriting of new health care policies and took
issue with the exclusion of uses and disclosures of protected health
information of prospective enrollees. They expressed the concern that
limiting health care operations to the underwriting and rating of
existing members places a health plan in the position of not being able
to evaluate prudently and underwrite a consumer's health care risk.
Response: We agree that covered entities should be able to use the
protected health information of prospective enrollees to underwrite and
rate new business and change the definition of health care operations
accordingly. The definition of health care operations below includes
underwriting, premium rating, and other activities related to the
creation of a contract of health insurance.
Comment: Several commenters stated that group health plans needed
to be able to use and disclose protected health information for
purposes of soliciting a contract with a new carrier and rate setting.
Response: We agree and add ``activities relating to the * * *
replacement of a contract of insurance'' to cover such disclosures. See
Sec. 164.504 for the rules for plan sponsors of group health plans to
obtain such information.
Comment: Commenters from the business community supported our
recognition of the importance of financial risk transfer mechanisms in
the health care marketplace by including ``reinsurance'' in the
definition of health care operations. However, they stated that the
term ``reinsurance'' alone was not adequate to capture ``stop-loss
insurance'' (also referred to as excess of loss insurance), another
type of risk transfer insurance.
Response: We agree with the commenters that stop-loss and excess of
loss insurance are functionally equivalent to reinsurance and add these
to the definition of health care operations.
Comment: Commenters from the employer community explained that
there is a trend among employers to contract with a single insurer for
all their insurance needs (health, disability, workers' compensation).
They stated that in these integrated systems, employee health
information is shared among the various programs in the system. The
commenters believed the existing definition poses obstacles for those
employers utilizing an integrated health system because of the need to
obtain authorizations before being permitted to use protected health
information from the health plan to administer or audit their
disability or workers' compensation plan.
Other commenters representing employers stated that some employers
wanted to combine health information from different insurers and health
plans providing employee benefits to their workforces, including its
group health plan, workers' compensation insurers, and disability
insurers, so that they could have more information in order to better
manage the occurrences of disability and illness among their
workforces. They expressed concern
[[Page 82610]]
that the proposed rule would not permit such sharing of information.
Response: While we agree that integrating health information from
different benefit programs may produce efficiencies as well as benefits
for individuals, the integration also raises significant privacy
concerns, particularly if there are no safeguards on uses and
disclosures from the integrated data. Under HIPAA, we do not have
jurisdiction over many types of insurers that use health information,
such as workers' compensation insurers or insurers providing disability
income benefits, and we cannot address the extent to which they provide
individually identifiable health information to a health plan, nor do
we prohibit a health plan from receiving such information. Once a
health plan receives identifiable health information, however, the
information becomes protected and may only be used and disclosed as
otherwise permitted by this rule.
We clarify, however, that a covered entity may provide data and
statistical analyses for its customers as a health care operation,
provided that it does not disclose protected health information in a
way that would otherwise violate this rule. A group health plan or
health insurance issuer or HMO, or their business associate on their
behalf, may perform such analyses for an employer customer and provide
the results in de-identified form to the customer, using integrated
data received from other insurers, as long as protected health
information is not disclosed in violation of this rule. See the
definition of ``health care operations,'' Sec. 164.501. If the employer
sponsors more than one group health plan, or if its group health plan
provides coverage through more than one health insurance issuer or HMO,
the different covered entities may be an organized health care
arrangement and be able to jointly participate in such an analysis as
part of the health care operations of such organized health care
arrangement. See the definitions of ``health care operations'' and
``organized health care arrangement,'' Sec. 164.501. We further clarify
that a plan sponsor providing plan administration to a group health
plan may participate in such an analysis, provided that the
requirements of Sec. 164.504(f) and other parts of this rule are met.
The results described above are the same whether the health
information that is being combined is from separate insurers or from
one entity that has a health component and also provides excepted
benefits. See the discussion relating to health care components,
Sec. 164.504.
We note that under the arrangements described above, the final rule
provides substantial flexibility to covered entities to provide general
data and statistical analyses, resulting in the disclosure of de-
identified information, to employers and other customers. An employer
also may receive protected health information from a covered entity for
any purpose, including those described in comment above, with the
authorization of the individual. See Sec. 164.508.
Comment: A number of commenters asserted that the proposed
definition appeared to limit training and educational activities to
that of health care professionals, students, and trainees. They asked
that we expand the definition to include other education-related
activities, such as continuing education for providers and training of
non-health care professionals as needed for supporting treatment or
payment.
Response: We agree with the commenters that the definition of
health care operations was unnecessarily limiting with respect to
educational activities and expand the definition of health care
operations to include ``conducting training programs in which students,
trainees, or practitioners in areas of health care learn under
supervision to practice or improve their skills as health care
providers.'' We clarify that medical rounds are considered treatment,
not health care operations.
Comment: A few commenters outlined the need to include the training
of non-health care professionals, such as health data analysts,
administrators, and computer programmers within the definition of
health care operations. It was argued that, in many cases, these
professionals perform functions which support treatment and payment and
will need access to protected health information in order to carry out
their responsibilities.
Response: We agree and expand the definition of health care
operations to include training of non-health care professionals.
Comment: One commenter stated that the definition did not
explicitly include physician credentialing and peer review.
Response: We have revised the definition to specifically include
``licensing or credentialing activities.'' In addition, peer review
activities are captured in the definition as reviewing the competence
or qualifications of health care professionals and evaluating
practitioner and provider performance.
Health Oversight Agency
Comment: Some commenters sought to have specific organizations
defined as health oversight agencies. For example, some commenters
asked that the regulation text, rather than the preamble, explicitly
list state insurance departments as an example of health oversight
agencies. Medical device manufacturers recommended expanding the
definition to include government contractors such as coding committees,
which provide data to HCFA to help the agency make reimbursement
decisions.
One federal agency sought clarification that several of its sub-
agencies were oversight agencies; it was concerned about its status in
part because the agency fits into more than one of the categories of
health oversight agency listed in the proposed rule.
Other commenters recommended expanding the definition of oversight
agency to include private-sector accreditation organizations. One
commenter recommended stating in the final rule that private companies
providing information to insurers and employers are not included in the
definition of health oversight agency.
Response: Because the range of health oversight agencies is so
broad, we do not include specific examples in the definition. We
include many examples in the preamble above and provide further clarity
here.
As under the NPRM, state insurance departments are an example of a
health oversight agency. A commenter concerned about state trauma
registries did not describe the registries' activities or legal
charters, so we cannot clarify whether such registries may be health
oversight agencies. Government contractors such as coding committees,
which provide data to HCFA to support payment processes, are not
thereby health oversight agencies under this rule. We clarify that
public agencies may fit into more than one category of health oversight
agency.
The definition of health oversight agency does not include private-
sector accreditation organizations. While their work can promote
quality in the health care delivery system, private accreditation
organizations are not authorized by law to oversee the health care
system or government programs in which health information is necessary
to determine eligibility or compliance, or to enforce civil rights laws
for which health information is relevant. Under the final rule, we
consider private accrediting groups to be performing a health care
operations function for covered entities. Thus, disclosures to private
accrediting organizations are
[[Page 82611]]
disclosures for health care operations, not for oversight purposes.
When they are performing accreditation activities for a covered
entity, private accrediting organizations will meet the definition of
business associate, and the covered entity must enter into a business
associate contract with the accrediting organization in order to
disclose protected health information. This is consistent with current
practice; today, accrediting organizations perform their work pursuant
to contracts with the accredited entity. This approach is also
consistent with the recommendation by the Joint Commission on
Accreditation of Healthcare Organizations and the National Committee
for Quality Assurance, which stated in their report titled Protecting
Personal Health Information: A Framework for Meeting the Challenges in
a Managed Care Environment (1998) that ``Oversight organizations,
including accrediting bodies, states, and federal agencies, should
include in their contracts terms that describe their responsibility to
maintain the confidentiality of any personally identifiable health
information that they review.''
We agree with the commenter who believed that private companies
providing information to insurers and employers are not performing an
oversight function; the definition of health oversight agency does not
include such companies.
In developing and clarifying the definition of health oversight in
the final rule, we seek to achieve a balance in accounting for the full
range of activities that public agencies may undertake to perform their
health oversight functions while establishing clear and appropriate
boundaries on the definition so that it does not become a catch-all
category that public and private agencies could use to justify any
request for information.
Individual
Comment: A few commenters stated that foreign military and
diplomatic personnel, and their dependents, and overseas foreign
national beneficiaries, should not be excluded from the definition of
``individual.''
Response: We agree with concerns stated by commenters and eliminate
these exclusions from the definition of ``individual'' in the final
rule. Special rules for use and disclosure of protected health
information about foreign military personnel are stated in
Sec. 164.512(k). Under the final rule, protected health information
about diplomatic personnel is not accorded special treatment. While the
exclusion of overseas foreign national beneficiaries has been deleted
from the definition of ``individual,'' we have revised Sec. 164.500 to
indicate that the rule does not apply to the Department of Defense or
other federal agencies or non-governmental organizations acting on its
behalf when providing health care to overseas foreign national
beneficiaries. This means that the rule will not cover any health
information created incident to the provision of health care to foreign
nationals overseas by U.S. sponsored missions or operations. (See
Sec. 164.500 and its corresponding preamble for details and the
rationale for this policy.)
Comment: Several commenters expressed concern about the
interrelationship of the definition of ``individual'' and the two year
privacy protection for deceased persons.
Response: In the final rule, we eliminate the two year limit on
privacy protection for protected health information about deceased
individuals and require covered entities to comply with the
requirements of the rule with respect to the protected health
information of deceased individuals as long as they hold such
information. See discussion under Sec. 164.502.
Individually Identifiable Health Information
Comment: A number of commenters suggested that HHS revise the
definitions of health information and individually identifiable health
information to include consistent language in paragraph (1) of each
respective definition. They observed that paragraph (1) of the
definition of health information reads: ``(1) Is created or received by
a health care provider, health plan, public health authority, employer,
life insurer, school or university, or health care clearinghouse * *
*;'' in contrast to paragraph (1) of the definition of individually
identifiable health information, which reads: ``(1) Is created by or
received from a health care provider, health plan, employer, or health
care clearinghouse * * *'' [Emphasis added.]
Another commenter asked that we delete from the definition of
health information, the words ``health or'' to make the definition more
consistent with the definition of ``health care,'' as well as the words
``whether oral or.''
Response: We define these terms in the final rule as they are
defined by Congress in sections 1171(4) and 1171(6) of the Act,
respectively. We have, however, changed the word ``from'' in the
definition of ``individually identifiable health information'' to
conform to the statute.
Comment: Several commenters urged that the definition of
individually identifiable health information include information
created or received by a researcher. They reasoned that it is important
to ensure that researchers using personally identifiable health
information are subject to federal privacy standards. They also stated
that if information created by a school regarding the health status of
its students could be labeled ``health information,'' then information
compiled by a clinical researcher regarding an individual also should
be considered health information.
Response: We are restricted to the statutory limits of the terms.
The Congress did not include information created or received by a
researcher in either definition, and, consequently, we do not include
such language in the rule's definitions.
Comment: Several commenters suggested modifying the definition of
individually identifiable health information to state as a condition
that the information provide a direct means of identifying the
individual. They commented that the rule should support the need of
those (e.g., researchers) who need ``ready access to health information
* * * that remains linkable to specific individuals.''
Response: The Congress included in the statutory definition of
individually identifiable health information the modifier ``reasonable
basis'' when describing the condition for determining whether
information can be used to identify the individual. Congress thus
intended to go beyond ``direct'' identification and to encompass
circumstances in which a reasonable likelihood of identification
exists. Even after removing ``direct'' or ``obvious'' identifiers of
information, a risk or probability of identification of the subject of
the information may remain; in some instances, the risk will not be
inconsequential. Thus, we agree with the Congress that ``reasonable
basis'' is the appropriate standard to adequately protect the privacy
of individuals' health information.
Comment: A number of commenters suggested that the Secretary
eliminate the distinction between protected health information and
individually identifiable health information. One commenter asserted
that all individually identifiable health information should be
protected. One commenter observed that the terms individually
identifiable health information and protected health information are
defined differently in the rule and requested clarification as to the
precise scope of coverage of the standards. Another commenter stated
[[Page 82612]]
that the definition of individually identifiable health information
includes ``employer,'' whereas protected health information pertains
only to covered entities for which employers are not included. The
commenter argued that this was an ``incongruity'' between the
definitions of individually identifiable health information and
protected health information and recommended that we remove
``employer'' from the definition of individually identifiable health
information.
Response: We define individually identifiable health information in
the final rule generally as it is defined by Congress in section
1171(6) of the Act. Because ``employer'' is included in the statutory
definition, we cannot accept the comment to remove the word
``employer'' from the regulatory definition.
We use the phrase `protected health information' to distinguish
between the individually identifiable health information that is used
or disclosed by the entities that are subject to this rule and the
entire universe of individually identifiable health information.
`Individually identifiable health information' as defined in the
statute is not limited to health information used or disclosed by
covered entities, so the qualifying phrase `protected health
information' is necessary to define that individually identifiable
health information to which this rule applies.
Comment: One commenter noted that the definition of individually
identifiable health information in the NPRM appeared to be the same
definition used in the other HIPAA proposed rule, Security and
Electronic Signature Standards (63 FR 43242). However, the commenter
stated that the additional condition in the privacy NPRM, that
protected health information is or has been electronically transmitted
or electronically maintained by a covered entity and includes such
information in any other form, appears to create potential disparity
between the requirements of the two rules. The commenter questioned
whether the provisions in proposed Sec. 164.518(c) were an attempt to
install similar security safeguards for such situations.
Response: The statutory definition of individually identifiable
health information applies to the entire Administrative Simplification
subtitle of HIPAA and, thus, was included in the proposed Security
Standards. At this time, however, the final Security Standards have not
been published, so the definition of protected health information is
relevant only to HIPAA's privacy standards and is, therefore, included
in subpart E of part 164 only. We clarify that the requirements in the
proposed Security Standards are distinct and separate from the privacy
safeguards promulgated in this final rule.
Comment: Several commenters expressed confusion and requested
clarification as to what is considered health information or
individually identifiable health information for purposes of the rule.
For example, one commenter was concerned that information exists in
collection agencies, credit bureaus, etc., which could be included
under the proposed regulation but may or may not have been originally
obtained by a covered entity. The commenter noted that generally this
information is not clinical, but it could be inferred from the data
that a health care provider provided a person or member of person's
family with health care services. The commenter urged the Secretary to
define more clearly what and when information is covered.
One commenter queried how a non-medical record keeper could tell
when personal information is health information within the meaning of
rule, e.g., when a worker asks for a low salt meal in a company
cafeteria, when a travel voucher of an employee indicates that the
traveler returned from an area that had an outbreak of fever, or when
an airline passenger requests a wheel chair. It was suggested that the
rule cover health information in the hands of schools, employers, and
life insurers only when they receive individually identifiable health
information from a covered entity or when they create it while
providing treatment or making payment.
Response: This rule applies only to individually identifiable
health information that is held by a covered entity. Credit bureaus,
airlines, schools, and life insurers are not covered entities, so the
information described in the above comments is not protected health
information. Similarly, employers are not covered entities under the
rule. Covered entities must comply with this regulation in their health
care capacity, not in their capacity as employers. For example,
information in hospital personnel files about a nurses' sick leave is
not protected health information under this rule.
Comment: One commenter recommended that the privacy of health
information should relate to actual medical records. The commenter
expressed concern about the definition's broadness and contended that
applying prescriptive rules to information that health plans hold will
not only delay processing of claims and coverage decisions, but
ultimately affect the quality and cost of care for health care
consumers.
Response: We disagree. Health information about individuals exists
in many types of records, not just the formal medical record about the
individual. Limiting the rule's protections to individually
identifiable health information contained in medical records, rather
than individually identifiable health information in any form, would
omit a significant amount of individually identifiable health
information, including much information in covered transactions.
Comment: One commenter voiced a need for a single standard for
individually identifiable health information and disability and
workers' compensation information; each category of information is
located in their one electronic data base, but would be subjected to a
different set of use and transmission rules.
Response: We agree that a uniform, comprehensive privacy standard
is desirable. However, our authority under the HIPAA is limited to
individually identifiable health information as it is defined in the
statute. The legislative history of HIPAA makes clear that workers'
compensation and disability benefits programs were not intended to be
covered by the rule. Entities are of course free to apply the
protections required by this rule to all health information they hold,
including the excepted benefits information, if they wish to do so (for
example, in order to reduce administrative burden).
Comment: Commenters recommended that the definition of individually
identifiable health information not include demographic information
that does not have any additional health, treatment, or payment
information with it. Another commenter recommended that protected
health information should not include demographic information at all.
Response: Congress explicitly included demographic information in
the statutory definition of this term, so we include such language in
our regulatory definition of it.
Comments: A number of commenters expressed concern about whether
references to personal information about individuals, such as ``John
Doe is fit to work as a pipe fitter * * *'' or ``Jane Roe can stand no
more than 2 hours * * *'', would be considered individually
identifiable health information. They argued that such ``fitness-to-
work'' and ``fitness for duty'' statements are not health care because
they do not reveal the type of
[[Page 82613]]
information (such as the diagnosis) that is detrimental to an
individual's privacy interest in the work environment.
Response: References to personal information such as those
suggested by the commenters could be individually identifiable health
information if the references were created or received by a health care
provider, health plan, employer, or health care clearinghouse and they
related to the past, present, or future physical or mental health or
condition, the provision of health care to an individual, or the past,
present, or future payment for the provision of health care to an
individual. Although these fitness for duty statements may not reveal a
diagnosis, they do relate to a present physical or mental condition of
an individual because they describe the individual's capacity to
perform the physical and mental requirements of a particular job at the
time the statement is made (even though there may be other non-health-
based qualifications for the job). If these statements were created or
received by one of more of the entities described above, they would be
individually identifiable health information.
Law Enforcement Official
Comment: Some commenters, particularly those representing health
care providers, expressed concern that the proposed definition of ``law
enforcement official'' could have allowed many government officials
without health care oversight duties to obtain access to protected
health information without patient consent.
Response: We do not intend for the definition of ``law enforcement
official'' to be limited to officials with responsibilities directly
related to health care. Law enforcement officials may need protected
health information for investigations or prosecutions unrelated to
health care, such as investigations of violent crime, criminal fraud,
or crimes committed on the premises of health care providers. For these
reasons, we believe it is not appropriate to limit the definition of
``law enforcement official'' to persons with responsibilities of
oversight of the health care system.
Comment: A few commenters expressed concern that the proposed
definition could include any county or municipal official, even those
without traditional law enforcement training.
Response: We do not believe that determining training requirements
for law enforcement officials is appropriately within the purview of
this regulation; therefore, we do not make the changes that these
commenters requested.
Comment: Some commenters, particularly those from the district
attorney community, expressed general concern that the proposed
definition of ``law enforcement official'' was too narrow to account
for the variation in state interpretations of law enforcement
officials' power. One group noted specifically that the proposed
definition could have prevented prosecutors from gaining access to
needed protected health information.
Response: We agree that protected health information may be needed
by law enforcement officials for both investigations and prosecutions.
We did not intend to exclude the prosecutorial function from the
definition of ``law enforcement official,'' and accordingly we modify
the definition of law enforcement official to reflect their involvement
in prosecuting cases. Specifically, in the final rule, we define law
enforcement official as an official of any agency or authority of the
United States, a state, a territory, a political subdivision of a state
or territory, or an Indian tribe, who is empowered by law to: (1)
Investigate or conduct an inquiry into a potential violation of law; or
(2) prosecute or otherwise conduct a criminal, civil, or administrative
proceeding arising from an alleged violation of law.
Comment: One commenter recommended making the definition of law
enforcement official broad enough to encompass Medicaid program
auditors, because some matters requiring civil or criminal law
enforcement action are first identified through the audit process.
Response: We disagree. Program auditors may obtain protected health
information necessary for their audit functions under the oversight
provision of this regulation (Sec. 164.512(d)).
Comment: One commenter suggested that the proposed definition of
``law enforcement official'' could be construed as limited to
circumstances in which an official ``knows'' that law has been
violated. This commenter was concerned that, because individuals are
presumed innocent and because many investigations, such as random
audits, are opened without an agency knowing that there is a violation,
the definition would not have allowed disclosure of protected health
information for these purposes. The commenter recommended modifying the
definition to include investigations into ``whether'' the law has been
violated.
Response: We do not intend for lawful disclosures of protected
health information for law enforcement purposes to be limited to those
in which a law enforcement official knows that law has been violated.
Accordingly, we revise the definition of ``law enforcement official''
to include investigations of ``potential'' violations of law.
Marketing
Comments related to ``marketing'' are addressed in the responses to
comments regarding Sec. 164.514(e).
Payment
Comment: One commenter urged that the Department not permit
protected health information to be disclosed to a collection agency for
collecting payment on a balance due on patient accounts. The commenter
noted that, at best, such a disclosure would only require the patient's
and/or insured's address and phone number.
Response: We disagree. A collection agency may require additional
protected health information to investigate and assess payment disputes
for the covered entity. For example, the collection agency may need to
know what services the covered entity rendered in order to resolve
disputes about amounts due. The information necessary may vary,
depending on the nature of the dispute. Therefore we do not specify the
information that may be used or disclosed for collection activities.
The commenter's concern may be addressed by the minimum necessary
requirements in Sec. 164.514. Under those provisions, when a covered
entity determines that a collection agency only requires limited
information for its activities, it must make reasonable efforts to
limit disclosure to that information.
Comment: A number of commenters supported retaining the expansive
definition in the proposed rule so that current methods of
administering the claims payment process would not be hindered by
blocking access to protected health information.
Response: We agree and retain the proposed overall approach to the
definition.
Comment: Some commenters argued that the definition of ``payment''
should be narrowly interpreted as applying only to the individual who
is the subject of the information.
Response: We agree with the commenter and modify the definition to
clarify that payment activities relate to the individual to whom health
care is provided.
Comment: Another group of commenters asserted that the doctor-
patient relationship was already being interfered with by the current
practices of managed care. For example, it was argued that the
definition expanded the
[[Page 82614]]
power of government and other third party ``payors,'' turning them into
controllers along with managed care companies. Others stated that
activities provided for under the definition occur primarily to fulfill
the administrative function of managed health plans and that an
individual's privacy is lost when his or her individually identifiable
health information is shared for administrative purposes.
Response: Activities we include in the definition of payment
reflect core functions through which health care and health insurance
services are funded. It would not be appropriate for a rule about
health information privacy to hinder mechanisms by which health care is
delivered and financed. We do not through this rule require any health
care provider to disclose protected health information to governmental
or other third party payors for the activities listed in the payment
definition. Rather, we allow these activities to occur, subject to and
consistent with the requirements of this rule.
Comment: Several commenters requested that we expand the definition
to include ``coordination of benefits'' as a permissible activity.
Response: We agree and modify the definition accordingly.
Comment: A few commenters raised concerns that the use of ``medical
data processing'' was too restrictive. It was suggested that a broader
reference such as ``health related'' data processing would be more
appropriate.
Response: We agree and modify the definition accordingly.
Comment: Some commenters suggested that the final rule needed to
clarify that drug formulary administration activities are payment
related activities.
Response: While we agree that uses and disclosures of protected
health information for drug formulary administration and development
are common and important activities, we believe these activities are
better described as health care operations and that these activities
come within that definition.
Comment: Commenters asked that the definition include calculation
of prescription drug costs, drug discounts, and maximum allowable costs
and copayments.
Response: Calculations of drug costs, discounts, or copayments are
payment activities if performed with respect to a specific individual
and are health care operations if performed in the aggregate for a
group of individuals.
Comment: We were urged to specifically exclude ``therapeutic
substitution'' from the definition.
Response: We reject this suggestion. While we understand that there
are policy concerns regarding therapeutic substitution, those policy
concerns are not primarily about privacy and thus are not appropriately
addressed in this regulation.
Comment: A few commenters asked that patient assistance programs
(PAPS) should be excluded from the definition of payment. Such programs
are run by or on behalf of manufacturers and provide free or discounted
medications to individuals who could not afford to purchase them.
Commenters were concerned that including such activities in the
definition of payment could harm these programs.
For example, a university school of pharmacy may operate an
outreach program and serve as a clearinghouse for information on
various pharmaceutical manufacturer PAPS. Under the program state
residents can submit a simple application to the program (including
medication regimen and financial information), which is reviewed by
program pharmacists who study the eligibility criteria and/or directly
call the manufacturer's program personnel to help evaluate eligibility
for particular PAPS. The program provides written guidance to the
prescribing physicians that includes a suggested approach for helping
their indigent patients obtain the medications that they need and
enrollment information for particular PAPS.
Response: We note that the concerns presented are not affected by
definition of ``payment.'' The application of this rule to patient
assistance programs activities will depend on how the individual
programs operate and are affected primarily by the definition of
treatment. Each of these programs function differently, so it is not
possible to state a blanket rule for whether and how the rule affects
such programs.
Under the example provided, the physician who contacts the program
on behalf of a patient is managing the patient's care. If the provider
is also a covered entity, he or she would be permitted to make such a
``treatment'' disclosure of protected health information if a general
consent had been obtained from the patient. Depending on the particular
facts, the manufacturer, by providing the prescription drugs for an
individual, could also be providing health care under this rule. Even
so, however, the manufacturer may or may not be a covered entity,
depending on whether or not it engages in any of the standard
electronic transactions (See the definition of a covered entity). It
also may be an indirect treatment provider, since it may be providing
the product through another provider, not directly to the patient. In
this example, the relevant disclosures of protected health information
by any covered health care provider with a direct treatment
relationship with the patient would be permitted subject to the general
consent requirements of Sec. 164.506.
Whether and how this rule affects the school of pharmacy is equally
dependent on the specific facts. For example, if the school merely
provides a patient or a physician with the name of a manufacturer and a
contact phone number, it would not be functioning as a health care
provider and would not be subject to the rule. However, if the school
is more involved in the care of the individual, its activities could
come in within the definition of ``health care provider'' under this
rule.
Comment: Commenters pointed out that drugs may or may not be
``covered'' under a plan. Individuals, on the other hand, may or may
not be ``eligible'' for benefits under a plan. The definition should
incorporate both terms to clarify that determinations of both coverage
and eligibility are payment activities.
Response: We agree and modify the rule to include ``eligibility''.
Comment: Several commenters urged that ``concurrent and
retrospective review'' were significant utilization review activities
and should be incorporated.
Response: We agree and modify the definition accordingly.
Comment: Commenters noted that the proposed rule was not clear as
to whether protected health information could be used to resolve
disputes over coverage, including appeals or complaints regarding
quality of care.
Response: We modify the definition of payment to include resolution
of payment and coverage disputes; the final definition of payment
includes ``the adjudication * * * of health benefit claims.'' The other
examples provided by commenters, such as arranging, conducting, or
assistance with primary and appellate level review of enrollee coverage
appeals, also fall within the scope of adjudication of health benefits
claims. Uses and disclosures of protected health information to resolve
disputes over quality of care may be made under the definition of
``health care operations'' (see above).
Comment: Some commenters suggested that if an activity falls within
the scope of payment it should not be considered marketing. Commenters
supported an approach that would bar such an activity from being
construed as ``marketing'' even if performing that
[[Page 82615]]
activity would result in financial gain to the covered entity.
Response: We agree that the proposed rule did not clearly define
``marketing,'' leaving commenters to be concerned about whether payment
activities that result in financial gain might be considered marketing.
In the final rule we add a definition of marketing and clarify when
certain activities that would otherwise fall within that definition can
be accomplished without authorization. We believe that these changes
will clarify the distinction between marketing and payment and address
the concerns raised by commenters.
Comment: Commenters asserted that HHS should not include long-term
care insurance within the definition of ``health plan.'' If they are
included, the commenters argued that the definition of payment must be
modified to reflect the activities necessary to support the payment of
long-term care insurance claims. As proposed, commenters argued that
the definition of payment would not permit long term care insurers to
use and disclose protected health information without authorization to
perform functions that are ``compatible with and directly relate to * *
* payment'' of claims submitted under long term care policies.
Response: Long-term care policies, except for nursing home fixed-
indemnity policies, are defined as health plans by the statute (see
definition of ``health plan,'' above). We disagree with the assertion
that the definition of payment does not permit long term care insurers
to undertake these necessary activities. Processing of premium
payments, claims administration, and other activities suggested for
inclusion by the commenters are covered by the definition. The rule
permits protected health information to be used or disclosed by a
health plan to determine or fulfill its responsibility for provision of
benefits under the health plan.
Comment: Some commenters argued that the definition needs to be
expanded to include the functions of obtaining stop-loss and ceding
reinsurance.
Response: We agree that use and disclosure of protected health
information for these activities should be permitted without
authorization, but have included them under health care operation
rather than payment.
Comment: Commenters asked that the definition be modified to
include collection of accounts receivable or outstanding accounts.
Commenters raised concern that the proposed rule, without changes,
might unintentionally prevent the flow of information between medical
providers and debt collectors.
Response: We agree that the proposed definition of payment did not
explicitly provide for ``collection activities'' and that this
oversight might have impeded a covered entity's debt collection
efforts. We modify the regulatory text to add ``collection
activities.''
Comment: The preamble should clarify that self-insured group health
and workers' compensation plans are not covered entities or business
partners.
Response: The statutory definition of health plan does not include
workers' compensation products. See the discussion of ``health plan''
under Sec. 160.103 above.
Comment: Certain commenters explained that third party
administrators usually communicate with employees through Explanation
of Benefit (EOB) reports on behalf of their dependents (including those
who might not be minor children). Thus, the employee might be apprised
of the medical encounters of his or her dependents but not of medical
diagnoses unless there is an over-riding reason, such as a child
suspected of drug abuse due to multiple prescriptions. The commenters
urged that the current claim processing procedures be allowed to
continue.
Response: We agree. We interpret the definition of payment and, in
particular the term ``claims management,'' to include such disclosures
of protected health information.
Comment: One private company noted that pursuant to the proposed
Transactions Rule standard for payment and remittance advice, the ASC
X12N 835 can be used to make a payment, send a remittance advice, or
make a payment and send remittance advice by a health care payor and a
health care provider, either directly or through a designated financial
institution. Because a remittance advice includes diagnostic or
treatment information, several private companies and a few public
agencies believed that the proposed Transactions Rule conflicted with
the proposed privacy rule. Two health plans requested guidance as to
whether, pursuant to the ASC X12N 835 implementation guide, remittance
advice information is considered ``required'' or ``situational.'' They
sought guidance on whether covered entities could include benefits
information in payment of claims and transfer of remittance
information.
One commenter asserted that if the transmission of certain
protected health information were prohibited, health plans may be
required to strip remittance advice information from the ASC X12N 835
when making health care payments. It recommended modifying the proposed
rule to allow covered entities to provide banks or financial
institutions with the data specified in any transaction set mandated
under the Transactions Rule for health care claims payment.
Similarly, a private company and a state health data organization
recommended broadening the scope of permissible disclosures pursuant to
the banking section to include integrated claims processing
information, as contained in the ASC X12N 835 and proposed for adoption
in the proposed Transactions Rule; this transaction standard includes
diagnostic and treatment information. The company argued that inclusion
of diagnostic and treatment information in the data transmitted in
claims processing was necessary for comprehensive and efficient
integration in the provider's patient accounting system of data
corresponding with payment that financial institutions credit to the
provider's account.
A state health data organization recommended applying these rules
to financial institutions that process electronic remittance advice
pursuant to the Transactions Rule.
Response: The Transactions Rule was published August 17, 2000,
after the issuance of the privacy proposed rule. As noted by the
commenters, the ASC X12N 835 we adopted as the ``Health Care Payment
and Remittance Advice'' standard in the Transactions Rule has two
parts. They are the electronic funds transfer (EFT) and the electronic
remittance advice (ERA). The EFT part is optional and is the mechanism
that payors use to electronically instruct one financial institution to
move money from one account to another at the same or at another
financial institution. The EFT includes information about the payor,
the payee, the amount, the payment method, and a reassociation trace
number. Since the EFT is used to initiate the transfer of funds between
the accounts of two organizations, typically a payor to a provider, it
includes no individually identifiable health information, not even the
names of the patients whose claims are being paid. The funds transfer
information may also be transmitted manually (by check) or by a variety
of other electronic means, including various formats of electronic
transactions sent through a payment network, such as the Automated
Clearing House (ACH) Network.
The ERA, on the other hand, contains specific information about the
patients and the medical procedures for which
[[Page 82616]]
the money is being paid and is used to update the accounts receivable
system of the provider. This information is always needed to complete a
standard Health Care Payment and Remittance Advice transaction, but is
never needed for the funds transfer activity of the financial
institution. The only information the two parts of this transaction
have in common is the reassociation trace number.
Under the ASC X12N 835 standard, the ERA may be transmitted alone,
directly from the health plan to the health care provider and the
reassociation trace number is used by the provider to match the ERA
information with a specific payment conducted in some other way (e.g.,
EFT or paper check). The standard also allows the EFT to be transmitted
alone, directly to the financial institution that will initiate the
payment. It also allows both parts to be transmitted together, even
though the intended recipients of the two parts are different (the
financial institution and the provider). For example, this would be
done when the parties agree to use the ACH system to carry the ERA
through the provider's bank to the provider when it is more efficient
than sending the ERA separately through a different electronic medium.
Similarly, the ASC X12N 820 standard for premium payments has two
parts, an EFT part (identical to that of the 835) and a premium data
part containing identity and health information about the individuals
for whom health insurance premiums are being paid.
The transmission of both parts of the standards are payment
activities under this rule, and permitted subject to certain
restrictions. Because a financial institution does not require the
remittance advice or premium data parts to conduct funds transfers,
disclosure of those parts by a covered entity to it (absent a business
associate arrangement to use the information to conduct other
activities) would be a violation of this rule.
We note that additional requirements may be imposed by the final
Security Rule. Under the proposed Security Rule, the ACH system and
similar systems would have been considered ``open networks'' because
transmissions flow unpredictably through and become available to member
institutions who are not party to any business associate agreements (in
a way similar to the internet). The proposed Security Rule would
require any protected health information transferred through the ACH or
similar system to be encrypted.
Comment: A few commenters noted the Gramm-Leach-Bliley (GLB) Act
(Pub. L. 106-102) allows financial holding companies to engage in a
variety of business activities, such as insurance and securities,
beyond traditional banking activities. Because the term ``banking'' may
take on broader meaning in light of these changes, the commenter
recommended modifying the proposed rule to state that disclosure of
diagnostic and treatment information to banks along with payment
information would constitute a violation of the rule. Specifically, the
organization recommended clarifying in the final rule that the
provisions included in the proposed section on banking and payment
processes (proposed Sec. 164.510(i)) govern payment processes only and
that all activities of financial institutions that did not relate
directly to payment processes must be conducted through business
partner contracts. Furthermore, this group recommended clarifying that
if financial institutions act as payors, they will be covered entities
under the rule.
Response: We recognize that implementation of the GLB Act will
expand significantly the scope of activities in which financial holding
companies engage. However, unless a financial institution also meets
the definition of a ``covered entity,'' it cannot be a covered entity
under this rule.
We agree with the commenters that disclosure of diagnostic and
specific treatment information to financial institutions for many
banking and funds processing purposes may not be consistent with the
minimum necessary requirements of this final rule. We also agree with
the commenters that financial institutions are business associates if
they receive protected health information when they engage in
activities other than funds processing for covered entities. For
example, if a health care provider contracts with a financial
institution to conduct ``back office'' billing and accounts receivable
activities, we require the provider to enter into a business associate
contract with the institution.
Comment: Two commenters expressed support for the proposed rule's
approach to disclosure for banking and payment processes. On the other
hand, many other commenters were opposed to disclosure of protected
health information without authorization to banks. One commenter said
that no financial institution should have individually identifiable
health information for any reason, and it said there were technological
means for separating identity from information necessary for financial
transactions. Some commenters believed that implementation of the
proposed rule's banking provisions could lead banks to deny loans on
the basis of individuals' health information.
Response: We seek to achieve a balance between protecting patient
privacy and facilitating the efficient operation of the health care
system. While we agree that financial institutions should not have
access to extensive information about individuals' health, we recognize
that even the minimal information required for processing of payments
may effectively reveal a patient's health condition; for example, the
fact that a person has written a check to a provider suggests that
services were rendered to the person or a family member. Requiring
authorization for disclosure of protected health information to a
financial institution in order to process every payment transaction in
the health care system would make it difficult, if not impossible, for
the health care system to operate effectively. See also discussion of
section 1179 of the Act above.
Comment: Under the proposed rule, covered entities could have
disclosed the following information without consent to financial
institutions for the purpose of processing payments: (1) The account
holder's name and address; (2) the payor or provider's name and
address; (3) the amount of the charge for health services; (4) the date
on which services were rendered; (5) the expiration date for the
payment mechanism, if applicable (e.g., credit card expiration date);
and (6) the individual's signature. The proposed rule solicited
comments on whether additional data elements would be necessary to
process payment transactions from patients to covered entities.
One commenter believed that it was unnecessary to include this list
in the final rule, because information that could have been disclosed
under the proposed minimum necessary rule would have been sufficient to
process banking and payment information. Another private company said
that its extensive payment systems experience indicated that we should
avoid attempts to enumerate a list of information allowed to be
disclosed for banking and payment processing. Furthermore, the
commenter said, the proposed rule's list of information allowed to be
disclosed was not sufficient to perform the range of activities
necessary for the operation of modern electronic payment systems.
Finally, the commenter said, inclusion of specific data elements
allowed to be
[[Page 82617]]
disclosed for banking and payment processes rule would stifle
innovation in continually evolving payment systems. Thus, the commenter
recommended that in the final rule, we eliminate the minimum necessary
requirement for banking and payment processing and that we do not
include a list of specific types of information allowed to be disclosed
for banking and payment processes.
On the other hand, several other commenters supported applying the
minimum necessary standard to covered entities' disclosures to
financial institutions for payment processing. In addition, these
groups said that because financial institutions are not covered
entities under the proposed rule, they urged Congress to enact
comprehensive privacy legislation to limit financial institutions' use
and re-disclosure of the minimally necessary protected health
information they could receive under the proposed rule. Several of
these commenters said that, in light of the increased ability to
manipulate data electronically, they were concerned that financial
institutions could use the minimal protected health information they
received for making financial decisions. For example, one of these
commenters said that a financial institution could identify an
individual who had paid for treatment of domestic violence injuries and
subsequently could deny the individual a mortgage based on that
information.
Response: We agree with the commenters who were concerned that a
finite list of information could hamper systems innovation, and we
eliminate the proposed list of data items. However, we disagree with
the commenters who argued that the requirement for minimum necessary
disclosures not apply to disclosures to financial institution or for
payment activities. They presented no persuasive reasons why these
disclosures differ from others to which the standard applies, nor did
they suggest alternative means of protecting individuals' privacy.
Further, with elimination of the proposed list of items that may be
disclosed, it will be necessary to rely on the minimum necessary
disclosure requirement to ensure that disclosures for payment purposes
do not include information unnecessary for that purposes. In practice,
the following is the information that generally will be needed: the
name and address of the individual; the name and address of the payor
or provider; the amount of the charge for health services; the date on
which health services were rendered; the expiration date for the
payment mechanism, if applicable (i.e., credit card expiration date);
the individual's signature; and relevant identification and account
numbers.
Comment: One commenter said that the minimum necessary standard
would be impossible to implement with respect to information provided
on its standard payment claim, which, it said, was used by pharmacies
for concurrent drug utilization review and that was expected to be
adopted by HHS as the national pharmacy payment claim.
Two other commenters also recommended clarifying in the final rule
that pharmacy benefit cards are not considered a type of ``other
payment card'' pursuant to the rule's provisions governing payment
processes. These commenters were concerned that if pharmacy benefit
cards were covered by the rule's payment processing provisions, their
payment claim, which they said was expected to be adopted by HHS as the
national pharmacy payment claim, may have to be modified to comply with
the minimum necessary standard that would have been required pursuant
to proposed Sec. 164.510(i) on banking and payment processes. One of
these commenters noted that its payment claim facilitates concurrent
drug utilization review, which was mandated by Congress pursuant to the
Omnibus Budget Reconciliation Act of 1990 and which creates the real-
time ability for pharmacies to gain access to information that may be
necessary to meet requirements of this and similar state laws. The
commenter said that information on its standard payment claim may
include information that could be used to provide professional pharmacy
services, such as compliance, disease management, and outcomes
programs. The commenter opposed restricting such information by
applying the minimum necessary standard.
Response: We make an exception to the minimum necessary disclosure
provision of this rule for the required and situational data elements
of the standard transactions adopted in the Transactions Rule, because
those elements were agreed to through the ANSI-accredited consensus
development process. The minimum necessary requirements do apply to
optional elements in such standard transactions, because industry
consensus has not resulted in precise and unambiguous situation
specific language to describe their usage. This is particularly
relevant to the NCPDP standards for retail pharmacy transactions
referenced by these commenters, in which the current standard leaves
most fields optional. For this reason, we do not accept this
suggestion.
The term `payment card' was intended to apply to a debit or credit
card used to initiate payment transactions with a financial
institution. We clarify that pharmacy benefit cards, as well as other
health benefit cards, are used for identification of individual, plan,
and benefits and do not qualify as ``other payment cards.''
Comment: Two commenters asked the following questions regarding the
banking provisions of the proposed rule: (1) Does the proposed
regulation stipulate that disclosures to banks and financial
institutions can occur only once a patient has presented a check or
credit card to the provider, or pursuant to a standing authorization?;
and (2) Does the proposed rule ban disclosure of diagnostic or other
related detailed payment information to financial institutions?
Response: We do not ban disclosure of diagnostic information to
financial institutions, because some such information may be evident
simply from the name of the payee (e.g., when payment is made to a
substance abuse clinic). This type of disclosure, however, is permitted
only when reasonably necessary for the transaction (see requirements
for minimum necessary disclosure of protected health information, in
Sec. 164.502 and Sec. 164.514).
Similarly, we do not stipulate that such disclosure may be made
only once a patient has presented a check or credit card, because some
covered entities hire financial institutions to perform services such
as management of accounts receivables and other back office functions.
In providing such services to covered entities, the financial
institution will need access to protected health information. (In this
situation, the disclosure will typically be made under a business
associate arrangement that includes provisions for protection of the
information.)
Comment: One commenter was concerned that the proposed rule's
section on financial institutions, when considered in conjunction with
the proposed definition of ``protected health information,'' could have
been construed as making covered entities' disclosures of consumer
payment history information to consumer reporting agencies subject to
the rule. It noted that covered entities' reporting of payment history
information to consumer reporting agencies was not explicitly covered
by the proposed rule's provisions regarding disclosure of protected
health information without authorization. It was also concerned that
the proposed rule's minimum necessary standard could have been
interpreted to
[[Page 82618]]
prevent covered entities and their business partners from disclosing
appropriate and complete information to consumer reporting agencies. As
a result, it said, consumer reporting agencies might not be able to
compile complete consumer reports, thus potentially creating an
inaccurate picture of a consumer's credit history that could be used to
make future credit decisions about the individual.
Furthermore, this commenter said, the proposed rule could have been
interpreted to apply to any information disclosed to consumer reporting
agencies, thus creating the possibility for conflicts between the
rule's requirements and those of the Fair Credit Reporting Act. They
indicated that areas of potential overlap included: limits on
subsequent disclosures; individual access rights; safeguards; and
notice requirements.
Response: We have added to the definition of ``payment'' disclosure
of certain information to consumer reporting agencies. With respect to
the remaining concerns, this rule does not apply to consumer reporting
agencies if they are not covered entities.
Comment: Several commenters recommended prohibiting disclosure of
psychotherapy notes under this provision and under all of the sections
governing disclosure without consent for national priority purposes.
Response: We agree that psychotherapy notes should not be disclosed
without authorization for payment purposes, and the final rule does not
allow such disclosure. See the discussion under Sec. 164.508.
Protected Health Information
Comment: An overwhelmingly large number of commenters urged the
Secretary to expand privacy protection to all individually identifiable
health information, regardless of form, held or transmitted by a
covered entity. Commenters provided many arguments in support of their
position. They asserted that expanding the scope of covered information
under the rule would increase patient confidence in their health care
providers and the health care system in general. Commenters stated that
patients may not seek care or honestly discuss their health conditions
with providers if they do not believe that all of their health
information is confidential. In particular, many suggested that this
fear would be particularly strong with certain classes of patients,
such as persons with disabilities, who may be concerned about potential
discrimination, embarrassment or stigmatization, or domestic violence
victims, who may hide the real cause of their injuries.
In addition, commenters felt that a more uniform standard that
covered all records would reduce the complexity, burden, cost, and
enforcement problems that would result from the NPRM's proposal to
treat electronic and non-electronic records differently. Specifically,
they suggested that such a standard would eliminate any confusion
regarding how to treat mixed records (paper records that include
information that has been stored or transmitted electronically) and
would eliminate the need for health care providers to keep track of
which portions of a paper record have been (or will be) stored or
transmitted electronically, and which are not. Many of these commenters
argued that limiting the definition to information that is or has at
one time been electronic would result in different protections for
electronic and paper records, which they believe would be unwarranted
and give consumers a false sense of security. Other comments argued
that the proposed definition would cause confusion for providers and
patients and would likely cause difficulties in claims processing. Many
others complained about the difficulty of determining whether
information has been maintained or transmitted electronically. Some
asked us to explicitly list the electronic functions that are intended
to be excluded, such as voice mail, fax, etc. It was also recommended
that the definitions of ``electronic transmission'' and ``electronic
maintenance'' be deleted. It was stated that the rule may apply to many
medical devices that are regulated by the FDA. A commenter also
asserted that the proposal's definition was technically flawed in that
computers are also involved in analog electronic transmissions such as
faxes, telephone, etc., which is not the intent of the language. Many
commenters argued that limiting the definition to information that has
been electronic would create a significant administrative burden,
because covered entities would have to figure out how to apply the rule
to some but not all information.
Others argued that covering all individually identifiable health
information would eliminate any disincentives for covered entities to
convert from paper to computerized record systems. These commenters
asserted that under the proposed limited coverage, contrary to the
intent of HIPAA's administrative simplification standards, providers
would avoid converting paper records into computerized systems in order
to bypass the provisions of the regulation. They argued that treating
all records the same is consistent with the goal of increasing the
efficiency of the administration of health care services.
Lastly, in the NPRM, we explained that while we chose not to extend
our regulatory coverage to all records, we did have the authority to do
so. Several commenters agreed with our interpretation of the statute
and our authority and reiterated such statements in arguing that we
should expand the scope of the rule in this regard.
Response: We find these commenters' arguments persuasive and extend
protections to individually identifiable health information transmitted
or maintained by a covered entity in any form (subject to the exception
for ``education records'' governed by FERPA and records described at 20
U.S.C. 1232g(a)(4)(B)(iv)). We do so for the reasons described by the
commenters and in our NPRM, as well as because we believe that the
approach in the final rule creates a logical, consistent system of
protections that recognizes the dynamic nature of health information
use and disclosure in a continually shifting health care environment.
Rules that are specific to certain formats or media, such as
``electronic'' or ``paper,'' cannot address the privacy threats
resulting from evolving forms of data capture and transmission or from
the transfer of the information from one form to another. This approach
avoids the somewhat artificial boundary issues that stem from defining
what is and is not electronic.
In addition, we have reevaluated our reasons for not extending
privacy protections to all paper records in the NPRM and after review
of comments believe such justifications to be less compelling than we
originally thought. For example, in the NPRM, we explained that we
chose not to cover all paper records in order to focus on the public
concerns about health information confidentiality in electronic
communications, and out of concern that the potential additional burden
of covering all records may not be justified because of the lower
privacy risks presented by records that are in paper form only. As
discussed above however, a great many commenters asserted that dealing
with a mixture of protected and non-protected records is more
burdensome, and that public concerns over health information
confidentiality are not at all limited to electronic communications.
We note that medical devices in and of themselves, for example,
pacemakers, are not protected health information for purposes of this
regulation. However, information in or from the device may
[[Page 82619]]
be protected health information to the extent that it otherwise meets
the definition.
Comment: Numerous commenters argued that the proposed coverage of
any information other than that which is transmitted electronically
and/or in a HIPAA transaction exceeds the Secretary's authority under
section 264(c)(1) of HIPAA. The principal argument was that the initial
language in section 264(c)(1) (``If language governing standards with
respect to the privacy of individually identifiable health information
transmitted in connection with the transactions described in section
1173(a) of the Social Security Act * * * is not enacted by [August 21,
1999], the Secretary * * * shall promulgate final regulations
containing such standards* * * '') limits the privacy standards to
``information transmitted in connection with the [HIPAA]
transactions.'' The precise argument made by some commenters was that
the grant of authority is contained in the words ``such standards,''
and that the referent of that phrase was ``standards with respect to
the privacy of individually identifiable health information transmitted
in connection with the transactions described in section 1173(a)* *
*''.
Commenters also argued that this limitation on the Secretary's
authority is discernible from the statutory purpose statement at
section 261 of HIPAA, from the title to section 1173(a) (``Standards to
Enable Electronic Exchange''), and from various statements in the
legislative history, such as the statement in the Conference Report
that the ``Secretary would be required to establish standards and
modifications to such standards regarding the privacy of individually
identifiable health information that is in the health information
network.'' H. Rep. No. 104-736,104th Cong., 2d Sess., at 265. It was
also argued that extension of coverage beyond the HIPAA transactions
would be inconsistent with the underlying statutory trade-off between
facilitating accessibility of information in the electronic
transactions for which standards are adopted under section 1173(a) and
protecting that information through the privacy standards.
Other commenters argued more generally that the Secretary's
authority was limited to information in electronic form only, not
information in any other form. These comments tended to focus on the
statutory concern with regulating transactions in electronic form and
argued that there was no need to have the privacy standards apply to
information in paper form, because there is significantly less risk of
breach of privacy with respect to such information.
The primary justifications provided by commenters for restricting
the scope of covered individually identifiable health information under
the regulation were that such an approach would reduce the complexity,
burden, cost, and enforcement problems that would result from a rule
that treats electronic and non-electronic records differently; would
appropriately limit the rule's focus to the security risks that are
inherent in electronic transmission or maintenance of individually
identifiable health information; and would conform these provisions of
the rule more closely with their interpretation of the HIPAA statutory
language.
Response: We disagree with these commenters. We believe that
restricting the scope of covered information under the rule consistent
with any of the comments described above would generate a number of
policy concerns. Any restriction in the application of privacy
protections based on the media used to maintain or transmit the
information is by definition arbitrary, unrelated to the potential use
or disclosure of the information itself and therefore not responsive to
actual privacy risks. For example, information contained in a paper
record may be scanned and transmitted worldwide almost as easily as the
same information contained in an electronic claims transaction, but
would potentially not be protected.
In addition, application of the rule to only the standard
transactions would leave large gaps in the amount of health information
covered. This limitation would be particularly harmful for information
used and disclosed by health care providers, who are likely to maintain
a great deal of information never contained in a transaction.
We disagree with the arguments that the Secretary lacks legal
authority to cover all individually identifiable health information
transmitted or maintained by covered entities. The arguments raised by
these comments have two component parts: (1) That the Secretary's
authority is limited by form, to individually identifiable health
information in electronic form only; and (2) that the Secretary's
authority is limited by content, to individually identifiable health
information that is contained in what commenters generally termed the
``HIPAA transactions,'' i.e., information contained in a transaction
for which a standard has been adopted under section 1173(a) of the Act.
With respect to the issue of form, the statutory definition of
``health information'' at section 1171(4) of the Act defines such
information as ``any information, whether oral or recorded in any form
or medium'' (emphasis added) which is created or received by certain
entities and relates to the health condition of an individual or the
provision of health care to an individual (emphasis added).
``Individually identifiable health information'', as defined at section
1171(6) of the Act, is information that is created or received by a
subset of the entities listed in the definition of ``health
information'', relates to the same subjects as ``health information,''
and is, in addition, individually identifiable. Thus, ``individually
identifiable health information'' is, as the term itself implies, a
subset of ``health information.'' As ``health information,''
``individually identifiable health information'' means, among other
things, information that is ``oral or recorded in any form or medium.''
Therefore, the statute does not limit ``individually identifiable
health information'' to information that is in electronic form only.
With respect to the issue of content, the limitation of the
Secretary's authority to information in HIPAA transactions under
section 264(c)(1) is more apparent than real. While the first sentence
of section 264(c)(1) may be read as limiting the regulations to
standards with respect to the privacy of individually identifiable
health information ``transmitted in connection with the [HIPAA]
transactions,'' what that sentence in fact states is that the privacy
regulations must ``contain'' such standards, not be limited to such
standards. The first sentence thus sets a statutory minimum, first for
Congress, then for the Secretary. The second sentence of section
264(c)(1) directs that the regulations ``address at least the subjects
in subsection (b) (of section 264).'' Section 264(b), in turn, refers
only to ``individually identifiable health information'', with no
qualifying language, and refers back to subsection (a) of section 264,
which is not limited to HIPAA transactions. Thus, the first and second
sentences of section 264(c)(1) can be read as consistent with each
other, in which case they direct the issuance of privacy standards with
respect to individually identifiable health information. Alternatively,
they can be read as ambiguous, in which case one must turn to the
legislative history.
The legislative history of section 264 does not reflect the content
limitation of the first sentence of section 264(c)(1). Rather, the
Conference Report
[[Page 82620]]
summarizes this section as follows: ``If Congress fails to enact
privacy legislation, the Secretary is required to develop standards
with respect to privacy of individually identifiable health information
not later than 42 months from the date of enactment.'' Id., at 270.
This language indicates that the overriding purpose of section
264(c)(1) was to postpone the Secretary's duty to issue privacy
standards (which otherwise would have been controlled by the time
limits at section 1174(a)), in order to give Congress more time to pass
privacy legislation. A corollary inference, which is also supported by
other textual evidence in section 264 and Part C of title XI, is that
if Congress failed to act within the time provided, the original
statutory scheme was to kick in. Under that scheme, which is set out in
section 1173(e) of the House bill, the standards to be adopted were
``standards with respect to the privacy of individually identifiable
health information.'' Thus, the legislative history of section 264
supports the statutory interpretation underlying the rules below.
Comment: Many commenters were opposed to the rule covering specific
forms of communication or records that could potentially be considered
covered information, i.e., faxes, voice mail messages, etc. A subset of
these commenters took issue particularly with the inclusion of oral
communications within the scope of covered information. The commenters
argued that covering information when it takes oral form (e.g., verbal
discussions of a submitted claim) makes the regulation extremely costly
and burdensome, and even impossible to administer. Another commenter
also offered that it would make it nearly impossible to discuss health
information over the phone, as the covered entity cannot verify that
the person on the other end is in fact who he or she claims to be.
Response: We disagree. Covering oral communications is an important
part of keeping individually identifiable health information private.
If the final rule were not to cover oral communication, a conversation
about a person's protected health information could be shared with
anyone. Therefore, the same protections afforded to paper and
electronically based information must apply to verbal communication as
well. Moreover, the Congress explicitly included ``oral'' information
in the statutory definition of health information.
Comment: A few commenters supported, without any change, the
approach proposed in the NPRM to limit the scope of covered information
to individually identifiable health information in any form once the
information is transmitted or maintained electronically. These
commenters asserted that our statutory authority limited us
accordingly. Therefore, they believed we had proposed protections to
the extent possible within the bounds of our statutory authority and
could not expand the scope of such protections without new legislative
authority.
Response: We disagree with these commenters regarding the
limitations under our statutory authority. As explained above, we have
the authority to extend the scope of the regulation as we have done in
the final rule. We also note here that most of these commenters who
supported the NPRM's proposed approach, voiced strong support for
extending the scope of coverage to all individually identifiable health
information in any form, but concluded that we had done what we could
within the authority provided.
Comment: One commenter argued that the term ``transaction'' is
generally understood to denote a business matter, and that the NPRM
applied the term too broadly by including hospital directory
information, communication with a patient's family, researchers' use of
data and many other non-business activities.
Response: This comment reflects a misunderstanding of our use of
the term ``transaction.'' The uses and disclosures described in the
comment are not ``transactions'' as defined in Sec. 160.103. The
authority to regulate the types of uses and disclosures described is
provided under section 264 of Pub. L. 104-191. The conduct of the
activities noted by the commenters are not related to the determination
of whether a health care provider is a covered entity. We explain in
the preamble that a health care provider is a covered entity if it
transmits health information in electronic form in connection with
transactions referred to in section 1173(a)(1) of the Act.
Comment: A few commenters asserted that the Secretary has no
authority to regulate ``use'' of protected health information. They
stated that although section 264(b) mentions that the Secretary should
address ``uses and disclosures,'' no other section of HIPAA employs the
term ``use.''
Response: We disagree with these commenters. As they themselves
note, the authority to regulate use is given in section 264(b) and is
sufficient.
Comment: Some commenters requested clarification as to how certain
types of health information, such as photographs, faxes, X-Rays, CT-
scans, and others would be classified as protected or not under the
rule.
Response: All types of individually identifiable health information
in any form, including those described, when maintained or transmitted
by a covered entity are covered in the final rule.
Comment: A few commenters requested clarification with regard to
the differences between the definitions of individually identifiable
health information and protected health information.
Response: In expanding the scope of covered information in the
final rule, we have simplified the distinction between the two
definitions. In the final rule, protected health information is the
subset of individually identifiable health information that is
maintained or transmitted by covered entity, and thereby protected by
this rule. For additional discussion of protected health information
and individually identifiable health information, see the descriptive
summary of Sec. 164.501.
Comment: A few commenters remarked that the federal government has
no right to access or control any medical records and that HHS must get
consent in order to store or use any individually identifiable health
information.
Response: We understand the commenters' concern. It is not our
intent, nor do we through this rule create any government right of
access to medical records, except as needed to investigate possible
violations of the rule. Some government programs, such as Medicare, are
authorized under other law to gain access to certain beneficiary
records for administrative purposes. However, these programs are
covered by the rule and its privacy protections apply.
Comment: Some commenters asked us to clarify how schools would be
treated by the rule. Some of these commenters worried that privacy
would be compromised if schools were exempted from the provisions of
the final rule. Other commenters thought that school medical records
were included in the provisions of the NPRM.
Response: We agree with the request for clarification and provide
guidance regarding the treatment of medical records in schools in the
``Relationship to Other Federal Laws'' preamble discussion of FERPA,
which governs the privacy of education records.
Comment: One commenter was concerned that only some information
from a medical chart would be included as covered information. The
commenter was especially concerned that transcribed material might not
be considered covered information.
[[Page 82621]]
Response: As stated above, all individually identifiable health
information in any form, including transcribed or oral information,
maintained or transmitted by a covered entity is covered under the
provisions of the final rule.
Comment: In response to our solicitation of comments on the scope
of the definition of protected health information, many commenters
asked us to narrow the scope of the proposed definition to include only
information in electronic form. Others asked us to include only
information from the HIPAA standard transactions.
Response: For the reasons stated by the commenters who asked us to
expand the proposed definition, we reject these comments. We reject
these approaches for additional reasons, as well. Limiting the
protections to electronic information would, in essence, protect
information only as long as it remained in a computer or other
electronic media; the protections in the rule could be avoided simply
by printing out the information. This approach would thus result in the
illusion, but not the reality, of privacy protections. Limiting
protection to information in HIPAA transactions has many of the
problems in the proposed approach: it would fail to protect significant
amounts of health information, would force covered entities to figure
out which information had and had not been in such a transaction, and
could cause the administrative burdens the commenters feared would
result from protecting some but not all information.
Comment: A few commenters asserted that the definition of protected
health information should explicitly include ``genetic'' information.
It was argued that improper disclosure and use of such information
could have a profound impact on individuals and families.
Response: We agree that the definition of protected health
information includes genetic information that otherwise meets the
statutory definition. But we believe that singling out specific types
of protected health information for special mention in the regulation
text could wrongly imply that other types are not included.
Comment: One commenter recommended that the definition of protected
health information be modified to clarify that an entity does not
become a `covered entity' by providing a device to an individual on
which protected health information may be stored, provided that the
company itself does not store the individual's health information.''
Response: We agree with the commenter's analysis, but believe the
definition is sufficiently clear without a specific amendment to this
effect.
Comment: One commenter recommended that the definition be amended
to explicitly exclude individually identifiable health information
maintained, used, or disclosed pursuant to the Fair Credit Reporting
Act, as amended, 15 U.S.C. 1681. It was stated that a disclosure of
payment history to a consumer reporting agency by a covered entity
should not be considered protected health information. Another
commenter recommended that health information, billing information, and
a consumer's credit history be exempted from the definition because
this flow of information is regulated by both the Fair Credit Reporting
Act (FCRA) and the Fair Debt Collection Practices Act (FDCPA).
Response: We disagree. To the extent that such information meets
the definition of protected health information, it is covered by this
rule. These statutes are designed to protect financial, not health,
information. Further, these statutes primarily regulate entities that
are not covered by this rule, minimizing the potential for overlap or
conflict. The protections in this rule are more appropriate for
protecting health information. However, we add provisions to the
definition of payment which should address these concerns. See the
definition of `payment' in Sec. 164.501.
Comment: An insurance company recommended that the rule require
that medical records containing protected health information include a
notation on a cover sheet on such records.
Response: Since we have expanded the scope of protected health
information, there is no need for covered entities to distinguish among
their records, and such a notation is not needed. This uniform coverage
eliminates the mixed record problem and resultant potential for
confusion.
Comment: A government agency requested clarification of the
definition to address the status of information that flows through
dictation services.
Response: A covered entity may disclose protected health
information for transcription of dictation under the definition of
health care operations, which allows disclosure for ``general
administrative'' functions. We view transcription and clerical services
generally as part of a covered entity's general administrative
functions. An entity transcribing dictation on behalf of a covered
entity meets this rule's definition of business associate and may
receive protected health information under a business associate
contract with the covered entity and subject to the other requirements
of the rule.
Comment: A commenter recommended that information transmitted for
employee drug testing be exempted from the definition.
Response: We disagree that is necessary to specifically exclude
such information from the definition of protected health information.
If a covered entity is involved, triggering this rule, the employer may
obtain authorization from the individuals to be tested. Nothing in this
rule prohibits an employer from requiring an employee to provide such
an authorization as a condition of employment.
Comment: A few commenters addressed our proposal to exclude
individually identifiable health information in education records
covered by FERPA. Some expressed support for the exclusion. One
commenter recommended adding another exclusion to the definition for
the treatment records of students who attend institutions of post
secondary education or who are 18 years old or older to avoid confusion
with rules under FERPA. Another commenter suggested that the definition
exclude health information of participants in ``Job Corps programs'' as
it has for educational records and inmates of correctional facilities.
Response: We agree with the commenter on the potential for
confusion regarding records of students who attend post-secondary
schools or who are over 18, and therefore in the final rule we exclude
records defined at 20 U.S.C. 1232g(a)(4)(B)(iv) from the definition of
protected health information. For a detailed discussion of this change,
refer to the ``Relationship to Other Federal Laws'' section of the
preamble. We find no similar reason to exclude ``Job Corps programs''
from the requirements of this regulation.
Comment: Some commenters voiced support for the exclusion of the
records of inmates from the definition of protected health information,
maintaining that correctional agencies have a legitimate need to share
some health information internally without authorization between health
service units in various facilities and for purposes of custody and
security. Other commenters suggested that the proposed exclusion be
extended to individually identifiable health information: created by
covered entities providing services to inmates or detainees under
contract to such facilities; of ``former'' inmates; and of persons who
are in the custody of law enforcement officials, such as the United
States Marshals Service and local police agencies. They stated that
[[Page 82622]]
corrections and detention facilities must be able to share information
with law enforcement agencies such as the United States Marshals
Service, the Immigration and Naturalization Services, county jails, and
U.S. Probation Offices.
Another commenter said that there is a need to have access to
records of individuals in community custody and explained that these
individuals are still under the control of the state or local
government and the need for immediate access to records for inspections
and/or drug testing is necessary.
A number of commenters were opposed to the proposed exclusion to
the definition of protected health information, arguing that the
proposal was too sweeping. Commenters stated that while access without
consent is acceptable for some purposes, it is not acceptable in all
circumstances. Some of these commenters concurred with the sharing of
health care information with other medical facilities when the inmate
is transferred for treatment. These commenters recommended that we
delete the exception for jails and prisons and substitute specific
language about what information could be disclosed and the limited
circumstances or purposes for which such disclosures could occur.
Others recommended omission of the proposed exclusion entirely,
arguing that excluding this information from protection sends the
message that, with respect to this population, abuses do not matter.
Commenters argued that inmates and detainees have a right to privacy of
medical records and that individually identifiable health information
obtained in these settings can be misused, e.g., when communicated
indiscriminately, health information can trigger assaults on
individuals with stigmatized conditions by fellow inmates or detainees.
It can also lead to the denial of privileges, or inappropriately
influence the deliberations of bodies such as parole boards.
A number of commenters explicitly took issue with the exclusion
relative to individuals, and in particular youths, with serious mental
illness, seizure disorders, and emotional or substance abuse disorders.
They argued that these individuals come in contact with criminal
justice authorities as a result of behaviors stemming directly from
their illness and assert that these provisions will cause serious
problems. They argue that disclosing the fact that an individual was
treated for mental illness while incarcerated could seriously impair
the individual's reintegration into the community. Commenters stated
that such disclosures could put the individual or family members at
risk of discrimination by employers and in the community at large.
Some commenters asserted that the rule should be amended to
prohibit jails and prisons from disclosing private medical information
of individuals who have been discharged from these facilities. They
argued that such disclosures may seriously impair individuals'
rehabilitation into society and subject them to discrimination as they
attempt to re-establish acceptance in the community.
Response: We find commenters' arguments against a blanket exemption
from privacy protection for inmates persuasive. We agree health
information in these settings may be misused, which consequently poses
many risks to the inmate or detainee and in some cases, their families
as described above by the commenters. Accordingly, we delete this
exception from the definition of ``protected health information'' in
the final rule. The final rule considers individually identifiable
health information of individuals who are prisoners and detainees to be
protected health information to the extent that it meets the definition
and is maintained or transmitted by a covered entity.
At the same time, we agree with those commenters who explained that
correctional facilities have legitimate needs for use and sharing of
individually identifiable health information inmates without
authorization. Therefore, we add a new provision (Sec. 164.512(k)(5))
that permits a covered entity to disclose protected health information
about inmates without individual consent, authorization, or agreement
to correctional institutions for specified health care and other
custodial purposes. For example, covered entities are permitted to
disclose for the purposes of providing health care to the individual
who is the inmate, or for the health and safety of other inmates or
officials and employees of the facility. In addition, a covered entity
may disclose protected health information as necessary for the
administration and maintenance of the safety, security, and good order
of the institution. See the preamble discussion of the specific
requirements at Sec. 164.512(k)(5), as well as discussion of certain
limitations on the rights of individuals who are inmates with regard to
their protected health information at Secs. 164.506, 164.520, 164.524,
and 164.528.
We also provide the following clarifications. Covered entities that
provide services to inmates under contract to correctional institutions
must treat protected health information about inmates in accordance
with this rule and are permitted to use and disclose such information
to correctional institutions as allowed under Sec. 164.512(k)(5).
As to former inmates, the final rule considers such persons who are
released on parole, probation, supervised release, or are otherwise no
longer in custody, to be individuals who are not inmates. Therefore,
the permissible disclosure provision at Sec. 164.512(k)(5) does not
apply in such cases. Instead, a covered entity must apply privacy
protections to the protected health information about former inmates in
the same manner and to the same extent that it protects the protected
health information of other individuals. In addition, individuals who
are former inmates hold the same rights as all other individuals under
the rule.
As to individuals in community custody, the final rule considers
inmates to be those individuals who are incarcerated in or otherwise
confined to a correctional institution. Thus, to the extent that
community custody confines an individual to a particular facility,
Sec. 164.512(k)(5) is applicable.
Psychotherapy Notes
Comment: Some commenters thought the definition of psychotherapy
notes was contrary to standard practice. They claimed that reports of
psychotherapy are typically part of the medical record and that
psychologists are advised, for ethical reasons and liability risk
management purposes, not to keep two separate sets of notes. Others
acknowledged that therapists may maintain separate notations of therapy
sessions for their own purpose. These commenters asked that we make
clear that psychotherapy notes, at least in summary form, should be
included in the medical record. Many plans and providers expressed
concern that the proposed definition would encourage the creation of
``shadow'' records which may be dangerous to the patient and may
increase liability for the health care providers. Some commenters
claimed that psychotherapy notes contain information that is often
essential to treatment.
Response: We conducted fact-finding with providers and other
knowledgeable parties to determine the standard practice of
psychotherapists and determined that only some psychotherapists keep
separate files with notes pertaining to psychotherapy sessions. These
notes are often referred to as ``process notes,'' distinguishable from
``progress notes,'' ``the medical record,'' or ``official records.''
These process notes capture the therapist's
[[Page 82623]]
impressions about the patient, contain details of the psychotherapy
conversation considered to be inappropriate for the medical record, and
are used by the provider for future sessions. We were told that process
notes are often kept separate to limit access, even in an electronic
record system, because they contain sensitive information relevant to
no one other than the treating provider. These separate ``process
notes'' are what we are calling ``psychotherapy notes.'' Summary
information, such as the current state of the patient, symptoms,
summary of the theme of the psychotherapy session, diagnoses,
medications prescribed, side effects, and any other information
necessary for treatment or payment, is always placed in the patient's
medical record. Information from the medical record is routinely sent
to insurers for payment.
Comment: Various associations and their constituents asked that the
exceptions for psychotherapy notes be extended to health care
information from other health care providers. These commenters argued
that psychotherapists are not the only providers or even the most
likely providers to discuss sensitive and potentially embarrassing
issues, as treatment and counseling for mental health conditions, drug
abuse, HIV/AIDS, and sexual problems are often provided outside of the
traditional psychiatric settings. One writer stated, ``A prudent health
care provider will always assess the past and present psychiatric
medical history and symptoms of a patient.''
Many commenters believed that the psychotherapy notes should
include frequencies of treatment, results of clinical tests, and
summary of diagnosis, functional status, the treatment plan, symptoms,
prognosis and progress to date. They claimed that this information is
highly sensitive and should not be released without the individual's
written consent, except in cases of emergency. One commenter suggested
listing the types of mental health information that can be requested by
third party payors to make payment determinations and defining the
meaning of each term.
Response: As discussed above and in the NPRM, the rationale for
providing special protection for psychotherapy notes is not only that
they contain particularly sensitive information, but also that they are
the personal notes of the therapist, intended to help him or her recall
the therapy discussion and are of little or no use to others not
involved in the therapy. Information in these notes is not intended to
communicate to, or even be seen by, persons other than the therapist.
Although all psychotherapy information may be considered sensitive, we
have limited the definition of psychotherapy notes to only that
information that is kept separate by the provider for his or her own
purposes. It does not refer to the medical record and other sources of
information that would normally be disclosed for treatment, payment,
and health care operations.
Comment: One commenter was particularly concerned that the use of
the term ``counseling'' in the definition of psychotherapy notes would
lead to confusion because counseling and psychotherapy are different
disciplines.
Response: In the final rule, we continue to use the term
``counseling'' in the definition of ``psychotherapy.'' During our fact-
finding, we learned that ``counseling'' had no commonly agreed upon
definition, but seemed to be widely understood in practice. We do not
intend to limit the practice of psychotherapy to any specific
professional disciplines.
Comment: One commenter noted that the public mental health system
is increasingly being called upon to integrate and coordinate services
among other providers of mental health services and they have developed
an integrated electronic medical record system for state-operated
hospitals, part of which includes psychotherapy notes, and which cannot
be easily modified to provide different levels of confidentiality.
Another commenter recommended allowing use or disclosure of
psychotherapy notes by members of an integrated health care facility as
well as the originator.
Response: The final rule makes it clear that any notes that are
routinely shared with others, whether as part of the medical record or
otherwise, are, by definition, not psychotherapy notes, as we have
defined them. To qualify for the definition and the increased
protection, the notes must be created and maintained for the use of the
provider who created them i.e., the originator, and must not be the
only source of any information that would be critical for the treatment
of the patient or for getting payment for the treatment. The types of
notes described in the comment would not meet our definition for
psychotherapy notes.
Comment: Many providers expressed concern that if psychotherapy
notes were maintained separately from other protected health
information, other health providers involved in the individual's care
would be unable to treat the patient properly. Some recommended that if
the patient does not consent to sharing of psychotherapy notes for
treatment purposes, the treating provider should be allowed to decline
to treat the patient, providing a referral to another provider.
Response: The final rule retains the policy that psychotherapy
notes be separated from the remainder of the medical record in order to
receive additional protection. We based this decision on conversations
with mental health providers who have told us that information that is
critical to the treatment of individuals is normally maintained in the
medical record and that psychotherapy notes are used by the provider
who created them and rarely for other purposes. A strong part of the
rationale for the special treatment of psychotherapy notes is that they
are the personal notes of the treating provider and are of little or no
use to others who were not present at the session to which the notes
refer.
Comment: Several commenters requested that we clarify that the
information contained in psychotherapy notes is being protected under
the rule and not the notes themselves. They were concerned that the
protection for psychotherapy notes would not be meaningful if health
plans could demand the same information in a different format.
Response: This rule provides special protection for the information
in psychotherapy notes, but it does not extend that protection to the
same information that may be found in other locations. We do not
require the notes to be in a particular format, such as hand-written.
They may be typed into a word processor, for example. Copying the notes
into a different format, per se, would not allow the information to be
accessed by a health plan. However, the requirement that psychotherapy
notes be kept separate from the medical record and solely for the use
of the provider who created them means that the special protection does
not apply to the same information in another location.
Public Health Authority
Comment: A number of the comments called for the elimination of all
permissible disclosures without authorization, and some specifically
cited the public health section and its liberal definition of public
health authority as an inappropriately broad loophole that would allow
unfettered access to private medical information by various government
authorities.
Other commenters generally supported the provision allowing
disclosure to public health authorities and to non-governmental
entities
[[Page 82624]]
authorized by law to carry out public health activities. They further
supported the broad definition of public health authority and the
reliance on broad legal or regulatory authority by public health
entities although explicit authorities were preferable and better
informed the public.
Response: In response to comments arguing that the provision is too
broad, we note that section 1178(b) of the Act, as explained in the
NPRM, explicitly carves out protection for state public health laws.
This provision states that: ``[N]othing in this part shall be construed
to invalidate or limit the authority, power, or procedures established
under any law providing for the reporting of disease or injury, child
abuse, birth or death, public health surveillance, or public health
investigation or intervention.'' In light of this broad Congressional
mandate not to interfere with current public health practices, we
believe the broad definition of ``public health authority'' is
appropriate to achieve that end.
Comment: Some commenters said that they performed public health
activities in analyzing data and information. These comments suggested
that activities conducted by provider and health plan organizations
that compile and compare data for benchmarking performance, monitoring,
utilization, and determining the health needs of a given market should
be included as part of the public health exemption. One commenter
recommended amending the regulation to permit covered entities to
disclose protected health information to private organizations for
public health reasons.
Response: We disagree that such a change should be made. In the
absence of some nexus to a government public health authority or other
underlying legal authority, covered entities would have no basis for
determining which data collections are ``legitimate'' and how the
confidentiality of the information will be protected. In addition, the
public health functions carved out for special protection by Congress
are explicitly limited to those established by law.
Comment: Two commenters asked for additional clarification as to
whether the Occupational Safety and Health Administration (OSHA) and
the Mine Safety and Health Administration (MSHA) would be considered
public health authorities as indicated in the preamble. They suggested
specific language for the final rule. Commenters also suggested that we
specify that states operating OSHA-approved programs also are
considered public health authorities. One comment applauded the
Secretary's recognition of OSHA as both a health oversight agency and
public health authority. It suggested adding OSHA-approved programs
that operate in states to the list of entities included in these
categories. In addition, the comment requested the final regulation
specifically mention these entities in the text of the regulation as
well.
Response: We agree that OSHA, MSHA and their state equivalents are
public health authorities when carrying out their activities related to
the health and safety of workers. We do not specifically reference any
agencies in the regulatory definition, because the definition of public
health authority and this preamble sufficiently address this issue. As
defined in the final rule, the definition of ``public health
authority'' at Sec. 164.501 continues to include OSHA as a public
health authority. State agencies or authorities responsible for public
health matters as part of their official mandate, such as OSHA-approved
programs, also come within this definition. See discussion of
Sec. 164.512(b) below. We have refrained, however, from listing
specific agencies and have retained a general descriptive definition.
Comments: Several commenters recommended expanding the definition
of public health authority to encompass other governmental entities
that may collect and hold health data as part of their official duties.
One recommended changing the definition of public health authority to
read as follows: Public health authority means an agency or authority *
* * that is responsible for public health matters or the collection of
health data as part of its official mandate.
Response: We do not adopt this recommendation. The public health
provision is not intended to cover agencies that are not responsible
for public health matters but that may in the course of their
responsibilities collect health-related information. Disclosures to
such authorities may be permissible under other provision of this rule.
Comment: Many commenters asked us to include a formal definition of
``required by law'' incorporating the material noted in this preamble
and additional suggested disclosures.
Response: We agree generally and modify the definition accordingly.
See discussion above.
Research
Comment: We received many comments from supporting the proposed
definition of ``research.'' These commenters agreed that the definition
of ``research'' should be the same as the definition in the Common
Rule. These commenters argued that it was important that the definition
of ``research'' be consistent with the Common Rule's definition to
ensure the coherent oversight of medical research. In addition, some of
these commenters also supported this definition because they believed
it was already well-understood by researchers and provided reasonably
clear guidance needed to distinguish between research and health care
operations.
Some commenters, believed that the NPRM's definition was too
narrow. Several of these commenters agreed that the Common Rule's
definition should be adopted in the final rule, but argued that the
proposed definition of ``generalizable knowledge'' within the
definition of ``research,'' which limited generalizable knowledge to
knowledge that is ``related to health,'' was too narrow. For example,
one commenter stated that gun shot wound, spousal abuse, and other
kinds of information from emergency room statistics are often used to
conduct research with ramifications for social policy, but may not be
``related to health.'' Several of these commenters recommended that the
definition of research be revised to delete the words ``related to
health.'' Additional commenters who argued that the definition was too
narrow raised the following concerns: the difference between
``research'' and ``health care operations'' is irrelevant from the
patients' perspective, and therefore, the proposed rule should have
required documentation of approval by an IRB or privacy board before
protected health information could be used or disclosed for either of
these purposes, and the proposed definition was too limited because it
did not capture research conducted by non-profit entities to ensure
public health goals, such as disease-specific registries.
Commenters who argued that the definition was too broad recommended
that certain activities should be explicitly excluded from the
definition. In general, these commenters were concerned that if certain
activities were considered to be ``research'' the rule's research
requirements would represent a problematic level of regulation on
industry initiatives. Some activities that these commenters recommended
be explicitly excluded from the definition of ``research'' included:
marketing research, health and productivity management, quality
assessment and improvement activities, and internal research conducted
to improve health.
Response: We agree that the final rule's definition of ``research''
should be
[[Page 82625]]
consistent with the Common Rule's definition of this term. We also
agree that our proposal to limit ``generalizable knowledge'' to
knowledge that is ``related to health,'' and ``knowledge that could be
applied to populations outside of the population served by the covered
entity,'' was too narrow. Therefore, in the final rule, we retain the
Common Rule's definition of ``research'' and eliminate the further
elaboration of ``generalizable knowledge.'' We understand knowledge to
be generalizable when it can be applied to either a population inside
or outside of the population served by the covered entity. Therefore,
knowledge may be ``generalizable'' even if a research study uses only
the protected health information held within a covered entity, and the
results are generalizable only to the population served by the covered
entity. For example, generalizable knowledge could be generated from a
study conducted by the HCFA, using only Medicare data held by HCFA,
even if the knowledge gained from the research study is applicable only
to Medicare beneficiaries.
We rejected the other arguments claiming that the definition of
``research'' was either too narrow or too broad. While we agree that it
is sometimes difficult to distinguish between ``research'' and ``health
care operations,'' we disagree that the difference between these
activities is irrelevant from the patients' perspective. We believe,
based on many of the comments, that individuals expect that
individually identifiable health information about themselves will be
used for health care operations such as reviewing the competence or
qualifications of health care professionals, evaluating provider and
plan performance, and improving the quality of care. A large number of
commenters, however, indicated that they did not expect that
individually identifiable health information about themselves would be
used for research purposes without their authorization. Therefore, we
retain more stringent protections for research disclosures without
patient authorization.
We also disagree with the commenters who were concerned that the
proposed definition was too limited because it did not capture research
conducted by non-profit entities to ensure public health goals, such as
disease-specific registries. Such activities conducted by either non-
profit or for-profit entities could meet the rule's definition of
research, and therefore are not necessarily excluded from this
definition.
We also disagree with many of the commenters who argued that
certain activities should be explicitly excluded from the definition of
research. We found no persuasive evidence that, when particular
activities are also systematic investigations designed to contribute to
generalizable knowledge, they should be treated any different from
other such activities.
We are aware that the National Bioethics Advisory Commission (NBAC)
is currently assessing the Common Rule's definition of ``research'' as
part of a report they are developing on the implementation and adequacy
of the Common Rule. Since we agree that a consistent definition is
important to the conduct and oversight of research, if the Common
Rule's definition of ``research'' is modified in the future, the
Department of Health and Human Services will consider whether the
definition should also be modified for this subpart.
Comment: Some commenters urged the Department to establish precise
definitions for ``health care operations'' and ``research'' to provide
clear guidance to covered entities and adequate privacy protections for
the subjects of the information whose information is disclosed for
these purposes. One commenter supported the definition of ``research''
proposed in the NPRM, but was concerned about the ``crossover'' from
data analyses that begin as health care operations but later become
``research'' because the analytical results are of such importance that
they should be shared through publication, thereby contributing to
generalizable knowledge. To distinguish between the definitions of
``health care operations'' and ``research,'' a few commenters
recommended that the rule make this distinction based upon whether the
activity is a ``use'' or a ``disclosure.'' These commenters recommend
that the ``use'' of protected health information for research without
patient authorization should be exempt from the proposed research
provisions provided that protected health information was not disclosed
in the final analysis, report, or publication.
Response: We agree with commenters that at times it may be
difficult to distinguish projects that are health operations and
projects that are research. We note that this ambiguity exists today,
and disagree that we can address this issue with more precise
definitions of research and health care operations. Today, the issue is
largely one of intent. Under the Common Rule, the ethical and
regulatory obligations of the researcher stem from the intent of the
activity. We follow that approach here. If such a project is a
systematic investigation that designed to develop or contribute to
generalizable knowledge, it is considered to be ``research,'' not
``health care operations.''
In some instances, the primary purpose of the activity may change
as preliminary results are analyzed. An activity that was initiated as
an internal outcomes evaluation may produce information that could be
generalized. If the purpose of a study changes and the covered entity
does intend to generalize the results, the covered entity should
document the fact as evidence that the activity was not subject to
Sec. 164.512(i) of this rule.
We understand that for research that is subject to the Common Rule,
this is not the case. The Office for Human Research Protection
interprets 45 CFR part 46 to require IRB review as soon as an activity
meets the definition of research, regardless of whether the activity
began as ``health care operations'' or ``public health,'' for example.
The final rule does not affect the Office of Human Research
Protection's interpretation of the Common Rule.
We were not persuaded that an individual's privacy interest is of
less concern when covered entities use protected health information for
research purposes than when covered entities disclose protected health
information for research purposes. We do not agree generally that
internal activities of covered entities do not potentially compromise
the privacy interests of individuals. Many persons within a covered
entity may have access to protected health information. When the
activity is a systematic investigation, the number of persons who may
be involved in the records review and analysis may be substantial. We
believe that IRB or privacy board approval of the waiver of
authorization will provide important privacy protections to individuals
about whom protected health information is used or disclosed for
research. If a covered entity wishes to use protected health
information about its enrollees for research purposes, documentation of
an IRBs' or privacy board's assessment of the privacy impact of such a
use is as important as if the same research study required the
disclosure of protected health information. This conclusion is
consistent with the Common Rule's requirement for IRB review of all
human subjects research.
Treatment
Comment: Some commenters advocated for a narrow interpretation of
[[Page 82626]]
treatment that applies only to the individual who is the subject of the
information. Other commenters asserted that treatment should be broadly
defined when activities are conducted by health care providers to
improve or maintain the health of the patient. A broad interpretation
may raise concerns about potential misuse of information, but too
limited an interpretation will limit beneficial activities and further
contribute to problems in patient compliance and medical errors.
Response: We find the commenters' arguments for a broad definition
of treatment persuasive. Today, health care providers consult with one
another, share information about their experience with particular
therapies, seek advice about how to handle unique or challenging cases,
and engage in a variety of other discussions that help them maintain
and improve the quality of care they provide. Quality of care improves
when providers exchange information about treatment successes and
failures. These activities require sharing of protected health
information. We do not intend this rule to interfere with these
important activities. We therefore define treatment broadly and allow
use and disclosure of protected health information about one individual
for the treatment of another individual.
Under this definition, only health care providers or a health care
provider working with a third party can perform treatment activities.
In this way, we temper the breadth of the definition by limiting the
scope of information sharing. The various codes of professional ethics
also help assure that information sharing among providers for treatment
purposes will be appropriate.
We note that poison control centers are health care providers for
purposes of this rule. We consider the counseling and follow-up
consultations provided by poison control centers with individual
providers regarding patient outcomes to be treatment. Therefore, poison
control centers and other health care providers can share protected
health information about the treatment of an individual without a
business associate contract.
Comment: Many commenters suggested that ``treatment'' activities
should include services provided to both a specific individual and
larger patient populations and therefore urged that the definition of
treatment specifically allow for such activities, sometimes referred to
as ``disease management'' activities. Some argued that an analysis of
an overall population is integral to determining which individuals
would benefit from disease management services. Thus, an analysis of
health care claims for enrolled populations enables proactive contact
with those identified individuals to notify them of the availability of
services. Certain commenters noted that ``disease management'' services
provided to their patient populations, such as reminders about
recommended tests based on nationally accepted clinical guidelines, are
integral components of quality health care.
Response: We do not agree that population based services should be
considered treatment activities. The definition of ``treatment'' is
closely linked to the Sec. 160.103 definition of ``health care,'' which
describes care, services and procedures related to the health of an
individual. The activities described by ``treatment,'' therefore, all
involve health care providers supplying health care to a particular
patient. While many activities beneficial to patients are offered to
entire populations or involve examining health information about entire
populations, treatment involves health services provided by a health
care provider and tailored to the specific needs of an individual
patient. Although a population-wide analysis or intervention may prompt
a health care provider to offer specific treatment to an individual, we
consider the population-based analyses to improve health care or reduce
health care costs to be health care operations (see definition of
``health care operations,'' above).
Comment: A number of commenters requested clarification about
whether prescription drug compliance management programs would be
considered ``treatment.'' One commenter urged HHS to clarify that
provision by a pharmacy to a patient of customized prescription drug
information about the risks, benefits, and conditions of use of a
prescription drug being dispensed is considered a treatment activity.
Others asked that the final rule expressly recognize that prescription
drug advice provided by a dispensing pharmacist, such as a customized
pharmacy letter, is within the scope of treatment.
Response: The activities that are part of prescription drug
compliance management programs were not fully described by these
commenters, so we cannot state a general rule regarding whether such
activities constitute treatment. We agree that pharmacists' provision
of customized prescription drug information and advice about the
prescription drug being dispensed is a treatment activity. Pharmacists'
provisions of information and counseling about pharmaceuticals to their
customers constitute treatment, and we exclude certain communications
made in the treatment context from the definition of marketing. (See
discussion above.)
Comment: Some commenters noted the issues and recommendations
raised in the Institutes of Medicine report ``To Err Is Human'' and the
critical need to share information about adverse drug and other medical
events, evaluation of the information, and its use to prevent future
medical errors. They noted that privacy rules should not be so
stringent as to prohibit the sharing of patient data needed to reduce
errors and optimize health care outcomes. To bolster the notion that
other programs associated with the practice of pharmacy must be
considered as integral to the definition of health care and treatment,
they reference OBRA '90 (42 U.S.C. 1396r-8) and the minimum required
activities for dispensing drugs; they also note that virtually every
state Board of Pharmacy adopted regulations imposing OBRA'90
requirements on pharmacies for all patients and not just Medicaid
recipients.
Response: We agree that reducing medical errors is critical, and do
not believe that this regulation impairs efforts to reduce medical
errors. We define treatment broadly and include quality assessment and
improvement activities in the definition of health care operations.
Covered pharmacies may conduct such activities, as well as treatment
activities appropriate to improve quality and reduce errors. We believe
that respect for the privacy rights of individuals and appropriate
protection of the confidentiality of their health information are
compatible with the goal of reducing medical errors.
Comment: Some commenters urged us to clarify that health plans do
not perform ``treatment'' activities; some of these were concerned that
a different approach in this regulation could cause conflict with state
corporate practice of medicine restrictions. Some commenters believed
that the proposed definition of treatment crossed into the area of cost
containment, which would seem to pertain more directly to payment. They
supported a narrower definition that would eliminate any references to
third party payors. One commenter argued that the permissible
disclosure of protected health information to carry out treatment is
too broad for health plans and that health plans that have no
responsibility for treatment or care coordination should have no
authority to release health information without authorization for
treatment purposes.
Response: We do not consider the activities of third party payors,
including health plans, to be
[[Page 82627]]
``treatment.'' Only health care providers, not health plans, conduct
``treatment'' for purposes of this rule. A health plan may, however,
disclose protected health information without consent or authorization
for treatment purposes if that disclosure is made to a provider. Health
plans may have information the provider needs, for example information
from other providers or information about the patient's treatment
history, to develop an appropriate plan of care.
Comment: We received many comments relating to ``disease
management'' programs and whether activities described as disease
management should be included in the definition of treatment. One group
of commenters supported the proposed definition of treatment that
includes disease management. One commenter offered the position that
disease management services are more closely aligned with treatment
because they involve the coordination of treatment whereas health care
operations are more akin to financial and ministerial functions of
plans.
Some recommended that the definition of treatment be limited to
direct treatment of individual patients and not allow for sharing of
information for administrative or other programmatic reasons. They
believed that allowing disclosures for disease management opens a
loophole for certain uses and disclosures, such as marketing, that
should only be permitted with authorization. Others recommended that
the definition of disease management be restricted to prevent
unauthorized use of individual health records to target individuals in
a health plan or occupational health program. Many asked that the
definition of disease management be clarified to identify those
functions that, although some might consider them to be subsumed by the
term, are not permitted under this regulation without authorization,
such as marketing and disclosures of protected health information to
employers. They suggested that disease management may describe
desirable activities, but is subject to abuse and therefore should be
restricted and controlled. One commenter recommends that we adopt a
portion of the definition adopted by the Disease Management Association
of America in October 1999.
On the other hand, many comments urged that disease management be
part of the ``treatment'' definition or the ``health care operations''
definition and asked that specific activities be included in a
description of the term. They viewed disease management as important
element of comprehensive health care services and cost management
efforts. They recommended that the definition of disease management
include services directed at an entire population and not just
individual care, in order to identify individuals who would benefit
from services based on accepted clinical guidelines. They recommended
that disease management be included under health care operations and
include population level services. A commenter asserted that limiting
disease management programs to the definition of treatment ignores that
these programs extend beyond providers, especially since NCQA
accreditation standards strongly encourage plans and insurers to
provide these services.
Response: Disease management appeared to represent different
activities to different commenters. Our review of the literature,
industry materials, state and federal statutes,\6\ and discussions with
physician groups, health plan groups and disease management
associations confirm that a consensus definition from the field has not
yet evolved, although efforts are underway. Therefore, rather than rely
on this label, we delete ``disease management'' from the treatment
definition and instead include the functions often discussed as disease
management activities in this definition or in the definition of health
care operations and modify both definitions to address the commenters'
concerns.
---------------------------------------------------------------------------
\6\ Definition of Disease Management, October 1999 (from web
site of Disease Management Association of America (www.dmaa.org/definition.html) accessed May 21, 2000. Other references used for
our analysis include: Mary C. Gurnee, et al, Constructing Disease
Management Programs, Managed Care, June 1997, accessed at http://managedcaremag.com, 5/19/2000; Peter Wehrwein, Disease Management
Gains a Degree of Respectability, Managed Care, August 1997,
accessed at www.managedcaremag.com, 5/18/00; John M. Harris, Jr.,
disease management: New Wine in Old Bottles, 124 Annals of Internal
Medicine 838 (1996); Robert S. Epstein and Louis M. Sherwood, From
Outcomes research to disease management: A Guide for the Perplexed,
124 Annals of Internal Medicine 832 (1996); Anne Mason et al,
disease management, the Pharmaceutical Industry and the NHS, Office
of Health Economics (United Kingdom), accessed at www.ohe.org, 5/19/
2000; Thomas Bodenheimer, Disease Management--Promises and Pitfalls,
340 New Eng. J. Med, April 15, 1999, accessed at www.nejm.org, 4/20/
99; Bernard Lo and Ann Alpers, Uses and Abuses of Prescription Drug
information in pharmacy benefits Management Programs, 283 JAMA 801
(2000); Robert F. DeBusk, Correspondence, Disease Management, and
Regina E. Herzlinger, Correspondence, Disease Management, 341 New
Eng. J. Med, Sept 2, 1999, accessed 9/2/99; Letter, John A. Gans,
American Pharmaceutical Association, to Health Care Financing
Administration, Reference HCFA-3002-P, April 12, 1999, accessed at
www.aphanet.org, 1/18/2000; Ronald M. Davis, et al, Editorial,
Advances in Managing Chronic Disease, 320 BMJ 525 (2000), accessed
at www.bmj.com, 2/25/00; Thomas Bodenheimer, Education and Debate,
disease management in the American Market, 320 BMJ 563 (2000),
accessed at www.bmj.com, 2/25/2000; David J. Hunter, disease
management: has it a future?, 320 BMJ 530 (2000), accessed
www.bmj.com 2/25/2000; Trisha Greenhalgh, Commercial partnerships in
chronic disease management: proceeding with caution, 320 BMJ 566
(2000); Edmund X. DeJesus, disease management in a Warehouse,
Healthcare Informatics, September 1999, accessed at www.healthcare-informatics.com, 5/19/00; Regulation, 42 CFR 422.112,
Medicare+Choice Program, subpart C, Benefits and Beneficiary
Protections, sec. 422.112, Access to Services; and Arnold Chen, Best
Practices in Coordinated Care, Submitted by Mathematica Policy
Research, Inc., to Health Care Financing Administration, March 22,
2000.
---------------------------------------------------------------------------
We add population-based activities to improve health care or reduce
health care costs to the definition of health care operations. Outreach
programs as described by the commenter may be considered either health
care operations or treatment, depending on whether population-wide or
patient-specific activities occur, and if patient-specific, whether the
individualized communication with a patient occurs on behalf of health
care provider or a health plan. For example, a call placed by a nurse
in a doctor's office to a patient to discuss follow-up care is a
treatment activity. The same activity performed by a nurse working for
a health plan would be a health care operation. In both cases, the
database analysis that created a list of patients that would benefit
from the intervention would be a health care operation. Use or
disclosure of protected health information to provide education
materials to patients may similarly be either treatment or operations,
depending on the circumstances and on who is sending the materials. We
cannot say in the abstract whether any such activities constitute
marketing under this rule. See Secs. 164.501 and 164.514 for details on
what communications are marketing and when the authorization of the
individual may be required.
Comment: Many commenters were concerned that the definition of
treatment would not permit Third Party Administrators (TPAs) to be
involved with disease management programs without obtaining
authorization. They asserted that while the proposed definition of
treatment included disease management conducted by health care
providers it did not recognize the role of employers and TPAs in the
current disease management process.
Response: Covered entities disclose protected health information to
other persons, including TPAs, that they hire to perform services for
them or on their behalf. If a covered entity hires a TPA to perform the
disease management activities included in the rule's definitions of
treatment and health care operations that disclosure will not
[[Page 82628]]
require authorization. The relationship between the covered entity and
the TPA may be subject to the business associate requirements of
Secs. 164.502 and 164.504. Disclosures by covered entities to plan
sponsors, including employers, for the purpose of plan administration
are addressed in Sec. 164.504.
Comment: Commenters suggested that as disease management is defined
only as an element of treatment, it could only be carried out by health
care providers, and not health plans. They opposed this approach
because health plans also conduct such programs, and are indeed
required to do it by accreditation standards and HCFA Managed Care
Organization standards.
Response: We agree that the placement of disease management in the
proposed definition of treatment suggested that health plans could not
conduct such programs. We revise the final rule to clarify that health
plans may conduct population based care management programs as a health
care operation activity.
Comment: Some commenters stated that the rule should require that
disease management only be done with the approval of the treating
physician or at least with the knowledge of the physician.
Response: We disagree with this comment because we do not believe
that this privacy rule is an appropriate venue for setting policies
regarding the management of health care costs or treatment.
Comment: Some industry groups stated that if an activity involves
selling products, it is not disease management. They asked for a
definition that differentiates use of information for the best
interests of patient from uses undertaken for ``ulterior purposes''
such as advertising, marketing, or promoting separate products.
Response: We eliminate the definition of ``disease management''
from the rule. Often however, treatment decisions involve discussing
the relevant advantages and disadvantages of products and services.
Health plans, as part of payment and operations, sometimes communicate
with individuals about particular products and services. We address
these distinctions in the definitions of marketing and ``health care
operations'' in Sec. 164.501, and in the requirements for use and
disclosure of protected health information for marketing in
Sec. 164.514.
Comment: Some health care providers noted that there is a danger
that employers will ``force'' individual employees with targeted
conditions into self-care or compliance programs in ways that violate
both the employee's privacy interest and his or her right to control
own medical care.
Response: Employers are not covered entities under HIPAA, so we
cannot prohibit them under this rule from undertaking these or other
activities with respect to health information. In Sec. 164.504 we limit
disclosure of health information from group health plans to the
employers sponsoring the plans. However, other federal and/or state
laws, such as disability nondiscrimination laws, may govern the rights
of employees under such circumstances.
Comment: Many commenters urged that disease management only be
allowed with the written consent of the individual. Others also desired
consent but suggested that an opt-out would be sufficient. Other
commenters complained that the absence of a definition for disease
management created uncertainty in view of the proposed rule's
requirement to get authorization for marketing. They were concerned
that the effect would be to require patient consent for many activities
that are desirable, not practicably done if authorization is required,
and otherwise classifiable as treatment, payment, or health care
operations. Examples provided include reminders for appointments,
reminders to get preventive services like mammograms, and information
about home management of chronic illnesses.
Response: We agree with the commenters who stated that the
requirement for specific authorization for certain activities
considered part of disease management could impede the ability of
health plans and covered providers to implement effective health care
management and cost containment programs. In addition, this approach
would require us to distinguish activities undertaken as part of a
formal disease management program from the same activities undertaken
outside the context of disease management program. For example, we see
no clear benefit to privacy in requiring written authorization before a
physician may call a patient to discuss treatment options in all cases,
nor do we see a sound basis for requiring it only when the physician
was following a formal protocol as part of a population based
intervention. We also are not persuaded that the risk to privacy for
these activities warrants a higher degree of protection than do other
payment, health care operations or treatment activities for which
specific authorization was not suggested by commenters.
Comment: A few commenters asked that we clarify that disclosure of
protected health information about a prospective patient to a health
care provider (e.g., a possible admission to an assisted living
facility from a nursing facility) is a treatment activity that does not
require authorization.
Response: We agree that the described activity is ``treatment,''
because it constitutes referral and coordination of health care.
Comment: Comments called for the removal of ``other services'' from
the definition.
Response: We disagree with the concept that only health care
services are appropriately included in the treatment definition. We
have modified this definition to instead include ``the provision,
coordination, or management of health care and related services.'' This
definition allows health care providers to offer or coordinate social,
rehabilitative, or other services that are associated with the
provision of health care. Our use of the term ``related'' prevents
``treatment'' from applying to the provision of services unrelated to
health care.
Comment: Several commenters stated that the definition of treatment
should include organ and tissue recovery activities. They asserted that
the information exchanged and collected to request consent, evaluate
medical information about a potential donor and perform organ
recoveries relates to treatment and are not administrative activities.
When hospitals place a patient on the UNOS list it is transferring
individually identifiable health information. Also, when an organ
procurement organization registers a donor with UNOS it could be
disclosing protected health information. Commenters questioned whether
these activities would be administrative or constitute treatment.
Response: In the proposed rule we included in the definition of
``health care'' activities related to the procurement or organs, blood,
eyes and other tissues. This final rule deletes those activities from
the definition of ``health care.'' We do so because, while organ and
tissue procurement organizations are integral components of the health
care system, we do not believe that the testing, procurement, and other
procedures they undertake describe ``health care'' offered to the
donors of the tissues or organs themselves. See the discussion under
the definition of ``health care'' in Sec. 160.103.
Comment: Some commenters recommended including health promotion
activities in the definition of health care.
[[Page 82629]]
Response: We consider health promotion activities to be preventive
care, and thus within the definition of health care. In addition, such
activities that are population based are included in the definition of
health care operations.
Comment: We received a range of comments regarding the proper
placement of case and disease management in the definitions and the
perceived overlap between health care operations and treatment. Some
consider that these activities are a function of improving quality and
controlling costs. Thus, they recommend that the Secretary move risk
assessment, case and disease management to the definition of health
care operations.
Response: In response to these comments, we remove these terms from
the definition of treatment and add case management to the definition
of health care operations. We explain our treatment of disease
management in responses to comments above. Whether an activity
described as disease or case management falls under treatment or health
care operations would depend in part on whether the activity is focused
on a particular individual or a population. A single program described
as a ``case management'' effort may include both health care operations
activities (e.g., records analysis, protocol development, general risk
assessment) and treatment activities (e.g., particular services
provided to or coordinated for an individual, even if applying a
standardized treatment protocol).
Comment: We received comments that argued for the inclusion of
``disability management'' in the treatment definition. They explained
that through disability management, health care providers refer and
coordinate medical management and they require contemporaneous exchange
of an employee's specific medical data for the provider to properly
manage.
Response: To the extent that a covered provider is coordinating
health care services, the provider is providing treatment. We do not
include the term ``disability management'' because the scope of the
activities covered by that term is not clear. In addition, the
commenters did not provide enough information for us to make a fact-
based determination of how this rule applies to the uses and
disclosures of protected health information that are made in a
particular ``disability management'' program.
Use
Comment: One commenter asserted that the scope of the proposal had
gone beyond the intent of Congress in addressing uses of information
within the covered entity, as opposed to transactions and disclosures
outside the covered entity. This commenter argued that, although HIPAA
mentions use, it is unclear that the word ``use'' in the proposed rule
is what Congress intended. The commenter pointed to the legislative
history to argue that ``use'' is related to an information exchange
outside of the entity.
Response: We disagree with the commenter regarding the Congress'
intent. Section 264 of HIPAA requires that the Secretary develop and
send to Congress recommendations on standards with respect to the
privacy of individually identifiable health information (which she did
on September 11, 1997) and prescribes that the recommendations address
among other items ``the uses and disclosures of such information that
should be authorized or required.'' Section 264 explicitly requires the
Secretary to promulgate standards that address at least the subjects
described in these recommendations. It is therefore our interpretation
that Congress intended to cover ``uses'' as well as disclosures of
individually identifiable health information. We find nothing in the
legislative history to indicate that Congress intended to deviate from
the common meaning of the term ``use.''
Comment: One commenter observed that the definition could encompass
the processing of data by computers to execute queries. It was argued
that this would be highly problematic because computers are routinely
used to identify subsets of data sets. It was explained that in
performing this function, computers examine each record in the data set
and return only those records in the data set that meet specific
criteria. Consequently, a human being will see only the subset of data
that the computer returns. Thus, the commenter stated that it is only
this subset that could be used or disclosed.
Response: We interpret ``use'' to mean only the uses of the product
of the computer processing, not the internal computer processing that
generates the product.
Comments: Some commenters asked that the Department clarify that
individualized medical information obtained through a fitness for duty
examination is not subject to the privacy protections under the
regulation.
Response: As discussed above, we have clarified that the definition
of ``treatment'' to include assessments of an individual. If the
assessment is performed by a covered health care provider, the health
information resulting from the assessment is protected health
information. We note that a covered entity is permitted to condition
the provision of health care when the sole purpose is to create
protected health information for the benefit of a third person. See
Sec. 164.508(b). For example, a covered health care provider may
condition the provision of a fitness for duty examination to an
individual on obtaining an authorization from the individual for
disclosure to the employer who has requested the examination.
Section 164.502--Uses and Disclosures of Protected Health
Information: General Rules
Section 164.502(a)--General Standard
Comment: A few commenters requested an exemption from the rule for
the Social Security and Supplemental Security Income Disability
Programs so that disability claimants can be served in a fair and
timely manner. The commenters were concerned that the proposal would be
narrowly interpreted, thereby impeding the release of medical records
for the purposes of Social Security disability programs.
Another commenter similarly asked that a special provision be added
to the proposal's general rule for uses and disclosures without
authorization for treatment, payment, and health care operations
purposes to authorize disclosure of all medical information from all
sources to the Social Security Administration, including their
contracted state agencies handling disability determinations.
Response: A complete exemption for disclosures for these programs
is not necessary. Under current practice, the Social Security
Administration obtains authorization from applicants for providers to
release an individual's records to SSA for disability and other
determinations. Thus, there is no reason to believe that an exemption
from the authorization required by this rule is needed to allow these
programs to function effectively. Further, such an exemption would
reduce privacy protections from current levels. When this rule goes
into effect, those authorizations will need to meet the requirements
for authorization under Sec. 164.508 of this rule.
We do, however, modify other provisions of the proposed rule to
accommodate the special requirements of these programs. In particular,
Social Security Disability and other federal programs, and public
benefits programs run by the states, are authorized by law
[[Page 82630]]
to share information for eligibility purposes. Where another public
body has determined that the appropriate balance between need for
efficient administration of public programs and public funds and
individuals' privacy interests is to allow information sharing for
these limited purposes, we do not upset that determination. Where the
sharing of enrollment and eligibility information is required or
expressly authorized by law, this rule permits such sharing of
information for eligibility and enrollment purposes (see
Sec. 164.512(k)(6)(i)), and also excepts these arrangements from the
requirements for business associate agreements (see
Sec. 164.502(e)(1)).
Comment: A few commenters asked that the rule be revised to
authorize disclosures to clergy, for directory purposes, to organ and
tissue procurement organizations, and to the American Red Cross without
patient authorization.
Response: We agree and revise the final rule accordingly. The new
policies and the rationale for these policies are found in
Secs. 164.510 and 164.512, and the corresponding preamble.
Comment: One commenter recommended that the rule apply only to the
``disclosure'' of protected health information by covered entities,
rather than to both ``use'' and ``disclosure.'' The commenter stated
that the application of the regulation to a covered entity's use of
individually identifiable health information offers little benefit in
terms of protecting protected health information, yet imposes costs and
may hamper many legitimate activities, that fall outside the definition
of treatment, payment or health care operations.
Another commenter similarly urged that the final regulation draw
substantive distinctions between restrictions on the ``use'' of
individually identifiable health information and on the ``disclosure''
of such information, with broader latitude for ``uses'' of such
information. The commenter believed that internal ``uses'' of such
information generally do not raise the same issues and concerns that a
disclosure of that information might raise. It was argued that any
concerns about the potential breadth of use of this information could
be addressed through application of the ``minimum necessary'' standard.
The commenter also argued that Congressional intent was that a
``disclosure'' of individually identifiable health information is
potentially much more significant than a ``use'' of that information.
Response: We do not accept the commenter's broad recommendation to
apply the regulation only to the ``disclosure'' of protected health
information and not to ``use'' of such information. Section 264 charges
the Secretary with promulgating standards that address, among other
things, ``the uses and disclosures'' of individually identifiable
health information. We also do not agree that applying the regulation
to ``use'' offers little benefit to protecting protected health
information. The potential exists for misuse of protected health
information within entities. This potential is even greater when the
covered entity also provides services or products outside its role as a
health care provider, health plan, or health care clearinghouse for
which ``use'' of protected health information offers economic benefit
to the entity. For example, if this rule did not limit ``uses''
generally to treatment, payment and health care operations, a covered
entity that also offered financial services could be able to use
protected health information without authorization to market or make
coverage or rate decisions for its financial services products. Without
the minimum necessary standard for uses, a hospital would not be
constrained from allowing their appointment scheduling clerks free
access to medical records.
We agree, however, that it is appropriate to apply somewhat
different requirements to uses and disclosures of protected health
information permitted by this rule. We therefore modify the application
of the minimum necessary standard to accomplish this. See the preamble
to Sec. 164.514 for a discussion of these changes.
Comment: A commenter argued that the development, implementation,
and use of integrated computer-based patient medical record systems,
which requires efficient information sharing, will likely be impeded by
regulatory restrictions on the ``use'' of protected health information
and by the minimum necessary standard.
Response: We have modified the proposed approach to regulating
``uses'' of protected health information within an entity, and believe
our policy is compatible with the development and implementation of
computer-based medical record systems. In fact, we drew part of the
revised policy on ``minimum necessary'' use of protected health
information from the role-based access approach used in several
computer-based records systems today. These policies are described
further in Sec. 164.514.
Comment: One commenter asked that the general rules for uses and
disclosures be amended to permit covered entities to disclose protected
health information for purposes relating to property and casualty
benefits. The commenter argued that the proposal could affect its
ability to obtain protected health information from covered entities,
thereby constricting the flow of medical information needed to
administer property and casualty benefits, particularly in the workers'
compensation context. It was stated that this could seriously impede
property and casualty benefit providers' ability to conduct business in
accordance with state law.
Response: We disagree that the rule should be expanded to permit
all uses and disclosures that relate to property and casualty benefits.
Such a broad provision is not in keeping with protecting the privacy of
individuals. Although we generally lack the authority under HIPAA to
regulate the practices of this industry, the final rule addresses when
covered entities may disclose protected health information to property
and casualty insures. We believe that the final rule permits property
and casualty insurers to obtain the protected health information that
they need to maintain their promises to their policyholders. For
example, the rule permits a covered entity to use or disclose protected
health information relating to an individual when authorized by the
individual. Property and casualty insurers are free to obtain
authorizations from individuals for release by covered entities of the
health information that the insurers need to administer claims, and
this rule does not affect their ability to condition payment on
obtaining such an authorization from insured individuals. Property and
casualty insurers providing payment on a third-party basis have an
opportunity to obtain authorization from the individual and to
condition payment on obtaining such authorization. The final rule also
permits covered entities to make disclosures to obtain payment, whether
from a health plan or from another person such as a property and
casualty insurer. For example, where an automobile insurer is paying
for medical benefits on a first-party basis, a health care provider may
disclose protected health information to the insurer as part of a
request for payment. We also include in the final rule a new provision
that permits covered entities to use or disclose protected health
information as authorized by workers' compensation or similar programs
established by law addressing work-related injuries or illness. See
Sec. 164.512(l). These statutory programs establish channels of
information sharing that are necessary
[[Page 82631]]
to permit compensation of injured workers.
Comment: A few commenters suggested that the Department specify
``prohibited'' uses and disclosures rather than ``permitted'' uses and
disclosures.
Response: We reject these commenters' because we believe that the
best privacy protection in most instances is to require the
individual's authorization for use or disclosure of information, and
that the role of this rule is to specify those uses and disclosures for
which the balance between the individuals' privacy interest and the
public's interests dictates a different approach. The opposite approach
would require us to anticipate the much larger set of all possible uses
of information that do not implicate the public's interest, rather than
to specify the public interests that merit regulatory protection.
Comment: A commenter recommended that the rule be revised to more
strongly discourage the use of individually identifiable health
information where de-identified information could be used.
Response: We agree that the use of de-identified information
wherever possible is good privacy practice. We believe that by
requiring covered entities to implement these privacy restrictions only
with respect to individually identifiable health information, the final
rule strongly encourages covered entities to use de-identified
information as much as practicable.
Comment: One commenter recommended that when information from
health records is provided to authorized external users, this
information should be accompanied by a statement prohibiting use of the
information for other than the stated purpose; prohibiting disclosure
by the recipient to any other party without written authorization from
the patient, or the patient's legal representative, unless such
information is urgently needed for the patient's continuing care or
otherwise required by law; and requiring destruction of the information
after the stated need has been fulfilled.
Response: We agree that restricting other uses or re-disclosure of
protected health information by a third party that may receive the
information for treatment, payment, and health care operations purposes
or other purposes permitted by rule would be ideal with regard to
privacy protection. However, as described elsewhere in this preamble,
once protected health information leaves a covered entity the
Department no longer has jurisdiction under the statute to apply
protections to the information. Since we would have no enforcement
authority, the costs and burdens of requiring covered entities to
produce and distribute such a statement to all recipients of protected
heath information, including those with whom the covered entity has no
on-going relationship, would outweigh any benefits to be gained from
such a policy. Similarly, where protected health information is
disclosed for routine treatment, payment and operations purposes, the
sheer volume of these disclosures makes the burden of providing such a
statement unacceptable. Appropriate protection for these disclosures
requires law or regulation directly applicable to the recipient of the
information, not further burden on the disclosing entity. Where,
however, the recipient of protected health information is providing a
service to or on behalf of the covered entity this balance changes. It
is consistent with long-standing legal principles to hold the covered
entity to a higher degree of responsibility for the actions of its
agents and contractors. See Sec. 164.504 for a discussion of the
responsibilities of covered entities for the actions of their business
associates with respect to protected health information.
Section 164.502(b)--Minimum Necessary
Comments on the minimum necessary standard are addressed in the
preamble to Sec. 164.514(d).
Section 164.502(c)--Uses or Disclosures of Protected Health Information
Subject to an Agreed Upon Restriction
Comments on the agreed upon restriction standard are addressed in
the preamble to Sec. 164.522(a).
Section 164.502(d)--Uses and Disclosures of De-Identified Protected
Health Information
Comments on the requirements for de-identifying information are
addressed in the preamble to Sec. 164.514(a)-(c).
Section 164.502(e)--Business Associates
Comments on business associates are addressed in the preamble to
Sec. 164.504(e).
Section 164.502(f)--Deceased Individuals
Comment: Most commenters on this topic generally did not approve of
the Secretary's proposal with regard to protected health information
about deceased individuals. The majority of these commenters argued
that our proposal was not sufficiently protective of such information.
Commenters agreed with the statements made in the preamble to the
proposed rule that the privacy concerns addressed by this policy are
not limited to the confidential protection of the deceased individual
but instead also affects the decedent's family, as genetic information
and information pertinent to hereditary diseases and risk factors for
surviving relatives and direct family members may be disclosed through
the disclosure of the deceased individual's confidential data. It was
argued that the proposal would be inadequate to protect the survivors
who could be negatively affected and in most cases will outlive the
two-year period of protection. A number of medical associations
asserted that individuals may avoid genetic testing, diagnoses, and
treatment and suppress information important to their health care if
they fear family members will suffer discrimination from the release of
their medical information after their death. One commenter pointed out
that ethically little distinction can be made between protecting an
individual's health information during life and protecting it post-
mortem. Further, it was argued that the privacy of the deceased
individual and his or her family is far more important than allowing
genetic information to be abstracted by an institutional or commercial
collector of information. A few commenters asked that we provide
indefinite protection on the protected health information about a
deceased person contained in psychotherapy notes. One commenter asked
that we extend protections on records of children who have died of
cancer for the lifetime of a deceased child's siblings and parents.
The majority of commenters who supported increased protections on
the protected health information about the deceased asked that we
extend protections on such information indefinitely or for as long as
the covered entity maintains the information. It was also argued that
the administrative burden of perpetual protection would be no more
burdensome than it is now as current practice is that the
confidentiality of identifiable patient information continues after
death. A number of others pointed out that there was no reason to set a
different privacy standard for deceased individuals than we had for
living individuals and that it has been standard practice to release
the information of deceased individuals with a valid consent of the
executor, next of kin, or specific court order. In addition, commenters
referenced Hawaii's health care information privacy law (see Haw. Rev.
Stat. section
[[Page 82632]]
323C-43) as at least one example of a state law where the privacy and
access provisions of the law continue to apply to the protected health
information of a deceased individual following the death of that
individual.
Response: We find the arguments raised by these commenters
persuasive. We have reconsidered our position and believe these
arguments for maintaining privacy on protected health information
without temporal limitations outweigh any administrative burdens
associated with maintaining such protections. As such, in the final
rule we revise our policy to extend protections on the protected health
information about a deceased individual to remain in effect for as long
as the covered entity maintains the information.
For purposes of this regulation, this means that, except for uses
and disclosures for research purposes (see Sec. 164.512(i)), covered
entities must under this rule protect the protected health information
about a deceased individual in the same manner and to the same extent
as required for the protected health information of living individuals.
This policy alleviates the burden on the covered entity from having to
determine whether or not the person has died and if so, how long ago,
when determining whether or not the information can be released.
Comment: One commenter asked us to delete our standard for deceased
individuals, asserting that the deceased have no constitutional right
to privacy and state laws are sufficient to maintain protections for
protected health information about deceased individuals.
Response: We understand that traditional privacy law has
historically stripped privacy protection on information at the time the
subject of the information dies. However, as we pointed out in the
preamble to the proposed rule, the dramatic proliferation of
electronic-based interchanges and maintenance of information has
enabled easier and more ready access to information that once may have
been de facto protected for most people because of the difficulty of
its collection and aggregation. It is also our understanding that
current state laws vary widely with regard to the privacy protection of
a deceased individual's individually identifiable health information.
Some are less protective than others and may not take into account the
implications of disclosure of genetic and hereditary information on
living individuals. For these reasons, a regulatory standard is needed
here in order to adequately protect the privacy interests of those who
are living.
Comment: Another commenter expressed concern over the
administrative problems that the proposed standard would impose,
particularly in the field of retrospective health research.
Response: For certain research purposes, we permit a covered entity
to use and disclose the protected health information of a deceased
individual without authorization by a personal representative and
absent review by an IRB or privacy board. The verification standard
(Sec. 164.514(h)) requires that covered entities obtain an oral or
written representation that the protected health information sought
will be used or disclosed solely for research, and
Sec. 164.512(i)(1)(iii) requires the covered entity to obtain from the
researcher documentation of the death of the individual. We believe the
burden on the covered entity will be small, because it can reasonably
rely on the representation of purpose and documentation of death
presented by the researcher.
Comment: A few commenters argued that the standard in the proposed
rule would cause significant administrative burdens on their record
retention and storage policies. Commenters explained that they have
internal policy record-retention guidelines which do not envision the
retention of records beyond a few years. Some commenters complained
about the burden of having to track dates of death, as the commenters
are not routinely notified when an individual has died.
Response: The final rule does not dictate any record retention
requirements for the records of deceased individuals. Since we have
modified the NPRM to cover protected health information about deceased
individuals for as long as the covered entity maintains the
information, there will be no need for the covered entity to track
dates of death.
Comment: A few commenters voiced support for the approach proposed
in the proposal to maintain protections for a period of two years.
Response: After consideration of public comments, we chose not to
retain this approach because the two-year period would be both
inadequate and arbitrary. As discussed above, we agree with commenter
arguments in support of providing indefinite protection.
Comment: A few commenters expressed concern that the regulations
may be interpreted as providing a right of access to a deceased's
records only for a two-year period after death. They asked the
Department to clarify that the right of access of an individual,
including the representatives of a deceased individual, exists for the
entire period the information is held by a covered entity.
Response: We agree with these comments, given the change in policy
discussed above.
Comment: A few commenters suggested that privacy protections on
protected health information about deceased individuals remain in
effect for a specified time period longer than 2 years, arguing that
two years was not long enough to protect the privacy rights of living
individuals. These commenters, however, were not in agreement as to
what other period of protection should be imposed, suggesting various
durations from 5 to 20 years.
Response: We chose not to extend protections in this way because
specifying another time period would raise many of the same concerns
voiced by the commenters regarding our proposed two year period and
would not reduce the administrative burden of having to track or learn
dates of death. We believe that the policy in this final rule extending
protections for as long as the covered entity maintains the information
addresses commenter concerns regarding the need for increased
protections on the protected health information about the deceased.
Comment: Some commenters asserted that information on the decedent
from the death certificate is important for assessment and research
purposes and requested that the Department clarify accordingly that
death certificate data be allowed for use in traditional public health
assessment activities.
Response: Nothing in the final rule impedes reporting of death by
covered entities as required or authorized by other laws, or access to
death certificate data to the extent that such data is available
publicly from non-covered entities. Death certificate data maintained
by a covered entity is protected health information and must only be
used or disclosed by a covered entity in accordance with the
requirements of this regulation. However, the final rule permits a
covered entity to disclose protected health information about a
deceased individual for research purposes without authorization and
absent IRB or privacy board approval.
Comment: A few commenters asked that we include in the regulation a
mechanism to provide for notification of date of death. These
commenters questioned how a covered entity or business partner would be
notified of a death and subsequently be able to determine whether the
two-year period of protection had expired and if they
[[Page 82633]]
were permitted to use or disclose the protected health information
about the deceased. One commenter further stated that absent such a
mechanism, a covered entity would continue to protect the information
as if the individual were still living. This commenter recommended that
the burden for providing notification and confirmation of death be
placed on any authorized entity requesting information from the covered
entity beyond the two-year period.
Response: In general, such notification is no longer necessary as,
except for uses and disclosures for research purposes, the final rule
protects the protected health information about a deceased individual
for as long as the covered entity holds the record. With regard to uses
and disclosures for research, the researcher must provide covered
entities with appropriate documentation of proof of death, the burden
is not on the covered entity.
Comment: A few commenters pointed to the sensitivity of genetic and
hereditary information and its potential impact on the privacy of
living relatives as a reason for extending protections on the
information about deceased individuals for as long as the covered
entity maintains the information. However, a few commenters recommended
additional protections for genetic and hereditary information. For
example, one commenter suggested that researchers should be able to use
sensitive information of the deceased but then be required to publish
findings in de-identified form. Another commenter recommended that
protected health information about a deceased individual be protected
as long as it implicates health problems that could be developed by
living relatives.
Response: We agree with many of the commenters regarding the
sensitivity of genetic or hereditary information and, in part for this
reason, extended protections on the protected health information of
deceased individuals. Our reasons for retaining the exception for
research are explained above.
We agree with and support the practice of publishing research
findings in de-identified form. However, we cannot regulate researchers
who are not otherwise covered entities in this regulation.
Comment: One commenter asked that the final rule allow for
disclosure of protected health information to funeral directors as
necessary for facilitating funeral and disposition arrangements. The
commenter believed that our proposal could seriously disrupt a family's
ability to make funeral arrangements as hospitals, hospices, and other
health care providers would not be allowed to disclose the time of
death and other similar information critical to funeral directors for
funeral preparation. The commenter also noted that funeral directors
are already precluded by state licensing regulations and ethical
standards from inappropriately disclosing confidential information
about the deceased.
Further, the commenter stated that funeral directors have
legitimate needs for protected health information of the deceased or of
an individual when death is anticipated. For example, often funeral
directors are contacted when death is foreseen in order to begin the
process of planning funeral arrangements and prevent unnecessary
delays. In addition, the embalming of the body is affected by the
medical condition of the body.
In addition, it was noted that funeral directors need to be aware
of the presence of a contagious or infectious disease in order to
properly advise family members of funeral and disposition options and
how they may be affected by state law. For example, certain states may
prohibit cremation of remains for a certain period unless the death was
caused by a contagious or infectious disease, or prohibit family
members from assisting in preparing the body for disposition if there
is a risk of transmitting a communicable disease from the corpse.
Response: We agree that disclosures to funeral directors for the
above purposes should be allowed. Accordingly, the final rule at
Sec. 164.512(g)(2) permits covered entities to disclose protected
health information to funeral directors, consistent with applicable
law, as necessary to carry out their duties with respect to the
decedent. Such disclosures are also permitted prior to, and in
reasonable anticipation of, the individual's death.
Comment: Several commenters urged that the proposed standard for
deceased individuals be clarified to allow access by a family member
who has demonstrated a legitimate health-related reason for seeking the
information when there is no executor, administrator, or other person
authorized under applicable law to exercise the right of access of the
individual.
Another commenter asked that the rule differentiate between blood
relatives and family members and address their different access
concerns, such as with genetic information versus information about
transmittable diseases. They also recommended that the regulation allow
access to protected health information by blood-related relatives prior
to the end of the two-year period and provide them with the authority
to extend the proposed two-year period of protection if they see fit.
Lastly, the commenter suggested that the regulation address the concept
of when the next-of-kin may not be appropriate to control a deceased
person's health information.
Response: We agree that family members may need access to the
protected health information of a deceased individual, and this
regulation permits such disclosure in two ways. First, a family member
may qualify as a ``personal representative'' of the individual (see
Sec. 164.502(g)). Personal representatives include anyone who has
authority to act on behalf of a deceased individual or such
individual's estate, not just legally-appointed executors. We also
allow disclosure of protected health information to health care
providers for purposes of treatment, including treatment of persons
other than the individual. Thus, where protected health information
about a deceased person is relevant to the treatment of a family
member, the family member's physician may obtain that information.
Because we limit these disclosures to disclosures for treatment
purposes, there is no need to distinguish between disclosure of
information about communicable diseases and disclosure of genetic
information.
With regard to fitness to control information, we defer to existing
state and other laws that address this matter.
Section 164.502(g)--Personal Representative
Comment: It was observed that under the proposed regulation, legal
representatives with ``power of attorney'' for matters unrelated to
health care would have unauthorized access to confidential medical
records. Commenters recommended that access to a person's protected
health information be limited to those representatives with a ``power
of attorney'' for health care matters only. Related comments asked that
the rule limit the definition of ``power of attorney'' to include only
those instruments granting specific power to deal with health care
functions and health care records.
Response: We have deleted the reference to ``power of attorney.''
Under the final rule, a person is a personal representative of a living
individual if, under applicable law, such person has authority to act
on behalf of an individual in making decisions related to health care.
``Decisions relating to health care'' is broader than consenting to
treatment on behalf of an individual;
[[Page 82634]]
for example, it would include decisions relating to payment for health
care. We clarify that the rights and authorities of a personal
representative under this rule are limited to protected health
information relevant to the rights of the person to make decisions
about an individual under other law. For example, if a husband has the
authority only to make health care decisions about his wife in an
emergency, he would have the right to access protected health
information related to that emergency, but he may not have the right to
access information about treatment that she had received ten years ago.
We note that the rule for deceased individuals differs from that of
living individuals. A person may be a personal representative of a
deceased individual if they have the authority to act on behalf of such
individual or such individual's estate for any decision, not only
decisions related to health care. We create a broader scope for a
person who is a personal representative of a deceased individual
because the deceased individual can not request that information be
disclosed pursuant to an authorization, whereas a living individual can
do so.
Comment: Some commenters asked that the NPRM provision allowing
informal decision-makers access to the protected health information of
an incapacitated individual should be maintained in the final rule.
Response: We agree with the commenters, and retain permission for
covered entities to share protected health information with informal
decision-makers, under conditions specified in Sec. 164.510(b). A
person need not be a personal representative for such disclosure of
protected health information to be made to an informal decision-maker.
Comment: Commenters urged that individuals with mental retardation,
who can provide verbal agreement or authorization, should have control
over dissemination of their protected health information, in order to
increase the privacy rights of such individuals.
Response: Individuals with mental retardation have control over
dissemination of their protected health information under this rule to
the extent that state law provides such individuals with the capacity
to act on their own behalf. We note that a covered entity need not
disclose information pursuant to a consent or authorization. Therefore,
even if state law determines that an individual with mental retardation
is not competent to act and a personal representative provides
authorization for a disclosure, a covered entity may choose not to
disclose such information if the individual who lacks capacity to act
expresses his or her desire that such information not be disclosed.
Comment: A commenter suggested that the final rule should provide
health plans with a set of criteria for formally identifying an
incapacitated individual's decision-maker. Such criteria would give
guidance to health plans that would help in not releasing information
to the wrong person.
Response: The determination about who is a personal representative
under this rule is based on state or other applicable law. We require
that a covered entity verify the authority of a personal
representative, in accordance with Sec. 164.514(h) in order to disclose
information to such person.
Comment: Commenters were troubled by the inclusion of minors in the
definition of ``individual'' and believed that the presumption should
be that parents have the right to care for their children.
Response: We agree that a parent should have access to the
protected health information about their unemancipated minor children,
except in limited circumstances based on state law. The approach in the
final rule helps clarify this policy. The definition of ``individual''
is simplified in the final rule to ``the person who is the subject of
protected health information.'' (Sec. 164.501). We created a new
section (Sec. 164.502(g)) to address ``personal representatives,''
which includes parents and guardians of unemancipated minors.
Generally, we provide that if under applicable law a parent has
authority to act on behalf of an unemancipated minor in making
decisions relating to health care about the minor, a covered entity
must treat the parent as the personal representative with respect to
protected health information relevant to such personal representation.
The regulation provides only three limited exceptions to this rule
based upon current state law and physician practice.
Comment: Many commenters agreed with our approach in the NPRM to
give minors who may lawfully access health care the rights to control
the protected health information related to such health care.
Several commenters disagreed with this approach and recommended
that where states allow minors too much independence from parents, the
rule should not defer to state law. One commenter suggested that we
give an individual the right to control protected health information
only when the individual reaches the age of majority.
Response: In the final rule, the parent, as the personal
representative of a minor child, controls the protected health
information about the minor, except that the parent does not act as a
personal representative of the minor under the rule in three limited
circumstances based on state consent law and physician practice. The
final rule defers to consent laws of each state and does not attempt to
evaluate the amount of control a state gives to a parent or minor. If a
state provides an alternative means for a minor to obtain health care,
other than with the consent of a parent, this rule preserves the system
put in place by the state.
The first two exceptions, whereby a parent is not the personal
representative for the minor and the minor can act for himself or
herself under the rule, occur if the minor consents to a health care
service, and no other consent to such health care service is required
by law, or when the minor may lawfully obtain a health care service
without the consent of a parent, and the minor, a court, or another
person authorized by law consents to such service. The third exception
is based on guidelines of the American Pediatric Association, current
practice, and agreement by parents. If a parent assents to an agreement
of confidentiality between a covered provider and a minor with respect
to a health care service, the parent is not the personal representative
of the minor with respect to the protected health information created
or received subject to that confidentiality agreement. In such
circumstances, the minor would have the authority to act as an
individual, with respect to such protected health information.
Comment: Some commenters requested that we permit minors to
exercise the rights of an individual when applicable law requires
parental notification as opposed to parental consent.
Response: We adopt this policy in the final rule. If the minor
consents to a health care service, and no other consent to such health
care service is required by law, regardless of whether the consent of
another person has also been obtained or notification to another person
has been given, only the minor may be treated as the individual with
respect to the protected health information relating to such health
care service. The rule does not affect state law that authorizes or
requires notification to a parent of a minor's decision to obtain a
health care service to the extent authorized or required by such law.
In addition, state parental notification laws do not affect the rights
of minors under this regulation.
[[Page 82635]]
Comment: Some commenters requested clarification that when a minor
may obtain a health care service without parental consent and
voluntarily chooses to involve a parent, the minor retains the rights,
authorities and confidentiality protections established in this rule.
Response: We agree that minors should be encouraged to voluntarily
involve a parent or other responsible adult in their health care
decisions. The rule is not intended to require that minors choose
between involving a parent and maintaining confidentiality protections.
We have added language in Sec. 164.502(g)(3)(i) to clarify that when a
minor consents to a health care service and no other consent is
required by law, if the minor voluntarily chooses to involve a parent
or other adult, the minor nonetheless maintains the exclusive ability
to exercise their rights under the rule. This is true even if a parent
or other person also has consented to the health care service for which
the minor lawfully consented. Under the rule, a minor may involve a
parent and still preserve the confidentiality of their protected health
information. In addition, a minor may choose to have a parent act as
his or her personal representative even if the minor could act on his
or her own behalf under the rule. If the minor requests that a covered
entity treat a parent as his or her personal representative, the
covered entity must treat such person as the minor's personal
representative even if the minor consents to a health care service and
no other consent to such health care service is required by law.
Comment: Some commenters requested that the rule provide for the
preservation of patient confidences if a health care provider and a
minor patient enter into an agreement of confidentiality and a parent
assents to this arrangement.
Response: We have addressed this concern in the final rule by
adding a provision that ensures that a minor maintains the
confidentiality protections provided by the rule for information that
is created or received pursuant to a confidential communication between
a provider and a minor when the minor's parent assents to an agreement
of confidentiality between the provider and the minor.
(Sec. 164.502(g)(3)(ii)). The American Academy of Pediatrics Guidelines
for Health Supervision III, which are meant to serve as ``a framework
to help clinicians focus on important issues at developmentally
appropriate time intervals,'' recommends that physicians interview
children alone beginning at the age of twelve (or as early as the age
of ten if it is comfortable for the child). This recommendation is
based on the fact that adolescents tend to underutilize existing health
care resources, in part, because of a concern for confidentiality.\7\
The recommended interview technique in the Guidelines states that the
provider discuss the rules of confidentiality with the adolescent and
the parent and that the adolescent's confidentiality should be
respected. We do not intend to interfere with these established
protocols or current practices. Covered entities will need to establish
procedures to separate protected health information over which the
minor maintains control from protected health information with respect
to which the minor's parent has rights as a personal representative of
the minor.
---------------------------------------------------------------------------
\7\ Confidentiality in Adolescent Health Care, a joint policy
statement of the American Academy of Pediatrics; the American
Academy of Family Physicians; the American College of Obstetricians
and Gynecologists; NAACOG--The Organization for Obstetric,
Gynecologic, and Neonatal Nurses; and the National Medical
Association.
---------------------------------------------------------------------------
A covered provider may disclose protected health information to a
parent, regardless of a confidentiality agreement, if there is an
imminent threat to the minor or another person, in accordance with
Sec. 164.512(j)(1)(i).
Comment: Several commenters suggested that we add a provision in
the final rule to provide minors and parents with concurrent rights
under certain circumstances, particularly when the minor reaches 16
years of age or when a parent authorizes his or her minor child to
exercise these rights concurrently.
Response: We do not add such provision in the final rule. We
believe that establishing concurrent rights through this rule could
result in problems that effect the quality of health care if the minor
and the parent were to disagree on the exercise of their rights. The
rule would not prevent a parent from allowing a minor child to make
decisions about his or her protected health information and acting
consistently with the minor's decision. In all cases, either the parent
has the right to act for the individual with respect to protected
health information, or the minor has the right to act for himself or
herself. The rule does not establish concurrent rights for parents and
minors.
Comment: Commenters requested clarification about the rights of an
adult or emancipated minor with respect to protected health information
concerning health care services rendered while the person was an
unemancipated minor.
Response: Once a minor becomes emancipated or attains the age of
majority, as determined by applicable state law, the parent is no
longer the personal representative under Sec. 164.502(g)(3) of such
individual, unless the parent has the authority to act on behalf of the
individual for some reason other than their authority as a parent. An
adult or emancipated minor has rights under the rule with respect to
all protected health information about them, including information
obtained while the individual was an unemancipated minor.
Comment: One commenter pointed out that language in the definition
of individual in the NPRM that grants a minor the rights of an
individual when he or she ``lawfully receives care without the consent
of, or notification to, a parent * * *'' would have the effect of
granting rights to an infant minor who receives emergency care when the
parent is not available.
Response: This result was not our intent. We have changed the
language in Sec. 164.502(g)(3)(i) of the final rule to provide a minor
the right to act as an individual when the minor can obtain care
without the consent of a parent and the minor consents to such care.
Because an infant treated in an emergency situation would not be able
to consent to care, the infant's parent would be treated as the
personal representative of the infant. Section 164.502(g)(3)(ii)
provides that the parent is not the personal representative of the
minor under the rule if the minor may obtain health care without the
consent of a parent and the minor, a court, or another person
authorized by law consents to such service. If an infant obtains
emergency care without the consent of a parent, a health care provider
may provide such care without consent to treatment. This situation
would fall outside the second exception, and the parent would remain
the personal representative of the minor.
Comment: Commenters were concerned about the interaction of this
rule with FERPA with respect to parents' right to access the medical
records of their children.
Response: We direct the commenters to a discussion of the
interaction between our rule and FERPA in the ``Relationship to Other
Federal Laws'' section of the preamble.
Section 164.502(h)--Confidential Communications
Comments on confidential communications are addressed in the
preamble to Sec. 164.522(b).
[[Page 82636]]
Section 164.502(i)--Uses and Disclosures Consistent With Notice
Comments on the notice requirements are addressed in the preamble
to Sec. 164.520.
Section 164.502(j)--Uses and Disclosures by Whistleblowers and
Workforce Crime Victims
Comments: Some commenters wanted to see more limitations put on the
ability to whistleblow in the final rule. These commenters were
concerned about how disclosed protected health information would be
used during and subsequent to the whistleblowing event and felt that
adding additional limitations to the ability to whistleblow would help
to alleviate these concerns. Some of these commenters were concerned
that there was no protection against information later being leaked to
the public or re-released after the initial whistleblowing event, and
that this could put covered entities in violation of the law. Many
commenters wanted to see the whistleblower provision deleted entirely.
According to a number of health care associations who commented on this
topic, current practices already include adequate mechanisms for
informing law enforcement, oversight and legal counsel of possible
violations without the need for patient identifiable information; thus,
the provision allowing whistleblowers to share protected health
information is unnecessary. Additionally, some commenters felt that the
covered entity needs to be allowed to prohibit disclosures outside of
legitimate processes. Some commenters were concerned about not having
any recourse if the whistleblower's suspicions were unfounded.
Response: In this rule, we do not regulate the activities of
whistleblowers. Rather, we regulate the activities of covered entities,
and determine when they may be held responsible under this rule for
whistleblowing activities of their workforce or business associates
when that whistleblowing involves the disclosure of protected health
information. Similarly, we regulate when covered entities must and need
not sanction their workforce who disclose protected health information
in violation of the covered entity's policies and procedures, when that
disclosure is for whistleblowing purposes. See Sec. 164.530(e). This
rule does not address a covered entity's recourse against a
whistleblower under other applicable law.
We do not hold covered entities responsible under this rule for
whistleblowing disclosures of protected health information under the
circumstances described in Sec. 164.502(j). Our purpose in including
this provision is to make clear that we are not erecting a new barrier
to whistleblowing, and that covered entities may not use this rule as a
mechanism for sanctioning workforce members or business associates for
whistleblowing activity. We do not find convincing commenters'
arguments for narrowing or eliminating the scope of the whistleblowing
which triggers this protection.
Congress, as well as several states, have recognized the importance
of whistleblower activity to help identify fraud and mismanagement and
protect the public's health and safety. Whistleblowers, by their unique
insider position, have access to critical information not otherwise
easily attainable by oversight and enforcement organizations.
While we recognize that in many instances, de-identified or
anonymous information can be used to accomplish whistleblower
objectives, there are instances, especially involving patient care and
billing, where this may not be feasible. Oversight investigative
agencies such as the Department of Justice rely on identifiable
information in order to issue subpoenas that are enforceable. Relevant
court standards require the government agency issuing the subpoena to
explain why the specific records requested are relevant to the subject
of the investigation, and without such an explanation the subpoena will
be quashed. Issuing a subpoena for large quantities of individual
records to find a few records involving fraud is cost prohibitive as
well as likely being unenforceable.
We note that any subsequent inappropriate disclosure by a recipient
of whistleblower information would not put the covered entity in
violation of this rule, since the subsequent disclosure is not covered
by this regulation.
Comments: A few commenters felt that the whistleblower should be
held to a ``reasonableness standard'' rather than a ``belief'' that a
violation has taken place before engaging in whistleblower activities.
The commenters felt that a belief standard is too subjective. By
holding the whistleblower to this higher standard, this would serve to
protect protected health information from being arbitrarily released.
Some commenters saw the whistleblower provision as a loophole that
gives too much power to disgruntled employees to inappropriately
release information in order to cause problems for the employer.
On the other hand, some commenters felt that all suspicious
activities should be reported. This would ease potential
whistleblowers' concerns over whether or not they had a legitimate
concern by leaving this decision up to someone else. A number of
commenters felt that employees should be encouraged to report
violations of professional or clinical standards, or when a patient,
employee, or the public would be put at risk. A small number of
commenters felt that the whistleblower should raise the issue within
the covered entity before going to the attorney, oversight agency, or
law enforcement entity.
Response: We do not attempt to regulate the conduct of
whistleblowers in this rule. We address uses and disclosures of
protected health information by covered entities, and when a covered
entity will violate this rule due to the actions of a workforce member
or business associate. In the final rule, we provide that a covered
entity is not in violation of the rule when a workforce member or
business associate has a good faith belief that the conduct being
reported is unlawful or otherwise violates professional or clinical
standards, or potentially endangers patients, employees or the public.
We concur that the NPRM language requiring only a ``belief'' was
insufficient. Consequently, we have strengthened the standard to
require a good faith belief that an inappropriate behavior has
occurred.
Comment: A number of commenters believe that employees should be
encouraged to report violations of professional or clinical standards,
or report situations where patients, employees, or the public would be
put at risk. Their contention is that employees, especially health care
employees, may not know whether the problem they have encountered meets
a legal threshold of wrongdoing, putting them at jeopardy of sanction
if they are incorrect, even if the behavior did reflect violation of
professional and clinical standards or put patients, employees, or the
public at risk.
Response: We agree that covered entities should be protected when
their employees and others engage in the conduct described by these
commenters. We therefore modify the proposal to protect covered
entities when the whistleblowing relates to violations of professional
or clinical standards, or situations where the public may be at risk,
and eliminate the reference to ``evidence.''
Comments: A significant number of those commenting on the
whistleblower provision felt that this provision was contrary to the
rest of the rule.
[[Page 82637]]
Whistleblowers could very easily release protected health information
under this provision despite the fact that the rest of this rule works
very hard to ensure privacy of protected health information in all
other contexts. To this end, some commenters felt that whistleblowers
should not be exempt from the minimum necessary requirement.
Response: As stated above, we do not regulate the conduct of
whistleblowers. We discuss above the importance of whistleblowing, and
our intention not to erect a new barrier to such activity. The minimum
necessary standard applies to covered entities, not to whistleblowers.
Comments: Some commenters felt that disclosures of suspected
violations should only be made to a law enforcement official or
oversight agency. Other commenters said that whistleblowers should be
able to disclose their concerns to long-term care ombudsmen or health
care accreditation organizations, particularly because certain
protected health information may contain evidence of abuse. Some
commenters felt that whistleblowers should not be allowed to freely
disclose information to attorneys. They felt that this may cause more
lawsuits within the health care industry and be costly to providers.
Furthermore, allowing whistleblowers to go to attorneys increases the
number of people who have protected health information without any
jurisdiction for the Secretary to do anything to protect this
information.
Response: We agree with the commenters who suggested that we
recognize other appropriate entities to which workforce members and
business associates might reasonably make a whistleblowing disclosure.
In the final rule we expand the provision to protect covered entities
for disclosures of protected health information made to accreditation
organizations by whistleblowers. We agree with the commenters that
whistleblowers may see these organizations as appropriate recipients of
health information, and do not believe that covered entities should be
penalized for such conduct.
We also agree that covered entities should be protected when
whistleblowers disclose protected health information to any health
oversight agency authorized by law to investigate or oversee the
conditions of the covered entity, including state Long-Term Care
Ombudsmen appointed in accordance with the Older Americans Act. Among
their mandated responsibilities is their duty to identify, investigate
and resolve complaints that are made by, or on behalf of, residents
related to their health, safety, welfare, or rights. Nursing home staff
often bring complaints regarding substandard care or abuse to
ombudsmen. Ombudsmen provide a potentially more attractive outlet for
whistleblowers since resolution of problems may be handled short of
legal action or formal investigation by an oversight agency.
We disagree with commenters that the provision permitting
disclosures to attorneys is too broad. Workforce members or business
associates may not understand their legal options or their legal
exposure when they come into possession of information about unlawful
or other inappropriate or dangerous conduct. Permitting potential
whistleblowers to consult an attorney provides them with a better
understanding of their legal options. We rephrase the provision to
improve its clarity.
Comment: One commenter suggested that a notice of information
practices that omits disclosure for voluntary reporting of fraud will
chill internal whistleblowers who will be led to believe--falsely--that
they would violate federal privacy law, and be lawfully subject to
sanction by their employer, if they reported fraud to health oversight
agencies.
Response: The notice of information practices describes a covered
entity's information practices. A covered entity does not make
whistleblower disclosures of protected health information, nor can it
be expected to anticipate any such disclosures by its workforce.
Comment: One commenter suggested that the whistleblower provisions
could allow covered entities to make illegal disclosures to police
through the back door by having an employee who believes there is a
violation of law do the disclosing. Any law could have been violated
and the violator could be anyone (a patient, a member of the patient's
family, etc.)
Response: We have eliminated whistleblower disclosures for law
enforcement purposes from the list of circumstances in which the
covered entity will be protected under this rule. This provision is
intended to protect the covered entity when a member of its workforce
or a business associate discloses protected health information to
whistleblow on the covered entity (or its business associates); it is
not intended for disclosures of conduct by the individual who is the
subject of the information or third parties.
Section 164.504--Uses and Disclosures--Organizational
Requirements--Component Entities, Affiliated Entities, Business
Associates and Group Health Plans
Section 164.504(a)-(c)--Health Care Component (Component Entities) and
Section 164.504(d)--Affiliated Entities
Comment: A few commenters asked that the concept of ``use'' be
modified to allow uses within an integrated healthcare delivery system.
Commenters argued that the rule needs to ensure that the full spectrum
of treatment is protected from the need for authorizations at the
points where treatment overlaps entities. It was explained that, for
example, treatment for a patient often includes services provided by
various entities, such as by a clinic and hospital, or that treatment
may also necessitate referrals from one provider entity to another
unrelated entity. Further, the commenter argued that the rule needs to
ensure that the necessary payment and health care operations can be
carried out across entities without authorizations.
Response: The Department understands that in today's health care
industry, the organization of and relationships among health care
entities are highly complex and varied. We modify the proposed rule
significantly to allow affiliated entities to designate themselves as a
single covered entity. A complex organization, depending on how it
self-designates, may have one or several ``health care component(s)''
that are each a covered entity. Aggregation into a single covered
entity will allow the entities to use a single notice of information
practices and will allow providers that must obtain consent for uses
and disclosures for treatment, payment, and operations to obtain a
single consent.
We do not allow this type of aggregation for unrelated entities, as
suggested by some commenters, because unrelated entities' information
practices will be too disparate to be accurately reflected on a single
consent or notice form. Our policies on when consent and authorization
are required for sharing information among unrelated entities, and the
rationale for these policies, is described in Secs. 164.506 and 164.508
and corresponding preamble.
As discussed above, in the final rule we have added a definition of
organized health care arrangement and permit covered entities
participating in such arrangements to disclose protected health
information to support the health care operations of the arrangement.
See the preamble discussion of the definitions of organized health care
[[Page 82638]]
arrangement and health care operations, Sec. 164.501.
Comment: Some commenters expressed concern that the requirement to
obtain authorization for the disclosure of information to a non-health
related division of the covered entity would impede covered entities'
ability to engage in otherwise-permissible activities such as health
care operations. Some of these commenters requested clarification that
covered entities are only required to obtain authorization for
disclosures to non-health related divisions if the disclosure is for
marketing purposes.
Response: In the final rule, we remove the example of use and
disclosure to non-health related divisions of the covered entity from
the list of examples of uses and disclosures requiring authorization in
Sec. 164.508. We determined that the example could lead covered
entities to the mistaken conclusion that some uses or disclosures that
would otherwise be permitted under the rule without authorization would
require authorization when made to a non-health related division of the
covered entity. In the final rule, we clarify that disclosure to a non-
health related division does not require authorization if the use or
disclosure is otherwise permitted or required under the rule. For
example, in Sec. 164.501 we define health care operations to include
conducting or arranging for legal and auditing services. A covered
entity that is the health care component of a larger entity is
permitted under the final rule to include the legal department of the
larger entity as part of the health care component. The covered entity
may not, however, generally permit the disclosure of protected health
information from the health care component to non-health related
divisions unless they support the functions of the health care
component and there are policies and procedures in place to restrict
the further use to the support of the health related functions.
Comment: Many commenters, especially those who employed providers,
supported our position in the proposed rule to consider only the health
care component of an entity to be the covered entity. They stated that
this was a balanced approach that would allow them to continue
conducting business. Some commenters felt that there was ambiguity in
the regulation text of the proposed rule and requested that the final
rule explicitly clarify that only the health care component is
considered the covered entity, not the entity itself. Similarly,
another commenter requested that we clarify that having a health care
component alone did not make the larger entity a covered entity under
the rule.
Response: We appreciate the support of the commenters on the health
care component approach and we agree that there was some ambiguity in
the proposed rule. The final rule creates a new Sec. 164.504(b) for
health care components. Under Sec. 164.504(b), for a covered entity
that is a single legal entity which predominantly performs functions
other than the functions performed by a health plan, provider, or
clearinghouse, the privacy rules apply only to the entity's health care
component. A policy, plan, or program that is an ``excepted benefit''
under section 2791(c)(1) of HIPAA cannot be part of a health care
component because it is expressly excluded from the definition of
``health plan'' for the reasons discussed above. The health care
component is prohibited from sharing protected health information
outside of the component, except as otherwise permitted or required by
the regulation.
At a minimum, the health care component includes the organizational
units of the covered entity that operate as or perform the functions of
the health plan, health care provider, or clearinghouse and does not
include any unit or function of the excepted benefits plan, policy, or
program. While the covered entity remains responsible for compliance
with this rule because it is responsible for the actions of its
workforce, we otherwise limit the responsibility to comply to the
health care component of the covered entity. The requirements of this
rule apply only to the uses and disclosures of the protected health
information by the component entity. See Sec. 164.504(b).
Comment: Some commenters stated that the requirement to erect
firewalls between different components would unnecessarily delay
treatment, payment, and health care operations and thereby increase
costs. Other commenters stressed that it is necessary to create
firewalls between the health care component and the larger entity to
prevent unauthorized disclosures of protected health information.
Response: We believe that the requirement to implement firewalls or
safeguards is necessary to provide meaningful privacy protections,
particularly because the health care component is part of a larger
legal organization that performs functions other than those covered
under this rule. Without the safeguard requirement we cannot ensure
that the component will not share protected health information with the
larger entity. While we do not specifically identify the safeguards
that are required, the covered entity must implement policies and
procedures to ensure that: the health care component's use and disclose
of protected health information complies with the regulation; members
of the health care component who perform duties for the larger entity
do not use and disclose protected health information obtained through
the health care component while performing non-component functions
unless otherwise permitted or required by the regulation; and when a
covered entity conducts multiple functions regulated under this rule,
the health care component adheres to the appropriate requirements (e.g.
when acting as a health plan, adheres to the health plan requirements)
and uses or discloses protected health information of individuals who
receive limited functions from the component only for the appropriate
functions. See Secs. 164.504(c)(2) and 164.504(g). For example, a
covered entity that includes both a hospital and a health plan may not
use protected health information obtained from an individual's
hospitalization for the health plan, unless the individual is also
enrolled in the health plan. We note that covered entities are
permitted to make a disclosure to a health care provider for treatment
of an individual without restrictions.
Comment: One commenter stated that multiple health care components
of a single organization should be able to be treated as a single
component entity for the purposes of this rule. Under this approach,
they argued, one set of policies and procedures would govern the entire
component and protected health information could be shared among
components without authorization. Similarly, other commenters stated
that corporate subsidiaries and affiliated entities should not be
treated as separate covered entities.
Response: We agree that some efficiencies may result from
designating multiple component entities as a single covered entity. In
the final rule we allow legally distinct covered entities that share
common ownership or control to designate themselves or their health
care components as a single covered entity. See Sec. 164.504(d). Common
ownership is defined as an ownership or equity interest of five percent
or more. Common control exists if an entity has the power--directly or
indirectly--to significantly influence or direct the actions or
policies of another entity. If the affiliated entity contains health
care components, it must implement safeguards to prevent the
[[Page 82639]]
larger entity from using protected health information maintained by the
component entity. As stated above, organizations that perform multiple
functions may designate a single component entity as long as it does
not include the functions of an excepted benefit plan that is not
covered under the rule. In addition, it must adhere to the appropriate
requirements when performing its functions (e.g. when acting as a
health plan, adhere to the health plan requirements) and uses or
discloses protected health information of individuals who receive
limited functions from the component only for the appropriate
functions. At the same time, a component that is outside of the health
care component may perform activities that otherwise are not permitted
by a covered entity, as long as it does not use or disclose protected
health information created or received by or on behalf of the health
care component in ways that violate this rule.
Comment: Some commenters asked whether or not workers' compensation
carriers could be a part of the health care component as described in
the proposed rule. They argued that this would allow for sharing of
information between the group health plan and workers' compensation
insurers.
Response: Under HIPAA, workers' compensation is an excepted benefit
program and is excluded from the definition of ``health plan.'' As
such, a component of a covered entity that provides such excepted
benefits may not be part of a health care component that performs the
functions of a health plan. If workforce members of the larger entity
perform functions for both the health care component and the non-
covered component, they may not use protected health information
created or received by or on behalf of the health care component for
the purposes of the non-covered component, unless otherwise permitted
by the rule. For example, information may be shared between the
components for coordination of benefits purposes.
Comment: Several commenters requested specific guidance on
identifying the health care component entity. They argued that we
underestimated the difficulty in determining the component and that
many organizations have multiple functions with the same people
performing duties for both the component and the larger entity.
Response: With the diversity of organizational structures, it is
impossible to provide a single specific guidance for identifying health
care components that will meet the needs of all organizations. Covered
entities must designate their health care components consistent with
the definition at Sec. 164.504(a). We have tried to frame this
definition to delineate what comes within a health care component and
what falls outside the component.
Comment: A commenter representing a government agency recommended
that only the component of the agency that runs the program be
considered a covered entity, not the agency itself. In addition, this
commenter stated that often subsets of other government agencies work
in partnership with the agency that runs the program to provide certain
services. For example, one state agency may provide maternity support
services to the Medicaid program which is run by a separate agency. The
commenter read the rule to mean that the agency providing the maternity
support services would be a business associate of the Medicaid agency,
but was unclear as to whether it would also constitute a health care
component within its own agency.
Response: We generally agree. We expect that in most cases,
government agencies that run health plans or provide health care
services would typically meet the definition of a ``hybrid entity''
under Sec. 164.504(a), so that such an agency would be required to
designate the health care component or components that run the program
or programs in question under Sec. 164.504(c)(3), and the rules would
not apply to the remainder of the agency's operations, under
Sec. 164.504(b). In addition, we have created an exception to the
business associate contract requirement for government agencies who
perform functions on behalf of other government agencies. Government
agencies can enter into a memorandum of understanding with another
government entity or adopt a regulation that applies to the other
government entity in lieu of a business associate contract, as long as
the memorandum or regulation contains certain terms. See
Sec. 164.504(e).
Comment: One commenter representing an insurance company stated
that different product lines should be treated separately under the
rule. For example, the commenter argued, because an insurance company
offers both life insurance and health insurance, it does not mean that
the insurance company itself is a covered entity, rather only the
health insurance component is a covered entity. Another commenter
requested clarification of the use of the term ``product line'' in the
proposed rule. This commenter stated that product line should
differentiate between different lines of coverage such as life vs.
health insurance, not different variations of the same coverage, such
as HMO vs. PPO. Finally, one commenter stated that any distinction
among product lines is unworkable because insurance companies need to
share information across product lines for coordinating benefits. This
sharing of information, the commenter urged, should be able to take
place whether or not all product lines are covered under the rule.
Response: We agree that many forms of insurance do not and should
not come within the definition of ``health plan,'' and we have excepted
them from the definition of this term in Sec. 160.103 applies. This
point is more fully discussed in connection with that definition.
Although we do not agree that the covered entity is only the specific
product line, as this comment suggests, the hybrid entity rules in
Sec. 164.504 address the substance of this concern. Under
Sec. 164.504(c)(3), an entity may create a health plan component which
would include all its health insurance lines of business or separate
health care components for each health plan product line. Finally, the
sharing of protected health information across lines of business is
allowed if it meets the permissive or required disclosures under the
rule. The commenter's example of coordination of benefits would be
allowed under the rule as payment.
Comment: Several commenters representing occupational health care
providers supported our use of the component approach to prohibit
unauthorized disclosures of protected health information. They
requested that the regulation specifically authorize them to deny
requests for disclosures outside of the component entity when the
disclosure was not otherwise permitted or required by the regulation.
Response: We appreciate the commenters' support of the health care
component approach. As members of a health care component, occupational
health providers are prohibited from sharing protected health
information with the larger entity (i.e., the employer), unless
otherwise permitted or required by the regulation.
Comment: One commenter asked how the regulation affects employers
who carry out research. The commenter questioned whether the employees
carrying out the research would be component entities under the rule.
Response: If the employer is gathering its own information rather
than obtaining it from an entity regulated by this rule, the
information does not constitute protected health information since the
employer is not a covered
[[Page 82640]]
entity. If the employer is obtaining protected health information from
a covered entity, the disclosure by the covered entity must meet the
requirements of Sec. 164.512(i) regarding disclosures for research.
Comment: One commenter stated that the proposed rule did not
clearly articulate whether employees who are health care providers are
considered covered entities when they collect and use individually
identifiable health information acting on behalf of an employer.
Examples provided include, administering mandatory drug testing, making
fitness-for-duty and return-to-work determinations, testing for
exposure to environmental hazards, and making short and long term
disability determinations. This commenter argued that if disclosing
information gained through these activities requires authorization,
many of the activities are meaningless. For example, an employee who
fails a drug test is unlikely to give authorization to the provider to
share the information with the employer.
Response: Health care providers are covered entities under this
rule if they conduct standard transactions. A health care provider who
is an employee and is administering drug testing on behalf of the
employer, but does not conduct standard transactions, is not a covered
entity. If the health care provider is a covered entity, then we
require authorization for the provider to disclose protected health
information to an employer. Nothing in this rule, however, prohibits
the employer from conditioning an individual's employment on agreeing
to the drug testing and requiring the individual to sign an
authorization allowing his or her drug test results to be disclosed to
the employer.
Comment: One commenter stated its belief that only a health center
at an academic institution would be a covered entity under the
component approach. This commenter believed it was less clear whether
or not other components that may create protected health information
``incidentally'' through conducting research would also become covered
entities.
Response: While a covered entity must designate as a health care
component the functions that make it a health care provider, the
covered entity remains responsible for the actions of its workforce.
Components that create protected health information through research
would be covered entities to the extent they performed one of the
required transactions described in Sec. 164.500; however, it is
possible that the research program would not be part of the health care
component, depending on whether the research program performed or
supported covered functions.
Comment: Several commenters stated that employers need access to
protected health information in order to provide employee assistance
programs, wellness programs, and on-site medical testing to their
employees.
Response: This rule does not affect disclosure of health
information by employees to the employer if the information is not
obtained from a covered entity. The employer's access to information
from an EAP, wellness program, or on-site medical clinic will depend on
whether the program or clinic is a covered entity.
Comment: One commenter stated that access to workplace medical
records by the occupational medical physicians is fundamental to
workplace and community health and safety. Access is necessary whether
it is a single location or multiple sites of the same company, such as
production facilities of a national company located throughout the
country.
Response: Health information collected by the employer directly
from providers who are not covered entities is outside the scope of
this regulation. We note that the disclosures which this comment
concerns should be covered by Sec. 164.512(b).
Section 164.504(e)--Business Associates
Comment: Many commenters generally opposed the business partner
standard and questioned the Secretary's legal authority under section
1172(a) of HIPAA to require business partner contracts. Others stated
that the proposed rule imposed too great a burden on covered entities
with regard to monitoring their business partners' actions. Commenters
stated that they did not have the expertise to adequately supervise
their business partners' activities--including billing, accounting, and
legal activities--to ensure that protected health information is not
inappropriately disclosed. Commenters argued that business partners are
not ``under the control'' of health care providers, and that the rule
would significantly increase the cost of medical care. Many commenters
stated that the business partner provisions would be very time
consuming and expensive to implement, noting that it is not unusual for
a health plan or hospital to have hundreds of business partners,
especially if independent physicians and local pharmacies are
considered business partners. Many physician groups pointed out that
their business partners are large providers, hospitals, national drug
supplier and medical equipment companies, and asserted that it would be
impossible, or very expensive, for a small physician group to attempt
to monitor the activity of large national companies. Commenters stated
that complex contract terms and new obligations would necessitate the
investment of significant time and resources by medical and legal
personnel, resulting in substantial expenses. Many commenters proposed
that the duty to monitor be reduced to a duty to terminate the
contractual arrangement upon discovery of a failure to comply with the
privacy requirements.
In addition, many commenters argued that covered entities should
have less responsibility for business partners' actions regarding the
use and disclosure of protected health information. The proposed rule
would have held covered entities responsible for the actions of their
business partners when they ``knew or reasonably should have known'' of
improper use of protected health information and failed to take
reasonable steps to cure a breach of the business partner contract or
terminate the contract. Many commenters urged that the term ``knew or
should have known'' be clearly defined, with examples. Some commenters
stated that covered entities should be liable only when they have
actual knowledge of the material breach of the privacy rules by the
business partner. Others recommended creation of a process by which a
business partner could seek advice to determine if a particular
disclosure would be appropriate. Some commenters stated that, in order
to create an environment that would encourage covered entities to
report misuses of protected health information, a covered entity should
not be punished if it discovered an inappropriate disclosure.
Response: With regard to our authority to require business
associate contracts, we clarify that Congress gave the Department
explicit authority to regulate what uses and disclosures of protected
health information by covered entities are ``authorized.'' If covered
entities were able to circumvent the requirements of these rules by the
simple expedient of contracting out the performance of various
functions, these rules would afford no protection to individually
identifiable health information and be rendered meaningless. It is thus
reasonable to place restrictions on disclosures to business associates
that are designed to ensure that the personal medical information
disclosed to them continues to be protected and used and further
[[Page 82641]]
disclosed only for appropriate (i.e., permitted or required) purposes.
We do not agree that business associate contracts would necessarily
have complex terms or result in significant time and resource burdens.
The implementation specifications for business associate contracts set
forth in Sec. 164.504 are straightforward and clear. Nothing prohibits
covered entities from having standard contract forms which could
require little or no modification for many business associates.
In response to comments that the ``knew or should have known''
standard in the proposed rule was too vague or difficult to apply, and
concerns that we were asking too much of small entities in monitoring
the activities of much larger business associates, we have changed the
rule. Under the final rule, we put responsibility on the covered entity
to take action when it ``knew of a pattern of activity or practice of
the business associate that constituted, respectively, a material
breach or violation of the business associate's obligation under the
contract * * *'' This will preclude confusion about what a covered
entity `should have known.' We interpret the term ``knew'' to include
the situation where the covered entity has credible evidence of a
violation. Covered entities cannot avoid responsibility by
intentionally ignoring problems with their contractors. In addition, we
have eliminated the requirement that a covered entity actively monitor
and ensure protection by its business associates. However, a covered
entity must investigate credible evidence of a violation by a business
associate and act upon any such knowledge.
In response to the concern that the covered entity should not be
punished if it discovers an inappropriate disclosure by its business
associate, Sec. 164.504(e) provides that the covered entity is not in
compliance with the rule if it fails to take reasonable steps to cure
the breach or end the violation, while Sec. 164.530(f) requires the
covered entity to mitigate, to the extent practicable, any resultant
harm. The breach itself does not cause a violation of this rule.
Comment: Some commenters voiced support for the concept of business
partners. Moreover, some commenters urged that the rule apply directly
to those entities that act as business partners, by restricting
disclosures of protected health information after a covered entity has
disclosed it to a business partner.
Response: We are pleased that commenters supported the business
associate standard and we agree that there are advantages to
legislation that directly regulates most entities that use or disclose
protected health information. However, we reiterate that our
jurisdiction under the statute limits us to regulate only those covered
entities listed in Sec. 160.102.
Comment: Many commenters strongly opposed the provision in the
proposed rule requiring business partner contracts to state that
individuals whose protected health information is disclosed under the
contract are intended third party beneficiaries of the contract. Many
noted that HIPAA did not create a private right of action for
individuals to enforce a right to privacy of medical information, and
questioned the Secretary's authority to create such a right through
regulation. Others questioned whether the creation of such a right was
appropriate in light of the inability of Congress to reach consensus on
the question, and perceived the provision as a ``back door'' attempt to
create a right that Congress did not provide. Some commenters noted
that third party beneficiary law varies from state to state, and that a
third party beneficiary provision may be unenforceable in some states.
These commenters suggested that the complexity and variation of state
third party beneficiary law would increase cost and confusion with
limited privacy benefits.
Commenters predicted that the provision would result in a dramatic
increase in frivolous litigation, increased costs throughout the health
care system, and a chilling effect on the willingness of entities to
make authorized disclosures of protected information. Many commenters
predicted that fear of lawsuits by individuals would impede the flow of
communications necessary for the smooth operation of the health care
system, ultimately affecting quality of care. For example, some
predicted that the provision would inhibit providers from making
authorized disclosures that would improve care and reduce medical
errors. Others predicted that it would limit vendors' willingness to
support information systems requirements. One large employer stated
that the provision would create a substantial disincentive for
employers to sponsor group health plans. Another commenter noted that
the provision creates an anomaly in that individuals may have greater
recourse against business partners and covered entities that contract
with them than against covered entities acting alone.
However, some commenters strongly supported the concept of
providing individuals with a mechanism to enforce the provisions of the
rule, and considered the provision among the most important privacy
protections in the proposed rule.
Response: We eliminate the requirement that business associate
contracts contain a provision stating that individuals whose protected
health information is disclosed under the contract are intended third-
party beneficiaries of the contract.
We do not intend this change to affect existing laws regarding when
individuals may be third party beneficiaries of contracts. If existing
law allows individuals to claim third party beneficiary rights, or
prohibits them from doing so, we do not intend to affect those rules.
Rather, we intend to leave this matter to such other law.
Comment: Some commenters objected to the proposed rule's
requirement that the business partner must return or destroy all
protected health information received from the covered entity at the
termination of the business partner contract. Commenters argued that
business partners will need to maintain business records for legal and/
or financial auditing purposes, which would preclude the return or
destruction of the information. Moreover, they argued that computer
back-up files may contain protected health information, but business
partners cannot be expected to destroy entire electronic back-up files
just because part of the information that they contain is from a client
for whom they have completed work.
Response: We modify the proposed requirement that the business
associate must return or destroy all protected health information
received from the covered entity when the business associate contract
is terminated. Under the final rule, a business associate must return
or destroy all protected health information when the contract is
terminated if feasible and lawful. The business partner contract must
state that privacy protections continue after the contract ends, if
there is a need for the business associate to retain any of the
protected health information and for as long as the information is
retained. In addition, the permissible uses of information after
termination of the contract must be limited to those activities that
make return or destruction of the information not feasible.
Comment: Many commenters recommended that providers and plans be
excluded from the definition of ``business partner'' if they are
already governed by the rule as covered entities. Providers expressed
particular concern about the inclusion of physicians with hospital
privileges as business partners of the hospital, as each hospital would
[[Page 82642]]
be required to have written contracts with and monitor the privacy
practices of each physician with privileges, and each physician would
be required to do the same for the hospital. Another commenter argued
that consultations between covered entities for treatment or referral
purposes should not be subject to the business partner contracting
requirement.
Response: The final rule retains the general requirement that,
subject to the exceptions below, a covered entity must enter into a
business associate contract with another covered entity when one is
providing services to or acting on behalf of the other. We retain this
requirement because we believe that a covered entity that is a business
associate should be restricted from using or disclosing the protected
health information it creates or receives through its business
associate function for any purposes other than those that are
explicitly detailed in its contract.
However, the final rule expands the proposed exception for
disclosures of protected health information by a covered health care
provider to another health care provider. The final rule allows such
disclosures without a business associate contract for any activities
that fall under the definition of ``treatment.'' We agree with the
commenter that the administrative burdens of requiring contracts in
staff privileges arrangements would not be outweighed by any potential
privacy enhancements from such a requirement. Although the exception
for disclosure of protected health information for treatment could be
sufficient to relieve physicians and hospitals of the contract
requirement, we also believe that this arrangement does not meet the
true meaning of ``business associate,'' because both the hospital and
physician are providing services to the patient, not to each other. We
therefore also add an exception to Sec. 164.502(e)(1) that explicitly
states that a contract is not required when the association involves a
health care facility and another health care provider with privileges
at that facility, if the purpose is providing health care to the
individual. We have also added other exceptions in
Sec. 164.502(e)(1)(ii) to the requirement to obtain ``satisfactory
assurances'' under Sec. 164.502(e)(1)(i). We do not require a business
associate arrangement between group health plans and their plan
sponsors because other, albeit analogous, requirements apply under
Sec. 164.504(f) that are more tailored to the specifics of that legal
relationship. We do not require business associate arrangements between
government health plans providing public benefits and other agencies
conducting certain functions for the health plan, because these
arrangements are typically very constrained by other law.
Comment: Many commenters expressed concern that required contracts
for federal agencies would adversely affect oversight activities,
including investigations and audits. Some health plan commenters were
concerned that if HMOs are business partners of an employer then the
employer would have a right to all personal health information
collected by the HMO. A commenter wanted to be sure that authorization
would not be required for accreditation agencies to access information.
A large manufacturing company wanted to make sure that business
associate contracts were not required between affiliates and a parent
corporation that provides administrative services for a sponsored
health plan. Attorney commenters asserted that a business partner
contract would undermine the attorney/client relationship, interfere
with attorney/client privilege, and was not necessary to protect client
confidences. A software vendor wanted to be excluded because the
requirements for contracts were burdensome and government oversight
intrusive. Some argued that because the primary purpose of medical
device manufacturers is supplying devices, not patient care, they
should be excluded.
Response: We clarify in the above discussion of the definition of
``business associate'' that a health insurance issuer or an HMO
providing health insurance or health coverage to a group health plan
does not become a business associate simply by providing health
insurance or health coverage. The health insurance issuer or HMO may
perform additional functions or activities or provide additional
services, however, that would give rise to a business associate
relationship. However, even when an health insurance issuer or HMO acts
as a business associate of a group health plan, the group health plan
has no right of access to the other protected health information
maintained by the health insurance issuer or HMO. The business
associate contract must constrain the uses and disclosures of protected
health information obtained by the business associate through the
relationship, but does not give the covered entity any right to request
the business associate to disclose protected health information that it
maintains outside of the business associate relationship to the group
health plan. Under HIPAA, employers are not covered entities, so a
health insurance issuer or HMO cannot act as a business associate of an
employer. See Sec. 164.504(f) with respect to disclosures to plan
sponsors from a group health plan or health insurance issuer or HMO
with respect to a group health plan.
With respect to attorneys generally, the reasons the commenters put
forward to exempt attorneys from this requirement were not persuasive.
The business associate requirements will not prevent attorneys from
disclosing protected health information as necessary to find and
prepare witness, nor from doing their work generally, because the
business associate contract can allow disclosures for these purposes.
We do not require business associate contracts to identify each
disclosure to be made by the business associate; these disclosures can
be identified by type or purpose. We believe covered entities and their
attorneys can craft agreements that will allow for uses and disclosures
of protected health information as necessary for these activities. The
requirement for a business associate contract does not interfere with
the attorney-client relationship, nor does it override professional
judgement of business associates regarding the protected health
information they need to discharge their responsibilities. We do not
require covered entities to second guess their professional business
associates' reasonable requests to use or disclose protected health
information in the course of the relationship.
The attorney-client privilege covers only a small portion of
information provided to attorneys and so is not a substitute for this
requirement. More important, attorney-client privilege belongs to the
client, in this case the covered entity, and not to the individual who
is the subject of the information. The business associate requirements
are intended to protect the subject of the information.
With regard to government attorneys and other government agencies,
we recognize that federal and other law often does not allow standard
legal contracts among governmental entities, but instead requires
agreements to be made through the Economy Act or other mechanisms;
these are generally reflected in a memorandum of understanding (MOU).
We therefore modify the proposed requirements to allow government
agencies to meet the required ``satisfactory assurance'' through such
MOUs that contain the same provisions required of business associate
contracts. As discussed elsewhere, we believe that direct regulation of
entities receiving protected health information can be as or more
effective in protecting health
[[Page 82643]]
information as contracts. We therefore also allow government agencies
to meet the required ``satisfactory assurances'' if law or regulations
impose requirements on business associates consistent with the
requirements specified for business associate contracts.
We do not believe that the requirement to have a business associate
contract with agencies that are performing the specified services for
the covered entity or undertaking functions or activities on its behalf
undermines the government functions being performed. A business
associate arrangement requires the business associate to maintain the
confidentiality of the protected health information and generally to
use and disclose the information only for the purposes for which it was
provided. This does not undermine government functions. We have
exempted from the business associate requirement certain situations in
which the law has created joint uses or custody over health
information, such as when law requires another government agency to
determine the eligibility for enrollment in a covered health plan. In
such cases, information is generally shared across a number of
government programs to determine eligibility, and often is jointly
maintained. We also clarify that health oversight activities do not
give rise to a business associate relationship, and that protected
health information may be disclosed by a covered entity to a health
oversight agency pursuant to Sec. 164.512(d).
We clarify for purposes of the final rule that accreditation
agencies are business associates of a covered entity and are explicitly
included within the definition. During accreditation, covered entities
disclose substantial amounts of protected health information to other
private persons. A business associate contract basically requires the
business associate to maintain the confidentiality of the protected
health information that it receives and generally to use and disclose
such information for the purposes for which it was provided. As with
attorneys, we believe that requiring a business associate contract in
this instance provides substantial additional privacy protection
without interfering with the functions that are being provided by the
business associate.
With regard to affiliates, Sec. 164.504(d) permits affiliates to
designate themselves as a single covered entity for purposes of this
rule. (See Sec. 164.504(d) for specific organizational requirements.)
Affiliates that choose to designate themselves as a single covered
entity for purposes of this rule will not need business associate
contracts to share protected health information. Absent such
designation, affiliates are business associates of the covered entity
if they perform a function or service for the covered entity that
necessitates the use or disclosure of protected health information.
Software vendors are business associates if they perform functions
or activities on behalf of, or provide specified services to, a covered
entity. The mere provision of software to a covered entity would not
appear to give rise to a business associate relationship, although if
the vendor needs access to the protected health information of the
covered entity to assist with data management or to perform functions
or activities on the covered entity's behalf, the vendor would be a
business associate. We note that when an employee of a contractor, like
a software or IT vendor, has his or her primary duty station on-site at
a covered entity, the covered entity may choose to treat the employee
of the vendor as a member of the covered entity's workforce, rather
than as a business associate. See the preamble discussion to the
definition of workforce, Sec. 160.103.
With regard to medical device manufacturers, we clarify that a
device manufacturer that provides ``health care'' consistent with the
rule's definition, including being a ``supplier'' under the Medicare
program, is a health care provider under the final rule. We do not
require a business associate contract when protected health information
is shared among health care providers for treatment purposes. However,
a device manufacturer that does not provide ``health care'' must be a
business associate of a covered entity if that manufacturer receives or
creates protected health information in the performance of functions or
activities on behalf of, or the provision of specified services to, a
covered entity.
As to financial institutions, they are business associates under
this rule when they conduct activities that cause them to meet the
definition of business associate. See the preamble discussion of the
definition of ``payment'' in Sec. 164.501, for an explanation of
activities of a financial institution that do not require it to have a
business associated contract.
Disease managers may be health care providers or health plans, if
they otherwise meet the respective definitions and perform disease
management activities on their own behalf. However, such persons may
also be business associates if they perform disease management
functions or services for a covered entity.
Comment: Other commenters recommended that certain entities be
included within the definition of ``business partner,'' such as
transcription services; employee representatives; in vitro diagnostic
manufacturers; private state and comparative health data organizations;
state hospital associations; warehouses; ``whistleblowers,'' credit
card companies that deal with health billing; and patients.
Response: We do not list all the types of entities that are
business associates, because whether an entity is a business associate
depends on what the entity does, not what the entity is. That is, this
is a definition based on function; any entity performing the function
described in the definition is a business associate. Using one of the
commenters' examples, a state hospital association may be a business
associate if it performs a service for a covered entity for which
protected health information is required. It is not a business
associate by virtue of the fact that it is a hospital association, but
by virtue of the service it is performing.
Comment: A few commenters urged that certain entities, i.e.,
collection agencies and case managers, be business partners rather than
covered entities for purposes of this rule.
Response: Collection agencies and case managers are business
associates to the extent that they provide specified services to or
perform functions or activities on behalf of a covered entity. A
collection agency is not a covered entity for purposes of this rule.
However, a case manager may be a covered entity because, depending on
the case manager's activities, the person may meet the definition of
either a health care provider or a health plan. See definitions of
``health care provider'' and ``health plan'' in Sec. 164.501.
Comment: Several commenters complained that the proposed HIPAA
security regulation and privacy regulation were inconsistent with
regard to business partners.
Response: We will conform these policies in the final Security
Rule.
Comment: One commenter expressed concern that the proposal appeared
to give covered entities the power to limit by contract the ability of
their business partners to disclose protected health information
obtained from the covered entity regardless of whether the disclosure
was permitted under proposed Sec. 164.510, ``Uses and disclosures for
which individual authorization is not required'' (Sec. 164.512 in the
final rule). Therefore, the commenter argued that the covered
[[Page 82644]]
entity could prevent the business partner from disclosing protected
health information to oversight agencies or law enforcement by omitting
them from the authorized disclosures in the contract.
In addition, the commenter expressed concern that the proposal did
not authorize business partners and their employees to engage in
whistleblowing. The commenter concluded that this omission was
unintended since the proposal's provision at proposed
Sec. 164.518(c)(4) relieved the covered entity, covered entity's
employees, business partner, and the business partner's employees from
liability for disclosing protected health information to law
enforcement and to health oversight agencies when reporting improper
activities, but failed to specifically authorize business partners and
their employees to engage in whistleblowing in proposed
Sec. 164.510(f), ``Disclosures for law enforcement.''
Response: Under our statutory authority, we cannot directly
regulate entities that are not covered entities; thus, we cannot
regulate most business associates, or `authorize' them to use or
disclose protected health information. We agree with the result sought
by the commenter, and accomplish it by ensuring that such whistle
blowing disclosures by business associates and others do not constitute
a violation of this rule on the part of the covered entity.
Comment: Some commenters suggested that the need to terminate
contracts that had been breached would be particularly problematic when
the contracts were with single-source business partners used by health
care providers. For example, one commenter explained that when the
Department awards single-source contracts, such as to a Medicare
carrier acting as a fiscal intermediary that then becomes a business
partner of a health care provider, the physician is left with no viable
alternative if required to terminate the contract.
Response: In most cases, we expect that there will be other
entities that could be retained by the covered entity as a business
associate to carry out those functions on its behalf or provide the
necessary services. We agree that under certain circumstances, however,
it may not be possible for a covered entity to terminate a contract
with a business associate. Accordingly, although the rule still
generally requires a covered entity to terminate a contract if steps to
cure such a material breach fail, it also allows an exception to this
to accommodate those infrequent circumstances where there simply are no
viable alternatives to continuing a contract with that particular
business associate. It does not mean, however, that the covered entity
can choose to continue the contract with a non-compliant business
associate merely because it is more convenient or less costly than
doing business with other potential business associates. We also
require that if a covered entity determines that it is not feasible to
terminate a non-compliant business associate, the covered entity must
notify the Secretary.
Comment: Another commenter argued that having to renegotiate every
existing contract within the 2-year implementation window so a covered
entity can attest to ``satisfactory assurance'' that its business
partner will appropriately safeguard protected health information is
not practical.
Response: The 2-year implementation period is statutorily required
under section 1175(b) of the Act. Further, we believe that two years
provides adequate time to come into compliance with the regulation.
Comment: A commenter recommended that the business partner contract
specifically address the issue of data mining because of its increasing
prevalence within and outside the health care industry.
Response: We agree that protected health information should only be
used by business associates for the purposes identified in the business
associate contract. We address the issue of data mining by requiring
that the business associate contract explicitly identify the uses or
disclosures that the business associate is permitted to make with the
protected health information. Aside from disclosures for data
aggregation and business associate management, the business associate
contract cannot authorize any uses or disclosures that the covered
entity itself cannot make. Therefore, data mining by the business
associate for any purpose not specified in the contract is a violation
of the contract and grounds for termination of the contract by the
covered entity.
Comment: One commenter stated that the rule needs to provide the
ability to contract with persons and organizations to complete clinical
studies, provide clinical expertise, and increase access to experts and
quality of care.
Response: We agree, and do not prohibit covered entities from
sharing protected health information under a business associate
contract for these purposes.
Comment: A commenter requested clarification as to whether sister
agencies are considered business partners when working together.
Response: It is unclear from the comment whether the ``sister
agencies'' are components of a larger entity, are affiliated entities,
or are otherwise linked. Requirements regarding sharing protected
health information among affiliates and components are found in
Sec. 164.504.
Comment: One commenter stated that some union contracts specify
that the employer and employees jointly conduct patient quality of care
reviews. The commenter requested clarification as to whether this
arrangement made the employee a business partner.
Response: An employee organization that agrees to perform quality
assurance for a group health plan meets the definition of a business
associate. We note that the employee representatives acting on behalf
of the employee organization would be performing the functions of the
organization, and the employee organization would be responsible under
the business associate contract to ensure that the representatives
abided by the restrictions and conditions of the contract. If the
employee organization is a plan sponsor of the group health plan, the
similar provisions of Sec. 164.504(f) would apply instead of the
business associate requirements. See Sec. 164.502(e)(1).
Comment: Some commenters supported regulating employers as business
partners of the health plan. These commenters believed that this
approach provided flexibility by giving employers access to information
when necessary while still holding employers accountable for improper
use of the information. Many commenters, however, stressed that this
approach would turn the relationship between employers, employees and
other agents ``on its head'' by making the employer subordinate to its
agents. In addition, several commenters objected to the business
partner approach because they alleged it would place employers at risk
for greater liability.
Response: We do not require a business associate contract for
disclosure of protected health information from group health plans to
employers. We do, however, put other conditions on the disclosure of
protected health information from group health plans to employers who
sponsor the plan. See further discussion in Sec. 164.504 on disclosure
of protected health information to employers.
Comment: One commenter expressed concern that the regulation would
discourage organizations from participating with Planned Parenthood
since pro bono and volunteer services may have no contract signed.
[[Page 82645]]
Response: We design the rule's requirements with respect to
volunteers and pro bono services to allow flexibility to the covered
entity so as not to disturb these arrangements. Specifically, when such
volunteers work on the premises of the covered entity, the covered
entity may choose to treat them as members of the covered entity's
workforce or as business associates. See the definitions of business
associate and workforce in Sec. 160.103. If the volunteer performs its
work off-site and needs protected health information, a business
associate arrangement will be required. In this instance, where
protected health information leaves the premises of the covered entity,
privacy concerns are heightened and it is reasonable to require an
agreement to protect the information. We believe that pro bono
contractors will easily develop standard contracts to allow those
activities to continue smoothly while protecting the health information
that is shared.
Section 164.504(f)--Group Health Plans
Comment: Several commenters interpreted the preamble in the
proposed rule to mean that only self-insured group health plans were
covered entities. Another commenter suggested there was an error in the
definition of group health plans because it only included plans with
more than 50 participants or plans administered by an entity other than
the employer (emphasis added by commenter). This commenter believed the
``or'' should be an ``and'' because almost all plans under 50 are
administered by another entity and therefore this definition does not
exclude most small plans.
Response: We did not intend to imply that only self-insured group
health plans are covered health plans. We clarify that all group health
plans, both self-insured and fully-funded, with 50 or more participants
are covered entities, and that group health plans with fewer than 50
participants are covered health plans if they are administered by
another entity. While we agree with the commenter that few group health
plans with fewer than 50 participants are self-administered, the ``or''
is dictated by the statute. Therefore, the statute only exempts group
health plans with fewer than 50 participants that are not administered
by an entity other than the employer.
Comment: Several commenters stated that the proposed rule mis-
characterized the relationship between the employer and the group
health plan. The commenters stated that under ERISA and the Internal
Revenue Code group health plans are separate legal entities from their
employer sponsors. The group health plan itself, however, generally
does not have any employees. Most operations of the group health plan
are contracted out to other entities or are carried out by employees of
the employer who sponsors the plan. The commenters stressed that while
group health plans are clearly covered entities, the Department does
not have the statutory authority to cover employers or other entities
that sponsor group health plans. In contrast, many commenters stated
that without covering employers, meaningful privacy protection is
unattainable.
Response: We agree that group health plans are separate legal
entities from their plan sponsors and that the group health plan itself
may be operated by employees of the plan sponsor. We make significant
modification to the proposed rule to better reflect this reality. We
design the requirements in the final regulation to use the existing
regulatory tools provided by ERISA, such as the plan documents required
by that law and the constellation of plan administration functions
defined by that law that established and maintain the group health
plan.
We recognize plan sponsors' legitimate need for health information
in certain situations while, at the same time, protecting health
information from being used for employment-related functions or for
other functions related to other employee benefit plans or other
benefits provided by the plan sponsor. We do not attempt to directly
regulate plan sponsors, but pursuant to our authority to regulate
health plans, we place restrictions on the flow of information from
covered entities to non-covered entities. The final rule permits group
health plans to disclose protected health information to plan sponsors,
and allows them to authorize health insurance issuers or HMOs to
disclose protected health information to plan sponsors, if the plan
sponsors agree to use and disclose the information only as permitted or
required by the regulation. The information may be used only for plan
administration functions performed on behalf of the group health plan
and specified in the plan documents. Hereafter, any reference to
employer in a response to a comment uses the term ``plan sponsor,''
since employers can only receive protected health information in their
role as plan sponsors, except as otherwise permitted under this rule,
such as with an authorization.
Specifically, in order for a plan sponsor to obtain without
authorization protected health information from a group health plan,
health insurance issuer, or HMO, the documents under which the group
health plan was established and is maintained must be amended to: (1)
Describe the permitted uses and disclosures of protected health
information by the plan sponsor (see above for further explanation);
(2) specify that disclosure is permitted only upon receipt of a written
certification that the plan documents have been amended; and (3)
provide adequate firewalls. The firewalls must identify the employees
or classes of employees or other persons under the plan sponsor's
control who will have access to protected health information; restrict
access to only the employees identified and only for the administrative
functions performed on behalf of the group health plan; and provide a
mechanism for resolving issues of noncompliance by the employees
identified. Any employee of the plan sponsor who receives protected
health information in connection with the group health plan must be
included in the amendment to the plan documents. As required by ERISA,
the named fiduciary is responsible for ensuring the accuracy of
amendments to the plan documents.
Group health plans, and health insurance issuers or HMOs with
respect to the group health plan, that disclose protected health
information to plan sponsors are bound by the minimum necessary
standard as described in Sec. 164.514.
Group health plans, to the extent they provide health benefits only
through an insurance contract with a health insurance issuer or HMO and
do not create, receive, or maintain protected health information
(except for summary information or enrollment and disenrollment
information), are not required to comply with the requirements of
Secs. 164.520 or 164.530, except for the documentation requirements of
Sec. 164.530(j). In addition, because the group health plan does not
have access to protected health information, the requirements of
Secs. 164.524, 164.526, and 164.528 are not applicable. Individuals
enrolled in a group health plan that provides benefits only through an
insurance contract with a health insurance issuer or HMO would have
access to all rights provided by this regulation through the health
insurance issuer or HMO, because they are covered entities in their own
right.
Comment: We received several comments from self-insured plans who
stated that the proposed rule did not fully appreciate the dual nature
of an employer as a plan sponsor and as a insurer. These commenters
stated that
[[Page 82646]]
the regulation should have an exception for employers who are also
insurers.
Response: We believe the approach we have taken in the final rule
recognizes the special relationship between plan sponsors and group
health plans, including group health plans that provide benefits
through a self-insured arrangement. The final rule allows plan sponsors
and employees of plan sponsors access to protected health information
for purposes of plan administration. The group health plan is bound by
the permitted uses and disclosures of the regulation, but may disclose
protected health information to plan sponsors under certain
circumstances. To the extent that group health plans do not provide
health benefits through an insurance contract, they are required to
establish a privacy officer and provide training to employees who have
access to protected health information, as well as meet the other
applicable requirements of the regulation.
Comment: Some commenters supported our position not to require
individual consent for employers to have access to protected health
information for purposes of treatment, payment, and health care
operations. For employer sponsored insurance to continue to exist as it
does today, the commenters stressed, this policy is essential. Other
commenters encouraged the Department to amend the regulation to require
authorization for disclosure of information to employers. These
commenters stressed that because the employer was not a covered entity,
individual consent is the only way to prohibit potential abuses of
information.
Response: In the final regulation, we maintain the position in the
proposed rule that a health plan, including a group health plan, need
not obtain individual consent for use and disclosure of protected
health information for treatment, payment and or health care operations
purposes. However, we impose conditions (described above) for making
such disclosures to the plan sponsor. Because employees of the plan
sponsor often perform health care operations and payment (e.g. plan
administration) functions, such as claims payment, quality review, and
auditing, they may have legitimate need for such information. Requiring
authorization from every participant in the plan could make such
fundamental plan administration activities impossible. We therefore
impose regulatory restrictions, rather than a consent requirement, to
prevent abuses. For example, the plan sponsor must certify that any
protected health information obtained by its employees through such
plan administration activities will not be used for employment-related
decisions.
Comment: Several commenters stressed that the regulation must
require the establishment of firewalls between group health plans and
employers. These commenters stated that firewalls were necessary to
prevent the employer from accessing information improperly and using it
in making job placements, promotions, and firing decisions. In
addition, one commenter stated that employees with access to protected
health information must be empowered through this regulation to deny
unauthorized access to protected health information to corporate
managers and executives.
Response: We agree with the commenters that firewalls are necessary
to prevent unauthorized use and disclosure of protected health
information. Among the conditions for group health plans to disclose
information to plan sponsors, the plan sponsor must establish firewalls
to prevent unauthorized uses and disclosures of information. The
firewalls include: describing the employees or classes of employees
with access to protected health information; restricting access to and
use of the protected health information to the plan administration
functions performed on behalf of the group health plan and described in
plan documents; and providing an effective mechanism for resolving
issues of noncompliance.
Comment: Several commenters supported our proposal to cover the
health care component of an employer in its capacity as an
administrator of the group health plan. These commenters felt the
component approach was necessary to prevent the disclosure of protected
health information to other parts of the employer where it might be
used or disclosed improperly. Other commenters believed the component
approach was unworkable and that distinguishing who was in the covered
entity would not be as easy as assumed in the proposed rule. One
commenter stated it was unreasonable for an employer to go through its
workforce division by division and employee by employee designating who
is included in the component and who is not. In addition, some
commenters argued that we did not have the statutory authority to
regulate employers at all, including their health care components.
One commenter requested more guidance with respect to identifying
the health care component as proposed under the proposed rule. In
particular, the commenter requested that the regulation clearly define
how to identify such persons and what activities and functional areas
may be included. The commenter alleged that identification of persons
needing access to protected health information will be administratively
burdensome. Another commenter requested clarification on distinguishing
the component entity from non-component entities within an organization
and how to administer such relationships. The commenter stated that
individuals included in the covered entity could change on a daily
basis and advocated for a simpler set of rules governing intra-
organizational relationships as opposed to inter-organizational
relationships.
Response: While we have not adopted the component approach for plan
sponsors in the final rule, plan sponsors who want protected health
information must still identify who in the organization will have
access to the information. Several of the changes we make to the NPRM
will make this designation easier. First, we move from ``component'' to
a more familiar functional approach. We limit the employees of the plan
sponsor who may receive protected health information to those employees
performing plan administration functions, as that term is understood
with respect to ERISA compliance, and as limited by this rule's
definitions of payment and health care operation. We also allow
designation of a class of employees (e.g., all employees assigned to a
particular department) or individual employees.
Although some commenters have asked for guidance, we have
intentionally left the process flexible to accommodate different
organizational structures. Plan sponsors may identify who will have
access to protected health information in whatever way best reflects
their business needs as long as participants can reasonably identify
who will have access. For example, persons may be identified by naming
individuals, job titles (e.g. Director of Human Resources), functions
(e.g. employees with oversight responsibility for the outside third
party claims administrator), divisions of the company (e.g. Employee
Benefits) or other entities related to the plan sponsor. We believe
this flexibility will also ease any administrative burden that may
result from the identification process. Identification in terms such as
``individuals who from time to time may need access to protected health
information'' or in other broad or generic ways, however, would not be
sufficient.
Comment: In addition to the comments on the component approach
itself, several commenters pointed out
[[Page 82647]]
that many employees wear two hats in the organization, one for the
group health plan and one for the employer. The commenters stressed
that these employees should not be regulated when they are performing
group health plan functions. This arrangement is necessary,
particularly in small employers where the plan fiduciary may also be in
charge of other human resources functions. The commenter recommended
that employees be allowed access to information when necessary to
perform health plan functions while prohibiting them from using the
information for non-health plan functions.
Response: We agree with the commenters that many employees perform
multiple functions in an organization and we design these provisions
specifically to accommodate this way of conducting business. Under the
approach taken in the final regulation, employees who perform multiple
functions (i.e. group health plan and employment-related functions) may
receive protected health information from group health plans, but among
other things, the plan documents must certify that these employees will
not use the information for activities not otherwise permitted by this
rule including for employment-related activities.
Comment: Several commenters pointed out that the amount of access
needed to protected health information varies greatly from employer to
employer. Some employers may perform many plan administration functions
themselves which are not possible without access to protected health
information. Other employers may simply offer health insurance by
paying a premium to a health insurance issuer rather than provide or
administer health benefits themselves. Some commenters argued that
fully insured plans should not be covered under the rule. Similarly,
some commenters argued that the regulation was overly burdensome on
small employers, most of whom fully insure their group health plans.
Other commenters pointed out that health insurance issuers--even in
fully insured arrangements--are often asked for identifiable health
information, sometimes for legitimate purposes such as auditing or
quality assurance, but sometimes not. One commenter, representing an
insurer, gave several examples of employer requests, including claims
reports for employees, individual and aggregate amounts paid for
employees, identity of employees using certain drugs, and the identity,
diagnosis and anticipated future costs for ``high cost'' employees.
This same commenter requested guidance in what types of information can
be released to employers to help them determine the organization's
responsibilities and liabilities.
Response: In the final regulation we recognize the diversity in
plan sponsors' need for protected health information. Many plan
sponsors need access to protected health information to perform plan
administration functions, including eligibility and enrollment
functions, quality assurance, claims processing, auditing, monitoring,
trend analysis, and management of carve-out plans (such as vision and
dental plans). In the final regulation we allow group health plans to
disclose protected health information to plan sponsors if the plan
sponsor voluntarily agrees to use the information only in accordance
with the purposes stated in the plan documents and as permitted by the
regulation. We clarify, however, that plan administration does not
include any employment-related decisions, including fitness for duty
determinations, or duties related to other employee benefits or plans.
Plan documents may only permit health insurance issuers to disclose
protected health information to a plan sponsor as is otherwise
permitted under this rule and consistent with the minimum necessary
standard.
Some plan sponsors, including those with a fully insured group
health plan, do not perform plan administration functions on behalf of
group health plans, but still may require health information for other
purposes, such as modifying, amending or terminating the plan or
soliciting bids from prospective issuers or HMOs. In the ERISA context
actions undertaken to modify, amend or terminate a group health plan
may be known as ``settlor'' functions (see Lockheed Corp. v. Spink, 517
U.S. 882 (1996)). For example, a plan sponsor may require access to
information to evaluate whether to adopt a three-tiered drug formulary.
Additionally, a prospective health insurance issuer may need claims
information from a plan sponsor in order to provide rating information.
The final rule permits plan sponsors to receive summary health
information with identifiers removed in order to carry out such
functions. Summary health information is information that summarizes
the claims history, expenses, or types of claims by individuals
enrolled in the group health plan. In addition, the identifiers listed
in Sec. 164.514(b)(2)(i) must be removed prior to disclosing the
information to a plan sponsor for purposes of modifying, amending, or
terminating the plan. See Sec. 164.504(a). This information does not
constitute de-identified information because there may be a reasonable
basis to believe the information is identifiable to the plan sponsor,
especially if the number of participants in the group health plan is
small. A group health plan, however, may not permit an issuer or HMO to
disclose protected health information to a plan sponsor unless the
requirement in Sec. 164.520 states that this disclosure may occur.
Comment: Several commenters stated that health insurance issuers
cannot be held responsible for employers' use of protected health
information. They stated that the issuer is the agent of the employer
and it should not be required to monitor the employer's use and
disclosure of information.
Response: Under this regulation, health insurance issuers are
covered entities and responsible for their own uses and disclosures of
protected health information. A group health plan must require a health
insurance issuer or HMO providing coverage to the group health plan to
disclose information to the plan sponsor only as provided in the plan
documents.
Comment: Several commenters urged us to require de-identified
information to be used to the greatest extent possible when information
is being shared with employers.
Response: De-identified information is not sufficient for many
functions plan sponsors perform on behalf of their group health plans.
We have created a process to allow plan sponsors and their employees
access to protected health information when necessary to administer the
plan. We note that all uses and disclosures of protected health
information by the group health plan are bound by the minimum necessary
standard.
Comment: One commenter representing church plans argued that the
regulation should treat such plans differently from other group health
plans. The commenter was concerned about the level of access to
information the Secretary would have in performing compliance reviews
and suggested that a higher degree of sensitivity is need for
information related to church plans than information related to other
group health plans. This sensitivity is needed, the commenter alleged,
to reduce unnecessary intrusion into church operations. The commenter
also advocated that church plans found to be out of compliance should
be able to self-correct within a stated time frame (270 days) and avoid
paying penalty taxes as allowed in the Internal Revenue Code.
Response: We do not believe there is sufficient reason to treat
church plans differently than other covered entities.
[[Page 82648]]
The intent of the compliance reviews is to determine whether or not the
plan is abiding by the regulation, not to gather information on the
general operations of the church. As required by Sec. 160.310(c), the
covered entity must provide access only to information that is
pertinent to ascertaining compliance with part 160 or subpart E of 164.
Comment: Several commenters stated that employers often advocate on
behalf of their employees in benefit disputes and appeals, answer
questions with regard to the health plan, and generally help them
navigate their health benefits. These commenters questioned whether
this type of assistance would be allowed under the regulation, whether
individual consent was required, and whether this intervention would
make them a covered entity.
Response: The final rule does nothing to hinder or prohibit plan
sponsors from advocating on behalf of group health plan participants or
providing assistance in understanding their health plan. Under the
privacy rule, however, the plan sponsor could not obtain any
information from the group health plan or a covered provider unless
authorization was given. We do not believe obtaining authorization when
advocating or providing assistance will be impractical or burdensome
since the individual is requesting assistance and therefore should be
willing to provide authorization. Advocating on behalf of participants
or providing other assistance does not make the plan sponsor a covered
entity.
Section 164.506--Consent for Treatment, Payment, and Health Care
Operations
Comment: Many commenters supported regulatory authorization for
treatment, payment, and health care operations. In particular, health
plans, employers, and institutional providers supported the use of
regulatory authorization for treatment, payment, and health care
operations.
In contrast, a large number of commenters, particularly health care
professionals, patients, and patient advocates, suggested that consent
for treatment, payment, and health care operations should be required.
Many commenters supported the use of consent for treatment, payment,
and health care operations, considering this a requirement for
maintaining the integrity of the health care system. Some commenters
made a distinction between requiring and permitting providers to obtain
consent.
Commenters nearly uniformly agreed that covered health care
providers, health plans, and clearinghouses should not be prohibited
from seeking authorization for treatment, payment, and health care
operations. Some commenters stated that the prohibition against
obtaining an authorization goes against professional ethics, undermines
the patient-provider relationship, and is contrary to current industry
practice.
Some commenters specifically noted the primacy of the doctor-
patient relationship regarding consent. In general, commenters
recommended that individually identifiable health information not be
released by doctors without patient consent. A few commenters stated
that prohibiting health care providers from obtaining consent could
cause the patient to become suspicious and distrustful of the health
care provider. Other commenters believed that clinicians have the
responsibility for making sure that patients are fully informed about
the consequences of releasing information. A few commented that the
process of obtaining consent provided an opportunity for the patient
and provider to negotiate the use and disclosure of patient
information.
Commenters discussed how, when, and by whom consent should be
sought. For example, some commenters viewed a visit between a health
care provider and patient as the appropriate place for consent to be
discussed and obtained. While others did not necessarily dispute the
appropriateness of health care providers obtaining consent for uses and
disclosures of protected health information from individuals, some said
that it was appropriate for health plans to be permitted to obtain
consent.
Response: In the NPRM we stated our concern that the blanket
consents that individuals sign today provide these individuals with
neither notice nor control over how their information is to be used.
While we retain those concerns, we also understand that for many who
participate in the health care system, the acts of providing and
obtaining consent represent important values that these parties wish to
retain. Many individuals argued that providing consent enhances their
control; many advocates argued that the act of consent focuses patient
attention on the transaction; and many health care providers argued
that obtaining consent is part of ethical behavior.
The final rule amends our proposed approach and requires most
covered health care providers to obtain a consent from their patients
to use or disclose protected health information for treatment, payment,
and health care operations. Providers who have an indirect treatment
relationship with the patient, as defined in Sec. 164.501, cannot be
expected to have an opportunity to obtain consent and may continue to
rely on regulatory authorization for their uses and disclosures for
these purposes.
As described in the comments, it is the relationship between the
health care provider and the patient that is the basis for many
decisions about uses and disclosures of protected health information.
Much of the individually identifiable health information that is the
subject of this rule is created when a patient interacts with a health
care provider. By requiring covered providers to obtain consent for
treatment, payment, and health care operations, the individual will
have appropriate opportunity to consider the appropriate uses and
disclosures of his or her protected health information. We also require
that the consent contain a reference to the provider's notice, which
contains a more detailed description of the provider's practices
relating to uses and disclosures of protected health information. This
combination provides the basis for an individual to have an informed
conversation with his or her provider and to request restrictions.
It is our understanding that it is common practice for providers to
obtain consent for this type of information-sharing today. Many
providers and provider organizations stated that they are ethically
obligated to obtain the patient's consent and that it is their practice
to do so. A 1998 study by Merz, et al, published in the Journal of Law,
Medicine and Ethics examined hospital consent forms regarding
disclosure of medical information.\8\ They found that 97% of all
hospitals seek consent for the release of information for payment
purposes; 45% seek consent for disclosure for utilization review, peer
review, quality assurance, and/or prospective review; and 50% seek
consent for disclosure to providers, other health care facilities, or
others for continuity of care purposes. All of these activities fall
within our definitions of treatment, payment, or health care
operations.
---------------------------------------------------------------------------
\8\ J. Merz, P. Sankar, S.S. Yoo, ``Hospital Consent for
Disclosure of Medical Records,'' Journal of Law, Medicine & Ethics,
26 (1998): 241-248.
---------------------------------------------------------------------------
In the final rule we have not required that health plans or health
care clearinghouses obtain consent for their uses and disclosures of
protected health information for treatment, payment, or health care
operations. The rationale underlying the consent requirements for uses
and disclosures by health care providers do not pertain to health plans
and health care clearinghouses. First, current practice is varied, and
there is little history of health plans obtaining
[[Page 82649]]
consent relating to their own information practices unless required to
do so by some other law. This is reflected in the public comments, in
which most health plans supported the regulatory authorization approach
proposed in the NPRM. Further, unlike many health care providers,
health plans did not maintain that they were ethically obligated to
seek the consent of their patients for their use and disclosure
activities. Finally, it is the unique relationship between an
individual and his or her health care provider that provides the
foundation for a meaningful consent process. Requiring that consent
process between an individual and a health plan or clearinghouse, when
no such unique relationship exists, we believe is not necessary.
Unlike their relationship with health care providers, individuals
in most instances do not have a direct opportunity to engage in a
discussion with a health plan or clearinghouse at the time that they
enter into a relationship with those entities. Most individuals choose
a health plan through their employer and often sign up through their
employer without any direct contact with the health plan. We concluded
that providing for a signed consent in such a circumstance would add
little to the proposed approach, which would have required health plans
to provide a detailed notice to their enrollees. In the final rule, we
also clarify that an individual can request a restriction from a health
plan or health care clearinghouse. Since individuals rarely if ever
have any direct contact with clearinghouses, we concluded that
requiring a signed consent would have virtually no effect beyond the
provision of the notice and the opportunity to request restrictions.
We agree with the comments we received objecting to the provision
prohibiting covered entities from obtaining consent from individuals.
As discussed above, in the final rule we require covered health care
providers with direct treatment relationships to obtain consent to use
or disclose protected health information for treatment, payment, and
health care operations. In addition, we have eliminated the provision
prohibiting other covered entities from obtaining such consents. We
note that the consents that covered entities are permitted to obtain
relate to their own uses and disclosures of protected health
information for treatment, payment, and health care operations and not
to the practices of others. If a covered entity wants to obtain the
individual's permission to receive protected health information from
another covered entity, it must do so using an authorization under
Sec. 164.508.
``Consent'' versus ``Authorization''
Comment: In general, commenters did not distinguish between
``consent'' and ``authorization.'' Commenters used both terms to refer
to the individual's giving permission for the use and disclosure of
protected health information by any entity.
Response: In the final rule we have made an important distinction
between consent and authorization. Under the final rule, we refer to
the process by which a covered entity seeks agreement from an
individual regarding how it will use and disclose the individual's
protected health information for treatment, payment, and health care
operations as ``consent.'' The provisions in the final rule relating to
consent are largely contained in Sec. 164.506. The process by which a
covered entity seeks agreement from an individual to use or disclose
protected health information for other purposes, or to authorize
another covered entity to disclose protected health information to the
requesting covered entity, are termed ``authorizations'' and the
provisions relating to them are found in Sec. 164.508.
Consent Requirements
Comment: Many commenters believed that consent might be problematic
in that it could allow covered entities to refuse enrollment or
services if the individual does not grant the consent. Some commenters
proposed that covered entities be allowed to condition treatment,
payment, or health care operations on whether or not an individual
granted consent. Other commenters said that consent should be voluntary
and not coerced.
Response: In the final rule (Sec. 164.506(b)(1)), we permit covered
health care providers to condition treatment on the individual's
consent to the covered provider's use or disclosure of protected health
information to carry out treatment, payment, and health care
operations. We recognize that it would be difficult, if not impossible,
for health care providers to treat their patients and run their
businesses without being able to use or disclose protected health
information for these purposes. For example, a health care provider
could not be reimbursed by a health plan unless the provider could
share protected health information about the individual with the health
plan. Under the final rule, if the individual refuses to grant consent
for this disclosure, the health care provider may refuse to treat the
individual. We encourage health care providers to exhaust other
options, such as making alternative payment arrangements with the
individual, before refusing to treat the individual on these grounds.
We also permit health plans to condition enrollment in the health
plan on the individual's consent for the health plan to use and
disclose protected health information to carry out treatment, payment,
and health care operations (see Sec. 164.506(b)(2)). The health plan
must seek the consent in conjunction with the individual's enrollment
in the plan for this provision to apply. For example, a health plan's
application for enrollment may include a consent for the health plan to
use or disclose protected health information to carry out treatment,
payment, and/or health care operations. If the individual does not sign
this consent, the health plan, under Sec. 164.502(a)(1)(iii), is
prohibited from using or disclosing protected health information about
the individual for the purposes stated in the consent form. Because the
health plan may not be able adequately to provide services to the
individual without these uses and disclosures, we permit the health
plan to refuse to enroll the individual if the consent is not signed.
Comment: Some commenters were concerned that the NPRM conflicted
with state law regarding when covered entities would be required to
obtain consent for uses and disclosures of protected health
information.
Response: We have modified the provisions in the final rule to
require certain health care providers to obtain consent for uses and
disclosures for treatment, payment, and health care operations and to
permit other covered entities to do so. A consent under this rule may
be combined with other types of written legal permission from the
individual, such as state-required consents for uses and disclosures of
certain types of health information (e.g., information relating to HIV/
AIDS or mental health). We also permit covered entities to seek
authorization from the individual for another covered entity's use or
disclosure of protected health information for these purposes,
including if the covered entity is required to do so by other law.
Though we do not believe any states currently require such
authorizations, we wanted to avoid future conflicts. These changes
should resolve the concerns raised by commenters regarding conflicts
with state laws that require consent, authorization, or other types of
written legal permission for uses and disclosures of protected health
information.
[[Page 82650]]
Comment: Some commenters noted that there would be circumstances
when consent is impossible or impractical. A few commenters suggested
that in such situations patient information be de-identified or
reviewed by an objective third party to determine if consent is
necessary.
Response: Covered health care providers with direct treatment
relationships are required to obtain consent to use or disclose
protected health information to carry out treatment, payment, and
health care operations. In certain treatment situations where the
provider is permitted or required to treat an individual without the
individual's written consent to receive health care, the provider may
use and disclose protected health information created or obtained in
the course of that treatment without the individual's consent under
this rule (see Sec. 164.506(a)(3)). In these situations, the provider
must attempt to obtain the individual's consent and, if the provider is
unable to obtain consent, the provider must document the attempt and
the reason consent could not be obtained. Together with the uses and
disclosures permitted under Secs. 164.510 and 164.512, the concerns
raised regarding situations in which it is impossible or impractical
for covered entities to obtain the individual's permission to use or
disclose protected health information about the individual have been
addressed.
Comment: An agency that provides care to individuals with mental
retardation and developmental disabilities expressed concern that many
of their consumers lack capacity to consent to the release of their
records and may not have a surrogate readily available to provide
consent on their behalf.
Response: Under Sec. 164.506(a)(3), we provide exceptions to the
consent requirement for certain treatment situations in which consent
is difficult to obtain. In these situations, the covered provider must
attempt to obtain consent and must document the reason why consent was
not obtained. If these conditions are met, the provider may use and
disclose the protected health information created or obtained during
the treatment for treatment, payment, or health care operations
purposes, without consent.
Comment: Many commenters were concerned that covered entities
working together in an integrated health care system would each
separately be required to obtain consent for use and disclosure of
protected health information for treatment, payment, and health care
operations. These commenters recommend that the rule permit covered
entities that are part of the same integrated health care system to
obtain a single consent allowing each of the covered entities to use
and disclose protected health information in accordance with that
consent form. Some commenters said that it would be confusing to
patients and administratively burdensome to require separate consents
for health care systems that include multiple covered entities.
Response: We agree with commenters' concerns. In Sec. 164.506(f) of
the final rule we permit covered entities that participate in an
organized health care arrangement to obtain a single consent on behalf
of the arrangement. See Sec. 164.501 and the corresponding preamble
discussion regarding organized health care arrangements. To obtain a
joint consent, the covered entities must have a joint notice and must
refer to the joint notice in the joint consent. See Sec. 164.520(d) and
the corresponding preamble discussion regarding joint notice. The joint
consent must also identify the covered entities to which it applies so
that individuals will know who is permitted to use and disclose
information about them.
Comment: Many commenters stated that individuals own their medical
records and, therefore, should have absolute control over them,
including knowing by whom and for what purpose protected health
information is used, disclosed, and maintained. Some commenters
asserted that, according to existing law, a patient owns the medical
records of which he is the subject.
Response: We disagree. In order to assert an ownership interest in
a medical record, a patient must demonstrate some legitimate claim of
entitlement to it under a state law that establishes property rights or
under state contract law. Historically, medical records have been the
property of the health care provider or medical facility that created
them, and some state statutes directly provide that medical records are
the property of a health care provider or a health care facility. The
final rule is consistent with current state law that provides patients
access to protected health information but not ownership of medical
records. Furthermore, state laws that are more stringent than the rule,
that is, state laws that provide a patient with greater access to
protected health information, remain in effect. See discussion of
``Preemption'' above.
Electronically Stored Data
Comment: Some commenters stated that privacy concerns would be
significantly reduced if patient information is not stored
electronically. One commenter suggested that consent should be given
for patient information to be stored electronically. One commenter
believed that information stored in data systems should not be
individually identifiable.
Response: We agree that storing and transmitting health information
electronically creates concerns about the privacy of health
information. We do not agree, however, that covered entities should be
expected to maintain health information outside of an electronic
system, particularly as health care providers and health plans extend
their reliance on electronic transactions. We do not believe that it
would be feasible to permit individuals to opt out of electronic
transactions by withholding their consent. We note that individuals can
ask providers and health plans whether or not they store information
electronically, and can choose only providers who do not do so or who
agree not to do so. We also do not believe that it is practical or
efficient to require that electronic data bases contain only de-
identified information. Electronic transactions have achieved
tremendous savings in the health care system and electronic records
have enabled significant improvements in the quality and coordination
of health care. These improvements would not be possible with de-
identified information.
Section 164.508--Uses and Disclosures for Which Authorization Is
Required
Uses and Disclosures Requiring Authorization
Comment: We received many comments in general support of requiring
authorization for the use or disclosure of protected health
information. Some comments suggested, however, that we should define
those uses and disclosures for which authorization is required and
permit covered entities to make all other uses and disclosures without
authorization.
Response: We retain the requirement for covered entities to obtain
authorization for all uses and disclosures of protected health
information that are not otherwise permitted or required under the rule
without authorization. We define exceptions to the general rule
requiring authorization for the use or disclosure of protected health
information, rather than defining narrow circumstances in which
authorization is required.
We believe this approach is consistent with well-established
privacy principles, with other law, and with industry standards and
ethical
[[Page 82651]]
guidelines. The July 1977 Report of the Privacy Protection Study
Commission recommended that ``each medical-care provider be considered
to owe a duty of confidentiality to any individual who is the subject
of a medical record it maintains, and that, therefore, no medical care
provider should disclose, or be required to disclose, in individually
identifiable form, any information about any such individual without
the individual's explicit authorization, unless the disclosures would
be'' for specifically enumerated purposes such as treatment, audit or
evaluation, research, public health, and law enforcement.\9\ The
Commission made similar recommendations with respect to insurance
institutions.\10\ The Privacy Act (5 U.S.C. 552a) prohibits government
agencies from disclosing records except pursuant to the written request
of or pursuant to a written consent of the individual to whom the
record pertains, unless the disclosure is for certain specified
purposes. The National Association of Insurance Commissioners' Health
Information Privacy Model Act states, ``A carrier shall not collect,
use or disclose protected health information without a valid
authorization from the subject of the protected health information,
except as permitted by * * * this Act or as permitted or required by
law or court order. Authorization for the disclosure of protected
health information may be obtained for any purpose, provided that the
authorization meets the requirements of this section.'' In its report
``Best Principles for Health Privacy,'' the Health Privacy Working
Group stated, ``Personally identifiable health information should not
be disclosed without patient authorization, except in limited
circumstances' such as when required by law, for oversight, and for
research.\11\ The American Medical Association's Council on Ethical and
Judicial Affairs has issued an opinion stating, ``The physician should
not reveal confidential communications or information without the
express consent of the patient, unless required to do so by law [and]
subject to certain exceptions which are ethically and legally justified
because of overriding social considerations.'' \12\ We build on these
standards in this final rule.
---------------------------------------------------------------------------
\9\ Privacy Protection Study Commission, ``Personal Privacy in
an Information Society,'' July 1977, p. 306.
\10\ Privacy Protection Study Commission, ``Personal Privacy in
an Information Society,'' July 1977, pp. 215-217.
\11\ Health Privacy Working Group, ``Best Principles for Health
Privacy,'' Health Privacy Project, Institute for Health Care
Research and Policy, Georgetown University, July 1999, p. 19.
\12\ AMA Council on Ethical and Judicial Affairs, ``Opinion E-
5.05: Confidentiality,'' Issued December 1983, Updated June 1994.
---------------------------------------------------------------------------
Comment: Some comments suggested that, under the proposed rule, a
covered entity could not use protected health information to solicit
authorizations from individuals. For example, a covered entity could
not use protected health information to generate a mailing list for
sending an authorization for marketing purposes.
Response: We agree with this concern and clarify that covered
entities are permitted to use protected health information in this
manner without authorization as part of the management activities
relating to implementation of and compliance with the requirements of
this rule. See Sec. 164.501 and the corresponding preamble regarding
the definition of health care operations.
Comment: We received several comments suggesting that we not
require written authorizations for disclosures to the individual or for
disclosures initiated by the individual or the individual's legal
representative.
Response: We agree with this concern and in the final rule we
clarify that disclosures of protected health information to the
individual who is the subject of the information do not require the
individual's authorization. See Sec. 164.502(a)(1). We do not intend to
impose barriers between individuals and disclosures of protected health
information to them.
When an individual requests that the covered entity disclose
protected health information to a third party, however, the covered
entity must obtain the individual's authorization, unless the third
party is a personal representative of the individual with respect to
such protected health information. See Sec. 164.502(g). If under
applicable law a person has authority to act on behalf of an individual
in making decisions related to health care, except under limited
circumstances, that person must be treated as the personal
representative under this rule with respect to protected health
information related to such representation. A legal representative is a
personal representative under this rule if, under applicable law, such
person is able to act on behalf of an individual in making decisions
related to health care, with respect to the protected health
information related to such decisions. For example, an attorney of an
individual may or may not be a personal representative under the rule
depending on the attorney's authority to act on behalf of the
individual in decisions related to health care. If the attorney is the
personal representative under the rule, he may obtain a copy of the
protected health information relevant to such personal representation
under the individual's right to access. If the attorney is not the
personal representative under the rule, or if the attorney wants a copy
of more protected health information than that which is relevant to his
personal representation, the individual would have to authorize such
disclosure.
Comment: Commenters expressed concern about whether a covered
entity can rely on authorizations made by parents on behalf of their
minor children once the child has reached the age of majority and
recommended that covered entities be able to rely on the most recent,
valid authorization, whether it was authorized by the parent or the
minor.
Response: We agree. If an authorization is signed by a parent, who
is the personal representative of the minor child at the time the
authorization is signed, the covered entity may rely on the
authorization for as long as it is a valid authorization, in accordance
with Sec. 164.508(b). A valid authorization remains valid until it
expires or is revoked. This protects a covered entity's reasonable
reliance on such authorization. The expiration date of the
authorization may be the date the minor will reach the age of majority.
In that case, the covered entity would be required to have the
individual sign a new authorization form in order to use or disclose
information covered in the expired authorization form.
Comment: Some commenters were concerned that covered entities
working together in an integrated system would each be required to
obtain authorization separately. These commenters suggested the rule
should allow covered entities that are part of the same system to
obtain a single authorization allowing each of the covered entities to
use and disclose protected health information in accordance with that
authorization.
Response: If the rule does not permit or require a covered entity
to use or disclose protected health information without the
individual's authorization, the covered entity must obtain the
individual's authorization to make the use or disclosure. Multiple
covered entities working together as an integrated delivery system or
otherwise may satisfy this requirement in at least three ways. First,
each covered entity may separately obtain an authorization directly
from the individual who is the subject of the protected health
information to be used or disclosed. Second, one covered entity may
obtain
[[Page 82652]]
a compound authorization in accordance with Sec. 164.508(b)(3) that
authorizes multiple covered entities to use and disclose protected
health information. In accordance with Sec. 164.508(c)(1)(ii), each
covered entity, or class of covered entities, that is authorized to
make the use or disclosure must be clearly identified. Third, if the
requirements in Sec. 164.504(d) are met, the integrated delivery system
may elect to designate itself as a single affiliated covered entity. A
valid authorization obtained by that single affiliated covered entity
would satisfy the authorization requirements for each covered entity
within the affiliated covered entity. Whichever option is used, because
these authorizations are being requested by a covered entity for its
own use or disclosure, the authorization must contain both the core
elements in Sec. 164.508(c) and the additional elements in
Sec. 164.508(d).
Sale, Rental, or Barter
Comment: Proposed Sec. 164.508 listed examples of activities that
would have required authorization, which included disclosure by sale,
rental, or barter. Some commenters requested clarification that this
provision is not intended to affect mergers, sale, or similar
transactions dealing with entire companies or their individual
divisions. A few commenters stated that covered entities should be
allowed to sell protected health information, including claims data, as
an asset of the covered entity.
Response: We clarify in the definition of health care operations
that a covered entity may sell or transfer its assets, including
protected health information, to a successor in interest that is or
will become a covered entity. See Sec. 164.501 and the corresponding
preamble discussion regarding this change. We believe this change meets
commenters' business needs without compromising individuals' privacy
interests.
Comment: Some commenters supported the requirement for covered
entities to obtain authorization for the sale, rental, or barter of
protected health information. Some commenters argued that protected
health information should never be bought or sold by anyone, even with
the individual's authorization.
Response: We removed the reference to sale, rental, or barter in
the final rule because we determined that the term was overly broad.
For example, if a researcher reimbursed a provider for the cost of
configuring health data to be disclosed under the research provisions
at Sec. 164.512(i), there may have been ambiguity that this was a sale
and, therefore, required authorizations from the individuals who were
the subjects of the information. We clarify in the final rule that if
the use or disclosure is otherwise permitted or required under the rule
without authorization, such authorization is not required simply
because the disclosure is made by sale, rental, or barter.
Comment: Many commenters expressed concerns that their health
information will be sold to pharmaceutical companies.
Response: Although we have removed the reference to sale, rental or
barter, the final rule generally would not permit the sale of protected
health information to a pharmaceutical company without the
authorization of individuals who are the subjects of the information.
In some cases, a covered entity could disclose protected health
information to a pharmaceutical company for research purposes if the
disclosure met the requirements of Sec. 164.512(i).
Psychotherapy Notes
Comment: Public response to the concept of providing additional
protections for psychotherapy notes was divided. Many individuals and
most providers, particularly mental health practitioners, advocated
requiring consent for use or disclosure of all or most protected health
information, but particularly sensitive information such as mental
health information, not necessarily limited to psychotherapy notes.
Others thought there should be special protections for psychotherapy
information based on the federal psychotherapist-patient privilege
created by the U.S. Supreme Court in Jaffee v. Redmond and the need for
an atmosphere of trust between therapist and patient that is required
for effective psychotherapy. Several consumer groups recommended
prohibiting disclosure of psychotherapy notes for payment purposes.
Some commenters, however, saw no need for special protections for
psychotherapy communications and thought that the rules should apply
the same protections for all individually identifiable information.
Other commenters who advocated for no special protections based their
opposition on the difficulty in drawing a distinction between physical
and mental health and that special protections should be left to the
states. Many health plans and employers did not support additional
protections for psychotherapy notes because they stated they need
access to this information to assess the adequacy of treatment, the
severity of a patient's condition, the extent of a disability, or the
ability to monitor the effectiveness of an individual's mental health
care and eligibility for benefits. Other commenters, many from
insurance companies, cited the need to have psychotherapy notes to
detect fraud.
A few commenters said that it was not necessary to provide
additional protections to psychotherapy notes because the ``minimum
necessary'' provisions of the NPRM provide sufficient protections.
Response: In the final rule, a covered entity generally must obtain
an authorization for disclosure of psychotherapy notes, or for use by a
person other than the person who created the psychotherapy notes. This
authorization is specific to psychotherapy notes and is in addition to
the consent an individual may have given for the use or disclosure of
other protected health information to carry out treatment, payment, and
health care operations. This additional level of individual control
provides greater protection than a general application of the ``minimum
necessary'' rule. Nothing in this regulation weakens existing rules
applicable to mental health information that provide more stringent
protections. We do not intend to alter the holding in Jaffee v.
Redmond.
Generally, we have not treated sensitive information differently
from other protected health information; however, we have provided
additional protections for psychotherapy notes because of Jaffee v.
Redmond and the unique role of this type of information. There are few
reasons why other health care entities should need access to
psychotherapy notes, and in those cases, the individual is in the best
position to determine if the notes should be disclosed. As we have
defined them, psychotherapy notes are primarily of use to the mental
health professional who wrote them, maintained separately from the
medical record, and not involved in the documentation necessary to
carry out treatment, payment, or health care operations. Since
psychotherapy notes have been defined to exclude information that
health plans would typically need to process a claim for benefits,
special authorization for payment purposes should be rare. Unlike
information shared with other health care providers for the purposes of
treatment, psychotherapy notes are more detailed and subjective and are
today subject to unique privacy and record retention practices. In
fact, it is this separate existence and isolated use that allows us to
grant the extra protection without causing an undue burden on the
health care system.
[[Page 82653]]
Comment: Many commenters suggested we prohibit disclosure of
psychotherapy notes without authorization for uses and disclosures
under proposed Sec. 164.510 of the NPRM, or that protections should be
extended to particular uses and disclosures, such as disclosures for
public health, law enforcement, health oversight, and judicial and
administrative proceedings. One of these commenters stated that the
only purpose for which psychotherapy notes should be disclosed without
authorization is for preventing or lessening a serious or imminent
threat to health or safety (proposed Sec. 154.510(k)). Another
commenter stated that the rule should allow disclosure of psychotherapy
notes without authorization for this purpose, or as required by law in
cases of abuse or neglect.
Other commenters did not want these protections to be extended to
certain national priority activities. They claimed that information
relative to psychotherapy is essential to states' activities to protect
the public from dangerous mentally ill offenders and abusers, to
deliver services to individuals who are unable to authorize release of
health care information, and for public health assessments. One
commenter requested clarification of when psychotherapy notes could be
released in emergency circumstances. Several commenters stated that
psychotherapy notes should not be disclosed for public health purposes.
Response: We agree with the commenters who suggested extending
protections of psychotherapy notes and have limited the purposes for
which psychotherapy notes may be disclosed without authorization for
purposes other than treatment, payment, or health care operations. The
final rule requires covered entities to obtain authorization to use or
disclose psychotherapy notes for purposes listed in Sec. 164.512, with
the following exceptions: An authorization is not required for use or
disclosure of psychotherapy notes when the use or disclosure is
required for enforcement of this rule, in accordance with
Sec. 164.502(a)(2)(ii); when required by law, in accordance with
Sec. 164.512(a); when needed for oversight of the covered health care
provider who created the psychotherapy notes, in accordance with
Sec. 164.512(d); when needed by a coroner or medical examiner, in
accordance with Sec. 164.512(g)(1); or when needed to avert a serious
and imminent threat to health or safety, in accordance with
Sec. 164.512(j)(1)(i).
Comment: A commenter suggested that we follow the federal
regulations governing confidentiality of alcohol and substance abuse
records as a model for limited disclosure of psychotherapy notes for
audits or evaluations. Under these regulations, a third party payor or
a party providing financial assistance may access confidential records
for auditing purposes if the party agrees in writing to keep the
records secure and destroy any identifying information upon completion
of the audit. (42 CFR part 2)
Response: We agree that the federal regulations concerning alcohol
and drug abuse provide a good model for protection of information.
However, according to our fact-finding discussions, audit or evaluation
should not require access to psychotherapy notes. Protected health
information kept in the medical record about an individual should be
sufficient for these purposes. The final rule does not require
authorization for use or disclosure of psychotherapy notes when needed
for oversight of the covered health care provider who created the
psychotherapy notes.
Comment: A provider organization urged that the disclosure of
psychotherapy notes be strictly prohibited except to the extent needed
in litigation brought by the client against the mental health
professional on the grounds of professional malpractice or disclosure
in violation of this section.
Response: We agree that psychotherapy notes should be available for
the defense of the provider who created the notes when the individual
who is the subject of the notes puts the contents of the notes at issue
in a legal case. In the final rule, we allow the provider to disclose
the notes to his or her lawyer for the purpose of preparing a defense.
Any other disclosure related to judicial and administrative proceedings
is governed by Sec. 164.512(e).
Comment: One commenter requested that we prohibit mental health
information that has been disclosed from being re-disclosed without
patient authorization.
Response: Psychotherapy notes may only be disclosed pursuant to an
authorization, except under limited circumstances. Covered entities
must adhere to the terms of authorization and not disclose
psychotherapy notes to persons other than those identified as intended
recipients or for other purposes. A covered entity that receives
psychotherapy notes must adhere to the terms of this rule--including
obtaining an authorization for any further use or disclosure. We do not
have the authority, however, to prohibit non-covered entities from re-
disclosing psychotherapy notes or any other protected health
information.
Comment: A provider organization argued for inclusion of language
in the final rule that specifies that real or perceived ``ownership''
of the mental health record does not negate the requirement that
patients must specifically authorize the disclosure of their
psychotherapy notes. They cited a July 1999 National Mental Health
Association survey, which found that for purposes of utilization
review, every managed care plan policy reviewed ``maintains the right
to access the full medical record (including detailed psychotherapy
notes) of any consumer covered under its benefit plan at its whim.'' At
least one of the major managed health plans surveyed considered the
patient record to be the property of the health plan and governed by
the health plan's policies.
Response: Although a covered entity may own a mental health record,
the ability to use or disclose an individual's information is limited
by state law and this rule. Under this rule, a mental health plan would
not have access to psychotherapy notes created by a covered provider
unless the individual who is the subject of the notes authorized
disclosure to the health plan.
Comment: Some commenters expressed concern regarding the burden
created by having to obtain multiple authorizations and requested
clarification as to whether separate authorization for use and
disclosure of psychotherapy notes is required.
Response: For the reasons explained above, we retain in the final
rule a requirement that a separate authorization must be obtained for
most uses or disclosures of psychotherapy notes, including those for
treatment, payment, and health care operations. The burden of such a
requirement is extremely low, however, because under our definition of
psychotherapy notes, the need for such authorization will be very rare.
Comment: One commenter stated that Medicare should not be able to
require the disclosure of psychotherapy notes because it would destroy
a practitioner's ability to treat patients effectively.
Response: We agree. As in the proposed rule, covered entities may
not disclose psychotherapy notes for payment purposes without an
authorization. If a specific provision of law requires the disclosure
of these notes, a covered entity may make the disclosure under
Sec. 164.512(a). The final rule, however, does not require the
disclosure of these notes to Medicare.
Comment: One commenter expressed concern that by filing a complaint
an
[[Page 82654]]
individual would be required to reveal sensitive information to the
public. Another commenter suggested that complaints regarding
noncompliance in regard to psychotherapy notes should be made to a
panel of mental health professionals designated by the Secretary. This
commenter also proposed that all patient information would be
maintained as privileged, would not be revealed to the public, and
would be kept under seal after the case is reviewed and closed.
Response: We appreciate this concern and the Secretary will ensure
that individually identifiable health information and other personal
information contained in complaints will not be available to the
public. This Department seeks to protect the privacy of individuals to
the fullest extent possible, while permitting the exchange of records
required to fulfill its administrative and program responsibilities.
The Freedom of Information Act, 5 U.S.C. 552, and the HHS implementing
regulation, 45 CFR part 5, protect records about individuals if the
disclosure would constitute an unwarranted invasion of their personal
privacy, as does the Privacy Act, 5 U.S.C. 552a. See the discussion of
FOIA and the Privacy Act in the ``Relationship to Other Federal Laws''
section of the preamble. Information that the Secretary routinely
withholds from the public in its current enforcement activities
includes individual names, addresses, and medical information.
Additionally, the Secretary attempts to guard against the release of
information that might involve a violation of personal privacy by
someone being able to ``read between the lines'' and piece together
items that would constitute information that normally would be
protected from release to the public. In implementing the privacy rule,
the Secretary will continue this practice of protecting personal
information.
It is not clear whether the commenter with regard to the use of
mental health professionals believes that such professionals should be
involved because they would be best able to keep psychotherapy notes
confidential or because such professionals can best understand the
meaning or relevance of such notes. We anticipate that we would not
have to obtain a copy or review psychotherapy notes in investigating
most complaints regarding noncompliance in regard to such notes. There
may be some cases in which a quick review of the notes may be needed,
such as when we need to identify that the information a covered entity
disclosed was in fact psychotherapy notes. If we need to obtain a copy
of psychotherapy notes, we will keep these notes confidential and
secure. Investigative staff will be trained in privacy to ensure that
they fully respect the confidentiality of personal information. In
addition, while the content of these notes is generally not relevant to
violations under this rule, we will secure the expertise of mental
health professionals if needed in reviewing psychotherapy notes.
Comment: A mental health organization recommended prohibiting
health plans and covered health care providers from disclosing
psychotherapy notes to coroners or medical examiners.
Response: In general, we have severely limited disclosures of
psychotherapy notes without the individual's authorization. One case
where the information may prove invaluable, but authorization by the
individual is impossible and authorization by a surrogate is
potentially contraindicated, is in the investigation of the death of
the individual. The final rule allows for disclosures to coroners or
medical examiners in this limited case.
Comment: One commenter recommended prohibiting disclosure without
authorization of psychotherapy notes to government health data systems.
Response: The decision to eliminate the general provision
permitting disclosures to government health data systems addresses this
comment.
Comment: Several commenters were concerned that in practice, a
treatment team in a mental health facility shares information about a
patient in order to care for the patient and that the provision
requiring authorization for use and disclosure of psychotherapy notes
would expose almost all privileged information to disclosure. They
requested that we add a provision that any authorization or disclosure
under that statute shall not constitute a waiver of the
psychotherapist-patient privilege.
Response: Because of the restricted definition we have adopted for
psychotherapy notes, we do not expect that members of a team will share
such information. Information shared in order to care for the patient
is, by definition, not protected as psychotherapy notes. With respect
to waiving privilege, however, we believe that the consents and
authorizations described in Secs. 164.506 and 164.508 should not be
construed as waivers of a patient's evidentiary privilege. See the
discussions under Sec. 164.506 and ``Relationship to Other Laws,''
above.
Research Information Unrelated to Treatment
Definition of Research Information Unrelated to Treatment
Comment: The majority of commenters, including many researchers and
health care providers, objected to the proposed definition of research
information unrelated to treatment, asserting that the privacy rule
should not distinguish research information unrelated to treatment from
other forms of protected health information. Even those who supported
the proposed distinction between research information related and
unrelated to treatment suggested alternative definitions for research
information unrelated to treatment.
A large number of commenters were concerned that the definition of
research information unrelated to treatment was vague and unclear and,
therefore, would be difficult or impossible to apply. These commenters
asserted that in many instances it would not be feasible to ascertain
whether research information bore some relation to treatment. In
addition, several commenters asserted that the need for distinguishing
research information unrelated to treatment from other forms of
protected health information was not necessary because the proposed
rule's general restrictions for the use and disclosure of protected
health information and the existing protections for research
information were sufficiently strong.
Of the commenters who supported the proposed distinction between
research information related and unrelated to treatment, very few
supported the proposed definition of research unrelated to treatment. A
few commenters recommended that the definition incorporate a good faith
provision and apply only to health care providers, because they thought
it was unlikely that a health plan or health care clearinghouse would
be conducting research. One commenter recommended defining research
information unrelated to treatment as information which does not
directly affect the treatment of the individual patient. As a means of
clarifying and standardizing the application of this definition, one
commenter also asserted that the definition should be based on whether
the research information was for publication. In addition, one
commenter specifically objected to the provision of the proposed
definition that would have required that research information unrelated
to treatment be information ``with respect to which the covered entity
has not requested payment from
[[Page 82655]]
a third party payor.'' This commenter asserted that patient protection
should not be dependent on whether a health plan will pay for certain
care.
Response: We agree with the commenters who found the proposed
definition of research information unrelated to treatment to be
impractical and infeasible to apply and have eliminated this definition
and its related provisions in the final rule. Although we share
concerns raised by some commenters that research information generated
from research studies that involve the delivery of treatment to
individual subjects may need additional privacy protection, we agree
with the commenters who asserted that there is not always a clear
distinction between research information that is related to treatment
and research information that is not. We found that the alternative
definitions proposed by commenters did not alleviate the serious
concerns raised by the majority of comments received on this
definition.
Instead, in the final rule, we require covered entities that create
protected health information for the purpose, in whole or in part, of
research that includes treatment of individuals to include additional
elements in authorizations they request for the use or disclosure of
that protected health information. As discussed in Sec. 164.508(f),
these research-related authorizations must include a description of the
extent to which some or all of the protected health information created
for the research will also be used or disclosed for purposes of
treatment, payment, and health care operations. For example, if the
covered entity intends to seek reimbursement from the individual's
health plan for the routine costs of care associated with the research
protocol, it must explain in the authorization the types of information
that it will provide to the health plan for this purpose. This
information, and the circumstances under which disclosures will be made
for treatment, payment, and health care operations, may be more limited
than the information and circumstances described in the covered
entity's general notice of information practices and are binding on the
covered entity.
Under this approach, the covered entity that creates protected
health information for research has discretion to determine whether
there is a subset of research information that will have fewer
allowable disclosures without authorization, and prospective research
subjects will be informed about how research information about them
would be used and disclosed should they agree to participate in the
research study. We believe this provision in the final rule provides
covered entities that participate in research necessary flexibility to
enhance privacy protections for research information and provides
prospective research subjects with needed information to determine
whether their privacy interests would be adequately protected before
agreeing to participate in a research study that involves the delivery
of health care.
The intent of this provision is to permit covered entities that
participate in research to bind themselves to a more limited scope of
uses and disclosures for all or identified subsets of research
information generated from research that involves the delivery of
treatment than it may apply to other protected health information. In
designing their authorizations, we expect covered entities to be
mindful of the often highly sensitive nature of research information
and the impact of individuals' privacy concerns on their willingness to
participate in research. For example, a covered entity conducting a
study which involves the evaluation of a new drug, as well as an
assessment of a new un-validated genetic marker of a particular
disease, could choose to stipulate in the research authorization that
the genetic information generated from this study will not be disclosed
without authorization for some of the public policy purposes that would
otherwise be permitted by the rule under Secs. 164.510 and 164.512 and
by the covered entity's notice. A covered entity may not, however,
include a limitation affecting its right to make a use or disclosure
that is either required by law or is necessary to avert a serious and
imminent threat to health or safety.
The final rule also permits the covered entity to combine the
research authorization under Sec. 164.508(f) with the consent to
participate in research, such as the informed consent document as
stipulated under the Common Rule or the Food and Drug Administration's
human subjects regulations.
Enhance Privacy Protections for Research Information
Comment: A number of commenters argued that research information
unrelated to treatment should have fewer allowable disclosures without
authorization than those that would have been permitted by the proposed
rule. The commenters who made this argument included those commenters
who recommended that the privacy rule not cover the information we
proposed to constitute research information unrelated to treatment, as
well as those who asserted that the rule should cover such information.
These commenters agreed with the concern expressed in the proposed rule
that patients would be reluctant to participate in research if they
feared that research information could be disclosed without their
permission or used against them. They argued that fewer allowable
disclosures should be permitted for research information because the
clinical utility of the research information is most often unknown, and
thus, it is unsuitable for use in clinical decision making. Others also
argued that it is critical to the conduct of clinical research that
researchers be able to provide individual research subjects, and the
public at large, the greatest possible assurance that their privacy and
the confidentiality of any individually identifiable research
information will be protected from disclosure.
Several commenters further recommended that only the following uses
and disclosures be permitted for research information unrelated to
treatment without authorization: (1) For the oversight of the
researcher or the research study; (2) for safety and efficacy reporting
required by FDA; (3) for public health; (4) for emergency
circumstances; or (5) for another research study. Other commenters
recommended that the final rule explicitly prohibit law enforcement
officials from gaining access to research records.
In addition, several commenters asserted that the rule should be
revised to ensure that once protected health information was classified
as research information unrelated to treatment, it could not be re-
classified as something else at a later date. These commenters believed
that if this additional protection were not added, this information
would be vulnerable to disclosure in the future, if the information
were later to gain scientific validity. They argued that individuals
may rely on this higher degree of confidentiality when consenting to
the collection of the information in the first instance, and that
confidentiality should not be betrayed in the future just because the
utility of the information has changed.
Response: We agree with commenters who argued that special
protections may be appropriate for research information in order to
provide research subjects with assurances that their decision to
participate in research will not result in harm stemming from the
misuse of the research information. We are aware that some researchers
currently retain separate research records and medical records as a
means of providing more stringent privacy protections for the research
record. The final rule permits
[[Page 82656]]
covered entities that participate in research to continue to provide
more stringent privacy protections for the research record, and the
Secretary strongly encourages this practice to protect research
participants from being harmed by the misuse of their research
information.
As discussed above, in the final rule, we eliminate the special
rules for this proposed definition of research information unrelated to
treatment and its related provisions, so the comments regarding its
application are moot.
Comment: Some commenters recommended that the final rule prohibit a
covered entity from conditioning treatment, enrollment in a health
plan, or payment on a requirement that the individual authorize the use
or disclosure of information we proposed to constitute research
information unrelated to treatment.
Response: Our decision to eliminate the definition of research
information unrelated to treatment and its related provisions in the
final rule renders this comment moot.
Comment: A few commenters opposed distinguishing between research
information related to treatment and research information unrelated to
treatment, arguing that such a distinction could actually weaken the
protection afforded to clinically-related health information that is
collected in clinical trials. These commenters asserted that
Certificates of Confidentiality shield researchers from being compelled
to disclose individually identifiable health information relating to
biomedical or behavioral research information that an investigator
considers sensitive.
Response: Our decision to eliminate the definition of research
information unrelated to treatment and its related provisions in the
final rule renders this comment moot. We would note that nothing in the
final rule overrides Certificates of Confidentiality, which protect
against the compelled disclosure of identifying information about
subjects of biomedical, behavioral, clinical, and other research as
provided by the Public Health Service Act section 301(d), 42 U.S.C.
241(d).
Privacy Protections for Research Information Too Stringent
Comment: Many of the commenters who opposed the proposed definition
of research information unrelated to treatment and its related
provisions believed that the proposed rule would have required
authorization before research information unrelated to treatment could
have been used or disclosed for any of the public policy purposes
outlined in proposed Sec. 164.510, and that this restriction would have
significantly hindered many important activities. Many of these
commenters specifically opposed this provision, arguing that the
distinction would undermine and impede research by requiring patient
authorization before research information unrelated to treatment could
be used or disclosed for research.
Furthermore, some commenters recommended that the disclosure of
research information should be governed by an informed consent
agreement already in place as part of a clinical protocol, or its
disclosure should be considered by an institutional review board or
privacy board.
Response: Our decision to eliminate the definition of research
information unrelated to treatment and its related provisions in the
final rule renders the first two comments moot.
We disagree with the comment that suggests that existing provisions
under the Common Rule are sufficient to protect the privacy interests
of individuals who are subjects in research that involves the delivery
of treatment. As discussed in the NPRM, not all research is subject to
the Common Rule. In addition, we are not convinced that existing
procedures adequately inform individuals about how their information
will be used as part of the informed consent process. In the final
rule, we provide for additional disclosure to subjects of research that
involves the delivery of treatment as part of the research
authorization under Sec. 164.508(f). We also clarify that the research
authorization could be combined with the consent to participate in
research, such as the informed consent document as stipulated under the
Common Rule or the Food and Drug Administration's human subjects
regulations. The Common Rule (Sec. _.116(a)(5)) requires that
``informed consent'' include ``a statement describing the extent, if
any, to which confidentiality of records identifying the subject will
be maintained.'' We believe that the research authorization
requirements of Sec. 164.508(f) complement the Common Rule's
requirement for informed consent.
The Secretary's Authority
Comment: Several commenters, many from the research community,
asserted that the coverage of ``research information unrelated to
treatment'' was beyond the Department's legal authority since HIPAA did
not give the Secretary authority to regulate researchers. These
commenters argued that the research records held by researchers who are
performing clinical trials and who keep separate research records
should not be subject to the final rule. These commenters strongly
disagreed that a health provider-researcher cannot carry out two
distinct functions while performing research and providing clinical
care to research subjects and, thus, asserted that research information
unrelated to treatment that is kept separate from the medical record,
would not be covered by the privacy rule.
Response: We do not agree the Secretary lacks the authority to
adopt standards relating to research information, including research
information unrelated to treatment. HIPAA provides authority for the
Secretary to set standards for the use and disclosure of individually
identifiable health information created or received by covered
entities. For the reasons commenters identified for why it was not
practical or feasible to divide research information into two
categories--research information related to treatment and research
information unrelated to treatment--we also determined that for a
single research study that includes the treatment of research subjects,
it is not practical or feasible to divide a researcher into two
categories--a researcher who provides treatment and a researcher who
does not provide treatment to research subjects. When a researcher is
interacting with research subjects for a research study that involves
the delivery of health care to subjects, it is not always clear to
either the researcher or the research subject whether a particular
research activity will generate research information that will be
pertinent to the health care of the research subject. Therefore, we
clarify that a researcher may also be a health care provider if that
researcher provides health care, e.g., provides treatment to subjects
in a research study, and otherwise meets the definition of a health
care provider, regardless of whether there is a component of the
research study that is unrelated to the health care of the research
subjects. This researcher/health care provider is then a covered entity
with regard to her provider activities if she conducts standard
transactions.
Valid Authorizations
Comment: In proposed Sec. 164.508(b)(1), we specified that an
authorization containing the applicable required elements ``must be
accepted by the covered entity.'' A few comments requested
clarification of this requirement.
[[Page 82657]]
Response: We agree with the commenters that the proposed provision
was ambiguous and we remove it from the final rule. We note that
nothing in the rule requires covered entities to act on authorizations
that they receive, even if those authorizations are valid. A covered
entity presented with an authorization is permitted to make the
disclosure authorized, but is not required to do so.
We want to be clear, however, that covered entities will be in
compliance with this rule if they use or disclose protected health
information pursuant to an authorization that meets the requirements of
Sec. 164.508. We have made changes in Sec. 164.508(b)(1) to clarify
this point. First, we specify that an authorization containing the
applicable required elements is a valid authorization. A covered entity
may not reject as invalid an authorization containing such elements.
Second, we clarify that a valid authorization may contain elements or
information in addition to the required elements, as long as the
additional elements are not inconsistent with the required elements.
Comment: A few comments requested that we provide a model
authorization or examples of wording meeting the ``plain language''
requirement. One commenter requested changes to the language in the
model authorization to avoid confusion when used in conjunction with an
insurer's authorization form for application for life or disability
income insurance. Many other comments, however, found fault with the
proposed model authorization form.
Response: Because of the myriad of types of forms that could meet
these requirements and the desire to encourage covered entities to
develop forms that meet their specific needs, we do not include a model
authorization form in the final rule. We intend to issue additional
guidance about authorization forms prior to the compliance date. We
also encourage standard-setting organizations to develop model forms
meeting the requirements of this rule.
Defective Authorizations
Comment: Some commenters suggested we insert a ``good-faith
reliance'' or ``substantial compliance'' standard into the
authorization requirements. Commenters suggested that covered entities
should be permitted to rely on an authorization as long as the
individual has signed and dated the document. They stated that
individuals may not fill out portions of a form that they feel are
irrelevant or for which they do not have an answer. They argued that
requiring covered entities to follow up with each individual to
complete the form will cause unwarranted delays. In addition,
commenters were concerned that large covered entities might act in good
faith on a completed authorization, only to find out that a component
of the entity ``knew'' some of the information on the form to be false
or that the authorization had been revoked. These commenters did not
feel that covered entities should be held in violation of the rule in
such situations.
Response: We retain the provision as proposed and include one
additional element: the authorization is invalid if it is combined with
other documents in violation of the standards for compound
authorizations. We also clarify that an authorization is invalid if
material information on the form is known to be false. The elements we
require to be included in the authorization are intended to ensure that
individuals knowingly and willingly authorize the use or disclosure of
protected health information about them. If these elements are missing
or incomplete, the covered entity cannot know which protected health
information to use or disclose to whom and cannot be confident that the
individual intends for the use or disclosure to occur.
We have attempted to make the standards for defective
authorizations as unambiguous as possible. In most cases, the covered
entity will know whether the authorization is defective by looking at
the form itself. Otherwise, the covered entity must know that the
authorization has been revoked, that material information on the form
is false, or that the expiration date or event has occurred. If the
covered entity does not know these things and the authorization is
otherwise satisfactory on its face, the covered entity is permitted to
make the use or disclosure in compliance with this rule.
We have added two provisions to make it easier for covered entities
to ``know'' when an authorization has been revoked. First, under
Sec. 164.508(b)(5), the revocation must be made in writing. Second,
under Sec. 164.508(c)(1)(v), authorizations must include instructions
for how the individual may revoke the authorization. Written
revocations submitted in the manner appropriate for the covered entity
should ease covered entities' compliance burden.
Compound Authorizations
Comment: Many commenters raised concerns about the specificity of
the authorization requirement. Some comments recommended that we permit
covered entities to include multiple uses and disclosures in a single
authorization and allow individuals to authorize or not authorize
specific uses and disclosures in the authorization. Other commenters
asked whether a single authorization is sufficient for multiple uses or
disclosures for the same purpose, for multiple uses and disclosures for
related purposes, and for uses and disclosures of different types of
information for the same purpose. Some comments from health care
providers noted that specific authorizations would aid their compliance
with requests.
Response: As a general rule, we prohibit covered entities from
combining an authorization for the use or disclosure of protected
health information with any other document. For example, an
authorization may not be combined with a consent to receive treatment
or a consent to assign payment of benefits to a provider. We intend the
authorizations required under this rule to be voluntary for
individuals, and, therefore, they need to be separate from other forms
of consent that may be a condition of treatment or payment or that may
otherwise be coerced.
We do, however, permit covered entities to combine authorizations
for uses and disclosures for multiple purposes into a single
authorization. The only limitations are that an authorization for the
use or disclosure of psychotherapy notes may not be combined with an
authorization for the use or disclosure of other types of protected
health information and that an authorization that is a condition of
treatment, payment, enrollment, or eligibility may not be combined with
any other authorization.
In Sec. 164.508(b)(3), we also permit covered entities to combine
an authorization for the use or disclosure of protected health
information created for purposes of research including treatment of
individuals with certain other documents.
We note that covered entities may only make uses or disclosures
pursuant to an authorization that are consistent with the terms of the
authorization. Therefore, if an individual agrees to one of the
disclosures described in the compound authorization but not another,
the covered entity must comply with the individual's decision. For
example, if a covered entity asks an individual to sign an
authorization to disclose protected health information for both
marketing and fundraising purposes, but the individual only agrees to
the fundraising disclosure, the
[[Page 82658]]
covered entity is not permitted to make the marketing disclosure.
Prohibition on Conditioning Treatment, Payment, Eligibility, or
Enrollment
Comment: Many commenters supported the NPRM's prohibition of
covered entities from conditioning treatment or payment on the
individual's authorization of uses and disclosures. Some commenters
requested clarification that employment can be conditioned on an
authorization. Some commenters recommended that we eliminate the
requirement for covered entities to state on the authorization form
that the authorization is not a condition of treatment or payment. Some
commenters suggested that we prohibit the provision of anything of
value, including employment, from being conditioned on receipt of an
authorization.
In addition, many commenters argued that patients should not be
coerced into signing authorizations for a wide variety of purposes as a
condition of obtaining insurance coverage. Some health plans, however,
requested clarification that health plan enrollment and eligibility can
be conditioned on an authorization.
Response: We proposed to prohibit covered entities from
conditioning treatment, payment, or enrollment in a health plan on an
authorization for the use or disclosure of psychotherapy notes (see
proposed Sec. 164.508(a)(3)(iii)). We proposed to prohibit covered
entities from conditioning treatment or payment on authorization for
the use or disclosure of any other protected health information (see
proposed Sec. 164.508(a)(2)(iii)).
We resolve this inconsistency by clarifying in Sec. 164.508(b)(4)
that, with certain exceptions, a covered entity may not condition the
provision of treatment, payment, enrollment in a health plan, or
eligibility for benefits on an authorization for the use or disclosure
of any protected health information, including psychotherapy notes. We
intend to minimize the potential for covered entities to coerce
individuals into signing authorizations for the use or disclosure of
protected health information when such information is not essential to
carrying out the relationship between the individual and the covered
entity.
Pursuant to that goal, we have created limited exceptions to the
prohibition. First, a covered health care provider may condition
research-related treatment of an individual on obtaining the
individual's authorization to use or disclose protected health
information created for the research. Second, except with respect to
psychotherapy notes, a health plan may condition the individual's
enrollment or eligibility in the health plan on obtaining an
authorization for the use or disclosure of protected health information
for making enrollment or eligibility determinations relating to the
individual or for its underwriting or risk rating determinations.
Third, a health plan may condition payment of a claim for specified
benefits on obtaining an authorization under Sec. 164.508(e) for
disclosure to the plan of protected health information necessary to
determine payment of the claim. Fourth, a covered entity may condition
the provision of health care that is solely for the purpose of creating
protected health information for disclosure to a third party (such as
fitness-for-duty exams and physicals necessary to obtain life insurance
coverage) on obtaining an authorization for the disclosure of the
protected health information. We recognize that covered entities need
protected health information in order to carry out these functions and
provide services to the individual; therefore, we allow authorization
for the disclosure of the protected health information to be a
condition of obtaining the services.
We believe that we have prohibited covered entities from
conditioning the services they provide to individuals on obtaining an
authorization for uses and disclosures that are not essential to those
services. Due to our limited authority, however, we cannot entirely
prevent individuals from being coerced into signing these forms. We do
not, for example, have the authority to prohibit an employer from
requiring its employees to sign an authorization as a condition of
employment. Similarly, a program such as the Job Corps may make such an
authorization a condition of enrollment in the Job Corps program. While
the Job Corps may include a health care component, the non-covered
component of the Job Corps may require as a condition of enrollment
that the individual authorize the health care component to disclose
protected health information to the non-covered component. See
Sec. 164.504(b). However, we note that other nondiscrimination laws may
limit the ability to condition these authorizations as well.
Comment: A Medicaid fraud control association stated that many
states require or permit state Medicaid agencies to obtain an
authorization for the use and disclosure of protected health
information for payment purposes as a condition of enrolling an
individual as a Medicaid recipient. The commenter, therefore, urged an
exception to the prohibition on conditioning enrollment on obtaining an
authorization.
Response: As explained above, under Sec. 164.506(a)(4), health
plans and other covered entities may seek the individual's consent for
the covered entity's use and disclosure of protected health information
to carry out treatment, payment, or health care operations. If the
consent is sought in conjunction with enrollment, the health plan may
condition enrollment in the plan on obtaining the individual's consent.
Under Sec. 164.506(a)(5), we specify that a consent obtained by one
covered entity is not effective to permit another covered entity to use
or disclose protected health information for payment purposes. If state
law requires a Medicaid agency to obtain the individual's authorization
for providers to disclose protected health information to the Medicaid
agency for payment purposes, the agency may do so under
Sec. 164.508(e). This authorization must not be a condition of
enrollment or eligibility, but may be a condition of payment of a claim
for specified benefits if the disclosure is necessary to determine
payment of the claim.
Revocation of Authorizations
Comment: Many commenters supported the right to revoke an
authorization. Some comments, however, suggested that we require
authorizations to remain valid for a minimum period of time, such as
one year or the duration of the individual's enrollment in a health
plan.
Response: We retain the right for individuals to revoke an
authorization at any time, with certain exceptions. We believe this
right is essential to ensuring that the authorization is voluntary. If
an individual determines that an authorized use or disclosure is no
longer in her best interest, she should be able to withdraw the
authorization and prevent any further uses or disclosures.
Comment: Several commenters suggested that we not permit
individuals to revoke an authorization if the revocation would prevent
an investigation of material misrepresentation or fraud. Other
commenters similarly suggested that we not permit individuals to revoke
an authorization prior to a claim for benefits if the insurance was
issued in reliance on the authorization.
Response: To address this concern, we include an additional
exception to the right to revoke an authorization. Individuals do not
have the right to revoke an authorization that was obtained as a
condition of insurance coverage during any contestability
[[Page 82659]]
period under other law. For example, if a life insurer obtains the
individual's authorization for the use or disclosure of protected
health information to determine eligibility or premiums under the
policy, the individual does not have the right to revoke the
authorization during any period of time in which the life insurer can
contest a claim for benefits under the policy in accordance with state
law. If an individual were able to revoke the authorization after
enrollment but prior to making a claim, the insurer would be forced to
pay claims without having the necessary information to determine
whether the benefit is due. We believe the existing exception for
covered entities that have acted in reliance on the authorization is
insufficient to address this concern because it is another person, not
the covered entity, that has acted in reliance on the authorization. In
the life insurance example, it is the life insurer that has taken
action (i.e., issued the policy) in reliance on the authorization. The
life insurer is not a covered entity, therefore the covered entity
exception is inapplicable.
Comment: Some comments suggested that a covered entity that had
compiled, but not yet disclosed, protected health information would
have already taken action in reliance on the authorization and could
therefore disclose the information even if the individual revoked the
authorization.
Response: We intend for covered entities to refrain from further
using or disclosing protected health information to the maximum extent
possible once an authorization is revoked. The exception exists only to
the extent the covered entity has taken action in reliance on the
authorization. If the covered entity has not yet used or disclosed the
protected health information, it must refrain from doing so, pursuant
to the revocation. If, however, the covered entity has already
disclosed the information, it is not required to retrieve the
information.
Comment: One comment suggested that the rule allow protected health
information to be only rented, not sold, because there can be no right
to revoke authorization for disclosure of protected health information
that has been sold.
Response: We believe this limitation would be an unwarranted
abrogation of covered entities' business practices and outside the
scope of our authority. We believe individuals should have the right to
authorize any uses or disclosures they feel are appropriate. We have
attempted to create authorization requirements that make the
individual's decisions as clear and voluntary as possible.
Comment: One commenter expressed concern as to whether the proposed
rule's standard to protect the protected health information about a
deceased individual for two years would interfere with the payment of
death benefit claims. The commenter asked that the regulation permit
the beneficiary or payee under a life insurance policy to authorize
disclosure of protected health information pertaining to the cause of
death of a decedent or policyholder. Specifically, the commenter
explained that when substantiating a claim a beneficiary, such as a
fiancee or friend, may be unable to obtain the authorization required
to release information to the insurer, particularly if, for example,
the decedent's estate does not require probate or if the beneficiary is
not on good terms with the decedent's next of kin. Further, the
commenter stated that particularly in cases where the policyholder dies
within two years of the policy's issuance (within the policy's
contestable period) and the cause of death is uncertain, the insurer's
inability to access relevant protected health information would
significantly interfere with claim payments and increase administrative
costs.
Response: We do not believe this will be a problem under the final
regulation, because we create an exception to the right to revoke an
authorization if the authorization was obtained as a condition of
obtaining insurance coverage and other applicable law provides the
insurer that obtained the authorization with the right to contest a
claim under the policy. Thus, if a policyholder dies within the two
year contestability period, the authorization the insurer obtained from
the policyholder prior to death could not be revoked during the
contestability period.
Core Elements and Requirements
Comment: Many commenters raised concerns about the required
elements for a valid authorization. They argued that the requirements
were overly burdensome and that covered entities should have greater
flexibility to craft authorizations that meet their business needs.
Other commenters supported the required elements as proposed because
the elements help to ensure that individuals make meaningful, informed
choices about the use and disclosure of protected health information
about them.
Response: As in the proposed rule, we define specific elements that
must be included in any authorization. We draw on established laws and
guidelines for these requirements. For example, the July 1977 Report of
the Privacy Protection Study Commission recommended that authorizations
obtained by insurance institutions include plain language, the date of
authorization, and identification of the entities authorized to
disclose information, the nature of the information to be disclosed,
the entities authorized to receive information, the purpose(s) for
which the information may be used by the recipients, and an expiration
date.\13\ The Commission made similar recommendations concerning the
content of authorizations obtained by health care providers.\14\ The
National Association of Insurance Commissioners' Health Information
Privacy Model Act requires authorizations to be in writing and include
a description of the types of protected health information to be used
or disclosed, the name and address of the person to whom the
information is to be disclosed, the purpose of the authorization, the
signature of the individual or the individual's representative, and a
statement that the individual may revoke the authorization at any time,
subject to the rights of any person that acted in reliance on the
authorization prior to revocation and provided the revocation is in
writing, dated, and signed. Standards of the American Society for
Testing and Materials recommend that authorizations identify the
subject of the protected health information to be disclosed; the name
of the person or institution that is to release the information; the
name of each individual or institution that is to receive the
information; the purpose or need for the information; the information
to be disclosed; the specific date, event, or condition upon which the
authorization will expire, unless revoked earlier; and the signature
and date signed. They also recommend the authorization include a
statement that the authorization can be revoked or amended, but not
retroactive to a release made in reliance on the authorization.\15\
---------------------------------------------------------------------------
\13\ Privacy Protection Study Commission, ``Personal Privacy in
an Information Society,'' July 1977, p. 196-197.
\14\ Privacy Protection Study Commission, ``Personal Privacy in
an Information Society,'' July 1977, p. 315.
\15\ ASTM, ``Standard Guide for Confidentiality, Privacy, Access
and Data Security, Principles for Health Information Including
Computer-Based Patient Records,'' E 1869-97, Sec. 12.1.4.
---------------------------------------------------------------------------
Comment: Some commenters requested clarification that
authorizations ``initiated by the individual'' include authorizations
initiated by the individual's representative.
[[Page 82660]]
Response: In the final rule, we do not classify authorizations as
those initiated by the individual versus those initiated by a covered
entity. Instead, we establish a core set of elements and requirements
that apply to all authorizations and require certain additional
elements for particular types of authorizations initiated by covered
entities.
Comment: Some commenters urged us to permit authorizations that
designate a class of entities, rather than specifically named entities,
that are authorized to use or disclose protected health information.
Commenters made similar recommendations with respect to the authorized
recipients. Commenters suggested these changes to prevent covered
entities from having to seek, and individuals from having to sign,
multiple authorizations for the same purpose.
Response: We agree. Under Sec. 164.508(c)(1), we require
authorizations to identify both the person(s) authorized to use or
disclose the protected health information and the person(s) authorized
to receive protected health information. In both cases, we permit the
authorization to identify either a specific person or a class of
persons.
Comment: Many commenters requested clarification that covered
entities may rely on electronic authorizations, including electronic
signatures.
Response: All authorizations must be in writing and signed. We
intend e-mail and electronic documents to qualify as written documents.
Electronic signatures are sufficient, provided they meet standards to
be adopted under HIPAA. In addition, we do not intend to interfere with
the application of the Electronic Signature in Global and National
Commerce Act.
Comment: Some commenters requested that we permit covered entities
to use and disclose protected health information pursuant to verbal
authorizations.
Response: To ensure compliance and mutual understanding between
covered entities and individuals, we require all authorizations to be
in writing.
Comment: Some commenters asked whether covered entities can rely on
copies of authorizations rather than the original. Other comments asked
whether covered entities can rely on the assurances of a third party,
such as a government entity, that a valid authorization has been
obtained to use or disclose protected health information. These
commenters suggested that such procedures would promote the timely
provision of benefits for programs that require the collection of
protected health information from multiple sources, such as
determinations of eligibility for disability benefits.
Response: Covered entities must obtain the individual's
authorization to use or disclose protected health information for any
purpose not otherwise permitted or required under this rule. They may
obtain this authorization directly from the individual or from a third
party, such as a government agency, on the individual's behalf. In
accordance with the requirements of Sec. 164.530(j), the covered entity
must retain a written record of authorization forms signed by the
individual. Covered entities must, therefore, obtain the authorization
in writing. They may not rely on assurances from others that a proper
authorization exists. They may, however, rely on copies of
authorizations if doing so is consistent with other law.
Comment: We requested comments on reasonable steps that a covered
entity could take to be assured that the individual who requests the
disclosure is whom she or he purports to be. Some commenters stated
that it would be extremely difficult to verify the identity of the
person signing the authorization, particularly when the authorization
is not obtained in person. Other comments recommended requiring
authorizations to be notarized.
Response: To reduce burden on covered entities, we are not
requiring verification of the identities of individuals signing
authorization forms or notarization of the forms.
Comment: A few commenters asked for clarification regarding the
circumstances in which a covered entity may consider a non-response as
an authorization.
Response: Non-responses to requests for authorizations cannot be
considered authorizations. Authorizations must be signed and have the
other elements of a valid authorization described above.
Comment: Most commenters generally supported the requirement for an
expiration date on the authorization. Commenters recommended expiration
dates from 6 months to 3 years and/or proposed that the expiration be
tied to an event such as duration of enrollment or when an individual
changes health plans. Others requested no expiration requirement for
some or all authorizations.
Response: We have clarified that an authorization may include an
expiration date in the form of a specific date, a specific time period,
or an event directly related to the individual or the purpose of the
authorization. For example, a valid authorization could expire upon the
individual's disenrollment from a health plan or upon termination of a
research project. We prohibit an authorization from having an
indeterminate expiration date.
These changes were intended to address situations in which a
specific date for the termination of the purpose for the authorization
is difficult to determine. An example may be a research study where it
may be difficult to predetermine the length of the project.
Comment: A few commenters requested that the named insured be
permitted to sign an authorization on behalf of dependents.
Response: We disagree with the commenter that a named insured
should always be able to authorize uses and disclosures for other
individuals in the family. Many dependents under group health plans
have their own rights under this rule, and we do not assume that one
member of a family has the authority to authorize uses or disclosures
of the protected health information of other family members.
A named insured may sign a valid authorization for an individual if
the named insured is a personal representative for the individual in
accordance with Sec. 164.502(g). The determination of whether an
individual is a personal representative under this rule is based on
other applicable law that determines when a person can act on behalf of
an individual in making decisions related to health care. This rule
limits a person's rights and authorities as a personal representative
to only the protected health information relevant to the matter for
which he or she is a personal representative under other law. For
example, a parent may be a personal representative of a child for most
health care treatment and payment decisions under state law. In that
case, a parent, who is a named insured for her minor child, would be
able to provide authorization with respect to most protected health
information about her dependent child. However, a wife who is the named
insured for her husband who is a dependent under a health insurance
policy may not be a personal representative for her husband under other
law or may be a personal representative only for limited purposes, such
as for making decisions regarding payment of disputed claims. In this
case, she may have limited authority to access protected health
information related to the payment of disputed claims, but would not
have the authority to authorize that her husband's information be used
for
[[Page 82661]]
marketing purposes, absent any other authority to act for her husband.
See Sec. 164.502(g) for more information regarding personal
representatives.
Comment: One commenter suggested that authorizations should be
dated on the day they are signed.
Response: We agree and have retained this requirement in the final
rule.
Additional Elements and Requirements for Authorizations Requested by
the Covered Entity for Its Own Uses and Disclosures
Comment: Some commenters suggested that we should not require
different elements in authorizations initiated by the covered entity
versus authorizations initiated by the individual. The commenters
argued the standards were unnecessary, confusing, and burdensome.
Response: The proposed authorization requirements are intended to
ensure that an individual's authorization is truly voluntary. The
additional elements required for authorizations initiated by the
covered entity for its own uses and disclosures or for receipt of
protected health information from other covered entities to carry out
treatment, payment, or health care operations address concerns that are
unique to these forms of authorization. (See above regarding
requirements for research authorizations under Sec. 164.508(f).)
First, when applicable, these authorizations must state that the
covered entity will not condition treatment, payment, eligibility, or
enrollment on the individual's providing authorization for the
requested use or disclosure. This statement is not appropriate for
authorizations initiated by the individual or another person who does
not have the ability to withhold services if the individual does not
authorize the use or disclosure.
Second, the authorization must state that the individual may refuse
to sign the authorization. This statement is intended to signal to the
individual that the authorization is voluntary and may not be accurate
if the authorization is obtained by a person other than a covered
entity.
Third, these authorizations must describe the purpose of the use or
disclosure. We do not include this element in the core requirements
because we understand there may be times when the individual does not
want the covered entity maintaining the protected health information to
know the purpose for the use or disclosure. For example, an individual
contemplating litigation may not want the covered entity to know that
litigation is the purpose of the disclosure. If the covered entity is
initiating the authorization for its own use or disclosure, however,
the individual and the covered entity maintaining the protected health
information should have a mutual understanding of the purpose of the
use or disclosure. Similarly, when a covered entity is requesting
authorization for a disclosure by another covered entity that may have
already obtained the individual's consent for the disclosure, the
individual and covered entity that maintains the protected health
information should be aware of this potential conflict.
There are two additional requirements for authorizations requested
by a covered entity for its own use or disclosure of protected health
information it maintains. First, we require the covered entity to
describe the individual's right to inspect or copy the protected health
information to be used or disclosed. Individuals may want to review the
information to be used or disclosed before signing the authorization
and should be reminded of their ability to do so. This requirement is
not appropriate for authorizations for a covered entity to receive
protected health information from another covered entity, however,
because the covered entity requesting the authorization is not the
covered entity that maintains the protected health information and
cannot, therefore, grant or describe the individual's right to access
the information.
If applicable, we also require a covered entity that requests an
authorization for its own use or disclosure to state that the use or
disclosure of the protected health information will result in direct or
indirect remuneration to the entity. Individuals should be aware of any
conflicts of interest or financial incentives on the part of the
covered entity requesting the use or disclosure. These statements are
not appropriate, however, in relation to uses and disclosures to carry
out treatment, payment, and health care operations. Uses and
disclosures for these purposes will often involve remuneration by the
nature of the use or disclosure, not due to any conflict of interest on
the part of either covered entity.
We note that authorizations requested by a covered entity include
authorizations requested by the covered entity's business associate on
the covered entity's behalf. Authorizations requested by a business
associate on the covered entity's behalf and that authorize the use or
disclosure of protected health information by the covered entity or the
business associate must meet the requirements in Sec. 164.508(d).
Similarly, authorizations requested by a business associate on behalf
of a covered entity to accomplish the disclosure of protected health
information to that business associate or covered entity as described
in Sec. 164.508(e) must meet the requirements of that provision.
We disagree that these elements are unnecessary, confusing, or
burdensome. We require them to ensure that the individual has a
complete understanding of what he or she is agreeing to permit.
Comment: Many commenters suggested we include in the regulation
text a provision stated in the preamble that entities and their
business partners must limit their uses and disclosures to the
purpose(s) specified by the individual in the authorization.
Response: We agree. In accordance with Sec. 164.508(a)(1), covered
entities may only use or disclose protected health information
consistent with the authorization. In accordance with
Sec. 164.504(e)(2), a business associate may not make any uses or
disclosures that the covered entity couldn't make.
Comment: Some comments suggested that authorizations should
identify the source and amount of financial gain, if any, resulting
from the proposed disclosure. Others suggested that the proposed
financial gain requirements were too burdensome and would decrease
trust between patients and providers. Commenters recommended that the
requirement either should be eliminated or should only require covered
entities, when applicable, to state that direct and foreseeable
financial gain to the covered entity will result. Others requested
clarification of how the requirement for covered entities to disclose
financial gain relates to the criminal penalties that accrue for
offenses committed with intent to sell, transfer, or use individually
identifiable health information for commercial advantage, personal
gain, or malicious harm. Some commenters advocated use of the term
``financial compensation'' rather than ``financial gain'' to avoid
confusion with in-kind compensation rules. Some comments additionally
suggested excluding marketing uses and disclosures from the
requirements regarding financial gain.
Response: We agree that clarification is warranted. In
Sec. 164.508(d)(1)(iv) of the final rule, we require a covered entity
that asks an individual to sign an authorization for the covered
entity's use or disclosure of protected health information and that
will receive direct
[[Page 82662]]
or indirect remuneration from a third party for the use or disclosure,
to state that fact in the authorization. Remuneration from a third
party includes payments such as a fixed price per disclosure,
compensation for the costs of compiling and sending the information to
be disclosed, and, with respect to marketing communications, a
percentage of any sales generated by the marketing communication. For
example, a device manufacturer may offer to pay a fixed price per name
and address of individuals with a particular diagnosis, so that the
device manufacturer can market its new device to people with the
diagnosis. The device manufacturer may also offer the covered entity a
percentage of the profits from any sales generated by the marketing
materials sent. If a covered entity seeks an authorization to make such
a disclosure, the authorization must state that the remuneration will
occur. We believe individuals should have the opportunity to weigh the
covered entity's potential conflict of interest when deciding to
authorize the covered entity's use or disclosure of protected health
information. We believe that the term ``remuneration from a third
party'' clarifies our intent to describe a direct, tangible exchange,
rather than the mere fact that parties intend to profit from their
enterprises.
Comment: One commenter suggested we require covered entities to
request authorizations in a manner that does not in itself disclose
sensitive information.
Response: We agree that covered entities should make reasonable
efforts to avoid unintentional disclosures. In Sec. 164.530(c)(2), we
require covered entities to have in place appropriate administrative,
technical, and physical safeguards to protect the privacy of protected
health information.
Comment: Some commenters requested clarification that covered
entities are permitted to seek authorization at the time of enrollment
or when individuals otherwise first interact with covered entities.
Similarly, commenters requested clarification that covered entities may
disclose protected health information created after the date the
authorization was signed but prior to the expiration date of the
authorization. These commenters were concerned that otherwise multiple
authorizations would be required to accomplish a single purpose. Other
comments suggested that we prohibit prospective authorizations (i.e.,
authorizations requested prior to the creation of the protected health
information to be disclosed under the authorization) because it is not
possible for individuals to make informed decisions about these
authorizations.
Response: We confirm that covered entities may act on
authorizations signed in advance of the creation of the protected
health information to be released. We note, however, that all of the
required elements must be completed, including a description of the
protected health information to be used or disclosed pursuant to the
authorization. This description must identify the information in a
specific and meaningful fashion so that the individual can make an
informed decision as to whether to sign the authorization.
Comment: Some commenters suggested that the final rule prohibit
financial incentives, such as premium discounts, designed to encourage
individuals to sign authorizations.
Response: We do not prohibit or require financial incentives for
authorizations. We have attempted to ensure that authorizations are
entered into voluntary. If a covered entity chooses to offer a
financial incentive for the individual to sign the authorization, and
the individual chooses to accept it, they are free to do so.
Section 164.510--Uses and Disclosures Requiring an Opportunity for
the Individual to Agree or to Object
Section 164.510(a)--Use and Disclosure for Facility Directories
Comment: Many hospital organizations opposed the NPRM's proposed
opt-in approach to disclosure of directory information. These groups
noted the preamble's statement that most patients welcomed the
convenience of having their name, location, and general condition
included in the patient directory. They said that requiring hospitals
to obtain authorization before including patient information in the
directory would cause harm to many patients' needs in an effort to
serve the needs of the small number of patients who may not want their
information to be included. Specifically, they argued that the proposed
approach ultimately could have the effect of making it difficult or
impossible for clergy, family members, and florists to locate patients
for legitimate purposes. In making this argument, commenters pointed to
problems that occurred after enactment of privacy legislation in the
State of Maine in 1999. The legislation, which never was officially
implemented, was interpreted by hospitals to prohibit disclosure of
patient information to directories without written consent. As a
result, when hospitals began complying with the law based on their
interpretation, family members and clergy had difficulty locating
patients in the hospital.
Response: We share commenters' concern about the need to ensure
that family members and clergy who have a legitimate need to locate
patients are not prevented from doing so by excessively stringent
restrictions on disclosure of protected health information to health
care facilities' directories. Accordingly, the final rule takes an opt-
out approach, stating that health care institutions may include the
name, general condition, religious affiliation, and location of a
patient within the facility in the facility's directory unless the
patient explicitly objects to the use or disclosure of protected health
information for directory purposes. To ensure that this opt-out can be
exercised, the final rule requires facilities to notify individuals of
their right not to be included in the directory and to give them the
opportunity to opt out. The final rule indicates that the notice and
opt-out may be oral. The final rule that allows health care facilities
to disclose to clergy the four types of protected health information
specified above without requiring the clergy to ask for the individual
by name will allow the clergy to identify the members of his or her
faith who are in the facility, thus ensuring that this rule will not
significantly interfere with the exercise of religion, including the
clergy's traditional religious mission to provide services to
individuals.
Comment: A small number of commenters recommended requiring written
authorization for all disclosures of protected health information for
directory purposes. These commenters believed that the NPRM's proposed
provision allowing oral agreement would not provide sufficient privacy
protection; that it did not sufficiently hold providers accountable for
complying with patient wishes; and that it could create liability
issues for providers.
Response: The final rule does not require written authorization for
disclosure of protected health information for directory purposes. We
believe that requiring written authorization in these cases would
increase substantially the administrative burdens and costs for covered
health care providers and could lead to significant inconvenience for
families and others attempting to locate individuals in health care
institutions. Experience from the State of Maine suggests that
requiring written authorization before patient information may be
included in facility directories
[[Page 82663]]
can be disruptive for providers, families, clergy, and others.
Comment: Domestic violence organizations raised concerns that
including information about domestic violence victims in health care
facilities' directories could result in further harm to victims. The
NPRM addressed the issue of potential danger to patients by stating
that when patients were incapacitated, covered health care providers
could exercise discretion--consistent with good medical practice and
prior expression of patient preference--regarding whether to disclose
protected health information for directory purposes. Several commenters
recommended prohibiting providers from including information in a
health care facility's directory about incapacitated individuals when
the provider reasonably believed that the injuries to the individual
could have been caused by domestic violence. These groups believed that
such a prohibition was necessary to prevent abusers from locating and
causing further harm to domestic violence patients.
Response: We share commenters' concerns about protecting victims of
domestic violence from further abuse. We are also concerned, however,
that imposing an affirmative duty on institutions not to disclose
information any time injuries to the individual could have been the
result of domestic violence would place too high a burden on health
care facilities, essentially requiring them to rule out domestic
violence as a potential cause of the injuries before disclosing to
family members that an incapacitated person is in the institution.
We do believe, however, that it is appropriate to require covered
health care providers to consider whether including the individual's
name and location in the directory could lead to serious harm. As in
the preamble to the NPRM, in the preamble to the final rule, we
encourage covered health care providers to consider several factors
when deciding whether to include an incapacitated patient's information
in a health care facility's directory. One of these factors is whether
disclosing an individual's presence in the facility could reasonably
cause harm or danger to the individual (for example, if it appeared
that an unconscious patient had been abused and disclosing that the
individual is in the facility could give the attacker sufficient
information to seek out the person and repeat the abuse). Under the
final rule, when the opportunity to object to uses and disclosures for
a facility's directory cannot practicably be provided due to an
individual's incapacity or an emergency treatment circumstance, covered
health care providers may use or disclose some or all of the protected
health information that the rule allows to be included in the
directory, if the disclosure is: (1) consistent with the individual's
prior expressed preference, if known to the covered health care
provider; and (2) in the individual's best interest, as determined by
the covered health care provider in the exercise of professional
judgement. The rule allows covered health care providers making
decisions about incapacitated patients to include some portions of the
patient's information (such as name) but not other information (such as
location in the facility) to protect patient interests.
Section 164.510(b)--Uses and Disclosures for Involvement in the
Individual's Care and Notification Purposes
Comment: A number of comments supported the NPRM's proposed
approach, which would have allowed covered entities to disclose
protected health information to the individual's next of kin, family
members, or other close personal friends when the individual verbally
agreed to the disclosure. These commenters agreed that the presumption
should favor disclosures to the next of kin, and they believed that
health care providers should encourage individuals to share genetic
information and information about transmittable diseases with family
members at risk. Others agreed with the general approach but suggested
the individual's agreement be noted in the medical record. These
commenters also supported the NPRM's proposed reliance on good
professional practices and ethics to determine when disclosures should
be made to the next of kin when the individual's agreement could not
practicably be obtained.
A few commenters recommended that the individual's agreement be in
writing for the protection of the covered entity and to facilitate the
monitoring of compliance with the individual's wishes. These commenters
were concerned that, absent the individual's written agreement, the
covered entity would become embroiled in intra-family disputes
concerning the disclosures. Others argued that the individual's
authorization should be obtained for all disclosures, even to the next
of kin.
One commenter favored disclosures to family members and others
unless the individual actively objected, as long as the disclosure was
consistent with sound professional practice. Others believed that no
agreement by the individual was necessary unless sensitive medical
information would be disclosed or unless the health care provider was
aware of the individual's prior objection. These commenters recommended
that good professional practice and ethics determine when disclosures
were appropriate and that disclosure should relate only to the
individual's current treatment. A health care provider organization
said that the ethical and legal obligations of the medical professional
alone should control in this area, although it believed the proposed
rule was generally consistent with these obligations.
Response: The diversity of comments regarding the proposal on
disclosures to family members, next of kin, and other persons, reflects
a wide range of current practice and individual expectations. We
believe that the NPRM struck the proper balance between the competing
interests of individual privacy and the need that covered health care
providers may have, in some cases, to have routine, informal
conversations with an individual's family and friends regarding the
individual's treatment.
We do not agree with the comments stating that all such disclosures
should be made only with consent or with the individual's written
authorization. The rule does not prohibit obtaining the agreement of
the individual in writing; however, we believe that imposing a
requirement for consent or written authorization in all cases for
disclosures to individuals involved in a person's care would be unduly
burdensome for all parties. In the final rule, we clarify the
circumstances in which such disclosures are permissible. The rule
allows covered entities to disclose to family members, other relatives,
close personal friends of the individual, or any other person
identified by the individual, the protected health information directly
relevant to such person's involvement with the individual's care or
payment related to the individual's health care. In addition, the final
rule allows covered entities to use or disclose protected health
information to notify, or assist in the notification of (including
identifying or locating) a family member, a personal representative of
the individual, or another person responsible for the care of the
individual, of the individual's location, general condition, or death.
The final rule includes separate provisions for situations in which the
individual is present and for when the individual is not present at the
time of disclosure. When the individual is present and can make his or
her own decisions, a covered entity may disclose protected health
information only if the covered entity: (1) Obtains the
[[Page 82664]]
individual's agreement to disclose to the third parties involved in the
individual's care; (2) provides the individual with the opportunity to
object to the disclosure, and the individual does not express an
objection; or (3) reasonably infers from the circumstances, based on
the exercise of professional judgement, that the individual does not
object to the disclosure. The final rule continues to permit
disclosures in circumstances when the individual is not present or when
the opportunity to agree or object to the use or disclosure cannot
practicably be provided due to the individual's incapacity or an
emergency circumstance. In such instances, covered entities may, in the
exercise of professional judgement, determine whether the disclosure is
in the individual's best interests and if so, disclose only the
protected health information that is directly relevant to the person's
involvement with the individual's health care.
As discussed in the preamble for this section, we do not intend to
disrupt most covered entities' current practices with respect to
informing family members and others with whom a patient has a close
personal relationship about a patient's specific health condition when
a patient is incapacitated due to a medical emergency and the family
member or close personal friend comes to the covered entity to ask
about the patient's condition. To the extent that disclosures to family
members and others in these situations currently are allowed under
state law and covered entities' own rules, Sec. 164.510(b) allows
covered entities to continue making them in these situations,
consistent with the exercise of professional judgement as to the
patient's best interest. As indicated in the preamble above, this
section is not intended to provide a loophole for avoiding the rule's
other requirements, and it is not intended to allow disclosures to a
broad range of individuals, such as journalists who may be curious
about a celebrity's health status.
Comments: A few comments supported the NPRM approach because it
permitted the current practice of allowing someone other than the
patient to pick up prescriptions at pharmacies. One commenter noted
that this practice occurs with respect to 25-40% of the prescriptions
dispensed by community retail pharmacies. These commenters strongly
supported the proposal's reliance on the professional judgement of
pharmacists in allowing others to pick up prescriptions for bedridden
or otherwise incapacitated patients, noting that in most cases it would
be impracticable to verify that the person was acting with the
individual's permission. Two commenters requested that the rule
specifically allow this practice. One comment opposed the practice of
giving prescriptions to another person without the individual's
authorization, because a prescription implicitly could disclose medical
information about the individual.
Response: As stated in the NPRM, we intended for this provision to
authorize pharmacies to dispense prescriptions to family or friends who
are sent by the individual to the pharmacy to pick up the prescription.
We believe that stringent consent or verification requirements would
place an unreasonable burden on numerous transactions. In addition,
such requirements would be contrary to the expectations and preferences
of all parties to these transactions. Although prescriptions are
protected health information under the rule, we believe that the risk
to individual privacy in allowing this practice to continue is minimal.
We agree with the suggestion that the final rule should state
explicitly that pharmacies have the authority to operate in this
manner. Therefore, we have added a sentence to Sec. 164.510(b)(3)
allowing covered entities to use professional judgement and experience
with common practice to make reasonable inferences of an individual's
best interest in allowing a person to act on the individual's behalf to
pick up filled prescriptions, medical supplies, X-rays, or other
similar forms of protected health information. In such situations, as
when making disclosures of protected health information about an
individual who is not present or is unable to agree to such
disclosures, covered entities should disclose only information which
directly relates to the person's involvement in the individual's
current health care. Thus, when dispensing a prescription to a friend
who is picking it up on the patient's behalf, the pharmacist should not
disclose unrelated health information about medications that the
patient has taken in the past which could prove embarrassing to the
patient.
Comment: We received a few comments that misunderstood the
provision as addressing disclosures related to deceased individuals.
Response: We understand that use of the term next of kin in this
section may cause confusion. To promote clarity in the final rule, we
eliminate the term ``next of kin,'' as well as the term's proposed
definition. In the final rule, we address comments on next of kin and
the deceased in the section on disclosure of protected health
information about deceased individuals in Sec. 164.512(g).
Comments: A number of commenters expressed concern for the
interaction of the proposed section with state laws. Some of these
comments interpreted the NPRM's use of the term next of kin as
referring to individuals with health care power of attorney and thus
they believed that the proposed rule's approach to next of kin was
inappropriately informal and in conflict with state law. Others noted
that some state laws did not allow health care information to be
disclosed to family or friends without consent or other authorization.
One commenter said that case law may be evolving toward imposing a more
affirmative duty on health care practitioners to inform next of kin in
a variety of circumstances. One commenter noted that state laws may not
define clearly who is considered to be the next of kin.
Response: The intent of this provision was not to interfere with or
change current practice regarding health care powers of attorney or the
designation of other personal representatives. Such designations are
formal, legal actions which give others the ability to exercise the
rights of or make treatment decisions related to individuals. While
persons with health care powers of attorney could have access to
protected health information under the personal representatives
provision (Sec. 164.502(g)), and covered entities may disclose to such
persons under this provision, such disclosures do not give these
individuals substantive authority to act for or on behalf of the
individual with respect to health care decisions. State law
requirements regarding health care powers of attorney continue to
apply.
The comments suggesting that state laws may not allow the
disclosures otherwise permitted by this provision or, conversely, that
they may impose a more affirmative duty, did not provide any specifics
with which to judge the affect of such laws. In general, however, state
laws that are more protective of an individual's privacy interests than
the rule by prohibiting a disclosure of protected health information
continue to apply. The rule's provisions regarding disclosure of
protected health information to family or friends of the individual are
permissive only, enabling covered entities to abide by more stringent
state laws without violating our rules. Furthermore, if the state law
creates an affirmative and binding legal obligation on the covered
entity to make disclosures to family or other persons under specific
circumstances, the final rule allows covered entities to comply
[[Page 82665]]
with these legal obligations. See Sec. 164.512(a).
Comments: A number of commenters supported the proposal to limit
disclosures to family or friends to the protected health information
that is directly relevant to that person's involvement in the
individual's health care. Some comments suggested that this standard
apply to all disclosures to family or friends, even when the individual
has agreed to or not objected to the disclosure. One commenter objected
to the proposal, stating that it would be too difficult to administer.
According to this comment, it is accepted practice for health care
providers to communicate with family and friends about an individual's
condition, regardless of whether the person is responsible for or
otherwise involved in the individual's care.
Other comments expressed concern for disclosures related to
particular types of information. For example, two commenters
recommended that psychotherapy notes not be disclosed without patient
authorization. One commenter suggested that certain sensitive medical
information associated with social stigma not be disclosed to family
members or others without patient consent.
Response: We agree with commenters who advocated limiting
permissible disclosures to relatives and close personal friends to
information consistent with a person's involvement in the individual's
care. Under the final rule, we clarify the NPRM provision to state that
covered entities may disclose protected health information to family
members, relatives, or close personal friends of an individual or any
other person identified by the individual, to the extent that the
information directly relates to the person's involvement in the
individual's current health care. It is not intended to allow
disclosure of past medical history that is not relevant to the
individual's current condition. In addition, as discussed above, we do
not intend to disrupt covered entities' current practices with respect
to disclosing specific information about a patient's condition to
family members or others when the individual is incapacitated due to a
medical emergency and the family member or other individual comes to
the covered entity seeking specific information about the patient's
condition. For example, this section allows a hospital to disclose to a
family member the fact that a patient had a heart attack, and to
provide updated information to the family member about the patient's
progress and prognosis during his or her period of incapacity.
We agree with the recommendation to require written authorization
for a disclosure of psychotherapy notes to family, close personal
friends, or others involved in the individual's care. As discussed
below, the final rule allows disclosure of psychotherapy notes without
authorization in a few limited circumstances; disclosure to individuals
involved in a person's care is not among those circumstances. See
Sec. 164.508 for a further discussion of the final rule's provisions
regarding disclosure of psychotherapy notes.
We do not agree, however, with the suggestion to treat some medical
information as more sensitive than others. In most cases, individuals
will have the opportunity to prohibit or limit such disclosures. For
situations in which an individual is unable to do so, covered entities
may, in the exercise of professional judgement, determine whether the
disclosure is in the individual's best interests and, if so, disclose
only the protected health information that is directly relevant to the
person's involvement with the individual's health care.
Comment: One commenter suggested that this provision should allow
disclosure of protected health information to the clergy and to the Red
Cross. The commenter noted that clergy have ethical obligations to
ensure confidentiality and that the Red Cross often notifies the next
of kin regarding an individual's condition in certain circumstances.
Another commenter recommended allowing disclosures to law enforcement
for the purpose of contacting the next of kin of individuals who have
been injured or killed. One commenter sought clarification that ``close
personal friend'' was intended to include domestic partners and same-
sex couples in committed relationships.
Response: As discussed above, Sec. 164.510(a) allows covered health
care providers to disclose to clergy protected health information from
a health care facility's directory. Under Sec. 164.510(b), an
individual may identify any person, including clergy, as involved in
his or her care. This approach provides more flexibility than the
proposed rule would have provided.
As discussed in the preamble of the final rule, this provision
allows disclosures to domestic partners and others in same-sex
relationships when such individuals are involved in an individual's
care or are the point of contact for notification in a disaster. We do
not intend to change current practices with respect to involvement of
others in an individual's treatment decisions; informal information-
sharing among persons involved; or the sharing of protected health
information during a disaster. As noted above, a power of attorney or
other legal relationship to an individual is not necessary for these
informal discussions about the individual for the purpose of assisting
in or providing a service related to the individual's care.
We agree with the comments noting that the Red Cross and other
organizations may play an important role in locating and communicating
with the family about individuals injured or killed in an accident or
disaster situation. Therefore, the final rule includes new language, in
Sec. 164.510(b)(4), which allows covered entities to use or disclose
protected health information to a public or private entity authorized
by law or its charter to assist in disaster relief efforts, for the
purpose of coordinating with such entities to notify, or assist in the
notification of (including identifying or locating) a family member, an
individual's personal representative, or another person responsible for
the individual's care regarding the individual's location, general
condition, or death. The Red Cross is an example of a private entity
that may obtain protected health information pursuant to these
provisions. We recognize the role of the Red Cross and similar
organizations in disaster relief efforts, and we encourage cooperation
with these entities in notification efforts and other means of
assistance.
Comment: One commenter recommended stating that individuals who are
mentally retarded and unable to agree to disclosures under this
provision do not, thereby, lose their access to further medical
treatment. This commenter also proposed stating that mentally retarded
individuals who are able to provide agreement have the right to control
the disclosure of their protected health information. The commenter
expressed concern that the parent, relative, or other person acting in
loco parentis may not have the individual's best interest in mind in
seeking or authorizing for the individual the disclosure of protected
health information.
Response: The final rule regulates only uses and disclosures of
protected health information, not the delivery of health care. Under
the final rule's section on personal representatives (Sec. 164.502(g)),
a person with authority to make decisions about the health care of an
individual, under applicable law, may make decisions about the
protected health information of that individual, to the extent that the
protected health information is relevant to such person's
representation.
[[Page 82666]]
In the final rule, Sec. 164.510(b) may apply to permit disclosures
to a person other than a personal representative. Under
Sec. 164.510(b), when an individual is present and has the capacity to
make his or her own decisions, a covered entity may disclose protected
health information only if the covered entity: (1) Obtains the
individual's agreement to disclose protected health information to the
third parties involved in the individual's care; (2) provides the
individual with an opportunity to object to such disclosure, and the
individual does not express an objection; or (3) reasonably infers from
the circumstances, based on the exercise of professional judgment, that
the individual does not object to the disclosure. These conditions
apply to disclosure of protected health information about individuals
with mental retardation as well as to disclosures about all other
individuals. Thus we do not believe it is necessary to include in this
section of the final rule any language specifically on persons with
mental retardation.
Comments: A few commenters recommended that disclosures made in
good faith to the family or friends of the individual not be subject to
sanctions by the Secretary, even if the covered entity had not fully
complied with the requirements of this provision. One commenter
believed that a fear of sanction would make covered entities overly
cautious, such that they would not disclose protected health
information to domestic partners or others not recognized by law as
next of kin. Another commenter recommended that sanctions not be
imposed if the covered entity has proper policies in place and has
trained its staff appropriately. According to this commenter, the lack
of documentation of disclosures in a particular case or medical record
should not subject the entity to sanctions if the information was
disclosed in good faith.
Response: We generally agree with commenters regarding disclosure
in good faith pursuant to this provision. As discussed above, the final
rule expands the scope of individuals to whom covered entities may
disclose protected health information pursuant to this section. In
addition, we delete the term next of kin, to avoid the appearance of
requiring any legal determination of a person's relationship in
situations involving informal disclosures. Similarly, consistent with
the informal nature of disclosures pursuant to this section, we do not
require covered entities to document such disclosures. If a covered
entity imposes its own documentation requirements and a particular
covered health care provider does not follow the entity's documentation
requirements, the disclosure is not a violation of this rule.
Comments: The majority of comments on this provision were from
individuals and organizations concerned about domestic violence. Most
of these commenters wanted assurance that domestic violence would be a
consideration in any disclosure to the spouse or relatives of an
individual whom the covered entity suspected to be a victim of domestic
violence or abuse. In particular, these commenters recommended that
disclosures not be made to family members suspected of being the abuser
if to do so would further endanger the individual. Commenters believed
that this limitation was particularly important when the individual was
unconscious or otherwise unable to object to the disclosures.
Response: We agree with the comments that victims of domestic
violence and other forms of abuse need special consideration in order
to avoid further harm, and we provide for discretion of a covered
entity to determine that protected health information not be disclosed
pursuant to Sec. 164.510(b). Section 164.510(b) of the final rule,
disclosures to family or friends involved in the individual's care,
states that when an individual is unable to agree or object to the
disclosure due to incapacity or another emergency situation, a covered
entity must determine based on the exercise of professional judgment
whether it is in the individual's best interest to disclose the
information. As stated in the preamble, we intend for this exercise of
professional judgment in the individual's best interest to account for
the potential for harm to the individual in cases involving domestic
violence. These circumstances are unique and are best decided by a
covered entity, in the exercise of professional judgment, in each
situation rather than by a blanket rule.
Section 164.512--Uses and Disclosures for Which Consent,
Authorization, or Opportunity to Agree or Object Is Not Required
Section 164.512(a)--Uses and Disclosures Required by Law
Comment: Numerous commenters addressed directly or by implication
the question of whether the provision permitting uses and disclosures
of protected health information if required by other law was necessary.
Other commenters generally endorsed the need for such a provision. One
such commenter approved of the provision as a needed fail-safe
mechanism should the enumeration of permissible uses and disclosures of
protected health information in the NPRM prove to be incomplete. Other
commenters cited specific statutes which required access to protected
health information, arguing that such a provision was necessary to
ensure that these legally mandated disclosures would continue to be
permitted. For example, some commenters argued for continued access to
protected health information to investigate and remedy abuse and
neglect as currently required by the Developmental Disabilities
Assistance and Bill of Rights, 42 U.S.C. 6042, and the Protection and
Advocacy for Mentally Ill Individuals Act, 42 U.S.C. 10801.
Some comments urged deletion of the provision for uses and
disclosures required by other law. This concern appeared to be based on
a generalized concern that the provision fostered government intrusion
into individual medical information.
Finally, a number of commenters also urged that the required by law
provision be deleted. These commenters argued that the proposed
provision would have undermined the intent of the statute to preempt
state laws which were less protective of individual privacy. As stated
in these comments, the provision for uses and disclosures required by
other law was ``broadly written and could apply to a variety of state
laws that are contrary to the proposed rule and less protective of
privacy. (Indeed, a law requiring disclosure is the least protective of
privacy since it allows for no discretion.) The breadth of this
provision greatly exceeds the exceptions to preemption contained in
HIPAA.''
Response: We agree with the comments that proposed Sec. 164.510(n)
was necessary to harmonize the rule with existing state and federal
laws mandating uses and disclosures of protected health information.
Therefore, in the final rule, the provision permitting uses and
disclosures as required by other law is retained. To accommodate other
reorganization of the final rule, this provision has been designated as
Sec. 164.512(a).
We do not agree with the comments expressing concern for increased
governmental intrusion into individual privacy under this provision.
The final rule does not create any new duty or obligation to disclose
protected health information. Rather, it permits covered entities to
use or disclose protected health information when they are required by
law to do so.
[[Page 82667]]
We likewise disagree with the characterization of the proposed
provision as inconsistent with or contrary to the preemption standards
in the statute or Part 160 of the rule. As described in the NPRM, we
intend this provision to preserve access to information considered
important enough by state or federal authorities to require its
disclosure by law.
The importance of these required uses or disclosures is evidenced
by the legislative or other public process necessary for the government
to create a legally binding obligation on a covered entity.
Furthermore, such required uses and disclosures arise in a myriad of
other areas of law, ranging from topics addressing national security
(uses and disclosures to obtain security clearances), to public health
(reporting of communicable diseases), to law enforcement (disclosures
of gun shot wounds). Required uses and disclosures also may address
broad national concerns or particular regional or state concerns. It is
not possible, or appropriate, for HHS to reassess the legitimacy of or
the need for each of these mandates in each of their specialized
contexts. In some cases where particular concerns have been raised by
legal mandates in other laws, we allow disclosure as required by law,
and we establish additional requirements to protect privacy (for
example, informing the individual as required in Sec. 164.512(c)) when
covered entities make a legally mandated disclosure.
We also disagree with commenters who suggest that the approach in
the final rule is contrary to the preemption provisions in HIPAA. HIPAA
provides HHS with broad discretion in fashioning privacy protections.
Recognizing the legitimacy of existing legal requirements is certainly
within the Secretary's discretion. Additionally, given the variety of
these laws, the varied contexts in which they arise, and their
significance in ensuring that important public policies are achieved,
we do not believe that Congress intended to preempt each such law
unless HHS specifically recognized the law or purpose in the
regulation.
Comment: A number of commenters urged that the provision permitting
uses and disclosures required by other law be amended by deleting the
last sentence which stated: ``This paragraph does not apply to uses or
disclosures that are covered by paragraphs (b) through (m) of this
section.'' Some commenters sought deletion of this sentence to avoid
any inadvertent preemption of mandatory reporting laws, and requested
clarification of the effect on specific statutes.
The majority of the commenters focused their concerns on the
potential conflict between mandatory reporting laws to law enforcement
and the limitations imposed by proposed Sec. 164.510(f), on uses and
disclosures to law enforcement. For example, the comments raised
concerns that mandatory reporting to law enforcement of injuries
resulting from violent acts and abuse require the health care provider
to initiate such reports to local law enforcement or other state
agencies, while the NPRM would have allowed such reporting on victims
of crimes only in response to specific law enforcement requests for
information. Similarly, mandatory reports of violence-related injuries
may implicate suspected perpetrators, as well as victims, and
compliance with such laws could be blocked by the proposed requirement
that disclosures about suspects was similarly limited to a response to
law enforcement inquiries for the specific purpose of identifying the
suspect. The NPRM also would have limited the type of protected health
information that could have been disclosed about a suspect or fugitive.
In general, commenters sought to resolve this overlap by removing
the condition that the required-by-other-law provision applied only
when no other national priority purpose addressed the particular use or
disclosure. The suggested change would permit the covered entity to
comply with legally mandated uses and disclosures as long as the
relevant requirements of that law were met. Alternatively, other
commenters suggested that the restrictions on disclosures to law
enforcement be lifted to permit full compliance with laws requiring
reporting for these purposes.
Finally, some comments sought clarification of when a use or
disclosure was ``covered by paragraphs (b) through (m).'' These
commenters were confused as to whether a particular use or disclosure
had to be specifically addressed by another provision of the rule or
simply within the scope of the one of the national priority purposes
specified by proposed paragraphs (b) through (m).
Response: We agree with the commenters that the provision as
proposed would have inadvertently interfered with many state and
federal laws mandating the reporting to law enforcement or others of
protected health information.
In response to these comments, we have modified the final rule to
clarify how this section interacts with the other provisions in the
rule.
Comment: A number of commenters sought expanded authority to use
and disclosure protected health information when permitted by other
law, not just when required by law. These comments specified a number
of significant duties or potential societal benefits from disclosures
currently permitted or authorized by law, and they expressed concern
should these beneficial uses and disclosures no longer be allowed if
not specifically recognized by the rule. For example, one commenter
listed 25 disclosures of health records that are currently permitted,
but not required, by state law. This commenter was concerned that many
of these authorized uses and disclosures would not be covered by any of
the national priority purposes specified in the NPRM, and, therefore,
would not be a permissible use or disclosure under the rule. To
preserve these important uses and disclosures, the comments recommended
that provision be made for any use or disclosure which is authorized or
permitted by other law.
Response: We do not agree with the comments that seek general
authority to use and disclose protected health information as
permitted, but not required, by other law. The uses and disclosures
permitted in the final rule reflect those purposes and circumstances
which we believe are of sufficient national importance or relevance to
the needs of the health care system to warrant the use or disclosure of
protected health information in the absence of either the individual's
express authorization or a legal duty to make such use or disclosure.
In permitting specific uses and disclosures that are not required by
law, we have considered the individual privacy interests at stake in
each area and crafted conditions or limitations in each identified area
as appropriate to balance the competing public purposes and individual
privacy needs. A general rule authorizing any use or disclosure that is
permitted, but not required, by other law would undermine the careful
balancing in the final rule.
In making this judgment, we have distinguished between laws that
mandate uses or disclosures and laws that merely permit them. In the
former case, jurisdictions have determined that public policy purposes
cannot be achieved absent the use of certain protected health
information, and we have chosen in general not to disturb their
judgments. On the other hand, where jurisdictions have determined that
certain protected health information is not necessary to achieve
[[Page 82668]]
a public policy purpose, and only have permitted its use or disclosure,
we do not believe that those judgments reflect an interest in use or
disclosure strong enough to override the Congressional goal of
protecting privacy rights.
Moreover, the comments failed to present any compelling
circumstance to warrant such a general provision. Despite commenters'
concerns to the contrary, most of the beneficial uses and disclosures
that the commenters referenced to support a general provision were, in
fact, uses or disclosures already permissible under the rule. For
example, the general statutory authorities relied on by one state
health agency to investigate disease outbreaks or to comply with health
data-gathering guidelines for reporting to certain federal agencies are
permissible disclosures to public health agencies.
Finally, in the final rule, we add new provisions to Sec. 164.512
to address three examples raised by commenters of uses and disclosures
that are authorized or permitted by law, but may not be required by
law. First, commenters expressed concern for the states that provide
for voluntary reporting to law enforcement or state protective services
of domestic violence or of abuse, neglect or exploitation of the
elderly or other vulnerable adults. As discussed below, a new section,
Sec. 164.512(c), has been added to the final rule to specifically
address uses and disclosures of protected health information in cases
of abuse, neglect, or domestic violence. Second, commenters were
concerned about state or federal laws that permitted coordination and
cooperation with organizations or entities involved in cadaveric organ,
eye, or tissue donation and transplantation. In the final rule, we add
a new section, Sec. 164.512(h), to permit disclosures to facilitate
such donation and transplantation functions. Third, a number of
commenters expressed concern for uses and disclosure permitted by law
in certain custodial settings, such as those involving correctional or
detention facilities. In the final rule, we add a new subsection to the
section on uses and disclosures for specialized government functions,
Sec. 164.512(k), to identify custodial settings in which special rules
are necessary and to specify the additional uses and disclosures of the
protected health information of inmates or detainees which are
necessary in such facilities.
Comment: A number of commenters asked for clarification of the term
``law'' and the phrase ``required by law'' for purposes of the
provision permitting uses or disclosures that are required by law. Some
of the commenters noted that ``state law'' was a defined term in Part
160 of the NPRM and that the terms should be used consistently. Other
commenters were concerned about differentiating between laws that
required a use or disclosure and those that merely authorize or permit
a use or disclosure. A number of commenters recommended that the final
rule include a definitive list of the laws that mandate a use or
disclosure of protected health information.
Response: In the final rule, we clarify that, consistent with the
``state law'' definition in Sec. 160.202, ``law'' is intended to be
read broadly to include the full array of binding legal authority, such
as constitutions, statutes, rules, regulations, common law, or other
governmental actions having the effect of law. However, for the
purposes of Sec. 164.512(a), law is not limited to state action;
rather, it encompasses federal, state or local actions with legally
binding effect, as well as those by territorial and tribal governments.
For more detail on the meaning of ``required by law,'' see
Sec. 164.501. Only where the law imposes a duty on the health care
professional to report would the disclosure be considered to be
required by law.
The final rule does not include a definitive list of the laws that
contain legal mandates for disclosures of protected health information.
In light of the breadth of the term ``law'' and number of federal,
state, local, and territorial or tribal authorities that may engage in
the promulgation of binding legal authority, it would be impossible to
compile and maintain such a list. Covered entities have an independent
duty to be aware of their legal obligations to federal, state, local
and territorial or tribal authorities. The rule's approach is simply
intended to avoid any obstruction to the health plan or covered health
care provider's ability to comply with its existing legal obligations.
Comment: A number of commenters recommended that the rule compel
covered entities to use or disclose protected health information as
required by law. They expressed concern that covered entities could
refuse or delay compliance with legally mandated disclosures by
misplaced reliance on a rule that permits, but does not require, a use
or disclosure required by other law.
Response: We do not agree that the final rule should require
covered entities to comply with uses or disclosures of protected health
information mandated by law. The purpose of this rule is to protect
privacy, and to allow those disclosures consistent with sound public
policy. Consistent with this purpose, we mandate disclosure only to the
individual who is the subject of the information, and for purposes of
enforcing the rule. Where a law imposes a legal duty on the covered
entity to use or disclose protected health information, it is
sufficient that the privacy rule permit the covered entity to comply
with such law. The enforcement of that legal duty, however, is a matter
for that other law.
Section 164.512(b)--Uses and Disclosures for Public Health Activities
Comment: Several non-profit entities commented that medical records
research by nonprofit entities to ensure public health goals, such as
disease-specific registries, would not have been covered by this
provision. These organizations collect information without relying on a
government agency or law. Commenters asserted that such activities are
essential and must continue. They generally supported the provisions
allowing the collection of individually identifiable health information
without authorization for registries. One stated that both governmental
and non-governmental cancer registries should be exempt from the
regulation. They stated that ``such entities, by their very nature,
collect health information for legitimate public health and research
purposes.'' Another, however, addressed its comments only to
``disclosure to non-government entities operating such system as
required or authorized by law.''
Response: We acknowledge that such entities may be engaged in
disease-specific or other data collection activities that provide a
benefit to their members and others affected by a particular malady and
that they contribute to the public health and scientific database on
low incidence or little known conditions. However, in the absence of
some nexus to a government public health authority or other underlying
legal authority, it is unclear upon what basis covered entities can
determine which registries or collections are ``legitimate'' and how
the confidentiality of the registry information will be protected.
Commenters did not suggest methods for ``validating'' these private
registry programs, and no such methods currently exist at the federal
level. It is unknown whether any states have such a program. Broadening
the exemption could provide a loophole for private data collections for
inappropriate
[[Page 82669]]
purposes or uses under a ``public health'' mask.
In this rule, we do not seek to make judgments as to the legitimacy
of private entities' disease-specific registries or of private data
collection endeavors. Rather, we establish the general terms and
conditions for disclosure and use of protected health information.
Under the final rule, covered entities may obtain authorization to
disclose protected health information to private entities seeking to
establish registries or other databases; they may disclose protected
health information as required by law; or they may disclose protected
health information to such entities if they meet the conditions of one
of the provisions of Secs. 164.510 or 164.512. We believe that the
circumstances under which covered entities may disclose protected
health information to private entities should be limited to specified
national priority purposes, as reflected through the FDA requirements
or directives listed in Sec. 164.512(b)(iii), and to enable recalls,
repairs, or replacements of products regulated by the FDA. Disclosures
by covered health care providers who are workforce members of an
employer or are conducting evaluations relating to work-related
injuries or illnesses or workplace surveillance also may disclose
protected health information to employers of findings of such
evaluations that are necessary for the employer to comply with
requirements under OSHA and related laws.
Comment: Several commenters said that the NPRM did not indicate how
to distinguish between public health data collections and government
health data systems. They suggested eliminating proposed
Sec. 164.510(g) on disclosures and uses for government health data
systems, because they believed that such disclosures and uses were
adequately covered by proposed Sec. 164.510(b) on public health.
Response: As discussed below, we agree with the commenters who
suggested that the proposed provision that would have permitted
disclosures to government health data bases was overly broad, and we
remove it from the final rule. We reviewed the important purposes for
which some commenters said government agencies needed protected health
information, and we believe that most of those needs can be met through
the other categories of permitted uses and disclosures without
authorization allowed under the final rule, including provisions
permitting covered entities to disclose information (subject to certain
limitations) to government agencies for public health, health
oversight, law enforcement, and otherwise as required by law. For
example, the final rule continues to allow collection of protected
health information without authorization to monitor trends in the
spread of infectious disease, morbidity and mortality.
Comment: Several commenters recommended expanding the scope of
disclosures permissible under proposed Sec. 164.510(b)(1)(iii), which
would have allowed covered entities to disclose protected health
information to private entities that could demonstrate that they were
acting to comply with requirements, or at the direction, of a public
health authority. These commenters said that they needed to collect
individually identifiable health information in the process of drug and
device development, approval, and post-market surveillance--activities
that are related to, and necessary for, the FDA regulatory process.
However, they noted that the specific data collections involved were
not required by FDA regulations. Some commenters said that they often
devised their own data collection methods, and that health care
providers disclosed information to companies voluntarily for activities
such as post-marketing surveillance and efficacy surveys. Commenters
said they used this information to comply with FDA requirements such as
reporting adverse events, filing other reports, or recordkeeping.
Commenters indicated that the FDA encouraged but did not require them
to establish other data collection mechanisms, such as pregnancy
registries that track maternal exposure to drugs and the outcomes.
Accordingly, several commenters recommended modifying proposed
Sec. 164.510(b) to allow covered entities to disclose protected health
information without authorization to manufacturers registered with the
FDA to manufacture, distribute, or sell a prescription drug, device, or
biological product, in connection with post-marketing safety and
efficacy surveillance or for the entity to obtain information about the
drug, device, or product or its use. One commenter suggested including
in the regulation an illustrative list of examples of FDA-related
requirements, and stating in the preamble that all activities taken in
furtherance of compliance with FDA regulations are ``public health
activities.''
Response: We recognize that the FDA conducts or oversees many
activities that are critical to help ensure the safety or effectiveness
of the many products it regulates. These activities include, for
example, reporting of adverse events, product defects and problems;
product tracking; and post-marketing surveillance. In addition, we
believe that removing defective or harmful products from the market is
a critical national priority and is an important tool in FDA efforts to
promote the safety and efficacy of the products it regulates. We
understand that in most cases, the FDA lacks statutory authority to
require product recalls. We also recognize that the FDA typically does
not conduct recalls, repairs, or product replacement surveillance
directly, but rather, that it relies on the private entities it
regulates to collect data, notify patients when applicable, repair and
replace products, and undertake other activities to promote the safety
and effectiveness of FDA-regulated products.
We believe, however, that modifying the NPRM to allow disclosure of
protected health information to private entities as part of any data-
gathering activity related to a drug, device, or biological product or
its use, or for any activity that is consistent with, or that appears
to promote objectives specified, in FDA regulation would represent an
inappropriately broad exception to the general requirement to obtain
authorization prior to disclosure. Such a change could allow, for
example, drug companies to collect protected health information without
authorization to use for the purpose of marketing pharmaceuticals. We
do not agree that all activities taken to promote compliance with FDA
regulations represent public health activities as that term is defined
in this rule. In addition, we believe it would not be appropriate to
include in the regulation text an ``illustrative list'' of requirements
``related to'' the FDA. The regulation text and preamble list the FDA-
related activities for which we believe disclosure of protected health
information to private entities without authorization is warranted.
We believe it is appropriate to allow disclosure of protected
health information without authorization to private entities only: For
purposes that the FDA has, in effect, identified as national priorities
by issuing regulations or express directions requiring such disclosure;
or if such disclosure is necessary for a product recall. For example,
we believe it is appropriate to allow covered health care providers to
disclose to a medical device manufacturer recalling defective heart
valves the names and last known addresses of patients in whom the
provider implanted the valves. Thus, in the final rule, we allow
covered entities to disclose protected health information to entities
subject to FDA jurisdiction for the following activities: To report
adverse events (or similar reports with
[[Page 82670]]
respect to food or dietary supplements), product defects or problems
(including problems with the use or labeling of a product), or
biological product deviations, if the disclosure is made to the person
required or directed to report such information to the FDA; to track
products if the disclosure is made to a person required or directed by
the FDA to track the product; to enable product recalls, repairs, or
replacement (including locating and notifying individuals who have
received products of product recalls, withdrawals, or other problems);
or to conduct post-marketing surveillance to comply with requirements
or at the direction of the FDA. The preamble above provides further
detail on the meaning of some of the terms in this list. Covered
entities may disclose protected health information to entities for
activities other than those described above only as required by law;
with authorization; or if permissible under another section of this
rule.
We understand that many private registries, such as pregnancy
registries, currently obtain patient authorization for data collection.
We believe the approach of Sec. 164.512(b) strikes an appropriate
balance between the objective of promoting patient privacy and control
over their health information and the objective of allowing private
entities to collect data that ultimately may have important public
health benefits.
Comment: One commenter remarked that our proposal may impede fetal/
infant mortality and child fatality reviews.
Response: The final rule permits a covered entity to disclose
protected health information to a public health authority authorized by
law to conduct public health activities, including the collection of
data relevant to death or disease, in accordance with Sec. 164.512(b).
Such activities may also meet the definition of ``health care
operations.'' We therefore do not believe this rule impedes these
activities.
Comment: Several comments requested that the final regulation
clarify that employers be permitted to use and/or disclose protected
health information pursuant to the requirements of the Occupational
Safety and Health Act and its accompanying regulations (``OSHA''). A
few comments asserted that the regulation should not only permit
employers to use and disclose protected health information without
first obtaining an authorization consistent with OSHA requirements, but
also permit them to use and disclose protected health information if
the use or disclosure is consistent with the spirit of OSHA. One
commenter supported the permissibility of these types of uses and
disclosures, but warned that the regulation should not grant employers
unfettered access to the entire medical record of employees for the
purpose of meeting OSHA requirements. Other commenters noted that OSHA
not only requires disclosures to the Occupational Safety and Health
Administration, but also to third parties, such as employers and
employee representatives. Thus, this comment asked HHS to clarify that
disclosures to third parties required by OSHA are also permissible
under the regulation.
Response: Employers as such are not covered entities under HIPAA
and we generally do not have authority over their actions. When an
employer has a health care component, such as an on-site medical
clinic, and the components meets the requirements of a covered health
care provider, health plan or health care clearinghouse, the uses and
disclosures of protected health information by the health care
component, including disclosures to the larger employer entity, are
covered by this rule and must comply with its provisions.
A covered entity, including a covered health care provider, may
disclose protected health information to OSHA under Sec. 164.512(a), if
the disclosure is required by law, or if the disclosure is a
discretionary one for public health activities, under Sec. 164.512(b).
Employers may also request employees to provide authorization for the
employer to obtain protected health information from covered entities
to conduct analyses of work-related health issues. See Sec. 164.508.
We also permit covered health care providers who provide health
care as a workforce member of an employer or at the request of an
employer to disclose protected health information to the employer
concerning work-related injuries or illnesses or workplace medical
surveillance in situations where the employer has a duty to keep
records on or act on such information under the OSHA or similar laws.
We added this provision to ensure that employers are able to obtain the
information that they need to meet federal and state laws designed to
promote safer and healthier workplaces. These laws are vital to
protecting the health and safety of workers and we permit specified
covered health care providers to disclose protected health information
as necessary to carry out these purposes.
Comment: A few comments suggested that the final regulation clarify
how it would interact with existing and pending OSHA requirements. One
of these comments requested that the Secretary delay the effective date
of the regulation until reviews of existing requirements are complete.
Response: As noted in the ``Relationship to Other Federal Laws''
section of the preamble, we are not undertaking a complete review of
all existing laws with which covered entities might have to comply.
Instead we have described a general framework under which such laws may
be evaluated. We believe that adopting national standards to protect
the privacy of individually identifiable health information is an
urgent national priority. We do not believe that it is appropriate to
delay the effective date of this regulation.
Comment: One commenter asserted that the proposed regulation
conflicted with the OSHA regulation requirement that when a designated
representative (to whom the employee has already provided a written
authorization to obtain access) requests a release form for access to
employee medical records, the form must include the purpose for which
the disclosure is sought, which the proposed privacy regulation does
not require.
Response: We do not agree that this difference creates a conflict
for covered entities. If an employer seeks to obtain a valid
authorization under Sec. 164.508, it may add a purpose statement to the
authorization so that it complies with OSHA's requirements and is a
valid authorization under Sec. 164.508 upon which a covered entity may
rely to make a disclosure of protected health information to the
employer.
Comment: One commenter stated that access to workplace medical
records by the occupational medical physicians is fundamental to
workplace and community health and safety. Access is necessary whether
it is a single location or multiple sites of the same company, such as
production facilities of a national company located throughout the
country.
Response: We permit covered health care providers who provide
health care as a workforce member of an employer or at the request of
an employer to disclose protected health information to the employer
concerning work-related injuries or illnesses or workplace medical
surveillance, as described in this paragraph. Information obtained by
an employer under this paragraph would be available for it to use,
consistent with other laws and regulations, as it chooses and
throughout the national company. We do not regulate uses or disclosures
of individually identifiable health
[[Page 82671]]
information by employers acting as employers.
Section 164.512(c)--Disclosures About Victims of Abuse, Neglect, or
Domestic Violence
The NPRM did not include a paragraph specifically addressing
covered entities' disclosures of protected health information regarding
victims of abuse, neglect, or domestic violence. Rather, the NPRM
addressed disclosures about child abuse pursuant to proposed
Sec. 164.510(b), which would have allowed covered entities to report
child abuse to a public health authority or to another appropriate
authority authorized by law to receive reports of child abuse or
neglect. We respond to comments regarding victims of domestic violence
or abuse throughout the final rule where relevant. (See responses to
comments on Secs. 164.502(g), 164.510(b), 164.512(f)(3), 164.522, and
164.524.)
Comment: Several commenters urged us to require that victims of
domestic violence be notified about requests for or disclosures of
protected health information about them, so that victims could take
safety precautions.
Response: We agree that, in balancing the burdens on covered
entities from such a notification requirement against the benefits to
be gained, victims of domestic abuse merit heightened concern. For this
reason, we generally require covered entities to inform the individual
when they disclose protected health information to authorized
government authorities. As the Family Violence Prevention Fund has
noted in its Health Privacy Principles for Protecting Victims of
Domestic Violence (October 2000), victims of domestic violence and
abuse sometimes are subject to retaliatory violence. By informing a
victim of abuse or domestic violence of a disclosure to law enforcement
or other authorities, covered entities give victims the opportunity to
take appropriate safety precautions. See the above preamble discussion
of Sec. 164.512(c) for more detail about the requirements for
disclosing protected health information about victims of domestic
violence.
Comment: Some commenters argued that a consent requirement should
apply at a minimum to disclosures involving victims of crime or victims
of domestic violence.
Response: We agree, and we modify the proposed rule to require
covered entities to obtain an individual's agreement prior to
disclosing protected health information in most instances involving
victims of a crime or of abuse, neglect, or domestic violence. See the
above preamble discussions of Sec. 164.512(c), on disclosures about
victims of abuse, neglect, or domestic violence, and
Sec. 164.512(f)(3), on disclosures to law enforcement about crime
victims.
Section 164.512(d)--Uses and Disclosures for Health Oversight
Activities
Comment: A couple of commenters supported the NPRM's approach to
health oversight. Several other commenters generally supported the
NPRM's approach to disclosure of protected health information for
national priority purposes, and they recommended some clarification
regarding disclosure for health oversight. Two commenters recommended
clarifying in the final rule that disclosure is allowed to all federal,
state, and local agencies that use protected health information to
carry out legally mandated responsibilities.
Response: The final rule permits disclosures to public agencies
that meet the definition of a health oversight agency and for oversight
of the particular areas described in the statute. Section 164.512(a) of
the final rule permits disclosures that are required by law. As
discussed in the responses to comments of Sec. 164.512(a), we do not in
the final rule permit disclosures merely authorized by other laws that
do not fit within the other public policy purposes recognized by the
rule.
Comment: One commenter recommended clarifying in the final rule
that covered entities are not required to establish business partner
contracts with health oversight agencies or public health authorities
to release individually identifiable information to them for purposes
exempt from HIPAA and sanctioned by state law.
Response: The final rule does not require covered entities to
establish business associate contracts with health oversight agencies
when they disclose protected health information to these agencies for
oversight purposes.
Comment: Two commenters recommended clarifying in the regulation
text that the health oversight section does not create a new right of
access to protected health information.
Response: We agree and include such a statement in the preamble of
Sec. 164.512(d) of the final rule.
Comment: Several commenters were concerned that the proposed
oversight section allowed but did not require disclosure of protected
health information to health oversight agencies for oversight
activities.
Response: This rule's purpose is to protect the privacy of
individually identifiable health information. Except to enforce the
rule and to establish individuals' right to access their own protected
health information (see Sec. 164.502(a)(2)), we do not require
disclosure of protected health information to any person or entity. We
allow such disclosure for situations in which other laws require
disclosure.
Comment: Some commenters were concerned that the NPRM would have
allowed health oversight agencies to re-use and redisclose protected
health information to other entities, and they were particularly
concerned about re-disclosure to and re-use by law enforcement
agencies. One commenter believed that government agencies would use the
label of health oversight to gain access to protected health
information from covered entities--thereby avoiding the procedural
requirements of the law enforcement section (proposed Sec. 164.510(f))
and subsequently would turn over information to law enforcement
officials. Thus, these groups were concerned that the potential for
oversight access to protected health information under the rule to
become the ``back door'' to law enforcement access to such information.
Based on their concerns, these commenters recommended establishing
a general prohibition on the re-use and re-disclosure of protected
health information obtained by health oversight agencies in actions
against individuals. One health plan expressed general concern about
re-disclosure among all of the public agencies covered in the proposed
Sec. 164.510. It recommended building safeguards into the rule to
prevent information gathered for one purpose (for example, public
health) from being used for another purpose (such as health oversight).
Many of the commenters concerned about re-disclosure of protected
health information obtained for oversight purposes said that if the
Secretary lacked statutory authority to regulate oversight agencies'
re-disclosure of protected health information and the re-use of this
information by other agencies covered in proposed Sec. 164.510, the
President should issue an Executive Order barring such re-disclosure
and re-use. One of these groups specified that the Executive Order
should bar re-use and re-disclosure of protected health information in
actions against individuals.
In contrast, some commenters advocated information-sharing between
law enforcement and oversight agencies. Most of these commenters
recognized that the NPRM would have allowed re-use and re-disclosure of
protected health information from oversight to law
[[Page 82672]]
enforcement agencies, and they supported this approach.
Response: We believe that the language we have added to the rule,
at Sec. 164.512(d)(2) and the corresponding explanation in the
preamble, to clarify the boundary between disclosures for health
oversight and for law enforcement purposes should partially address the
concern expressed by some that oversight agencies will be the back door
for access by law enforcement. In situations when the individual is the
subject of an investigation or activity and the investigation or
activity is not related to health care fraud, the requirements for
disclosure to law enforcement must be met, and an oversight agency
cannot request the information under its more general oversight
authority.
We acknowledge, however, that there will be instances under the
rule when a health oversight agency (or a law enforcement agency in its
oversight capacity) that has obtained protected health information
appropriately will be able to redisclose the information to a law
enforcement agency for law enforcement purposes. Under HIPAA, we have
the authority to restrict re-disclosure of protected health information
only by covered entities. Re-disclosures by public agencies such as
oversight agencies are not within the purview of this rule. We support
the enactment of comprehensive privacy legislation that would govern
such public agencies' re-use and re-disclosure of this information.
Furthermore, in an effort to prevent health oversight provisions from
becoming the back door to law enforcement access to protected health
information, the President is issuing an Executive Order that places
strict limitations on the use of protected health information gathered
in the course of an oversight investigation for law enforcement
activities. For example, such use will be subject to review by the
Deputy Attorney General.
Comment: Several commenters recommended modifying the proposed
oversight section to require health oversight officials to justify and
document their need for identifiable information.
Response: We encourage covered entities to work with health
oversight agencies to determine the scope of information needed for
health oversight inquiries. However, we believe that requiring covered
entities to obtain extensive documentation of health oversight
information needs could compromise health oversight agencies' ability
to complete investigations, particularly when an oversight agency is
investigating the covered entity from which it is seeking information.
Comment: Several commenters believed that health oversight
activities could be conducted without access to individually
identifiable health information. Some of these groups recommended
requiring information provided to health oversight agencies to be de-
identified to the extent possible.
Response: We encourage health oversight agencies to use de-
identified information whenever possible to complete their
investigations. We recognize, however, that in some cases, health
oversight agencies need identifiable information to complete their
investigations. For example, as noted in the preamble to the NPRM, to
determine whether a hospital has engaged in fraudulent billing
practices, it may be necessary to examine billing records for a set of
individual cases. Similarly, to determine whether a health plan is
complying with federal or state health care quality standards, it may
be necessary to examine individually identifiable health information in
comparison with such standards. Thus, to allow health oversight
agencies to conduct the activities that are central to their mission,
the final rule does not require covered entities to de-identify
protected health information before disclosing it to health oversight
organizations.
Comment: One commenter recommended requiring whistleblowers,
pursuant to proposed Sec. 164.518(a)(4) of the NPRM, to raise the issue
of a possible violation of law with the affected covered entity before
disclosing such information to an oversight agency, attorney, or law
enforcement official.
Response: We believe that such a requirement would be
inappropriate, because it would create the potential for covered
entities that are the subject of whistleblowing to take action to evade
law enforcement and oversight action.
Comment: One commenter recommended providing an exemption from the
proposed rule's requirements for accounting for disclosures when such
disclosures were for health oversight purposes.
Response: We recognize that in some cases, informing individuals
that their protected health information has been disclosed to a law
enforcement official or to a health oversight agency could compromise
the ability of law enforcement and oversight officials to perform their
duties appropriately. Therefore, in the final rule, we retain the
approach of proposed Sec. 164.515 of the NPRM. Section 164.528(a)(2) of
the final rule states that an individual's right to receive an
accounting of disclosures to a health oversight agency, law enforcement
official, or for national security or intelligence purposes may be
temporarily suspended for the time specified by the agency or official.
As described in Sec. 164.528(a)(2), for such a suspension to occur, the
agency or official must provide the affected covered entity with a
written request stating that an accounting to the individual would be
reasonably likely to impede the agency's activity. The request must
specify the time for which the suspension is required. We believe that
providing a permanent exemption to the right to accounting for
disclosures for health oversight purposes would fail to ensure that
individuals are sufficiently informed about the extent of disclosures
of their protected health information.
Comment: One commenter recommended making disclosures to health
oversight agencies subject to a modified version of the NPRM's proposed
three-part test governing disclosure of protected health information to
law enforcement pursuant to an administrative request (as described in
proposed Sec. 164.510(f)(1)).
Response: We disagree that it would be appropriate to apply the
procedural requirements for law enforcement to health oversight. We
apply more extensive procedural requirements to law enforcement
disclosures than to disclosures for health oversight because we believe
that law enforcement investigations more often involve situations in
which the individual is the subject of the investigation (and thus
could suffer adverse consequences), and we believe that it is
appropriate to provide greater protection to individuals in such cases.
Health oversight involves investigations of institutions that use
health information as part of business functions, or of individuals
whose health information has been used to obtain a public benefit.
These circumstances justify broader access to information.
Overlap Between Law Enforcement and Oversight
Comment: Some commenters expressed concern that the NPRM's
provisions permitting disclosures for health oversight and disclosures
for law enforcement overlapped, and that the overlap could create
confusion among covered entities, members of the public, and government
agencies. The commenters identified particular factors that could lead
to confusion, including that (1) the phrase ``criminal, civil, or
administrative proceeding'' appeared in the definitions of both law
enforcement
[[Page 82673]]
and oversight; (2) the examples of oversight agencies listed in the
preamble included a number of organizations that also conduct law
enforcement activities; (3) the NPRM addressed the issue of disclosures
to investigate health care fraud in the law enforcement section
(Sec. 164.510(f)(5)), yet health care fraud investigations are central
to the mission of some health care oversight agencies; (4) the NPRM
established more stringent rules for disclosure of protected health
information pursuant to an administrative subpoena issued for law
enforcement than for disclosure pursuant to an oversight agency's
administrative subpoena; and (5) the preamble, but not the NPRM
regulation text, indicated that agencies conducting both oversight and
law enforcement activities would be subject to the oversight
requirements when conducting oversight activities.
Some commenters said that covered entities would be confused by the
overlap between law enforcement and oversight and that this concern
would lead to litigation over which rules should apply when an entity
engaged in more than one of the activities listed under the exceptions
in proposed Sec. 164.510. Other commenters believed that covered
entities could manipulate the NPRM's ambiguities in their favor, claim
that the more stringent law enforcement disclosure rules always should
apply, and thereby delay investigations. A few comments suggested that
the confusion could be clarified by making the regulation text
consistent with the preamble, by stating that when agencies conducting
both law enforcement and oversight seek protected health information as
part of their oversight activities, the oversight rules would apply.
Response: We agree that the boundary between disclosures for health
oversight and disclosures for law enforcement proposed in the NPRM
could have been more clear. Because many investigations, particularly
investigations involving public benefit programs, have both health
oversight and law enforcement aspects to them, and because the same
agencies often perform both functions, drawing any distinction between
the two functions is necessarily difficult. For example, traditional
law enforcement agencies, such as the Federal Bureau of Investigation,
have a significant role in health oversight. At the same time,
traditional health oversight agencies, such as federal Offices of
Inspectors General, often participate in criminal investigations.
To clarify the boundary between law enforcement and oversight for
purposes of complying with this rule, we add new language in the final
rule, at Sec. 164.512(d)(2). This section indicates that health
oversight activities do not include an investigation or activity in
which the individual is the subject of the investigation or activity
and the investigation or activity does not arise out of and is not
directly related to health care fraud. In this rule, we describe
investigations involving suspected health care fraud as investigations
related to: (1) The receipt of health care; (2) a claim for public
benefits related to health; or (3) qualification for, or receipt of
public benefits or services where a patient's health is integral to the
claim for public benefits or services. In such cases, where the
individual is the subject of the investigation and the investigation
does not relate to health care fraud, identified as investigations
regarding issues (a) through (c), the rules regarding disclosure for
law enforcement purposes (see Sec. 164.512(f)) apply.
Where the individual is not the subject of the activity or
investigation, or where the investigation or activity relates to health
care fraud, a covered entity may make a disclosure pursuant to
Sec. 164.512(d)(1), allowing uses and disclosures for health oversight
activities. For example, when the U.S. Department of Labor's Pension
and Welfare Benefits Administration (PWBA) needs to analyze protected
health information about health plan enrollees in order to conduct an
audit or investigation of the health plan (i.e., the enrollees are not
subjects of the investigation) to investigate potential fraud by the
health plan, the health plan may disclose protected health information
to the PWBA under the health oversight rules.
To clarify further that health oversight disclosure rules apply
generally in health care fraud investigations (subject to the exception
described above), in the final rule, we eliminate proposed
Sec. 164.510(f)(5)(i), which would have established requirements for
disclosure related to health fraud for law enforcement purposes. All
disclosures of protected health information that would have been
permitted under proposed Sec. 164.510(f)(5)(i) are permitted under
Sec. 164.512(d).
We also recognize that sections 201 and 202 of HIPAA, which
established a federal Fraud and Abuse Control Program and the Medicare
Integrity Program, identified health care fraud-fighting as a critical
national priority. Accordingly, under the final rule, in joint law
enforcement/oversight investigations involving suspected health care
fraud, the health oversight disclosures apply, even if the individual
also is the subject of the investigation.
We also recognize that in some cases, health oversight agencies may
conduct joint investigations with other oversight agencies involved in
investigating claims for benefits unrelated to health. For example, in
some cases, a state Medicaid agency may be working with officials of
the Food Stamps program to investigate suspected fraud involving
Medicaid and Food Stamps. While this issue was not raised specifically
in the comments, we add new language (Sec. 164.512(d)(3)) to provide
guidance to covered entities in such situations. Specifically, we
clarify that if a health oversight investigation is conducted in
conjunction with an oversight activity related to a claim for benefits
unrelated to health, the joint activity or investigation is considered
health oversight for purposes of the rule, and the covered entities may
disclose protected health information pursuant to the health oversight
provisions.
Comment: An individual commenter recommended requiring
authorization for disclosure of patient records in fraud
investigations, unless the individual was the subject or target of the
investigation. This commenter recommended requiring a search warrant
for cases in which the individual was the subject and stating that
fraud investigators should have access to the minimum necessary patient
information.
Response: As described above, we recognize that in some cases,
activities include elements of both law enforcement and health
oversight. Because we consider both of these activities to be critical
national priorities, we do not require covered entities to obtain
authorization for disclosure of protected health information to law
enforcement or health oversight agencies--including those oversight
activities related to health care fraud. We believe that investigations
involving health care fraud represent health oversight rather than law
enforcement. Accordingly, as indicated above, we remove proposed
Sec. 164.510(f)(5)(i) from the law enforcement section of the proposed
rule and clarify that all disclosures of protected health information
for health oversight are permissible without authorization. As
discussed in greater detail in Sec. 164.514, the final rule's minimum
necessary standard applies to disclosures under Sec. 164.512 unless the
disclosure is required by law under Sec. 164.512(a).
[[Page 82674]]
Comment: A large number of commenters expressed concern about the
potential for health oversight agencies to become, in effect, the
``back door'' for law enforcement access to such information. The
commenters suggested that health oversight agencies could use their
relatively unencumbered access to protected health information to
circumvent the more stringent process requirements that otherwise would
apply to disclosures for law enforcement purposes. These commenters
urged us to prohibit health oversight agencies from re-disclosing
protected health information to law enforcement.
Response: As indicated above, we do not intend for the rule's
permissive approach to health oversight or the absence of specific
documentation to permit the government to gather large amounts of
protected health information for purposes unrelated to health oversight
as defined in the rule, and we do not intend for these oversight
provisions to serve as a ``back door'' for law enforcement access to
protected health information. While we do not have the statutory
authority to regulate law enforcement and oversight agencies' re-use
and re-disclosure of protected health information, we strongly support
enactment of comprehensive privacy legislation that would govern public
agencies' re-use and re-disclosure of this information. Furthermore, in
an effort to prevent health oversight provisions from becoming the back
door to law enforcement access to protected health information, the
President is issuing an Executive Order that places strict limitations
on the use of protected health information gathered in the course of an
oversight investigation for law enforcement activities.
Comment: One commenter asked us to allow the requesting agency to
decide whether a particular request for protected health information
was for law enforcement or oversight purposes.
Response: As described above, we clarify the overlap between law
enforcement disclosures and health oversight disclosures based on the
privacy and liberty interests of the individual (whether the individual
also is the subject of the official inquiry) and the nature of the
public interest (whether the inquiry relates to health care fraud or to
another potential violation of law). We believe it is more appropriate
to establish these criteria than to leave the decision to the
discretion of an agency that has a stake in the outcome of the
investigation.
Section 164.512(e)--Disclosures for Judicial and Administrative
Proceedings
Comment: A few commenters suggested that the final rule not permit
disclosures without an authorization for judicial and administrative
proceedings.
Response: We disagree. Protected health information is necessary
for a variety of reasons in judicial and administrative proceedings.
Often it may be critical evidence that may or may not be about a party.
Requiring an authorization for all such disclosures would severely
impede the review of legal and administrative claims. Thus, we have
tried to balance the need for the information with the individual's
privacy. We believe the approach described above provides individuals
with the opportunity to object to disclosures and provides a mechanism
through which their privacy interests are taken into account.
Comment: A few commenters sought clarification about the
interaction between permissible disclosures for judicial and
administrative proceedings, law enforcement, and health oversight.
Response: In the final rule, we state that the provision permitting
disclosures without an authorization for judicial and administrative
proceedings does not supersede other provisions in Sec. 164.512 that
would otherwise permit or restrict the use or disclosure of protected
health information. Additionally, in the descriptive preamble of
Sec. 164.512, we provide further explanation of how these provisions
relate to one another.
Comments: Many commenters urged the Secretary to revise the rule to
state that it does not preempt or supersede existing rules and statutes
governing judicial proceedings, including rules of evidence, procedure,
and discovery. One commenter asserted that dishonest health care
providers and others should not be able to withhold their records by
arguing that state subpoena and criminal discovery statutes compelling
disclosure are preempted by the privacy regulation. Other commenters
maintained that there is no need to replace providers' current
practice, which typically requires either a signed authorization from
the patient or a subpoena to release medical information.
Response: These comments are similar to many of the more general
preemption comments we received. For a full discussion of the
Secretary's response on preemption issues, see part 160--subpart B.
Comment: One commenter stated that the proposed rule creates a
conflict with existing rules and statutes governing judicial
proceedings, including rules of evidence and discovery. This commenter
stated that the rule runs afoul of state judicial procedures for
enforcement of subpoenas that require judicial involvement only when a
party seeks to enforce a subpoena.
Response: We disagree with this comment. The final rule permits
covered entities to disclose protected health information for any
judicial or administrative procedure in response to a subpoena,
discovery request, or other lawful process if the covered entity has
received satisfactory assurances that the party seeking the disclosure
has made reasonable efforts to ensure that the individual has been
given notice of the request or has made reasonable efforts to secure a
qualified protective order from a court or administrative tribunal. A
covered entity may disclose protected health information in response to
a subpoena, discovery request, or other lawful process without a
satisfactory assurance if it has made reasonable efforts to provide the
individual with such notice or to seek a qualified protected order
itself. These rules do not require covered entities or parties seeking
the disclosure of protected health information to involve the
judiciary; they may choose the notification option rather than seeking
a qualified protective order.
Many states have already enacted laws that incorporate these
concepts. In California, for instance, an individual must be given ten
days notice that his or her medical records are being subpoenaed from a
health care provider and state law requires that the party seeking the
records furnishes the health care provider with proof that the notice
was given to the individual. In Montana, a party seeking discovery or
compulsory process of medical records must give notice to the
individual at least ten days in advance of serving the request on a
health care provider, Service of the request must be accompanied by
written certification that the procedure has been followed. In Rhode
Island, an individual must be given notice that his or her medical
records are being subpoenaed and notice of his or her right to object.
The party serving the subpoena on the health care provider must provide
written certification to the provider that: (1) This procedure has been
followed, (2) twenty days have passed from the date of service, and (3)
no challenge has been made to the disclosure or the court has ordered
disclosure after resolution of a legal court challenge. In Washington,
an individual must be given at least fourteen days from the date of
service of notice that his or her health information is the subject of
a
[[Page 82675]]
discovery request or compulsory process to obtain a protective order.
The notice must identify the health care provider from whom the
information is sought, specify the health care information that is
sought, and the date by which a protective order must be obtained in
order to prevent the provider from disclosing the information.
Comment: A few commenters expressed concern that the rule would
place unnecessary additional burdens on health care providers because
when they receive a request for disclosure in connection with an
administrative or judicial procedure, they would have to determine
whether the litigant's health was at issue before they made the
disclosure. A number of commenters complained that this requirement
would make it too easy for litigants to obtain protected health
information. One commenter argued that litigants should not be able to
circumvent state evidentiary rules that would otherwise govern
disclosure of protected health information simply upon counsel's
statement that the other party's medical condition or history is at
issue.
Other commenters, however, urged that disclosure without
authorization should be permitted whenever a patient places his or her
medical condition or history at issue and recommended requiring the
request for information to include a certification to this effect. Only
if another party to litigation has raised a medical question, do these
commenters believe a court order should be required. Similarly, one
commenter supported a general requirement that disclosure without
authorization be permitted only with a court order unless the patient
has placed his or her physical or mental condition at issue.
Response: We agree with the concerns expressed by several
commenters about this provision and have eliminated this requirement
from the final rule.
Comment: A number of commenters stated that the proposed rule
should be modified to permit disclosure without authorization pursuant
to a lawful subpoena. One commenter argued that the provision would
limit the scope of the Inspector General's subpoena power for judicial
and administrative proceedings to information concerning a litigant
whose health condition or history is at issue, and would impose a
requirement that the Inspector General provide a written certification
to that effect. Other commenters stated that the proposed rule would
seriously impair the ability of state agencies to conduct
administrative hearings on physician licensing and disciplinary
matters. These commenters stated that current practice is to obtain
information using subpoenas.
Other commenters argued that disclosure of protected health
information for judicial and administrative proceedings should require
a court order and/or judicial review unless the subject of the
information consents to disclosure. These commenters believed that an
attorney's certification should not be considered sufficient authority
to override an individual's privacy, and that the proposed rule made it
too easy for a party to litigation to obtain information about the
other party.
Response: As a general matter, we agree with these comments. As
noted, the final rule deletes the provision that would permit a covered
entity to disclose protected health information pursuant to an
attorney's certification that the individual is a party to the
litigation and has put his or her medical condition at issue. Under the
final rule, covered entities may disclose protected health information
in response to a court or administrative order, provided that only the
protected health information expressly authorized by the order is
disclosed. Covered entities may also disclose protected health
information in response to a subpoena, discovery request, or other
lawful process without a court order, but only if the covered entity
receives satisfactory assurances that the party seeking disclosure has
made reasonable efforts to ensure that the individual has been notified
of the request or that reasonable efforts have been made by the party
seeking the information to secure a qualified protective order.
Additionally, a covered entity may disclose protected health
information in response to a subpoena, discovery request, or other
lawful process without a satisfactory assurance if it makes reasonable
efforts to provide the individual with such notice or to seek a
qualified protected order itself.
We also note that the final rule specifically provides that nothing
in Subchapter C should be construed to diminish the authority of any
Inspector General, including authority provided in the Inspector
General Act of 1978.
Comment: A number of commenters expressed concern that the proposed
rule would not permit covered entities to introduce material evidence
in proceedings in which, for example, the provisions of an insurance
contract are at issue, or when a billing or payment issue is presented.
They noted that although the litigant may be the owner of an insurance
policy, he or she may not be the insured individual to whom the health
information pertains. In addition, they stated that the medical
condition or history of a deceased person may be at issue when the
deceased person is not a party.
Response: We disagree. Under the final rule, a covered entity may
disclose protected health information without an authorization pursuant
to a court or administrative order. It may also disclose protected
health information with an authorization for judicial or administrative
proceedings in response to a subpoena, discovery request, or other
lawful process without a court order, if the party seeking the
disclosure provides the covered entity with satisfactory assurances
that it has made reasonable efforts to ensure that the individual has
been notified of the request or to seek a qualified protective order.
Additionally, a covered entity may disclose protected health
information in response to a subpoena, discovery request, or other
lawful process without a satisfactory assurance if it makes reasonable
efforts to provide the individual with such notice or to seek a
qualified protected order itself. Therefore, a party may obtain the
information even if the subject of the information is not a party to
the litigation or deceased.
Comment: A few commenters argued that disclosure of protected
health information should be limited only to those cases in which the
individual has consented or a court order has been issued compelling
disclosure.
Response: The Secretary believes that such an approach would impose
an unreasonable burden on covered entities and the judicial system and
that greater flexibility is necessary to assure that the judicial and
administrative systems function smoothly. We understand that even those
states that have enacted specific statutes to protect the privacy of
health information have not imposed requirements as strict as these
commenters would suggest.
Comment: Many commenters asked that the final rule require the
notification of the disclosure be provided to the individual whose
health information is subject to disclosure prior to the disclosure as
part of a judicial or administrative proceeding. Most of these
commenters also asked that the rule require that the individual who is
the subject of a disclosure be given an opportunity to object to the
disclosure. A few commenters suggested that patients be given ten days
to object before requested information may be disclosed and recommend
that the rule require the requester to provide a certification that
notice has been provided and that ten days have passed
[[Page 82676]]
with no objection from the subject of the information. Some commenters
suggested that if a subpoena for disclosure is not accompanied by a
court order, the covered entities be prohibited from disclosing
protected health information unless the individual has been given
notice and an opportunity to object. Another commenter recommended
requiring, in most circumstances, notice and an opportunity to object
before a court order is issued and requiring the requestor of
information to provide a signed document attesting the date of
notification and forbid disclosure until ten days after notice is
given.
Response: We agree that in some cases the provision of notice with
an opportunity to object to the disclosure is appropriate. Thus, in the
final rule we provide that a covered entity may disclose protected
health information in response to a subpoena, discovery request or
other lawful process that is not accompanied by a court order if it
receives satisfactory assurance from the party seeking the request that
the requesting party has made a good faith attempt to provide written
notice to the individual that includes sufficient information about the
litigation or proceeding to permit the individual to raise an objection
to the court or administrative tribunal and that the time for the
individual to raise objections has elapsed (and that none were filed or
all have been resolved). Covered entities may make reasonable efforts
to provide such notice as well.
In certain instances, however, the final rule permits covered
entities to disclose protected health information for judicial and
administrative proceedings without notice to the individual if the
party seeking the request has made reasonable efforts to seek a
qualified protective order, as described in the rule. A covered entity
may also make reasonable efforts to seek a qualified protective order
in order to make the disclosure. Additionally, a covered entity may
disclose protected health information for judicial and administrative
proceedings in response to an order of a court or administrative
tribunal provided that the disclosure is limited to only that
information that is expressly authorized by the order. The Secretary
believes notice is not necessary in these instances because a court or
administrative tribunal is in the best position to evaluate the merits
of the arguments of the party seeking disclosure and the party who
seeks to block it before it issues the order and that imposing further
procedural obstacles before a covered entity may honor that disclosure
request is unnecessary.
Comment: Many commenters urged the Secretary to require specific
criteria for court and administrative orders. Many of these commenters
proposed that a provision be added to the rule that would require court
and administrative orders to safeguard the disclosure and use of
protected health information. These commenters urged that the
information sought must be relevant and material, as specific and
narrowly drawn as reasonably practicable, and only disclosed if de-
identified information could not reasonably be used.
Response: The Secretary's authority is limited to covered entities.
Therefore, we do not impose requirements on courts and administrative
tribunals. However, we note that the final rule limits the permitted
disclosures by covered entities in court or administrative proceedings
to only that information which is specified in the order from a court
or an administrative body should provide a degree of protection for
individuals from unnecessary disclosure.
Comment: Several commenters asked that the ``minimum necessary''
standard not apply to disclosures made pursuant to a court order
because individuals could then use the rule to contest the scope of
discovery requests. However, many other commenters recommended that the
rule permit disclosure only of information ``reasonably necessary'' to
respond to a subpoena. These commenters raised concerns with applying
the ``minimum necessary'' standard in judicial and administrative
proceedings, but did not believe the holder of protected health
information should have blanket authority to disclose all protected
health information. Some of the commenters urged that disclosure of any
information about third parties that may be included in the medical
records of another person-- for example, the HIV status of a partner--
be prohibited. Finally, some commenters disagreed with the proposed
rule because it did not require covered entities to evaluate the
validity of subpoenas and discovery requests to determine whether these
requests ask for the ``minimum necessary'' or ``reasonably necessary''
amount of information.
Response: Under the final rule, if the disclosure is pursuant to an
order of a court or administrative tribunal, covered entities may
disclose only the protected health information expressly authorized by
the order. In these instances, a covered entity is not required to make
a determination whether or not the order might otherwise meet the
minimum necessary requirement.
If the disclosure is pursuant to a satisfactory assurance from the
party seeking the disclosure, at least a good faith attempt has been
made to notify the individual in writing of the disclosure before it is
made or the parties have sought a qualified protective order that
prohibits them from using or disclosing the protected health
information for any purpose other than the litigation or proceeding for
which the information was requested and that the information will be
returned to the covered entity or destroyed at the end of the
litigation or the proceeding. Alternatively, the covered entity may
seek such notice or qualified protective order itself. This approach
provides the individual with protections and places the burden on the
parties to resolve their differences about the appropriateness and
scope of disclosure as part of the judicial or administrative procedure
itself before the order is issued, rather than requiring the covered
entity to get involved in evaluating the merits of the dispute in order
to determine whether or not the particular request is appropriate or
too broad. In these cases, the covered entity must disclose only the
protected health information that is the minimum amount necessary to
achieve the purpose for which the information is sought.
We share the concern of the commenters that covered entities should
redact any information about third parties before disclosing an
individual's protected health information. During the fact-finding
stage of our consideration of revisions to the proposed rule, we
discussed this issue with representatives of covered entities.
Currently, information about third parties is sometimes redacted by
medical records personnel responding to requests for information. In
particular, information regarding HIV status is treated with special
sensitivity by these professionals. Although we considered including a
special provision in the final rule prohibiting such disclosure, we
decided that the revisions made to the proposed rule would provide
sufficient protection. By restricting disclosure of protected health
information to only that information specified in a court or
administrative order or released pursuant to other types of lawful
process only if the individual had notice and an opportunity to object
or if the information was subject to a protective order, individuals
who are concerned about disclosure of information concerning third
parties will have the opportunity to raise that
[[Page 82677]]
issue prior to the request for disclosure being presented to the
covered entity. We are reluctant to put the covered entity in the
position of having to resolve disputes concerning the type of
information that may be disclosed when that dispute should more
appropriately be settled through the judicial or administrative
procedure itself.
Comment: One commenter asked that the final regulation clarify that
a court order is not required when disclosure would otherwise be
permitted under the rule. This commenter noted that the preamble states
that the requirement for a court order would not apply if the
disclosure would otherwise be permitted under the rule. For example,
disclosures of protected health information pursuant to administrative,
civil, and criminal proceedings relating to ``health oversight'' are
permitted, even if no court or administrative orders have been issued.
However, the commenter was concerned that this principle only appeared
in the preamble and not in the rule itself.
Response: Section 164.512(e)(4) of the final regulation contains
this clarification.
Comment: One commenter was concerned that the rule is unclear as to
whether governmental entities are given a special right to ``use''
protected health information that private parties do not have under the
proposed regulation or whether governmental entities that seek or use
protected health information are treated the same as private parties in
their use of such information. This commenter urged that we clarify our
intent regarding the use of protected health information by
governmental entities.
Response: Generally governmental entities are treated the same as
private entities under the rule. In a few clearly defined cases, a
special rule applies. For instance, under Sec. 164.504(e)(3), when a
covered entity and its business associate are both governmental
entities, they may enter into a memorandum of understanding or adopt a
regulation with the force and effect of law that incorporates the
requirements of a business associate contract, rather than having to
negotiate a business associate contract itself.
Comment: One commenter recommended that final rule state that
information developed as part of a quality improvement or medical error
reduction program may not be disclosed under this provision. The
commenter explained that peer review information developed to identify
and correct systemic problems in delivery of care must be protected
from disclosure to allow a full discussion of the root causes of such
events so they may be identified and addressed. According to the
commenter, this is consistent with peer review protections afforded
this information by the states.
Response: The question of whether or not such information should be
protected is currently the subject of debate in Congress and in the
states. It would be premature for us to adopt a position on this issue
until a clear consensus emerges. Under the final rule, no special
protection against disclosure is provided for peer review information
of the type the commenter describes. However, unless the request for
disclosure fits within one of the categories of permitted or required
disclosures under the regulation, it may not be disclosed. For
instance, if disclosure of peer review information is required by
another law (such as Medicare or a state law), covered entities subject
to that law may disclose protected health information consistent with
the law.
Comment: One commenter stated that the requirements of this section
are in conflict with Medicare contractor current practices, as defined
by the HCFA Office of General Counsel and suggested that the final rule
include more specific guidelines.
Response: Because the commenter failed to indicate the nature of
these conflicts, we are unable to respond.
Comment: One commenter stated that the rule should require rather
than permit disclosure pursuant to court orders.
Response: Under the statutory framework adopted by Congress in
HIPAA, a presumption is established that the data contained in an
individual's medical record belongs to the individual and must be
protected from disclosure to third parties. The only instance in which
covered entities holding that information must disclose it is if the
individual requests access to the information himself or herself. In
the final rule (as in the proposed rule), covered entities may use or
disclose protected health information under certain enumerated
circumstances, but are not required to do so. We do not believe that
this basic principle should be compromised merely because a court order
has been issued. Consistent with this principle, we provide covered
entities with the flexibility to deal with circumstances in which the
covered entity may have valid reasons for declining to release the
protected health information without violating this regulation.
Comment: One commenter noted that in some states, public health
records are not subject to discovery, and that the proposed rule would
not permit disclosure of protected health information pursuant to court
order or subpoena if the disclosure is not allowed by state law. The
commenter requested clarification as to whether a subpoena in a federal
civil action would require disclosure if a state law prohibiting the
release of public health records existed.
Response: As explained above, the final rule permits, but does not
require, disclosure of protected health information pursuant to a court
order. Under the applicable preemption provisions of HIPAA, state laws
relating to the privacy of medical information that are more stringent
than the federal rules are not preempted. To the extent that an
applicable state law precludes disclosure of protected health
information that would otherwise be permitted under the final rule,
state law governs.
Comment: A number of commenters expressed concern that the proposed
rule would negatively impact state and federal benefits programs,
particularly social security and workers' compensation. One commenter
requested that the final rule remove any possible ambiguity about
application of the rule to the Social Security Administration's (SSA)
evidence requests by permitting disclosure to all administrative level
of benefit programs. In addition, several commenters stated that
requiring SSA or states to provide the covered entity holding the
protected health information with an individual's consent before it
could disclose the information would create a huge administrative and
paperwork burden with no added value to the individual. In addition,
several other commenters indicated that states that make disability
determinations for SSA also support special accommodation for SSA's
determination process. They expressed concern that providers will
narrowly interpret the HIPAA requirements, resulting in significant
increases in processing time and program costs for obtaining medical
evidence (especially purchased consultative examinations when evidence
of record cannot be obtained). A few commenters were especially
concerned about the impact on states and SSA if the final rule were to
eliminate the NPRM's provision for a broad consent for ``all evidence
from all sources.''
Some commenters also note that it would be inappropriate for a
provider to make a minimum necessary determination in response to a
request from SSA because the provider usually will not know the legal
parameters of SSA's programs, or have access to the
[[Page 82678]]
individual's other sources of evidence. In addition, one commenter
urged the Secretary to be sensitive to these concerns about delay and
other negative impacts on the timely determination of disability by SSA
for mentally impaired individuals.
Response: Under the final rule, covered entities may disclose
protected health information pursuant to an administrative order so the
flow of protected health information from covered entities to SSA and
the states should not be disrupted.
Although some commenters urged that special rules should be
included for state and federal agencies that need protected health
information, the Secretary rejects that suggestion because, wherever
possible, the public and the private sectors should operate under the
same rules regarding the disclosure of health information. To the
extent the activities of SSA constitute an actual administrative
tribunal, covered entities must follow the requirements of
Sec. 164.512(e), if they wish to disclose protected health information
to SSA in those circumstances. Not all administrative inquiries are
administrative tribunals, however. If SSA's request for protected
health information comes within another category of permissible
exemptions, a covered entity, following the requirements of the
applicable section, may disclose the information to SSA. For example,
if SSA seeks information for purposes of health oversight, a covered
entity that wishes to disclose the information to SSA may do so under
Sec. 164.512(d) and not Sec. 164.512(e). If the disclosure does not
come within one of the other permissible disclosures would a covered
entity need to meet the requirements of Sec. 164.512(e). If the SSA
request does not come within another permissible disclosure, the agency
will be treated like anyone else under the rules.
The Secretary recognizes that even under current circumstances,
professional medical records personnel do not always respond
unquestioningly to an agency's request for health information. During
the fact finding process, professionals charged with managing provider
response to requests for protected health information indicated to us
that when an agency's request for protected health information is over
broad, the medical records professional will contact the agency and
negotiate a more limited request. In balancing the interests of
individuals against the need of governmental entities to receive
protected health information, we think that applying the minimum
necessary standard is appropriate and that covered entities should be
responsible for ensuring that they disclose only that protected health
information that is necessary to achieve the purpose for which the
information is sought.
Comment: In a similar vein, one commenter expressed concern that
the proposed rule would adversely affect the informal administrative
process usually followed in processing workers' compensation claims.
Using formal discovery is not always possible, because some programs do
not permit it. The commenter urged that the final rule must permit
administrative agencies, employers, and workers' compensation carriers
to use less formal means to obtain relevant medical evidence while the
matter is pending before the agency. This commenter asked that the rule
be revised to permit covered entities to disclose protected health
information without authorization for purposes of federal or state
benefits determinations at all levels of processing, from the initial
application through continuing disability reviews.
Response: If the disclosure is required by a law relating to
workers' compensation, a covered entity may disclose protected health
information as authorized by and to the extent necessary to comply with
that law under Sec. 164.512(l). If the request for protected health
information in connection with a workers' compensation claim is part of
an administrative proceeding, a covered entity must meet the
requirements set forth in Sec. 164.512(e), and discussed above, before
disclosing the information. As noted, one permissible manner by which a
covered entity may disclose protected health information under
Sec. 164.512(e) is if the party seeking the disclosure makes reasonable
efforts to provide notice to the individual as required by this
provision. Under this method, the less formal process noted by the
commenter would not be disturbed. Covered entity may disclose protected
health information in response to other types of requests only as
permitted by this regulation.
Section 164.512(f)--Disclosures for Law Enforcement Purposes
General Comments on Proposed Sec. 164.510(f)
Comment: Some commenters argued that current law enforcement use of
protected health information was legitimate and important. These
commenters cited examples of investigations and prosecutions for which
protected health information is needed, from white collar insurance
fraud to violent assault, to provide incriminating evidence or to
exonerate a suspect, to determine what charges are warranted and for
bail decisions. For example, one commenter argued that disclosure of
protected health information for law enforcement purposes should be
exempt from the rule, because the proposed regulation would hamper Drug
Enforcement Administration investigations. A few commenters argued that
effective law enforcement requires early access to as much information
as possible, to rule out suspects, assess severity of criminal acts,
and for other purposes. A few commenters noted the difficulties
criminal investigators and prosecutors face when fighting complex
criminal schemes. In general, these commenters argued that all
disclosures of protected health information to law enforcement should
be allowed, or for elimination of the process requirements proposed in
Sec. 164.510(f)(1).
Response: The importance and legitimacy of law enforcement
activities are beyond question, and they are not at issue in this
regulation. We permit disclosure of protected health information to law
enforcement officials without authorization in some situations
precisely because of the importance of these activities to public
safety. At the same time, individuals' privacy interests also are
important and legitimate. As with all the other disclosures of
protected health information permitted under this regulation, the rules
we impose attempt to balance competing and legitimate interests.
Comment: Law enforcement representatives stated that law
enforcement agencies had a good track record of protecting patient
privacy and that additional restrictions on their access and use of
information were not warranted. Some commenters argued that no new
limitations on law enforcement access to protected health information
were necessary, because sufficient safeguards exist in state and
federal laws to prevent inappropriate disclosure of protected health
information by law enforcement.
Response: Disclosure of protected health information by law
enforcement is not at issue in this regulation. Law enforcement access
to protected health information in the first instance, absent any re-
disclosure by law enforcement, impinges on individuals' privacy
interests and must therefore be justified by a public purpose that
outweighs individuals' privacy interests.
We do not agree that sufficient safeguards already exist in this
area. We are not aware of, and the comments did
[[Page 82679]]
not provide, evidence of a minimum set of protections for individuals
relating to access by law enforcement to their protected health
information. Federal and state laws in this area vary considerably, as
they do for other areas addressed in this final rule. The need for
standards in this area is no less critical than in the other areas
addressed by this rule.
Comment: Many commenters argued that no disclosures of protected
health information should be made to law enforcement (absent
authorization) without a warrant issued by a judicial officer after a
finding of probable cause. Others argued that a warrant or subpoena
should be required prior to disclosure of protected health information
unless the disclosure is for the purposes of identifying a suspect,
fugitive, material witness, or missing persons, as described in
proposed Sec. 164.510(f)(2). Some commenters argued that judicial
review prior to release of protected health information to law
enforcement should be required absent the exigent and urgent
circumstances identified in the NPRM in Sec. 164.510(f)(3) and (5), or
absent ``a compelling need'' or similar circumstances.
Response: In the final rule, we attempt to match the level of
procedural protection for privacy required by this rule with the nature
of the law enforcement need for access, the existence of other
procedural protections, and individuals' privacy interests. Where other
rules already impose procedural protections, this rule generally relies
on those protections rather than imposing new ones. Thus, where access
to protected health information is granted after review by an
independent judicial officer (such as a court order or court-ordered
warrant, or a subpoena or summons issued by a judicial officer), no
further requirements are necessary. Similarly, because information
disclosed to a grand jury is vital to law enforcement purposes and is
covered by secrecy protection, this rule allows disclosure with no
further process.
We set somewhat stricter standards for disclosure of protected
health information pursuant to administrative process, such as
administrative subpoenas, summonses, and civil or authorized
investigative demands. In these cases, the level of existing procedural
protections is lower than for judicially-approved or grand jury
disclosures. We therefore require a greater showing, specifically, the
three-part test described in Sec. 164.512(f)(1)(ii), before the covered
entity is permitted to release protected health information. Where the
information to be disclosed is about the victim of a crime, privacy
interests are heightened and we require the victim's agreement prior to
disclosure in most instances.
In the limited circumstances where law enforcement interests are
heightened, we allow disclosure of protected health information without
prior legal process or agreement, but we impose procedural protections
such as limits on the information that may lawfully be disclosed,
limits on the circumstances in which the information may be disclosed,
and requirements for verifying the identity and authority of the person
requesting the disclosures. For example, in some cases law enforcement
officials may seek limited but focused information needed to obtain a
warrant. A witness to a shooting may know the time of the incident and
the fact that the perpetrator was shot in the left arm, but not the
identity of the perpetrator. Law enforcement would then have a
legitimate need to ask local emergency rooms whether anyone had
presented with a bullet wound to the left arm near the time of the
incident. Law enforcement may not have sufficient information to obtain
a warrant, but instead would be seeking such information. In such
cases, when only limited identifying information is disclosed and the
purpose is solely to ascertain the identity of a person, the invasion
of privacy would be outweighed by the public interest. For such
circumstances, we allow disclosure of protected health information in
response to a law enforcement inquiry where law enforcement is seeking
to identify a suspect, fugitive, material witness, or missing person,
but allow only disclosure of a limited list of information.
Similarly, it is in the public interest to allow covered entities
to take appropriate steps to protect the integrity and safety of their
operations. Therefore, we permit covered entities on their own
initiative to disclose to law enforcement officials protected health
information for this purpose. However, we limit such disclosures to
protected health information that the covered entity believes in good
faith constitutes evidence of criminal conduct that occurred on the
premises of the covered entity.
We shape the rule's provisions with respect to law enforcement
according to the limited scope of our regulatory authority under HIPAA,
which applies only to the covered entities and not to law enforcement
officials. We believe the rule sets the correct standards for when an
exception to the rule of non-disclosure is appropriate for law
enforcement purposes. There may be advantages, however, to legislation
that applies the appropriate standards directly to judicial officers,
prosecutors in grand juries, and to those making administrative or
other requests for protected health information, rather than to covered
entities. These advantages could include measures to hold officials
accountable if they seek or receive protected health information
contrary to the legal standard. In Congressional consideration of law
enforcement access, there have also been useful discussions of other
topics, such as limits on re-use of protected health information
gathered in the course of health oversight activities. The limitations
on our regulatory authority provide additional reason to support
comprehensive medical privacy legislation.
Comment: A few commenters cited existing sanctions for law
enforcement officials who violate the rights of individuals in
obtaining evidence, ranging from suppression of that evidence to
monetary penalties, and argued that such sanctions are sufficient to
protect patients' privacy interests.
Response: After-the-fact sanctions are important, but they are
effective only when coupled with laws that establish the ground rules
for appropriate behavior. That is, a sanction applies only where some
other rule has been violated. This regulation sets such basic ground
rules. Further, under the HIPAA statutory authority, we cannot impose
sanctions on law enforcement officials or require suppression of
evidence. We must therefore rely on rules that regulate disclosure of
protected health information by covered entities in the first instance.
Comment: Several commenters argued that disclosure of protected
health information under Sec. 164.510(f) should be mandatory, not just
permitted. Others argued that we should mandate disclosure of protected
health information in response to Inspector General subpoenas. A few
commenters argued that we should require all covered entities to
include disclosure of protected health information to law enforcement
in their required notice of privacy practices.
Response: The purpose of this regulation is to protect individuals'
privacy interests, consistent with other important public activities.
Other laws set the rules governing those public activities, including
when health information is necessary for their effective operation. See
discussion of Sec. 164.512(a).
[[Page 82680]]
Comment: Some commenters questioned whether the Secretary had
statutory authority to directly or indirectly impose new procedural or
substantive requirements on otherwise lawful legal process issued under
existing federal and state rules. They argued that, while the
provisions are imposed on ``covered entities,'' the rule would result
in law enforcement officials being compelled to modify current
practices to harmonize them with the requirements this rule imposes on
covered entities. A number of state law enforcement agencies argued
that the rule would place new burdens on state administrative subpoenas
and requests that are intrusive in state functions. At least one
commenter argued that the requirement for prior process places
unreasonable restrictions on the right of the states to regulate law
enforcement activities.
Response: This rule regulates the ability of health care
clearinghouses, health plans, and covered health care providers to use
and disclose health information. It does not regulate the behavior of
law enforcement officials or the courts, nor does it prevent states
from regulating law enforcement officials. All regulations have some
effects on entities that are not directly regulated. We have considered
those effects in this instance and have determined that the provisions
of the rule are necessary to protect the privacy of individuals.
Comment: One commenter argued that state licensing boards should be
exempt from restrictions placed on law enforcement officials, because
state licensing and law enforcement are different activities.
Response: Each state's law determines what authorities are granted
to state licensing boards. Because state laws differ in this regard, we
cannot make a blanket determination that state licensing officials are
or are not law enforcement officials under this regulation. We note,
however, that the oversight of licensed providers generally is included
as a health oversight activity at Sec. 164.512(d).
Relationship to Existing Rules and Practices
Comment: Many commenters expressed concern that the proposed rule
would have expanded current law enforcement access to protected health
information. Many commenters said that the NPRM would have weakened
their current privacy practices with respect to law enforcement access
to health records. For example, some of the commenters arguing that a
warrant or subpoena should be required prior to disclosure of protected
health information unless the disclosure is for the purposes of
identifying a suspect, fugitive, material witness, or missing persons,
did so because they believed that such a rule would be consistent with
current state law practices.
Response: This regulation does not expand current law enforcement
access to protected health information. We do not mandate any
disclosures of protected health information to law enforcement
officials, nor do we make lawful any disclosures of protected health
information which are unlawful under other rules and regulations.
Similarly, this regulation does not describe a set of ``best
practices.'' Nothing in this regulation should cause a covered entity
to change practices that are more protective of privacy than the floor
of protections provided in this regulation.
This regulation sets forth the minimum practices which a covered
entity must undertake in order to avoid sanctions under the HIPAA. We
expect and encourage covered entities to exercise their judgment and
professional ethics in using and disclosing health information, and to
continue any current practices that provide privacy protections greater
than those mandated in this regulation.
Comment: Many commenters asserted that, today, consent or judicial
review always is required prior to release of protected health
information to law enforcement; therefore, they said that the proposed
rule would have lessened existing privacy protections.
Response: In many situations today, law enforcement officials
lawfully obtain health information absent any prior legal process and
absent exigent circumstances. The comments we received on the NPRM,
both from law enforcement and consumer advocacy groups, describe many
such situations. Moreover, this rule sets forth minimum privacy
protections and does not preempt more stringent, pre-existing
standards.
Comment: Some commenters argued that health records should be
entitled to at least as much protection as cable subscription records
and video rental records.
Response: We agree. The Secretary, in presenting her initial
recommendations on the protection of health information to the Congress
in 1997, stated that, ``When Congress looked at the privacy threats to
our credit records, our video records, and our motor vehicle records,
it acted quickly to protect them. It is time to do the same with our
health care records' (Testimony of Donna E. Shalala, Secretary, U. S.
Department of Health and Human Services, before the Senate Committee on
Labor & Human Resources, September 11, 1997). However, the limited
jurisdiction conferred on us by the HIPAA does not allow us to impose
such restrictions on law enforcement officials or the courts.
Comment: At least one commenter argued that the regulation should
allow current routine uses for law enforcement under the Privacy Act.
Response: This issue is discussed in the ``Relationship to Other
Federal Laws'' preamble discussion of the Privacy Act.
Comment: A few commenters expressed concern that people will 8be
less likely to provide protected health information for public health
purposes if they fear the information could be used for law enforcement
purposes.
Response: This regulation does not affect law enforcement access to
records held by public health authorities, nor does it expand current
law enforcement access to records held by covered entities. These
agencies are for the most part not covered entities under HIPAA.
Therefore, this regulation should not reduce current cooperation with
public health efforts.
Relationship to Other Provisions of This Regulation
Comment: Several commenters pointed out an unintended interaction
between proposed Secs. 164.510(f) and 164.510(n). Because proposed
Sec. 164.510(n), allowing disclosures mandated by other laws, applied
only if the disclosure would not fall into one of the categories of
disclosures provided for in Sec. 164.510 (b)-(m), disclosures of
protected health information mandated for law enforcement purposes by
other law would have been preempted.
Response: We agree, and in the final rule we address this
unintended interaction. It is not our intent to preempt these laws. To
clarify the interaction between these provisions, in the final rule we
have specifically added language to the paragraph addressing
disclosures for law enforcement that permits covered entities to comply
with legal mandates, and have included a specific cross reference in
the provision of the final rule that permits covered entities to make
other disclosures required by law. See Sec. 164.512(a).
Comment: Several commenters argued that, when a victim of abuse or
of a crime has requested restrictions on disclosure, the restrictions
should be communicated to any law enforcement officials who receive
that protected health information.
Response: We do not have the authority to regulate law enforcement
[[Page 82681]]
use and disclosure of protected health information, and therefore we
could not enforce any such restrictions communicated to law enforcement
officials. For this reason, we determined that the benefits to be
gained from requiring communication of restrictions would not outweigh
the burdens such a requirement would place on covered entities. We
expect that professional ethics will guide health care providers'
communications to law enforcement officials about the welfare of
victims of abuse or other crime.
Comment: Some commenters argued against imposing the ``minimum
necessary'' requirement on disclosure of protected health information
to law enforcement officials. Some law enforcement commenters expressed
concern that the ``minimum necessary'' test could be ``manipulated'' by
a covered entity that wished to withhold relevant evidence. A number of
covered entities complained that they were ill-equipped to substitute
their judgment for that of law enforcement for what was the minimum
amount necessary, and they also argued that the burden of determining
the ``minimum necessary'information should be transferred to law
enforcement agencies. Some commenters argued that imposing such
``uninformed'' discretion on covered entities would delay or thwart
legitimate investigations, and would result in withholding information
that might exculpate an individual or might be necessary to present a
defendant's case. One comment suggested that covered entities have
``immunity'' for providing too much information to law enforcement.
Response: The ``minimum necessary'' standard is discussed at
Sec. 164.514.
Comment: A few commenters asked us to clarify when a disclosure is
for a ``Judicial or Administrative Proceeding'' and when it is for
``Law Enforcement'' purposes.
Response: In the final rule we have clarified that Sec. 164.512(e)
relating to disclosures for judicial or administrative proceedings does
not supersede the authority of a covered entity to make disclosures
under other provisions of the rule.
Use of Protected Health Information After Disclosure to Law Enforcement
Comment: Many commenters recommended that we restrict law
enforcement officials' re-use and re-disclosure of protected health
information. Some commenters asked us to impose such restrictions,
while other commenters noted that the need for such restrictions
underscores the need for legislation. Another argued for judicial
review prior to release of protected health information to law
enforcement because this regulation cannot limit further uses or
disclosures of protected health information once it is in the hands of
law enforcement agencies.
Response: We agree that there are advantages to legislation that
imposes appropriate restrictions directly on the re-use and re-
disclosure of protected health information by many persons who may
lawfully receive protected health information under this regulation,
but whom we cannot regulate under the HIPAA legislative authority,
including law enforcement agencies.
Comment: A few commenters expressed concern that protected health
information about persons who are not suspects may be used in court and
thereby become public knowledge. These commenters urged us to take
steps to minimize or prevent such protected health information from
becoming part of the public record.
Response: We agree that individuals should be protected from
unnecessary public disclosure of health information about them.
However, we do not have the statutory authority in this regulation to
require courts to impose protective orders. To the extent possible
within the HIPAA statutory authority, we address this problem in
Sec. 164.512(e), Judicial and Administrative Proceedings.
Comment: Some commenters argued that evidence obtained in violation
of the regulation should be inadmissible at trial.
Response: In this regulation, we do not have the authority to
regulate the courts. We can neither require nor prohibit courts from
excluding evidence obtain in violation of this regulation.
Comments Regarding Proposed Sec. 164.510(f)(1), Disclosures to Law
Enforcement Pursuant to Process
Comments Supporting or Opposing a Requirement of Consent or Court Order
Comment: Some commenters argued that a rule that required a court
order for every instance that law enforcement sought protected health
information would impose substantial financial and administrative
burdens on federal and state law enforcement and courts. Other
commenters argued that imposing a new requirement of prior judicial
process would compromise the time-sensitive nature of many
investigations.
Response: We do not impose such a requirement in this regulation.
Comment: Many commenters argued that proposed Sec. 164.510(f)(1)
would have given law enforcement officials the choice of obtaining
records with or without a court order, and that law enforcement ``will
choose the least restrictive means of obtaining records, those that do
not require review by a judge or a prosecutor.'' Several commenters
argued that this provision would have provided the illusion of
barriers--but no real barriers--to law enforcement access to protected
health information. A few argued that this provision would have allowed
law enforcement to regulate itself.
Response: We agree with commenters that, in some cases, a law
enforcement official may have discretion to seek health information
under more than one legal avenue. Allowing a choice in these
circumstances does not mean an absence of real limits. Where law
enforcement officials choose to obtain protected health information
through administrative process, they must meet the three-part test
required by this regulation.
Comment: At least one commenter argued for judicial review prior to
disclosure of health information because the rule will become the ``de
facto'' standard for release of protected health information.
Response: We do not intend for this regulation to become the ``de
facto'' standard for release of protected health information. Nothing
in this regulation limits the ability of states and other governmental
authorities to impose stricter requirements on law enforcement access
to protected health information. Similarly, we do not limit the ability
of covered entities to adopt stricter policies for disclosure of
protected health information not mandated by other laws.
Comment: A few commenters expressed concern that proposed
Sec. 164.510(f)(1) would have overburdened the judicial system.
Response: The comments did not provide any factual basis for
evaluating this concern.
Comment: Some commenters argued that, while a court order should be
required, the standard of proof should be something other than
``probable cause.'' For example, one commenter argued that the court
should apply the three-part test proposed in Sec. 164.510(f)(1)(i)(C).
Another commenter suggested a three-part test: The information is
necessary, the need cannot be met with non-identifiable information,
and the need of law enforcement outweighs the privacy interest of the
patient. Some commenters suggested that we impose a ``clear and
convincing'' standard. Another suggested that we require clear and
convincing evidence that: (1) The
[[Page 82682]]
information sought is relevant and material to a legitimate criminal
investigation; (2) the request is as specific and narrow as is
reasonably practicable; (3) de-identified information, for example
coded records, could not reasonably be used; (4) on balance, the need
for the information outweighs the potential harm to the individuals and
to patient care generally; and (5) safeguards appropriate to the
situation have been considered and imposed. This comment also suggested
the following as such appropriate safeguard: granting only the right to
inspect and take notes; allowing copying of only certain portions of
records; prohibiting removing records from the premises; placing limits
on subsequent use and disclosure; and requiring return or destruction
of the information at the earliest possible time.) Others said the
court order should impose a ``minimum necessary'' standard.
Response: We have not revised the regulation in response to
comments suggesting that we impose additional standards relating to
disclosures to comply with court orders. Unlike administrative
subpoenas, where there is no independent review of the order, court
orders are issued by an independent judicial officer, and we believe
that covered entities should be permitted under this rule to comply
with them. Court orders are issued in a wide variety of cases, and we
do not know what hardships might arise by imposing standards that would
require judicial officers to make specific findings related to privacy.
Comment: At least one commenter argued that the proposed rule would
have placed too much burden on covered entities to evaluate whether to
release information in response to a court order. This comment
suggested that the regulation allow disclosure to attorneys for
assessment of what the covered entity should release in response to a
court order.
Response: This regulation does not change current requirements on
or rights of covered entities with respect to court orders for the
release of health information. Where such disclosures are required
today, they continue to be required under this rule. Where other law
allows a covered entity to challenge a court order today, this rule
will not reduce the ability of a covered entity to mount such a
challenge. Under Sec. 164.514, a covered entity will be permitted to
rely on the face of a court order to meet this rule's requirements for
verification of the legal authority of the request for information. A
covered entity may disclose protected health information to its
attorneys as needed, to perform health care operations, including to
assess the covered entity's appropriate response to court orders. See
definition of ``health care operations'' under Sec. 164.501.
Comment: Many commenters argued that the regulation should prohibit
disclosures of protected health information to law enforcement absent
patient consent.
Response: We disagree with the comment. Requiring consent prior to
any release of protected health information to a law enforcement
official would unduly jeopardize public safety. Law enforcement
officials need protected health information for their investigations in
a variety of circumstances. The medical condition of a defendant could
be relevant to whether a crime was committed, or to the seriousness of
a crime. The medical condition of a witness could be relevant to the
reliability of that witness. Health information may be needed from
emergency rooms to locate a fleeing prison escapee or criminal suspect
who was injured and is believed to have stopped to seek medical care.
These and other uses of medical information are in the public
interest. Requiring the authorization of the subject prior to
disclosure could make apprehension or conviction of some criminals
difficult or impossible. In many instances, it would not be possible to
obtain such consent, for example because the subject of the information
could not be located in time (or at all). In other instances, the
covered entity may not wish to undertake the burden of obtaining the
consent. Rather than an across-the-board consent requirement, to
protect individuals' privacy interests while also promoting public
safety, we impose a set of procedural safeguards (described in more
detail elsewhere in this regulation) that covered entities must ensure
are met before disclosing protected health information to law
enforcement officials.
In most instances, such procedural safeguards consist of some prior
legal process, such as a warrant, grand jury subpoena, or an
administrative subpoena that meets a three-part test for protecting
privacy interests. When the information to be disclosed is about the
victim of a crime, privacy interests are heightened and we require the
victim's agreement prior to disclosure in most instances. In the
limited circumstances where law enforcement interests are heightened
and we allow disclosure of protected health information without prior
legal process or agreement, the procedural protections include limits
on the information that may lawfully be disclosed, the circumstances in
which the information may be disclosed, and requirements for verifying
the identity and authority of the person requesting the disclosures.
We also allow disclosure of protected health information to law
enforcement officials without consent when other law mandates the
disclosures. When such other law exists, another public entity has made
the determination that law enforcement interests outweigh the
individual's privacy interests in the situations described in that
other law, and we do not upset that determination in this regulation.
Comment: Several commenters recommended requiring that individuals
receive notice and opportunity to contest the validity of legal process
under which their protected health information will be disclosed, prior
to disclosure of their records to law enforcement. Some of these
commenters recommended adding this requirement to provisions proposed
in the NPRM, while others recommended establishing this requirement as
part of a new requirement for a judicial warrant prior to all
disclosures of protected health information to law enforcement. At
least one of these commenters proposed an exception to such a notice
requirement where notice might lead to destruction of the records.
Response: Above we discuss the reasons why we believe it is
inappropriate to require consent or a judicial order prior to any
release of protected health information to law enforcement. Many of
those reasons apply here, and they lead us not to impose such a notice
requirement.
Comment: A few commenters believed that the proposed requirements
in Sec. 164.510(f)(1) would hinder investigations under the Civil
Rights for Institutionalized Persons Act (CRIPA).
Response: We did not intend that provision to apply to
investigations under CRIPA, and we clarify in the final rule that
covered entities may disclose protected health information for such
investigations under the health oversight provisions of this regulation
(see Sec. 164.512(d) for further detail).
Comments Suggesting Changes to the Proposed Three-Part Test
Comment: Many commenters argued for changes to the proposed three-
part test that would make the test more difficult to meet. Many of
these urged greater, but unspecified, restrictions. Others argued that
the proposed test was too stringent, and that it would have hampered
criminal investigations and prosecutions. Some argued that it
[[Page 82683]]
was too difficult for law enforcement to be specific at the beginning
of an investigation. Some argued that there was no need to change
current practices, and they asked for elimination of the three-part
test because it was ``more stringent'' than current practices and would
make protected health information more difficult to obtain for law
enforcement purposes. These commenters urged elimination of the three-
part test so that administrative bodies could continue current
practices without additional restrictions. Some of these argued for
elimination of the three-part test for all administrative subpoenas;
others argued for elimination of the three-part test for administrative
subpoenas from various Inspectors General offices. A few commenters
argued that the provisions in proposed Sec. 164.510(f)(1) should be
eliminated because they would have burdened criminal investigations and
prosecutions but would have served ``no useful public purpose.''
Response: We designed the proposed three-part test to require proof
that the government's interest in the health information was
sufficiently important and sufficiently focused to overcome the
individual's privacy interest. If the test were weakened or eliminated,
the individual's privacy interest would be insufficiently protected. At
the same time, if the test were significantly more difficult to meet,
law enforcement's ability to protect the public interest could be
unduly compromised.
Comment: At least one comment argued that, in the absence of a
judicial order, protected health information should be released only
pursuant to specific statutory authority.
Response: It is impossible to predict all the facts and
circumstances, for today and into the future, in which law
enforcement's interest in health information outweigh individuals'
privacy interests. Recognizing this, states and other governments have
not acted to list all the instances in which health information should
be available to law enforcement officials. Rather, they specify some
such instances, and rely on statutory, constitutional, and other
limitations to place boundaries on the activities of law enforcement
officials. Since the statutory authority to which the commenter refers
does not often exist, many uses of protected health information that
are in the public interest (described above in more detail) would not
be possible under such an approach.
Comment: At least one commenter, an administrative agency,
expressed concern that the proposed rule would have required its
subpoenas to be approved by a judicial officer.
Response: This rule does not require judicial approval of
administrative subpoenas. Administrative agencies can avoid the need
for judicial review under this regulation by issuing subpoenas for
protected health information only where the three-part test has been
met.
Comment: Some commenters suggested alternative requirements for law
enforcement access to protected health information. A few suggested
replacing the three-part test with a requirement that the request for
protected health information from law enforcement be in writing and
signed by a supervisory official, and/or that the request ``provide
enough information about their needs to allow application of the
minimum purpose rule.''
Response: A rule requiring only that the request for information be
in writing and signed fails to impose appropriate substantive standards
for release of health information. A rule requiring only sufficient
information for the covered entity to make a ``minimum necessary''
determination would leave these decisions entirely to covered entities'
discretion. We believe that protection of individuals' privacy
interests must start with a minimum floor of protections applicable to
all. We believe that while covered entities may be free to provide
additional protections (within the limits of the law), they should not
have the ability to allow unjustified access to health information.
Comment: Some commenters argued that the requirement for an
unspecified ``finding'' for a court order should be removed from the
proposed rule, because it would have been confusing and would have
provided no guidance to a court as to what finding would be sufficient.
Response: We agree that the requirement would have been confusing,
and we delete this language from the final regulation.
Comment: A few commenters argued that the proposed three-part test
should not be applied where existing federal or state law established a
standard for issuing administrative process.
Response: It is the content of such a standard, not its mere
existence, that determines whether the standard strikes an appropriate
balance between individuals' privacy interests and the public interest
in effective law enforcement activities. We assume that current
authorities to issue administrative subpoena are all subject to some
standards. When an existing standard provides at least as much
protection as the three-part test imposed by this regulation, the
existing standard is not disturbed by this rule. When, however, an
existing standard for issuing administrative process provides less
protection, this rule imposes new requirements.
Comment: Some covered entities said that they should not have been
asked to determine whether the proposed three-part test has been met.
Some argued that they were ill-equipped to make a judgment on whether
an administrative subpoena actually met the three-part test, or that it
was unfair to place the burden of making such determinations on covered
entities. Some argued that the burden should have been on law
enforcement, and that it was inappropriate to shift the burden to
covered entities. Other commenters argued that the proposal would have
given too much discretion to the record holders to withhold evidence
without having sufficient expertise or information on which to make
such judgments. At least one comment said that this aspect of the
proposal would have caused delay and expense in the detection and
prevention of health care fraud. The commenter believed that this delay
and expense could be prevented by shifting to law enforcement and
health care oversight the responsibility to determine whether standards
have been met.
At least one commenter recommended eliminating the three-part test
for disclosures of protected health information by small providers.
Some commenters argued that allowing covered entities to rely on
law enforcement representation that the three-part test has been met
would render the test meaningless.
Response: Because the statute does not bring law enforcement
officials within the scope of this regulation, the rule must rely on
covered entities to implement standards that protect individuals'
privacy interests, including the three-part test for disclosure
pursuant to administrative subpoenas. To reduce the burden on covered
entities, we do not require a covered entity to second-guess
representations by law enforcement officials that the three part test
has been met. Rather, we allow covered entities to disclose protected
health information to law enforcement when the subpoena or other
administrative request indicates on its face that the three-part test
has been met, or where a separate document so indicates. Because we
allow such reliance, we do not believe that it is necessary or
appropriate to reduce privacy protections for individuals who obtain
care from small health care providers.
[[Page 82684]]
Comment: Some commenters ask for modification of the three-part
test to include a balancing of the interests of law enforcement and the
privacy of the individual, pointing to such provisions in the Leahy-
Kennedy bill.
Response: We agree with the comment that the balancing of these
interests is important in this circumstance. We designed the
regulation's three-part test to accomplish that result.
Comment: At least one commenter recommended that ``relevant and
material'' be changed to ``relevant,'' because ``relevant'' is a term
at the core of civil discovery rules and is thus well understood, and
because it would be difficult to determine whether information is
``material'' prior to seeing the documents. As an alternative, this
commenter suggested explaining what we meant by ``material.''
Response: Like the term ``relevant,'' the term ``material'' is
commonly used in legal standards and well understood.
Comment: At least one commenter suggested deleting the phrase
``reasonably practical'' from the second prong of the test, because,
the commenter believed, it was not clear who would decide what is
``reasonably practical'' if the law enforcement agency and covered
entity disagreed.
Response: We allow covered entities to rely on a representation on
the face of the subpoena that the three-part test, including the
``reasonably practical'' criteria, is met. If a covered entity believes
that a subpoena is not valid, it may challenge that subpoena in court
just as it may challenge any subpoena that today it believes is not
lawfully issued. This is true regardless of the specific test that a
subpoena must meet, and is not a function of the ``reasonably
practical'' criteria.
Comment: Some commenters requested elimination of the third prong
of the test. One of these commenters suggested that the regulation
should specify when de-identified information could not be used.
Another recommended deleting the phrase ``could not reasonably be
used'' from the third prong of the test, because the commenter believed
it was not clear who would determine whether de-identified information
``could reasonably be used'' if the law enforcement agency and covered
entity disagreed.
Response: We cannot anticipate in regulation all the facts and
circumstances surrounding every law enforcement activity today, or in
the future as technologies change. Such a rigid approach could not
account for the variety of situations faced by covered entities and law
enforcement officials, and would become obsolete over time. Thus, we
believe it would not be appropriate to specify when de-identified
information can or cannot be used to meet legitimate law enforcement
needs.
In the final rule, we allow the covered entity to rely on a
representation on the face of the subpoena (or similar document) that
the three-part test, including the ``could not reasonably be used''
criteria, is met. If a covered entity believes that a subpoena is not
valid, it may challenge that subpoena in court just as it may challenge
today any subpoena that it believes is not lawfully issued. This is
true regardless of the specific test that a subpoena must meet, and it
is not a function of the ``could not reasonably be used'' criteria.
Comments Regarding Proposed Sec. 164.510(f)(2), Limited Information for
Identifying Purposes
Comment: A number of commenters recommended deletion of this
provision. These commenters argued that the legal process requirements
in proposed Sec. 164.510(f)(1) should apply when protected health
information is disclosed for identification purposes. At least one
privacy group recommended that if the provision were not eliminated in
its entirety, ``suspects'' should be removed from the list of
individuals whose protected health information may be disclosed for
identifying purposes. Many commenters expressed concern that this
provision would allow compilation of large data bases of health
information that could be use for purposes beyond those specified in
this provision.
Response: We retain this provision in the final rule. We continue
to believe that identifying fugitives, material witnesses, missing
persons, and suspects is an important national priority and that
allowing disclosure of limited identifying information for this purpose
is in the public interest. Eliminating this provision--or eliminating
suspects from the list of types of individuals about whom disclosure of
protected health information to law enforcement is allowed--would
impede law enforcement agencies'' ability to apprehend fugitives and
suspects and to identify material witnesses and missing persons. As a
result, criminals could remain at large for longer periods of time,
thereby posing a threat to public safety, and missing persons could be
more difficult to locate and thus endangered.
However, as described above and in the following paragraphs, we
make significant changes to this provision, to narrow the information
that may be disclosed and make clear the limited purpose of the
provision. For example, the proposed rule did not state explicitly
whether covered entities would have been allowed to initiate--in the
absence of a request from law enforcement--disclosure of protected
health information to law enforcement officials for the purpose of
identifying a suspect, fugitive, material witness or missing person. In
the final rule, we clarify that covered entities may disclose protected
health information for identifying purposes only in response to a
request by a law enforcement official or agency. A ``request by a law
enforcement official or agency'' is not limited to direct requests, but
also includes oral or written requests by individuals acting on behalf
of a law enforcement agency, such as a media organization broadcasting
a request for the public's assistance in identifying a suspect on the
evening news. It includes ``Wanted'' posters, public announcements, and
similar requests to the general public for assistance in locating
suspects or fugitives.
Comment: A few commenters recommended additional restrictions on
disclosure of protected health information for identification purposes.
For example, one commenter recommended that the provision should either
(1) require that the information to be disclosed for identifying
purposes be relevant and material to a legitimate law enforcement
inquiry and that the request be as specific and narrowly drawn as
possible; or (2) limit disclosures to circumstances in which (a) a
crime of violence has occurred and the perpetrator is at large, (b) the
perpetrator received an injury during the commission of the crime, (c)
the inquiry states with specificity the type of injury received and the
time period during which treatment would have been provided, and (d)
``probable cause'' exists to believe the perpetrator received treatment
from the provider.
Response: We do not agree that these additional restrictions are
appropriate for disclosures of limited identifying information for
purposes of locating or identifying suspects, fugitives, material
witnesses or missing persons. The purpose of this provision is to
permit law enforcement to obtain limited time-sensitive information
without the process requirements applicable to disclosures for other
purposes. Only limited information may be disclosed under this
provision, and disclosure is permitted only in limited circumstances.
We believe that these
[[Page 82685]]
safeguards are sufficient, and that creating additional restrictions
would undermine the purpose of the provision and that it would hinder
law enforcement's ability to obtain essential, time-sensitive
information.
Comment: A number of law enforcement agencies recommended that the
provision in the proposed rule be broadened to permit disclosure to law
enforcement officials for the purpose of ``locating'' as well as
``identifying'' a suspect, fugitive, material witness or missing
person.
Response: We agree with the comment and have changed the provision
in the final rule. We believe that locating suspects, fugitives,
material witnesses and missing persons is an important public policy
priority, and that it can be critical to identifying these individuals.
Further, efforts to locate suspects, fugitives, material witnesses, and
missing persons can be at least as time-sensitive as identifying such
individuals.
Comment: Several law enforcement agencies requested that the
provision be broadened to permit disclosure of additional pieces of
identifying information, such as ABO blood type and Rh factor, DNA
information, dental records, fingerprints, and/or body fluid and tissue
typing, samples and analysis. These commenters stated that additional
identifying information may be necessary to permit identification of
suspects, fugitives, material witnesses or missing persons. On the
other hand, privacy and consumer advocates, as well as many
individuals, were concerned that this section would allow all
computerized medical records to be stored in a large law enforcement
data base that could be scanned for matches of blood, DNA, or other
individually identifiable information.
Response: The final rule seeks to strike a balance in protecting
privacy and facilitating legitimate law enforcement inquiries.
Specifically, we have broadened the NPRM's list of data elements that
may be disclosed pursuant to this section, to include disclosure of ABO
blood type and rh factor for the purpose of identifying or locating
suspects, fugitives, material witnesses or missing persons. We agree
with the commenters that these pieces of information are important to
law enforcement investigations and are no more invasive of privacy than
the other pieces of protected health information that may be disclosed
under this provision.
However, as explained below, protected health information
associated with DNA and DNA analysis; dental records; or typing,
samples or analyses of tissues and bodily fluids other than blood
(e.g., saliva) cannot be disclosed for the location and identification
purposes described in this section. Allowing disclosure of this
information is not necessary to accomplish the purpose of this
provision, and would be substantially more intrusive into individuals'
privacy. In addition, we understand commenters' concern about the
potential for such information to be compiled in law enforcement data
bases. Allowing disclosure of such information could make individuals
reluctant to seek care out of fear that health information about them
could be compiled in such a data base.
Comment: Many commenters argued that proposed Sec. 164.510(f)(2)
should be deleted because it would permit law enforcement to engage in
``fishing expeditions'' or to create large data bases that could be
searched for suspects and others.
Response: Some of this fear may have stemmed from the inclusion of
the phrase ``other distinguishing characteristic''--which could be
construed broadly--in the list of items that could have been disclosed
pursuant to this section. In the final rule, we delete the phrase
``other distinguishing characteristic'' from the list of items that can
be disclosed pursuant to Sec. 164.512(f)(2). In its place, we allow
disclosure of a description of distinguishing physical characteristics,
such as scars, tattoos, height, weight, gender, race, hair and eye
color, and the presence or absence of facial hair such as a beard or
moustache. We believe that such a change, in addition to the changes
described in the paragraph above, responds to commenters' concern that
the NPRM would have allowed creation of a government data base of
personal identifying information. Further, this modification provides
additional guidance to covered entities regarding the type of
information that may be disclosed under this provision.
Comment: At least one commenter recommended removing social
security numbers (SSNs) from the list of items that may be disclosed
pursuant to proposed Sec. 164.510(f)(2). The commenter was concerned
that including SSNs in the (f)(2) list would cause law enforcement
agencies to demand that providers collect SSNs. In addition, the
commenter was concerned that allowing disclosure of SSNs could lead to
theft of identity by unscrupulous persons in policy departments and
health care organizations.
Response: We disagree. We believe that on balance, the potential
benefits from use of SSNs for this purpose outweigh the potential
privacy intrusion from such use of SSNs. For example, SSNs can help law
enforcement officials identify suspects are using aliases.
Comments Regarding Proposed Sec. 164.510(f)(3), Information About a
Victim of Crime or Abuse
Comment: Some law enforcement organizations expressed concern that
proposed Sec. 164.510(f)(3) could inhibit compliance with state
mandatory reporting laws.
Response: We recognize that the NPRM could have preempted such
state mandatory reporting laws, due to the combined impact of proposed
Secs. 164.510(m) and 164.510(f). As explained in detail in
Sec. 164.512(a) above, we did not intend that result, and we modify the
final rule to make clear that this rule does not preempt state
mandatory reporting laws.
Comment: Many commenters, including consumer and provider groups,
expressed concern that allowing covered entities to disclose protected
health information without authorization to law enforcement regarding
victims of crime, abuse, and other harm could endanger victims,
particularly victims of domestic violence, who could suffer further
abuse if their abuser learned that the information had been reported.
Provider groups also expressed concern about undermining provider-
patient relationships. Some law enforcement representatives noted that
in many cases, health care providers' voluntary reports of abuse or
harm can be critical for the successful prosecution of violent crime.
They argued, that by precluding providers from voluntarily reporting to
law enforcement evidence of potential abuse, the proposed rule could
make it more difficult to apprehend and prosecute criminals.
Response: We recognize the need for heightened sensitivity to the
danger facing victims of crime in general, and victims of domestic
abuse or neglect in particular. As discussed above, the final rule
includes a new section (Sec. 164.512(c)) establishing strict conditions
for disclosure of protected health information about victims of abuse,
neglect, and domestic violence.
Victims of crime other than abuse, neglect, or domestic violence
can also be placed in further danger by disclosure of protected health
information relating to the crime. In Sec. 164.512(f)(3) of the final
rule, we establish conditions for disclosure of protected health
information in these circumstances, and we make significant
modifications to the proposed rule's provision for such disclosures.
Under the final rule, unless a state or other
[[Page 82686]]
government authority has enacted a law requiring disclosure of
protected health information about a victim to law enforcement
officials, in most instances, covered entities must obtain the victim's
agreement before disclosing such information to law enforcement
officials. This requirement gives victims control over decision making
about their health information where their safety could be at issue,
helps promote trust between patients and providers, and is consistent
with health care providers' ethical obligation to seek patient
authorization whenever possible before disclosing protected health
information.
At the same time, the rule strikes a balance between protecting
victims and providing law enforcement access to information about
potential crimes that cause harm to individuals, by waiving the
requirement for agreement in two situations. In allowing covered
entities to disclose protected health information about a crime victim
pursuant to a state or other mandatory reporting law, we defer to other
governmental bodies' judgments on when certain public policy objectives
are important enough to warrant mandatory disclosure of protected
health information to law enforcement. While some mandatory reporting
laws are written more broadly than others, we believe that it is
neither appropriate nor practicable to distinguish in federal
regulations between what we consider overly broad and sufficiently
focused mandatory reporting laws.
The final rule waives the requirement for agreement if the covered
entity is unable to obtain the individual's agreement due to incapacity
or other emergency circumstance, and (1) the law enforcement official
represents that the information is needed to determine whether a
violation of law by a person other than the victim has occurred and the
information is not intended to be used against the victim; (2) the law
enforcement official represents that immediate law enforcement activity
that depends on the disclosure would be materially and adversely
affected by waiting until the individual is able to agree to the
disclosure; and (3) the covered entity determines, in the exercise of
professional judgment, that the disclosure is in the individual's best
interests. By allowing covered entities, in the exercise of
professional judgment, to determine whether such disclosures are in the
individual's best interests, the final rule recognizes the importance
of the provider-patient relationship.
In addition, the final rule allows covered entities to initiate
disclosures of protected health information about victims without the
victim's permission to law enforcement officials only if such
disclosure is required under a state mandatory reporting law. In other
circumstances, plans and providers may disclose protected health
information only in response to a request from a law enforcement
official. We believe that such an approach recognizes the importance of
promoting trust between victims and their health care providers. If
providers could initiate reports of victim information to law
enforcement officials absent a legal reporting mandate, victims may
avoid give their providers health information that could facilitate
their treatment, or they may avoid seeking treatment completely.
Comment: Many commenters believed that access to medical records
pursuant to this provision should occur only after judicial review.
Others believed that it should occur only with patient consent or after
notifying the patient of the disclosure to law enforcement. Similarly,
some commenters said that the minimum necessary standard should apply
to this provision, and they recommended restrictions on law enforcement
agencies' re-use of the information.
Response: As discussed above, the final rule generally requires
individual agreement as a condition for disclosure of a victim's health
information; this requirement provides greater privacy protection and
individual control than would a requirement for judicial review. We
also discuss above the situations in which this requirement for
agreement may be waived, and why that is appropriate. The requirement
that covered entities disclose the minimum necessary protected health
information consistent with the purpose of the disclosure applies to
disclosures of protected health information about victims to law
enforcement, unless the disclosure is required by law. (See
Sec. 164.514 for more detail on the requirements for minimum necessary
use and disclosure of protected health information.) As described
above, HIPAA does not provide statutory authority for HHS to regulate
law enforcement agencies' re-use of protected health information that
they obtain pursuant to this rule.
Comment: A few commenters expressed concern that the NPRM would not
have required law enforcement agencies' requests for protected health
information about victims to be in writing. They believed that written
requests could promote clarity in law enforcement requests, as well as
greater accountability among law enforcement officials seeking
information.
Response: We do not impose this requirement in the final rule. We
believe that such a requirement would not provide significant new
protection for victims and would unduly impede the completion of
legitimate law enforcement investigations.
Comment: A provider group was concerned that it would be difficult
for covered entities to evaluate law enforcement officials' claims that
information is needed and that law enforcement activity may be
necessary. Some comments from providers and individuals expressed
concern that the proposed rule would have provided open-ended access by
law enforcement to victims' medical records because of this difficulty
in evaluating law enforcement claims of their need for the information.
Response: We modify the NPRM in several ways that reduce covered
entities' decisionmaking burdens. The final rule clarifies that covered
entities may disclose protected health information about a victim of
crime where a report is required by state or other law, and it requires
the victim's agreement for disclosure in most other instances. The
covered entity must make the decision whether to disclose only in
limited circumstances: when there is no mandatory reporting law; or
when the victim is unable to provide agreement and the law enforcement
official represents that: the protected health information is needed to
determine whether a violation of law by a person other than the victim
has occurred, that the information will not be used against the victim,
and that immediate law enforcement activity that depends on such
information would be materially and adversely affected by waiting until
the individual is able to agree to the disclosure. In these
circumstances, we believe it is appropriate to rely on the covered
entity, in the exercise of professional judgment, to determine whether
the disclosure is in the individual's best interests. Other sections of
this rule allow covered entities to reasonably rely on certain
representations by law enforcement officials (see Sec. 164.514,
regarding verification,) and require disclosure of the minimum
necessary protected health information for this purpose. Together,
these provisions do not allow open-ended access or place undue
responsibility on providers.
Comments Regarding Proposed Sec. 164.510(f)(4), Intelligence and
National Security Activities
In the final rule, we recognize that disclosures for intelligence
and national security activities do not always involve
[[Page 82687]]
law enforcement. Therefore, we delete the provisions of proposed
Sec. 164.510(f)(4), and we address disclosures for intelligence and
national security activities in Sec. 164.512(k), on uses and
disclosures for specialized government functions. Comments and
responses on these issues are included below, in the comments for that
section.
Comments Regarding Proposed Sec. 164.510(f)(5), Health Care Fraud,
Crimes on the Premises, and Crimes Witnessed by the Covered Entity's
Workforce
Comment: Many commenters noted that proposed Sec. 164.510(f)(5)(i),
which covered disclosures for investigations and prosecutions of health
care fraud, overlapped with proposed Sec. 164.510(c) which covered
disclosures for health oversight activities.
Response: As discussed more fully in Sec. 164.512(d) of this
preamble, above, we agree that proposed Sec. 164.510(f)(5)(i) created
confusion because all disclosures covered by that provision were
already permitted under proposed Sec. 164.510(c) without prior process.
In the final rule, therefore, we delete proposed Sec. 164.510(f)(5)(i).
Comment: One commenter was concerned the proposed provision would
not have allowed an emergency room physician to report evidence of
abuse when the suspected abuse had not been committed on the covered
entity's premises.
Response: Crimes on the premises are only one type of crime that
providers may report to law enforcement officials. The rules for
reporting evidence of abuse to law enforcement officials are described
in Sec. 164.512(c) of the rule, and described in detail in
Sec. 164.512(c) of the preamble. An emergency room physician may report
evidence of abuse if the conditions in Sec. 164.512(c) are met,
regardless of where the abuse occurred.
Comment: One commenter argued that covered entities should be
permitted to disclose information that ``indicates the potential
existence'' of evidence, not just information that ``constitutes
evidence'' of crimes on the premises or crimes witnessed by a member of
the covered entity's workforce.
Response: We agree that covered entities should not be required to
guess correctly whether information will be admitted to court as
evidence. For this reason, we include a good-faith standard in this
provision. Covered entities may disclose information that it believes
in good faith constitutes evidence of a crime on the premises. If the
covered entity discloses protected health information in good faith but
is wrong in its belief that the information is evidence of a violation
of law, the covered entity will not be subject to sanction under this
regulation.
Section 164.512(g)--Uses and Disclosures About Decedents
Coroners and Medical Examiners
Comment: We received several comments, for example, from state and
county health departments, a private foundation, and a provider
organization, in support of the NPRM provision allowing disclosure
without authorization to coroners and medical examiners.
Response: The final rule retains the NPRM's basic approach to
disclosure of coroners and medical examiners. It allows covered
entities to disclose protected health information without authorization
to coroners and medical examiners, for identification of a deceased
person, determining cause of death, or other duties authorized by law.
Comment: In the preamble to the NPRM, we said we had considered but
rejected the option of requiring covered entities to redact from
individuals' medical records any information identifying other persons
before disclosing the record to a coroner or medical examiner. We
solicited comment on whether health care providers routinely identify
other persons specifically in an individual's medical record and if so,
whether in the final rule we should require health care providers to
redact information about the other person before providing it to a
coroner or medical examiner.
A few commenters said that medical records typically do not include
information about persons other than the patient. One commenter said
that patient medical records occasionally reference others such as
relatives or employers. These commenters recommended requiring
redaction of such information in any report sent to a coroner or
medical examiner. On the other hand, other commenters said that
redaction should not be required. These commenters generally based
their recommendation on the burden and delay associated with redaction.
In addition to citing the complexity and time involved in redaction of
medical records provided to coroners, one commenter said that health
plans and covered health care providers were not trained to determine
the identifiable information necessary for coroners and medical
examiners to do thorough investigations. Another commenter said that
redaction should not be required because coroners and medical examiners
needed some additional family information to determine what would be
done with the deceased after their post-mortem investigation is
completed.
Response: We recognize the burden associated with redacting medical
records to remove the names of persons other than the patient. In
addition, as stated in the preamble to the NPRM, we recognize that
there is a limited time period after death within which an autopsy must
be conducted. We believe that the delay associated with this burden
could make it impossible to conduct a post-mortem investigation within
the required time frame. In addition, we agree that health plans and
covered health care providers may lack the training necessary to
determine the identifiable information necessary for coroners and
medical examiners to do thorough investigations. Thus, in the final
rule, we do not require health plans or covered providers to redact
information about persons other than the patient who may be identified
in a patient's medical record before disclosing the record to a coroner
or medical examiner.
Comment: One commenter said that medical records sent to coroners
and medical examiners were considered their work product and thus were
not released from their offices to anyone else. The commenter
recommended that HHS establish regulations on how to dispose of medical
records and that we create a ``no re-release'' statement to ensure that
individual privacy is maintained without compromising coroners' or
medical examiners' access to protected health information. The
organization said that such a policy should apply regardless of whether
the investigation was civil or criminal.
Response: HIPAA does not provide HHS with statutory authority to
regulate coroners' or medical examiners' re-use or re-disclosure of
protected health information unless the coroner or medical examiner is
also a covered entity. However, we consistently have supported
comprehensive privacy legislation to regulate disclosure and use of
individually identifiable health information by all entities that have
access to it.
Funeral Directors
Comment: One commenter recommended modifying the proposed rule to
allow disclosure without authorization to funeral directors. To
accomplish this change, the commenter suggested either: (1) Adding
another subsection to proposed Sec. 164.510 of the NPRM, to allow
disclosure without authorization to funeral directors as needed to make
arrangements for
[[Page 82688]]
funeral services and for disposition of a deceased person's remains; or
(2) revising proposed Sec. 164.510(e) to allow disclosure of protected
health information to both coroners and funeral directors. According to
this commenter, funeral directors often need certain protected health
information for the embalming process, because a person's medical
condition may affect the way in which embalming is performed. For
example, the commenter noted, funeral directors increasingly receive
bodies after organ and tissue donation, which has implications for
funeral home staff duties associated with embalming.
Response: We agree with the commenter. In the final rule, we permit
covered entities to disclose protected health information to funeral
directors, consistent with applicable law, as necessary to carry out
their duties with respect to a decedent. When necessary for funeral
directors to carry out their duties, covered entities may disclose
protected health information prior to and in reasonable anticipation of
the individual's death.
Comment: One commenter recommended clarifying in the final rule
that it does not restrict law enforcement agencies' release of medical
information that many state records laws require to be reported, for
example, as part of autopsy reports. The commenter recommended stating
that law enforcement officials may independently gather medical
information, that such information would not be covered by these rules,
and that it would continue to be covered under applicable state and
federal access laws.
Response: HIPAA does not give HHS statutory authority to regulate
law enforcement officials' use or disclosure of protected health
information. As stated elsewhere, we continue to support enactment of
comprehensive privacy legislation to cover disclosure and use of all
individually identifiable health information.
Comment: One commenter recommended prohibiting health plans and
covered health care providers from disclosing psychotherapy notes to
coroners or medical examiners.
Response: We disagree with the commenter who asserted that
psychotherapy notes should only be used by or disclosed to coroners and
medical examiners with authorization. Psychotherapy notes are sometimes
needed by coroners and medical examiners to determine cause of death,
such as in cases where suicide is suspected as the cause of death. We
understand that several states require the disclosure of protected
health information, including psychotherapy notes, to medical examiners
and coroners. However, in the absence of a state law requiring such
disclosure, we do not intend to prohibit coroners or medical examiners
from obtaining the protected health information necessary to determine
an individual's cause of death.
Section 164.512(h)--Uses and Disclosures for Organ Donation and
Transplantation Purposes
Comment: Commenters noted that under the organ donation system,
information about a patient is disclosed before seeking consent for
donation from families. These commenters offered suggestions for
ensuring that the system could continue to operate without consent for
information sharing with organ procurement organizations and tissue
banks. Commenters suggested that organ and tissue procurement
organizations should be ``covered entities'' or that the procurement of
organs and tissues be included in the definition of health care
operations or treatment, or in the definition of emergency
circumstances.
Response: We agree that organ and tissue donation is a special
situation due to the need to protect potential donors' families from
the stress of considering whether their loved one should be a donor
before a determination has been made that donation would be medically
suitable. Rather than list the entities that are ``covered entities''
or modify the definitions of health care operations and treatment or
emergency circumstances to explicitly include organ procurement
organizations and tissue banks, we have modified Sec. 164.512 to permit
covered entities to use or disclose protected health information to
organ procurement organizations or other entities engaged in the
procurement, banking, or transplantation of cadaveric organs, eyes, or
tissues.
Comment: Commenters asked that the rule clarify that organ
procurement organizations are health care providers but not business
partners of the hospitals.
Response: We agree that organ procurement organizations and tissue
banks are generally not business associates of hospitals.
Disclosures and Uses for Government Health Data Systems
Comment: We received a number of comments supporting the exception
for disclosure of protected health information to government health
data systems. Some supporters stated a general belief that the uses of
such information were important to improve and protect the health of
the public. Commenters said that state agencies used the information
from government health data systems to contribute to the improvement of
the health care system by helping prevent fraud and abuse and helping
improve health care quality, efficiency, and cost-effectiveness.
Commenters asserted that state agencies take action to ensure that data
they release based on these data systems do not identify individuals
We also received a large volume of comments opposed to the
exception for use and disclosure of protected health information for
government health data systems. Many commenters expressed general
concern that the provision threatened their privacy, and many believed
that their health information would be subject to abuse by government
employees. Commenters expressed concern that the provision would
facilitate collection of protected health information in one large,
centralized government health database that could threaten privacy.
Others argued that the proposed rule would facilitate law enforcement
access to protected health information and could, in fact, become a
database for law enforcement use.
Many commenters asserted that this provision would make individuals
concerned about confiding in their health care providers. Some
commenters argued that the government should not be allowed to collect
individually identifiable health information without patient consent,
and that the government could use de-identified data to perform the
public policy analyses. Many individual commenters said that HHS lacked
statutory and Constitutional authority to give the government access
and control of their medical records without consent.
Many commenters believed that the NPRM language on government
health data systems was too broad and would allow virtually any
government collection of data to be covered. They argued that the
government health data system exception was unnecessary because there
were other provisions in the proposed rules providing sufficient
authority for government agencies to obtain the information they need.
Some commenters were concerned that the NPRM's government health
data system provisions would allow disclosure of protected health
information for purposes unrelated to health care. These commenters
recommended narrowing the provision to allow disclosure of protected
health
[[Page 82689]]
information without consent to government health data systems in
support of health care-related policy, planning, regulatory, or
management functions. Others recommended narrowing the exception to
allow use and disclosure of protected health information for government
health databases only when a specific statute or regulation has
authorized collection of protected health information for a specific
purpose.
Response: We agree with the commenters who suggested that the
proposed provision that would have permitted disclosures to government
health data bases was overly broad, and we remove it from the final
rule.
We reviewed the important purposes identified in the comments for
government access to protected health information, and believe that the
disclosures of protected health information that should appropriately
be made without individuals' authorization can be achieved through the
other disclosures provided for in the final rule, including provisions
permitting covered entities to disclose information (subject to certain
limitations) to government agencies for public health, research, health
oversight, law enforcement, and otherwise as required by law. For
example, the final rule continues to allow a covered entity to disclose
protected health information without authorization to a public health
authority to monitor trends in the spread of infectious disease,
morbidity, and mortality. Under the rule's health oversight provision,
covered entities can continue to disclose protected health information
to public agencies for purposes such as analyzing the cost and quality
of services provided by covered entities; evaluating the effectiveness
of federal, state, and local public programs; examining trends in
health insurance coverage of the population; and analyzing variations
in access to health coverage among various segments of the population.
We believe that it is better to remove the proposed provision for
government health data systems generally and to rely on other, more
narrowly tailored provisions in the rule to authorize appropriate
disclosures to government agencies.
Comment: Some provider groups, private companies, and industry
organizations recommended expanding the exception for government health
data systems to include data collected by private entities. These
commenters said that such an expansion would be justified, because
private entities often perform the same functions as public agencies
collecting health data.
Response: We eliminate the exception for government health data
systems because it was over broad and the uses and disclosures we were
trying to permit are permitted by other provisions. We note that
private organizations may use or disclose protected health information
pursuant to multiple provisions of the rule.
Comment: One commenter recommended clarifying in the final rule
that the government health data system provisions apply to: (1)
Manufacturers providing data to HCFA and its contractors to help the
agency make reimbursement and related decisions; and to (2) third-party
payors that must provide data collected by device manufacturers to HCFA
to help the agency make reimbursement and related decisions.
Response: The decision to eliminate the general provision
permitting disclosures to government health data systems makes this
issue moot with respect to such disclosures. We note that the
information used by manufacturers to support coverage determinations
often is gathered pursuant to patient authorization (as part of
informed consent for research) or as an approved research project.
There also are many cases in which information can be de-identified
before it is disclosed. Where HCFA hires a contractor to collect such
protected health information, the contractor may do so under HCFA's
authority, subject to the business associate provisions of this rule.
Comment: One commenter recommended stating in the final rule that
de-identified information from government health data systems can be
disclosed to other entities.
Response: HHS does not have the authority to regulate re-use or re-
disclosure of information by agencies or institutions that are not
covered entities under the rule. However, we support the policies and
procedures that public agencies already have implemented to de-identify
any information that they redisclose, and we encourage the continuation
of these activities.
Disclosures for Payment Processes
Proposed Sec. 164.510(j) of the NPRM would have allowed disclosure
of protected health information without authorization for banking and
payment processes. In the final rule, we eliminate this provision.
Disclosures that would have been allowed under it, as well as comments
received on proposed Sec. 164.510(j), are addressed under Sec. 164.501
of the final rule, under the definition of ``payment.''
Section 164.512(i)--Uses and Disclosures for Research Purposes
Documentation Requirements of IRB or Privacy Board Approval of Waiver
Comment: A number of commenters argued that the proposed research
requirements of Sec. 164.510(j) exceeded the Secretary's authority
under section 246(c) of HIPAA. In particular, several commenters argued
that the Department was proposing to extend the Common Rule and the use
of the IRB or privacy boards beyond federally-funded research projects,
without the necessary authority under HIPAA to do so. One commenter
stated that, ``Section 246(c) of HIPAA requires the Secretary to issue
a regulation setting privacy standards for individually identifiable
health information transmitted in connection with the transactions
described in section 1173(a),'' and thus concluded that the disclosure
of health information to researchers is not covered. Some of these
commenters also argued that the documentation requirements of proposed
Sec. 164.510(j), did not shield the NPRM from having the effect of
regulating research by placing the onus on covered health care
providers to seek documentation that certain standards had been
satisfied before providing protected health information to researchers.
These commenters argued that the proposed rule had the clear and
intended effect of directly regulating researchers who wish to obtain
protected health information from a covered entity.
Response: As discussed above, we do not agree with commenters that
the Secretary's authority is limited to individually identifiable
health information transmitted in connection with the transactions
described in section 1173(a) of HIPAA. We also disagree that the
proposed research documentation requirements would have constituted the
unauthorized regulation of researchers. The proposed requirements
established conditions for the use of protected health information by
covered entities for research and the disclosure of protected health
information by covered entities to researchers. HIPAA authorizes the
Secretary to regulate such uses and disclosures, and the final rule
retains documentation requirements similar to those proposed.
Comment: Several commenters believed that the NPRM was proposing
either directly or indirectly to modify the Common Rule and, therefore,
stated that such modification was beyond the Secretary's authority
under HIPAA. Many of these commenters arrived at this conclusion
because the waiver of
[[Page 82690]]
authorization criteria proposed in Sec. 164.510(j) differed from the
Common Rule's criteria for the waiver of informed consent (Common Rule,
Sec. __ .116(d)).
Response: We do not agree that the proposed provision relating to
research would have modified the Common Rule. The provisions that we
proposed and provisions that we include in the final rule place
conditions that must be met before a covered entity may use or disclose
protected health information. Those conditions are in addition to any
conditions required of research entities under the Common Rule. Covered
entities will certainly be subject to laws and regulations in addition
to the rule, but the rule does not require compliance with these other
laws or regulations. For covered health care providers and health plans
that are subject to both the final rule and the Common Rule, both sets
of regulations will need to be followed.
Comment: A few commenters suggested that the Common Rule should be
extended to all research, regardless of funding source.
Response: We generally agree with the commenters on the need to
provide protections to all human subjects research, regardless of
funding source. HIPAA, however, did not provide the Department with
authority to extend the Common Rule beyond its current purview. For
research that relies on the use or disclosure of protected health
information by covered entities without authorization, the final rule
applies the Common Rule's principles for protecting research subjects
by, in most instances, requiring documentation of independent board
review, and a finding that specified criteria designed to protect the
privacy of prospective research subjects have been met.
Comment: A large number of commenters agreed that the research use
and disclosure of protected health information should not require
authorization. Of these commenters, many supported the proposed rule's
approach to research uses and disclosures without authorization,
including many from health care provider organizations, the mental
health community, and members of Congress. Others, while they agreed
that the research use and disclosure should not require authorization
disagreed with the NPRM's approach and proposed alternative models.
The commenters who supported the NPRM's approach to permitting
researchers access to protected health information without
authorization argued that it was appropriate to apply ``Common Rule-
like'' provisions to privately funded research. In addition, several
commenters explicitly argued that the option to use a privacy board, in
lieu of an IRB, must be maintained because requiring IRB review to
include all aspects of patient privacy could diffuse focus and
significantly compromise an IRB's ability to execute its primary
patient protection role. Furthermore, several commenters believed that
privacy board review should be permitted, but wanted equal oversight
and accountability for privacy boards and IRBs.
Many other commenters agreed that the research use and disclosure
should not require authorization, but disagreed with the proposed
rule's approach and proposed alternative models. Several of these
commenters argued that the final rule should eliminate the option for
privacy board review and that all research to be subject to IRB review.
These commenters stated that having separate and unequal systems to
approve research based on its funding source would complicate
compliance and go against the spirit of the regulations. Several of
these commenters, many from patient and provider organizations, opposed
the permitted use of privacy boards to review research studies and
instead argued that IRB review should be required for all studies
involving the use or disclosure of protected health information. These
commenters argued that although privacy board requirements would be
similar, they are not equitable; for example, only three of the Common
Rule's six requirements for the membership of IRBs were proposed to be
required for the membership on privacy boards, and there was no
proposed requirement for annual review of ongoing research studies that
used protected health information. Several commenters were concerned
that the proposed option to obtain documentation of privacy board
review, in lieu of IRB review, would perpetuate the divide in the
oversight of federally-funded versus publically-funded research, rather
than eliminate the differential oversight of publically-and privately-
funded research, with the former still being held to a stricter
standard. Some of these commenters argued that these unequal
protections would be especially apparent for the disclosure of research
with authorization, since under the Common Rule, IRB review of human
subjects studies is required, regardless of the subject's consent,
before the study may be conducted.
Response: Although we share the concern raised by commenters that
the option for the documentation of privacy board approval for an
alteration or waiver of authorization may perpetuate the unequal
mechanisms of protecting the privacy of human research subjects for
federally-funded versus publically-funded research, the final rule is
limited by HIPAA to addressing only the use and disclosure of protected
health information by covered entities, not the protection of human
research subjects more generally. Therefore, the rule cannot
standardize human subjects protections throughout the country. Given
the limited scope of the final rule with regard to research, the
Department believes that the option to obtain documentation of privacy
board approval for an alteration or waiver of authorization in lieu of
IRB approval provides covered entities with needed flexibility.
Therefore, in the final rule we have retained the option for covered
entities to rely on documentation of privacy board approval that
specified criteria have been met.
We disagree with the rationale suggested by commenters who argued
that the option for privacy board review must be maintained because
requiring IRB review to include all aspects of patient privacy could
diffuse focus and significantly compromise an IRB's ability to execute
its primary patient protection role. For research that involves the use
of individually identifiable health information, assessing the risk to
the privacy of research subjects is currently one of the key risks that
must be assessed and addressed by IRBs. In fact, we expect that it will
be appropriate for many research organizations that have existing IRBs
to rely on these IRBs to meet the documentation requirements of
Sec. 164.512(i).
Comment: One health care provider organization recommended that the
IRB or privacy board mechanism of review should be applied to non-
research uses and disclosures.
Response: We disagree. Imposing documentation of privacy board
approval for other public policy uses and disclosures permitted by
Sec. 164.512 would result in undue delays in the use or disclosure of
protected health information that could harm individuals and the
public. For example, requiring that covered health care providers
obtain third-party review before permitting them to alert a public
health authority that an individual was infected with a serious
communicable disease could cause delay appropriate intervention by a
public health authority and could present a serious threat to the
health of many individuals.
Comment: A number of commenters, including several members of
Congress,
[[Page 82691]]
argued that since the research provisions in proposed Sec. 164.510(j)
were modeled on the existing system of human subjects protections, they
were inadequate and would shatter public trust if implemented.
Similarly, some commenters, asserted that IRBs are not accustomed to
reviewing and approving utilization reviews, outcomes research, or
disease management programs and, therefore, IRB review may not be an
effective tool for protecting patient privacy in connection with these
activities. Some of these commenters noted that proposed
Sec. 164.510(j) would exacerbate the problems inherent in the current
federal human subjects protection system especially in light of the
recent GAO reports that indicate the IRB system is already over-
extended. Furthermore, a few commenters argued that the Common Rule's
requirements may be suited for interventional research involving human
subjects, but is ill suited to the archival and health services
research typically performed using medical records without
authorization. Therefore, these commenters concluded that extending
``Common Rule-like'' provisions to the private sector would be
inadequate to protect human subjects and would result in significant
and unnecessary cost increases.
Response: While the vast majority of government-supported and
regulated research adheres to strict protocols and the highest ethical
standards, we agree that the federal system of human subjects
protections can and must be strengthened. To work toward this goal, on
May 23, the Secretary announced several additional initiatives to
enhance the safety of subjects in clinical trials, strengthen
government oversight of medical research, and reinforce clinical
researchers' responsibility to follow federal guidelines. As part of
this initiative, the National Institutes of Health have undertaken an
aggressive effort to ensure IRB members and IRB staff receive
appropriate training in bioethics and other issues related to research
involving human subjects, including research that involves the use of
individually identifiable health information. With these added
improvements, we believe that the federal system of human subjects
protections continues to be a good model to protect the privacy of
individually identifiable health information that is used for research
purposes. This model of privacy protection is also consistent with the
recent recommendations of both the Institute of Medicine in their
report entitled, ``Protecting Data Privacy in Health Services
Research,'' and the Joint Commission on Accreditation of Healthcare
Organizations and the National Committee for Quality Assurance in their
report entitled, ``Protecting Personal Health Information: A Framework
for Meeting the Challenges in a Managed Care Environment.'' Both of
these reports similarly concluded that health services research that
involves the use of individually identifiable health information should
undergo IRB review or review by another board with sufficient expertise
in privacy and confidentiality protection.
Furthermore, it is important to recognize that the Common Rule
applies not only to interventional research, but also to research that
uses individually identifiable health information, including archival
research and health services research. The National Bioethics Advisory
Commission (NBAC) is currently developing a report on the federal
oversight of human subjects research, which is expected to address the
unique issues raised by non-interventional human subjects research. The
Department looks forward to receiving NBAC's report, and carefully
considering the Commission's recommendations. This final rule is the
first step in enhancing patients' privacy and we will propose
modifications to the rule if changes are warranted by the Commission's
findings and recommendations.
Comment: Many commenters argued that the proposed research
provision would have a chilling affect on the willingness of health
plans and covered providers to participate in research because of the
criminal and civil penalties that could be imposed for failing to meet
the requirements that would have been required by proposed
Sec. 164.510(j). Some of these commenters cautioned, that over time,
research could be severely hindered if covered entities choose not to
disclose protected health information to researchers. In addition, one
commenter recommended that a more reasonable approach would be to
require IRB or privacy board approval only if the results of the
research were to be broadly published. Another commenter expressed
concern that the privacy rule could influence IRBs or privacy boards to
refuse to recognize the validity of decisions by other IRBs or privacy
boards and specifically recommended that the privacy rule include a
preamble statement that: (1) The ``risk'' balancing consider only the
risk to the patient, not the risk to the institution, and (2) add a
phrase that the decision by the initial IRB or privacy board to approve
the research shall be given deference by other IRBs or privacy boards.
This commenter also recommended that to determine whether IRBs or
privacy boards were giving such deference to prior IRB or privacy board
review, HHS should monitor the disapproval rate by IRB or privacy
boards conducting secondary reviews.
Response: As the largest federal sponsor of medical research, we
understand the important role of research in improving our Nation's
health. However, the benefits of research must be balanced against the
risks, including the privacy risks, for those who participate in
research. An individual's rights and welfare must never be sacrificed
for scientific or medical progress. We believe that the requirements
for the use and disclosure of protected health information for research
without authorization provides an appropriate balance. We understand
that some covered health care providers and health plans may conclude
that the rule's documentation requirements for research uses and
disclosures are too burdensome.
We rejected the recommendation that documentation of IRB or privacy
board approval of the waiver of authorization should only be required
if the research were to be ``broadly published.'' Research findings
that are published in de-identified form have little influence on the
privacy interests of individuals. We believe that it is the use or
disclosure of individually identifiable health information to a
researcher that poses the greater risk to individuals' privacy, not
publication of de-identified information.
We agree with the commenters that IRB or privacy board review
should address the privacy interests of individuals and not
institutions. This provision is intended to protect individuals from
unnecessary uses and disclosures of their health information and does
not address institutional privacy.
We disagree with the comment that documentation of IRB or privacy
board approval of the waiver of authorization should be given deference
by other IRBs or privacy boards conducting secondary reviews. We do not
believe that it is appropriate to restrict the deliberations or
judgments of privacy boards, nor do we have the authority under this
rule to instruct IRBs on this issue. Instead, we reiterate that all
disclosures for research purposes under Sec. 164.512(i) are voluntary,
and that institutions may choose to impose more stringent requirements
for any use and disclosure permitted under Sec. 164.512.
[[Page 82692]]
Comment: Some commenters were concerned about the implications of
proposed Sec. 164.510(j) on multi-center research. These commenters
argued that for multi-center research, researchers may require
protected health information from multiple covered entities, each of
whom may have different requirements for the documentation of IRB or
privacy board review. Therefore, there was concern that documentation
that may suffice for one covered entity, may not for another, thereby
hindering multi-center research.
Response: Since Sec. 164.512(i) establishes minimum documentation
standards for covered health care providers and health plans using or
disclosing protected health information for research purposes, we
understand that some covered providers and health plans may choose to
require additional documentation requirements for researchers. We note,
however, that nothing in the final rule would preclude a covered health
care provider or health plan from developing the consistent
documentation requirements provided they meet the requirements of
Sec. 164.512(i).
Comment: One commenter who was also concerned that the minimum
necessary requirements of proposed Sec. 164.506(b) would negatively
affect multi-center research because covered entities participating in
multi-site research studies would no longer be permitted to rely upon
the consent form approved by a central IRB, and nor would participating
entities be permitted to report data to the researcher using the case
report form approved by the central IRB to guide what data points to
include. This commenter noted that the requirement that each site would
need to undertake a separate minimum necessary review for each
disclosure would erect significant barriers to the conduct of research
and may compromise the integrity and validity of data combined from
multiple sites. This commenter recommended that the Secretary absolve a
covered entity of the responsibility to make its own individual minimum
necessary determinations if the entity is disclosing information
pursuant to an IRB or privacy board-approved protocol.
Response: The minimum necessary requirements in the final rule have
been revised to permit covered entities to rely on the documentation of
IRB or privacy board approval as meeting the minimum necessary
requirements of Sec. 164.514. However, we anticipate that much multi-
site research, such as multi-site clinical trials, will be conducted
with patients' informed consent as required by the Common Rule and
FDA's protection of human subjects regulations, and that patients'
authorization will also be sought for the use or disclosure of
protected health information for such studies. Therefore, it should be
noted that the minimum necessary requirements do not apply for uses or
disclosures made with an authorization. In addition, the final rule
allows a covered health care provider or health plan to use or disclose
protected health information pursuant to an authorization that was
approved by a single IRB or privacy board, provided the authorization
met the requirements of Sec. 164.508. The final rule does not, however,
require IRB or privacy board review for the use or disclosure of
protected health information for research conducted with individuals'
authorization.
Comment: Some commenters believed that proposed Sec. 164.510(j)
would have required documentation of both IRB and privacy board review
before a covered entity would be permitted to disclose protected health
information for research purposes without an individual's
authorization.
Response: This is incorrect. Section 164.512(i)(1)(i) of the final
rule requires documentation of alteration or waiver approval by either
an IRB or a privacy board.
Comment: Some commenters believed that the proposed rule would have
required that patients be notified whenever protected health
information about themselves was disclosed for research purposes.
Response: This is incorrect. Covered entities are not required to
inform individuals that protected health information about themselves
has been disclosed for research purposes. However, as required in
Sec. 164.520 of the final rule, the covered entity must include
research disclosures in their notice of information practices. In
addition, as required by Sec. 164.528 of the rule, covered health care
providers and health plans must provide individuals, upon request, with
an accounting of disclosures made of protected health information about
the individual.
Comment: One commenter recommended that IRB and privacy boards also
be required to be accredited.
Response: While we agree that the issue of accrediting IRBs and
privacy boards deserves further consideration, we believe it is
premature to require covered entities to ensure that the IRB or privacy
board that approves an alteration or waiver of authorization is
accredited. Currently, there are no accepted accreditation standards
for IRBs or privacy boards, nor a designated accreditation body.
Recognizing the need for and value of greater uniformity and public
accountability in the review and approval process, HHS, with support
from the Office of Human Research Protection, National Institutes of
Health, Food and Drug Administration, Centers for Disease Control and
Prevention, and Agency for Health Care Research and Quality, has
engaged the Institute of Medicine to recommend uniform performance
resource-based standards for private, voluntary accreditation of IRBs.
This effort will draw upon work already undertaken by major national
organizations to develop and test these standards by the spring of
2001, followed by initiation of a formal accreditation process before
the end of next year. Once the Department has received the Institute of
Medicine's recommended accreditation standards and process for IRBs, we
plan to consider whether this accreditation model would also be
applicable to privacy boards.
Comment: A few commenters also noted that if both an IRB and a
privacy board reviewed a research study and came to conflicting
decisions, proposed Sec. 164.510(j) was unclear about which board's
decision would prevail.
Response: The final rule does not stipulate which board's decision
would prevail if an IRB and a privacy board came to conflicting
decisions. The final rule requires covered entities to obtain
documentation that one IRB or privacy board has approved of the
alteration or waiver of authorization. The covered entity, however, has
discretion to request information about the findings of all IRBs and/or
privacy boards that have reviewed a research proposal. We strongly
encourage researchers to notify IRBs and privacy boards of any prior
IRB or privacy board review of a research protocol.
Comment: Many commenters noted that the NPRM included no guidance
on how the privacy board should approve or deny researchers' requests.
Some of these commenters recommended that the regulation stipulate that
privacy boards be required to follow the same voting rules as required
under the Common Rule.
Response: We agree that the Common Rule (Sec. __.108(b)) provides a
good model of voting procedures for privacy boards and incorporate such
procedures to the extent they are relevant. In the final rule, we
require that the documentation of alteration or waiver of authorization
state that the alteration or waiver has been reviewed and approved by
either (1) an IRB that has followed the voting requirements of the
Common Rule (Sec. __.108(b)), or the expedited review
[[Page 82693]]
procedures of the Common Rule (Sec. __.110); or (2) unless an expedited
review procedure is used, a privacy board that has reviewed the
proposed research at a convened meeting at which a majority of the
privacy board members are present, including at least one member who is
not affiliated with the covered entity, not affiliated with any entity
conducting or sponsoring the research, and not related to any person
who is affiliated with any such entities, and the alteration or waiver
of authorization is approved by the majority of privacy board members
present at the meeting.
Comment: A few commenters were concerned that the research
provisions would be especially onerous for small non-governmental
entities, furthering the federal monopoly on research.
Response: We understand that the documentation requirements of
Sec. 164.512(i), as well as other provisions in the final rule, may be
more onerous for small entities than for larger entities. We believe,
however, that when protected health information is to be used or
disclosed for research without an individual's authorization, the
additional privacy protections in Sec. 164.512(i) are essential to
reduce the risk of harm to the individual.
Comment: One commenter believed that it was paradoxical that, under
the proposed rule, the disclosure of protected health information for
research conducted with an authorization would have been more heavily
burdened than research that was conducted without authorization, which
they reasoned was far less likely to bring personal benefit to the
research subjects.
Response: It was not our intent to impose more requirements on
covered entities using or disclosing protected health information for
research conducted with authorization than for research conducted
without authorization. In fact, the proposed rule would have required
only authorization as stipulated in proposed Sec. 164.508 for research
disclosures made with authorization, and would have been exempt from
the documentation requirements in proposed Sec. 164.510(j). We retain
this treatment in the final rule. We disagree with the commenter who
asserted that the requirements for research conducted with
authorization are more burdensome for covered health care providers and
plans than the documentation provisions of this paragraph.
Comment: A number of comments, mostly from the pharmaceutical
industry, recommended that the final rule state that privacy boards be
permitted to waive authorization only with respect to research uses of
medical information collected in the course of treatment or health care
operations, and not with respect to clinical research. Similarly, one
commenter recommended that IRBs and privacy boards be authorized to
review privacy issues only, not the entire research project. These
commenters were concerned that by granting waiver authority to privacy
boards and IRBs, and by incorporating the Common Rule waiver criteria
into the waiver criteria included in the proposed rule, the Secretary
has set the stage for privacy boards to review and approve waivers in
circumstances that involve interventional research that is not subject
to the Common Rule.
Response: We agree with the commenters who recommended that the
final rule clarify that the documentation of IRB or privacy board
approval of the waiver of authorization would be based only on an
assessment of the privacy risks associated with a research study, not
an assessment of all relevant risks to participants. In the final rule,
we have amended the language in the waiver criteria to make clear that
these criteria relate only to the privacy interests of the individual.
We anticipate, however, that the vast majority of uses and disclosures
of protected health information for interventional research will be
made with individuals' authorization. Therefore, we expect it will be
rare that a researcher will seek IRB or privacy board approval for the
alteration or waiver of authorization, but seek informed consent for
participation for the interventional component of the research study.
Furthermore, we believe that interventional research, such as most
clinical trials, could not meet the waiver criteria in the final rule
(Sec. 164.512(i)(2)(ii)(C)), which states ``the research could not
practicably be conducted without the alteration or waiver.'' If a
researcher is to have direct contact with research subjects, the
researcher should in virtually all cases be able to seek and obtain
patients' authorization for the use and disclosure of protected health
information about themselves for the research study.
Comment: A few commenters recommended that the rule explicitly
state that covered entities would be permitted to rely upon an IRB or
privacy boards' representation that the research proposal meets the
requirements of proposed Sec. 164.510(j).
Response: We agree with this comment. The final rule clarifies that
covered health care providers and health plans are allowed to rely on
an IRB's or privacy board's representation that the research proposal
meets the requirements of Sec. 164.512(i).
Comment: One commenter recommended that IRBs be required to
maintain web sites with information on proposed and approved projects.
Response: We agree that it could be useful for IRBs and privacy
boards to maintain web sites with information on proposed and approved
projects. However, requiring this of IRBs and privacy boards is beyond
the scope of our authority under HIPAA. In addition, this
recommendation raises concerns that would need to be addressed,
including concerns about protecting the confidentiality of research
participants and propriety information that may be contained in
research proposals. For these reasons, we decided not to incorporate
this requirement into the final rule.
Comment: One commenter recommended that HHS collect data on
research-related breaches of confidentiality and investigate existing
anecdotal reports of such breaches.
Response: This recommendation is beyond HHS' legal authority, since
HIPAA did not give us the authority to regulate researchers. Therefore,
this recommendation was not included in the final rule.
Comment: A number of commenters were concerned that HIPAA did not
give the Secretary the authority to protect information once it was
disclosed to researchers who were not covered entities.
Response: The Secretary shares these commenters' concerns about the
Department's limited authority under HIPAA. We strongly support the
enactment of additional federal legislation to fill these crucial gaps
in the Secretary's authority.
Comment: One commenter recommended that covered entities should be
required to retain the IRB's or privacy board's documentation of
approval of the waiver of individuals' authorization for at least six
years from when the waiver was obtained.
Response: We agree with this comment and have included such a
requirement in the final rule. See Sec. 164.530(j).
Comment: One commenter recommended that whenever health information
is used for research or administrative purposes, a plan is in place to
evaluate whether to and how to feed patient-specific information back
into the health system to benefit an individual or group of patients
from whom the health information was derived.
Response: While we agree that this recommendation is consistent
with the
[[Page 82694]]
responsible conduct of research, HIPAA did not give us the authority to
regulate research. Therefore, this recommendation was not included in
the final rule.
Comment: A few commenters recommended that contracts between
covered entities and researcher be pursued. Comments received in favor
of requiring contractual agreements argued that such a contract would
be enforceable under law, and should prohibit secondary disclosures by
researchers. Some of these commenters recommended that contracts
between covered entities and researchers should be the same as, or
modeled on, the proposed requirements for business partners. In
addition, some commenters argued that contracts between covered
entities and researchers should be required as a means of placing equal
responsibility on the researcher for protecting protected health
information and for not improperly re-identifying information.
Response: In the final rule, we have added an additional waiver
criteria to require that there are adequate written assurances from the
researcher that protected health information will not be re-used or
disclosed to any other person or entity, except as required by law, for
authorized oversight of the research project, or for other research for
which the use or disclosure of protected health information would be
permitted by this subpart. We believe that this additional waiver
criteria provides additional assurance that protected health
information will not be misused by researchers, while not imposing the
additional burdens of a contractual requirement on covered health care
providers and health plans. We were not persuaded by the comments
received that contractual requirements would provide necessary
additional protections, that would not also be provided by the less
burdensome waiver criteria for adequate written assurance that the
researcher will not re-use or disclose protected health information,
with few exceptions. Our intent was to strengthen and extend existing
privacy safeguards for protected health information that is used or
disclosed for research, while not creating unnecessary disincentives to
covered health care providers and health plans who choose to use or
disclose protected health information for research purposes.
Comment: Some commenters explicitly opposed requiring contracts
between covered entities and researchers as a condition of permitting
the use or disclosure of protected health information for research
purposes. These commenters argued that such a contractual requirement
would be too onerous for covered entities and researchers and would
hinder or halt important research.
Response: We agree with the arguments raised by these commenters,
and thus, the final rule does not require contracts between covered
entities and researchers as a condition of using or disclosing
protected health information for research purposes without
authorization.
Comment: A large number of commenters strongly supported requiring
patient consent before protected health information could be used or
disclosed, including but not limited to use and disclosure for research
purposes. These commenters argued that the unconsented-to use of their
medical records abridged their autonomy right to decide whether or not
to participate in research. A few referenced the Nuremberg Code in
support of their view, noting that the Nuremberg Code required
individual consent for participation in research.
Response: We agree that it is of foremost importance that
individuals' privacy rights and welfare be safeguarded when protected
health information about themselves is used or disclosed for research
studies. We also strongly believe that continued improvements in the
nation's health requires that researchers be permitted access to
protected health information without authorization in certain
circumstances. Additional privacy protections are needed, however, and
we have included several in the final rule. If covered entities plan to
disclose protected health without individuals' authorization for
research purposes, individuals must be informed of this through the
covered entity's notice to patients of their information practices. In
addition, before covered health care providers or health plans may use
or disclose protected health information for research without
authorization, they must obtain documentation that an IRB or privacy
board has found that specified waiver criteria have been met, unless
the research will include protected health information about deceased
individuals only, or is solely for reviews that are preparatory to
research.
While it is true that the first provision of the Nuremberg Code
states that ``the voluntary consent of the human subject is absolutely
essential,'' it is important to understand the context of this
important document in the history of protecting human subjects research
from harm. The Nuremberg Code was developed for the Nuremberg Military
Tribunal as standards by which to judge the human experimentation
conducted by the Nazis, and was one of the first documents setting
forth principles for the ethical conduct of human subjects research.
The acts of atrocious cruelty that the Nuremberg Code was developed to
address, focused on preventing the violations to human rights and
dignity that occurred in the name of ``medical advancement.'' The Code,
however, did not directly address the ethical conduct of non-
interventional research, such as medical records research, where the
risk of harm to participants can be unlike those associated with
clinical research.
We believe that the our proposed requirements for the use or
disclosure of protected health information for research are consistent
with the ethical principles of ``respect for persons,''
``beneficence,'' and ``justice,'' which were established by the Belmont
Report in 1978, and are now accepted as the quintessential requirements
for the ethical conduct of research involving human subjects, including
research using individually identifiable health information. These
ethical principles formed the foundation for the requirements in the
Common Rule, on which our proposed requirements for research uses and
disclosures were modeled.
Comment: Many commenters recommended that the privacy rule permit
individuals to opt out of having their records used for the identified
``important'' public policy purposes in Sec. 164.510, including for
research purposes. These commenters asserted that permitting the use
and disclosure of their protected health information without their
consent, or without an opportunity to ``opt out'' of having their
information used or disclosed, abridged individuals' right to decide
who should be permitted access to their medical records. In addition,
one commenter argued that although the research community has been
sharply critical of a Minnesota law that limits access to health
records (Minnesota Statute Section 144.335 (1998)), researchers have
cited a lack of response to mailed consent forms as the primary factor
behind a decrease in the percentage of medical records available for
research. This commenter argued that an opt-out provision would not be
subject to this ``nonresponder'' problem.
Response: We believe that a meaningful right to ``opt out'' of a
research study requires that individuals be contacted and informed
about the study for which protected health information about themselves
is being requested by a researcher. We concluded, therefore, that an
``opt out'' provision of this nature may suffer from
[[Page 82695]]
the same decliner bias that has been experienced by researchers who are
subject to laws that require patient consent for medical records
research. Furthermore, evidence on the effect of a mandatory ``opt
out'' provision for medical records research is only fragmentary at
this time, but at least one study has preliminarily suggested that
those who refuse to consent for research access to their medical
records may differ in statistically significant ways from those who
consent with respect to variables such as age and disease category (SJ
Jacobsen et al. ``Potential Effect of Authorization Bias on Medical
Records Research.'' Mayo Clin Proc 74: (1999) 330-338). For these
reasons, we disagree with the commenters who recommended that an ``opt
out'' provision be included in the final rule. In the final rule, we do
require covered entities to include research disclosures in their
notice of information practices. Therefore, individuals who do not wish
for protected health information about themselves to be disclosed for
research purposes without their authorization could select a health
care provider or health plan on this basis. In addition, the final rule
also permits covered health care providers or health plans to agree not
to disclose protected health information for research purposes, even if
research disclosures would otherwise be permitted under their notice of
information practices. Such an agreement between a covered health care
provider or health plan and an individual would not be enforceable
under the final rule, but might be enforceable under applicable state
law.
Comment: Some commenters explicitly recommended that there should
be no provision permitting individuals to opt out of having their
information used for research purposes.
Response: We agree with these commenters for the reasons discussed
above.
IRB and Privacy Board Review
Comments: The NPRM imposed no requirements for the location or
sponsorship of the IRB or privacy board. One commenter supported the
proposed approach to permit covered entities to rely on documentation
of a waiver by a IRB or privacy board that was convened by the covered
entity, the researcher, or another entity.
In contrast, a few commenters recommended that the NPRM require
that the IRB or privacy board be outside of the entity conducting the
research, although the rationale for these recommendations was not
provided. Several industry and consumer groups alternatively
recommended that the regulation require that privacy boards be based at
the covered entity. These comments argued that ``if the privacy board
is to be based at the entity receiving data, and that entity is not a
covered entity, there will be little ability to enforce the regulation
or study the effectiveness of the standards.''
Response: We agree with the comment supporting the proposed rule's
provision to impose no requirements for the location or sponsorship of
the IRB or privacy board that was convened to review a research
proposal for the alteration or waiver of authorization criteria. In the
absence of a rationale, we were not persuaded by the comments asserting
that the IRB or privacy board should be convened outside of the covered
entity. In addition, while we agree with the comments that asserted HHS
would have a greater ability to enforce the rule if a privacy board was
established at the covered entity rather than an uncovered entity, we
concluded that the additional burden that such a requirement would
place on covered entities was unwarranted. Furthermore, under the
Common Rule and FDA's protection of human subjects regulations, IRB
review often occurs at the site of the recipient researchers'
institution, and it was not our intent to change this practice.
Therefore, in the final rule, we continue to impose no requirements for
the location or sponsorship of the IRB or privacy board.
Privacy Board Membership
Comment: Some commenters were concerned that the proposed
composition of the privacy board did not adequately address potential
conflicts of interest of the board members, particularly since the
proposed rule would have permitted the board's ``unaffiliated'' member
to be affiliated with the entity disclosing the protected health
information for research purposes. To address this concern, some
commenters recommended that the required composition of privacy boards
be modified to require ``* * * at least one member who is not
affiliated with the entity receiving or disclosing protected health
information.'' These commenters believed that this addition would be
more sound and more consistent with the Common Rule's requirements for
the composition of IRBs. Furthermore, it was argued that this
requirement would prohibit covered entities from creating a privacy
board comprised entirely of its own employees.
Response: We agree with these comments. In the final rule we have
revised the proposed membership for privacy board to reduce potential
conflict of interest among board members. The final rule requires that
documentation of alteration or waiver from a privacy board, is only
valid under Sec. 164.512(i) if the privacy board includes at least one
member who is not affiliated with the covered entity, not affiliated
with any entity conducting or sponsoring the research, and not related
to a person who is affiliated with such entities.
Comment: One commenter recommended that privacy boards be required
to include more than one unaffiliated member to address concerns about
conflict of interest among members.
Response: We disagree that privacy boards should be required to
include more than one unaffiliated member. We believe that the revised
membership criterion for the unaffiliated member of the privacy board,
and the criterion that requires that the board have no member
participating in a review of any project in which the member has a
conflict of interest, are sufficient to ensure that no member of the
board has a conflict of interest in a research proposal under their
review.
Comment: Many commenters also recommended that the membership of
privacy boards be required to be more similar to that of IRBs. These
commenters were concerned that privacy boards, as described in the
proposed rule, would not have the needed expertise to adequately review
and oversee research involving the use of protected health information.
A few of these commenters also recommended that IRBs be required to
have at least one member trained in privacy or security matters.
Response: We disagree with the comments asserting that the
membership of privacy boards should be required be more similar to
IRBs. Unlike IRBs, privacy boards only have responsibility for
reviewing research proposals that involve the use or disclosure of
protected health information without authorization. We agree, however,
that the proposed rule may not have ensured that the privacy board had
the necessary expertise to protect adequately individuals' privacy
rights and interests. Therefore, in the final rule, we have modified
one of the membership criteria for privacy board to require that the
board has members with varying backgrounds and appropriate professional
competency as necessary to review the effect of the research protocol
on the individual's privacy rights and related interests.
Comment: Two commenters recommended that IRBs and privacy
[[Page 82696]]
boards be required to include patient advocates.
Response: The Secretary's legal authority under HIPAA does not
permit HHS to modify the membership of IRBs. Moreover, we disagree with
the comments recommending that IRBs and privacy board should be
required to include patient advocates. We were not persuaded that
patient advocates are the only persons with the needed expertise to
protect patients' privacy rights and interests. Therefore, in the final
rule, we do not require that patient advocates be included as members
of a privacy board. However, under the final rule, IRBs and privacy
board members could include patient advocates provided they met the
required membership criteria in Sec. 164.512(i).
Comment: A few commenters requested clarification of the term
``conflict of interest'' as it pertained to the proposed rule's
criteria for IRB and privacy board membership. In particular, some
commenters recommended that the final rule clarify what degree of
involvement in a research project by a privacy board member would
constitute a conflict, thereby precluding that individual's
participation in a review. One commenter specifically requested
clarification about whether employment by the covered entity
constituted a conflict of interest, particularly if the covered entity
is receiving a financial gain from the conduct of the research.
Response: We understand that determining what constitutes conflict
of interest can be complex. We do not believe that employees of covered
entities or employees of the research institution requesting protected
health information for research purposes are necessarily conflicted,
even if those employees may benefit financially from the research.
However, there are many factors that should be considered in assessing
whether a member of an IRB has a conflict of interest, including
financial and intellectual conflicts.
As part of a separate, but related effort to the final rule, during
the summer of 2000, HHS held a conference on human subject protection
and financial conflicts of interest. In addition, HHS solicited
comments from the public about financial conflicts of interest
associated with human subjects research for researchers, IRB members
and staff, and research sponsors. The findings from the conference and
the public comments received are forming the basis for guidance that
HHS is now developing on financial conflicts of interest.
Privacy Training for IRB and Privacy Boards
Comment: A few commenters expressed support for training IRB
members and chairs about privacy issues, recommending that such
training either be required or that it be encouraged in the final rule.
Response: We agree with these comments and thus encourage
institutions that administer IRBs and privacy boards to ensure that the
members of these boards are adequately trained to protect the privacy
rights and welfare of individuals about whom protected health
information is used for research purposes. In the final rule, we
require that privacy board members have varying backgrounds and
appropriate professional competency as necessary to review the effect
of the research protocol on the individual's privacy rights and related
interests. We believe that this criterion for privacy board membership
requires that members already have the necessary knowledge or that they
be trained to address privacy issues that arise in the conduct of
research that involves the use of protected health information. In
addition, we note that the Common Rule (Sec. ____.107(a)) already
imposes a general requirement that IRB members posses adequate training
and experience to adequately evaluate the research which it reviews.
IRBs are also authorized to obtain the services of consultants
(Sec. ____.107(f)) to provide expertise not available on the IRB. We
believe that these existing requirements in the Common Rule already
require that an IRB have the necessary privacy expertise.
Waiver Criteria
Comment: A large number of comments supported the proposed rule's
criteria for the waiver of authorization by an IRB or privacy board.
Response: While we agree that several of the waiver criteria should
be retained in the final rule, we have made changes to the waiver
criteria to address some of the comments we received on specific
criteria. These reason for these changes are discussed in the response
to comments below.
Comment: In addition to the proposed waiver criteria, several
commenters recommended that the final rule also instruct IRBs and
privacy boards to consider the type of protected health information and
the sensitivity of the information to be disclosed in determining
whether to grant a waiver, in whole or in part, of the authorization
requirements.
Response: We agree with these comments, but believe that the
requirement to consider the type and sensitivity of protected health
information was already encompassed by the proposed waiver criteria. We
encourage and expect that IRBs and privacy boards will take into
consideration the type and sensitivity of protected health information,
as appropriate, in considering the waiver criteria included in the
final rule.
Comment: Many commenters were concerned that the criteria were not
appropriate in the context of privacy risks and recommended that the
waiver criteria be rewritten to more precisely focus on the protection
of patient privacy. In addition, some commenters argued that the
proposed waiver criteria were redundant with the Common Rule and were
confusing because they mix elements of the Common Rule's waiver
criteria--some of which they argued were relevant only to
interventional research. In particular, a number of commenters raised
these concerns about proposed criterion (ii). Some of these commenters
suggested that the word ``privacy'' be inserted before ``rights.''
Response: We agree with these comments. To focus all of the
criterion on individuals' privacy interests, in the final rule, we have
modified one of the proposed waiver criteria, eliminated one proposed
criterion, and added an additional criterion : (1) the proposed
criterion which stated, ``the waiver will not adversely affect the
rights and welfare of the subjects,'' has been revised in the final
rule as follows: ``the alteration or waiver will not adversely affect
the privacy rights and the welfare of the individuals;'' (2) the
proposed criterion which stated, ``whenever appropriate, the subjects
will be provided with additional pertinent information after
participation,'' has been eliminated; and (3) a criterion has been
added in the final rule which states, ``there are adequate written
assurances that the protected health information will not be re-used or
disclosed to any other person or entity, except as required by law, for
authorized oversight of the research project, or for other research for
which the use or disclosure of protected health information would be
permitted by this subpart.'' In addressing these criteria, we expect
that IRBs and privacy boards will not only consider the immediate
privacy interests of the individual that would arise from the proposed
research study, but also the possible implications from a loss of
privacy, such as the loss of employment, loss or change in cost of
health insurance, and social stigma.
[[Page 82697]]
Comment: A number of commenters were concerned about the
interaction between the proposed rule and the Common Rule. One
commenter opposed the four proposed waiver criteria which differed from
the Common Rule's criteria for the waiver of informed consent
(Sec. ____.116(d)) on the grounds that the four criteria proposed in
addition to the Common Rule's waiver criteria would apply only to the
research use and disclosure of protected health information by covered
entities. This commenter argued that this would lead to different
standards for the protection of other kinds of individually
identifiable health information used in research that will fall outside
of the scope of the final rule. This commenter concluded that this
inconsistency would be difficult for IRBs to administer, difficult for
IRB members to distinguish, and would be ethically questionable. For
these reasons, many commenters recommended that the final rule should
permit the waiver criteria of the Common Rule, to be used in lieu of
the waiver criteria identified in the proposed rule.
Response: We disagree with the comments recommending that the
waiver criteria of the Common Rule should be permitted to be used in
lieu of the waiver criteria identified in the proposed rule. The Common
Rule's waiver criteria were designed to protect research subjects from
all harms associated with research, not specifically to protect
individuals' privacy interests. We understand that the waiver criteria
in the final rule may initially cause confusion for IRBs and
researchers that must attend to both the final rule and the Common
Rule, but we believe that the additional waiver criteria adopted in the
final rule are essential to ensure that individuals' privacy rights and
welfare are adequately safeguarded when protected health information
about themselves is used for research without their authorization. We
agree that ensuring that the privacy rights and welfare of all human
subjects--involved in all forms of research--is ethically required, and
the new Office of Human Research Protection will immediately initiate
plans to review the confidentiality provisions of the Common Rule.
In addition, at the request of the President, the National
Bioethics Advisory Commission has begun an examination of the current
federal human system for the protection of human subjects in research.
The current scope of the federal regulatory protections for protecting
human subjects in research is just one of the issues that will be
addressed in the by the Commission's report, and the Department looks
forward to receiving the Commission's recommendations.
Concerns About Specific Waiver Criteria
Comment: One commenter argued that the term ``welfare'' was vague
and recommended that it be deleted from the proposed waiver of
authorization criterion which stated, ``the waiver will not adversely
affect the rights and welfare of the subjects.''
Response: We disagree with the comment recommending that the final
rule eliminate the term ``welfare'' from this waiver criterion. As
discussed in the National Bioethics Advisory Commission's 1999 report
entitled, ``Research Involving Human Biological Materials: Ethical
Issues and Policy Guidance,'' ``Failure to obtain consent may adversely
affect the rights and welfare of subjects in two basic ways. First, the
subject may be improperly denied the opportunity to choose whether to
assume the risks that the research presents, and second, the subject
may be harmed or wronged as a result of his or her involvement in
research to which he or she has not consented * * *. Subjects' interest
in controlling information about themselves is tied to their interest
in, for example, not being stigmatized and not being discriminated
against in employment and insurance.'' Although this statement by the
Commission was made in the context of research involving human
biological materials, we believe research that involves the use of
protected health information similarly requires that social and
psychological harms be considered when assessing whether an alteration
or waiver will adversely affect the privacy rights and welfare of
individuals. We believe it would be insufficient to attend only to
individuals' privacy ``rights'' since some of the harms that could
result from a breach of privacy, such as stigmatization, and
discrimination in employment or insurance, may not be tied directly to
an individuals' ``rights,'' but would have a significant impact on
their welfare. Therefore, in the final rule, we have retained the term
``welfare'' in this criterion for the alteration or waiver of
authorization but modified the criterion as follows to focus more
specifically on privacy concerns and to clarify that it pertains to
alterations of authorization: ``the alteration or waiver will not
adversely affect the privacy rights and the welfare of the
individual.''
Comment: A few commenters recommended that the proposed waiver
criteria that stated, ``the research could not practicably be conducted
without the waiver,'' be modified to eliminate the term
``practicably.'' These commenters believed that determining
``practicably'' was subjective and that its elimination would
facilitate IRBs' and privacy boards' implementation of this criterion.
In addition, one commenter was concerned that this term could be
construed to require authorization if enough weight is given to a
privacy interest, and little weight is given to cost or administrative
burden. This commenter recommended that the criterion be changed to
allow a waiver if the ``disclosure is necessary to accomplish the
research or statistical purpose for which the disclosure is to be
made.''
Response: We disagree with the comments recommending that the term
``practicability'' be deleted from this waiver criterion. We believe
that an assessment of practicability is necessary to account for
research that may be possible to conduct with authorization but that
would be impracticable if authorization were required. For example, in
research study that involves thousands of records, it may be possible
to track down all potential subjects, but doing so may entail costs
that would make the research impracticable. In addition, IRBs have
experience implementing this criterion since it is nearly identical to
a waiver criterion in the Common Rule (Sec. __.116(d)(3)).
We also disagree with the recommendation to change the criterion to
state, ``disclosure is necessary to accomplish the research or
statistical purpose for which the disclosure is to be made.'' We
believe it is essential that consideration be given as to whether it
would be practicable for research to be conducted with authorization in
determining whether a waiver of authorization is justified. If the
research could practicably be conducted with authorization, then
authorization must be sought. Authorization must not be waived simply
for convenience.
Therefore, in the final rule, we have retained this criterion and
clarified that it also applies to alterations of authorization. This
waiver criterion in the final rule states, ``the research could not
practicably be conducted without the alteration or waiver.''
Comment: Some commenters argued that the criterion which stated,
``whenever appropriate, the subjects will be provided with additional
pertinent information after participation,'' should be deleted. Some
comments recommended that the criterion should be deleted for privacy
reasons, arguing that it would be inappropriate to create a reason for
the researcher to contact the individual
[[Page 82698]]
whose data were analyzed, without IRB review of the proposed contact as
a patient intervention. Other commenters argued for the deletion of the
criterion on grounds that requiring researchers to contact patients
whose records were used for archival research would be unduly
burdensome, while adding little to the patient's base of information.
Several commenters also argued that the criterion was not pertinent to
non-interventional retrospective research requiring access to archived
protected health information.
In addition, one commenter asserted that this criterion was
inconsistent with the Secretary's rationale for prohibiting disclosures
of ``research information unrelated to treatment'' for purposes other
than research. This commenter argued that the privacy regulations
should not mandate that a covered entity provide information with
unknown validity or utility directly to patients. This commenter
recommended that a patient's physician, not the researcher, should be
the one to contact a patient to discuss the significance of new
research findings for that individual patient's care.
Response: Although we disagree with the arguments made by
commenters recommending that this criterion be eliminated in the final
rule, we concluded that the criterion was not directly related to
ensuring the privacy rights and welfare of individuals. Therefore, we
eliminated this criterion in the final rule.
Comment: A few commenters recommended that the criterion, which
required that ``the research would be impracticable to conduct without
access to and use of the protected health information,'' be deleted
because it would be too subjective to be meaningful.
Response: We disagree with comments asserting that this proposed
criterion would be too subjective. We believe that researchers should
be required to demonstrate to an IRB or privacy board why protected
health information is necessary for their research proposal. If a
researcher could practicably use de-identified health information for a
research study, protected health information should not be used or
disclosed for the study without individuals' authorization. Therefore,
we retain this criterion in the final rule. In considering this
criterion, we expect IRBs and privacy boards to consider the amount of
information that is needed for the study. To ensure the covered health
care provider or health plan is informed of what information the IRB or
privacy board has determined may be used or disclosed without
authorization, the final rule also requires that the documentation of
IRB or privacy board approval of the alteration or waiver describe the
protected health information for which use or access has been
determined to be necessary.
Comment: A large number of comments objected to the proposed waiver
criterion, which stated that, ``the research is of sufficient
importance so as to outweigh the intrusion of the privacy of the
individual whose information is subject to the disclosure.'' The
majority of these commenters argued that the criterion was overly
subjective, and that due to its subjectivity, IRBs and privacy boards
would inevitably apply it inconsistently. Several commenters asserted
that this criterion was unsound in that it would impose on reviewing
bodies the explicit requirement to form and debate conflicting value
judgments about the relative weights of the research proposal versus an
individual's right to privacy. Furthermore these commenters argued that
this criterion was also unnecessary because the Common Rule already has
a requirement that deals with this issue more appropriately. In
addition, one commenter argued that the rule eliminate this criterion
because common purposes should not override individual rights in a
democratic society. Based on these arguments, these commenters
recommended that this criterion be deleted.
Response: We disagree that it is inappropriate to ask IRBs and
privacy boards to ensure that there is a just balance between the
expected benefits and risks to individual participants from the
research. As noted by several commenters, IRBs currently conduct such a
balancing of risks and benefits because the Common Rule contains a
similar criterion for the approval of human subjects research
(Sec. __.111(a)(2)). However, we disagree with the comments asserting
that the proposed criterion was unnecessary because the Common Rule
already contains a similar criterion. The Common Rule does not
explicitly address the privacy interests of research participants and
does not apply to all research that involves the use or disclosure of
protected health information. However, we agree that the relevant
Common Rule criterion for the approval of human subjects research
provides better guidance to IRBs and privacy boards for assessing the
privacy risks and benefits of a research proposal. Therefore, in the
final rule, we modeled the criterion on the relevant Common Rule
requirement for the approval of human subjects research, and revised
the proposed criterion to state: ``the privacy risks to individuals
whose protected health information is to be used or disclosed are
reasonable in relation to the anticipated benefits if any to the
individuals, and the importance of the knowledge that may reasonably be
expected to result from the research.''
Comment: One commenter asserted that as long as the research
organization has adequate privacy protections in place to keep the
information from being further disclosed, it is unnecessary for the IRB
or privacy board to make a judgment on whether the value of the
research outweighs the privacy intrusion.
Response: The Department disagrees with the assertion that adequate
safeguards of protected health information are sufficient to ensure
that the privacy rights and welfare of individuals are adequately
protected. We believe it is imperative that there be an assessment of
the privacy risks and anticipated benefits of a research study that
proposes to use protected health information without authorization. For
example, if a research study was so scientifically flawed that it would
provide no useful knowledge, any risk to patient privacy that might
result from the use or disclosure of protected health information
without individuals' authorization would be too great.
Comment: A few commenters asserted that the proposed criterion
requiring ``an adequate plan to destroy the identifiers at the earliest
opportunity consistent with the conduct of the research, unless there
is a health or research justification for retaining identifiers,''
conflicted with the regulations of the FDA on clinical record keeping
(21 CFR 812.140(d)) and the International Standard Organization on
control of quality records (ISO 13483, 4.16), which require that
relevant data be kept for the life of a device.
In addition, one commenter asserted that this criterion could
prevent follow up care. Similarly, other commenters argued that the new
waiver criteria would be likely to confuse IRBs and may impair
researchers' ability to go back to IRBs to request extensions of time
for which samples or data can be stored if researchers are unable to
anticipate future uses of the data.
Response: We do not agree with the comment that there is a conflict
between either the FDA or the ISO regulations and the proposed waiver
criteria in the rule. We believe that compliance with such
recordkeeping requirements would be ``consistent with the conduct of
research'' which is subject to such requirements. Nonetheless, to avoid
any confusion, in the final rule we have added the phrase ``or such
retention is
[[Page 82699]]
otherwise required by law'' to this waiver criterion.
We also disagree with the comments that this criterion would
prevent follow up care to individuals or unduly impair researchers from
retaining identifiers on data for future research. We believe that
patient care would qualify as a ``health * * * justification for
retaining identifiers.'' In addition, we understand that researchers
may not always be able to anticipate that the protected health
information they receive from a covered health care provider or health
plan for one research project may be useful for the conduct of future
research studies. However, we believe that the concomitant risk to
patient privacy of permitting researchers to retain identifiers they
obtained without authorization would undermine patient trust, unless
researchers could identify a health or research justification for
retaining the identifiers. In the final rule, an IRB or privacy board
is not required to establish a time limit on a researcher's retention
of identifiers.
Additional Waiver Criteria
Comment: A few comments recommended that there be a additional
waiver criterion to safeguard or limit subsequent use or disclosure of
protected health information by the researcher.
Response: We agree with these comments. In the final rule, we
include a waiver criterion requiring ``there are adequate written
assurances that the protected health information will not be re-used or
disclosed to any other person or entity, except as required by law, for
authorized oversight of the research project, or for other research for
which the use or disclosure of protected health information would be
permitted by this subpart.''
Waiving Authorization, in Whole or in Part
Comment: A few commenters requested that the final rule clarify
what ``in whole or in part'' means if authorization is waived or
altered.
Response: In the proposed rule, it was HHS' intent to permit IRBs
and privacy boards to either waive all of the elements for
authorization, or alternatively, waive only some of the elements of
authorization. Furthermore, we also intended to permit IRBs and privacy
boards to alter the authorization requirements. Therefore, in the final
rule, we clarify that the alteration to and waiver of authorization, in
whole or in part, are permitted as stipulated in Sec. 164.512(i).
Expedited Review
Comment: One commenter asserted that the proposed rule would
prohibit expedited review as permitted under the Common Rule. Many
commenters supported the proposal in the rule to incorporate the Common
Rule's provision for expedited review, and strongly recommended that
this provision be retained in the final rule. Several of these
commenters argued that the expedited review mechanism provides IRBs
with the much-needed flexibility to focus volunteer-IRB members'
limited resources.
Response: We agree that expedited review should be available, and
included a provision permitting expedited review under specified
conditions. We understand that the National Bioethics Advisory
Commission is currently developing a report on the federal oversight of
human subjects research, which is expected to address the Common Rule's
requirements for expedited review. HHS looks forward to receiving the
National Bioethics Advisory Commission's report, and will modify the
provisions for expedited review in the privacy rule if changes are
warranted by the Commission's findings and recommendations.
Required Signature
Comment: A few commenters asserted that the proposed requirement
that the written documentation of IRB or privacy board approval be
signed by the chair of the IRB or the privacy board was too
restrictive. Some commenters recommended that the final rule permit the
documentation of IRB or privacy board approval to be signed by persons
other than the IRB or privacy board chair, including: (1) Any person
authorized to exercise executive authority under IRB's or privacy
board's written procedures; (2) the IRB's or privacy board's acting
chair or vice chair in the absence of the chair, if permitted by IRB
procedures; and (3) the covered entity's privacy official.
Response: We agree with the commenters who argued that the final
rule should permit the documentation of IRB or privacy board approval
to be signed by someone other than the chair of the board. In the final
rule, we permit the documentation of alteration or waiver of
authorization to be signed by the chair or other member, as designated
by the chair of the IRB or privacy board, as applicable.
Research Use and Disclosure With Authorization
Comment: Some commenters, including several industry and consumer
groups, argued that the proposed rule would establish a two-tiered
system for public and private research. Privately funded research
conducted with an authorization for the use or disclosure of protected
health information would not require IRB or privacy board review, while
publically funded research conducted with authorization would require
IRB review as required by the Common Rule. Many of these commenters
argued that authorization is insufficient to protect patients involved
in research studies and recommended that IRB or privacy board review
should be required for all research regardless of sponsor. These
commenters asserted that it is not sufficient to obtain authorization,
and that IRBs and privacy boards should review the authorization
document, and assess the risks and benefits to individuals posed by the
research.
Response: For the reasons we rejected the recommendation that we
eliminate the option for privacy board review and require IRB review
for the waiver of authorization, we also decided against requiring
documentation of IRB or privacy board approval for research conducted
with authorization. HHS strongly agrees that IRB review is essential
for the adequate protection of human subjects involved in research,
regardless of whether informed consent and/or individuals'
authorization is obtained. In fact, IRB review may be even more
important for research conducted with subjects' informed consent and
authorization since such research may present greater than minimal risk
to participants. However, HHS' authority under HIPAA is limited to
safeguarding the privacy of protected health information, and does not
extend to protecting human subjects more broadly. Therefore, in the
final rule we have not required documentation of IRB or privacy board
review for the research use or disclosure of protected health
information conducted with individuals' authorization. As mentioned
above, HHS looks forward to receiving the recommendations of the
National Bioethics Advisory Commission, which is currently examining
the current scope of federal regulatory protections for protecting
human subjects in research as part of its overarching report on the
federal oversight of human subjects protections.
Comment: Due to concern about several of the elements of
authorization, many commenters recommended that the final rule
stipulate that ``informed consent'' obtained pursuant to the Common
Rule be deemed to meet the requirements for ``authorization.'' These
commenters argued that the NPRM's
[[Page 82700]]
additional authorization requirements offered no additional protection
to research participants but would be a substantive impediment to
research.
Response: We disagree with the comments asserting that the proposed
requirements for authorization for the use or disclosure of protected
health information would have offered research subjects no additional
privacy protection. Because the purposes of authorization and informed
consent differ, the proposed rule's requirements for authorization
pursuant to a request from a researcher (Sec. 164.508) and the Common
Rule's requirements for informed consent (Common Rule, Sec. __.116)
contain important differences. For example, unlike the Common Rule, the
proposed rule would have required that the authorization include a
description of the information to be used or disclosed that identifies
the information in a specific and meaningful way, an expiration date,
and where, use of disclosure of the requested information will result
in financial gain to the entity, a statement that such gain will
result. We believe that the authorization requirements provide
individuals with information necessary to determine whether to
authorize a specific use or disclosure of protected health information
about themselves, that are not required by the Common Rule.
Therefore, in the final rule, we retain the requirement for
authorization for all uses and disclosures of protected health
information not otherwise permitted without authorization by the rule.
Some of the proposed requirements for authorization were modified in
the final rule as discussed in the preamble on Sec. 164.508. The
comments received on specific proposed elements of authorization as
they would have pertained to research are addressed below.
Comment: A number of commenters, including several from industry
and consumer groups, recommended that the final rule require patients'
informed consent as stipulated in the Common Rule. These commenters
asserted that the proposed authorization document was inadequate for
research uses and disclosures of protected health information since it
included fewer elements than required for informed consent under the
Common Rule, including for example, the Common Rule's requirement that
the informed consent document include: (1) A description of any
reasonably foreseeable risks or discomforts to the subject; (2) a
description of any benefits to the subject or to others which may
reasonably be expected from the research (Common Rule, Sec. __.116(a)).
Response: While we agree that the ethical conduct of research
requires the voluntary informed consent of research subjects, as
stipulated in the Common Rule, as we have stated elsewhere, the privacy
rule is limited to protecting the confidentiality of individually
identifiable health information, and not protecting human subjects more
broadly. Therefore, we believe it would not be within the scope of the
final rule to require informed consent as stipulated by the Common Rule
for research uses and disclosures of protected health information.
Comment: Several commenters specifically objected to the
authorization requirement for a ``expiration date.'' To remedy this
concern, many of these commenters proposed that the rule exempt
research from the requirement for an expiration date if an IRB has
reviewed and approved the research study. In particular, some
commenters asserted that the requirement for an expiration date would
be impracticable in the context of clinical trials, where the duration
of the study depends on several different factors that cannot be
predicted in advance. These commenters argued that determining an exact
date would be impossible due to the legal requirements that
manufactures and the Food and Drug Administration be able to
retrospectively audit the source documents when patient data are used
in clinical trials. In addition, some commenters asserted that a
requirement for an expiration date would force researchers to designate
specific expiration dates so far into the future as to render them
meaningless.
Response: We agree with commenters that an expiration date is not
always possible or meaningful. In the final rule, we continue to
require an identifiable expiration, but permit it to be a specific date
or an event directly relevant to the individual or the purpose of the
authorization (e.g., for the duration of a specific research study) in
which the individual is a participant.
Comment: A number of commenters, including those from the
pharmaceutical industry, were concerned about the authorization
requirement that gave patients the right to revoke consent for
participation in clinical research. These commenters argued that such a
right to revoke authorization for the use of their protected health
information would require complete elimination of the information from
the record. Some stated that in the conduct of clinical trials, the
retrieval of individually identifiable health information that has
already been blinded and anonymized, is not only burdensome, but should
this become a widespread practice, would render the trial invalid. One
commenter suggested that the Secretary modify the proposed regulation
to allow IRBs or privacy boards to determine the duration of
authorizations and the circumstances under which a research participant
should be permitted to retroactively revoke his or her authorization to
use data already collected by the researcher.
Response: We agree with these concerns. In the final rule we have
clarified that an individual cannot revoke an authorization to the
extent that action has been taken in reliance on the authorization.
Therefore, if a covered entity has already used or disclosed protected
health information for a research study pursuant to an authorization
obtained as required by Sec. 164.508, the covered entity is not
required under the rule, unless it agreed otherwise, to destroy
protected health information that was collected, nor retrieve protected
health information that was disclosed under such an authorization.
However, once an individual has revoked an authorization, no additional
protected health information may be used or disclosed unless otherwise
permitted by this rule.
Comment: Some commenters were concerned that the authorization
requirement to disclose ``financial gain'' would be problematic as it
would pertain to research. These commenters asserted that this
requirement could mislead patients and would make it more difficult to
attract volunteers to participate in research. One commenter
recommended that the statement be revised to state ``that the clinical
investigator will be compensated for the value of his/her services in
administrating this clinical trial.'' Another commenter recommended
that the authorization requirement for disclosure of financial gain be
defined in accordance with FDA's financial disclosure rules.
Response: We strongly believe that a requirement for the disclosure
of financial gain is imperative to ensure that individuals are informed
about how and why protected health information about themselves will be
used or disclosed. We agree, however, that the language of the proposed
requirement could cause confusion, because most activities involve some
type of financial gain. Therefore, in the final rule, we have modified
the language to provide that when the covered entity initiates
[[Page 82701]]
the authorization and the covered entity will receive direct or
indirect remuneration (rather than financial gain) from a third party
in exchange for using or disclosing the health information, the
authorization must include a statement that such remuneration will
result.
Comment: A few commenters asserted that the requirement to include
a statement in which the patient acknowledged that information used or
disclosed to any entity other than a health plan or health care
provider may no longer be protected by federal privacy law would be
inconsistent with existing protections implemented by IRBs under the
Common Rule. In particular they stated that this inconsistency exists
because IRBs are required to consider the protections in place to
protect patients' confidential information and that IRBs are charged
with ensuring that researchers comply with the confidentiality
provisions of the informed consent document.
Response: We disagree that this proposed requirement would pose a
conflict with the Common Rule since the requirement was for a statement
that the ``information may no longer be protected by the federal
privacy law.'' This statement does not pertain to the protections
provided under the Common Rule. In addition, while we anticipate that
IRBs and privacy boards will most often waive all or none of the
authorization requirements, we clarify an IRB or privacy board could
alter this requirement, among others, if the documentation requirements
of Sec. 164.512(i) have been met.
Reviews Preparatory to Research
Comment: Some industry groups expressed concern that the research
provision would prohibit physicians from using patient information to
recruit subjects into clinical trials. These commenters recommended
that researchers continue to have access to hospitals' and clinics'
patient information in order to recruit patients for studies.
Response: Under the proposed rule, even if the researcher only
viewed the medical record at the site of the covered entity and did not
record the protected health information in a manner that patients could
be identified, such an activity would have constituted a use or
disclosure that would have been subject to proposed Sec. 164.508 or
proposed Sec. 164.510. Based on the comments received and the fact
finding we conducted with the research community, we concluded that
documentation of IRB or privacy board approval could halt the
development of research hypotheses that require access to protected
health information before a formal protocol can be developed and
brought to an IRB or privacy board for approval. To avoid this
unintended result, the final rule permits covered health care providers
and health plans to use or disclose protected health information for
research if the covered entity obtains from the researcher
representations that: (1) Use or disclosure is sought solely to review
protected health information as necessary to prepare a research
protocol or for similar purposes preparatory to research; (2) no
protected health information is to be removed from the covered entity
by the researcher in the course of the review; and (3) the protected
health information for which use or access is sought is necessary for
the research purposes.
Comment: A few commenters asserted that the final rule should
eliminate the possibility that research requiring access to protected
health information could be determined to be ``exempt'' from IRB
review, as provided by the Common Rule (Sec. __.101(b)(4)).
Response: The rule did not propose nor intend to modify any aspect
of the Common Rule, including the provision that exempts from coverage,
``research involving the collection or study of existing data,
documents, records, pathological specimens, or diagnostic specimens, if
these sources are publically available, or if the information is
recorded by the investigator in such a manner that subjects cannot be
identified, directly or indirectly through identifiers linked to the
subjects' (Sec. __.101(b)(4)). For the reasons discussed above, we have
included a provision in the final rule for reviews preparatory to
research that was modeled on this exemption to the Common Rule.
Deceased Persons Exception for Research
Comment: A few commenters expressed support for the proposal to
allow use and disclosure of protected health information about
decedents for research purposes without the protections afforded to the
protected health information of living individuals. One commenter, for
example, explained that it extensively uses such information in its
research, and any restrictions were likely to impede its efforts.
Alternately, a number of commenters provided arguments for eliminating
the research exception for deceased persons. They commented that the
same concerns regarding use and disclosure of genetic and hereditary
information for other purposes apply in the research context. They
believed that in many cases the risk of identification was greater in
the research context because researchers may attempt to identify
genetic and hereditary conditions of the deceased. Finally, they argued
that while information of the deceased does not necessarily identify
living relatives by name, living relatives could be identified and
suffer the same harm as if their own medical records were used or
disclosed for research purposes. Another commenter stated that the
exception was unnecessary, and that existing research could and should
proceed under the requirements in proposed Sec. 164.510 that dictated
the IRB/privacy board approval process or be conducted using de-
identified information. This commenter further stated that in this way,
at least there would be some degree of assurance that all reasonable
steps are taken to protect deceased persons' and their families'
confidentiality.
Response: Although we understand the concerns raised by commenters,
we believe those concerns are outweighed by the need to keep the
research-related policies in this rule as consistent as possible with
standard research practice under the Common Rule, which does not
consider deceased persons to be ``human subjects.'' Thus, we retain the
exception in the final rule. With regard to the protected health
information about a deceased individual, therefore, a covered entity is
permitted to use or disclose such information for research purposes
without obtaining authorization from a personal representative and
absent approval by an IRB or privacy board as governed by
Sec. 164.512(i). We note that the National Bioethics Advisory Committee
(NBAC) is currently considering revising the Common Rule's definition
of ``human subject'' with regard to coverage of the deceased. However,
at this time, NBAC's deliberations on this issue are not yet completed
and any reliance on such discussions would be premature.
The final rule requires at Sec. 164.512(i)(1)(iii) that covered
entities obtain from the researcher (1) representation that the use or
disclosure is sought solely for research on the protected health
information of decedents; (2) documentation, at the request of the
covered entity, of the death of such individuals; and (3)
representation that the protected health information for which use or
disclosure is sought is necessary for the research purposes. It is our
intention with this change to reduce the burden and ambiguity on the
part of the covered entity to determine whether or not the
[[Page 82702]]
request is for protected health information of a deceased individual.
Comment: Some commenters, in their support of the research
exception, requested that HHS clarify in the final rule that protected
health information obtained during the donation process of eyes and eye
tissue could continue to be used or disclosed to or by eye banks for
research purposes without an authorization and without IRB approval.
They expressed concern over the impediments to this type of research
these approvals would impose, such as added administrative burden and
vulnerabilities to the time sensitive nature of the process.
Another commenter similarly expressed the position that, with
regard to uses and disclosures of protected health information for
tissue, fluid, or organ donation, the regulation should not present an
obstacle to the transfer of donations unsuitable for transplant to the
research community. However, they believed that consent can be obtained
for such purposes since the donor or donor's family must generally
consent to any transplant purposes, it would seem to be a minimal
additional obligation to seek consent for research purposes at the same
time, should the material be unsuitable for transplant.
Response: Protected health information about a deceased individual,
including information related to eyes and eye tissue, can be used or
disclosed further for research purposes by a covered entity in
accordance with Sec. 164.512(i)(1)(iii) without authorization or IRB or
privacy board approval. This rule does not address whether organs
unsuitable for transplant may be transferred to researchers with or
without consent.
Modification of the Common Rule
Comment: We received a number of comments that interpreted the
proposed rule as having unnecessarily and inappropriately amended the
Common Rule. Assuming that the Common Rule was being modified, these
comments argued that the rule was legally deficient under the
Administrative Procedures Act, the Regulatory Flexibility Act, and
other controlling Executive orders or laws.
In addition, one research organization expressed concern that, by
involving IRBs in the process of approving a waiver of authorization
for disclosure purposes and establishing new criteria for such waiver
approvals, the proposed rule would have subjected covered entities
whose IRBs failed to comply with the requirements for reviewing and
approving research to potential sanctions under HIPAA. The comment
recommended that the rule be changed to eliminate such a punitive
result. Specifically, the comment recommended that the existing Common
Rule structure be preserved for IRB-approved research, and that the
waiver of authorization criteria for privacy purposes be kept separate
from the other functions of the IRB.
Response: We disagree with the comments asserting the proposed rule
attempted to change the Common Rule. It was not our intent to modify or
amend the Common Rule or to regulate the activities of the IRBs with
respect to the underlying research. We therefore reject the comments
about legal deficiencies in the rule which are based on the mistaken
perception that the Common Rule was being amended. The proposed rule
established new requirements for covered entities before they could use
or disclose protected health information for research without
authorization. The proposed rule provided that one method by which a
covered entity could obtain the necessary documentation was to receive
it from an IRB. We did not mandate IRBs to perform such reviews, and we
expressly provided for means other than through IRBs for covered
entities to obtain the required documentation.
In the final rule, we also have clarified our intent not to
interfere with existing requirements for IRBs by amending the language
in the waiver criteria to make clear that these criteria relate to the
privacy interests of the individual and are separate from the criteria
that would be applied by an IRB to any evaluation of the underlying
research. Moreover, we have restructured the final rule to also make
clear that we are regulating only the content and conditions of the
documentation upon which a covered entity may rely in making a
disclosure of protected health information for research purposes.
We cannot and do not purport to regulate IRBs or modify the Common
Rule through this regulation. We cannot under this rule penalize an IRB
for failure to comply with the Common Rule, nor can we sanction an IRB
based on the documentation requirements in the rule. Health plans and
covered health care providers may rely on documentation from an IRB or
privacy board concerning the alteration or waiver of authorization for
the disclosure of protected health information for research purposes,
provided the documentation, on its face, meets the requirements in the
rule. Health plans and covered health care providers will not be
penalized for relying on facially adequate documentation from an IRB.
Health plans and covered health providers will only be penalized for
their own errors or omissions in following the requirements of the
rule, and not those of the IRB.
Use Versus Disclosure
Comment: Many of the comments supported the proposed rule's
provision that would have imposed the same requirements for both
research uses and research disclosures of protected health information.
Response: We agree with these comments. In the final rule we retain
identical use and disclosure requirements for research uses and
disclosures of protected health information by covered entities.
Comment: In contrast, a few commenters recommended that there be
fewer requirements on covered entities for internal research uses of
protected health information.
Response: For the reasons discussed above in Sec. 164.501 on the
definition of ``research,'' we disagree that an individual's privacy
interest is of less concern when covered entities use protected health
information for research purposes than when covered entities disclose
protected health information for research purposes. Therefore, in the
final rule, the research-related requirements of Sec. 164.512(i) apply
to both uses and disclosures of protected health information for
research purposes without authorization.
Additional Resources for IRBs
Comment: A few commenters recommended that HHS work to provide
additional resources to IRBs to assist them in meeting their new
responsibilities.
Response: This recommendation is beyond our statutory authority
under HIPAA, and therefore, cannot be addressed by the final rule.
However, we fully agree that steps should be taken to moderate the
workload of IRBs and to ensure adequate resources for their activities.
Through the Office for Human Research Protections, the Department is
committed to working with institutions and IRBs to identify efficient
ways to optimize utilization of resources, and is committed to
developing guidelines for appropriate staffing and workload levels for
IRBs.
Additional Suggested Requirements
Comment: One commenter recommended that the documentation of IRB or
privacy board approval also be required to state that, ``the health
researcher has fully disclosed which of
[[Page 82703]]
the protected health information to be collected or created would be
linked to other protected health information, and that appropriate
safeguards be employed to protect information against re-identification
or subsequent unauthorized linkages.''
Response: The proposed provision for the use or disclosure of
protected health information for research purposes without
authorization only pertained to individually identifiable health
information. Therefore, since the information to be obtained would be
individually identifiable, we concluded that it was illogical to
require IRBs and privacy boards document that the researcher had
``fully disclosed that * * * appropriate safeguards be employed to
protect information against re-identification or subsequent
unauthorized linkages.'' Therefore, we did not incorporate this
recommendation into the final rule.
Section 164.512(j)--Uses and Disclosures To Avert a Serious Threat to
Health or Safety
Comment: Several commenters generally stated support for proposed
Sec. 164.510(k), which was titled ``Uses and Disclosures in Emergency
Circumstances.'' One commenter said that ``narrow exceptions to
confidentiality should be permitted for emergency situations such as
duty to warn, duty to protect, and urgent law enforcement needs.''
Another commented that the standard `` * * * based on a reasonable
belief that the disclosures are necessary to prevent or lessen a
serious and imminent threat to the health or safety of an individual''
would apply in only narrow treatment circumstances. Some commenters
suggested that the provision be further narrowed, for example, with
language specifically identifying ``imminent threats'' and a ``chain-
of-command clearance process,'' or by limiting permissible disclosures
under this provision to ``public health emergencies,'' or ``national
emergencies.'' Others proposed procedural requirements, such as
specifying that such determinations may only be made by the patient's
treating physician, a licensed mental health care professional, or as
validated by three physicians. One commenter recommended stating that
the rule is not intended to create a duty to warn or to disclose
protected health information but rather permits such disclosure in
emergency circumstances, consistent with other applicable legal or
ethical standards.
Response: We agree with the commenters who noted that the proposed
provision would apply in rare circumstances. We clarify, however, that
we did not intend for the proposed provision to apply to emergency
treatment scenarios as discussed below. In the final rule, to avoid
confusion over the circumstances in which we intend this section to
apply, we retitle it ``Uses and Disclosures to Avert a Serious Threat
to Health or Safety.''
We do not believe it would be appropriate to narrow further the
scope of permissible disclosures under this section to respond to
specifically identified ``imminent threats,'' a ``public health
emergency,'' or a ``national emergency.'' We believe it would be
impossible to enumerate all of the scenarios that may warrant
disclosure of protected health information pursuant to this section.
Such cases may involve a small number of people and may not necessarily
involve a public health emergency or a national emergency.
Furthermore, in response to comments arguing that the proposed
provision was too broad, we note that under both the NPRM and the final
rule, we allow but do not require disclosures in situations involving
serious and imminent threats to health or safety. Health plans and
covered health care providers may make the disclosures allowed under
Sec. 164.512(j) consistent with applicable law and standards of ethical
conduct.
As indicated in the preamble to the NPRM, the proposed approach is
consistent with statutory and case law addressing this issue. The most
well-known case on the topic is Tarasoff v. Regents of the University
of California, 17 Cal. 3d 425 (1976), which established a duty to warn
those at risk of harm when a therapist's patient made credible threats
against the physical safety of a specific person. The Supreme Court of
California found that the therapist involved in the case had an
obligation to use reasonable care to protect the intended victim of his
patient against danger, including warning the victim of the peril. Many
states have adopted, in statute or through case law, versions of the
Tarasoff duty to warn or protect. Although Tarasoff involved a
psychiatrist, this provision is not limited to disclosures by
psychiatrists or other mental health professionals. As stated in the
preamble of the NPRM, we clarify that Sec. 164.512(j) is not intended
to create a duty to warn or disclose protected health information.
Comment: Several comments addressed the portion of proposed
Sec. 164.510(k) that would have provided a presumption of reasonable
belief to covered entities that disclosed protected health information
pursuant to this provision, when such disclosures were made in good
faith, based on credible representation by a person with apparent
knowledge or authority. Some commenters recommended that this standard
be applied to all permissible disclosures without consent or to such
disclosures to law enforcement officials.
Alternatively, a group representing health care provider management
firms believed that the proposed presumption of reasonable belief would
not have provided covered entities with sufficient protection from
liability exposure associated with improper uses or disclosures. This
commenter recommended that a general good-faith standard apply to
covered entities' decisions to disclose protected health information to
law enforcement officials. A health plan said that HHS should consider
applying the standard of reasonable belief to all uses and disclosures
that would have been allowed under proposed Sec. 164.510. Another
commenter questioned how the good-faith presumption would apply if the
information came from a confidential informant or from a person rather
than a doctor, law enforcement official, or government official. (The
NPRM listed doctors, law enforcement officials, and other government
officials as examples of persons who may make credible representations
pursuant to this section.)
Response: As discussed above, this provision is intended to apply
in rare circumstances--circumstances that occur much less frequently
than those described in other parts of the rule. Due to the importance
of averting serious and imminent threats to health and safety, we
believe it is appropriate to apply a presumption of good faith to
covered entities disclosing protected health information under this
section. We believe that the extremely time-sensitive and urgent
conditions surrounding the need to avert a serious and imminent threat
to the health or safety are fundamentally different from those involved
in disclosures that may be made pursuant to other sections of the rule.
Therefore, we do not believe it would be appropriate to apply to other
sections of the rule the presumption of good faith that applies in
Sec. 164.512(j). We clarify that we intend for the presumption of good
faith to apply if the disclosure is made in good faith based upon a
credible representation by any person with apparent knowledge or
authority--not just by doctors, law enforcement or other government
officials. Our listing of these persons in the NPRM was illustrative
only, and it was not intended to limit the types of
[[Page 82704]]
persons who could make such a credible representation to a covered
entity.
Comment: One commenter questioned under what circumstances proposed
Sec. 164.510(k) would apply instead of proposed Sec. 164.510(f)(5),
``Urgent Circumstances,'' which permitted covered entities to disclose
protected health information to law enforcement officials about
individuals who are or are suspected to be victims of a crime, abuse,
or other harm, if the law enforcement official represents that the
information is needed to determine whether a violation of law by a
person other than the victim has occurred and immediate law enforcement
activity that depends upon obtaining such information may be necessary.
Response: First, we note that inclusion of this provision as
Sec. 164.510(f)(5) was a drafting error which subsequently was
clarified in technical corrections to the NPRM. In fact, proposed
Sec. 164.510(f)(3) addressed the identical circumstances, which in this
subsection were titled ``Information about a Victim of Crime or
Abuse.'' The scenarios described under Sec. 164.510(f)(3) may or may
not involve serious and imminent threats to health or safety.
Second, as discussed in the main section of the preamble to
Sec. 164.512(j), we recognize that in some situations, more than one
section of this rule potentially could apply with respect to a covered
entity's potential disclosure of protected health information. We
clarify that if a situation fits one section of the rule (e.g.,
Sec. 164.512(j) on serious and imminent threats to health or safety),
health plans and covered health care providers may disclose protected
health information pursuant to that section, regardless of whether the
disclosure also could be made pursuant to another section (e.g.,
Secs. 164.512(f)(2) or 164.512(f)(3), regarding disclosure of protected
health information about suspects or victims to law enforcement
officials), except as otherwise stated in the rule.
Comment: A state health department indicated that the disclosures
permitted under this section may be seen as conflicting with existing
law in many states.
Response: As indicated in the regulation text for Sec. 164.512(j),
this section allows disclosure consistent with applicable law and
standards of ethical conduct. We do not preempt any state law that
would prohibit disclosure of protected health information in the
circumstances to which this section applies. (See Part 160, Subpart B.)
Comment: Many commenters stated that the rule should require that
any disclosures should not modify ``duty to warn'' case law or
statutes.
Response: The rule does not affect case law or statutes regarding
``duty to warn.'' In Sec. 164.512(j), we specifically permit covered
entities to disclose protected health information without authorization
for the purpose of protecting individuals from imminent threats to
health and safety, consistent with state laws and ethical obligations.
Section 164.512(k)--Uses and Disclosures for Specialized Government
Functions
Military Purposes
Armed Forces Personnel and Veterans
Comment: A few comments opposed the proposed rule's provisions on
the military, believing that they were too broad. Although
acknowledging that the Armed Forces may have legitimate needs for
access to protected health data, the commenters believed that the rule
failed to provide adequate procedural protections to individuals. A few
comments said that, except in limited circumstances or emergencies,
covered entities should be required to obtain authorization before
using or disclosing protected health information. A few comments also
expressed concern over the proposed rule's lack of specific safeguards
to protect the health information of victims of domestic violence and
abuse. While the commenters said they understood why the military
needed access to health information, they did not believe the rule
would impede such access by providing safeguards for victims of
domestic violence or abuse.
Response: We note that the military comprises a unique society and
that members of the Armed Forces do not have the same freedoms as do
civilians. The Supreme Court held in Goldman v. Weinberger, 475 US 503
(1986), that the military must be able to command its members to
sacrifice a great many freedoms enjoyed by civilians and to endure
certain limits on the freedoms they do enjoy. The Supreme Court also
held in Parker v. Levy, 417 US 733 (1974), that the different character
of the military community and its mission required a different
application of Constitutional protections. What is permissible in the
civilian world may be impermissible in the military. We also note that
individuals entering military service are aware that they will not
have, and enjoy, the same rights as others.
The proposed rule would have authorized covered entities to use and
disclose protected health information about armed forces personnel only
for activities considered necessary by appropriate military command
authorities to assure the proper execution of the military mission. In
order for the military mission to be achieved and maintained, military
command authorities need protected health information to make
determinations regarding individuals' medical fitness to perform
assigned military duties.
The proposed rule required the Department of Defense (DoD) to
publish a notice in the Federal Register identifying its intended uses
and disclosures of protected health information, and we have retained
this approach in the final rule. This notice will serve to limit
command authorities' access to protected health information to
circumstances in which disclosure of protected health information is
necessary to assure proper execution of the military mission.
With respect to comments regarding the lack of procedural
safeguards for individuals, including those who are victims of domestic
violence and abuse, we note that the rule does not provide new
authority for covered entities providing health care to individuals who
are Armed Forces personnel to use and disclose protected health
information. Rather, the rule allows the Armed Forces to use and
disclose such information only for those military mission purposes
which will be published separately in the Federal Register. In
addition, we note that the Privacy Act of 1974, as implemented by the
DoD, provides numerous protections to individuals.
We modify the proposal to publish privacy rules for the military in
the Federal Register. The NPRM would have required this notice to
include information on the activities for which use or disclosure of
protected health information would occur in order to assure proper
execution of the military mission. We believe that this proposed
portion of the notice is redundant and thus unnecessary in light the
rule's application to military services. In the final rule, we
eliminate this proposed section of the notice, and we state that health
plans and covered health care providers may use and disclose protected
health information of Armed Forces personnel for activities considered
necessary by appropriate military command authorities to assure the
proper execution of a military mission, where the appropriate military
authority has published a Federal Register notice identifying: (1) The
appropriate military command authorities; and (2) the purposes for
[[Page 82705]]
which protected health information may be used or disclosed.
Comment: A few commenters, members of the affected beneficiary
class, which numbers approximately 2.6 million (active duty and reserve
military personnel), opposed proposed Sec. 164.510(m) because it would
have allowed a non-governmental covered entity to provide protected
health information without authorization to the military. These
commenters were concerned that military officials could use the
information as the basis for taking action against individuals.
Response: The Secretary does not have the authority under HIPAA to
regulate the military's re-use or re-disclosure of protected health
information obtained from health plans and covered health care
providers. This provision's primary intent is to ensure that proper
military command authorities can obtain needed medical information held
by covered entities so that they can make appropriate determinations
regarding the individual's medical fitness or suitability for military
service. Determination that an individual is not medically qualified
for military service would lead to his or her discharge from or
rejection for service in the military. Such actions are necessary in
order for the Armed Forces to have medically qualified personnel, ready
to perform assigned duties. Medically unqualified personnel not only
jeopardize the possible success of a mission, but also pose an
unacceptable risk or danger to others. We have allowed such uses and
disclosures for military activities because it is in the Nation's
interest.
Separation or Discharge from Military Service
Comment: The preamble to the NPRM solicited comments on the
proposal to permit the DoD to transfer, without authorization, a
service member's military medical record to the Department of Veterans
Affairs (DVA) when the individual completed his or her term of military
service. A few commenters opposed the proposal, believing that
authorization should be obtained. Both the DoD and the DVA supported
the proposal, noting that transfer allows the DVA to make timely
determinations as to whether a veteran is eligible for benefits under
programs administered by the DVA.
Response: We note that the transfer program was established based
on recommendations by Congress, veterans groups, and veterans; that it
has existed for many years; and that there has been no objection to, or
problems associated with, the program. We also note that the Department
of Transportation (DoT) and the Department of Veterans Affairs operate
an analogous transfer program with respect to United States Coast Guard
personnel, who comprise part of the U.S. Armed Forces. The protected
health information involved the DoD/DVA transfer program is being
disclosed and used for a limited purpose that directly benefits the
individual. This information is covered by, and thus subject to the
protections of, the Privacy Act. For these reasons, the final rule
retains the DoD/DVA transfer program proposed in the NPRM. In addition,
we expand the NPRM's proposed provisions regarding the Department of
Veterans Affairs to include the DoT/DVA program, to authorize the
continued transfer of these records.
Comment: The Department of Veterans Affairs supported the NPRM's
proposal to allow it to use and disclose protected health information
among components of the Department so that it could make determinations
on whether an individual was entitled to benefits under laws
administered by the Department. Some commenters said that the
permissible disclosure pursuant to this section appeared to be
sufficiently narrow in scope, to respond to an apparent need. Some
commenters also said that the DVA's ability to make benefit
determinations would be hampered if an individual declined to authorize
release of his or her protected health information. A few commenters,
however, questioned whether such an exchange of information currently
occurs between the components. A few commenters also believed the
proposed rule should be expanded to permit sharing of information with
other agencies that administer benefit programs.
Response: The final rule retains the NPRM's approach regarding use
and disclosure of protected health information without authorization
among components of the DVA for the purpose of making eligibility
determinations based on commenters' assessment that the provision was
narrow in scope and that an alternative approach could negatively
affect benefit determinations for veterans. We modify the NPRM language
slightly, to clarify that it refers to a health plan or covered health
care provider that is a component of the DVA. These component entities
may use or disclose protected health information without authorization
among various components of the Department to determine eligibility for
or entitlement to veterans' benefits. The final rule does not expand
the scope of permissible disclosures under this provision to allow the
DVA to share such information with other agencies. Other agencies may
obtain this information only with authorization, subject to the
requirements of Sec. 164.508.
Foreign Military Personnel
Comments: A few comments opposed the exclusion of foreign
diplomatic and military personnel from coverage under the rule. These
commenters said that the mechanisms that would be necessary to identify
these personnel for the purpose of exempting them from the rule's
standards would create significant administrative difficulties. In
addition, they believed that this provision would have prohibited
covered entities from making disclosures allowed under the rule. Some
commenters were concerned that implementation of the proposed provision
would result in disparate treatment of foreign military and diplomatic
personnel with regard to other laws, and that it would allow
exploitation of these individuals' health information. These commenters
believed that the proposed rule's exclusion of foreign military and
diplomatic personnel was unnecessarily broad and that it should be
narrowed to meet a perceived need. Finally, they noted that the
proposed exclusion could be affected by the European Union's Data
Protection Directive.
Response: We agree with the commenters' statement that the NPRM's
exclusion of foreign military and diplomatic personnel from the rule's
provisions was overly broad. Thus, the final rule's protections apply
to these personnel. The rule covers foreign military personnel under
the same provisions that apply to all other members of the U.S. Armed
Forces, as described above. Foreign military authorities need access to
protected health information for the same reason as must United States
military authorities: to ensure that members of the armed services are
medically qualified to perform their assigned duties. Under the final
rule, foreign diplomatic personnel have the same protections as other
individuals.
Intelligence Community
Comments: A few commenters opposed the NPRM's provisions regarding
protected health information of intelligence community employees and
their dependents being considered for postings overseas, on the grounds
that the scope of permissible disclosure without authorization was too
broad. While acknowledging that the intelligence community may have
legitimate needs for its employees' protected health information, the
commenters believed that the NPRM
[[Page 82706]]
failed to provide adequate procedural protections for the employees'
information. A few comments also said that the intelligence community
should be able to obtain their employees' health information only with
authorization. In addition, commenters said that the intelligence
community should make disclosure of protected health information a
condition of employment.
Response: Again, we agree that the NPRM's provision allowing
disclosure of the protected health information of intelligence
community employees without authorization was overly broad. Thus we
eliminate it in the final rule. The intelligence community can obtain
this information with authorization (pursuant to Sec. 164.508), for
example, when employees or their family members are being considered
for an oversees assignment and when individuals are applying for
employment with or seeking a contract from an intelligence community
agency.
National Security and Intelligence Activities and Protective Services
for the President and Others
Comment: A number of comments opposed the proposed ``intelligence
and national security activities'' provision of the law enforcement
section (Sec. 164.510(f)(4)), suggesting that it was overly broad.
These commenters were concerned that the provision lacked sufficient
procedural safeguards to prevent abuse of protected health information.
The Central Intelligence Agency (CIA) and the Department of Defense
(DoD) also expressed concern over the provision's scope. The agencies
said that if implemented as written, the provision would have failed to
accomplish fully its intended purpose of allowing the disclosure of
protected health information to officials carrying out intelligence and
national security activities other than law enforcement activities. The
CIA and DoD believed that the provision should be moved to another
section of the rule, possibly to proposed Sec. 164.510(m) on
specialized classes, so that authorized intelligence and national
security officials could obtain individuals' protected health
information without authorization when lawfully engaged in intelligence
and national security activities.
Response: In the final rule, we clarify that this provision does
not provide new authority for intelligence and national security
officials to acquire health information that they otherwise would not
be able to obtain. Furthermore, the rule does not confer new authority
for intelligence, national security, or Presidential protective service
activities. Rather, the activities permissible under this section are
limited to those authorized under current law and regulation (e.g., for
intelligence activities, 50 U.S.C. 401, et seq., Executive Order 12333,
and agency implementing regulatory authorities). For example, the
provision regarding national security activities pertains only to
foreign persons that are the subjects of legitimate and lawful
intelligence, counterintelligence, or other national security
activities. In addition, the provision regarding protective services
pertains only to those persons who are the subjects of legitimate
investigations for threatening or otherwise exhibiting an inappropriate
direction of interest toward U.S. Secret Service protectees pursuant to
18 U.S.C. 871, 879, and 3056. Finally, the rule leaves intact the
existing State Department regulations that strictly limit the
disclosure of health information pertaining to employees (e.g., Privacy
Issuances at State-24 Medical Records).
We believe that because intelligence/national security activities
and Presidential/other protective service activities are discrete
functions serving different purposes, they should be treated
consistently but separately under the rule. For example, medical
information is used as a complement to other investigative data that
are pertinent to conducting comprehensive threat assessment and risk
prevention activities pursuant to 18 U.S.C. 3056. In addition,
information on the health of world leaders is important for the
provision of protective services and other functions. Thus,
Sec. 164.512(k) of the final rule includes separate subsections for
national security/intelligence activities and for disclosures related
to protective services to the President and others.
We note that the rule does not require or compel a health plan or
covered health care provider to disclose protected health information.
Rather, two subsections of Sec. 164.512(k) allow covered entities to
disclose information for intelligence and national security activities
and for protective services to the President and others only to
authorized federal officials conducting these activities, when such
officials are performing functions authorized by law.
We agree with DoD and CIA that the NPRM, by including these
provisions in the law enforcement section (proposed Sec. 164.510(f)),
would have allowed covered entities to disclose protected health
information for national security, intelligence, and Presidential
protective activities only to law enforcement officials. We recognize
that many officials authorized by law to carry out intelligence,
national security, and Presidential protective functions are not law
enforcement officials. Therefore, the final rule allows covered
entities to disclose protected health information pursuant to this
provision not only to law enforcement officials, but to all federal
officials authorized by law to carry out the relevant activities. In
addition, we remove this provision from the law enforcement section and
include it in Sec. 164.512(k) on uses and disclosures for specialized
government functions
Medical Suitability Determinations
Comment: A few comments opposed the NPRM's provision allowing the
Department of State to use protected health information for medical
clearance determinations. These commenters believed that the scope of
permissible disclosures under the proposed provision was too broad.
While acknowledging that the Department may have legitimate needs for
access to protected health data, the commenters believed that
implementation of the proposed provision would not have provided
adequate procedural safeguards for the affected State Department
employees. A few comments said that the State Department should be able
to obtain protected health information for medical clearance
determinations only with authorization. A few comments also said that
the Department should be able to disclose such information only when
required for national security purposes. Some commenters believed that
the State Department should be subject to the Federal Register notice
requirement that the NPRM would have applied to the Department of
Defense. A few comments also opposed the proposed provision on the
basis that it would conflict with the Rehabilitation Act of 1973 or
that it appeared to represent an invitation to discriminate against
individuals with mental disorders.
Response: We agree with commenters who believed that the NPRM's
provision regarding the State Department's use of protected health
information without authorization was unnecessarily broad. Therefore,
in the final rule, we restrict significantly the scope of protected
health information that the State Department may use and disclose
without authorization. First, we allow health plans and covered health
care providers that are a component of the State Department to use and
disclose protected health information without authorization when making
medical suitability determinations for security clearance purposes. For
the purposes of a security investigation, these
[[Page 82707]]
components may disclose to authorized State Department officials
whether or not the individual was determined to be medically suitable.
Furthermore, we note that the rule does not confer authority on the
Department to disclose such information that it did not previously
possess. The Department remains subject to applicable law regarding
such disclosures, including the Rehabilitation Act of 1973.
The preamble to the NPRM solicited comment on whether there was a
need to add national security determinations under Executive Order
10450 to the rule's provision on State Department uses and disclosures
of protected health information for security determinations. While we
did not receive comment on this issue, we believe that a limited
addition is warranted and appropriate. Executive Orders 10450 and 12968
direct Executive branch agencies to make certain determinations
regarding whether their employees' access to classified information is
consistent with the national security interests of the United States.
Specifically, the Executive Orders state that access to classified
information shall be granted only to those individuals whose personal
and professional history affirmatively indicates, inter alia, strength
of character, trustworthiness, reliability, and sound judgment. In
reviewing the personal history of an individual, Executive branch
agencies may investigate and consider any matter, including a mental
health issue or other medical condition, that relates directly to any
of the enumerated factors.
In the vast majority of cases, Executive agencies require their
security clearance investigators to obtain the individual's express
consent in the form of a medical release, pursuant to which the agency
can conduct its background investigation and obtain any necessary
health information. This rule does not interfere with agencies' ability
to require medical releases for purposes of security clearances under
these Executive Orders.
In the case of the Department of State, however, it may be
impracticable or infeasible to obtain an employee's authorization when
exigent circumstances arise overseas. For example, when a Foreign
Service Officer is serving at an overseas post and he or she develops a
critical medical problem which may or may not require a medical
evacuation or other equally severe response, the Department's medical
staff have access to the employee's medical records for the purpose of
making a medical suitability determination under Executive Orders 10450
and 12968. To restrict the Department's access to information at such a
crucial time due to a lack of employee authorization leaves the
Department no option but to suspend the employee's security clearance.
This action automatically would result in an immediate forced departure
from post, which negatively would affect both the Department, due to
the unexpected loss of personnel, and the individual, due to the fact
that a forced departure can have a long-term impact on his or her
career in the Foreign Service.
For this reason, the rule contains a limited security clearance
exemption for the Department of State. The exemption allows the
Department's own medical staff to continue to have access to an
employee's medical file for the purpose of making a medical suitability
determination for security purposes. The medical staff can convey a
simple ``yes'' or ``no'' response to those individuals conducting the
security investigation within the Department. In this way, the
Department is able to make security determinations in exigent
circumstances without disclosing any specific medical information to
any employees other than the medical personnel who otherwise have
routine access to these same medical records in an everyday non-
security context.
Second, and similarly, the final rule establishes a similar system
for disclosures of protected health information necessary to determine
worldwide availability or availability for mandatory service abroad
under sections 101(a)(4) and 504 of the Foreign Service Act. The Act
requires that Foreign Service members be suitable for posting
throughout the world and for certain specific assignments. For this
reason, we permit a limited exemption to serve the purposes of the
statute. Again, the medical staff can convey availability
determinations to State Department officials who need to know if
certain Foreign Service members are available to serve at post.
Third, and finally, the final rule recognizes the special statutory
obligations that the State Department has regarding family members of
Foreign Service members under sections 101(b)(5) and 904 of the Foreign
Service Act. Section 101(b)(5) of the Foreign Service Act requires the
Department of State to mitigate the impact of hardships, disruptions,
and other unusual conditions on families of Foreign Service Officers.
Section 904 requires the Department to establish a health care program
to promote and maintain the physical and mental health of Foreign
Service member family members. The final rule permits disclosure of
protected health information to officials who need protected health
information to determine whether a family member can accompany a
Foreign Service member abroad.
Given the limited applicability of the rule, we believe it is not
necessary for the State Department to publish a notice in the Federal
Register to identify the purposes for which the information may be used
or disclosed. The final rule identifies these purposes, as described
above.
Correctional Institutions
Comments about the rule's application to correctional institutions
are addressed in Sec. 164.501, under the definition of ``individual.''
Section 164.512(l)--Disclosures for Workers' Compensation
Comment: Several commenters stated that workers' compensation
carriers are excepted under the HIPAA definition of group health plan
and therefore we have no authority to regulate them in this rule. These
commenters suggested clarifying that the provisions of the proposed
rule did not apply to certain types of insurance entities, such as
workers' compensation carriers, and that such non-covered entities
should have full access to protected health information without meeting
the requirements of the rule. Other commenters argued that a complete
exemption for workers' compensation carriers was inappropriate.
Response: We agree with commenters that the proposed rule did not
intend to regulate workers' compensation carriers. In the final rule we
have incorporated a provision that clarifies that the term ``health
plan'' excludes ``any policy, plan, or program to the extent that it
provides, or pays for the cost of, excepted benefits as defined in
section 2791(c)(1) of the PHS Act.'' See discussion above under the
definition of ``health plan'' in Sec. 164.501.
Comment: Some commenters argued that the privacy rule should defer
to other laws that regulate the disclosure of information to employers
and workers' compensation carriers. They commented that many states
have laws that require sharing of information--without consent--between
providers and employers or workers' compensation carriers.
Response: We agree that the privacy rule should permit disclosures
necessary for the administration of state and other workers'
compensation systems. To assure that workers' compensations systems are
not disrupted, we have added a new
[[Page 82708]]
provisions to the final rule. The new Sec. 164.512(l) permits covered
entities to disclose protected health information as authorized by and
to the extent necessary to comply with workers' compensation or other
similar programs established by law that provide benefits for work-
related injuries or illnesses without regard to fault. We also note
that where a state or other law requires a use or disclosure of
protected health information under a workers' compensation or similar
scheme, the disclosure would be permitted under Sec. 164.512(a).
Comment: Several commenters stated that if workers' compensation
carriers are to receive protected health information, they should only
receive the minimum necessary as required in Sec. 164.514. The
commenters argued that employers and workers' compensation carriers
should not have access to the entire medical history or portions of the
medical history that have nothing to do with the injury in question.
Further, the covered provider and not the employer or carrier should
determine minimum necessary since the provider is a covered entity and
only covered entities are subject to sanctions for violations of the
rule. These commenters stated that the rule should clearly indicate the
ability of covered entities to refuse to disclose protected health
information if it went beyond the scope of the injury. Workers'
compensation carriers, on the other hand, argued that permitting
providers to determine the minimum necessary was inappropriate because
determining eligibility for benefits is an insurance function, not a
medical function. They stated that workers' compensation carriers need
access to the full range of information regarding treatment for the
injury underlying the claim, the claimants' current condition, and any
preexisting conditions that can either mitigate the claim or aggravate
the impact of the injury.
Response: Under the final rule, covered entities must comply with
the minimum necessary provisions unless the disclosure is required by
law. Our review of state workers' compensation laws suggests that many
of these laws address the issue of the scope of information that is
available to carriers and employers. The rule permits a provider to
disclose information that is authorized by such a law to the extent
necessary to comply with such law. Where the law is silent, the
workers' compensation carrier and covered health care provider will
need to discuss what information is necessary for the carrier to
administer the claim, and the health care provider may disclose that
information. We note that if the workers' compensation insurer has
secured an authorization from the individual for the release of
protected health information, the covered entity may release the
protected health information described in the authorization.
Section 164.514 Requirements for Uses and Disclosures
Section 164.514(a)-(c)--De-identification
General Approach
Comments: The comments on this topic almost unanimously supported
the concept of de-identification and efforts to expand its use.
Although a few comments suggested deleting one of the proposed methods
or the other, most appeared to support the two method approach for
entities with differing levels of statistical expertise.
Many of the comments argued that the standard for creation of de-
identified information should be whether there is a ``reasonable basis
to believe'' that the information has been de-identified. Others
suggested that the ``reasonable basis'' standard was too vague.
A few commenters suggested that we consider information to be de-
identified if all personal identifiers that directly reveal the
identity of the individual or provide a direct means of identifying
individuals have been removed, encrypted or replaced with a code.
Essentially, this recommendation would require only removal of
``direct'' identifiers (e.g., name, address, and ID numbers) and allow
retention of all ``indirect'' identifiers (e.g., zip code and birth
date) in ``de-identified'' information. These comments did not suggest
a list or further definition of what identifiers should be considered
``direct'' identifiers.
Some commenters suggested that the standard be modified to reflect
a single standard that applies to all covered entities in the interest
of reducing uncertainty and complexity. According to these comments,
the standard for covered entities to meet for de-identification of
protected health information should be generally accepted standards in
the scientific and statistical community, rather than focusing on a
specified list of identifiers that must be removed.
A few commenters believed that no record of information about an
individual can be truly de-identified and that all such information
should be treated and protected as identifiable because more and more
information about individuals is being made available to the public,
such as voter registration lists and motor vehicle and driver's license
lists, that would enable someone to match (and identify) records that
otherwise appear to be not identifiable.
Response: In the final rule, we reformulate the method for de-
identification to more explicitly use the statutory standard of ``a
reasonable basis to believe that the information can be used to
identify the individual''--just as information is ``individually
identifiable'' if there is a reasonable basis to believe that it can be
used to identify the individual, it is ``de-identified'' if there is no
reasonable basis to believe it can be so used. We also define more
precisely how the standard should be applied.
We did not accept comments that suggested that we allow only one
method of de-identifying information. We find support for both methods
in the comments but find no compelling logic for how the competing
interests could be met cost-effectively with only one method.
We also disagree with the comments that advocated using a standard
which required removing only the direct identifiers. Although such an
approach may be more convenient for covered entities, we judged that
the resulting information would often remain identifiable, and its
dissemination could result in significant violations of privacy. While
we encourage covered entities to remove direct identifiers whenever
possible as a method of enhancing privacy, we do not believe that the
resulting information is sufficiently blinded as to permit its general
dissemination without the protections provided by this rule.
We agree with the comments that said that records of information
about individuals cannot be truly de-identified, if that means that the
probability of attribution to an individual must be absolutely zero.
However, the statutory standard does not allow us to take such a
position, but envisions a reasonable balance between risk of
identification and usefulness of the information.
We disagree with those comments that advocated releasing only truly
anonymous information (which has been changed sufficiently so that it
no longer represents actual information about real individuals) and
those that supported using only sophisticated statistical analysis
before allowing uncontrolled disclosures. Although these approaches
would provide a marginally higher level of privacy protection, they
would preclude many of the laudable and valuable uses discussed in the
NPRM (in Sec. 164.506(d)) and would impose too great a burden on
[[Page 82709]]
less sophisticated covered entities to be justified by the small
decrease in an already small risk of identification.
We conclude that compared to the alternatives advanced by the
comments, the approach proposed in the NPRM, as refined and modified
below in response to the comments, most closely meets the intent of the
statute.
Comments: A few comments complained that the proposed standards
were so strict that they would expose covered entities to liability
because arguably no information could ever be de-identified.
Response: In the final rule we have modified the mechanisms by
which a covered entity may demonstrate that it has complied with the
standard in ways that provide greater certainty. In the standard method
for de-identification, we have clarified the professional standard to
be used, and anticipate issuing further guidance for covered entities
to use in applying the standard. In the safe harbor method, we reduced
the amount of judgment that a covered entity must apply. We believe
that these mechanisms for de-identification are sufficiently well-
defined to protect covered entities that follow them from undue
liability.
Comments: Several comments suggested that the rule prohibit any
linking of de-identified data, regardless of the probability of
identification.
Response: Since our methods of de-identification include
consideration of how the information might be used in combination with
other information, we believe that linking de-identified information
does not pose a significantly increased risk of privacy violations. In
addition, since our authority extends only to the regulation of
individually identifiable health information, we cannot regulate de-
identified information because it no longer meets the definition of
individually identifiable health information. We also have no authority
to regulate entities that might receive and desire to link such
information yet that are not covered entities; thus such a prohibition
would have little protective effect.
Comments: Several commenters suggested that we create incentives
for covered entities to use de-identified information. One commenter
suggested that we mandate an assessment to see if de-identified
information could be used before the use or disclosure of identified
information would be allowed.
Response: We believe that this final rule establishes a reasonable
mechanism for the creation of de-identified information and the fact
that this de-identified information can be used without having to
follow the policies, procedures, and documentation required to use
individually identifiable health information should provide an
incentive to encourage its use where appropriate. We disagree with the
comment suggesting that we require an assessment of whether de-
identified information could be used for each use or disclosure. We
believe that such a requirement would be too burdensome on covered
entities, particularly with respect to internal uses, where entire
records are often used by medical and other personnel. For disclosures,
we believe that such an assessment would add little to the protection
provided by the minimum necessary requirements in this final rule.
Comments: One commenter asked if de-identification was equivalent
to destruction of the protected health information (as required under
several of the provisions of this final rule).
Response: The process of de-identification creates a new dataset in
addition to the source dataset containing the protected health
information. This process does not substitute for actual destruction of
the source data.
Modifications to the Proposed Standard for De-Identification
Comments: Several commenters called for clarification of proposed
language in the NPRM that would have permitted a covered entity to
treat information as de-identified, even if specified identifiers were
retained, as long as the probability of identifying subject individuals
would be very low. Commenters expressed concern that the ``very low''
standard was vague. These comments expressed concern that covered
entities would not have a clear and easy way to know when information
meets this part of the standard.
Response: We agree with the comments that covered entities may need
additional guidance on the types of analyses that they should perform
in determining when the probability of re-identification of information
is very low. We note that in the final rule, we reformulate the
standard somewhat to require that a person with appropriate knowledge
and experience apply generally accepted statistical and scientific
methods relevant to the task to make a determination that the risk of
re-identification is very small. In this context, we do not view the
difference between a very low probability and a very small risk to be
substantive. After consulting representatives of the federal agencies
that routinely de-identify and anonymize information for public release
\16\ we attempt here to provide some guidance for the method of de-
identification.
---------------------------------------------------------------------------
\16\ Confidentiality and Data Access Committee, Federal
Committee on Statistical Methodology, Office of Management and
Budget.
---------------------------------------------------------------------------
As requested by some commenters, we include in the final rule a
requirement that covered entities (not following the safe harbor
approach) apply generally accepted statistical and scientific
principles and methods for rendering information not individually
identifiable when determining if information is de-identified. Although
such guidance will change over time to keep up with technology and the
current availability of public information from other sources, as a
starting point the Secretary approves the use of the following as
guidance to such generally accepted statistical and scientific
principles and methods:
(1) Statistical Policy Working Paper 22--Report on Statistical
Disclosure Limitation Methodology (http://www.fcsm.gov/working-papers/wp22.html) (prepared by the Subcommittee on Disclosure Limitation
Methodology, Federal Committee on Statistical Methodology, Office of
Management and Budget); and
(2) The Checklist on Disclosure Potential of Proposed Data Releases
(http://www.fcsm.gov/docs/checklist__799.doc) (prepared by the
Confidentiality and Data Access Committee, Federal Committee on
Statistical Methodology, Office of Management and Budget).
We agree with commenters that such guidance will need to be updated
over time and we will provide such guidance in the future.
According to the Statistical Policy Working Paper 22, the two main
sources of disclosure risk for de-identified records about individuals
are the existence of records with very unique characteristics (e.g.,
unusual occupation or very high salary or age) and the existence of
external sources of records with matching data elements which can be
used to link with the de-identified information and identify
individuals (e.g., voter registration records or driver's license
records). The risk of disclosure increases as the number of variables
common to both types of records increases, as the accuracy or
resolution of the data increases, and as the number of external sources
increases. As outlined in Statistical Policy Working Paper 22, an
expert disclosure analysis would also consider the probability that an
individual who is the target of an attempt at re-identification is
represented on both
[[Page 82710]]
files, the probability that the matching variables are recorded
identically on the two types of records, the probability that the
target individual is unique in the population for the matching
variables, and the degree of confidence that a match would correctly
identify a unique person.
Statistical Policy Working Paper 22 also describes many techniques
that can be used to reduce the risk of disclosure that should be
considered by an expert when de-identifying health information. In
addition to removing all direct identifiers, these include the obvious
choices based on the above causes of the risk; namely, reducing the
number of variables on which a match might be made and limiting the
distribution of the records through a ``data use agreement'' or
``restricted access agreement'' in which the recipient agrees to limits
on who can use/receive the data. The techniques also include more
sophisticated manipulations: recoding variables into fewer categories
to provide less precise detail (including rounding of continuous
variables); setting top-codes and bottom-codes to limit details for
extreme values; disturbing the data by adding noise by swapping certain
variables between records, replacing some variables in random records
with mathematically imputed values or averages across small random
groups of records, or randomly deleting or duplicating a small sample
of records; and replacing actual records with synthetic records that
preserve certain statistical properties of the original data.
Modifications to the ``Safe Harbor''
Comments: Many commenters argued that stripping all 19 identifiers
is unnecessary for purposes of de-identification. They felt that such
items as zip code, city (or county), and birth date, for example, do
not identify the individual and only such identifiers as name, street
address, phone numbers, fax numbers, email, Social Security number,
driver's license number, voter registration number, motor vehicle
registration, identifiable photographs, finger prints, voice prints,
web universal resource locator, and Internet protocol address number
need to be removed to reasonably believe that data has been de-
identified.
Other commenters felt that removing the full list of identifiers
would significantly reduce the usefulness of the data. Many of these
comments focused on research and, to a lesser extent, marketing and
undefined ``statistical analysis.'' Commenters who represented various
industries and research institutions expressed concern that they would
not be able to continue current activities such as development of
service provider networks, conducting ``analysis'' on behalf of the
plan, studying use of medication and medical devices, community
studies, marketing and strategic planning, childhood immunization
initiatives, patient satisfaction surveys, and solicitation of
contributions. The requirements in the NPRM to strip off zip code and
date of birth were of particular concern. These commenters stated that
their ability to do research and quality analysis with this data would
be compromised without access to some level of information about
patient age and/or geographic location.
Response: While we understand that removing the specified
identifiers may reduce the usefulness of the resulting data to third
parties, we remain convinced by the evidence found in the MIT study
that we referred to in the preamble to the proposed rule \17\ and the
analyses discussed below that there remains a significant risk of
identification of the subjects of health information from the inclusion
of indirect identifiers such as birth date and zip code and that in
many cases there will be a reasonable basis to believe that such
information remains identifiable. We note that a covered entity not
relying on the safe harbor may determine that information from which
sufficient other identifiers have been removed but which retains birth
date or zip code is not reasonably identifiable. As discussed above,
such a determination must be made by a person with appropriate
knowledge and expertise applying generally accepted statistical and
scientific methods for rendering information not identifiable.
---------------------------------------------------------------------------
\17\ Sweeney, L. Guaranteeing Anonymity when Sharing Medical
Data, the Datafly System. Masys, D., Ed. Proceedings, American
Medical Informatics Association, Nashville, TN: Hanley & Belfus,
Inc., 1997:51-55.
---------------------------------------------------------------------------
Although we have determined that all of the specified identifiers
must be removed before a covered entity meets the safe harbor
requirements, we made modifications in the final rule to the specified
identifiers on the list to permit some information about age and
geographic area to be retained in de-identified information.
For age, we specify that, in most cases, year of birth may be
retained, which can be combined with the age of the subject to provide
sufficient information about age for most uses. After considering
current and evolving practices and consulting with federal experts on
this topic, including members of the Confidentiality and Data Access
Committee of the Federal Committee on Statistical Methodology, Office
of Management and Budget, we concluded that in general, age is
sufficiently broad to be allowed in de-identified information, although
all dates that might be directly related to the subject of the
information must be removed or aggregated to the level of year to
prevent deduction of birth dates. Extreme ages--90 and over--must be
aggregated further (to a category of 90+, for example) to avoid
identification of very old individuals (because they are relatively
rare). This reflects the minimum requirement of the current
recommendations of the Bureau of the Census.\18\ For research or other
studies relating to young children or infants, we note that the rule
would not prohibit age of an individual from being expressed as an age
in months, days, or hours.
---------------------------------------------------------------------------
\18\ The U.S. Census Bureau's Recommendations Concerning the
Census 2000 Public Use Microdata Sample (PUMS) Files [http://
www.ipums.org/~census2000/2000pums__bureau.pdf], Population
Division, U.S. Census Bureau, November 3, 2000.
---------------------------------------------------------------------------
For geographic area, we specify that the initial three digits of
zip codes may be retained for any three-digit zip code that contains
more than 20,000 people as determined by the Bureau of the Census. As
discussed more below, there are currently only 18 three-digit zip codes
containing fewer than 20,000 people. We note that this number may
change when information from the 2000 Decennial Census is analyzed.
In response to concerns expressed in the comments about the need
for information on geographic area, we investigated the potential of
allowing 5-digit zip codes or 3-digit zip codes to remain in the de-
identified information. According to 1990 Census data, the populations
in geographical areas delineated by 3-digit zip codes vary a great
deal, from a low of 394 to a high of 3,006,997, with an average size of
282,304. There are two 3-digit zip codes containing fewer than 500
people and six 3-digit zip codes containing fewer than 10,000 people
each.\19\ Of the total of 881 3-digit zip codes, there are 18 with
fewer than 20,000 people, 71 with fewer than 50,000 people, and 215
containing fewer than 100,000 population. We also looked at two-digit
zip codes (the first 2 digits of the 5-digit zip code) and found that
the smallest of the 98 2-digit zip codes contains 188,638 people.
---------------------------------------------------------------------------
\19\ Figures derived from US Census data on 1990 Decennial
Census of Population and Housing, Summary Tape File 3B (STF3B).
These data are available to the public (for a fee) at http://www.census.gov/mp/www/rom/msrom6af.html.
---------------------------------------------------------------------------
We also investigated the practices of several other federal
agencies which are mandated by Congress to release data
[[Page 82711]]
from national surveys while preserving confidentiality and which have
been dealing with these issues for decades. The problems and solutions
being used by these agencies are laid out in detail in the Statistical
Policy Working Paper 22 cited earlier.
To protect the privacy of individuals providing information to the
Bureau of Census, the Bureau has determined that a geographical region
must contain at least 100,000 people.\20\ This standard has been used
by the Bureau of the Census for many years and is supported by
simulation studies using Census data.\21\ These studies showed that
after a certain point, increasing the size of a geographic area does
not significantly decrease the percentage of unique records (i.e.,
those that could be identified if sampled), but that the point of
diminishing returns is dependent on the number and type of demographic
variables on which matching might occur. For a small number of
demographic variables (6), this point was quite low (about 20,000
population), but it rose quickly to about 50,000 for 10 variables and
to about 80,000 for 15 variables. The Bureau of the Census releases
sets of data to the public that it considers safe from re-
identification because it limits geographical areas to those containing
at least 100,000 people and limits the number and detail of the
demographic variables in the data. At the point of approximately
100,000 population, 7.3% of records were unique (and therefore
potentially identifiable) on 6 demographic variables from the 1990
Census Short Form: Age in years (90 categories), race (up to 180
categories), sex (2 categories), relationship to householder (14
categories), Hispanic (2 categories), and tenure (owner vs. renter in 5
categories). Using 6 variables derived from the Long Form data, age (10
categories), race (6 categories), sex (2 categories), marital status (5
categories), occupation (54 categories), and personal income (10
categories), raised the percentage to 9.8%.
---------------------------------------------------------------------------
\20\ Statistical Policy Working Paper 22--Report on Statistical
Disclosure Limitation Methodology (http://www.fcsm.gov/working-papers/wp22.html) (prepared by the Subcommittee on Disclosure
Limitation Methodology, Federal Committee on Statistical
Methodology, Office of Management and Budget).
\21\ The Geographic Component of Disclosure Risk for Microdata.
Brian Greenberg and Laura Voshell. Bureau of the Census Statistical
Research Division Report: Census/SRD/RR-90-13, October, 1990.
---------------------------------------------------------------------------
We also examined the results of an NCHS simulation study using
national survey data\22\ to see if some scientific support could be
found for a compromise. The study took random samples from populations
of different sizes and then compared the samples to the whole
population to see how many records were identifiable, that is, matched
uniquely to a unique person in the whole population on the basis of 9
demographic variables: Age (85 categories), race (4 categories), gender
(2 categories), ethnicity (2 categories), marital status (3
categories), income (3 categories), employment status (2 categories),
working class (4 categories), and occupation (42 categories). Even when
some of the variables are aggregated or coded, from the perspective of
a large statistical agency desiring to release data to the public, the
study concluded that a population size of 500,000 was not sufficient to
provide a reasonable guarantee that certain individuals could not be
identified. About 2.5 % of the sample from the population of 500,000
was uniquely identifiable, regardless of sample size. This percentage
rose as the size of the population decreased, to about 14% for a
population of 100,000 and to about 25% for a population of 25,000.
Eliminating the occupation variable (which is less likely to be found
in health data) reduced this percentage significantly to about 0.4 %,
3%, and 10% respectively. These percentages of unique records (and thus
the potentials for re-identification) are highly dependent on the
number of variables (which must also be available in other databases
which are identified to be considered in a disclosure risk analysis),
the categorical breakdowns of those variables, and the level of
geographic detail included.
---------------------------------------------------------------------------
\22\ A Simulation Study of the Identifiability of Survey
Respondents when their Community of Residence is Known. John Horm,
Natonal Center for Health Statistics, 2000.
---------------------------------------------------------------------------
With respect to how we might clarify the requirement to achieve a
``low probability'' that information could be identified, the
Statistical Policy Working Paper 22 referenced above discusses the
attempts of several researchers to define mathematical measures of
disclosure risk only to conclude that ``more research into defining a
computable measure of risk is necessary.'' When we considered whether
we could specify a maximum level of risk of disclosure with some
precision (such as a probability or risk of identification of 0.01), we
concluded that it is premature to assign mathematical precision to the
``art'' of de-identification.
After evaluating current practices and recognizing the expressed
need for some geographic indicators in otherwise de-identified
databases, we concluded that permitting geographic identifiers that
define populations of greater than 20,000 individuals is an appropriate
standard that balances privacy interests against desirable uses of de-
identified data. In making this determination, we focused on the
studies by the Bureau of Census cited above which seemed to indicate
that a population size of 20,000 was an appropriate cut off if there
were relatively few (6) demographic variables in the database. Our
belief is that, after removing the required identifiers to meet the
safe harbor standards, the number of demographic variables retained in
the databases will be relatively small, so that it is appropriate to
accept a relatively low number as a minimum geographic size.
In applying this provision, covered entities must replace the
(currently 18) forbidden 3-digit zip codes with zeros and thus treat
them as a single geographic area (with >20,000 population). The list of
the forbidden 3-digit zip codes will be maintained as part of the
updated Secretarial guidance referred to above. Currently, they are:
022, 036, 059, 102, 203, 555, 556, 692, 821, 823, 830, 831, 878, 879,
884, 893, 987, and 994. This will result in an average 3-digit zip code
area population of 287,858 which should result in an average of about
4% unique records using the 6 variables described above from the Census
Short Form. Although this level of unique records will be much higher
in the smaller geographic areas, the actual risk of identification will
be much lower because of the limited availability of comparable data in
publically available, identified databases, and will be further reduced
by the low probability that someone will expend the resources to try to
identify records when the chance of success is so small and uncertain.
We think this compromise will meet the current need for an easy method
to identify geographic area while providing adequate protection from
re-identification. If a greater level of geographical detail is
required for a particular use, the information will have to be obtained
through another permitted mechanism or be subjected to a specific de-
identification determination as described above. We will monitor the
availability of identified public data and the concomitant re-
identification risks, both theoretical and actual, and adjust this safe
harbor in the future as necessary.
As we stated above, we understand that many commenters would prefer
a looser standard for determining when information is de-identified,
both generally and with respect to the standards for identifying
geographic
[[Page 82712]]
area. However, because public databases (such as voter records or
driver's license records) that include demographic information about a
geographically defined population are available, a surprisingly large
percentage of records of health information that contain similar
demographic information can be identified. Although the number of these
databases seems to be increasing, the number of demographic variables
within them still appears to be fairly limited. The number of cases of
privacy violation from health records which have been identified in
this way is small to date. However, the risk of identification
increases with decreasing population size, with increasing amounts of
demographic information (both in level of detail and number of
variables), and with the uniqueness of the combination of such
information in the population. That is, an 18-year-old single white
male student is not at risk of identification in a database from a
large city such as New York. However, if the database were about a
small town where most of the inhabitants were older, retired people of
a specific minority race or ethnic group, that same person might be
unique in that community and easily identified. We believe that the
policy that we have articulated reaches the appropriate balance between
reasonably protecting privacy and providing a sufficient level of
information to make de-identified databases useful.
Comments: Some comments noted that identifiers that accompany
photographic images are often needed to interpret the image and that it
would be difficult to use the image alone to identify the individual.
Response: We agree that our proposed requirement to remove all
photographic images was more than necessary. Many photographs of
lesions, for example, which cannot usually be used alone to identify an
individual, are included in health records. In this final rule, the
only absolute requirement is the removal of full-face photographs, and
we depend on the ``catch-all'' of ``any other unique * * *
characteristic * * * '' to pick up the unusual case where another type
of photographic image might be used to identify an individual.
Comments: A number of commenters felt that the proposed bar for
removal had been set too high; that the removal of these 19 identifiers
created a difficult standard, since some identifiers may be buried in
lengthy text fields.
Response: We understand that some of the identifiers on our list
for removal may be buried in text fields, but we see no alternative
that protects privacy. In addition, we believe that such unstructured
text fields have little or no value in a de-identified information set
and would be removed in any case. With time, we expect that such
identifiers will be kept out of places where they are hard to locate
and expunge.
Comments: Some commenters asserted that this requirement creates a
disincentive for covered entities to de-identify data and would
compromise the Secretary's desire to see de-identified data used for a
multitude of purposes. Others stated that the ``no reason to believe''
test creates an unreasonable burden on covered entities, and would
actually chill the release of de-identified information, and set an
impossible standard.
Response: We recognize that the proposed standards might have
imposed a burden that could have prevented the widespread use of de-
identified information. We believe that our modifications to the final
rule discussed above will make the process less burdensome and remove
some of the disincentive. However, we could not loosen the standards as
far as many commenters wanted without seriously jeopardizing the
privacy of the subjects of the information. As discussed above, we
modify the ``no reason to know'' standard that was part of the safe
harbor provision and replace it in the final rule with an ``actual
knowledge'' standard. We believe that this change provides additional
certainty to covered entities using the safe harbor and should
eliminate any chilling effect.
Comments: Although most commenters wanted to see data elements
taken off the list, there were a small number of commenters that wanted
to see data items added to the list. They believed that it is also
necessary to remove clinical trial record numbers, device model serial
numbers, and all proper nouns from the records.
Response: In response to these requests, we have slightly revised
the list of identifiers that must be removed under the safe harbor
provision. Clinical trial record numbers are included in the general
category of ``any other unique identifying number, characteristic, or
code.'' These record numbers cannot be included with de-identified
information because, although the availability of clinical trial
numbers may be limited, they are used for other purposes besides de-
identification/re-identification, such as identifying clinical trial
records, and may be disclosed under certain circumstances. Thus, they
do not meet the criteria in the rule for use as a unique record
identifier for de-identified records. Device model serial numbers are
included in ``any device identifier or serial number'' and must be
removed. We considered the request to remove all proper nouns to be
very burdensome to implement for very little increase in privacy and
likely to be arbitrary in operation, and so it is not included in the
final rule.
Re-Identification
Comments: One commenter wanted to know if the rule requires that
covered entities retain the ability to re-identify de-identified
information.
Response: The rule does not require covered entities to retain the
ability to re-identify de-identified information, but it does allow
them to retain this ability.
Comments: A few commenters asked us to prohibit anyone from re-
identifying de-identified health information.
Response: We do not have the authority to regulate persons other
than covered entities, so we cannot affect attempts by entities outside
of this rule to re-identify information. Under the rule, we permit the
covered entity that created the de-identified information to re-
identify it. However, we include a requirement that, when a unique
record identifier is included in the de-identified information, such
identifier must not be such that someone other than the covered entity
could use it to identify the individual (such as when a derivative of
the individual's name is used as the unique record identifier).
Section 164.514(d)--Minimum Necessary
Comment: A large number of commenters objected to the application
of the proposed ``minimum necessary'' standard for uses and disclosures
of protected health information to uses and disclosures for treatment
purposes. Some suggested that the final regulation should establish a
good faith exception or safe harbor for disclosures made for treatment.
The overwhelming majority of commenters, generally from the medical
community, argued that application of the proposed standard would be
contrary to sound medical practice, increase medical errors, and lead
to an increase in liability. Some likened the standard to a ``gag
clause'' in that it limited the exchange of information critical for
quality patient care. They found the standard unworkable in daily
treatment situations. They argued that this standard would be
potentially dangerous in that it could cause practitioners to withhold
information that could be essential for later care. Commenters asserted
that caregivers need to be able to give and receive a
[[Page 82713]]
complete picture of the patient's health to make a diagnosis and
develop a treatment plan.
Other commenters noted that the complexity of medicine is such that
it is unreasonable to think that anyone will know the exact parameters
of the information another caregiver will need for proper diagnosis and
treatment or that a plan will need to support quality assurance and
improvement activities. They therefore suggested that the minimum
necessary standard be applied instead as an administrative requirement.
Providers also emphasized that they already have an ethical duty to
limit the sharing of unnecessary medical information, and most already
have well-developed guidelines and practice standards in place.
Concerns were also voiced that attempts to provide the minimum
necessary information in the treatment setting would lead to multiple
editions of a record or creation of summaries that turn out to omit
crucial information resulting in confusion and error.
Response: In response to these concerns, we substantially revise
the minimum necessary requirements. As suggested by certain commenters,
we provide, in Sec. 164.502(b), that disclosures of protected health
information to or requests by health care providers for treatment are
not subject to the minimum necessary standard. We also modify the
requirements for uses of protected health information. This final rule
requires covered entities to make determinations of minimum necessary
use, including use for treatment purposes, based on the role of the
person or class of workforce members rather than at the level of
specific uses. A covered entity must establish policies and procedures
that identify the types of persons who are to have access to designated
categories of information and the conditions, if any, of that access.
We establish no requirements specific to a particular use of
information. Covered entities are responsible for establishing and
documenting these policies and procedures. This approach is consistent
with the argument of many commenters that guidelines and practice
standards are appropriate means for protecting the privacy of patient
information.
Comment: Some commenters argued that the standard should be
retained in the treatment setting for uses and disclosures pertaining
to mental health information. Some of these commenters asserted that
other providers do not need to know the mental status of a patient for
treatment purposes.
Response: We agree that the standard should be retained for uses of
mental health information in the treatment setting. However, we believe
that the arguments for excepting disclosures of protected health
information for treatment purposes from application of the minimum
necessary standard are also persuasive with respect to mental health
information. An individual's mental health can interact with proper
treatment for other conditions in many ways. Psychoactive medications
may have harmful interactions with drugs routinely prescribed for other
purposes; an individual's mental health history may help another health
care provider understand the individual's ability to abide by a
complicated treatment regimen. For these reasons, it is also not
reasonable to presume that, in every case, a health care provider will
not need to know an individual's mental health status to provide
appropriate treatment.
Providers' comments noted existing ethical duties to limit the
sharing of unnecessary medical information, and well-developed
guidelines and practice standards for this purpose. Under this rule,
providers may use these tools to guide their discretion in disclosing
health information for treatment.
Comment: Several commenters urged that covered entities should be
required to conspicuously label records to show that they are not
complete. They argued that absent such labeling, patient care could be
compromised.
Response: We believe that the final policy to except disclosures of
protected health information for treatment purposes from application of
the minimum necessary standard addresses these commenters' concerns.
Comment: Some commenters argued that the audit exception to the
minimum necessary requirements needs to be clarified or expanded,
because ``audit'' and ``payment'' are essentially the same thing.
Response: We eliminate this exception. The proposed exclusion of
disclosures to health plans for audit purposes is replaced with a
general requirement that covered entities must limit requests to other
covered entities for individually identifiable health information to
what is reasonably necessary for the purpose intended.
Comment: Many commenters argued that the proposed standard was
unworkable as applied to ``uses'' by a covered entity's employees,
because the proposal appeared not to allow providers to create general
policy as to the types of records that particular employees may have
access to but instead required that each decision be made
``individually,'' which providers interpret as ``case-by-case.''
Commenters argued that the standard with regard to ``uses'' would be
impossible to implement and prohibitively expensive, requiring both
medical and legal input to each disclosure decision.
Some commenters recommended deletion of the minimum necessary
standard with regard to ``uses.'' Other commenters specifically
recommended deletion of the requirement that the standard be applied on
an individual, case-by-case basis. Rather, they suggested that the
covered entity be allowed to establish general policies to meet the
requirement. Another commenter similarly urged that the standard not
apply to internal disclosures or for internal health care operations
such as quality improvement/assurance activities. The commenter
recommended that medical groups be allowed to develop their own
standards to ensure that these activities are carried out in a manner
that best helps the group and its patients.
Other commenters expressed confusion and requested clarification as
to how the standard as proposed would actually work in day-to-day
operations within an entity.
Response: Commenters' arguments regarding the workability of this
standard as proposed were persuasive, and we therefore make significant
modification to address these comments and improve the workability of
the standard. For all uses and many disclosures, we require covered
entities to include in their policies and procedures (see
Sec. 164.530), which may be standard protocols, for ``minimum
necessary'' uses and disclosures. We require implementation of such
policies in lieu of making the ``minimum necessary'' determination for
each separate use and disclosure.
For uses, covered entities must implement policies and procedures
that restrict access to and use of protected health information based
on the specific professional roles of members of the covered entity's
workforce. The policies and procedures must identify the persons or
classes of persons in the entity's workforce who need access to
protected health information to carry out their duties and the category
or categories of protected health information to which such persons or
classes need access. These role-based access rules must also identify
the conditions, as appropriate, that would apply to such access. For
example, an institutional health care provider could allow physicians
access to all records under the condition that the viewing of medical
records of patients not under their care is recorded and reviewed.
Other health professionals' access could
[[Page 82714]]
be limited to time periods when they are on duty. Information available
to staff who are responsible for scheduling surgical procedures could
be limited to certain data. In many instances, use of order forms or
selective copying of relevant portions of a record may be appropriate
policies to meet this requirement.
Routine disclosures also are not subject to individual review;
instead, covered entities must implement policies and procedures (which
may be standard protocols) to limit the protected health information in
routine disclosures to the minimum information reasonably necessary to
achieve the purpose of that type of disclosure. For non-routine
disclosures, a covered entity must develop reasonable criteria to limit
the protected health information disclosed to the minimum necessary to
accomplish the purpose for which disclosure is sought, and to implement
procedures for review of disclosures on an individual basis.
We modify the proposed standard to require the covered entity to
make ``reasonable efforts'' to meet the minimum necessary standard (not
``all'reasonable efforts, as proposed). What is reasonable will vary
with the circumstances. When it is practical to use order forms or
selective copying of relevant portions of the record, the covered
entity is required to do so. Similarly, this flexibility in the
standard takes into account the ability of the covered entity to
configure its record system to allow selective access to only certain
fields, and the practicality of organizing systems to allow this
capacity. It might be reasonable for a covered entity with a highly
computerized information system to implement a system under which
employees with certain functions have access to only limited fields in
a patient records, while other employees have access to the complete
records. Such a system might not be reasonable for a covered entity
with a largely paper records system.
Covered entities' policies and procedures must provide that
disclosure of an entire medical record will not be made except pursuant
to policies which specifically justify why the entire medical record is
needed.
We believe that these modifications significantly improve the
workability of this standard. At the same time, we believe that asking
covered entities to assess their practices and establish rules for
themselves will lead to significant improvements in the privacy of
health information. See the preamble for Sec. 164.514 for a more
detailed discussion.
Comment: The minimum necessary standard should not be applied to
uses and disclosures for payment or health care operations.
Response: Commenter's arguments for exempting these uses and
disclosures from the minimum necessary standard were not compelling. We
believe that our modifications to application of the minimum necessary
standard to internal uses of protected health information, and to
routine disclosures, address many of the concerns raised, particularly
the concerns about administrative burdens and the concerns about having
the information necessary for day-to-day operations. We do not
eliminate this standard in part because we also remain concerned that
covered entities may be tempted to disclose an entire medical record
when only a few items of information are necessary, to avoid the
administrative step of extracting the necessary information (or
redacting the unnecessary information). We also believe this standard
will cause covered entities to assess their privacy practices, give the
privacy interests of their patients and enrollees greater attention,
and make improvements that might otherwise not have been made. For this
reason, the privacy benefits of retaining the minimum necessary
standard for these purposes outweigh the burdens involved. We note that
the minimum necessary standard is tied to the purpose of the
disclosure; thus, providers may disclose protected health information
as necessary to obtain payment.
Comment: Other commenters urged us to apply a ``good faith''
provision to all disclosures subject to the minimum necessary standard.
Commenters presented a range of options to modify the proposed
provisions which, in their view, would have mitigated their liability
if they failed to comply with minimum necessary standard.
Response: We believe that the modifications to this standard,
described above, substantially address these commenters' concerns. In
addition to allowing the covered entity to use standard protocols for
routine disclosures, we modify the standard to require a covered entity
to make ``reasonable efforts,'' not ``all'' reasonable efforts as
proposed, in making the ``minimum necessary'' disclosure.
Comments: Some commenters complained that language in the proposed
rule was vague and provided little guidance, and should be abandoned.
Response: In the preamble for Sec. 164.504 and these responses to
comments, we provide further guidance on how a covered entity can
develop its policies for the minimum necessary use and disclosure of
protected health information. We do not abandon this standard for the
reasons described above. We remain concerned about the number of
persons who have access to identifiable health information, and believe
that causing covered entities to examine their practices will have
significant privacy benefits.
Comment: Some commenters asked that the minimum necessary standard
should not be applied to disclosures to business partners. Many of
these commenters articulated the burdens they would bear if every
disclosure to a business partner was required to meet the minimum
necessary standard.
Response: We do not agree. In this final rule, we minimize the
burden on covered entities in the following ways: in circumstances
where disclosures are made on a routine, recurring basis, such as in
on-going relationships between covered entities and their business
associates, individual review of each routine disclosure has been
eliminated; covered entities are required only to develop standard
protocols to apply to such routine disclosures made to business
associates (or types of business associates). In addition, we allow
covered entities to rely on the representation of a professional hired
to provide professional services as to what information is the minimum
necessary for that purpose.
Comment: Some commenters were concerned that applying the standard
in research settings will result in providers declining to participate
in research protocols.
Response: We have modified the proposal to reduce the burden on
covered entities that wish to disclose protected health information for
research purposes. The final rule requires covered entities to obtain
documentation or statements from persons requesting protected health
information for research that, among other things, describe the
information necessary for the research. We allow covered entities to
reasonably rely on the documentation or statements as describing the
minimum necessary disclosure.
Comment: Some commenters argued that government requests should not
be subject to the minimum necessary standard, whether or not they are
``authorized by law.''
Response: We found no compelling reason to exempt government
requests from this standard, other than when a disclosure is required
by law. (See preamble to Sec. 164.512(a) for the
[[Page 82715]]
rationale behind this policy). When a disclosure is required by law,
the minimum necessary standard does not apply, whether the recipient of
the information is a government official or a private individual.
At the same time, we understand that when certain government
officials make requests for protected health information, some covered
entities might feel pressure to comply that might not be present when
the request is from a private individuals. For this reason, we allow
(but do not require) covered entities to reasonably rely on the
representations of public officials as to the minimum necessary
information for the purpose.
Comment: Some commenters argued that requests under proposed
Sec. 164.510 should not be subject to the minimum necessary standard,
whether or not they are ``authorized by law.'' Others argued that for
disclosures made for administrative proceedings pursuant to proposed
Sec. 164.510, the minimum necessary standard should apply unless they
are subject to a court order.
Response: We found no compelling reason to exempt disclosures for
purposes listed in the regulation from this standard, other than for
disclosures required by law. When there is no such legal mandate, the
disclosure is voluntary on the part of the covered entity, and it is
therefore reasonable to expect the covered entity to make some effort
to protect privacy before making such a disclosure. If the covered
entity finds that redacting unnecessary information, or extracting the
requested information, prior to making the disclosure, is too
burdensome, it need not make the disclosure. Where there is ambiguity
regarding what information is needed, some effort on the part of the
covered entity can be expected in these circumstances.
We also found no compelling reason to limit the exemption for
disclosures ``required by law'' to those made pursuant to a court
order. The judgment of a state legislature or regulatory body that a
disclosure is required is entitled to no less deference than the same
decision made by a court. For further rationale for this policy, see
the preamble to Sec. 164.512(a).
Comment: Some commenters argued that, in cases where a request for
disclosure is not required by law, covered entities should be permitted
to rely on the representations by public officials, that they have
requested no more than the minimum amount necessary.
Response: We agree, and retain the proposed provision which allows
reasonable reliance on the representations of public officials.
Comment: Some commenters argued that it is inappropriate to require
covered entities to distinguish between disclosures that are ``required
by law'' and those that are merely ``authorized by law,'' for the
purposes of determining when the standard applies.
Response: We do not agree. Covered entities have an independent
duty to be aware of their legal obligations to federal, state, local
and territorial or tribal authorities. In addition, Sec. 164.514(h)
allows covered entities to reasonably rely on the oral or written
representation of public officials that a disclosure is required by
law.
Comment: The minimum necessary standard should not be applied to
pharmacists, or to emergency services.
Response: We believe that the final rule's exemption of disclosures
of protected health information to health care providers for treatment
purposes from the minimum necessary standard addresses these commenters
concerns about emergency services. Together with the other changes we
make to the proposed standard, we believe we have also addressed most
of the commenters' concerns about pharmacists. With respect to
pharmacists, the comments offered no persuasive reasons to treat
pharmacists differently from other health care providers. Our reasons
for retaining this standard for other uses and disclosures of protected
health information are explained above.
Comment: A number of commenters argued that the standard should not
apply to disclosures to attorneys, because it would interfere with the
professional duties and judgment of attorneys in their representation
of covered entities. Commenters stated that if a layperson within a
covered entity makes an improper decision as to what the minimum
necessary information is in regard to a request by the entity's
attorney, the attorney may end up lacking information that is vital to
representation. These commenters stated that attorneys are usually
going to be in a better position to determine what information is truly
the minimum necessary for effective counsel and representation of the
client.
Response: We found no compelling reason to treat attorneys
differently from other business associates. However, to ensure that
this rule does not inadvertently cause covered entities to second-guess
the professional judgment of the attorneys and other professionals they
hire, we modify the proposed policies to explicitly allow covered
entities to rely on the representation of a professional hired to
provide professional services as to what information is the minimum
necessary for that purpose.
Comment: Commenters from the law enforcement community expressed
concern that providers may attempt to misuse the minimum necessary
standard as a means to restrict access to information, particularly
with regard to disclosures for health oversight or to law enforcement
officials.
Response: The minimum necessary standard does not apply to
disclosures required by law. Since the disclosures to law enforcement
officials to which this standard applies are all voluntary, there would
be no need for a covered entity to ``manipulate'' the standard; it
could decline to make the disclosure.
Comment: Some commenters argued that the only exception to the
application of the standard should be when an individual requests
access to his or her own information. Many of these commenters
expressed specific concerns about victims of domestic violence and
other forms of abuse.
Response: We do not agree with the general assertion that
disclosure to the individual is the only appropriate exception to the
minimum necessary standard. There are other, limited, circumstances in
which application of the minimum necessary standard could cause
significant harm. For reasons described above, disclosures of protected
health information for treatment purposes are not subject to this
standard. Similarly, as described in detail in the preamble to
Sec. 164.512(a), where another public body has mandated the disclosure
of health information, upsetting that judgment in this regulation would
not be appropriate.
The more specific concerns expressed about victims of domestic
violence and other forms of abuse are addressed in a new provision
regarding disclosure of protected health information related to
domestic violence and abuse (see Sec. 164.512(c)), and in new
limitations on disclosures to persons involved in the individual's care
(see Sec. 164.510(b)). We believe that the limitations we place on
disclosure of health information in those circumstances address the
concerns of these commenters.
Comment: Some commenters argued that disclosures to next of kin
should be restricted to minimum necessary protected health information,
and to protected health information about only the current medical
condition.
Response: In the final regulation, we change the proposed provision
regarding ``next of kin'' to more clearly focus on the disclosures we
intended to target: Disclosures to persons involved
[[Page 82716]]
in the individual's care. We allow such disclosure only with the
agreement of the individual, or where the covered entity has offered
the individual the opportunity to object to the disclosure and the
individual did not object. If the opportunity to object cannot
practicably be provided because of the incapacity of the individual or
other emergency, we require covered entities to exercise professional
judgment in the best interest of the patient in deciding whether to
disclose information. In such cases, we permit disclosure only of that
information directly relevant to the person's involvement with the
individual's health care. (This provision also includes limited
disclosure to certain persons seeking to identify or locate an
individual.) See Sec. 164.510(b).
Some additional concerns expressed about victims of domestic
violence and other forms of abuse are also addressed in a new section
on disclosure of protected health information related to domestic
violence and abuse. See Sec. 164.512(c). We believe that the
limitations we place on disclosure of health information in these
provisions address the concerns of these commenters.
Comment: Some commenters argued that covered entities should be
required to determine whether de-identified information could be used
before disclosing information under the minimum necessary standard.
Response: We believe that requiring covered entities' policies and
procedures for minimum necessary disclosures to address whether de-
identified information could be used in all instances would impose
burdens on some covered entities that could outweigh the benefits of
such a requirement. There is significant variation in the
sophistication of covered entities' information systems. Some covered
entities can reasonably implement policies and procedures that make
significant use of de-identified information; other covered entities
would find such a requirement excessively burdensome. For this reason,
we chose instead to require ``reasonable efforts,'' which can vary
according to the situation of each covered entity.
In addition, we believe that the fact that we allow de-identified
information to be disclosed without regard to the policies, procedures,
and documentation required for disclosure of identifiable health
information will provide an incentive to encourage its use where
appropriate.
Comment: Several commenters argued that standard transactions
should not be subject to the standard.
Response: We agree that data elements that are required or
situationally required in the standard transactions should not be, and
are not, subject to this standard. However, in many cases, covered
entities have significant discretion as to the information included in
these transactions. Therefore, this standard does apply to those
optional data elements.
Comment: Some commenters asked for clarification to understand how
the minimum necessary standard is intended to interact with the
security NPRM.
Response: The proposed Security Rule included requirements for
electronic health information systems to include access management
controls. Under this regulation, the covered entity's privacy policies
will determine who has access to what protected health information. We
will make every effort to ensure consistency prior to publishing the
final Security Rule.
Comment: Many commenters, representing health care providers,
argued that if the request was being made by a health plan, the health
plan should be required to request only the minimum protected health
information necessary. Some of these commenters stated that the
requestor is in a better position to know the minimum amount of
information needed for their purposes. Some of these commenters argued
that the minimum necessary standard should be imposed only on the
requesting entity. A few of these commenters argued that both the
disclosing and the requesting entity should be subject to the minimum
necessary standard, to create ``internal tension'' to assure the
standard is honored.
Response: We agree, and in the final rule we require that a request
for protected health information made by one covered entity to another
covered entity must be limited to the minimum amount necessary for the
purpose. As with uses and disclosures of protected health information,
covered entities may have standard protocols for routine requests.
Similarly, this requirement does not apply to requests made to health
care providers for treatment purposes. We modify the rule to balance
this provision; that is, it now applies both to disclosure of and
requests for protected health information. We also allow, but do not
require, the covered entity releasing the information to reasonably
rely on the assertion of a requesting covered entity that it is
requesting only the minimum protected health information necessary.
Comment: A few commenters suggested that there should be a process
for resolving disputes between covered entities over what constitutes
the ``minimum necessary'' information.
Response: We do not intend that this rule change the way covered
entities currently handle their differences regarding the disclosure of
health information. We understand that the scope of information
requested from providers by health plans is a source of tension in the
industry today, and we believe it would not be appropriate to use this
regulation to affect that debate. As discussed above, we require both
the requesting and the disclosing covered entity to take privacy
concerns into account, but do not inject additional tension into the
on-going discussions.
Section 164.514(e)--Marketing
Comment: Many commenters requested clarification of the boundaries
between treatment, payment, health care operations, and marketing. Some
of these commenters requested clarification of the apparent
inconsistency between language in proposed Sec. 164.506(a)(1)(i) (a
covered entity is permitted to use or disclose protected health
information without authorization ``to carry out'' treatment, payment,
or health care operations) and proposed Sec. 164.508(a)(2)(A) (a
covered entity must obtain an authorization for all uses and
disclosures that are not ``compatible with or directly related to''
treatment, payment, and health care operations). They suggested
retaining the language in proposed Sec. 164.508(a)(2)(A), which would
permit a broader range of uses and disclosures without authorization,
in order to engage in health promotion activities that might otherwise
be considered marketing.
Response: In the final rule, we make several changes to the
definitions of treatment, payment, and health care operations that are
intended to clarify the uses and disclosures of protected health
information that may be made for each purpose. See Sec. 164.501 and the
corresponding preamble discussion regarding the definitions of these
terms. We also have added a definition of the term ``marketing'' to
help establish the boundary between marketing and treatment, payment,
and health care operations. See Sec. 164.501. We also clarify the
conditions under which authorization is or is not required for uses and
disclosures of protected health information for marketing purposes. See
Sec. 164.514(e). Due to these changes, we believe it is appropriate to
retain the wording from proposed Sec. 164.506(a)(1)(i).
[[Page 82717]]
Comment: We received a wide variety of suggestions with respect to
authorization for uses and disclosures of protected health information
for marketing purposes. Some commenters supported requiring
authorization for all such uses and disclosures. Other commenters
suggested permitting all such uses and disclosures without
authorization.
Some commenters suggested we distinguish between marketing to
benefit the covered entity and marketing to benefit a third party. For
example, a few commenters suggested we should prohibit covered entities
from seeking authorization for any use or disclosure for marketing
purposes that benefit a third party. These commenters argued that the
third parties should be required to obtain the individual's
authorization directly from the individual, not through a covered
entity, due to the potential for conflicts of interest.
While a few commenters suggested that we require covered entities
to obtain authorization to use or disclose protected health information
for the purpose of marketing its own products and services, the
majority argued these types of marketing activities are vital to
covered entities and their customers and should therefore be permitted
to occur without authorization. For example, commenters suggested
covered entities should be able to use and disclose protected health
information without authorization in order to provide appointment
reminders, newsletters, information about new initiatives, and program
bulletins.
Finally, many commenters argued we should not require authorization
for the use or disclosure of protected health information to market any
health-related goods and services, even if those goods and services are
offered by a third party. Some of these commenters suggested that
individuals should have an opportunity to opt out of these types of
marketing activities rather than requiring authorization.
Response: We have modified the final rule in ways that address a
number of the issues raised in the comments. First, the final rule
defines the term marketing, and excepts certain communications from the
definition. See Sec. 164.501. These exceptions include communications
made by covered entities for the purpose of describing network
providers or other available products, services, or benefits and
communications made by covered entities for certain treatment-related
purposes. These exceptions only apply to oral communications or to
written communications for which the covered entity receives no third-
party remuneration. The exceptions to the definition of marketing fall
within the definitions of treatment and/or health care operations, and
therefore uses, or disclosures to a business associate, of protected
health information for these purposes are permissible under the rule
without authorization.
The final rule also permits covered entities to use protected
health information to market health-related products and services,
whether they are the products and services of the covered entity or of
a third party, subject to a number of limitations. See Sec. 164.514(e).
We permit these uses to allow entities in the health sector to inform
their patients and enrollees about products that may benefit them. The
final rule contains significant restrictions, including requirements
that the covered entity disclose itself as the source of a marketing
communication, that it disclose any direct or indirect remuneration
from third parties for making the disclosure, and that, except in the
cases of general communications such as a newsletter, the communication
disclose how the individual can opt-out of receiving additional
marketing communications. Additional requirements are imposed if the
communication is targeted based on the health status or condition of
the proposed recipients.
We believe that these modifications address many of the issues
raised by commenters and provide a substantial amount of flexibility as
to when a covered entity may communicate about a health-related product
or service to a patient or enrollee. These communications may include
appointment reminders, newsletters, and information about new health
products. These changes, however, do not permit a covered entity to
disclose protected health information to third parties for marketing
(other than to a business associate to make a marketing communication
on behalf of the covered entity) without authorization under
Sec. 164.508.
Comment: A few commenters suggested we prohibit health care
clearinghouses from seeking authorization for the use or disclosure of
protected health information for marketing purposes.
Response: We do not prohibit clearinghouses from seeking
authorizations for these purposes. We believe, however, that health
care clearinghouses will almost always create or obtain protected
health information in a business associate capacity. Business
associates may only engage in activities involving the use or
disclosure of protected health information, including seeking or acting
on an authorization, to the extent their contracts allow them to do so.
When a clearinghouse creates or receives protected health information
other than as a business associate of a covered entity, it is permitted
and required to obtain authorizations to the same extent as any other
covered entity.
Comment: A few commenters suggested we require covered entities to
publicly disclose, on the covered entity's website or upon request, all
of their marketing arrangements.
Response: While we agree that such a requirement would provide
individuals with additional information about how their information
would be used, we do not feel that such a significant intrusion into
the business practices of the covered entity is warranted.
Comment: Some commenters argued that if an activity falls within
the scope of payment, it should not be considered marketing. Commenters
strongly supported an approach which would bar an activity from being
construed as ``marketing'' even if performing that activity would
result in financial gain to the covered entity. In a similar vein, we
were urged to adopt the position that if an activity was considered
payment, treatment or health care operations, it could not be further
evaluated to determine whether it should be excluded as marketing.
Response: We considered the approach offered by commenters but
decided against it. Some activities, such as the marketing of a covered
entity's own health-related products or services, are now included in
the definition of health care operations, provided certain requirements
are met. Other types of activities, such as the sale of a patient list
to a marketing firm, would not be permitted under this rule without
authorization from the individual. We do not believe that we can
envision every possible disclosure of health information that would
violate the privacy of an individual, so any list would be incomplete.
Therefore, whether or not a particular activity is considered
marketing, payment, treatment or health care operations will be a fact-
based determination based on the activity's congruence with the
particular definition.
Comment: Some industry groups stated that if an activity involves
selling products, it is not disease management. They suggested we adopt
a definition of disease management that differentiates use of
information for the best interests of patient from uses undertaken for
``ulterior purposes'' such as advertising, marketing, or promoting
separate products.
[[Page 82718]]
Response: We agree in general that the sale of unrelated products
to individuals is not a population-based activity that supports
treatment and payment. However, in certain circumstances marketing
activities are permitted as a health care operation; see the definition
of ``health care operations'' in Sec. 164.501 and the related marketing
requirements of Sec. 164.514.
Comment: Some commenters complained that the absence of a
definition for disease management created uncertainty, in view of the
proposed rule's requirement to get authorization for marketing. They
expressed concern that the effect would be to require patient consent
for many activities that are desirable, not practicably done if
authorization is required, and otherwise classifiable as treatment,
payment, or health care operations. Examples provided include reminders
for appointments, reminders to get preventive services like mammograms,
and information about home management of chronic illnesses. They also
stated that the proposed rule would prevent many disease management and
preventive health activities.
Response: We agree that the distinction in the NPRM between disease
management and marketing was unclear. Rather than provide a definition
of disease management, this final rule defines marketing. We note that
overlap between disease management and marketing exists today in
practice and they cannot be distinguished easily with a definitional
label. However, for purposes of this rule, the revised language makes
clear for what activities an authorization is required. We note that
under this rule many of the activities mentioned by commenters will not
require authorizations under most circumstances. See the discussion of
disease management under the definition of ``treatment'' in
Sec. 164.501.
Section 164.514(f)--Fundraising
Comment: Many comments objected to the requirement that an
authorization from the individual be obtained for use and disclosure of
protected health information for fundraising purposes. They argued
that, in the case of not-for-profit health care providers, having to
obtain authorization would be time consuming and costly, and that such
a requirement would lead to a decrease in charitable giving. The
commenters also urged that fundraising be included within the
definition of health care operations. Numerous commenters suggested
that they did not need unfettered access to patient information in
order to carry out their fundraising campaigns. They stated that a
limited data set restricted to name, address, and telephone number
would be sufficient to meet their needs. Several commenters suggested
that we create a voluntary opt-out provision so people can avoid
solicitations.
Response: We agree with commenters that our proposal could have
adversely effected charitable giving, and accordingly make several
modifications to the proposal. First, the final rule allows a covered
entity to use or disclose to a business associate protected health
information without authorization to identify individuals for
fundraising for its own benefit. Permissible fundraising activities
include appeals for money, sponsorship of events, etc. They do not
include royalties or remittances for the sale of products of third
parties (except auctions, rummage sales, etc).
Second, the final rule allows a covered entity to disclose
protected health information without authorization to an
institutionally related foundation that has as its mission to benefit
the covered entity. This special provision is necessary to accommodate
tax code provisions which may not allow such foundations to be business
associates of their associated covered entity.
We also agree that broad access to protected health information is
unnecessary for fundraising and unnecessarily intrudes on individual
privacy. The final rule limits protected health information to be used
or disclosed for fundraising to demographic information and the date
that treatment occurred. Demographic information is not defined in the
rule, but will generally include in this context name, address and
other contact information, age, gender, and insurance status. The term
does not include any information about the illness or treatment.
We also agree that a voluntary opt-out is an appropriate
protection, and require in Sec. 164.520 that covered entities provide
information on their fundraising activities in their ``Notice of
Information Practices.'' As part of the notice and in any fundraising
materials, covered entities must provide information explaining how
individuals may opt out of fundraising communications.
Comment: Some commenters stated that use and disclosure of
protected health information for fundraising, without authorization
should be limited to not-for-profit entities. They suggested that not-
for-profit entities were in greater need of charitable contributions
and as such, they should be exempt from the authorization requirement
while for-profit organizations should have to comply with the
requirement.
Response: We do not agree that the profit status of a covered
entity should determine its allowable use of protected health
information for fundraising. Many for-profit entities provide the same
services and have similar missions to not-for-profit entities.
Therefore, the final rule does not make this distinction.
Comment: Several commenters suggested that the final rule should
allow the internal use of protected health information for fundraising,
without authorization, but not disclosure for fundraising. These
commenters suggested that by limiting access of protected health
information to only internal development offices concerns about misuse
would be reduced.
Response: We do not agree. A number of commenters noted that they
have related charitable foundations that raise funds for the covered
entity, and we permit disclosures to such foundations to ensure that
this rule does not interfere with charitable giving.
Comment: Several commenters asked us to address the content of
fundraising letters. They pointed out that disease or condition-
specific letters requesting contributions, if opened by the wrong
person, could reveal personal information about the intended recipient.
Response: We agree that such communications raise privacy concerns.
In the final rule, we limit the information that can be used or
disclosed for fundraising, and exclude information about diagnosis,
nature of services, or treatment.
Section 164.514(g)--Verification
Comment: A few commenters suggested that verification guidelines
may need to be different as they apply to emergency clinical situations
as opposed to routine data collection where delays do not threaten
health.
Response: We agree, and make special provisions in Secs. 164.510
and 164.512 for disclosures of protected health information by a
covered entity without authorization where the individual is unable to
agree or object to disclosure due to incapacity or other emergency
circumstance.
For example, a health care provider may need to make disclosures to
family members, close personal friends, and others involved in the
individual's care in emergency situations. Similarly, a health care
provider may need to respond to a request from a hospital seeking
protected health information in
[[Page 82719]]
a circumstance described as an emergency. In each case, we require only
that the covered entity exercise professional judgment, in the best
interest of the patient, in deciding whether to make a disclosure.
Based on the comments and our fact finding, this reflects current
practice.
Comment: A few commenters stated the rules should include
provisions for electronic verification of identity (such as Public Key
Infrastructure (PKI)) as established in the regulations on Security and
Electronic Signatures. One commenter suggested that some kind of PKI
credentialing certificate should be required.
Response: This regulation does not address specific technical
protocols utilized to meet the verification requirements. If the
requirements of the rule are otherwise met, the mechanism for meeting
them can be determined by the covered entity.
Comment: A few commenters wanted more clarification on the
verification procedures. One commenter wanted to know if contract
number is enough for verification. A few commenters wanted to know if a
callback or authorization on a letterhead is acceptable. A few
commenters wanted to know if plans are considered to ``routinely do
business'' with all of their members.
Response: In the final rule, we modify the proposed provision and
require covered entities to have policies and procedures reasonably
designed to verify the identify and authority of persons requesting
protected health information. Whether knowledge of a contract number is
reasonable evidence of authority and identity will depend on the
circumstances. Call-backs and letterhead are typically used today for
verification, and are acceptable under this rule if reasonable under
the circumstances. For communications with health plan members, the
covered entity will already have information about each individual,
collected during enrollment, that can be used to establish identity,
especially for verbal or electronic inquiries. For example, today many
health plans ask for the social security or policy number of
individuals seeking information or assistance by telephone. How this
verification is done is left up to the covered entity.
Comment: One commenter expressed the need for consistency on
verification requirements between this rule and the Security
regulation.
Response: We will make every effort to ensure consistency prior to
publishing the final Security Rule.
Comment: One commenter stated that the verification language in
proposed Sec. 164.518(c)(2)(ii)(B)(1) would have created a presumption
that ``a request for disclosure made by official legal process issued
by a[n] administrative body'' is reasonable legal authority to disclose
the protected health information. The commenter was concerned that this
provision could be interpreted to permit a state agency to demand the
disclosure of protected health information merely on the basis of a
letter signed by an agency representative. The commenter believed that
the rule specifically should defer to state or federal law on the
disclosure of protected health information pursuant to legal process.
Response: The verification provisions in this rule are minimum
requirements that covered entities must meet before disclosing
protected health information under this regulation. They do not mandate
disclosure, nor do they preempt state laws which impose additional
restrictions on disclosure. Where state law regarding disclosures is
more stringent, the covered entity must adhere to state law.
Comment: A few commenters wanted the verification requirements to
apply to disclosures of protected health information for treatment,
payment and operations purposes.
Response: We agree. This verification requirement applies to all
disclosures of protected health information permitted by this rule,
including for treatment, payment and operations, where the identity of
the recipient is not known to the covered entity. Routine
communications between providers, where existing relationships have
been established, do not require special verification procedures.
Comment: A few commenters were concerned that a verbal inquiry for
next of kin verification is not consistent with the verification
guidelines of this verification subsection and that verbal inquiry
would create problems because anyone who purports to be a next of kin
could easily obtain information under false pretenses.
Response: In the final rule in Sec. 164.514, we require the covered
entity to verify the identity and authority of persons requesting
protected health information, where the identity and authority of such
person is not known to the covered entity. This applies to next of kin
situations. Procedures for disclosures to next of kin, other family
members and persons assisting in an individual's care are also
discussed in Sec. 164.510(b), which allows the covered entity to
exercise professional judgment as to whether the disclosure is in the
individual's best interest when the individual is not available to
agree to the disclosure or is incapacitated. Requiring written proof of
identity in many of these situations, such as when a family member is
seeking to locate a relative in an emergency or disaster situation,
would create enormous burden without a corresponding enhancement of
privacy, and could cause unnecessary delays in these situations. We
therefore believe that reliance on professional judgment provides a
better framework for balancing the need for privacy with the need to
locate and identify individuals.
Comment: A few commenters stated that the verification requirements
will provide great uncertainty to providers who receive authorizations
from life, disability income and long-term care insurers in the course
of underwriting and claims investigation. They are unaware of any
breaches of confidentiality associated with these circumstances and
believe the rule creates a solution to a non-existent problem. Another
commenter stated that it is too burdensome for health care providers to
verify requests that are normally received verbally or via fax.
Response: This rule requires covered health care providers to
adhere to current best practices for verification. That is, when the
requester is not known to the covered provider, the provider makes a
reasonable effort to determine that the protected health information is
being sent to the entity authorized to receive it. Our fact finding
reveals that this is often done by sending the information to a
recognizable organizational address or if being transmitted by fax or
phone by calling the requester back through the main organization
switchboard rather than through a direct phone number. We agree that
these procedures seem to work reasonably well in current practice and
are sufficient to meet the relevant requirements in the final rule.
Comments: One comment suggested requiring a form of photo
identification such as a driver's license or certain personal
information such as date of birth to verify the identity of the
individual.
Response: These are exactly the types of standard procedures for
verifying the identity of individuals that are envisioned by the final
rule. Most health care entities already conduct such procedures
successfully. However, it is unwise to prescribe specific means of
verification for all situations. Instead, we require policies and
procedures reasonably designed for purposes of verification.
Comment: One professional association said that the example
procedure described in the NPRM for asking questions to verify that an
adult
[[Page 82720]]
acting for a young child had the requisite relationship to the child
would be quite complex and difficult in practice. The comment asked for
specific guidance as to what questions would constitute an adequate
attempt to verify such a relationship.
Response: The final rule requires the covered entity to implement
policies and procedures that are reasonably designed to comply with the
verification requirement in Sec. 164.514. It would not be possible to
create the requested specific guidance which could deal with the
infinite variety of situations that providers must face, especially the
complex ones such as that described by the commenter. As with many of
the requirements of this final rule, health care providers are given
latitude and expected to make decisions regarding disclosures, based on
their professional judgment and experience with common practice, in the
best interest of the individual.
Comment: One commenter asserted that ascertaining whether a
requestor has the appropriate legal authority is beyond the scope of
the training or expertise of most employees in a physician's office.
They believe that health care providers must be able to reasonably rely
on the authority of the requestor.
Response: In the final regulation we require covered entities to
have policies and procedures reasonably designed to verify the identify
and authority of persons requesting health information. Where the
requester is a public official and legal authority is at issue, we
provide detailed descriptions of the acceptable methods for such
verification in the final rule. For others, the covered entity must
implement policies and procedures that are reasonably designed to
comply with the requirement to verify the identity and authority of a
requestor, but only if the requestor is unknown to the covered entity.
As described above, we expect these policies and procedures to document
currently used best practices and reliance on professional judgment in
the best interest of the individual.
Comment: One commenter expressed concern that the verification/
identification procedures may eliminate or significantly reduce their
ability to utilize medical records copy services. As written, they
believe the NPRM provides the latitude to set up copy service
arrangements, but any change that would add restrictions would
adversely affect their ability to process an individual's disability
claim.
Response: The covered entity can establish reasonable policies and
procedures to address verification in routine disclosures under
business associate agreements, with, for example, medical records copy
services. Nothing in the verification provisions would preclude those
activities, nor have we significantly modified the NPRM provision on
this issue.
Section 164.520--Notice of Privacy Practices for Protected Health
Information
Comment: Many commenters supported the proposal to require covered
entities to produce a notice of information practices. They stated that
such notice would improve individuals' understanding of how their
information may be used and disclosed and would help to build trust
between individuals and covered entities. A few comments, however,
argued that the notice requirement would be administratively burdensome
and expensive without providing significant benefit to individuals.
Response: We retain the requirement for covered health care
providers and health plans to produce a notice of information
practices. We additionally require health care clearinghouses that
create or receive protected health information other than as a business
associate of another covered entity to produce a notice. We believe the
notice will provide individuals with a clearer understanding of how
their information may be used and disclosed and is essential to inform
individuals of their privacy rights. The notice will focus individuals
on privacy issues, and prompt individuals to have discussions about
privacy issues with their health plans, health care providers, and
other persons.
The importance of providing individuals with notice of the uses and
disclosures of their information and of their rights with respect to
that information is well supported by industry groups, and is
recognized in current state and federal law. The July 1977 Report of
the Privacy Protection Study Commission recommended that ``each
medical-care provider be required to notify an individual on whom it
maintains a medical record of the disclosures that may be made of
information in the record without the individual's express
authorization.'' \23\ The Commission also recommended that ``an
insurance institution * * * notify (an applicant or principal insured)
as to: * * * the types of parties to whom and circumstances under which
information about the individual may be disclosed without his
authorization, and the types of information that may be disclosed;
[and] * * * the procedures whereby the individual may correct, amend,
delete, or dispute any resulting record about himself.'' \24\ The
Privacy Act (5 U.S.C. 552a) requires government agencies to provide
notice of the routine uses of information the agency collects and the
rights individuals have with respect to that information. In its report
``Best Principles for Health Privacy,'' the Health Privacy Working
Group stated, ``Individuals should be given notice about the use and
disclosure of their health information and their rights with regard to
that information.'' \25\ The National Association of Insurance
Commissioners' Health Information Privacy Model Act requires carriers
to provide a written notice of health information policies, standards,
and procedures, including a description of the uses and disclosures
prohibited and permitted by the Act, the procedures for authorizing and
limiting disclosures and for revoking authorizations, and the
procedures for accessing and amending protected health information.
---------------------------------------------------------------------------
\23\ Privacy Protection Study Commission, ``Personal Privacy in
an Information Society,'' July 1977, p. 313.
\24\ Privacy Protection Study Commission, ``Personal Privacy in
an Information Society,'' July 1977, p. 192.
\25\ Health Privacy Working Group, ``Best Principles for Health
Privacy,'' Health Privacy Project, Institute for Health Care
Research and Policy, Georgetown University, July 1999, p.19.
---------------------------------------------------------------------------
Some states require additional notice. For example, Hawaii requires
health care providers and health plans, among others, to produce a
notice of confidentiality practices, including a description of the
individual's privacy rights and a description of the uses and
disclosures of protected health information permitted under state law
without the individual's authorization. (HRS section 323C-13)
Today, health plan hand books and evidences of coverage include
some of what is required to be in the notice. Industry and standard-
setting organizations have also developed notice requirements. The
National Committee for Quality Assurance accreditation guidelines state
that an accredited managed care organization ``communicates to
prospective members its policies and practices regarding the
collection, use, and disclosure of medical information [and] * * *
informs members * * * of its policies and procedures on * * * allowing
members access to their medical records.'' \26\ Standards of the
American Society for Testing and Materials state,
[[Page 82721]]
``Organizations and individuals who collect, process, handle, or
maintain health information should provide individuals and the public
with a notice of information practices.'' They recommend that the
notice include, among other elements, ``a description of the rights of
individuals, including the right to inspect and copy information and
the right to seek amendments [and] a description of the types of uses
and disclosures that are permitted or required by law without the
individual's authorization.'' \27\ We build on this well-established
principle in this final rule.
---------------------------------------------------------------------------
\26\ National Committee on Quality Assurance, ``Surveyor
Guidelines for the Accreditation of MCOs,'' effective July 1, 2000--
June 30, 2001, p. 324.
\27\ ASTM, ``Standard Guide for Confidentiality, Privacy, Access
and Data Security, Principles for Health Information Including
Computer-Based Patient Records,'' E 1869-97, Sec. 9.2.
---------------------------------------------------------------------------
Comment: We received many comments on the model notice provided in
the proposed rule. Some commenters argued that patients seeing similar
documents would be less likely to become disoriented when examining a
new notice. Other commenters, however, opposed the inclusion of a model
notice or expressed concern about particular language included in the
model. They maintained that a uniform model notice would never capture
the varying practices of covered entities. Many commenters opposed
requirements for a particular format or specific language in the
notice. They stated that covered entities should be afforded maximum
flexibility in fashioning their notices. Other commenters requested
inclusion of specific language as a header to indicate the importance
of the notice. A few commenters recommended specific formatting
requirements, such as font size or type.
Response: On the whole, we found commenters' arguments for
flexibility in the regulation more persuasive than those arguing for
more standardization. We agree that a uniform notice would not capture
the wide variation in information practices across covered entities. We
therefore do not include a model notice in the final rule, and do not
require inclusion of specific language in the notice (except for a
standard header). We also do not require particular formatting. We do,
however, require the notice to be written in plain language. (See above
for guidance on writing documents in plain language.) We also agree
with commenters that the notice should contain a standard header to
draw the individual's attention to the notice and facilitate the
individual's ability to recognize the notice across covered entities.
We believe that post-publication guidance will be a more effective
mechanism for helping covered entities design their notices than the
regulation itself. After the rule is published, we can provide guidance
on notice content and format tailored to different types of health
plans and providers. We believe such specially designed guidance will
be more useful than a one-size-fits-all model notice we might publish
with this regulation.
Comment: Commenters suggested that the rule should require that the
notice regarding privacy practices include specific provisions related
to health information of unemancipated minors.
Response: Although we agree that minors and their parents should be
made aware of practices related to confidentiality of protected health
information of unemancipated minors, we do not require covered entities
that treat minors or use their protected health information to include
provisions in their notice that are not required of other covered
entities. In general, the content of notice requirements in
Sec. 164.520(b) do not vary based on the status of the individual being
served. We have decided to maintain consistency by declining to
prescribe specific notice requirements for minors. The rule does permit
a covered entity to provide individuals with notice of its policies and
procedures with respect to anticipated uses and disclosures of
protected health information (Sec. 164.520(b)(2)), and providers are
encouraged to do so.
Comment: Some commenters argued that covered entities should not be
required to distinguish between those uses and disclosures that are
required by law and those that are permitted by law without
authorization, because these distinctions may not always be clear and
will vary across jurisdictions. Some commenters maintained that simply
stating that the covered entity would make all disclosures required by
law would be sufficient. Other comments suggested that covered entities
should be able to produce very broadly stated notices so that repeated
revisions and mailings of those revisions would not be necessary.
Response: While we believe that covered entities have an
independent duty to understand the laws to which they are subject, we
also recognize that it could be difficult to convey such legal
distinctions clearly and concisely in a notice. We therefore eliminate
the proposed requirement for covered entities to distinguish between
those uses and disclosures that are required by and those that are
permitted by law. We instead require that covered entities describe
each purpose for which they are permitted or required to use or
disclose protected health information under this rule and other
applicable law without individual consent or authorization.
Specifically, covered entities must describe the types of uses and
disclosures they are permitted to make for treatment, payment, and
health care operations. They must also describe each of the purposes
for which the covered entity is permitted or required by this subpart
to use or disclose protected health information without the
individual's written consent or authorization (even if they do not plan
to make a permissive use or disclosure). We believe this requirement
provides individuals with sufficient information to understand how
information about them can be used and disclosed and to prompt them to
ask for additional information to obtain a clearer understanding, while
minimizing covered entities' burden.
A notice that stated only that the covered entity would make all
disclosures required by law, as suggested by some of these commenters,
would fail to inform individuals of the uses and disclosures of
information about them that are permitted, but not required, by law. We
clarify that each and every disclosure required by law need not be
listed on the notice. Rather, the covered entity can include a general
statement that disclosures required by law will be made.
Comment: Some comments argued that the covered entity should not
have to provide notice about uses and disclosures that are permitted
under the rule without authorization. Other comments suggested that the
notice should inform individuals about all of the uses and disclosures
that may be made, with or without the individual's authorization.
Response: When the individual's permission is not required for uses
and disclosures of information, we believe providing the required
notice is the most effective means of ensuring that individuals are
aware of how information about them may be shared. The notice need not
describe uses and disclosures for which the individual's permission is
required, because the individual will be informed of these at the time
permission to use or disclose the information is requested.
We additionally require covered entities, even those required to
obtain the individual's consent for use and disclosure of protected
health information for treatment, payment, and health care operations,
to describe those uses and disclosures in their notice. (See
Sec. 164.506 and the corresponding preamble discussion regarding
consent requirements.) We require these uses
[[Page 82722]]
and disclosures to be described in the notice in part in order to
reduce the administrative burden on covered providers that are required
to obtain consent. Rather than obtaining a new consent each time the
covered provider's information policies and procedures are materially
revised, covered providers may revise and redistribute their notice. We
also expect that the description of how information may be used to
carry out treatment, payment, and health care operations in the notice
will be more detailed than in the more general consent document.
Comment: Some commenters argued that covered entities should not be
required to provide notice of the right to request restrictions,
because doing so would be burdensome to the covered entity and
distracting to the individual; because individuals have the right
whether they are informed of such right or not; and because the
requirement would be unlikely to improve patient care.
Response: We disagree. We believe that the ability of an individual
to request restrictions is an important privacy right and that
informing people of their rights improves their ability to exercise
those rights. We do not believe that adding a sentence to the notice is
burdensome to covered entities.
Comment: We received comments supporting inclusion of a contact
point in the notice, so that individuals will not be forced to make
multiple calls to find someone who can assist them with the issues in
the notice.
Response: We retain the requirement, but clarify that the title of
the contact person is sufficient. A person's name is not required.
Comment: Some commenters argued that we could facilitate compliance
by requiring the notice to include the proposed requirement that
covered entities use and disclose only the minimum necessary protected
health information.
Response: We do not agree that adding such a requirement would
strengthen the notice. The purpose of the notice is to inform
individuals of their privacy rights, and of the purposes for which
protected health information about them may be used or disclosed.
Informing individuals that covered entities may use and disclose only
the minimum necessary protected health information for a purpose would
not increase individuals' understanding of their rights or the purposes
for which information may be used or disclosed.
Comment: A few commenters supported allowing covered entities to
apply changes in their information practices to protected health
information obtained prior to the change. They argued that requiring
different protections for information obtained at different times would
be inefficient and extremely difficult to administer. Some comments
supported requiring covered entities to state in the notice that the
information policies and procedures are subject to change.
Response: We agree. In the final rule, we provide a mechanism by
which covered entities may revise their privacy practices and apply
those revisions to protected health information they already maintain.
We permit, but do not require, covered entities to reserve the right to
change their practices and apply the revised practices to information
previously created or obtained. If a covered entity wishes to reserve
this right, it must make a statement to that effect in its notice. If
it does not make such a statement, the covered entity may still revise
its privacy practices, but it may apply the revised practices only to
protected health information created or obtained after the effective
date of the notice in which the revised practices are reflected. See
Sec. 164.530(i) and the corresponding preamble discussion of
requirements regarding changes to information policies and procedures.
Comment: Some commenters requested clarification of the term
``material changes'' so that entities will be comfortable that they act
properly after making changes to their information practices. Some
comments stated that entities should notify individuals whenever a new
category of disclosures to be made without authorization is created.
Response: The concept of ``material change'' appears in other
notice laws, such as the ERISA requirements for summary plan
descriptions. We therefore retain the ``materiality'' condition for
revision of notices, and encourage covered entities to draw on the
concept as it has developed through those other laws. We agree that the
addition of a new category of use or disclosure of health information
that may be made without authorization would likely qualify as a
material change.
Comment: We proposed to permit covered entities to implement
revised policies and procedures without first revising the notice if a
compelling reason existed to do so. Some commenters objected to this
proposal because they were concerned that the ``compelling reason''
exception would give covered entities broad discretion to engage in
post hoc violations of its own information practices.
Response: We agree and eliminate this provision. Covered entities
may not implement revised information policies and procedures before
properly documenting the revisions and updating their notice. See
Sec. 164.530(i). Because in the final rule we require the notice to
include all disclosures that may be made, not only those the covered
entity intends to make, we no longer need this provision to accommodate
emergencies.
Comment: Some comments suggested that we require covered entities
to maintain a log of all past notices, with changes from the previous
notice highlighted. They further suggested we require covered entities
to post this log on their web sites.
Response: In accordance with Sec. 164.530(j)(2), a covered entity
must retain for six years a copy of each notice it issues. We do not
require highlighting of changes to the notice or posting of prior
notices, due to the associated administrative burdens and the
complexity such a requirement would build into the notice over time. We
encourage covered entities, however, to make such materials available
upon request.
Comment: Several commenters requested clarification about when,
relative to the compliance date, covered entities are required to
produce their notice. One commenter suggested that covered entities be
allowed a period not less than 180 days after adoption of the final
rule to develop and distribute the notice. Other comments requested
that the notice compliance date be consistent with other HIPAA
regulations.
Response: We require covered entities to have a notice available
upon request as of the compliance date of this rule (or the compliance
date of the covered entity if such date is later). See Sec. 164.534 and
the corresponding preamble discussion of the compliance date.
Comment: Some commenters suggested that covered entities,
particularly covered health care providers, should be required to
discuss the notice with individuals. They argued that posting a notice
or otherwise providing the notice in writing may not achieve the goal
of informing individuals of how their information will be handled,
because some individuals may not be literate or able to function at the
reading level used in the notice. Others argued that entities should
have the flexibility to choose alternative modes of communicating the
information in the notice, including voice disclosure. In contrast,
some commenters were concerned that requirements to provide the notice
in plain language or in languages other than English would be overly
burdensome.
[[Page 82723]]
Response: We require covered entities to write the notice in plain
language so that the average reader will be able to understand the
notice. We encourage, but do not require, covered entities to consider
alternative means of communicating with certain populations. We note
that any covered entity that is a recipient of federal financial
assistance is generally obligated under Title VI of the Civil Rights
Act of 1964 to provide material ordinarily distributed to the public in
the primary languages of persons with limited English proficiency in
the recipients' service areas. While we believe the notice will prompt
individuals to initiate discussions with their health plans and health
care providers about the use and disclosure of health information, we
believe this should be a matter left to each individual and that
requiring covered entities to initiate discussions with each individual
would be overly burdensome.
Comment: Some commenters suggested that covered entities,
particularly health plans, should be permitted to distribute their
notice in a newsletter or other communication with individuals.
Response: We agree, so long as the notice is sufficiently separate
from other important documents. We therefore prohibit covered entities
from combining the notice in a single document with either a consent
(Sec. 164.506) or an authorization (Sec. 164.508), but do not otherwise
prohibit covered entities from including the notice in or with other
documents the covered entity shares with individuals.
Comment: Some comments suggested that covered entities should not
be required to respond to requests for the notice from the general
public. These comments indicated that the requirement would place an
undue burden on covered entities without benefitting individuals.
Response: We proposed that the notice be publicly available so that
individuals may use the notice to compare covered entities' privacy
practices and to select a health plan or health care provider
accordingly. We therefore retain the proposed requirement for covered
entities to provide the notice to any person who requests a copy,
including members of the general public.
Comment: Many commenters argued that the distribution requirements
for health plans should be less burdensome. Some suggested requiring
distribution upon material revision, but not every three years. Some
suggested that health plans should only be required to distribute their
notice annually or upon re-enrollment. Some suggested that health plans
should only have to distribute their notice upon initial enrollment,
not re-enrollment. Other commenters supported the proposed approach.
Response: We agree that the notice distribution requirements for
health plans can be less burdensome than in the NPRM while still being
effective. In the final rule, we reduce health plans' distribution
burden in several ways. First, we require health plans to remind
individuals every three years of the availability of the notice and of
how to obtain a copy of the notice, rather than requiring the notice to
be distributed every three years as proposed. Second, we clarify that
health plans only have to distribute the notice to new enrollees on
enrollment, not to current members of the health plan upon re-
enrollment. Third, we specifically allow all covered entities to
distribute the notice electronically in accordance with
Sec. 164.520(c)(3).
We retain the requirement for health plans to distribute the notice
within 60 days of a material revision. We believe the revised
distribution requirements will ensure that individuals are adequately
informed of health plans' information practices and any changes to
those procedures, without unduly burdening health plans.
Comment: Many commenters argued that health plans should not be
required to distribute their notice to every person covered by the
plan. They argued that distributing the notice to every family member
would be unnecessarily duplicative, costly, and difficult to
administer. They suggested that health plans only be required to
distribute the notice to the primary participant or to each household
with one or more insured individuals.
Response: We agree, and clarify in the final rule that a health
plan may satisfy the distribution requirement by providing the notice
to the named insured on behalf of the dependents of that named insured.
For example, a group health plan may satisfy its notice requirement by
providing a single notice to each covered employee of the plan sponsor.
We do not require the group health plan to distribute the notice to
each covered employee and to each covered dependent of those employees.
Comment: Many comments requested clarification about health plans'
ability to distribute the notice via other entities. Some commenters
suggested that group health plans should be able to satisfy the
distribution requirement by providing copies of the notice to plan
sponsors for delivery to employees. Others requested clarification that
covered health care providers are only required to distribute their own
notice and that health plans should be prohibited from using their
affiliated providers to distribute the health plan's notice.
Response: We require health plans to distribute their notice to
individuals covered by the health plan. Health plans may elect to hire
or otherwise arrange for others, including group health plan sponsors
and health care providers affiliated with the health plan, to carry out
this distribution. We require covered providers to distribute only
their own notices, and neither require nor prohibit health plans and
health care providers from devising whatever arrangements they find
suitable to meet the requirements of this rule. However, if a covered
entity arranges for another person or entity to distribute the covered
entity's notice on its behalf and individuals do not receive such
notice, the covered entity would be in violation of the rule.
Comment: Some comments stated that covered providers without direct
patient contact, such as clinical laboratories, might not have
sufficient patient contact information to be able to mail the notice.
They suggested we require or allow such providers to form agreements
with referring providers or other entities to distribute notices on
their behalf or to include their practices in the referring entity's
own notice.
Response: We agree with commenters' concerns about the potential
administrative and financial burdens of requiring covered providers
that have indirect treatment relationships with individuals, such as
clinical laboratories, to distribute the notice. Therefore, we require
these covered providers to provide the notice only upon request. In
addition, these covered providers may elect to reach agreements with
other entities distribute their notice on their behalf, or to
participate in an organized health care arrangement that produces a
joint notice. See Sec. 164.520(d) and the corresponding preamble
discussion of joint notice requirements.
Comment: Some commenters requested that covered health care
providers be permitted to distribute their notice prior to an
individual's initial visit so that patients could review the
information in advance of the visit. They suggested that distribution
in advance would reduce the amount of time covered health care
providers' staff would have to spend explaining the notice to patients
in the office. Other comments argued that providers should
[[Page 82724]]
distribute their notice to patients at the time the individual visits
the provider, because providers lack the administrative infrastructure
necessary to develop and distribute mass communications and generally
have difficulty identifying active patients.
Response: In the final rule, we clarify that covered providers with
direct treatment relationships must provide the notice to patients no
later than the first service delivery to the patient after the
compliance date. For the reasons identified by these commenters, we do
not require covered providers to send their notice to the patient in
advance of the patient's visit. We do not prohibit distribution in
advance, but only require distribution to the patient as of the time of
the visit. We believe this flexibility will allow each covered provider
to develop procedures that best meet its and its patients' needs.
Comment: Some comments suggested that covered providers should be
required to distribute the notice as of the compliance date. They noted
that if the covered provider waited to distribute the notice until
first service delivery, it would be possible (pursuant to the rule) for
a use or disclosure to be made without the individual's authorization,
but before the individual receives the notice.
Response: Because health care providers generally lack the
administrative infrastructure necessary to develop and distribute mass
communications and generally have difficulty identifying active
patients, we do not require covered providers to distribute the notice
until the first service delivery after the compliance date. We
acknowledge that this policy allows uses and disclosure of health
information without individuals' consent or authorization before the
individual receives the notice. We require covered entities, including
covered providers, to have the notice available upon request as of the
compliance date of the rule. Individuals may request a copy of the
notice from their provider at any time.
Comment: Many commenters were concerned with the requirement that
covered providers post their notice. Some commenters suggested that
covered hospital-based providers should be able to satisfy the
distribution requirements by posting their notice in multiple locations
at the hospital, rather than handing the notice to patients--
particularly with respect to distribution after material revisions have
been made. Some additionally suggested that these covered providers
should have copies of the notice available on site. Some commenters
emphasized that the notice must be clear and conspicuous to give
individuals meaningful and effective notice of their rights. Other
commenters noted that posting the notice will not inform former
patients who no longer see the provider.
Response: We clarify in the final rule that the requirement to post
a notice does not substitute for the requirement to give individuals a
notice or make notices available upon request. Covered providers with
direct treatment relationships, including covered hospitals, must give
a copy of the notice to the individual as of first service delivery
after the compliance date. After giving the individual a copy of the
notice as of that first visit, the covered provider has no other
obligation to actively distribute the notice. We believe it is
unnecessarily burdensome to require covered providers to mail the
notice to all current and former patients each time the notice is
revised, because unlike health plans, providers may have a difficult
time identifying active patients. All individuals, including those who
no longer see the covered provider, have the right to receive a copy of
the notice on request.
If the covered provider maintains a physical delivery site, it must
also post the notice (including revisions to the notice) in a clear and
prominent location where it is reasonable to expect individuals seeking
service from the covered provider to be able to read the notice. The
covered provider must also have the notice available on site for
individuals to be able to request and take with them.
Comment: Some comments requested clarification about the
distribution requirements for a covered entity that is a health plan
and a covered health care provider.
Response: Under Sec. 164.504(g), discussed above, covered entities
that conduct multiple types of covered functions, such as the kind of
entities described in the above comments, are required to comply with
the provisions applicable to a particular type of health care function
when acting in that capacity. Thus, in the example described above, the
covered entity is required by Sec. 164.504(g) to follow the
requirements for health plans with respect to its actions as a health
plan and to follow the requirements for health care providers with
respect to its actions as a health care provider.
Comment: We received many comments about the ability of covered
entities to distribute their notices electronically. Many commenters
suggested that we permit covered entities to distribute the notice
electronically, either via a web site or e-mail. They argued that
covered entities are increasingly using electronic technology to
communicate with patients and otherwise administer benefits. They also
noted that other regulations permit similar documents, such as ERISA-
required summary plan descriptions, to be delivered electronically.
Some commenters suggested that electronic distribution should be
permitted unless the individual specifically requests a hard copy or
lacks electronic access. Some argued that entities should be able to
choose a least-cost alternative that allows for periodic changes
without excessive mailing costs. A few commenters suggested requiring
covered entities to distribute notices electronically.
Response: We clarify in the final rule that covered entities may
elect to distribute their notice electronically, provided the
individual agrees to receiving the notice electronically and has not
withdrawn such agreement. We do not require any particular form of
agreement. For example, a covered provider could ask an individual at
the time the individual requests a copy of the notice whether she
prefers to receive it in hard copy or electronic form. A health plan
could ask an individual applying for coverage to provide an e-mail
address where the health plan can send the individual information. If
the individual provides an e-mail address, the health plan can infer
agreement to obtain information electronically.
An individual who has agreed to receive the notice electronically,
however, retains the right to request a hard copy of the notice. This
right must be described in the notice. In addition, if the covered
entity knows that electronic transmission of the notice has failed, the
covered entity must produce a hard copy of the notice. We believe this
provision allows covered entities flexibility to provide the notice in
the form that best meets their needs without compromising individuals'
right to adequate notice of covered entities' information practices.
We note that covered entities may also be subject to the Electronic
Signatures in Global and National Commerce Act. This rule is not
intended to alter covered entities' requirements under that Act.
Comment: Some commenters were concerned that covered providers with
``face-to-face'' patient contact would have a competitive disadvantage
against covered internet-based providers, because the face-to-face
providers would be required to distribute the notice in hard copy while
internet-based providers could satisfy the requirement
[[Page 82725]]
by requiring review of the notice on the web site before processing an
order. They suggested allowing face-to-face covered providers to
satisfy the distribution requirement by asking patients to review the
notice posted on site.
Response: We clarify in the final rule that covered health care
providers that provide services to individuals over the internet have
direct treatment relationships with those individuals. Covered
internet-based providers, therefore, must distribute the notice at the
first service delivery after the compliance date by automatically and
contemporaneously providing the notice electronically in response to
the individual's first request for service, provided the individual
agrees to receiving the notice electronically.
Even though we require all covered entity web sites to post the
entity's notice prominently, we note that such posting is not
sufficient to meet the distribution requirements. A covered internet-
based provider must send the notice electronically at the individual's
first request for service, just as other covered providers with direct
treatment relationships must give individuals a copy of the notice as
of the first service delivery after the compliance date.
We do not intend to create competitive advantages among covered
providers. A web-based and a non-web-based covered provider each have
the same alternatives available for distribution of the notice. Both
types of covered providers may provide either a paper copy or an
electronic copy of the notice.
Comment: We received several comments suggesting that some covered
entities should be exempted from the notice requirement or permitted to
combine notices with other covered entities. Many comments argued that
the notice requirement would be burdensome for hospital-based
physicians and result in numerous, duplicative notices that would be
meaningless or confusing to patients. Other comments suggested that
multiple health plans offered through the same employer should be
permitted to produce a single notice.
Response: We retain the requirement for all covered health care
providers and health plans to produce a notice of information
practices. Health care clearinghouses are required to produce a notice
of information practices only to the extent the clearinghouse creates
or receives protected health information other than as a business
associate of a covered entity. See Sec. 164.500(b)(2). Two other types
of covered entities are not required to produce a notice: a
correctional institution that is a covered entity and a group health
plan that provides benefits only through one or more contracts of
insurance with health insurance issuers or HMOs.
We clarify in Sec. 164.504(d), however, that affiliated covered
entities under common ownership or control may designate themselves as
a single covered entity for purposes of this rule. An affiliated
covered entity is only required to produce a single notice.
In addition, covered entities that participate in an organized
health care arrangement--which could include hospitals and their
associated physicians--may choose to produce a single, joint notice, if
certain requirements are met. See Sec. 164.501 and the corresponding
preamble discussion of organized health care arrangements.
We clarify that each covered entity included in a joint notice must
meet the applicable distribution requirements. If any one of the
covered entities, however, provides the notice to a given individual,
the distribution requirement with respect to that individual is met for
all of the covered entities included in the joint notice. For example,
a covered hospital and its attending physicians may elect to produce a
joint notice. When an individual is first seen at the hospital, the
hospital must provide the individual with a copy of the joint notice.
Once the hospital has done so, the notice distribution requirement for
all of the attending physicians that provide treatment to the
individual at the hospital and that are included in the joint notice is
satisfied.
Comment: We solicited and received comments on whether to require
covered entities to obtain the individual's signature on the notice.
Some commenters suggested that requiring a signature would convey the
importance of the notice, would make it more likely that individuals
read the notice, and could have some of the same benefits of a consent.
They noted that at least one state already requires entities to make a
reasonable effort to obtain a signed notice. Other comments noted that
the signature would be useful for compliance and risk management
purposes because it would document that the individual had received the
notice.
The majority of commenters on this topic, however, argued that a
signed acknowledgment would be administratively burdensome,
inconsistent with the intent of the Administrative Simplification
requirements of HIPAA, impossible to achieve for incapacitated
individuals, difficult to achieve for covered entities that do not have
direct contact with patients, inconsistent with other notice
requirements under other laws, misleading to individuals who might
interpret their signature as an agreement, inimical to the concept of
permitting uses and disclosures without authorization, and an
insufficient substitute for authorization.
Response: We agree with the majority of commenters and do not
require covered entities to obtain the individual's signed
acknowledgment of receipt of the notice. We believe that we satisfied
most of the arguments in support of requiring a signature with the new
policy requiring covered health care providers with direct treatment
relationships to obtain a consent for uses and disclosures of protected
health information to carry out treatment, payment, and health care
operations. See Sec. 164.506 and the corresponding preamble discussion
of consent requirements. We note that this rule does not preempt other
applicable laws that require a signed notice and does not prohibit a
covered entity from requesting an individual to sign the notice.
Comment: Some commenters supported requiring covered entities to
adhere to their privacy practices, as described in their notice. They
argued that the notice is meaningless if a covered entity does not
actually have to follow the practices contained in its notice. Other
commenters were concerned that the rule would prevent a covered entity
from using or disclosing protected health information in otherwise
lawful and legitimate ways because of an intentional or inadvertent
omission from its published notice. Some of these commenters suggested
requiring the notice to include a description of some or all
disclosures that are required or permitted by law. Some commenters
stated that the adherence requirement should be eliminated because it
would generally inhibit covered entities' ability to innovate and would
be burdensome.
Response: We agree that the value of the notice would be
significantly diminished absent a requirement that covered entities
adhere to the statements they make in their notices. We therefore
retain the requirement for covered entities to adhere to the terms of
the notice. See Sec. 164.502(i).
Many of these commenters' concerns regarding a covered entity's
inability to use or disclose protected health information due to an
intentional or inadvertent omission from the notice are addressed in
our revisions to the proposed content requirements for the notice.
Rather than require covered entities to describe only those uses and
[[Page 82726]]
disclosures they anticipate making, as proposed, we require covered
entities to describe all uses and disclosures they are required or
permitted to make under the rule without the individual's consent or
authorization. We permit a covered entity to provide a statement that
it will disclose protected health information that is otherwise
required by law, as permitted in Sec. 164.512(a), without requiring
them to list all state laws that may require disclosure. Because the
notice must describe all legally permissible uses and disclosures, the
notice will not generally preclude covered entities from making any
uses or disclosures they could otherwise make without individual
consent or authorization. This change will also ensure that individuals
are aware of all possible uses and disclosures that may occur without
their consent or authorization, regardless of the covered entity's
current practices.
We encourage covered entities, however, to additionally describe
the more limited uses and disclosures they actually anticipate making
in order to give individuals a more accurate understanding of how
information about them will be shared. We expect that certain covered
entities will want to distinguish themselves on the basis of their
privacy protections. We note that a covered entity that chooses to
exercise this option must clearly state that, at a minimum, the covered
entity may make disclosures that are required by law and that are
necessary to avert a serious and imminent threat to health or safety.
Section 164.522--Rights To Request Privacy Protection for Protected
Health Information
Section 164.522(a)--Right of an Individual To Request Restriction of
Uses and Disclosures
Comment: Several commenters supported the language in the NPRM
regarding the right to request restrictions. One commenter specifically
stated that this is a balanced approach that addresses the needs of the
few who would have reason to restrict disclosures without negatively
affecting the majority of individuals. At least one commenter explained
that if we required consent or authorization for use and disclosure of
protected health information for treatment, payment, and health care
operations then we must also have a right to request restrictions of
such disclosure in order to make the consent meaningful.
Many commenters requested that we delete this provision, claiming
it would interfere with patient care, payment, and data integrity. Most
of the commenters that presented this position asserted that the
framework of giving patients control over the use or disclosure of
their information is contrary to good patient care because incomplete
medical records may lead to medical errors, misdiagnoses, or
inappropriate treatment decisions. Other commenters asserted that
covered entities need complete data sets on the populations they serve
to effectively conduct research and quality improvement projects and
that restrictions would hinder research, skew findings, impede quality
improvement, and compromise accreditation and performance measurement.
Response: We acknowledge that widespread restrictions on the use
and disclosure of protected health information could result in some
difficulties related to payment, research, quality assurance, etc.
However, in our efforts to protect the privacy of health information
about individuals, we have sought a balance in determining the
appropriate level of individual control and the smooth operation of the
health care system. In the final rule, we require certain covered
providers and permit all covered entities to obtain consent from
individuals for use and disclosure of protected health information for
treatment, payment, and health care operations (see Sec. 164.506). In
order to give individuals some control over their health information
for uses and disclosures of protected health information for treatment,
payment, and health care operations, we provide individuals with the
opportunity to request restrictions of such uses and disclosures.
Because the right to request restrictions encourages discussions
about how protected health information may be used and disclosed and
about an individual's concerns about such uses and disclosures, it may
improve communications between a provider and patient and thereby
improve care. According to a 1999 survey on the Confidentiality of
Medical Records by the California HealthCare Foundation, one out of
every six people engage in behavior to protect themselves from unwanted
disclosures of health information, such as lying to providers or
avoiding seeking care. This indicates that, without the ability to
request restrictions, individuals would have incentives to remain
silent about important health information that could have an effect on
their health and health care, rather than consulting a health care
provider.
Further, this policy is not a dramatic change from the status quo.
Today, many state laws restrict disclosures for certain types of health
information without patient's authorization. Even if there is no
mandated requirement to restrict disclosures of health information,
providers may agree to requests for restrictions of disclosures when a
patient expresses particular sensitivity and concern for the disclosure
of health information.
We agree that there may be instances in which a restriction could
negatively affect patient care. Therefore, we include protections
against this occurrence. First, the right to request restrictions is a
right of individuals to make the request. A covered entity may refuse
to restrict uses and disclosures or may agree only to certain aspects
of the individual's request if there is concern for the quality of
patient care in the future. For example, if a covered provider believes
that it is not in the patient's best medical interest to have such a
restriction, the provider may discuss the request for restriction with
the patient and give the patient the opportunity to explain the concern
for disclosure. Also, a covered provider who is concerned about the
implications on future treatment can agree to use and disclose
sensitive protected health information for treatment purposes only and
agree not to disclose information for payment and operation purposes.
Second, a covered provider need not comply with a restriction that has
been agreed to if the individual who requested the restriction is in
need of emergency treatment and the restricted protected health
information is needed to provide the emergency treatment. This
exception should limit the harm to health that may otherwise result
from restricting the use or disclosure of protected health information.
We encourage covered providers to discuss with individuals that the
information may be used or disclosed in emergencies. We require that
the covered entity that discloses restricted protected health
information in an emergency request that the health care provider that
receives such information not further use or re-disclose the
information.
Comment: Some health plans stated that an institutionalized right
to restrict can interfere with proper payment and can make it easier
for unscrupulous providers or patients to commit fraud on insurance
plans. They were concerned that individuals could enter into
restrictions with providers to withhold information to insurance
companies so that the insurance company would not know about certain
conditions when underwriting a policy.
[[Page 82727]]
Response: This rule does not enhance the ability of unscrupulous
patients or health care providers to engage in deceptive or fraudulent
withholding of information. This rule grants a right to request a
restriction, not an absolute right to restrict. Individuals can make
such requests today. Other laws criminalize insurance fraud; this
regulation does not change those laws.
Comment: One commenter asserted that patients cannot anticipate the
significance that one aspect of their medical information will have on
treatment of other medical conditions, and therefore, allowing them to
restrict use or disclosure of some information is contrary to the
patient's best interest.
Response: We agree that patients may find it difficult to make such
a calculus, and that it is incumbent on health care providers to help
them do so. Health care providers may deny requests for or limit the
scope of the restriction requested if they believe the restriction is
not in the patient's best interest.
Comment: One commenter asked whether an individual's restriction to
disclosure of information will be a bar to liability for misdiagnosis
or failure to diagnose by a covered entity who can trace its error back
to the lack of information resulting from such restriction.
Response: Decisions regarding liability and professional standards
are determined by state and other law. This rule does not establish or
limit liability for covered entities under those laws. We expect that
the individual's request to restrict the disclosure of their protected
health information would be considered in the decision of whether or
not a covered entity is liable.
Comment: One commenter requested that we allow health plans to deny
coverage or reimbursement when a covered health care provider's
agreement to restrict use or disclosure prevents the plan from getting
the information that is necessary to determine eligibility or coverage.
Response: In this rule, we do not modify insurers' rules regarding
information necessary for payment. We recognize that restricting the
disclosure of information may result in a denial of payment. We expect
covered providers to explain this possibility to individuals when
considering their requests for restrictions and to make alternative
payment arrangements with individuals if necessary.
Comment: Some commenters discussed the administrative burden and
cost of the requirement that individuals have the right to request
restrictions and that trying to segregate certain portions of
information for protection may be impossible. Others stated that the
administrative burden would make providers unable to accommodate
restrictions, and would therefore give patients false expectations that
their right to request restrictions may be acted upon. One commenter
expressed concern that large covered providers would have a
particularly difficult time establishing a policy whereby the covered
entity could agree to restrictions and would have an even more
difficult time implementing the restrictions since records may be kept
in multiple locations and accessed by multiple people within the
organization. Still other commenters believed that the right to request
restrictions would invite argument, delay, and litigation.
Response: We do not believe that this requirement is a significant
change from current practice. Providers already respond to requests by
patients regarding sensitive information, and are subject to state law
requirements not to disclose certain types of information without
authorization. This right to request is permissive so that covered
entities can balance the needs of particular individuals with the
entity's ability to manage specific accommodations.
Comment: Some commenters were concerned that a covered entity would
agree to a restriction and then realize later that the information must
be disclosed to another caregiver for important medical care purposes.
Response: Some individuals seek treatment only on the condition
that information about that treatment will not be shared with others.
We believe it is necessary and appropriate, therefore, that when a
covered provider agrees to such a restriction, the individual must be
able to rely on that promise. We strongly encourage covered providers
to consider future treatment implications of agreeing to a restriction.
We encourage covered entities to inform others of the existence of a
restriction when appropriate, provided that such notice does not amount
to a de facto disclosure of the restricted information. If the covered
provider subject to the restriction believes that disclosing the
protected health information that was created or obtained subject to
the restriction is necessary to avert harm (and it is not for emergency
treatment), the provider must ask the individual for permission to
terminate or modify the restriction. If the individual agrees to the
termination of the restriction, the provider must document this
termination by noting this agreement in the medical record or by
obtaining a written agreement of termination from the individual and
may use or disclose the information for treatment. If the individual
does not agree to terminate or modify the restriction, however, the
provider must continue to honor the restriction with respect to
protected health information that was created or received subject to
the restriction. We note that if the restricted protected health
information is needed to provide emergency treatment to the individual
who requested the restriction, the covered entity may use or disclose
such information for such treatment.
Comment: Commenters asked that we require covered entities to keep
an accounting of the requests for restrictions and to report this
information to the Department in order for the Department to determine
whether covered entities are showing ``good faith'' in dealing with
these requests.
Response: We require that covered entities that agree to
restrictions with individuals document such restrictions. A covered
entity must retain such documentation for six years from the date of
its creation or the date when it last was in effect, whichever is
later. We do not require covered entities to keep a record of all
requests made, including those not agreed to, nor that they report such
requests to the Department. The decision to agree to restrictions is
that of the covered entity. Because there is no requirement to agree to
a restriction, there is no reason to impose the burden to document
requests that are denied. Any reporting requirement could undermine the
purpose of this provision by causing the sharing, or appearance of
sharing, of information for which individuals are seeking extra
protection.
Comment: One commenter asserted that providers that currently allow
such restrictions will choose not to do so under the rule based on the
guidance of legal counsel and loss prevention managers, and suggested
that the Secretary promote competition among providers with respect to
privacy by developing a third-party ranking mechanism.
Response: We believe that providers will do what is best for their
patients, in accordance with their ethics codes, and will continue to
find ways to accommodate requested restrictions when they believe that
it is in the patients' best interests. We anticipate that providers who
find such action to be of commercial benefit will notify consumers of
their willingness to be responsive to such requests. Involving third
parties could undermine the purpose of this provision, by causing the
sharing, or appearance of sharing, of information for which individuals
are seeking extra protection.
[[Page 82728]]
Comment: One commenter said that any agreement regarding patient-
requested restrictions should be in writing before a covered provider
would be held to standards for compliance.
Response: We agree that agreed to restrictions must be documented
in writing, and we require that covered entities that agree to
restrictions document those restrictions in accordance with
Sec. 164.530(j). The writing need not be formal; a notation in the
medical record will suffice. We disagree with the request that an
agreed to restriction be reduced to writing in order to be enforced. If
we adopted the requested policy, a covered entity could agree to a
restriction with an individual, but avoid being held to this agreed to
restriction under the rule by failing to document the restriction. This
would give a covered entity the opportunity to agree to a restriction
and then, at its sole discretion, determine if it is enforceable by
deciding whether or not to make a note of the restriction in the record
about the individual. Because the covered entity has the ability to
agree or fail to agree to a restriction, we believe that once the
restriction is agreed to, the covered entity must honor the agreement.
Any other result would be deceptive to the individual and could lead an
individual to disclose health information under the assumption that the
uses and disclosures will be restricted. Under Sec. 164.522, a covered
entity could be found to be in violation of the rule if it fails to put
an agreed-upon restriction in writing and also if it uses or discloses
protected health information inconsistent with the restriction.
Comment: Some commenters said that the right to request
restrictions should be extended to some of the uses and disclosures
permitted without authorization in Sec. 164.510 of the NPRM, such as
disclosures to next of kin, for judicial and administrative
proceedings, for law enforcement, and for governmental health data
systems. Other commenters said that these uses and disclosures should
be preserved without an opportunity for individuals to opt out.
Response: We have not extended the right to request restrictions
under this rule to disclosures permitted in Sec. 164.512 of the final
rule. However, we do not preempt other law that would enforce such
agreed-upon restrictions. As discussed in more detail, above, we have
extended the right to request restrictions to disclosures to persons
assisting in the individual's care, such as next of kin, under
Sec. 164.510(b). Any restriction that a covered entity agrees to with
respect to persons assisting in the individual's care in accordance
with the rule will be enforceable under the rule.
Comment: A few commenters raised the question of the effect of a
restriction agreed to by one covered entity that is part of a larger
covered entity, particularly a hospital. Commenters were also concerned
about who may speak on behalf of the covered entity.
Response: All covered entities are required to establish policies
and procedures for providing individuals the right to request
restrictions, including policies for who may agree to such restrictions
on the covered entity's behalf. Hospitals and other large entities that
are concerned about employees agreeing to restrictions on behalf of the
organization will have to make sure that their policies are
communicated appropriately to those employees. The circumstances under
which members of a covered entity's workforce can bind the covered
entity are a function of other law, not of this regulation.
Comment: Commenters expressed confusion about the intended effect
of any agreed-upon restrictions on downstream covered entities. They
asserted that it would be extremely difficult for a requested
restriction to be followed through the health care system and that it
would be unfair to hold covered entities to a restriction when they did
not agree to such restriction. Specifically, commenters asked whether a
covered provider that receives protected health information in
compliance with this rule from a physician or medical group that has
agreed to limit certain uses of the information must comply with the
original restriction. Other commenters expressed concern that not
applying a restriction to downstream covered entities is a loophole and
that all downstream covered providers and health plans should be bound
by the restrictions.
Response: Under the final rule, a restriction that is agreed to
between an individual and a covered entity is only binding on the
covered entity that agreed to the restriction and not on downstream
entities. It would also be binding on any business associate of the
covered entity since a business associate can not use or disclose
protected health information in any manner that a covered entity would
not be permitted to use or disclose such information. We realize that
this may limit the ability of an individual to successfully restrict a
use or disclosure under all circumstances, but we take this approach
for two reasons. First, we allow covered entities to refuse
individuals' requests for restrictions. Requiring downstream covered
entities to abide by a restriction would be tantamount to forcing them
to agree to a request to which they otherwise may not have agreed.
Second, some covered entities have information systems which will allow
them to accommodate such requests, while others do not. If the
downstream provider is in the latter category, the administrative
burden of such a requirement would be unmanageable.
We encourage covered entities to explain this limitation to
individuals when they agree to restrictions, so individuals will
understand that they need to ask all their health plans and providers
for desired restrictions. We also require that a covered entity that
discloses protected health information to a health care provider for
emergency treatment, in accordance with Sec. 164.522 (a)(iii), to
request that the recipient not further use or disclose the information.
Comment: One commenter requested that agreed-to restrictions of a
covered entity not be applied to business associates.
Response: As stated in Sec. 164.504(e)(2), business associates are
acting on behalf of, or performing services for, the covered entity and
may not, with two narrow exceptions, use or disclose protected health
information in a manner that would violate this rule if done by the
covered entity. Business associates are agents of the covered entity
with respect to protected health information they obtain through the
business relationship. If the covered entity agrees to a restriction
and, therefore, is bound to such restriction, the business associate
will also be required to comply with the restriction. If the covered
entity has agreed to a restriction, the satisfactory assurances from
the business associate, as required in Sec. 164.504(e), must include
assurances that protected health information will not be used or
disclosed in violation of an agreed to restriction.
Comment: One commenter requested clarification that the right to
request restrictions cannot be used to restrict the creation of de-
identified information.
Response: We found no reason to treat the use of protected health
information to create de-identified information different from other
uses of protected health information. The right to request restriction
applies to any use or disclosure of protected health information to
carry out treatment, payment, or health care operations. If the covered
entity uses protected health information to create de-identified
information, the covered entity need not agree to a restriction of this
use.
[[Page 82729]]
Comment: Some commenters stated that individuals should be given a
true right to restrict uses and disclosures of protected health
information in certain defined circumstances (such as for sensitive
information) rather than a right to request restrictions.
Response: We are concerned that a right to restrict could create
conflicts with the professional ethical obligations of providers and
others. We believe it is better policy to allow covered entities to
refuse to honor restrictions that they believe are not appropriate and
leave the individual with the option of seeking service from a
different covered entity. In addition, many covered entities have
information systems that would make it difficult or impossible to
accommodate certain restrictions.
Comment: Some commenters requested that self-pay patients have
additional rights to restrict protected health information. Others
believed that this policy would result in de facto discrimination
against those patients that could not afford to pay out-of-pocket.
Response: Under the final rule, the decision whether to tie an
agreement to restrict to the way the individual pays for services is
left to each covered entity. We have not provided self-pay patients
with any special rights under the rule.
Comment: Some commenters suggested that we require restrictions to
be clearly noted so that insurers and other providers would be aware
that they were not being provided with complete information.
Response: Under the final rule, we do not require or prohibit a
covered entity to note the existence of an omission of information. We
encourage covered entities to inform others of the existence of a
restriction, in accordance with professional practice and ethics, when
appropriate to do so. In deciding whether or not to disclose the
existence of a restriction, we encourage the covered entity to
carefully consider whether disclosing the existence is tantamount to
disclosure of the restricted protected health information so as to not
violate the agreed to restriction.
Comment: A few commenters said that covered entities should have
the right to modify or revoke an agreement to restrict use or
disclosure of protected health information.
Response: We agree that, as circumstances change, covered entities
should be able to revisit restrictions to which they had previously
agreed. At the same time, individuals should be able to rely on
agreements to restrict the use or disclosure of information that they
believe is particularly sensitive. If a covered entity would like to
revoke or modify an agreed-upon restriction, the covered entity must
renegotiate the agreement with the individual. If the individual agrees
to modify or terminate the restriction, the covered entity must get
written agreement from the individual or must document the oral
agreement. If the individual does not agree to terminate or modify the
restriction, the covered entity must inform the individual that it is
modifying or terminating its agreement to the restriction and any
modification or termination would apply only with respect to protected
health information created or received after the covered entity
informed the individual of the termination. Any protected health
information created or received during the time between when the
restriction was agreed to and when the covered entity informed the
individual or such modification or termination remains subject to the
restriction.
Comment: Many commenters advocated for stronger rights to request
restrictions, particularly that victims of domestic violence should
have an absolute right to restrict disclosure of information.
Response: We address restrictions for disclosures in two different
ways, the right to request restrictions (Sec. 164.522(a)) and
confidential communications (Sec. 164.522(b)). We have provided all
individuals with a right to request restrictions on uses or disclosures
of treatment, payment, and health care operations. This is not an
absolute right to restrict. Covered entities are not required to agree
to requested restrictions; however, if they do, the rule would require
them to act in accordance with the restrictions. (See the preamble
regarding Sec. 164.522 for a more comprehensive discussion of the right
to request restrictions.)
In the final rule, we create a new provision that provides
individuals with a right to confidential communications, in response to
these comments. This provision grants individuals with a right to
restrict disclosures of information related to communications made by a
covered entity to the individual, by allowing the individual to request
that such communications be made to the person at an alternative
location or by an alternative means. For example, a woman who lives
with an abusive man and is concerned that his knowledge of her health
care treatment may lead to additional abuse can request that any mail
from the provider be sent to a friend's home or that telephone calls by
a covered provider be made to her at work. Other reasonable
accommodations may be requested as well, such as requesting that a
covered provider never contact the individual by a phone, but only
contact her by electronic mail. A provider must accommodate an
individual's request for confidential communications, under this
section, without requiring an explanation as to the reason for the
request as a condition of accommodating the request. The individual
does not need to be in an abusive situation to make such requests of a
covered provider. The only conditions that a covered provider may place
on an individual is that the request be reasonable with respect to the
administrative burden on the provider, the request to be in writing,
the request specify an alternative address or other method of contact,
and that (where relevant) the individual provide information about how
payment will be handled. What is reasonable may vary by the size or
type of covered entity; however, additional modest cost to the provider
would not be unreasonable.
An individual also has a right to restrict communications from a
health plan. The right is the same as with covered providers except it
is limited to cases where the disclosure of information could endanger
the individual. A health plan may require an individual to state this
fact as a condition of accommodating the individual's request for
confidential communications. This would provide victims of domestic
violence the right to control such disclosures.
Comment: Commenters opposed the provision of the NPRM
(Sec. 164.506(c)(1)(ii)(B)) stating that an individual's right to
request restrictions on use or disclosure of protected health
information would not apply in emergency situations as set forth in
proposed Sec. 164.510(k). Commenters asserted that victims who have
been harmed by violence may first turn to emergency services for help
and that, in such situations, the victim should be able to request that
the perpetrator not be told of his or her condition or whereabouts.
Response: We agree with some of the commenters' concerns. In the
final rule, the right to request restrictions is available to all
individuals regardless of the circumstance or the setting in which the
individual is obtaining care. For example, an individual that seeks
care in an emergency room has the same right to request a restriction
as an individual seeking care in the office of a covered physician.
However, we continue to permit a covered entity to disclose
protected health information to a health care
[[Page 82730]]
provider in an emergency treatment situation if the restricted
protected health information is needed to provide the emergency
treatment or if the disclosure is necessary to avoid serious and
imminent threats to public health and safety. Although we understand
the concern of the commenters, we believe that these exceptions are
limited and will not cause a covered entity to disclose information to
a perpetrator of a crime. We are concerned that a covered provider
would be required to delay necessary care if a covered entity had to
determine if a restriction exists at the time of such emergency. Even
if a covered entity knew that there was a restriction, we permitted
this limited exception for emergency situations because, as we had
stated in the preamble for Sec. 164.506 of the NPRM, an emergency
situation may not provide sufficient opportunity for a patient and
health care provider to discuss the potential implications of
restricting use and disclosure of protected health information on that
emergency. We also believe that the importance of avoiding serious and
imminent threats to health and safety and the ethical and legal
obligations of covered health care providers' to make disclosures for
these purposes is so significant that it is not appropriate to apply
the right to request restrictions on such disclosures.
We note that we have included other provisions in the final rule
intended to avoid or minimize harm to victims of domestic violence.
Specifically, we include provisions in the final rule that allow
individuals to opt out of certain types of disclosures and require
covered entities to use professional judgment to determine whether
disclosure of protected health information is in a patient's best
interest (see Sec. 164.510(a) on use and disclosure for facility
directories and Sec. 164.510(b) on uses and disclosures for assisting
in an individual's care and notification purposes). Although an agreed
to restriction under Sec. 164.522 would apply to uses and disclosures
for assisting in an individual's care, the opt out provision in
Sec. 164.510(b) can be more helpful to a person who is a victim of
domestic violence because the individual can opt out of such disclosure
without obtaining the agreement of the covered provider. We permit a
covered entity to elect not to treat a person as a personal
representative (see Sec. 164.502(g)) or to deny access to a personal
representative (see Sec. 164.524(a)(3)(iii)) where there are concerns
related to abuse. We also include a new Sec. 164.512(c) which
recognizes the unique circumstances surrounding disclosure of protected
health information about victims of abuse, neglect, and domestic
violence.
Section 164.522(b)--Confidential Communications Requirements
Comment: Several commenters requested that we add a new section to
prevent disclosure of sensitive health care services to members of the
patient's family through communications to the individual's home, such
as appointment notices, confirmation or scheduling of appointments, or
mailing a bill or explanation of benefits, by requiring covered
entities to agree to correspond with the patient in another way. Some
commenters stated that this is necessary in order to protect
inadvertent disclosure of sensitive information and to protect victims
of domestic violence from disclosure to an abuser. A few commenters
suggested that a covered entity should be required to obtain an
individual's authorization prior to communicating with the individual
at the individual's home with respect to health care relating to
sensitive subjects such as reproductive health, sexually transmissible
diseases, substance abuse or mental health.
Response: We agree with commenters' concerns regarding covered
entities' communications with individuals. We created a new provision,
Sec. 164.522(b), to address confidential communications by covered
entities. This provision gives individuals the right to request that
they receive communications from covered entities at an alternative
address or by an alternative means, regardless of the nature of the
protected health information involved. Covered providers are required
to accommodate reasonable requests by individuals and may not require
the individual to explain the basis for the request as a condition of
accommodation. Health plans are required to accommodate reasonable
requests by individuals as well; however, they may require the
individual to provide a statement that disclosure of the information
could endanger the individual, and they may condition the accommodation
on the receipt of such statement.
Under the rule, we have required covered providers to accommodate
requests for communications to alternative addresses or by alternative
means, regardless of the reason, to limit risk of harm. Providers have
more frequent one-on-one communications with patients, making the
safety concerns from an inadvertent disclosure more substantial and the
need for confidential communications more compelling. We have made the
requirement for covered providers absolute and not contingent on the
reason for the request because we wanted to make it relatively easy for
victims of domestic violence, who face real safety concerns by
disclosures of health information, to limit the potential for such
disclosures.
The standard we created for health plans is different from the
requirement for covered providers, in that we only require health plans
to make requested accommodations for confidential communications when
the individual asserts that disclosure could be dangerous to the
individual. We address health plan requirements in this way because
health plans are often issued to a family member (the employee), rather
than to each individual member of a family, and therefore, health plans
tend to communicate with the named insured rather than with individual
family members. Requiring plans to accommodate a restriction for one
individual could be administratively more difficult than it is for
providers that regularly communicate with individuals. However, in the
case of domestic violence or potential abuse, the level of harm that
can result from a disclosure of protected health information tips the
balance in favor of requiring such restriction to prevent inadvertent
disclosure. We have adopted the policy recommended by the National
Association of Insurance Commissioners in the Health Information Policy
Model Act (1998) as this best reflects the balance of the appropriate
level of regulation of the industry compared with the need to protect
individuals from harm that may result from inadvertent disclosure of
information. This policy is also consistent with recommendations made
in the Family Violence Prevention Fund's publication ``Health Privacy
Principles for Protecting Victims of Domestic Violence'' (October
2000). Of course, health plans may accommodate requests for
confidential communications without requiring a statement that the
individual would be in danger from disclosure of protected health
information.
Comment: One commenter requested that we create a standard that all
information from a health plan be sent to the patient and not the
policyholder or subscriber.
Response: We require health plans to accommodate certain requests
that information not be sent to a particular location or by particular
means. A health plan must accommodate reasonable requests by
individuals that protected health information about them be sent
directly to them and not to a policyholder or subscriber, if the
[[Page 82731]]
individual states that he or she may be in danger from disclosure of
such information. We did not generally require health plans to send
information to the patient and not the policyholder or subscriber
because we believed it would be administratively burdensome and because
the named insured may have a valid need for such information to manage
payment and benefits.
Sensitive Subjects
Comment: Many commenters requested that additional protections be
placed on sensitive information, including information regarding HIV/
AIDS, sexually transmitted diseases, mental health, substance abuse,
reproductive health, and genetics. Many requested that we ensure the
regulation adequately protects victims of domestic violence. They
asserted that the concern for discrimination or stigma resulting from
disclosure of sensitive health information could dissuade a person from
seeking needed treatment. Some commenters noted that many state laws
provide additional protections for various types of information. They
requested that we develop federal standards to have consistent rules
regarding the protection of sensitive information to achieve the goals
of cost savings and patient protection. Others requested that we
require patient consent or special authorization before certain types
of sensitive information was disclosed, even for treatment, payment,
and health care operations, and some thought we should require a
separate request for each disclosure. Some commenters requested that
the right to request restrictions be replaced with a requirement for an
authorization for specific types of sensitive information. There were
recommendations that we require covered entities to develop internal
policies to address sensitive information.
Other commenters argued that sensitive information should not be
segregated from the record because it may limit a future provider's
access to information necessary for treatment of the individual and it
could further stigmatize a patient by labeling him or her as someone
with sensitive health care issues. These commenters further maintained
that segregation of particular types of information could negatively
affect analysis of community needs, research, and would lead to higher
costs of health care delivery.
Response: We generally do not differentiate among types of
protected health information, because all health information is
sensitive. The level of sensitivity varies not only with the type of
information, but also with the individual and the particular situation
faced by the individual. This is demonstrated by the different types of
information that commenters singled out as meriting special protection,
and in the great variation among state laws in defining and protecting
sensitive information. Most states have a law providing heightened
protection for some type of health information. However, even though
most states have considered the issue of sensitive information, the
variation among states in the type of information that is specially
protected and the requirements for permissible disclosure of such
information demonstrates that there is no national consensus.
Where, as in this case, most states have acted and there is no
predominant rule that emerges from the state experience with this
issue, we have decided to let state law predominate. The final rule
only provides a floor of protection for health information and does not
preempt state laws that provide greater protection than the rule. Where
states have decided to treat certain information as more sensitive than
other information, we do not preempt those laws.
To address the variation in the sensitivity of protected health
information without defining specially sensitive information, we
incorporate opportunities for individuals and covered entities to
address specific sensitivities and concerns about uses and disclosures
of certain protected health information that the patient and provider
believe are particularly sensitive, as follows:
Covered entities are required to provide individuals with
notice of their privacy practices and give individuals the opportunity
to request restrictions of the use and disclosure of protected health
information by the covered entity. (See Sec. 164.522(a) regarding right
to request restrictions.)
Individuals have the right to request, and in some cases
require, that communications from the covered entity to them be made to
an alternative address or by an alternative means than the covered
entity would otherwise use. (See Sec. 164.522(b) regarding confidential
communications.)
Covered entities have the opportunity to decide not to
treat a person as a personal representative when the covered entity has
a reasonable belief that an individual has been subjected to domestic
violence, abuse, or neglect by such person or that treating such person
as a personal representative could endanger the individual. (See
Sec. 164.502(g)(5) regarding personal representatives.)
Covered entities may deny access to protected health
information when there are concerns that the access may result in
varying levels of harm. (See Sec. 164.524(a)(3) regarding denial of
access.)
Covered health care providers may, in some circumstances
and consistent with any known prior preferences of the individual,
exercise professional judgment in the individual's best interest to not
disclose directory information. (See Sec. 164.510(a) regarding
directory information.)
Covered entities may, in some circumstances, exercise
professional judgment in the individual's best interest to limit
disclosure to persons assisting in the individual's care. (See
Sec. 164.510(b) regarding persons assisting in the individual's care.)
This approach allows for state law and personal variation in this
area.
The only type of protected health information that we treat with
heightened protection is psychotherapy notes. We provide a different
level of protection because they are unique types of protected health
information that typically are not used or required for treatment,
payment, or health care operations other than by the mental health
professional that created the notes. (See Sec. 164.508(a)(2) regarding
psychotherapy notes.)
Section 164.524--Access of Individuals to Protected Health
Information
Comment: Some commenters recommended that there be no access to
disease registries.
Response: Most entities that maintain disease registries are not
covered entities under this regulation; examples of such non-covered
entities are public health agencies and pharmaceutical companies. If,
however, a disease registry is maintained by a covered entity and is
used to make decisions about individuals, this rule requires the
covered entity to provide access to information about a requesting
individual unless one of the rule's conditions for denial of access is
met. We found no persuasive reasons why disease registries should be
given special treatment compared with other information that may be
used to make decisions about an individual.
Comment: Some commenters stated that covered entities should be
held accountable for access to information held by business partners so
that individuals would not have the burden of tracking down their
protected health information from a business partner. Many commenters,
including insurers
[[Page 82732]]
and academic medical centers, recommended that, to reduce burden and
duplication, only the provider who created the protected health
information should be required to provide individuals access to the
information. Commenters also asked that other entities, including
business associates, the Medicare program, and pharmacy benefit
managers, not be required to provide access, in part because they do
not know what information the covered entity already has and they may
not have all the information requested. A few commenters also argued
that billing companies should not have to provide access because they
have a fiduciary responsibility to their physician clients to maintain
the confidentiality of records.
Response: A general principle in responding to all of these points
is that a covered entity is required to provide access to protected
health information in accordance with the rule regardless of whether
the covered entity created such information or not. Thus, we agree with
the first point: in order to meet its requirements for providing
access, a covered entity must not only provide access to such protected
health information it holds, but must also provide access to such
information in a designated record set of its business associate,
pursuant to its business associate contract, unless the information is
the same as information maintained directly by the covered entity. We
require this because an individual may not be aware of business
associate relationships. Requiring an individual to track down
protected health information held by a business associate would
significantly limit access. In addition, we do not permit a covered
entity to limit its duty to provide access by giving protected health
information to a business associate.
We disagree with the second point: if the individual directs an
access request to a covered entity that has the protected health
information requested, the covered entity must provide access (unless
it may deny access in accordance with this rule). In order to assure
that an individual can exercise his or her access rights, we do not
require the individual to make a separate request to each originating
provider. The originating provider may no longer be in business or may
no longer have the information, or the non-originating provider may
have the information in a modified or enhanced form.
We disagree with the third point: other entities must provide
access only if they are covered entities or business associates of
covered entities, and they must provide access only to protected health
information that they maintain (or that their business associates
maintain). It would not be efficient to require a covered entity to
compare another entity's information with that of the entity to which
the request was addressed. (See the discussion regarding covered
entities for information about whether a pharmacy benefit manager is a
covered entity.)
We disagree with the fourth point: a billing company will be
required by its business associate contract only to provide the
requested protected health information to its physician client. This
action will not violate any fiduciary responsibility. The physician
client would in turn be required by the rule to provide access to the
individual.
Comment: Some commenters asked for clarification that the
clearinghouse function of turning non-standardized data into
standardized data does not create non-duplicative data and that
``duplicate'' does not mean ``identical.'' A few commenters suggested
that duplicated information in a covered entity's designated record set
be supplied only once per request.
Response: We consider as duplicative information the same
information in different formats, media, or presentations, or which
have been standardized. Business associates who have materially altered
protected health information are obligated to provide individuals
access to it. Summary information and reports, including those of lab
results, are not the same as the underlying information on which the
summaries or reports were based. A clean document is not a duplicate of
the same document with notations. If the same information is kept in
more than one location, the covered entity has to produce the
information only once per request for access.
Comment: A few commenters suggested requiring covered entities to
disclose to third parties without exception at the requests of
individuals. It was argued that this would facilitate disability
determinations when third parties need information to evaluate
individuals' entitlement to benefits. Commenters argued that since
covered entities may deny access to individuals under certain
circumstances, individuals must have another method of providing third
parties with their protected health information.
Response: We allow covered entities to forward protected health
information about an individual to a third party, pursuant to the
individual's authorization under Sec. 164.508. We do not require
covered entities to disclose information pursuant to such
authorizations because the focus of the rule is privacy of protected
health information. Requiring disclosures in all circumstances would be
counter to this goal. In addition, a requirement of disclosing
protected health information to a third party is not a necessary
substitute for the right of access to individuals, because we allow
denial of access to individuals under rare circumstances. However, if
the third party is a personal representative of the individual in
accordance with Sec. 164.502(g) and there is no concern regarding abuse
or harm to the individual or another person, we require the covered
entity to provide access to that third party on the individual's
behalf, subject to specific limitations. We note that a personal
representative may obtain access on the individual's behalf in some
cases where covered entity may deny access to the individual. For
example, an inmate may be denied a copy of protected health
information, but a personal representative may be able to obtain a copy
on the individual's behalf. See Sec. 164.502(g) and the corresponding
preamble discussion regarding the ability of a personal representative
to act on an individual's behalf.
Comment: The majority of commenters supported granting individuals
the right to access protected health information for as long as the
covered entity maintains the protected health information; commenters
argued that to do otherwise would interfere with existing record
retention laws. Some commenters advocated for limiting the right to
information that is less than one or two years old. A few commenters
explained that frequent changes in technology makes it more difficult
to access stored data. The commenters noted that the information
obtained prior to the effective date of the rule should not be required
to be accessible.
Response: We agree with the majority of commenters and retain the
proposal to require covered entities to provide access for as long as
the entity maintains the protected health information. We do not agree
that information created prior to the effective date of the rule should
not be accessible. The reasons for granting individuals access to
information about them do not vary with the date the information was
created.
Comment: A few commenters argued that there should be no grounds
for denying access, stating that individuals should always have the
right to inspect and copy their protected health information.
[[Page 82733]]
Response: While we agree that in the vast majority of instances
individuals should have access to information about them, we cannot
agree that a blanket rule would be appropriate. For example, where a
professional familiar with the particular circumstances believes that
providing such access is likely to endanger a person's life or physical
safety, or where granting such access would violate the privacy of
other individuals, the benefits of allowing access may not outweigh the
harm. Similarly, we allow denial of access where disclosure would
reveal the source of confidential information because we do not want to
interfere with a covered entity's ability to maintain implicit or
explicit promises of confidence.
We create narrow exceptions to the rule of open access, and we
expect covered entities to employ these exceptions rarely, if at all.
Moreover, we require covered entities to provide access to any
protected health information requested after excluding only the
information that is subject to a denial. The categories of permissible
denials are not mandatory, but are a means of preserving the
flexibility and judgment of covered entities under appropriate
circumstances.
Comment: Many commenters supported our proposal to allow covered
entities to deny an individual access to protected health information
if a professional determines either that such access is likely to
endanger the life or physical safety of a person or, if the information
is about another person, access is reasonably likely to cause
substantial harm to such person.
Some commenters requested that the rule also permit covered
entities to deny a request if access might be reasonably likely to
cause psychological or mental harm, or emotional distress. Other
commenters, however, were particularly concerned about access to mental
health information, stating that the lack of access creates resentment
and distrust in patients.
Response: We disagree with the comments suggesting that we expand
the grounds for denial of access to an individual to include a
likelihood of psychological or mental harm of the individual. We did
not find persuasive evidence that this is a problem sufficient to
outweigh the reasons for providing open access. We do allow a denial
for access based on a likelihood of substantial psychological or mental
harm, but only if the protected health information includes information
about another person and the harm may be inflicted on such other person
or if the person requesting the access is a personal representative of
the individual and the harm may be inflicted on the individual or
another person.
We generally agree with the commenters concerns that denying access
specifically to mental health records could create distrust. To balance
this concern with other commenters' concerns about the potential for
psychological harm, however, we exclude psychotherapy notes from the
right of access. This is the only distinction we make between mental
health information and other types of protected health information in
the access provisions of this rule. Unlike other types of protected
health information, these notes are not widely disseminated through the
health care system. We believe that the individual's privacy interests
in having access to these notes, therefore, are outweighed by the
potential harm caused by such access. We encourage covered entities
that maintain psychotherapy notes, however, to provide individuals
access to these notes when they believe it is appropriate to do so.
Comment: Some commenters believed that there is a potential for
abuse of the provision allowing denial of access because of likely harm
to self. They questioned whether there is any experience from the
Privacy Act of 1974 to suggest that patients who requested and received
their records have ever endangered themselves as a result.
Response: We are unaware of such problems from access to records
that have been provided under the Privacy Act but, since these are
private matters, such problems might not come to our attention. We
believe it is more prudent to preserve the flexibility and judgment of
health care professionals familiar with the individuals and facts
surrounding a request for records than to impose the blanket rule
suggested by these commenters.
Comment: Commenters asserted that the NPRM did not adequately
protect vulnerable individuals who depend on others to exercise their
rights under the rule. They requested that the rule permit a covered
entity to deny access when the information is requested by someone
other than the subject of the information and, in the opinion of a
licensed health care professional, access to the information could harm
the individual or another person.
Response: We agree with the commenters that such protection is
warranted and add a provision in Sec. 164.524(a)(3), which permits a
covered health care provider to deny access if a personal
representative of the individual is making the request for access and a
licensed health care professional has determined, in the exercise of
professional judgment, that providing access to such personal
representative could result in substantial harm to the individual or
another person. Access can be denied even if the potential harm may be
inflicted by someone other than the personal representative.
This provision is designed to strike a balance between the
competing interests of ensuring access to protected health information
and protecting the individual or others from harm. The ``substantial
harm'' standard will ensure that a covered entity cannot deny access in
cases where the harm is de minimus.
The amount of discretion that a covered entity has to deny access
to a personal representative is generally greater than the amount of
discretion that a covered entity has to deny access to an individual.
Under the final rule, a covered entity may deny access to an individual
if a licensed health care professional determines that the access
requested is reasonably likely to endanger the life or physical safety
of the individual or another person. In this case, concerns about
psychological or emotional harm would not be sufficient to justify
denial of access. We establish a relatively high threshold because we
want to assure that individuals have broad access to health information
about them, and due to the potential harm that comes from denial of
access, we believe denials should be permitted only in limited
circumstances.
The final rule grants covered entities greater discretion to deny
access to a personal representative than to an individual in order to
provide protection to those vulnerable people who depend on others to
exercise their rights under the rule and who may be subjected to abuse
or neglect. This provision applies to personal representatives of
minors as well as other individuals. The same standard for denial of
access on the basis of potential harm that applies to personal
representatives also applies when an individual is seeking access to
his or her protected health information, and the information makes
reference to another person. Under these circumstances, a covered
entity may deny a request for access if such access is reasonably
likely to cause substantial harm to such other person. The standard for
this provision and for the provision regarding access by personal
representatives is the same because both circumstances involve one
person obtaining information about another person, and in both cases
the covered entity is balancing the right of access of one person
against the right of
[[Page 82734]]
a second person not to be harmed by the disclosure.
Under any of these grounds for denial of access to protected health
information, the covered entity is not required to deny access to a
personal representative under these circumstances, but has the
discretion to do so.
In addition to denial of access rights, we also address the
concerns raised by abusive or potentially abusive situations in the
section regarding personal representatives by giving covered entities
discretion to not recognize a person as a personal representative of an
individual if the covered entity has a reasonable belief that the
individual has been subjected to domestic violence, abuse, or neglect
by or would be in danger from a person seeking to act as the personal
representative. (See Sec. 164.502(g))
Comment: A number of commenters were concerned that this provision
would lead to liability for covered entities if the release of
information results in harm to individuals. Commenters requested a
``good faith'' standard in this provision to relieve covered entities
of liability if individuals suffer harm as a result of seeing their
protected health information or if the information is found to be
erroneous. A few commenters suggested requiring providers (when
applicable) to include with any disclosure to a third party a statement
that, in the provider's opinion, the information should not be
disclosed to the patient.
Response: We do not intend to create a new duty to withhold
information nor to affect other laws on this issue. Some state laws
include policies similar to this rule, and we are not aware of
liability arising as a result.
Comment: Some commenters suggested that both the individual's
health care professional and a second professional in the relevant
field of medicine should review each request. Many commenters suggested
that individuals have a right to have an independent review of any
denial of access, e.g., review by a health care professional of the
individual's choice.
Response: We agree with the commenters who suggest that denial on
grounds of harm to self or others should be determined by a health
professional, and retain this requirement in the final rule. We
disagree, however, that all denials should be reviewed by a
professional of the individual's choice. We are concerned that the
burden such a requirement would place on covered entities would be
significantly greater than any benefits to the individual. We believe
that any health professional, not just one of the individual's choice,
will exercise appropriate professional judgment. To address some of
these concerns, however, we add a provision for the review of denials
requiring the exercise of professional judgment. If a covered entity
denies access based on harm to self or others, the individual has the
right to have the denial reviewed by another health care professional
who did not participate in the original decision to deny access.
Comment: A few commenters objected to the proposal to allow covered
entities to deny a request for access to health information if the
information was obtained from a confidential source that may be
revealed upon the individual's access. They argued that this could be
subject to abuse and the information could be inherently less reliable,
making the patient's access to it even more important.
Response: While we acknowledge that information provided by
confidential sources could be inaccurate, we are concerned that
allowing unfettered access to such information could undermine the
trust between a health care provider and patients other than the
individual. We retain the proposed policy because we do not want to
interfere with a covered entity's ability to obtain important
information that can assist in the provision of health care or to
maintain implicit or explicit promises of confidence, which may be
necessary to obtain such information. We believe the concerns raised
about abuse are mitigated by the fact that the provision does not apply
to promises of confidentiality made to a health care provider. We note
that a covered entity may provide access to such information.
Comment: Some commenters were concerned that the NPRM did not allow
access to information unrelated to treatment, and thus did not permit
access to research information.
Response: In the final rule, we eliminate the proposed special
provision for ``research information unrelated to treatment.'' The only
restriction on access to research information in this rule applies
where the individual agrees in advance to denial of access when
consenting to participate in research that includes treatment. In this
circumstance, the individual's right of access to protected health
information created in the course of the research may be suspended for
as long as the research is in progress, but access rights resume after
such time. In other instances, we make no distinction between research
information and other information in the access provisions in this
rule.
Comment: A few commenters supported the proposed provision
temporarily denying access to information obtained during a clinical
trial if participants agreed to the denial of access when consenting to
participate in the trial. Some commenters believed there should be no
access to any research information. Other commenters believed denial
should occur only if the trial would be compromised. Several
recommended conditioning the provision. Some recommended that access
expires upon completion of the trial unless there is a health risk. A
few commenters suggested that access should be allowed only if it is
included in the informed consent and that the informed consent should
note that some information may not be released to the individual,
particularly research information that has not yet been validated.
Other commenters believed that there should be access if the research
is not subject to IRB or privacy board review or if the information can
be disclosed to third parties.
Response: We agree with the commenters that support temporary
denial of access to information from research that includes treatment
if the subject has agreed in advance, and with those who suggested that
the denial of access expire upon completion of the research, and retain
these provisions in the final rule. We disagree with the commenters who
advocate for further denial of this information. These comments did not
explain why an individual's interest in access to health information
used to make decisions about them is less compelling with respect to
research information. Under this rule, all protected health information
for research is subject either to privacy board or IRB review unless a
specific authorization to use protected health information for research
is obtained from the individual. Thus, this is not a criterion we can
use to determine access rights.
Comment: A few commenters believed that it would be ``extremely
disruptive of and dangerous'' to patients to have access to records
regarding their current care and that state law provides sufficient
protection of patients' rights in this regard.
Response: We do not agree. Information about current care has
immediate and direct impact on individuals. Where a health care
professional familiar with the circumstances believes that it is
reasonably likely that access to records would endanger the life or
physical safety of the individual or another
[[Page 82735]]
person, the regulation allows the professional to withhold access.
Comment: Several commenters requested clarification that a patient
not be denied access to protected health information because of failure
to pay a bill. A few commenters requested clarification that entities
may not deny requests simply because producing the information would be
too burdensome.
Response: We agree with these comments, and confirm that neither
failure to pay a bill nor burden are lawful reasons to deny access
under this rule. Covered entities may deny access only for the reasons
provided in the rule.
Comment: Some commenters requested that the final rule not include
detailed procedural requirements about how to respond to requests for
access. Others made specific recommendations on the procedures for
providing access, including requiring written requests, requiring
specific requests instead of blanket requests, and limiting the
frequency of requests. Commenters generally argued against requiring
covered entities to acknowledge requests, except under certain
circumstances, because of the potential burden on entities.
Response: We intend to provide sufficient procedural guidelines to
ensure that individuals have access to their protected health
information, while maintaining the flexibility for covered entities to
implement policies and procedures that are appropriate to their needs
and capabilities. We believe that a limit on the frequency of requests
individuals may make would arbitrarily infringe on the individual's
right of access and have, therefore, not included such a limitation. To
limit covered entities' burden, we do not require covered entities to
acknowledge receipt of the individuals' requests, other than to notify
the individual once a decision on the request has been made. We also
permit a covered entity to require an individual to make a request for
access in writing and to discuss a request with an individual to
clarify which information the individual is actually requesting. If
individuals agree, covered entities may provide access to a subset of
information rather than all protected health information in a
designated record set. We believe these changes provide covered
entities with greater flexibility without compromising individuals'
access rights.
Comment: Commenters offered varying suggestions for required
response time, ranging from 48 hours because of the convenience of
electronic records to 60 days because of the potential burden. Others
argued against a finite time period, suggesting the response time be
based on mutual convenience of covered entities and individuals,
reasonableness, and exigencies. Commenters also varied on suggested
extension periods, from one 30-day extension to three 30-day extensions
to one 90-day extension, with special provisions for off-site records.
Response: We are imposing a time limit because individuals are
entitled to know when to expect a response. Timely access to protected
health information is important because such information may be
necessary for the individual to obtain additional health care services,
insurance coverage, or disability benefits, and the covered entity may
be the only source for such information. To provide additional
flexibility, we eliminate the requirement that access be provided as
soon as possible and we lengthen the deadline for access to off-site
records. For on-site records, covered entities must act on a request
within 30 days of receipt of the request. For off-site records,
entities must complete action within 60 days. We also permit covered
entities to extend the deadline by up to 30 days if they are unable to
complete action on the request within the standard deadline. These time
limits are intended to be an outside deadline rather than an
expectation. We expect covered entities to be attentive to the
circumstances surrounding each request and respond in an appropriate
time frame.
Comment: A few commenters suggested that, upon individuals'
requests, covered entities should be required to provide protected
health information in a format that would be understandable to a
patient, including explanations of codes or abbreviations. The
commenters suggested that covered entities be permitted to provide
summaries of pertinent information instead of full copies of records;
for example, a summary may be more helpful for the patient's purpose
than a series of indecipherable billing codes.
Response: We agree with these commenters' point that some health
information is difficult to interpret. We clarify, therefore, that the
covered entity may provide summary information in lieu of the
underlying records. A summary may only be provided if the covered
entity and the individual agree, in advance, to the summary and to any
fees imposed by the covered entity for providing such summary. We
similarly permit a covered entity to provide an explanation of the
information. If the covered entity charges a fee for providing an
explanation, it must obtain the individual's agreement to the fee in
advance.
Comment: Though there were recommendations that fees be limited to
the costs of copying, the majority of commenters on this topic
requested that covered entities be able to charge a reasonable, cost-
based fee. Commenters suggested that calculation of access costs
involve factors such as labor costs for verification of requests, labor
and software costs for logging of requests, labor costs for retrieval,
labor costs for copying, expense costs for copying, capital cost for
copying, expense costs for mailing, postal costs for mailing, billing
and bad-debt expenses, and labor costs for refiling. Several commenters
recommended specific fee structures.
Response: We agree that covered entities should be able to recoup
their reasonable costs for copying of protected health information, and
include such provision in the regulation. We are not specifying a set
fee because copying costs could vary significantly depending on the
size of the covered entity and the form of such copy (e.g., paper,
electronic, film). Rather, covered entities are permitted to charge a
reasonable, cost-based fee for copying (including the costs of supplies
and labor), postage, and summary or explanation (if requested and
agreed to by the individual) of information supplied. The rule limits
the types of costs that may be imposed for providing access to
protected health information, but does not preempt applicable state
laws regarding specific allowable fees for such costs. The inclusion of
a copying fee is not intended to impede the ability of individuals to
copy their records.
Comment: Many commenters stated that if a covered entity denies a
request for access because the entity does not hold the protected
health information requested, the covered entity should provide, if
known, the name and address of the entity that holds the information.
Some of these commenters additionally noted that the Uniform Insurance
Information and Patient Protection Act, adopted by 16 states, already
imposes this notification requirement on insurance entities. Some
commenters also suggested requiring providers who leave practice or
move offices to inform individuals of that fact and of how to obtain
their records.
Response: We agree that, when covered entities deny requests for
access because they do not hold the protected health information
requested, they should inform individuals of the holder of the
information, if known; we include this provision in the final rule. We
do not require health care providers to
[[Page 82736]]
notify all patients when they move or leave practice, because the
volume of such notifications would be unduly burdensome.
Section 164.526--Amendment of Protected Health Information
Comment: Many commenters strongly encouraged the Secretary to adopt
``appendment'' rather than ``amendment and correction'' procedures.
They argued that the term ``correction'' implies a deletion of
information and that the proposed rule would have allowed covered
entities to remove portions of the record at their discretion.
Commenters indicated that appendment rather than correction procedures
will ensure the integrity of the medical record and allow subsequent
health care providers access to the original information as well as the
appended information. They also indicated appendment procedures will
protect both individuals and covered entities since medical records are
sometimes needed for litigation or other legal proceedings.
Response: We agree with commenters' concerns about the term
``correction.'' We have revised the rule and deleted ``correction''
from this provision in order to clarify that covered entities are not
required by this rule to delete any information from the designated
record set. We do not intend to alter medical record retention laws or
current practice, except to require covered entities to append
information as requested to ensure that a record is accurate and
complete. If a covered entity prefers to comply with this provision by
deleting the erroneous information, and applicable record retention
laws allow such deletion, the entity may do so. For example, an
individual may inform the entity that someone else's X-rays are in the
individual's medical record. If the entity agrees that the X-ray is
inaccurately filed, the entity may choose to so indicate and note where
in the record the correct X-ray can be found. Alternatively, the entity
may choose to remove the X-ray from the record and replace it with the
correct X-ray, if applicable law allows the entity to do so. We intend
the term ``amendment'' to encompass either action.
We believe this approach is consistent with well-established
privacy principles, with other law, and with industry standards and
ethical guidelines. The July 1977 Report of the Privacy Protection
Study Commission recommended that health care providers and other
organizations that maintain medical-record information have procedures
for individuals to correct or amend the information.\28\ The Privacy
Act (5 U.S.C. 552a) requires government agencies to permit individuals
to request amendment of any record the individual believes is not
accurate, relevant, timely, or complete. In its report ``Best
Principles for Health Privacy,'' the Health Privacy Working Group
recommended, ``An individual should have the right to supplement his or
her own medical record. Supplementation should not be implied to mean
deletion or alteration of the medical record.'' \29\ The National
Association of Insurance Commissioners' Health Information Privacy
Model Act establishes the right of an individual who is the subject of
protected health information to amend protected health information to
correct any inaccuracies. The National Conference of Commissioners on
Uniform State Laws' Uniform Health Care Information Act states,
``Because accurate health-care information is not only important to the
delivery of health care, but for patient applications for life,
disability and health insurance, employment, and a great many other
issues that might be involved in civil litigation, this Act allows a
patient to request an amendment in his record.''
---------------------------------------------------------------------------
\28\ Privacy Protection Study Commission, ``Personal Privacy in
an Information Society,'' July 1977, p. 300-303.
\29\ Health Privacy Working Group, ``Best Principles for Health
Privacy,'' Health Privacy Project, Institute for Health Care
Research and Policy, Georgetown University, July 1999.
---------------------------------------------------------------------------
Some states also establish a right for individuals to amend health
information about them. For example, Hawaii law (HRS section 323C-12)
states, ``An individual or the individual's authorized representative
may request in writing that a health care provider that generated
certain health care information append additional information to the
record in order to improve the accuracy or completeness of the
information; provided that appending this information does not erase or
obliterate any of the original information.'' Montana law (MCA section
50-16-543) states, ``For purposes of accuracy or completeness, a
patient may request in writing that a health care provider correct or
amend its record of the patient's health care information to which he
has access.'' Connecticut, Georgia, and Maine provide individuals a
right to request correction, amendment, or deletion of recorded
personal information about them maintained by an insurance institution.
Many other states have similar provisions.
Industry and standard-setting organizations have also developed
policies for amendment of health information. The National Committee
for Quality Assurance and the Joint Commission on Accreditation of
Healthcare Organizations issued recommendations stating, ``The
opportunity for patients to review their records will enable them to
correct any errors and may provide them with a better understanding of
their health status and treatment. Amending records does not erase the
original information. It inserts the correct information with a
notation about the date the correct information was available and any
explanation about the reason for the error.'' \30\ Standards of the
American Society for Testing and Materials state, ``An individual has a
right to amend by adding information to his or her record or database
to correct inaccurate information in his or her patient record and in
secondary records and databases which contain patient identifiable
health information.'' \31\ We build on this well-established principle
in this final rule.
---------------------------------------------------------------------------
\30\ National Committee on Quality Assurance and the Joint
Commission on Accreditation of Healthcare Organizations,
``Protecting Personal Health Information: A Framework for Meeting
the Challenges in a Managed Care Environment,''1998, p. 25.
\31\ ASTM, ``Standard Guide for Confidentiality, Privacy, Access
and Data Security, Principles for Health Information Including
Computer-Based Patient Records,'' E 1869-97, Sec. 11.1.1.
---------------------------------------------------------------------------
Comment: Some commenters supported the proposal to allow
individuals to request amendment for as long as the covered provider or
plan maintains the information. A few argued that the provision should
be time-limited, e.g., that covered entities should not have to amend
protected health information that is more than two years old. Other
comments suggested that the provision should only be applied to
protected health information created after the compliance date of the
regulation.
Response: The purpose of this provision is to create a mechanism
whereby individuals can ensure that information about them is as
accurate as possible as it travels through the health care system and
is used to make decisions, including treatment decisions, about them.
To achieve this result, individuals must have the ability to request
amendment for as long as the information used to make decisions about
them exists. We therefore retain the proposed approach. For these
reasons, we also require covered entities to address requests for
amendment of all protected health information within designated record
sets, including information created or obtained prior to
[[Page 82737]]
the compliance date, for as long as the entity maintains the
information.
Comment: A few commenters were concerned that the proposal implied
that the individual is in control of and may personally change the
medical record. These commenters opposed such an approach.
Response: We do not give individuals the right to alter their
medical records. Individuals may request amendment, but they have no
authority to determine the final outcome of the request and may not
make actual changes to the medical record. The covered entity must
review the individual's request and make appropriate decisions. We have
clarified this intent in Sec. 164.526(a)(1) by stating that individuals
have a right to have a covered entity amend protected health
information and in Sec. 164.526(b)(2) by stating that covered entities
must act on an individual's request for amendment.
Comment: Some comments argued that there is no free-text field in
some current transaction formats that would accommodate the extra text
required to comply with the amendment provisions (e.g., sending
statements of disagreement along with all future disclosures of the
information at issue). Commenters argued that this provision will
burden the efficient transmission of information, contrary to HIPAA
requirements.
Response: We believe that most amendments can be incorporated into
the standard transactions as corrections of erroneous data. We agree
that some of the standard transactions cannot currently accommodate
additional material such as statements of disagreement and rebuttals to
such statements. To accommodate these rare situations, we modify the
requirements in Sec. 164.526(d)(iii). The provision now states that if
a standard transaction does not permit the inclusion of the additional
material required by this section, the covered entity may separately
transmit the additional material to the recipient of the standard
transaction. Commenters interested in modifying the standard
transactions to allow the incorporation of additional materials may
also bring the issue up for resolution through the process established
by the Transactions Rule and described in its preamble.
Comment: The NPRM proposed to allow amendment of protected health
information in designated record sets. Some commenters supported the
concept of a designated record set and stated that it appropriately
limits the type of information available for amendment to information
directly related to treatment. Other commenters were concerned about
the burden this provision will create due to the volume of information
that will be available for amendment. They were primarily concerned
with the potential for frivolous, minor, or technical requests. They
argued that for purposes of amendment, this definition should be
limited to information used to make medical or treatment decisions
about the individual. A few commenters requested clarification that
individuals do not have a right to seek amendment unless there is
verifiable information to support their claim or they can otherwise
convince the entity that the information is inaccurate or incomplete.
Response: We believe that the same information available for
inspection should also be subject to requests for amendment, because
the purpose of these provisions is the same: To give consumers access
to and the chance to correct errors in information that may be used to
make decisions that affect their interests. We thus retain use of the
``designated record set'' in this provision. However, we share
commenters'' concerns about the potential for minor or technical
requests. To address this concern, we have clarified that covered
entities may deny a request for amendment if the request is not in
writing and does not articulate a reason to support the request, as
long as the covered entity informs the individual of these requirements
in advance.
Comment: Many commenters noted the potentially negative impact of
the proposal to allow covered entities to deny a request for amendment
if the covered entity did not create the information at issue. Some
commenters pointed out that the originator of the information may no
longer exist or the individual may not know who created the information
in question. Other commenters supported the proposal that only the
originator of the information is responsible for amendments to it. They
argued that any extension of this provision requiring covered entities
to amend information they have not created is administratively and
financially burdensome.
Response: In light of the comments, we modify the rule to require
the holder of the information to consider a request for amendment if
the individual requesting amendment provides a reasonable basis to
believe that the originator of the information is no longer available
to act on a request. For example, if a request indicates that the
information at issue was created by a hospital that has closed, and the
request is not denied on other grounds, then the entity must amend the
information. This provision is necessary to preserve an individual's
right to amend protected health information about them in certain
circumstances.
Comment: Some commenters stated that the written contract between a
covered entity and its business associate should stipulate that the
business associate is required to amend protected health information in
accordance with the amendment provisions. Otherwise, these commenters
argued, there would be a gap in the individual's right to have
erroneous information corrected, because the covered entity could deny
a request for amendment of information created by a business associate.
Response: We agree that information created by the covered entity
or by the covered entity's business associates should be subject to
amendment. This requirement is consistent with the requirement to make
information created by a business associate available for inspection
and copying. We have revised the rule to require covered entities to
specify in the business associate contract that the business associate
will make protected health information available for amendment and will
incorporate amendments accordingly. (See Sec. 164.504(e).)
Comment: One commenter argued that covered entities should be
required to presume information must be corrected where an individual
informs the entity that an adjudicative process has made a finding of
medical identity theft.
Response: Identity theft is one of many reasons why protected
health information may be inaccurate, and is one of many subjects that
may result in an adjudicative process relevant to the accuracy of
protective health information. We believe that this provision
accommodates this situation without a special provision for identity
theft.
Comment: Some commenters asserted that the proposed rule's
requirement that action must be taken on individuals' requests within
60 days of the receipt of the request was unreasonable and burdensome.
A few commenters proposed up to three 30-day extensions for
``extraordinary'' (as defined by the entity) requests.
Response: We agree that 60 days will not always be a sufficient
amount of time to adequately respond to these requests. Therefore, we
have revised this provision to allow covered entities the option of a
30-day extension to deal with requests that require additional response
time. However, we expect that 60 days will be adequate for most cases.
Comment: One commenter questioned whether a covered entity could
[[Page 82738]]
appropriately respond to a request by amending the record, without
indicating whether it believes the information at issue is accurate and
complete.
Response: An amendment need not include a statement by the covered
entity as to whether the information is or is not accurate and
complete. A covered entity may choose to amend a record even if it
believes the information at issue is accurate and complete. If a
request for amendment is accepted, the covered entity must notify the
individual that the record has been amended. This notification need not
include any explanation as to why the request was accepted. A
notification of a denied request, however, must contain the basis for
the denial.
Comment: A few commenters suggested that when an amendment is made,
the date should be noted. Some also suggested that the physician should
sign the notation.
Response: We believe such a requirement would create a burden that
is not necessary to protect individuals' interests, and so have not
accepted this suggestion. We believe that the requirements of
Sec. 164.526(c) regarding actions a covered entity must take when
accepting a request will provide an adequate record of the amendment. A
covered entity may date and sign an amendment at its discretion.
Comment: The NPRM proposed that covered entities, upon accepting a
request for amendment, make reasonable efforts to notify those persons
the individual identifies, and other persons whom the covered entity
knows have received the erroneous or incomplete information and who may
have relied, or could foreseeably rely, on such information to the
detriment of the individual. Many commenters argued that this
notification requirement was too burdensome and should be narrowed.
They expressed concern that covered entities would have to notify
anyone who might have received the information, even persons identified
by the individual with whom the covered entity had no contact. Other
commenters also contended that this provision would require covered
entities to determine the reliance another entity might place on the
information and suggested that particular part of the notification
requirements be removed. Another commenter suggested that the
notification provision be eliminated entirely, believing that it was
unnecessary.
Response: Although there is some associated administrative burden
with this provision, we believe it is a necessary requirement to
effectively communicate amendments of erroneous or incomplete
information to other parties. The negative effects of erroneous or
incomplete medical information can be devastating. This requirement
allows individuals to exercise some control in determining recipients
they consider important to be notified, and requires the covered entity
to communicate amendments to other persons that the covered entity
knows have the erroneous or incomplete information and may take some
action in reliance on the erroneous or incomplete information to the
detriment of the individual. We have added language to clarify that the
covered entity must obtain the individual's agreement to have the
amendment shared with the persons the individual and covered entity
identifies. We believe these notification requirements appropriately
balance covered entities' burden and individuals' interest in
protecting the accuracy of medical information used to make decisions
about them. We therefore retain the notification provisions
substantially as proposed.
Comment: Some commenters argued against the proposed provision
requiring a covered entity that receives a notice of amendment to
notify its business associates, ``as appropriate,'' of necessary
amendments. Some argued that covered entities should only be required
to inform business associates of these changes if the amendment could
affect the individual's further treatment, citing the administrative
and financial burden of notifying all business associates of changes
that may not have a detrimental effect on the patient. Other commenters
suggested that covered entities should only be required to inform
business associates whom they reasonably know to be in possession of
the information.
Response: We agree with commenters that clarification is warranted.
Our intent is that covered entities must meet the requirements of this
rule with respect to protected health information they maintain,
including protected health information maintained on their behalf by
their business associates. We clarify this intent by revising the
definition of designated record set (see Sec. 164.501) to include
records maintained ``by or for'' a covered entity. Section 164.526(e)
requires a covered entity that is informed of an amendment made by
another covered entity to incorporate that amendment into designated
record sets, whether the designated record set is maintained by the
covered entity or for the covered entity by a business associate. If a
business associate maintains the record at issue on the covered
entity's behalf, the covered entity must fulfill its requirement by
informing the business associate of the amendment to the record. The
contract with the business associate must require the business
associate to incorporate any such amendments. (See Sec. 164.504(e).)
Comment: Some commenters supported the proposal to require covered
entities to provide notification of the covered entity's statement of
denial and the individual's statement of disagreement in any subsequent
disclosures of the information to which the dispute relates. They
argued that we should extend this provision to prior recipients of
disputed information who have relied on it. These commenters noted an
inconsistency in the proposed approach, since notification of accepted
amendments is provided to certain previous recipients of erroneous
health information and to recipients of future disclosures. They
contended there is not a good justification for the different treatment
and believed that the notification standard should be the same,
regardless of whether the covered entity accepts the request for
amendment.
These commenters also recommended that the individual be notified
of the covered entity's intention to rebut a statement of disagreement.
They suggested requiring covered entities to send a copy of the
statement of rebuttal to the individual.
Response: Where a request for amendment is accepted, the covered
entity knows that protected health information about the individual is
inaccurate or incomplete or the amendment is otherwise warranted; in
these circumstances, it is reasonable to ask the covered entity to
notify certain previous recipients of the information that reliance on
such information could be harmful. Where, however, the request for
amendment is denied, the covered entity believes that the relevant
information is accurate and complete or the amendment is otherwise
unacceptable. In this circumstance, the burden of prior notification
outweighs the potential benefits. We therefore do not require
notification of prior recipients.
We agree, however, that individuals should know how a covered
entity has responded to their requests, and therefore add a requirement
that covered entities also provide a copy of any rebuttal statements to
the individual.
[[Page 82739]]
Section 164.528--Accounting of Disclosures of Protected Health
Information
Comment: Many commenters expressed support for the concept of the
right to receive an accounting of disclosures. Others opposed even the
concept. One commenter said that it is likely that some individuals
will request an accounting of disclosures from each of his or her
health care providers and payors merely to challenge the disclosures
that the covered entity made.
Some commenters also questioned the value to the individual of
providing the right to an accounting. One commenter stated that such a
provision would be meaningless because those who deliberately
perpetrate an abuse are unlikely to note their breach in a log.
Response: The final rule retains the right of an individual to
receive an accounting of disclosures of protected health information.
The provision serves multiple purposes. It provides a means of
informing the individual as to which information has been sent to which
recipients. This information, in turn, enables individuals to exercise
certain other rights under the rule, such as the rights to inspection
and amendment, with greater precision and ease. The accounting also
allows individuals to monitor how covered entities are complying with
the rule. Though covered entities who deliberately make disclosures in
violation of the rule may be unlikely to note such a breach in the
accounting, other covered entities may document inappropriate
disclosures that they make out of ignorance and not malfeasance. The
accounting will enable the individual to address such concerns with the
covered entity.
We believe this approach is consistent with well-established
privacy principles, with other law, and with industry standards and
ethical guidelines. The July 1977 Report of the Privacy Protection
Study Commission recommended that a health care provider should not
disclose individually-identifiable information for certain purposes
without the individual's authorization unless ``an accounting of such
disclosures is kept and the individual who is the subject of the
information being disclosed can find out that the disclosure has been
made and to whom.'' \32\ With certain exceptions, the Privacy Act (5
U.S.C. 552a) requires government agencies to ``keep an accurate
accounting of * * * the date, nature, and purpose of each disclosure of
a record to any person or to another agency * * * and * * * the name
and address of the person or agency to whom the disclosure is made.''
The National Association of Insurance Commissioners' Health Information
Privacy Model Act requires carriers to provide to individuals on
request ``information regarding disclosure of that individual's
protected health information that is sufficient to exercise the right
to amend the information.'' We build on these standards in this final
rule.
---------------------------------------------------------------------------
\32\ Privacy Protection Study Commission, ``Personal Privacy in
an Information Society,'' July 1977, pp. 306-307.
---------------------------------------------------------------------------
Comment: Many commenters disagreed with the NPRM's exception for
treatment, payment, and health care operations. Some commenters wanted
treatment, payment, and health care operations disclosures to be
included in an accounting because they believed that improper
disclosures of protected health information were likely to be committed
by parties within the entity who have access to protected health
information for treatment, payment, and health care operations related
purposes. They suggested that requiring covered entities to record
treatment, payment, and health care operations disclosures would either
prevent improper disclosures or enable transgressions to be tracked.
One commenter reasoned that disclosures for treatment, payment, and
health care operations purposes should be tracked since these
disclosures would be made without the individual's consent. Others
argued that if an individual's authorization is not required for a
disclosure, then the disclosure should not have to be tracked for a
future accounting to the individual.
One commenter requested that the provision be restated so that no
accounting is required for disclosures ``compatible with or directly
related to'' treatment, payment or health care operations. This comment
indicated that the change would make Sec. 164.515(a)(1) of the NPRM
consistent with Sec. 164.508(a)(2)(i)(A) of the NPRM.
Response: We do not accept the comments suggesting removing the
exception for disclosures for treatment, payment, and health care
operations. While including all disclosures within the accounting would
provide more information to individuals about to whom their information
has been disclosed, we believe that documenting all disclosures made
for treatment, payment, and health care operations purposes would be
unduly burdensome on entities and would result in accountings so
voluminous as to be of questionable value. Individuals who seek
treatment and payment expect that their information will be used and
disclosed for these purposes. In many cases, under this final rule, the
individual will have consented to these uses and disclosures. Thus, the
additional information that would be gained from including these
disclosures would not outweigh the added burdens on covered entities.
We believe that retaining the exclusion of disclosures to carry out
treatment, payment, and health care operations makes for a manageable
accounting both from the point of view of entities and of individuals.
We have conformed the language in this section with language in other
sections of the rule regarding uses and disclosures to carry out
treatment, payment, and health care operations. See Sec. 164.508 and
the corresponding preamble discussion regarding our decision to use
this language.
Comments: A few commenters called for a record of all disclosures,
including a right of access to a full audit trail where one exists.
Some commenters stated while audit trails for paper records are too
expensive to require, the privacy rule should not discourage audit
trails, at least for computer-based records. They speculated that an
important reason for maintaining a full audit trail is that most abuses
are the result of activity by insiders. On the other hand, other
commenters pointed out that an enormous volume of records would be
created if the rule requires recording all accesses in the manner of a
full audit trail.
One commenter supported the NPRM's reference to the proposed HIPAA
Security Rule, agreeing that access control and disclosure requirements
under this rule should be coordinated with the final HIPAA Security
Rule. The commenter recommended that HHS add a reference to the final
HIPAA Security Rule in this section and keep specific audit log and
reporting requirements generic in the privacy rule.
Response: Audit trails and the accounting of disclosures serve
different functions. In the security field, an audit trail is typically
a record of each time a sensitive record is altered, how it was altered
and by whom, but does not usually record each time a record is used or
viewed. The accounting required by this rule provides individuals with
information about to whom a disclosure is made. An accounting, as
described in this rule, would not capture uses. To the extent that an
audit trail would capture uses, consumers reviewing an audit trail may
not be able to distinguish between
[[Page 82740]]
accesses of the protected health information for use and accesses for
disclosure. Further, it is not clear the degree to which the field is
technologically poised to provide audit trails. Some entities could
provide audit trails to individuals upon their request, but we are
concerned that many could not.
We agree that it is important to coordinate this provision of the
privacy rule with the Security Rule when it is issued as a final rule.
Comments: We received many comments from researchers expressing
concerns about the potential impact of requiring an accounting of
disclosures related to research. The majority feared that the
accounting provision would prove so burdensome that many entities would
decline to participate in research. Many commenters believed that
disclosure of protected health information for research presents little
risk to individual privacy and feared that the accounting requirement
could shut down research.
Some commenters pointed out that often only a few data elements or
a single element is extracted from the patient record and disclosed to
a researcher, and that having to account for so singular a disclosure
from what could potentially be an enormous number of records imposes a
significant burden. Some said that the impact would be particularly
harmful to longitudinal studies, where the disclosures of protected
health information occur over an extended period of time. A number of
commenters suggested that we not require accounting of disclosures for
research, registries, and surveillance systems or other databases
unless the disclosure results in the actual physical release of the
patient's entire medical record, rather than the disclosure of discrete
elements of information contained within the record.
We also were asked by commenters to provide an exclusion for
research subject to IRB oversight or research that has been granted a
waiver of authorization pursuant to proposed Sec. 164.510, to exempt
``in-house'' research from the accounting provision, and to allow
covered entities to describe the type of disclosures they have made to
research projects, without specifically listing each disclosure.
Commenters suggested that covered entities could include in an
accounting a listing of the various research projects in which they
participated during the time period at issue, without regard to whether
a particular individual's protected health information was disclosed to
the project.
Response: We disagree with suggestions from commenters that an
accounting of disclosures is not necessary for research. While it is
possible that informing individuals about the disclosures made of their
health information may on occasion discourage worthwhile activities, we
believe that individuals have a right to know who is using their health
information and for what purposes. This information gives individuals
more control over their health information and a better base of
knowledge from which to make informed decisions.
For the same reasons, we also do not believe that IRB or privacy
board review substitutes for providing individuals the right to know
how their information has been disclosed. We permit IRBs or privacy
boards to determine that a research project would not be feasible if
authorization were required because we understand that it could be
virtually impossible to get authorization for archival research
involving large numbers of individuals or where the location of the
individuals is not easy to ascertain. While providing an accounting of
disclosures for research may entail some burden, it is feasible, and we
do not believe that IRBs or privacy boards would have a basis for
waiving such a requirement. We also note that the majority of comments
that we received from individuals supported including more information
in the accounting, not less.
We understand that requiring covered entities to include
disclosures for research in the accounting of disclosures entails some
burden, but we believe that the benefits described above outweigh the
burden.
We do not agree with commenters that we should exempt disclosures
where only a few data elements are released or in the case of data
released without individuals' names. We recognize that information
other than names can identify an individual. We also recognize that
even a few data elements could be clues to an individual's identity.
The actual volume of information released is not an appropriate
indicator of whether an individual could have a concern about privacy.
We disagree with comments that suggested that it would be
sufficient to provide individuals with a general list of research
projects to which information has been disclosed by the covered entity.
We believe that individuals are entitled to a level of specificity
about disclosures of protected health information about them and should
know to which research projects their protected health information has
been disclosed, rather than to which projects protected health
information may have been disclosed. However, we have added a provision
allowing for a summary accounting of recurrent disclosures. For
multiple disclosures to the same recipient pursuant to a single
authorization or for a single purpose permitted under the rule without
authorization, the covered entity may provide a summary accounting
addressing the series of disclosures rather than a detailed accounting
of each disclosure in the series. This change is designed to ease the
burden on covered entities involved in longitudinal projects.
With regard to the suggestion that we exempt ``in-house'' research
from the accounting provision, we note that only disclosures of
protected health information must appear in an accounting.
Comments: Several commenters noted that disclosures for public
health activities may be of interest to individuals, but add to the
burden imposed on entities. Furthermore, some expressed fear that
priority public health activities would be compromised by the
accounting provision. One commenter from a health department said that
covered entities should not be required to provide an accounting to
certain index cases, where such disclosures create other hazards, such
as potential harm to the reporting provider. This commenter also
speculated that knowing protected health information had been disclosed
for these public health purposes might cause people to avoid treatment
in order to avoid being reported to the public health department.
A provider association expressed concern about the effect that the
accounting provision might have on a non-governmental, centralized
disease registry that it operates. The provider organization feared
that individuals might request that their protected health information
be eliminated in the databank, which would make the data less useful.
Response: As in the discussion of research above, we reject the
contention that we should withhold information from individuals about
where their information has been disclosed because informing them could
occasionally discourage some worthwhile activities. We also believe
that, on balance, individuals' interest in having broad access to this
information outweighs concerns about the rare instances in which
providing this information might raise concerns about harm to the
person who made the disclosure. As we stated above, we believe that
individuals have
[[Page 82741]]
a right to know who is using their health information and for what
purposes. This information gives individuals more control over their
health information and a better base of knowledge from which to make
informed decisions.
Comment: We received many comments about the proposed time-limited
exclusion for law enforcement and health oversight. Several commenters
noted that it is nearly impossible to accurately project the length of
an investigation, especially during its early stages. Some recommended
we permit a deadline based on the end of an event, such as conclusion
of an investigation. One commenter recommended amending the standard
such that covered entities would never be required to give an
accounting of disclosures to health oversight or law enforcement
agencies. The commenter noted that there are public policy reasons for
limiting the extent to which a criminal investigation is made known
publicly, including the possibility that suspects may destroy or
falsify evidence, hide assets, or flee. The commenter also pointed out
that disclosure of an investigation may unfairly stigmatize a person or
entity who is eventually found to be innocent of any wrongdoing.
On the other hand, many commenters disagreed with the exemption for
recording disclosures related to oversight activities and law
enforcement. Many of these commenters stated that the exclusion would
permit broad exceptions for government purposes while holding
disclosures for private purposes to a more burdensome standard.
Some commenters felt that the NPRM made it too easy for law
enforcement to obtain an exception. They suggested that law enforcement
should not be excepted from the accounting provision unless there is a
court order. One commenter recommended that a written request for
exclusion be dated, signed by a supervisory official, and contain a
certification that the official is personally familiar with the purpose
of the request and the justification for exclusion from accounting.
Response: We do not agree with comments suggesting that we
permanently exclude disclosures for oversight or law enforcement from
the accounting. We believe generally that individuals have a right to
know who is obtaining their health information and for what purposes.
At the same time, we agree with commenters that were concerned that
an accounting could tip off subjects of investigations. We have
retained a time-limed exclusion period similar to that proposed in the
NPRM. To protect the integrity of investigations, in the final rule we
require covered entities to exclude disclosures to a health oversight
agency or law enforcement official for the time specified by that
agency or official, if the agency or official states that including the
disclosure in an accounting to the individual would be reasonably
likely to impede the agency or official's activities. We require the
statement from the agency or official to provide a specific time frame
for the exclusion. For example, pursuant to a law enforcement
official's statement, a covered entity could exclude a law enforcement
disclosure from the accounting for a period of three months from the
date of the official's statement or until a date specified in the
statement.
In the final rule, we permit the covered entity to exclude the
disclosure from an accounting to an individual if the agency or
official makes the statement orally and the covered entity documents
the statement and the identify of the agency or official that made the
statement. We recognize that in urgent situations, agencies and
officials may not be able to provide statements in writing. If the
agency or official's statement is made orally, however, the disclosure
can be excluded from an accounting to the individual for no longer than
30 days from the oral statement. For exclusions longer than 30 days, a
covered entity must receive a written statement.
We believe these requirements appropriately balance individuals'
rights to be informed of the disclosures of protected health
information while recognizing the public's interest in maintaining the
integrity of health oversight and law enforcement activities.
Comment: One commenter stated that under Minnesota law, providers
who are mandated reporters of abuse are limited as to whom they may
reveal the report of abuse (generally law enforcement authorities and
other providers only). This is because certain abusers, such as
parents, by law may have access to a victim's (child's) records. The
commenter requested clarification as to whether these disclosures are
exempt from the accounting requirement or whether preemption would
apply.
Response: While we do not except mandatory disclosures of abuse
from the accounting for disclosure requirement, we believe the
commenter's concerns are addressed in several ways. First, nothing in
this regulation invalidates or limits the authority or procedures
established under state law providing for the reporting of child abuse.
Thus, with respect to child abuse the Minnesota law's procedures are
not preempted even though they are less stringent with respect to
privacy. Second, with respect to abuse of persons other than children,
we allow covered entities to refuse to treat a person as an
individual's personal representative if the covered entity believes
that the individual has been subjected to domestic violence, abuse, or
neglect from the person. Thus, the abuser would not have access to the
accounting. We also note that a covered entity must exclude a
disclosure, including disclosures to report abuse, from the accounting
for specified period of time if the law enforcement official to whom
the report is made requests such exclusion.
Comment: A few comments noted the lack of exception for disclosures
made to intelligence agencies.
Response: We agree with the comments and have added an exemption
for disclosures made for national security or intelligence purposes
under Sec. 164.512(k)(2). Individuals do not have a right to an
accounting of disclosures for these purposes.
Comment: Commenters noted that the burden associated with this
provision would, in part, be determined by other provisions of the
rule, including the definitions of ``individually identifiable,''
``treatment,'' and ``health care operations.'' They expressed concern
that the covered entity would have to be able to organize on a patient
by patient basis thousands of disclosures of information, which they
described as ``routine.'' These commenters point to disclosures for
patient directory information, routine banking and payment processes,
uses and disclosures in emergency circumstances, disclosures to next of
kin, and release of admissions statistics to a health oversight agency.
Response: We disagree with the commenters that ambiguity in other
areas of the rule increase the burden associated with maintaining an
accounting. The definitions of treatment, payment, and health
operations are necessarily broad and there is no accounting required
for disclosures for these purposes. These terms cover the vast majority
of routine disclosures for health care purposes. (See Sec. 164.501 and
the associated preamble for a discussion of changes made to these
definitions.)
The disclosures permitted under Sec. 164.512 are for national
priority purposes, and determining whether a disclosure fits within the
section is necessary before the disclosure can be
[[Page 82742]]
made. There is no additional burden, once such a determination is made,
in determining whether it must be included in the accounting.
We agree with the commenters that there are areas where we can
reduce burden by removing additional disclosures from the accounting
requirement, without compromising individuals' rights to know how their
information is being disclosed. In the final rule, covered entities are
not required to include the following disclosures in the accounting:
disclosures to the individual, disclosures for facility directories
under Sec. 164.510(a), or disclosures to persons assisting in the
individual's care or for other notification purposes under
Sec. 164.510(b). For each of these types of disclosures, the individual
is likely to already know about the disclosure or to have agreed to the
disclosure, making the inclusion of such disclosures in the accounting
less important to the individual and unnecessarily burdensome to the
covered entity.
Comment: Many commenters objected to requiring business partners to
provide an accounting to covered entities upon their request. They
cited the encumbrance associated with re-contracting with the various
business partners, as well as the burden associated with establishing
this type of record keeping.
Response: Individuals have a right to know to whom and for what
purpose their protected health information has been disclosed by a
covered entity. The fact that a covered entity uses a business
associate to carry out a function does not diminish an individual's
right to know.
Comments: One commenter requested clarification as to how far a
covered entity's responsibility would extend, asking whether an entity
had to track only their direct disclosures or subsequent re-
disclosures.
Response: Covered entities are required to account for their
disclosures, as well as the disclosures of their business associates,
of protected health information. Because business associates act on
behalf of covered entities, it is essential that their disclosures be
included in any accounting that an individual requests from a covered
entity. Covered entities are not responsible, however, for the actions
of persons who are not their business associates. Once a covered entity
has accounted for a disclosure to any person other than a business
associate, it is not responsible for accounting for any further uses or
disclosures of the information by that other person.
Comments: Some commenters said that the accounting provision
described in the NPRM was ambiguous and created uncertainty as to
whether it addresses disclosures only, as the title would indicate, or
whether it includes accounting of uses. They urged that the standard
address disclosures only, and not uses, which would make implementation
far more practicable and less burdensome.
Response: The final rule requires disclosures, not uses, to be
included in an accounting. See Sec. 164.501 for definitions of ``use''
and ``disclosure.''
Comments: We received many comments from providers and other
representatives of various segments of the health care industry,
expressing the view that a centralized system of recording disclosures
was not possible given the complexity of the health care system, in
which disclosures are made by numerous departments within entities. For
example, commenters stated that a hospital medical records department
generally makes notations regarding information it releases, but that
these notations do not include disclosures that the emergency
department may make. Several commenters proposed that the rule provide
for patients to receive only an accounting of disclosures made by
medical records departments or some other central location, which would
relieve the burden of centralizing accounting for those entities who
depend on paper records and tracking systems.
Response: We disagree with commenters' arguments that covered
entities should not be held accountable for the actions of their
subdivisions or workforce members. Covered entities are responsible for
accounting for the disclosures of protected health information made by
the covered entity, in accordance with this rule. The particular person
or department within the entity that made the disclosure is immaterial
to the covered entity's obligation. In the final rule, we require
covered entities to document each disclosure that is required to be
included in an accounting. We do not, however, require this
documentation to be maintained in a central registry. A covered
hospital, for example, could maintain separate documentation of
disclosures that are made from the medical records department and the
emergency department. At the time an individual requests an accounting,
this documentation could be integrated to provide a single accounting
of disclosures made by the covered hospital. Alternatively, the covered
hospital could centralize its processes for making and documenting
disclosures. We believe this provision provides covered entities with
sufficient flexibility to meet their business needs without
compromising individuals' rights to know how information about them is
disclosed.
Comments: Commenters stated that the accounting requirements placed
undue burden on covered entities that use paper, rather than
electronic, records.
Response: We do not agree that the current reliance on paper
records makes the accounting provision unduly burdensome. Covered
entities must use the paper records in order to make a disclosure, and
have the opportunity when they do so to make a notation in the record
or in a separate log. We require an accounting only for disclosures for
purposes other than treatment, payment, and health care operations.
Such disclosures are not so numerous that they cannot be accounted for,
even if paper records are involved.
Comments: The exception to the accounting provision for disclosures
of protected health information for treatment, payment, and health care
operations purposes was viewed favorably by many respondents. However,
at least one commenter stated that since covered entities must
differentiate between disclosures that require documentation and those
that do not, they will have to document each instance when a patient's
medical record is disclosed to determine the reason for the disclosure.
This commenter also argued that the administrative burden of requiring
customer services representatives to ask in which category the
information falls and then to keep a record that they asked the
question and record the answer would be overwhelming for plans. The
commenter concluded that the burden of documentation on a covered
entity would not be relieved by the stipulation that documentation is
not required for treatment, payment, and health care operations.
Response: We disagree. Covered entities are not required to
document every disclosure in order to differentiate those for
treatment, payment, and health care operations from those for purposes
for which an accounting is required. We require that, when a disclosure
is made for which an accounting is required, the covered entity be able
to produce an accounting of those disclosures upon request. We do not
require a covered entity to be able to account for every disclosure. In
addition, we believe that we have addressed many of the commenters'
concerns by clarifying in the final rule that disclosures to the
[[Page 82743]]
individual, regardless of the purpose for the disclosure, are not
subject to the accounting requirement.
Comments: An insurer explained that in the context of underwriting,
it may have frequent and multiple disclosures of protected health
information to an agent, third party medical provider, or other entity
or individual. It requested we reduce the burden of accounting for such
disclosures.
Response: We add a provision allowing for a summary accounting of
recurrent disclosures. For multiple disclosures to the same recipient
pursuant to a single authorization or for a single purpose permitted
under the rule without authorization, the covered entity may provide a
summary accounting addressing the series of disclosures rather than a
detailed accounting of each disclosure in the series.
Comment: Several commenters said that it was unreasonable to expect
covered entities to track disclosures that are requested by the
individual. They believed that consumers should be responsible for
keeping track of their own requests.
Other commenters asked that we specify that entities need not
retain and provide copies of the individual's authorization to disclose
protected health information. Some commenters were particularly
concerned that if they maintain all patient information on a computer
system, it would be impossible to link the paper authorization with the
patient's electronic records.
Another commenter suggested we allow entities to submit copies of
authorizations after the 30-day deadline for responding to the
individual, as long as the accounting itself is furnished within the
30-day window.
Response: In the final rule we do not require disclosures to the
individual to be included in the accounting. Other disclosures
requested by the individual must be included in the accounting, unless
they are otherwise excepted from the requirement. We do not agree that
individuals should be required to track these disclosures themselves.
In many cases, an authorization may authorize a disclosure by more than
one entity, or by a class of entities, such as all physicians who have
provided medical treatment to the individual. Absent the accounting,
the individual cannot know whether a particular covered entity has
acted on the authorization.
We agree, however, that it is unnecessarily burdensome to require
covered entities to provide the individual with a copy of the
authorization. We remove the requirement. Instead, we require the
accounting to contain a brief statement describing the purpose for
which the protected health information was disclosed. The statement
must be sufficient to reasonably inform the individual of the basis for
the disclosure. Alternatively, the covered entity may provide a copy of
the authorization or a copy of the written request for disclosure, if
any, under Secs. 164.502(a)(2)(ii) or 164.512.
Comments: We received many comments regarding the amount of
information required in the accounting. A few commenters requested that
we include additional elements in the accounting, such as the method of
transmittal and identity of the employee who accessed the information.
Other commenters, however, felt that the proposed requirements went
beyond what is necessary to inform the individual of disclosures.
Another commenter stated that if the individual's right to obtain an
accounting extends to disclosures that do not require a signed
authorization, then the accounting should be limited to a disclosure of
the manner and purpose of disclosures, as opposed to an individual
accounting of each entity to whom the protected health information was
disclosed. An insurer stated that this section of the proposed rule
should be revised to provide more general, rather than detailed,
guidelines for accounting of disclosures. The commenter believed that
its type of business should be allowed to provide general information
regarding the disclosure of protected health information to outside
entities, particularly with regard to entities with which the insurer
maintains an ongoing, standard relationship (such as a reinsurer).
Response: In general, we have retained the proposed approach, which
we believe strikes an appropriate balance between the individual's
right to know to whom and for what purposes their protected health
information has been disclosed and the burden placed on covered
entities. In the final rule, we clarify that the accounting must
include the address of the recipient only if the address is known to
the covered entity. As noted above, we also add a provision allowing
for a summary accounting of recurrent disclosures. We note that some of
the activities of concern to commenters may fall under the definition
of health care operations (see Sec. 164.501 and the associated
preamble).
Comment: A commenter asked that we limit the accounting to
information pertaining to the medical record itself, as opposed to
protected health information more generally. Similarly, commenters
suggested that the accounting be limited to release of the medical
record only.
Response: We disagree. Protected health information exists in many
forms and resides in many sources. An individual's right to know to
whom and for what purposes his or her protected health information has
been disclosed would be severely limited if it pertained only to
disclosure of the medical record, or information taken only from the
record.
Comment: A commenter asked that we make clear that only disclosures
external to the organization are within the accounting requirement.
Response: We agree. The requirement only applies to disclosures of
protected health information, as defined in Sec. 164.501.
Comment: Some commenters requested that we establish a limit on the
number of times an individual could request an accounting. One comment
suggested we permit individuals to request one accounting per year;
another suggested two accountings per year, except in ``emergency
situations.'' Others recommended that we enable entities to recoup some
of the costs associated with implementation by allowing the entity to
charge for an accounting.
Response: We agree that covered entities should be able to defray
costs of excessive requests. The final rule provides individuals with
the right to receive one accounting without charge in a twelve-month
period. For additional requests by an individual within a twelve-month
period, the covered entity may charge a reasonable, cost-based fee. If
it imposes such a fee, the covered entity must inform the individual of
the fee in advance and provide the individual with an opportunity to
withdraw or modify the request to avoid or reduce the fee.
Comment: In the NPRM, we solicited comments on the appropriate
duration of the individual's right to an accounting. Some commenters
supported the NPRM's requirement that the right exist for as long as
the covered entities maintains the protected health information. One
commenter, however, noted that most audit control systems do not retain
data on activity for indefinite periods of time.
Other commenters noted that laws governing the length of retention
of clinical records vary by state and by provider type and suggested
that entities be allowed to adhere to state laws or policies
established by professional organizations or accrediting bodies. Some
commenters suggested that the
[[Page 82744]]
language be clarified to state that whatever minimum requirements are
in place for the record should also guide covered entities in retaining
their capacity to account for disclosures over that same time, but no
longer.
Several commenters asked us to consider specific time limits. It
was pointed out that proposed Sec. 164.520(f)(6) of the NPRM set a six-
year time limit for retaining certain information including
authorization forms and contracts with business partners. Included in
this list was the accounting of disclosures, but this requirement was
inconsistent with the more open-ended language in Sec. 164.515.
Commenters suggested that deferring to this six-year limit would make
this provision consistent with other record retention provisions of the
standard and might relieve some of the burden associated with
implementation. Other specific time frames suggested were two years,
three years, five years, and seven years.
Another option suggested by commenters was to keep the accounting
record for as long as entities have the information maintained and
``active'' on their systems. Information permanently taken off the
covered entity's system and sent to ``dead storage'' would not be
covered. One commenter further recommended that we not require entities
to maintain records or account for prior disclosures for members who
have ``disenrolled.''
Response: We agree with commenters who suggested we establish a
specific period for which an individual may request an accounting. In
the final rule, we provide that individuals have a right to an
accounting of the applicable disclosures that have been made in the
six-year period prior to a request for an accounting. We adopt this
time frame to conform with the other documentation retention
requirements in the rule. We also note that an individual may request,
and a covered entity may then provide, an accounting of disclosures for
a period of time less than six years from the date of the request. For
example, an individual could request an accounting only of disclosures
that occurred during the year prior to the request. In addition, we
note that covered entities do not have to account for disclosures that
occurred prior to the compliance date of this rule.
Comments: Commenters asked that we provide more time for entities
to respond to requests for accounting. Suggestions ranged from 60 days
to 90 days. Another writer suggested that entities be able to take up
to three 30-day extensions from the original 30-day deadline.
Commenters raised concerns about the proposed requirement that a
covered health care provider or health plan act as soon as possible.
Response: We agree with concerns raised by commenters and in the
final rule, covered entities are required to provide a requested
accounting no later than 60 days after receipt of the request. We also
provide for one 30 day extension if the covered entity is unable to
provide the accounting within the standard time frame. We eliminate the
requirement for a covered entity to act as soon as possible.
We recognize that circumstances may arise in which an individual
will request an accounting on an expedited basis. We encourage covered
entities to implement procedures for handling such requests. The time
limitation is intended to be an outside deadline, rather than an
expectation. We expect covered entities always to be attentive to the
circumstances surrounding each request and to respond in an appropriate
time frame.
Comment: A commenter asked that we provide an exemption for
disclosures related to computer upgrades, when protected health
information is disclosed to another entity solely for the purpose of
establishing or checking a computer system.
Response: This activity falls within the definition of health care
operations and is, therefore, excluded from the accounting requirement.
Section 164.530--Administrative Requirements
Section 164.530(a)--Designation of a Privacy Official and Contact
Person
Comment: Many of the commenters on this topic objected to the cost
of establishing a privacy official, including the need to hire
additional staff, which might need to include a lawyer or other highly
paid individual.
Response: We believe that designation of a privacy official is
essential to ensure a central point of accountability within each
covered entity for privacy-related issues. The privacy official is
charged with developing and implementing the policies and procedures
for the covered entity, as required throughout the regulation, and for
compliance with the regulation generally. While the costs for these
activities are part of the costs of compliance with this rule, not
extra costs associated with the designation of a privacy official, we
do anticipate that there will be some cost associated with this
requirement. The privacy official role may be an additional
responsibility given to an existing employee in the covered entity,
such as an office manager in a small entity or an information officer
or compliance official in a larger institution. Cost estimates for the
privacy official are discussed in detail in the overall cost analysis.
Comment: A few commenters argued for more flexibility in meeting
the requirement for accountability. One health care provider maintained
that covered entities should be able to establish their own system of
accountability. For example, most physician offices already have the
patient protections incorporated in the proposed administrative
requirements--the commenter urged that the regulation should explicitly
promote the application of flexibility and scalability. A national
physician association noted that, in small offices, in particular,
responsibility for the policies and procedures should be allowed to be
shared among several people. A major manufacturing corporation asserted
that mandating a privacy official is unnecessary and that it would be
preferable to ask for the development of policies that are designed to
ensure that processes are maintained to assure compliance.
Response: We believe that a single focal point is needed to achieve
the necessary accountability. At the same time, we recognize that
covered entities are organized differently and have different
information systems. We therefore do not prescribe who within a covered
entity must serve as the privacy official, nor do we prohibit combining
this function with other duties. Duties may be delegated and shared, so
long as there is one point of accountability for the covered entity's
policies and procedures and compliance with this regulation.
Comment: Some commenters echoed the proposal of a professional
information management association that the regulation establish formal
qualifications for the privacy official, suggesting that this should be
a credentialed information management professional with specified
minimum training standards. One commenter emphasized that the privacy
official should be sufficiently high in management to have influence.
Response: While there may be some advantages to establishing formal
qualifications, we concluded the disadvantages outweigh the advantages.
Since the job of privacy official will differ substantially among
organizations of varying size and function, specifying a single set of
qualifications would sacrifice flexibility and scalability in
implementation.
[[Page 82745]]
Comment: A few commenters suggested that we provide guidance on the
tasks of the privacy official. One noted that this would reduce the
burden on covered entities to clearly identify those tasks during the
initial HIPAA implementation phase.
Response: The regulation itself outlines the tasks of the privacy
official, by specifying the policies and procedures required, and
otherwise explaining the duties of covered entities. Given the wide
variation in the function and size of covered entities, providing
further detail here would unnecessarily reduce flexibility for covered
entities. We will, however, provide technical assistance in the form of
guidance on the various provisions of the regulation before the
compliance date.
Comment: Some comments expressed concern that the regulation would
require a company with subsidiaries to appoint a privacy official
within each subsidiary. Instead they argued that the corporate entity
should have the option of designating a single corporate official
rather than one at each subsidiary.
Response: In the final regulation, we give covered entities with
multiple subsidiaries that meet the definition of covered entities
under this rule the flexibility to designate whether such subsidiaries
are each a separate covered entity or are together a single covered
entity. (See Sec. 164.504(b) for the rules requiring such designation.)
If only one covered entity is designated for the subsidiaries, only one
privacy officer is needed. Further, we do not prohibit the privacy
official of one covered entity from serving as the privacy official of
another covered entity, so long as all the requirements of this rule
are met for each such covered entity.
Section 164.530(b)--Training
Comment: A few commenters felt that the proposed provision was too
stringent, and that the content of the training program should be left
to the reasonable discretion of the covered entity.
Response: We clarify that we do not prescribe the content of the
required training; the nature of the training program is left to the
discretion of the covered entity. The scenarios in the NPRM preamble of
potential approaches to training for different sized covered entities
were intended as examples of the flexibility and scalability of this
requirement.
Comment: Most commenters on this provision asserted that
recertification/retraining every three years is excessive, restrictive,
and costly. Commenters felt that retraining intervals should be left to
the discretion of the covered entity. Some commenters supported
retraining only in the event of a material change. Some commenters
supported the training requirement as specified in the NPRM.
Response: For the reasons cited by the commenters, we eliminate the
triennial recertification requirements in the final rule. We also
clarify that retraining is not required every three years. Retraining
is only required in the case of material changes to the privacy
policies and procedures of the covered entity.
Comment: Several commenters objected to the burden imposed by
required signatures from employees after they are trained. Many
commenters suggested that electronic signatures be accepted for various
reasons. Some felt that it would be less costly than manually
producing, processing, and retaining the hard copies of the forms. Some
suggested sending out the notice to the personal workstation via email
or some other electronic format and having staff reply via email. One
commenter suggested that the covered entity might opt to give web based
training instead of classroom or some other type. The commenter
indicated that with web based training, the covered entity could record
whether or not an employee had received his or her training through the
use of a guest book or registration form on the web site. Thus, a
physical signature should not be required.
Response: We agree that there are many appropriate mechanisms by
which covered entities can implement their training programs, and
therefore remove this requirement for signature. We establish only a
general requirement that covered entities document compliance with the
training requirement.
Comment: Some commenters were concerned that there was no proposed
requirement for business associates to receive training and/or to train
their employees. The commenters believed that if the business associate
violated any privacy requirements, the covered entity would be held
accountable. These commenters urged the Secretary to require periodic
training for appropriate management personnel assigned outside of the
component unit of the covered entity, including business associates.
Other commenters felt that it would not be fair to require covered
entities to impose training requirements on business associates.
Response: We do not have the statutory authority directly to
require business associates to train their employees. We also believe
it would be unnecessarily burdensome to require covered entities to
monitor business associates' establishment of specific training
requirements. Covered entities' responsibility for breaches of privacy
by their business associates is described in Secs. 164.504(e) and
164.530(f). If a covered entity believes that including a training
requirement in one or more of its business associate contracts is an
appropriate means of protecting the health information provided to the
business associate, it is free to do so.
Comments: Many commenters argued that training, as well as all of
the other administrative requirements, are too costly for covered
entities and that small practices would not be able to bear the added
costs. Commenters also suggested that HHS should provide training
materials at little, or no, cost to the covered entity.
Response: For the final regulation, we make several changes to the
proposed provisions. We believe that these changes address the issue of
administrative cost and burden to the greatest extent possible,
consistent with protecting the privacy of health information. In
enforcing the privacy rule, we expect to provide general training
materials. We also hope to work with professional associations and
other groups that target classes of providers, plans and patients, in
developing specialized material for these groups.
We note that, under long-standing legal principles, entities are
generally responsible for the actions of their workforce. The
requirement to train workforce members to implement the covered
entity's privacy policies and procedures, and do such things as pass
evidence of potential problems to those responsible, is in line with
these principles. For example, the comments and our fact finding
indicate that, today, many hospitals require their workforce members to
sign a confidentiality agreement, and include confidentiality matters
in their employee handbooks.
Section 164.530(c)--Safeguards
Comments: A few comments assert that the rule requires some
institutions that do not have adequate resources to develop costly
physical and technical safeguards without providing a funding mechanism
to do so. Another comment said that the vague definitions of adequate
and appropriate safeguards could be interpreted by HHS to require the
purchase of new computer systems and reprogram many old ones. A few
other comments suggested that the safeguards language was vague and
asked for more specifics.
Response: We require covered entities to maintain safeguards
adequate for their operations, but do not require that
[[Page 82746]]
specific technologies be used to do so. Safeguards need not be
expensive or high-tech to be effective. Sometimes, it is an adequate
safeguard to put a lock on a door and only give the keys to those who
need access. As described in more detail in the preamble discussion of
Sec. 164.530, we do not require covered entities to guarantee the
safety of protected health information against all assaults. This
requirement is flexible and scalable to allow implementation of
required safeguards at a reasonable cost.
Comments: A few commenters noted that once protected health
information becomes non-electronic, by being printed for example, it
escapes the protection of the safeguards in the proposed Security Rule.
They asked if this safeguards requirement is intended to install
similar security protections for non-electronic information.
Response: This provision is not intended to incorporate the
provisions in the proposed Security regulation into this regulation, or
to otherwise require application of those provisions to paper records.
Comments: Some commenters said that it was unclear what
``appropriate'' safeguards were required by the rule and who
establishes the criteria for them. A few noted that the privacy
safeguards were not exactly the same as the security safeguards, or
that the ``other safeguards'' section was too vague to implement. They
asked for more clarification of safeguards requirements and flexible
solutions.
Response: In the preamble discussion of Sec. 164.530, we provide
examples of types of safeguards that can be appropriate to satisfy this
requirement. Other sections of this regulation require specific
safeguards for specific circumstances. The discussion of the
requirements for ``minimum necessary'' uses and disclosures of
protected health information includes related guidance for developing
role-based access policies for a covered entity's workforce. The
requirements for ``component entities'' include requirements for
firewalls to prevent access by unauthorized persons. The proposed
Security Rule included further details on what safeguards would be
appropriate for electronic information systems. The flexibility and
scalability of these rules allows covered entities to analyze their own
needs and implement solutions appropriate for their own environment.
Comments: A few comments asked for a requirement for a firewall
between a health care component and the rest of a larger organization
as another appropriate safeguard.
Response: We agree, and have incorporated such a requirement in
Sec. 164.504.
Comments: One commenter agreed with the need for administrative,
physical, and technical safeguards, but took issue with our
specification of the type of documentation or proof that the covered
entity is taking action to safeguard protected health information.
Response: This privacy rule does not require specific forms of
proof for safeguards.
Comments: A few commenters asked that, for the requirement for a
signed certification of training and the requirements for verification
of identity, we consider the use of electronic signatures that meet the
requirements in the proposed security regulation to meet the
requirements of this rule.
Response: In this final rule, we drop the requirements for signed
certifications of training. Signatures are required elsewhere in this
regulation, for example, for a valid authorization. In the relevant
sections we clarify that electronic signatures are sufficient provided
they meet standards to be adopted under HIPAA. In addition, we do not
intend to interfere with the application of the Electronic Signature in
Global and National Commerce Act.
Comments: A few commenters requested that the privacy requirements
for appropriate administrative, technical, and physical safeguards be
considered to have been met if the requirements of the proposed
Security Rule have been met. Others requested that the safeguards
requirements of the final Privacy Rule mirror or be harmonized with the
final Security Rule so they do not result in redundant or conflicting
requirements.
Response: Unlike the proposed regulation, the final regulation
covers all protected health information, not just information that had
at some point been electronic. Thus, these commenters' assumption that
the proposed Privacy Rule and the proposed Security Rule covered the
same information is not the case, and taking the approach suggested by
these comments would leave a significant number of health records
unprotected. The safeguards required by this regulation are appropriate
for both paper and electronic information. We will take care to ensure
that the final Security Rule works in tandem with these requirements.
Comments: One commenter requested that the final privacy rule be
published before the final Security Rule, recognizing that the privacy
policies must be in place before the security technology used to
implement them could be worked out. Another commenter asked that the
final Security Rule be published immediately and not wait for an
expected delay while privacy policies are worked out.
Response: Now that this final privacy rule has been published in a
timely manner, the final Security Rule can be harmonized with it and
published soon.
Comments: Several commenters echoed an association recommendation
that, for those organizations that have implemented a computer based
patient record that is compliant with the requirements of the proposed
Security Rule, the minimum necessary rule should be considered to have
been met by the implementation of role-based access controls.
Response: The privacy regulation applies to paper records to which
the proposed Security Rule does not apply. Thus, taking the approach
suggested by these comments would leave a significant number of health
records unprotected. Further, since the final Security Rule is not yet
published and the number of covered entities that have implemented this
type of computer-based patient record systems is still small, we cannot
make a blanket statement. We note that this regulation requires covered
entities to develop role-based access rules, in order to implement the
requirements for ``minimum necessary'' uses and disclosures of
protected health information. Thus, this regulation provides a
foundation for the type of electronic system to which these comments
refer.
Section 164.530(d)--Complaints to the Covered Entity
Comment: Several commenters felt that some form of due process is
needed when it comes to internal complaints. Specifically, they wanted
to be assured that the covered entity actually hears the complaints
made by the individual and that the covered entity resolves the
complaint within a reasonable time frame. Without due process the
commenters felt that the internal complaint process is open ended. Some
commenters wanted the final rule to include an appeals process for
individuals if a covered entity's determination in regards to the
complaint is unfavorable to the individual.
Response: We do not require covered entities to implement any
particular due process or appeals process for complaints, because we
are concerned about the burden this could impose on covered entities.
We provide individuals with an alternative to take their complaints to
the Secretary. We believe that this provides incentives for
[[Page 82747]]
covered entities to implement a complaint process that resolves
complaints to individuals' satisfaction.
Comment: Some commenters felt that the individual making the
complaint should exhaust all other avenues to resolve their issues
before filing a complaint with the Secretary. A number of commenters
felt that any complaint being filed with the Secretary should include
documentation of the reviews done by the covered entity.
Response: We reject these suggestions, for two reasons. First, we
want to avoid establishing particular process requirements for covered
entities' complaint programs. Also, this rule does not require the
covered entity to share any information with the complainant, only to
document the receipt of the complaint and the resolution, if any.
Therefore, we cannot expect the complainant to have this information
available to submit to the Secretary. Second, we believe the individual
making the complaint should have the right to share the complaint with
the Secretary at any point in time. This approach is consistent with
existing civil rights enforcement programs for which the Department is
responsible. Based on that experience, we believe that most complaints
will come first to covered entities for disposition.
Comment: Some commenters wanted the Department to prescribe a
minimum amount of time before the covered entity could dispose of the
complaints. They felt that storing these complaints indefinitely would
be cumbersome and expensive.
Response: We agree, and in the final rule require covered entities
to keep all items that must be documented, including complaints, for at
least six years from the date of creation.
Comments: Some commenters objected to the need for covered entities
to have at least one employee, if not more, to deal with complaints.
They felt that this would be costly and is redundant in light of the
designation of a contact person to receive complaints.
Response: We do not require assignment of dedicated staff to handle
complaints. The covered entity can determine staffing based on its
needs and business practices. We believe that consumers need one clear
point of contact for complaints, in order that this provision
effectively inform consumers how to lodge complaints and so that the
compliant will get to someone who knows how to respond. The contact
person (or office) is for receipt of complaints, but need not handle
the complaints.
Section 164.530(e)--Sanctions
Comment: Commenters argued that most covered entities already have
strict sanctions in place for violations of a patient's privacy, either
due to current laws, contractual obligations, or good operating
practices. Requiring covered entities to create a formal sanctioning
process would be superfluous.
Response: We believe it is important for the covered entity to have
these sanction policies and procedures documented so that employees are
aware of what actions are prohibited and punishable. For entities that
already have sanctions policies in place, it should not be problematic
to document those policies. We do not define the particular sanctions
that covered entities must impose.
Comment: Several commenters agreed that training should be provided
and expectations should be clear so that individuals are not sanctioned
for doing things that they did not know were wrong or inappropriate. A
good faith exception should be included in the final rule to protect
these individuals.
Response: We agree that employees should be trained to understand
the covered entity's expectations and understand the consequences of
any violation. This is why we are requiring each covered entity to
train its workforce. However, we disagree that a good faith exception
is explicitly needed in the final rule. We leave the details of
sanctions policies to the discretion of the covered entity. We believe
it is more appropriate to leave this judgment to the covered entity
that will be familiar with the circumstances of the violation, rather
than to specify such requirements in the regulation.
Comment: Some commenters felt that the sanctions need to reach
business partners as well, not just employees of the covered entities.
These commenters felt all violators should be sanctioned, including
government officials and agencies.
Response: All members of a covered entity's workforce are subject
to sanctions for violations, including government officials who are
part of a covered entity's workforce. Requirements for addressing
privacy violations by business associates are discussed in
Secs. 164.504(e) and 164.530(f).
Comments: Many commenters appreciated the flexibility left to the
covered entities to determine sanctions. However, some were concerned
that the covered entity would need to predict each type of violation
and the associated sanction. They argue that, if the Department could
not determine this in the NPRM, then the covered entities should be
allowed to come up with sanctions as appropriate at the time of the
violation. Some commenters wanted a better explanation and
understanding of what HHS' expectation is of when is it appropriate to
apply sanctions. Some commenters felt that the sanctioning requirement
is nebulous and requires independent judgment of compliance; as a
result it is hard to enforce. Offending individuals may use the
vagueness of the standard as an defense.
Response: We agree with the commenters that argue that covered
entities should be allowed to determine the specific sanctions as
appropriate at the time of the violation. We believe it is more
appropriate to leave this judgment to the covered entity, because the
covered entity will be familiar with the circumstances of the violation
and the best way to improve compliance.
Comment: A commenter felt that the self-imposition of this
requirement is an inadequate protection, as there is an inherent
conflict of interest when an entity must sanction one of its own.
Response: We believe it is in the covered entity's best interests
to appropriately sanction those individuals who do not follow the
outlined policies and procedures. Allowing violations to go unpunished
may lead bigger problems later, and result in complaints being
registered with the Department by aggrieved parties and/or an
enforcement action.
Comment: This provision should cover all violations, not just
repeat violations.
Response: We do not limit this requirement to repeat offenses.
Section 164.530(f)--Duty To Mitigate
Comments: A few commenters felt that any duty to mitigate would be
onerous, especially for small entities. One commenter supported an
affirmative duty to mitigate for employees of the covered entity, as
long as there is no prescribed mitigation policy. One commenter stated
that a requirement for mitigation is unnecessary because any prudent
entity would do it.
Some practitioner organizations as well as a health plan, expressed
concern about the obligation to mitigate in the context of the business
associate relationship. Arguing that it is unnecessary for the
regulation to explicitly extend the duty to mitigate to business
associates, commenters noted that: Any prudent entity would discipline
a vendor or employee that violates a regulation; that the matter is
best left to the terms of the contract, and that it is difficult and
expensive for a
[[Page 82748]]
business associate to have a separate set of procedures on mitigation
for each client/provider. One commenter suggested that the federal
government should fund the monitoring needed to administer the
requirement.
Response: Eliminating the requirement to mitigate harm would
undermine the purposes of this rule by reducing covered entities'
accountability to their patients for failure to protect their
confidential data. To minimize burden, we do not prescribe what
mitigation policies and procedures must be implemented. We require only
that the covered entity mitigate harm. We also assume that violations
will be rare, and so the duty to mitigate harm will rarely be
triggered. To the extent a covered entity already has methods for
mitigating harm, this rule will not pose significant burden, since we
don't require the covered entity to follow any prescribed method or set
of rules.
We also modify the NPRM to impose the duty to mitigate only where
the covered entity has actual knowledge of harm. Further reducing
burden, the rule requires mitigation ``to the extent practicable.'' It
does not require the covered entity to eliminate the harm unless that
is practicable. For example, if protected health information is
advertently provided to a third party without authorization in a
domestic abuse situation, the covered entity would be expected to
promptly contact the patient as well as appropriate authorities and
apprize them of the potential danger.
The harm to the individual is the same, whether the privacy breach
was caused by a member of the covered entity's workforce, or by a
contractor. We believe the cost of this requirement to be minimal for
covered entities that engage in prudent business practices for
exchanging protected health information with their business associates.
Comment: A few commenters noted that it is difficult to determine
whether a violation has resulted in a deleterious effect, especially as
the entity cannot know all places to which information has gone and
uses that have been made of it. Consequently, there should be a duty to
mitigate even if a deleterious effect cannot be shown, because the
individual has no other redress.
Response: As noted above, this provision only applies if the
covered entity has actual knowledge of the harm, and requires
mitigation ``to the extent practicable.'' The covered entity is
expected to take reasonable steps based on knowledge of where the
information has been disclosed, how it might be used to cause harm to
the patient or another individual, and what steps can actually have a
mitigating effect in that specific situation.
Comments: Commenters stated that the language of the regulation was
in some places vague and imprecise thus providing covered entities with
insufficient guidance and allowing variation in interpretation.
Commenters also noted that this could result in inconsistency in
implementation as well as permitting such inconsistency to be used as a
defense by an offending entity. Particular language for which at least
one commenter requested clarification included ``reasonable steps'' and
what is entailed in the duty to mitigate.
Response: We considered ways in which we might increase
specificity, including defining ``to the extent practicable'' and
``reasonable steps'' and relating the mitigating action to the
deleterious impact. While this approach could remove from the covered
entity the burden of decision-making about actions that need to be
taken, we believe that other factors outweighed this potential benefit.
Not only would there be a loss of desirable flexibility in
implementation, but it would not be possible to define ``to the extent
practicable'' in a way that makes sense for all types of covered
entities. We believe that allowing flexibility and judgment by those
familiar with the circumstances to dictate the approach is the best
approach to mitigating harm.
Section 164.530(g)--Refraining From Intimidating or Retaliatory Acts
Comment: Several commenters stated that the regulation should
prohibit covered entities from engaging in intimidating or retaliatory
acts against any person, not just against the ``individual,'' as
proposed. They suggested adding ``or other person or entity'' after
``any individual.''
Response: We agree, and allow any person to file a compliant with
the Secretary. ``Person'' is not limited to natural persons, but
includes any type of organization, association or group such as other
covered entities, health oversight agencies and advocacy groups.
Comment: A few commenters suggested deleting this provision in its
entirety. One commenter indicated that the whistleblower and
retaliation provisions could be inappropriately used against a hospital
and that the whistleblower's ability to report numerous violations will
result in a dangerous expansion of liability. Another commenter stated
that covered entities could not take action against an employee who had
violated the employer's privacy provisions if this employee files a
complaint with the Secretary.
Several commenters suggested deleting ``in any manner'' and ``or
opposing any act or practice made unlawful by this subpart'' in
Sec. 164.522(d)(4). The commenters indicated that, as proposed, the
rule would make it difficult to enforce compliance within the
workforce. One commenter stated that the proposed 164.522(d)(4) ``is
extremely broad and may allow an employee to reveal protected health
information to fellow employees, the media and others (e.g., an
employee may show a medical record to a friend or relative before
filing a complaint with the Department). This commenter further stated
that covered entities will ``absolutely be prevented from prohibiting
such conduct.'' One commenter suggested adding that a covered entity
may take disciplinary action against any member of its work force or
any business partner who uses or discloses individually identifiable
health information in violation of this subpart in any manner other
than through the processes set forth in the regulation.
Response: To respond to these comments, we make several changes to
the proposed provision.
First, where the activity does not involve the filing of a
complaint under Sec. 160.306 of this part or participation in an
investigation or proceeding initiated by the government under the rule,
we delete the phrase ``in any manner'' and add a requirement that the
individual's opposition to ``any act or practice'' made unlawful by
this subpart be in good faith, and that the expression of that
opposition must be reasonable. Second, we add a requirement that the
individual's opposition to ``any act or practice'' made unlawful by
this subpart must not involve a disclosure of protected health
information that is in violation of this subpart. Thus, the employee
who discloses protected health information to the media or friends is
not protected. In providing interpretations of the retaliation
provision, we will consider existing interpretations of similar
provisions such as the guidance issued by EEOC in this regard.
Section 164.530(h)--Waiver of Rights
There are no comments directly about this section because it was
not included in the proposed rule.
Section 164.530(i)--Policies and Procedures and Sec. 164.530(j)--
Documentation Requirements
Comments: Many of the comments to this provision addressed the
costs and
[[Page 82749]]
complexity of the regulation as a whole, not the additional costs of
documenting policies and procedures per se. Some did, either implicitly
or explicitly, object to the need to develop and document policies and
procedures as creating excessive administrative burden. Many of these
commenters also asserted that there is a contradiction between the
administrative burden of this provision and one of the statutory
purposes of this section of the HIPAA to reduce costs through
administrative simplification. Suggested alternatives were generally
reliance on existing regulations and ethical standards, or on current
business practices.
Response: A specific discussion of cost and burden is found in the
Regulatory Impact Analysis of this final rule.
We do not believe there is a contradiction between the
administrative costs of this provision and of the goal of
administrative simplification. In the Administrative Simplification
provisions of the HIPAA, Congress combined a mandate to facilitate the
efficiencies and cost savings for the health care industry that the
increasing use of electronic technology affords, with a mandate to
improve privacy and confidentiality protections. Congress recognized,
and we agree, that the benefits of electronic commerce can also cause
increased vulnerability to inappropriate access and use of medical
information, and so must be balanced with increased privacy
protections. By including the mandate for privacy standards in section
264 of the HIPAA, Congress determined that existing regulations and
ethical standards, and current business practices were insufficient to
provide the necessary protections.
Congress mandated that the total benefits associated with
administrative simplification must outweigh its costs, including the
costs of implementing the privacy regulation. We are well within this
mandate.
Comments: Several commenters suggested that the documentation
requirements not be established as a standard under the regulation,
because standards are subject to penalties. They recommend we delete
the documentation standards and instead provide specific guidance and
technical assistance. Several commenters objected to the suggestion in
the NPRM that professional associations assist their members by
developing appropriate policies for their membership. Several
commentators representing professional associations believed this to be
an onerous and costly burden for the associations, and suggested
instead that we develop specific models which might require only minor
modification. Some of these same associations were also concerned about
liability issues in developing such guidelines. One commenter argued
that sample forms, procedures, and policies should be provided as part
of the Final Rule, so that practitioners would not be overburdened in
meeting the demands of the regulations. They urged us to apply this
provision only to larger entities.
Response: The purpose of requiring covered entities to develop
policies and procedures for implementing this regulation is to ensure
that important decisions affecting individuals' rights and privacy
interests are made thoughtfully, not on an ad hoc basis. The purpose of
requiring covered entities to maintain written documentation of these
policies is to facilitate workforce training, and to facilitate
creation of the required notice of information practices. We further
believe that requiring written documentation of key decisions about
privacy will enhance accountability, both within the covered entity and
to the Department, for compliance with this regulation.
We do not include more specific guidance on the content of the
required policies and procedures because of the vast difference in the
size of covered entities and types of covered entities' businesses. We
believe that covered entities should have the flexibility to design the
policies and procedures best suited to their business and information
practices. We do not exempt smaller entities, because the privacy of
their patients is no less important than the privacy of individuals who
seek care from large providers. Rather, to address this concern we
ensure that the requirements of the rule are flexible so that smaller
covered entities need not follow detailed rules that might be
appropriate for larger entities with complex information systems.
We understand that smaller covered entities may require some
assistance, and intend to provide such technical assistance after
publication of this rule. We hope to work with professional
associations and other groups that target classes of providers, plans
and patients, in developing specialized material for these groups. Our
discussions with several such organizations indicate their intent to
work on various aspects of model documentation, including forms.
Because the associations' comments regarding concerns about liability
did not provide sufficient details, we cannot address them here.
Comment: Many commenters discussed the need for a recognition of
scalability of the policies and procedures of an entity based on size,
capabilities, and needs of the participants. It was noted that the
actual language of the draft regulations under Sec. 164.520 did not
address scalability, and suggested that some scalability standard be
formally incorporated into the regulatory language and not rely solely
on the NPRM introductory commentary.
Response: In Sec. 164.530(i)(1) of the final rule, we specify that
we require covered entities to implement policies and procedures that
take into account the size of the covered entity and the types of
activities that relate to protected health information undertaken by
the covered entity.
Comment: One commenter objected to our proposal to allow covered
entities to make uses or disclosures not permitted by their current
notice if a compelling reason exists to make the use or disclosure and
the entity documents the reasons and changes its policies within 30
days of the use or disclosure. The commenter argued that the subjective
language of the regulation might give entities the ability to engage in
post hoc justifications for violations of their own information
practices and policies. The commenter suggested that there should be an
objective standard for reviewing the covered entity's reasons before
allowing the covered entity to amend its policies.
Response: We eliminate this provision from the final rule. The
final rule requires each covered entity to include in its notice of
information practices a statement of all permitted uses under this
rule, not just those in which the covered entity actually engages in at
the time of that notice.
Comment: Some commenters expressed concern that the required
retention period in the NPRM applied to the retention of medical
records.
Response: The retention requirement of this regulation only applies
to the documentation required by the rule, for example, keeping a
record of accounting for disclosures or copies of policies and
procedures. It does not apply to medical records.
Comments: Comments on the six year retention period were mixed.
Some commenters endorsed the six-year retention period for maintaining
documentation. One of the comments stated this retention period would
assist physicians legally. Other commenters believed that the retention
period would be an undue burden. One commenter noted that most State
Board of Pharmacy regulations require
[[Page 82750]]
pharmacies to keep records for two years, so the six year retention
period would triple document retention costs.
Response: We established the retention period at six years because
this is the statute of limitations for the civil monetary penalties.
This rule does not apply to all pharmacy records, but only to the
documentation required by this rule.
Section 164.530(k)--Group Health Plans
There were no comments directly about this section because it was
not included in the proposed rule.
Section 164.532--Transition Provisions
Comment: Commenters urged the Department to clarify whether the
``reach of the transition requirement'' is limited to a particular time
frame, to the provider's activities in a particular job, or work for a
particular employer. For example, one commenter questioned how long a
nurse is a covered entity after she moves from a job reviewing files
with protected health information to an administrative job that does
not handle protected health information; or whether an occupational
health nurse who used to transmit first reports of injury to her
company's workers' compensation carrier last year but no longer does so
this year because of a carrier change still is a covered entity.
Response: Because this comment addresses a question of enforcement,
we will address it in the enforcement regulation.
Comment: Several commenters sought clarification as to the
application of the privacy rule to research already begun prior to the
effective date or compliance date of the final rule. These commenters
argued that applying the privacy rule to research already begun prior
the rule's effective date would substantially overburden IRBs and that
the resulting research interruptions could harm participants and
threaten the reliability and validity of conclusions based upon
clinical trial data. The commenters recommended that the rule
grandfather in any ongoing research that has been approved by and is
under the supervision of an IRB.
Response: We generally agree with the concerns raised by
commenters. In the final rule, we have provided that covered entities
may rely upon consents, authorizations, or other express legal
permissions obtained from an individual for a specific research project
that includes the treatment of individuals to use or disclose protected
health information the covered entity obtained before or after the
applicable compliance date of this rule as long as certain requirements
are met. These consents, authorizations, or other express legal
permissions may specifically permit a use or disclosure of individually
identifiable health information for purposes of the project or be a
general consent of the individual to participate in the project. A
covered entity may use or disclose protected health information it
created or received before or after the applicable compliance date of
this rule for purposes of the project provided that the covered entity
complies with all limitations expressed in the consent, authorization,
or permission.
In regard to research projects that include the treatment of
individuals, such as clinical trials, covered entities engaged in these
projects will have obtained at least an informed consent from the
individual to participate in the project. In some cases, the researcher
may also have obtained a consent, authorization, or other express legal
permission to use or disclose individually identifiable health
information in a specific manner. To avoid disrupting ongoing research
and because the participants have already agreed to participate in the
project (which expressly permits or implies the use or disclosure of
their protected health information), we have grandfathered in these
consents, authorizations, and other express legal permissions.
It is unlikely that a research project that includes the treatment
of individuals could proceed under the Common Rule with a waiver of
informed consent. However, to the extent such a waiver has been
granted, we believe individuals participating in the project should be
able to determine how their protected health information is used or
disclosed. Therefore, we require researchers engaged in research
projects that include the treatment of individuals who obtained an IRB
waiver of informed consent under the Common Rule to obtain an
authorization or a waiver of such authorization from an IRB or a
privacy board under Sec. 164.512(i) of this rule.
If a covered entity obtained a consent, authorization, or other
express legal permission from the individual who is the subject of the
research, it would be able to rely upon that consent, authorization, or
permission, consistent with any limitations it expressed, to use or
disclose the protected health information it created or received prior
to or after the compliance date of this regulation. If a covered entity
wishes to use or disclose protected health information but no such
consent, authorization, or permission exists, it must obtain an
authorization pursuant to Sec. 164.508 or obtain a waiver of
authorization under Sec. 164.512(i). To the extent such a project is
ongoing and the researchers are unable to locate the individuals whose
protected health information they are using or disclosing, we believe
the IRB or privacy board under the criteria set forth in
Sec. 164.512(i) will be able to take that circumstance into account
when conducting its review. In most instances, we believe this type of
research will be able to obtain a waiver of authorization and be able
to continue uninterrupted.
Comment: Several comments raised questions about the application of
the rule to individually identifiable information created prior to (1)
the effective date of the rule, and (2) the compliance dates of the
rule. One commenter suggested that the rule should apply only to
information gathered after the effective date of the final rule. A drug
manufacturer asked what would be the effect of the rule on research on
records compiled before the effective date of the rule.
Response: We disagree with the commenter's suggestion. The
requirements of this regulation apply to all protected health
information held by a covered entity, regardless of when or how the
covered entity obtained the information. Congress required us to
adopted privacy standards that apply to individually identifiable
health information. While it limited the compliance date for health
plans, covered health care providers, and healthcare clearinghouses, it
did not provide similar limiting language with regard to individually
identifiable health information. Therefore, uses and disclosures of
protected health information made by a covered entity after the
compliance date of this regulation must meet the requirements of these
rules. Uses or disclosures of individually identifiable health
information made prior to the compliance date are not affected; covered
entities will not be sanctioned under this rule based on past uses or
disclosures that are inconsistent with this regulation.
Consistent with the definition of individually identifiable health
information in HIPAA, of which protected health information is a
subset, we do not distinguish between protected health information in
research records and protected health information in other records.
Thus, a covered entity's research records are subject to this
regulation to the extent they contain protected health information.
[[Page 82751]]
Section 164.534--Effective Date and Compliance Date
Section 1175(b)(1)(A) of the Act requires all covered entities
other than small health plans to comply with a standard or
implementation specification ``not later than 24 months after the date
on which an initial standard or implementation specification is adopted
or established''; section 1175(b)(1)(B) provides that small health
plans must comply not later than 36 months after that date. The
proposed rule provided, at proposed Sec. 164.524 (which was titled
``Effective date''), that a covered entity was required to be in
compliance with the proposed subpart E not later than 24 months
following the effective date of the rule, except that small health
plans were required to be in compliance not later than 36 months
following the effective date of the rule.
The final rules retain these dates in the text of Subpart E, but
denominate them as ``compliance dates,'' to distinguish the statutory
dates from the date on which the rules become effective. The effective
date of the final rules is 60 days following publication in the Federal
Register.
Meaning of Effective Date
Comment: A number of commenters expressed confusion about the
difference between the effective date of the rule and the effective
date on which compliance was required (the statutory compliance dates
set out at section 1175(b)(1), summarized above).
Response: The Department agrees that the title of proposed
Sec. 164.524 was confusing. Similar comments were received on the
Transactions Rule. Those comments were addressed by treating the
``effective date'' of the rule as the date on which adoption takes
effect (the ``Effective Date'' heading at the beginning of the
preamble), while the dates provided for by section 1175(b)(1) of the
statute were denominated as ``compliance dates.'' These changes are
reflected in the definition of ``compliance date'' in Sec. 160.103
below (initially published as part of the Transactions Rule) and are
also reflected at Sec. 164.524 below. Section 164.524 below has also
been reorganized to follow the organization of the analogous provisions
of the Transactions Rule. The underlying policy, however, remains as
proposed.
Extend the Compliance Date
Comment: Some commenters recommended that the compliance date be
extended. A number of comments objected that the time frame for
compliance with the proposed standards is unrealistically short. It was
pointed out that providers and others would have to do the following,
among other things, prior to the applicable compliance date: assess
their current systems and departments, determine which state laws were
preempted and which were not, update and reprogram computer systems,
train workers, create and implement the required privacy policies and
procedures, and create or update contracts with business partners. One
comment also noted that the task of coming into compliance during the
same time period with the other regulations being issued under HIPAA
would further complicate the task. These comments generally supported
an extension of the compliance dates by one or more years. Other
comments supported extending the compliance dates on the ground that
the complexity of the tasks involved in implementing the regulation
would be a heavy financial burden for providers and others, and that
they should be given more time to comply, in order to spread the
associated capital and workforce costs over a longer period. It was
also suggested that there be provision for granting extensions of the
compliance date, based on some criteria, such as a good faith effort to
comply or that the compliance dates be extended to two years following
completion of a ``state-by-state preemption analysis'' by the
Department.
Response: The Secretary acknowledges that covered entities will
have to make changes to their policies and procedures during the period
between the effective date of the rules below and the applicable
compliance dates. The delayed compliance dates which the statute
provides for constitute a recognition of the fact changes will be
required and are intended to permit covered entities to manage and
implement these changes in an orderly fashion. However, because the
time frames for compliance with the initial standards are established
by statute, the Secretary has no discretion to extend them: Compliance
is statutorily required ``not later than'' the applicable compliance
date. Nor do we believe that it would be advisable to accomplish this
result by delaying the effective date of the final rules beyond 60
days. Since the Transactions Rule is now in effect, it is imperative to
bring the privacy protections afforded by the rules below into effect
as soon as possible. Retaining the delayed effective date of 60 days,
as originally contemplated, will minimize the gap between transactions
covered by those rules and not also afforded protection under the rules
below.
Phase-in Requirements
Comment: Several comments suggested that the privacy standards be
phased in gradually, to ease the manpower and cost burdens of
compliance. A couple of equipment manufacturing groups suggested that
updating of various types of equipment would be necessary for
compliance purposes, and suggested a phased approach to this--for
example, an initial phase consisting of preparation of policies, plans,
and risk assessments, a second phase consisting of bringing new
equipment into compliance, and a final phase consisting of bringing
existing equipment into compliance.
Response: As noted in the preceding response, section 1175(b)(1)
does not allow the Secretary discretion to change the time frame within
which compliance must be achieved. Congress appears to have intended
the phasing in of compliance to occur during the two-year compliance
period, not thereafter.
Compliance Gap Vis-a-Vis State Laws and Small Health Plans
Comment: Several comments stated that, as drafted, the preemption
provisions would be effective as of the rule's effective date (i.e., 60
days following publication), even though covered entities would not be
required to comply with the rules for at least another two years.
According to these comments, the ``preempted'' state laws would not be
in effect in the interim, so that the actual privacy protection would
decrease during that period. A couple of comments also expressed
concern about how the preemption provisions would work, given the one-
year difference in applicable compliance dates for small health plans
and other covered entities. A state medical society pointed out that
this gap would also be very troublesome for providers who deal with
both ``small health plans'' and other health plans. One comment asked
what entities that decided to come into compliance early would have to
do with respect to conflicting state laws and suggested that, since all
parties ``need to know with confidence which laws govern at the moment,
* * * [t]here should be uniform effective dates.''
Response: We agree that clarification is needed with respect to the
applicability of state laws in the interim between the effective date
and the compliance dates. What the comments summarized above appeared
to assume is that the preemption provisions of section 1178 operate to
broadly and generally invalidate any state law that comes within their
ambit. We do not agree that this is the effect of section
[[Page 82752]]
1178. Rather, what section 1178 does--where it acts to preempt--is to
preempt the state law in question with respect to the actions of
covered entities to which the state law applies. Thus, if a provision
of state law is preempted by section 1178, covered entities within that
state to which the state law applies do not have to comply with it, and
must instead comply with the contrary federal standard, requirement, or
implementation specification. However, as compliance with the contrary
federal standard, requirement, or implementation specification is not
required until the applicable compliance date, we do not view the state
law in question as meeting the test of being ``contrary.'' That is,
since compliance with the federal standard, requirement, or
implementation standard is not required prior to the applicable
compliance date, it is possible for covered entities to comply with the
state law in question. See Sec. 160.202 (definition of ``contrary'').
Thus, since the state law is not ``contrary'' to an applicable federal
standard, requirement, or implementation specification in the period
before which compliance is required, it is not preempted.
Several implications of this analysis should be spelled out. First,
one conclusion that flows from this analysis is that preemption is
specific to covered entities and does not represent a general
invalidation of state law, as suggested by many commenters. Second,
because preemption is covered entity-specific, preemption will occur at
different times for small health plans than it will occur for all other
covered entities. That is, the preemption of a given state law for a
covered entity, such as a provider, that is covered by the 24-month
compliance date of section 1175(b)(1)(A) will occur 12 months earlier
than the preemption of the same state law for a small health plan that
is covered by the 36-month compliance date of section 1175(b)(1)(B).
Third, the preemption occurs only for covered entities; a state law
that is preempted under section 1178(a)(1) would not be preempted for
persons and entities to which it applies who are not covered entities.
Thus, to the extent covered entities or non-covered entities follow the
federal standards on a voluntary basis (i.e., the covered entity prior
to the applicable compliance date, the non-covered entity at any time),
the state law in question will not be preempted for them.
Small Health Plans
Comment: Several comments, pointing to the ``Small Business''
discussion in the preamble to the proposed rules, applauded the
decision to extend the compliance date to three years for small
businesses. It was requested that the final rules clarify that the
three year compliance date applies to small doctors offices and other
small entities, as well as to small health plans.
Response: We recognize that our discussion in the preamble to the
proposed rules may have suggested that more covered entities came
within the 36 month compliance date than is in fact the case. Again,
this is an area in which we are limited by statute. Under section
1175(b) of the Act, only small health plans have three years to come
into compliance with the standards below. Thus, other ``small
businesses'' that are covered entities must comply by the two-year
compliance date.
Coordination With the Security Standard
Comment: Several comments suggested that the security standard be
issued either with or after the privacy standards. It was argued that
both sets of standards deal with protecting health information and will
require extensive personnel training and revisions to business
practices, so that coordinating them would make sense. An equipment
manufacturers group also pointed out that it would be logical for
covered entities and their business partners to know what privacy
policies are required in purchasing security systems, and that ``the
policies on privacy are implemented through the security standards
rather than having already finalized security standards drive policy.''
Response: We agree with these comments, and are making every effort
to coordinate the final security standards with the privacy standards
below. The privacy standards below are being published ahead of the
security standards, which is also responsive to the stated concerns.
Prospective Application
Comment: Several comments raised questions about the application of
the rule to individually identifiable information created prior to (1)
the effective date of the rule, and (2) the compliance dates of the
rule. One provider group suggested that the rule should apply only to
information gathered after the effective date of the final rule. A drug
manufacturer asked what would be the effect of the rule on research on
records compiled before the effective date of the rule.
Response: These comments are addressed in connection with the
discussion of Sec. 164.532 above.
Impact Analyses
Cost/Benefit Analysis
Comment: Many commenters made general statements to the effect that
the cost estimates for implementing the provisions of the proposed
regulation were incomplete or greatly understated.
Response: The proposal, including the cost analysis, is, in effect,
a first draft. The purpose of the proposal was to solicit public
comment and to use those comments to refine the final regulation. As a
result of the public comment, the Department has significantly refined
our initial cost estimates for implementing this regulation. The cost
analysis below reflects a much more complete analysis of the major
components of the regulation than was presented in the proposal.
Comment: Numerous commenters noted that significant areas of
potential cost had not been estimated and that if they were estimated,
they would greatly increase the total cost of the regulation. Potential
cost areas identified by various respondents as omitted from the
analyses include the minimum disclosure requirements; the requisite
monitoring by covered entities of business partners with whom they
share private health information; creation of de-identified
information; internal complaint processes; sanctions and enforcement;
the designation of a privacy official and creation of a privacy board;
new requirements for research/optional disclosures; and future
litigation costs.
Response: We noted in the proposed rule that we did not have data
from which to estimate the costs of many provisions, and solicited
comments providing such data. The final analysis below reflects the
best estimate possible for these areas, based on the information
available. The data and the underlying assumptions are explained in the
cost analysis section below.
Comment: A number of comments suggested that the final regulation
be delayed until more thorough analyses could be undertaken and
completed. One commenter stated that the Department should refrain from
implementing the regulation until a more realistic assessment of costs
could be made and include local governments in the process. Similarly,
a commenter requested that the Department assemble an outside panel of
health industry experts, including systems analysts, legal counsel, and
management consultants to develop stronger estimates.
Response: The Department has engaged in extensive research, data
collection and fact-finding to improve
[[Page 82753]]
the quality of its economic analysis. This has included comments from
and discussions with the kinds of experts one commenter suggested. The
estimates represent a reasonable assessment of the policies proposed.
Comment: Several commenters indicated that the proposed regulation
would impose significant new costs on providers' practices.
Furthermore, they believe that it runs counter to the explicit
statutory intent of HIPAA's Administrative Simplification provisions
which require that ``any standard adopted * * * shall be consistent
with the objective of reducing the administrative costs of providing
and paying for health care.''
Response: As the Department explained in the Transactions Rule,
this provision applies to the administrative simplification regulations
of HIPAA in the aggregate. The Transactions Rule is estimated to save
the health care system $29.9 billion in nominal dollars over ten years.
Other regulations published pursuant to the administrative
simplification authority in HIPAA, including the privacy regulation,
will result in costs, but these costs are within the statutory
directive so long as they do not exceed the $29.9 billion in estimated
savings. Furthermore, as explained in the Transactions Rule, and the
preamble to this rule, assuring privacy is essential to sustaining many
of the advances that computers will provide. If people do not have
confidence that their medical privacy will be protected, they will be
much less likely to allow their records to be used for any purpose or
might even avoid obtaining necessary medical care.
Comment: Several commenters criticized the omission of aggregate,
quantifiable benefit estimates in the proposed rule. Some respondents
argued that the analysis in the proposed rule used ``de minimis'' cost
estimates to argue only that benefits would certainly exceed such a low
barrier. These commenters further characterized the benefits analysis
in the Notice of Proposed Rulemaking as ``hand waving'' used to divert
attention from the fact that no real cost-benefit comparison is
presented. Another commenter stated that the benefit estimates rely
heavily on anecdotal and unsubstantiated inferences. This respondent
believes that the benefit estimates are based on postulated, but
largely unsubstantiated causal linkages between increased privacy and
earlier diagnosis and medical treatment.
Response: The benefits of privacy are diffused and intangible but
real. Medical privacy is not a good people buy or sell in a market;
therefore, it is very difficult to quantify. The benefits discussion in
the proposal reflects this difficulty. The examples presented in the
proposal were meant to be illustrative of the benefits based on a few
areas of medicine where some relevant data was available.
Unfortunately, no commenters provided either a better methodological
approach or better data for assessing the overall benefits of privacy.
Therefore, we believe the analysis in the proposal represents a valid
illustration of the benefits of privacy, and we do not believe it is
feasible to provide an overall dollar estimate of the benefits of
privacy in the aggregate.
Comment: One commenter criticized the benefit analysis as being
incomplete because it did not consider the potential cost of new
treatments that might be engendered by increased confidence in medical
privacy resulting from the regulation.
Response: There is no data or model to reliably assess such long-
term behavioral and scientific changes, nor to determine what portion
of the increasingly rapid evolution of new improved treatments might
stem from improved privacy protections. Moreover, to be complete, such
analysis would have to include the savings that might be realized from
earlier detection and treatment. It is not possible at this time to
project the magnitude or even the direction of the net effects of the
response to privacy that the commenter suggests.
Scope of the Regulation
Comment: Numerous commenters noted the potential cost and burden of
keeping track in medical records of information which had been
transmitted electronically, which would be subject to the rule, as
opposed to information that had only been maintained in paper form.
Response: This argument was found to have considerable merit and
was one of the reasons that the Department concluded that the final
regulation should apply to all medical records maintained by covered
entities, including information that had never been transmitted
electronically. The costs analysis below reflects the change in scope.
Notice Requirements
Comment: Several commenters expressed their belief that the
administrative and cost burdens associated with the notice requirements
were understated in the proposed rule. While some respondents took
issue with the policy development cost estimates associated with the
notice, more were focused on its projected implementation and
production costs. For example, one respondent stated that determining
``first service'' would be an onerous task for many small practices,
and that provider staff will now have to manually review each patient's
chart or access a computer system to determine whether the patient has
been seen since implementation of the rule.
Response: The policy in the final rule has been changed to make the
privacy policy notice to patients less burdensome. Providers will be
able to distribute the notice when a patient is seen and will not have
to distribute it to a patient more than once, unless substantive
changes are made in the notice. This change will significantly reduce
the cost of distributing the privacy notices.
Comment: Some commenters also took issue with the methodology used
to calculate the cost estimates for notices. These respondents believe
that the survey data used in the proposed rule to estimate the costs
(i.e., ``encounters,'' ``patients,'' and ``episodes'' per year) are
very different concepts that, when used together, render the purported
total meaningless. Commenters further stated that they can verify the
estimate of 543 million patients cited as being seen at least once
every five years.
Response: In the course of receiving treatment, a patient may go to
a number of medical organizations. For example, a person might see a
doctor in a physician's office, be admitted to a hospital, and later go
to a pharmacy for medication. Each time a person ``encounters'' a
facility, a medical record may be started or additions made to an
existing record. The concept in the proposal was to identify the number
of record sets that a person might have for purposes of estimating
notice and copying costs. For example, whether a person made one or ten
visits in the course of a year to a specific doctor would, for our
purposes, be one record set because in each visit the doctor would most
likely be adding information to an existing medical record. The
comments demonstrated that we had not explained the concept well. As
explained below we modified the concept to more effectively measure the
number of record sets that exist and explain it more clearly.
Comment: Several commenters criticized the lack of supporting
evidence for the cost estimates of notice development and
dissemination. Another opinion voiced in the comments is that the
estimated cost for plans of $0.75 per insured person is so low that it
may cover postage, but it
[[Page 82754]]
cannot include labor and capital usage costs.
Response: Based on comments and additional fact finding, the
Department was able to gain a better understanding of how covered
entities would develop policies and disseminate information. The cost
analysis below explains more fully how we derived the final cost
estimates for these areas.
Comment: A commenter noted that privacy policy costs assume that
national associations will develop privacy policies for members but HHS
analysis does not account for the cost to the national associations. A
provider cost range of $300-$3,000 is without justification and seems
low.
Response: The cost to the national associations was included in the
proposal estimates, and it is included in the final analysis (see
below).
Comment: A commenter states that the notice costs discussion mixes
the terms ``patients'', ``encounters'' and ``episodes'' and 397 million
encounter estimate is unclear.
Response: A clearer explanation of the concepts employed in this
analysis is provided below.
Systems Compliance Costs
Comment: Numerous commenters questioned the methodology used to
estimate the systems compliance cost and stated that the ensuing cost
estimates were grossly understated. Some stated that the regulation
will impose significant information technology costs to comply with
requirement to account for disclosures, additional costs for hiring new
personnel to develop privacy policies, and higher costs for training
personnel.
Response: Significant comments were received regarding the cost of
systems compliance. In response, the Department retained the assistance
of consultants with extensive expertise in health care information
technology. We have relied on their work to revise our estimates, as
described below. The analysis does not include ``systems compliance''
as a cost item, per se. Rather, in the final analysis we organized
estimates around the major policy provisions so the public could more
clearly see the costs associated with them. To the extent that the
policy might require systems changes (and a number of them do), we have
incorporated those costs in the provision's estimate.
Comment: Items explicitly identified by commenters as significantly
adding to systems compliance costs include tracking disclosures of
protected health information and patient authorizations; restricting
access to the data; accommodating minimum disclosure provisions;
installing notices and disclaimers; creating de-identified data;
tracking uses of protected health information by business partners;
tracking amendments and corrections; increased systems capacity; and
annual systems maintenance. The commenters noted that some of the
aforementioned items are acknowledged in the proposed rule as future
costs to covered entities, but several others are singularly ignored.
Response: The Department recognizes the validity of much of this
criticism. Unfortunately, other than general criticism, commenters
provided no specific data or methodological information which might be
used to improve the estimates. Therefore, the Department retained
consultants with extensive expertise in these areas to assess the
proposed regulation, which helped the Department refine its policies
and cost estimates.
In addition, it is important to note that the other HIPAA
administrative simplification regulations will require systems changes.
As explained generally in the cost analysis for the electronic
Transactions rule, it is assumed that providers and vendors will
undertake systems changes for these regulations collectively, thereby
minimizing the cost of changes.
Inspection and Copying
Comment: Numerous commenters disagreed with the cost estimates in
the NPRM for inspection and copying of patient records, believing that
they were too low.
Response: The Department has investigated the potential costs
through a careful reading of the comments and subsequent factfinding
discussions with a variety of providers. We believe the estimates,
explained more fully below, represent a reasonable estimate in the
aggregate. It is important to note, however, that this analysis is not
measuring the cost of all inspection and copying because a considerable
amount of this already occurs. The Department is only measuring the
incremental increase likely to occur as a result of this regulation.
Comment: One commenter speculates that, even at a minimum charge of
$.50/page, (and not including search and retrieval charges), costs
could run as high as $450 million annually.
Response: The $0.50 per page in the proposal represent an average
of several data sources. Subsequently, an industry commenter, which
provided extensive medical records copying, stated that this was a
reasonable average cost. Hence, we retained the number for the final
estimate.
Comment: One respondent states that, since the proposed rules give
patients the right to inspect and copy their medical records regardless
of storage medium, HHS must make a distinction in its cost estimates
between records stored electronically and those which must be accessed
by manual means, since these costs will differ.
Response: The cost estimates made for regulations are not intended
to provide such refined gradations; rather, they are intended to show
the overall costs for the regulation as a whole and its major
components. For inspections and copying (and virtually all other areas
for which estimates are made) estimates are based on averages;
particular providers may experience greater or lesser costs than the
average cost used in this analysis.
Comment: Several commenters noted that the Department did not
appear to include the cost of establishing storage systems, retrieval
fees and the cost of searching for records, and that these costs, if
included, would significantly increase the Department's estimate.
Response: Currently, providers keep and maintain medical records
and often provide copies to other providers and patients. Therefore,
much of the cost of maintaining records already exists. Indeed, based
on public comments, the Department has concluded that there will be
relatively few additional copies requested as the result of this
regulation (see below). We have measured and attributed to this
regulation the incremental cost, which is the standard for conducting
this kind of analysis.
Comment: A federal agency expressed concern over the proposal to
allow covered entities to charge a fee for copying personal health
information based on reasonable costs. The agency requests personal
health information from many covered entities and pays a fee that it
establishes. Allowing covered entities to establish the fee, the agency
fears, may cost them significantly more than the current amounts they
pay and as a result, could adversely affect their program.
Response: The proposal and the final rule establish the right to
access and copy records only for individuals, not other entities; the
``reasonable fee'' is only applicable to the individual's request. The
Department's expectation is that other existing practices regarding
fees, if any, for the exchange of records not requested by an
individual will not be affected by this rule.
[[Page 82755]]
Appending Records (Amendment and Correction)
Comment: The proposed rule estimated the cost of amending and
correcting patients' records at $75 per instance and $260 million per
year for small entities. At least one commenter stated that such
requests will rise significantly upon implementation of the regulations
and increase in direct proportion to the number of patients served.
Another commenter described the more subtle costs associated with
record amendment and correction, which would include a case-by-case
clinical determination by providers on whether to grant such requests,
forwarding the ensuing record changes to business partners, and issuing
written statements to patients on the reasons for denials, including a
recourse for complaints.
Response: The comments were considered in revising the proposal,
and the decision was made to clarify in the final regulation that
providers must only append the record (the policy is explained further
in the preamble and the regulation text). The provider is now only
required to note in the medical record any comments from the patient;
they may, but are not required to, correct any errors. This change in
policy significantly reduces the cost from the initial proposal
estimate.
Comment: Several commenters criticized the proposed rule's lack of
justification for assumptions regarding the percentage of patients who
request inspection and copying, who also request amendment and
correction. Another commenter pointed out that the cost estimate for
amendment and correction is dependent on a base assumption that only
1.5 percent of patients will request inspection of their records. As
such, if this estimate were too low by just one percentage point, then
the estimates for inspection and copying plus the costs for amendment
and correction could rise by 67 percent.
Response: Based on information and data received in the public
comments, the estimate for the number of people requesting inspection
and copying has been revised. No commenter provided specific
information on the number of amended record requests that might result,
but the Department subsequently engaged in fact-finding and made
appropriate adjustments in its estimates. The revisions are explained
further below.
Consent and Authorizations
Comment: One respondent indicated that the development, collection,
and data entry of all the authorizations will create a new transaction
type for employers, health plans, and providers, and result in
duplicated efforts among them. This commenter estimates that the costs
of mailing, re-mailing, answering inquiries, making outbound calls and
performing data entry in newly created authorization computer systems
could result in expenses of close to $2.0 billion nationally. Another
commenter indicated that authorization costs will be at least double
the notice dissemination costs due to the cost of both outbound and
return postage.
Response: Public commenters and subsequent factfinding clearly
indicate that most providers with patient contact already obtain
authorizations for release of records, so for them there is virtually
no new cost. Further, this comment does not reflect the actual
regulatory requirement. For example, there is no need to engage in
mailing and re-mailing of forms, and we do not foresee any reason why
there should be any significant calls involved.
Comment: A commenter criticized the percentage (1%) that we used to
calculate the number of health care encounters expected to result in
requests to withhold the release of protected information. This
respondent postulates that even if one in six patients who encounter
the U.S. health care system opt to restrict access to their records,
the total expected national cost per year could rise to $900 million.
Response: The final regulation requirements regarding the release
of protected health information has been substantially changed, thereby
greatly reducing the potential cost burden. A fuller explanation of the
cost is provided below in the regulatory impact analysis.
Comment: An additional issue raised by commenters was the added
cost of seeking authorizations for health promotion and disease
management activities, health care operations that traditionally did
not require such action.
Response: In the final regulation, a covered entity can use medical
information collected for treatment or operations for its own health
promotion and disease management efforts without obtaining additional
authorization. Therefore, there is no additional cost incurred.
Business Associates
Comment: A number of commenters were concerned about the cost of
monitoring business partners. Specifically, one commenter stated that
the provisions of the proposed regulation pertaining to business
partners would likely force the discontinuation of outsourcing for some
functions, thereby driving up the administrative cost of health care.
Response: The final regulation clarifies the obligations of the
business associates in assuring privacy. As explained in the preamble,
business associates must take reasonable steps to assure
confidentiality of health records they may have, and the covered entity
must take appropriate action if they become aware of a violation of the
agreement they have with the business associate. This does not
represent an unreasonable burden; indeed, the provider is required to
take the same kind of precautions and provide the same kind of
oversight that they would in many other kinds of contractual
relationships to assure they obtain the quality and level of
performance that they would expect from a business associate.
Comment: HHS failed to consider enforcement costs associated with
monitoring partners and litigation costs arising from covered entities
seeking restitution from business partners whose behavior puts the
covered entity at risk for noncompliance.
Response: The Department acknowledged in the proposal that it was
not estimating the cost of compliance with the business associates
provision because of inadequate information. It requested information
on this issue, but no specific information was provided in the
comments. However, based on revisions in the final policy and
subsequent factfinding, the Department has provided an estimate for
this requirement, as explained below.
Training
Comment: Many of the commenters believe that the Department used
unrealistic assumptions in the development of the estimated cost of the
training provisions and they provided their own estimates.
Response: The commenters' estimates varied widely, and could not be
used by the Department in revising its analysis because there was
inadequate explanation of how the estimates were made.
Comment: Several commenters argued that if even an hour of time of
each of the entity's employees is spent on training instead of ``work''
and they are paid the minimum wage, an entity would incur $100 of cost
for training no more than 20 employees. The commenters noted that the
provision of health care services is a labor-intensive enterprise, and
many covered entities have thousands of employees, most of whom make
well in excess of minimum
[[Page 82756]]
wage. They questioned whether the estimates include time taken from the
employee's actual duties (opportunity cost) and the cost of a trainer
and materials.
Response: As explained in more detail below, the Department made
extensive revisions in its training estimate, including the number of
workers in the health care sector, the cost of workers in training
based on average industry wages, and training costs (instructors and
materials). The revised estimate is a more complete and accurate
estimate of the costs likely to be borne as a result of the final
regulation.
Comment: One commenter estimated that simply training an employee
could have a burdensome impact on his company. He argued, for example,
a 10-hour annual requirement takes 0.5% of an employee's time if they
work a 2000-hour year, but factoring in sick and vacation leave, the
effects of industry turnover could significantly increase the effect.
Response: In the analysis below, the Department has factored in
turnover rates, employment growth and greater utilization based on data
obtained from broad-based surveys and a public comment.
Comment: Some commenters felt that the regulatory training
provisions are overly burdensome. Specific concerns centered around the
requirement to train all individuals who may come in contact with
protected health information and the requirement to have such
individuals sign a new certifying statement at least every three years.
Some commenters felt that the content of the training program should be
left to the discretion of the covered entity.
Response: Changes and clarifications in the training requirements
are made in the final regulation, explained below. For example, the
certification requirement has been eliminated. As in the NPRM, the
content of the training program is left to the discretion of the
covered entity. These changes are expected to lessen the training
burden and are reflected in the final cost estimates.
Compliance and Enforcement
Comment: A Member of Congress and a number of privacy and consumer
groups expressed their concern with whether the Office for Civil Rights
(OCR) in HHS has adequate funding to carry out the major responsibility
of enforcing the complaint process established by this rule. The Member
stated that ``[d]ue to the limited enforcement ability allowed for in
this rule by HIPAA, it is essential that OCR have the capacity to
enforce the regulations. Now is the time for The Secretary to begin
building the necessary infrastructure to enforce the regulation
effectively.''
Response: The Secretary agrees with the commenters and is committed
to an effective enforcement program. We will work with Congress to
ensure that the Department has the necessary funds to secure voluntary
compliance through education and technical assistance, to investigate
complaints and conduct compliance reviews, to provide states with
exception determinations and to use civil and criminal penalties when
necessary.
Economic Effect on Small Entities
Comment: Many commenters stated that the cost estimates on the
effect of the proposed regulation on small businesses were understated
or incomplete.
Response: The Department conducted a thorough review of potential
data sources that would improve the quality of the analysis of the
effects on small business. The final regulatory flexibility analysis
below is based on the best data available (much of it from the Small
Business Administration) and represents a reliable estimate for the
effects on small entities in various segments of the health care
industry. It is important to note that the estimates are for small
business segments in the aggregate; the cost to individual firms will
vary, perhaps considerably, based on its particular circumstances.
Comment: The cost of implementing privacy regulations, when added
to the cost of other required HIPAA regulations, could increase
overhead significantly. As shown in the 1993 Workgroup on Electronic
Data Interchange (WEDI) Report, providers will bear the larger share of
implementation costs and will save less than payors.
Response: The regulatory flexibility analysis below shows generally
the marginal effect of the privacy regulation on small entities.
Collectively, the HIPAA administrative standards will save money in the
health care system. As important, given the rapid expansion of
electronic commerce, it is probable that small entities would need to
comply with standards for electronic commerce in order to complete
effectively, even if the standards were voluntary. The establishment of
uniform standards through regulation help small entities because they
will not have to invest in multiple systems, which is what they would
confront if the system remained voluntary.
Comment: One respondent believed that the initial and ongoing costs
for small provider offices could be as much as 11 times higher than the
estimates provided in the proposed rule. Other commenters stated that
the estimates for small entities are ``absurdly low''.
Response: Although there were a number of commenters highly
critical of the small business analysis, none provided alternative
estimates or even provided a rationale for their statements. Many
appeared to assume that all costs associated with medical record
confidentiality should be estimated. This represents a misunderstanding
of the purpose of the analysis: to estimate the incremental effects of
this regulation, i.e., the new costs (and savings) that will result
from changes required by the regulation. The Department has made
substantial changes in the final small entities analysis (below),
reflecting policy changes in the final rule and additional information
and data collected by the Department since the issuance of the proposal
last fall. We believe that these estimates reasonably reflect the costs
that various types of small entities will experience in general, though
the actual costs of particular providers might vary considerably based
on their current practices and technology.
Comment: A respondent expressed the belief that small providers
would bear a disproportionate share of the regulation's administrative
burden because of the likelihood of larger companies incurring fewer
marginal costs due to greater in-house resources to aid in the legal
and technical analysis of the proposed rule.
Response: As explained below, the Department does not agree with
the assertion that small entities will be disproportionately affected.
Based on discussions with a number of groups, the Department expects
many professional and trade associations to provide their members with
analysis of the regulation, including model policies, statements and
basic training materials. This will minimize the cost for most small
entities. Providers that use protected health information for voluntary
practices, such as marketing or research, are more likely to need
specific legal and technical assistance, but these are likely to be
larger providers.
Comment: Several commenters took issue with the ``top-down''
approach that we used to estimate costs for small businesses, believing
that this methodology provided only a single point estimate, gave no
indication of the variation around the estimate, and was subject to
numerous methodological errors since the entities to which the
numerator pertained may not have been
[[Page 82757]]
the same as the denominator. These respondents further recommended that
we prepare a ``bottom-up'' analysis using case studies and/or a survey
of providers to refine the estimates.
Response: The purpose of the regulatory flexibility analysis is to
provide a better insight into the relative burden of small businesses
compared to larger firms in complying with a regulation. There may be
considerable variance around average costs within particular industry
sectors, even among small businesses within them. The estimates are
based on the best data available, including information from the Small
Business Administration, the Census Bureau, and public comments.
Comment: A commenter stated that the proposal's cost estimate does
not account for additional administrative costs imposed on physicians,
such as requirements to rewrite contracts with business partners.
Response: Such costs are included in the analysis below.
Comment: Numerous public comments were directed specifically at the
systems compliance cost estimates for small businesses. One respondent
maintained that the initial upgrade cost alone would range from $50
thousand to more than $1 million per covered entity.
Response: The cost estimates for systems compliance varied
enormously; unfortunately, none of the commenters provided
documentation of how they made their estimates, preventing us from
comparing their data and assumptions to the Department's. Because of
concern about the costs in this area, however, the Department retained
an outside consultant to provide greater expertise and analysis. The
product of this effort has been incorporated in the analysis below.
Comment: One commenter stated that just the development and
documentation of new health information policies and procedures (which
would require an analysis of the federal regulations and state law
privacy provisions), would cost far more than the $396 cited in the
Notice of Proposed Rulemaking as the average start-up cost for small
businesses.
Response: As explained below in the cost analysis, the Department
anticipates that most of the policies and procedures that will be
required under the final rule will be largely standardized,
particularly for small businesses. Thus, much of the work and cost can
be done by trade associations and professional groups, thereby
minimizing the costs and allowing it to be spread over a large
membership base.
Comment: A number of comments criticized the initial estimates for
notices, inspection and copying, amendments and correction, and
training as they relate to small businesses.
Response: The Department has made substantial revisions in its
estimates for all of these areas which is explained below in the
regulatory flexibility analysis.
Comment: One commenter noted that there appeared to be a
discrepancy in the number of small entities cited. There is no
explanation for the difference and no explanation for difference
between ``establishments'' and ``entities.''
Response: There are discrepancies among the data bases on the
number of ``establishments'' and ``entities'' or ``firms''. The problem
arises because most surveys count (or survey) establishments, which are
physical sites. A single firm or entity may have many establishments.
Moreover, although an establishment may have only a few employees, the
firm may have a large number of workers (the total of all its various
establishments) and therefore not be a small entity.
As discussed below, there is some discrepancy between the aggregate
numbers we use for the regulatory impact analysis (RIA) and the
regulatory flexibility analysis (RFA). We concluded that for purposes
of the RFA, which is intended to measure the effects on small entities,
we would use Small Business Administration data, which defines entities
based on revenues rather than physical establishments to count the
number of small entities in various SIC. This provides a more accurate
estimate of small entities affected. For the RIA, which is measuring
total effects, we believe the establishment based surveys provide a
more reliable count.
Comment: Because small businesses must notify patients of their
privacy policies on patients' first visit after the effective date of
the regulation, several commenters argued that staff would have to
search records either manually or by computer on a daily basis to
determine if patients had been seen since the regulation was
implemented.
Response: Under the final regulation, all covered entities will
have to provide patients copies of their privacy policy at the first
visit after the effective date of the regulation. The Department does
not view this as burdensome. We expect that providers will simply place
a note or marker at the beginning of a file (electronic or paper) when
a patient is given the notice. This is neither time-consuming nor
expensive, and it will not require constant searches of records.
Comment: A commenter stated that the definitions of small business,
small entity, and a small health plan are inconsistent because the NPRM
includes firms with annual receipts of $5 million or less and non-
profits.
Response: The Small Business Administration, whose definitions we
use for this analysis, includes firms with $5 million or less in
receipts and all non-profits as ``small businesses.'' We recognize that
some health plans, though very large in terms of receipts (and insured
lives), nonetheless would be considered ``small businesses'' under this
definition because they are non-profits. In the final regulatory
flexibility analysis, we generally have maintained the Small Business
Administration definitions because it is the accepted standard for
these analyses. However, we have added several categories, such as IRBs
and employer sponsored group health plans, which are not small
entities, per se, but will be effected by the final rule and we were
able to identify costs imposed by the regulation on them.
Comment: The same commenter wanted clarification that all non-
profit organizations are small entities and that the extended effective
date for compliance applies to them.
Response: For purposes of the regulatory flexibility analysis, the
Department is utilizing the Small Business Administration guidelines.
However, under HIPAA the Secretary may extend the effective compliance
date from 24 months to 36 months for ``small health plans''. The
Secretary is given the explicit discretion of defining the term for
purposes of compliance with the regulation. For compliance purposes,
the Secretary has decided to define ``small health plans'' as those
with receipts of $5 million or less, regardless of their tax status. As
noted above, some non-profit plans are large in terms of revenues
(i.e., their revenues exceed $5 million annually). The Department
determined that such plans do not need extra time for compliance.
Comment: Several commenters requested that ``small providers''
[undefined] be permitted to take 36 months to come into compliance with
the final regulation, just as small health plans will be permitted to
do so.
Response: Congress specified small health plans, but not small
providers, as needing extra time to comply. The majority of providers
affected by the regulation are ``small'', based on the SBA definitions;
in other words, granting the delay would be tantamount to make the
effective date three years rather than two. In making policy decisions
for the final regulation, extensive consideration was given to
minimizing the cost and administrative burden associated with
implementing
[[Page 82758]]
the rule. The Department believes that the requirements of the final
rule will not be difficult to fulfill, and therefore, it has maintained
the two year effective date.
External Studies
Comment: One commenter submitted a detailed analysis of privacy
legislation that was pending and concluded that they might cost over
$40 billion.
Response: The study did not analyze the policies in the proposal,
and therefore, the estimates do not reflect the costs that would have
been imposed by the proposed regulation. In fact, the analysis was
prepared before the Administration's proposed privacy regulation was
even published. As a result, the analysis is of limited relevance to
the regulation actually proposed.
The following are examples of assumptions and costs in the analysis
that do not match privacy policies or requirements stated in the
proposed rule.
1. Authorizations: The study assumed rules requiring new
authorizations from current subscribers to use their data for
treatment, payment of claims, or other health plan operations. The
proposed rule would have prohibited providers or plans from obtaining
patient authorization to use data for treatment, payment or health care
operations, and the final rule makes obtaining consent for these
purposes voluntary for all health plans and for providers that do not
have direct treatment relationships with individuals.
2. Disclosure History: The study assumes that providers, health
plans, and clearinghouses would have to track all disclosures of health
information. Under the NPRM and the final rule, plans, providers and
clearinghouses are only required to account for disclosures that are
not for treatment, payment, and health care operations, a small
minority of all disclosures.
3. Inspection, Copying, and Amendment: The study assumed
requirements to allow patients and their subscribers to inspect, copy,
and amend all information that includes their name, social security
number or other identifying feature (e.g. customer service calls,
internal memorandum, claim runs). However, the study assumed broader
access than provided in the rule, which requires access only to
information in records used to make decisions about individuals, not
all records with identifiable information.
4. Infrastructure development: The study attributed significant
costs to infrastructure implementation of (computer systems, training,
and other compliance costs). As explained below, the compliance
requirements are much less extensive than assumed in this study. For
example, many providers and plans will not be required to modify their
privacy systems but will only be required to document their practices
and notify patients of these practices, and others will be able to
purchase low-cost, off-the-shelf software that will facilitate the new
requirements. The final regulation will not require massive capital
expenditures; we assumed, based on our consultants' work, that
providers will rely on low-cost incremental adjustments initially, and
as their technology becomes outdated, they will replace it with new
systems that incorporate the HIPAA standard requirements.
Although many of the policy assumptions in the study are
fundamentally different than those in the proposed or final regulation,
the study did provide some assistance to the Department in preparing
its final analysis. The Department compared data, methodologies and
model assumptions, which helped us think more critically about our own
analysis and enhanced the quality of our final work.
Comment: One commenter submitted a detailed analysis of the NPRM
Regulatory Impact Analysis and concluded that it might cost over $64
billion over 5 years. This analysis provided an interesting framework
for analyzing the provision for the rule. More precisely, the analysis
generally attempted to identify the number of entities would be
required to comply with each of the significant provision of the
proposed rule, then estimated the numbers of hours required to comply
per entity, and finally, estimated an hourly wage.
Response: HHS adopted this general structure for the final RIA
because it provided a better framework for analysis than what the
Department had done in the NPRM. However, HHS did not agree with many
of the specific assumptions used by in this analysis, for several
reasons. First, in some instances the assumptions were no longer
relevant because the requirements of the NPRM were altered in the final
rule. For other assumptions, HHS found more appropriate data sources
for the number of covered entities, wages rates and trend rates or
other factors affecting costs. In addition, HHS believes that in a few
instances, this analysis over-estimated what is required of covered
entities to comply. Based on public comments and its own factfinding,
the Department believes many of its assumptions used in the final
analysis more accurately reflect what is likely to be the real cost of
the regulation.
IV. Final Regulatory Impact Analysis
5 U.S.C. 804(2) (as added by section 251 of Pub. L. 104-21),
specifies that a ``major rule'' is any rule that the Office of
Management and Budget finds is likely to result in:
An annual effect on the economy of $100 million or more;
A major increase in costs or prices for consumers,
individual industries, federal, state, or local government agencies, or
geographic regions; or
Significant adverse effects in competition, employment,
investment productivity, innovation, or on the ability of United States
based enterprises to compete with foreign-based enterprises in domestic
and export markets. The impact of this final rule will be over $1
billion in the first year of implementation. Therefore, this rule is a
major rule as defined in 5 U.S.C. 804(2).
Executive Order 12866 directs agencies to assess all costs and
benefits of available regulatory alternatives and, when regulation is
necessary, to select regulatory approaches that maximize net benefits
(including potential economic, environmental, public health and safety
effects; distributive impacts; and equity). According to Executive
Order 12866, a regulatory action is ``significant'' if it meets any one
of a number of specified conditions, including having an annual effect
on the economy of $100 million or more adversely affecting in a
material way a sector of the economy, competition, or jobs, or if it
raises novel legal or policy issues. The purpose of the regulatory
impact analysis is to assist decision-makers in understanding the
potential ramifications of a regulation as it is being developed. The
analysis is also intended to assist the public in understanding the
general economic ramifications of a regulation, both in the aggregate
as well as the major policy areas of a regulation and how they are
likely to affect the major industries or sectors of the economy covered
by it.
In accordance with the Small Business Regulatory Enforcement and
Fairness Act (Pub. L. 104-121), the Administrator of the Office of
Information and Regulatory Affairs of the Office of Management and
Budget (OMB) has determined that this rule is a major rule for the
purpose of congressional review.
The proposal for the privacy regulation included a preliminary
regulatory impact analysis (RIA) which estimated the cost of the rule
at $3.8 billion over five years. The preliminary
[[Page 82759]]
analysis also noted that a number of significant areas were not
included in the estimate due to inadequate information. The proposal
solicited public comment on these and all other aspects of the
analysis. In this preamble, the Department has summarized the public
comments pertinent to the cost analysis and its response to them.
However, because of the extensive policy changes incorporated in the
final regulation, additional data collected from the public comments
and the Department's fact-finding, and changes in the methodology
underlying the estimates, the Department is setting forth in this
section a more complete explanation of its revised estimates and how
they were obtained. This will facilitate a better understanding by the
public of how the estimates were developed and provide more insight
into how the Department believes the regulation will ultimately affect
the health care sector.
The impact analysis measures the effect of the regulation on
current practices. In the case of privacy, as discussed in the
preamble, there already exists considerable, though quite varied,
efforts to protect the confidentiality of medical information. The RIA
is measuring the change in these current practices and the cost of new
and additional responsibilities that are required to conform to the new
regulation.
To achieve a reasonable level of privacy protection, the Department
defined three objectives for the final rule: (1) To establish national
baseline standards, implementation specifications, and requirements for
health information privacy protection, (2) to protect the privacy of
individually identifiable health information maintained or transmitted
by covered entities, and (3) to protect the privacy of all individually
identifiable health information within covered entities, regardless of
its form.
Establishing minimum standards, implementation specifications, and
requirements for health information privacy protection creates a level
baseline of privacy protection for patients across states. The Health
Privacy Project's report, The State of Health Privacy: An Uneven
Terrain \33\ makes it clear that under the current system of state
laws, privacy protection is extremely variable. The Department's
statutory authority under HIPAA which allows the privacy regulation to
preempt any state law if such law is contrary to and not more stringent
than privacy protection pursuant to this regulation. This sets a floor,
but permits a state to create laws that are more protective of privacy.
We discuss preemption in greater detail in other parts of the preamble.
---------------------------------------------------------------------------
\33\ Janlori Goldman, Institute for Health Care Research and
Policy, Georgetown University: http://www.healthprivacy.org/resources>.
---------------------------------------------------------------------------
The second objective is to establish a uniform base of privacy
protection for individually identifiable health information maintained
or transmitted by covered entities. HIPAA restricts the type of
entities covered by the rule to three broad categories: health care
providers that transmit health information in HIPAA standard
transactions, health plans, and health care clearinghouses. However,
there are similar public and private entities that are not within the
Department's authority to regulate under HIPAA. For example, life
insurance companies are not covered by this rule but may have access to
a large amount of individually identifiable health information.
The third objective is to protect the privacy of all individually
identifiable health information held by covered entities, including
their business associates. Health information is currently stored and
transmitted in multiple forms, including electronic, paper, and oral
forms. To provide consistent protection to information, and to avoid
requiring covered entities from distinguishing between health
information that has been transmitted or maintained electronically and
that which has not, this rule covers all individually identifiable
health information in any form maintained or transmitted by a covered
entity.
For purposes of this cost analysis, the Department has assumed all
health care providers will be affected by the rule. This results in an
overestimation of costs because there are providers that do not engage
in any HIPAA standard transactions, and therefore, are not affected.
The Department could not obtain any reliable data on the number of such
providers, but the available data suggest that there are very few such
entities, and given the expected increase in all forms of electronic
health care in the coming decade, the number of paper-only providers is
likely to decrease.
A. Relationship of This Analysis to Analyses in Other HIPAA Regulations
Congress has recognized that privacy standards, implementation
specifications and requirements must accompany the electronic data
interchange standards, implementation specifications and requirements
because the increased ease of transmitting and sharing individually
identifiable health information will result in an increase in concern
regarding privacy and confidentiality of such information. The bulk of
the first Administrative Simplification section that was debated on the
floor of the Senate in 1994 (as part of the Health Security Act) was
made up of privacy provisions. The requirement for the issuance of
concomitant privacy measures remained a part of the HIPAA bill passed
by the House of Representatives in 1996, but the requirement for
privacy measures was removed in conference. Instead, Congress added
section 264 to Title II of HIPAA, which directs the Secretary to
develop and submit to Congress recommendations addressing at least the
following:
(1) The rights that an individual who is a subject of individually
identifiable health information should have.
(2) The procedures that should be established for the exercise of
such rights.
(3) The uses and disclosures of such information that should be
authorized or required. The Secretary's Recommendations were submitted
to Congress on September 11, 1997, and are summarized below. Section
264(c)(1) of HIPAA provides that: If legislation governing standards
with respect to the privacy of individually identifiable health
information transmitted in connection with the transactions described
in section 1173(a) of the Social Security Act (as added by section 262)
is not enacted by (August 21, 1999), the Secretary of Health and Human
Services shall promulgate final regulations containing such standards
not later than (February 21, 2000). Such regulations shall address at
least the subjects described in subsection (regarding recommendations).
Because the Congress did not enact legislation governing standards
with respect to the privacy of individually identifiable health
information prior to August 21, 1999, the Department has, in accordance
with this statutory mandate, developed final rules setting forth
standards to protect the privacy of such information.
Title II of the Health Insurance Portability and Accountability Act
(HIPAA) also provides a statutory framework for the promulgation of
other administrative simplification regulations. On August 17, 2000,
the Transactions Rule was published. Proposals for health care provider
identifier (May 1998), employer identifier (June 1998), and security
and electronic signature standards (August 1998) have also been
published. These
[[Page 82760]]
regulations are expected to be made final in the foreseeable future.
HIPAA states that, ``any standard adopted under this part shall be
consistent with the objective of reducing the administrative costs of
providing and paying for health care.'' (Section 1172 (b)). This
provision refers to the administrative simplification regulations in
their totality, including this rule regarding privacy standards. The
savings and costs generated by the various standards should result in a
net savings to the health care system. The Transactions Rule shows a
net savings of $29.9 billion over ten years (2002-2011), or a net
present value savings of $19 billion. This estimate does not include
the growth in ``e-health'' and ``e-commerce'' that may be spurred by
the adoption of uniform codes and standards.
This final Privacy Rule is estimated to produce net costs of $18.0
billion, with net present value costs of $11.8 billion (2003 dollars)
over ten years (2003-2012). This estimate is based on some costs
already having been incurred due to the requirements of the
Transactions Rule, which included an estimate of a net savings to the
health care system of $29.9 billion over ten years (2002 dollars) and a
net present value of $19.1 billion. The Department expects that the
savings and costs generated by all administrative simplification
standards should result in a net savings to the health care system.
B. Summary of Costs and Benefits
Measuring both the economic costs and benefits of health
information privacy is difficult. Traditionally, privacy has been
addressed by state laws, contracts, and professional practices and
guidelines. Moreover, these practices have been evolving as computers
have dramatically increased the potential use of medical data; the
scope and form of health information is likely to be very different ten
years from now than it is today. This final regulation is both altering
current health information privacy practice and shaping its evolution
as electronic uses expand.
To estimate costs, the Department used information from published
studies, trade groups and associations, public comments to the proposed
regulation, and fact-finding by staff. The analysis focused on the
major policy areas in the regulation that would result in significant
costs. Given the vast array of institutions affected by this regulation
and the considerable variation in practices, the Department sought to
identify the ``typical'' current practice for each of the major policy
areas and estimate the cost of change resulting from the regulation.
Because of the paucity of data and incomplete information on current
practices, the Department has consistently made conservative
assumptions (that is, given uncertainty, we have made assumptions that,
if incorrect, are more likely to overstate rather than understate the
true cost).
Benefits are difficult to measure because people conceive of
privacy primarily as a right, not as a commodity. Furthermore, a wide
gap appears to exist between what people perceive to be the level of
privacy afforded health information about them and what actually occurs
with the use of such information today. Arguably, the ``cost'' of the
privacy regulation is the amount necessary to bring health information
privacy to these perceived levels.
The benefits of enhanced privacy protections for individually
identifiable health information are significant, even though they are
hard to quantify. The Department solicited comments on this issue, but
no commenters offered a better alternative. Therefore, the Department
is essentially reiterating the analysis it offered in the proposed
Privacy Rule. The illustrative examples set forth below, using existing
data on mental health, cancer screening, and HIV/AIDS patients, suggest
the level of economic and health benefits that might accrue to
individuals and society. Moreover, the benefits of improved privacy
protection are likely to increase in the future as patients gain trust
in health care practitioners' ability to maintain the confidentiality
of their health information.
The estimated cost of compliance with the final rule is $17.6
billion over the ten year period, 2003-2012.\34\ This includes the cost
of all the major requirements for the rule, including costs to federal,
state and local governments. The net present value of the final rule,
applying a 11.2 percent discount rate \35\, is $11.8 billion.\36\
---------------------------------------------------------------------------
\34\ The proposed privacy rule provided an estimate for a five-
year period. However, the Transactions Rule provided a cost estimate
for a ten year period. The decision was made to provide the final
privacy estimates in a ten year period so that it would be possible
to compare the costs and benefits of the two regulations.
\35\ This based on a seven percent real discount rate, explained
in OMB Circular A-94, and a projected 4.2 percent inflation rate
projected over the ten-year period covered by this analysis.
\36\ The regulatory impact analysis in the Transactions Rule
showed a net savings of $29.9 billion (net present value of $19.1
billion in 2002 dollars). The cost estimates included all electronic
systems changes that would be necessitated by the HIPAA
administrative standards (e.g., security, safeguards, and electronic
signatures; eligibility for a health plan; and remittance advice and
payment claim status), except privacy. At the time the Transactions
Rule was developed, the industry provided estimates for the systems
changes in the aggregate. The industry argued that affected parties
would seek to make all electronic changes in one effort because that
approach would be the most cost-efficient. The Department agreed,
and therefore, it ``bundled'' all the system change cost in the
Transactions Rule estimate. Privacy was not included because at the
time the Department had not made a decision to develop a privacy
rule. As the Department develops other HIPAA administrative
simplification standards, there may be additional costs and savings
due to the non-electronic components of those regulations, and they
will be identified in regulatory impact analyses that accompany
those regulations. The Department anticipates that such costs and
savings will be relatively small compared to the privacy and
Transactions rules. The Department anticipates that the net economic
impact of the rules will be a net savings to the health care system.
---------------------------------------------------------------------------
The first year estimate is $3.2 billion (this includes expenditures
that may be incurred before the effective date in 2003). This
represents about 0.23 percent of projected national health expenditures
for 2003.\37\ By 2008, seven years after the rule's effective date, the
rule is estimated to cost 0.07 percent of projected national health
expenditures.
---------------------------------------------------------------------------
\37\ Health spending projections from National Health
Expenditure Projections 1998-2008 (January 2000), Health Care
Financing Administration, Office of the Actuary, http://hcfa.hhs.gov/stats/nhe-proj/>.
---------------------------------------------------------------------------
The largest cost items are the requirement to have a privacy
official, $5.9 billion over ten years, and the requirement that
disclosures of protected health information only involve the minimum
amount necessary, $5.8 billion over ten years (see Table 1). These
costs reflect the change that affected organizations will have to
undertake to implement and maintain compliance with the requirements of
the rule and achieve enhanced privacy of protected health information.
[[Page 82761]]
Table 1.--The Cost of Complying With the Proposed Privacy Regulation
[In dollars]
------------------------------------------------------------------------
Initial or Average Ten year
first year annual cost cost (2003-
Provision cost (2003, ($million, 2012)
$million) years 2-10) ($million)
------------------------------------------------------------------------
Policy Development............... 597.7 0 597.7
Minimum Necessary................ 926.2 536.7 5,756.7
Privacy Officials................ 723.2 575.8 5,905.8
Disclosure Tracking/History...... 261.5 95.9 1,125.1
Business Associates.............. 299.7 55.6 800.3
Notice Distribution.............. 50.8 37.8 391.0
Consent.......................... 166.1 6.8 227.5
Inspection/Copying............... 1.3 1.7 16.8
Amendment........................ 5.0 8.2 78.8
Requirements on Research......... 40.2 60.5 584.8
Training......................... 287.1 50.0 737.2
De-Identification of Information. 124.2 117.0 1,177.4
Employers with Insured Group 52.4 0 52.4
Health Plans....................
Internal Complaints.............. 6.6 10.7 103.2
--------------------------------------
Total *...................... 3,242.0 1,556.9 17,554.7
--------------------------------------
Net Present Value................ 3,242.0 917.8 11,801.8
------------------------------------------------------------------------
* Note: Numbers may not add due to rounding.
C. Need for the Final Rule
The need for a national health information privacy framework is
described in detail in Section I of the preamble above. In short,
privacy is a necessary foundation for delivery of high quality health
care--the entire health care system is built upon the willingness of
individuals to share the most intimate details of their lives with
their health care providers. At the same time, there is increasing
public concern about loss of privacy generally, and health privacy in
particular. The growing use of interconnected electronic media for
business and personal activities, our increasing ability to know an
individual's genetic make-up, and the increasing complexity of the
health care system each bring the potential for tremendous benefits to
individuals and society, but each also brings new potential for
invasions of our privacy.
Concerns about the lack of attention to information privacy in the
health care industry are not merely theoretical. Section I of the
preamble, above, lists numerous examples of the kinds of deliberate or
accidental privacy violations that call for a national legal framework
of health privacy protections. Disclosure of health information about
an individual can have significant implications well beyond the
physical health of that person, including the loss of a job, alienation
of family and friends, the loss of health insurance, and public
humiliation. The answer to these concerns is not for consumers to
withdraw from the health care system, but for society to establish a
clear national legal framework for privacy.
This section adds to the discussion in Section I, above, a
discussion of the market failures inherent in the current system which
create additional and compelling reasons to establish national health
information privacy standards. Market failures will arise to the extent
that privacy is less well protected than the parties would have agreed
to, if they were fully informed and had the ability to monitor and
enforce contracts. The chief market failures with respect to privacy of
health information concern information, negotiation, and enforcement
costs between the entity and the individual. The information costs
arise because of the information asymmetry between the company and the
patient--the company typically knows far more than the patient about
how the protected health information will be used by that company. A
health care provider or plan, for instance, knows many details about
how protected health information may be generated, combined with other
databases, or sold to third parties.
Absent this regulation, patients face at least two layers of cost
in learning about how their information is used. First, as with many
aspects of health care, patients face the challenge of trying to
understand technical medical terminology and practices. A patient
generally will have difficulty understanding medical records and the
implications of transferring health information about them to a third
party. Second, in the absence of consistent national rules, patients
may face significant costs in trying to learn and understand the nature
of a company's privacy policies.
The costs of learning about companies' policies are magnified by
the difficulty patients face in detecting whether companies, in fact,
are complying with those policies. Patients might try to adopt
strategies for monitoring whether companies have complied with their
announced policies. These sorts of strategies, however, are both costly
(in time and effort) and likely to be ineffective. In addition, modern
health care often requires protected health information to flow
legitimately among multiple entities for purposes of treatment,
payment, health care operations, and other necessary uses. Even if the
patient could identify the provider whose data ultimately leaked, the
patient could not easily tell which of those multiple entities had
impermissibly transferred her information. Therefore, the cost and
ineffectiveness of monitoring leads to less than optimal protection of
individually identifiable health information.
The incentives facing a company that acquires individually
identifiable health information also discourage privacy protection. A
company gains the full benefit of using such information, including its
own marketing efforts or its ability to sell the information to third
parties. The company, however, does not suffer the losses from
disclosure of protected health information; the patient does. Because
of imperfect monitoring, customers often will not
[[Page 82762]]
learn of, and thus not be able to take efficient action to prevent uses
or disclosures of sensitive information. Because the company
internalizes the gains from using the information, but does not bear a
significant share, if any, of the cost to patients (in terms of lost
privacy), it will have a systematic incentive to over-use individually
identifiable health information. In market failure terms, companies
will have an incentive to use individually identifiable health
information where the patient would not have freely agreed to such use.
These difficulties are exacerbated by the third-party nature of
many health insurance and payment systems. Even where individuals would
wish to bargain for privacy, they may lack the legal standing to do so.
For instance, employers often negotiate the terms of health plans with
insurers. The employee may have no voice in the privacy or other terms
of the plan, facing a take-it-or-leave-it choice of whether to be
covered by insurance. The current system leads to significant market
failures in bargaining privacy protection. Many privacy-protective
agreements that patients would wish to make, absent barriers to
bargaining, will not be reached.
The economic arguments become more compelling as the medical system
shifts from predominantly paper to predominantly electronic records.
Rapid changes in information technology should result in increased
market failures in the markets for individually identifiable health
information. Improvements in computers and networking mean that the
costs of gathering, analyzing, and disseminating electronic data are
plunging. Market forces are leading many health care providers and
health plans to shift from paper to electronic records, due both to
lower cost and the increased functionality provided by having
information in electronic form. These market changes will be
accelerated by the administrative simplification implemented by the
other regulations promulgated under HIPAA. A chief goal of
administrative simplification, in fact, is to create a more efficient
flow of medical information, where appropriate. This privacy regulation
is an integral part of the overall effort of administrative
simplification; it creates a framework for more efficient flows for
certain purposes, including treatment and payment, while restricting
flows in other circumstances except where appropriate institutional
safeguards exist.
If the medical system shifts predominantly to electronic records in
the near future, accompanying privacy rules will become more critical
to prevent unanticipated, inappropriate, or unnecessary uses or
disclosures of individually identifiable health information without
patient consent and without effective institutional controls against
further dissemination. In terms of the market failure, it will become
more difficult for patients to know how their health provider or health
plan is using health information about them. It will become more
difficult to monitor the subsequent flows of individually identifiable
health information, as the number of electronic flows and possible
points of leakage both increase. Similarly, the costs and difficulties
of bargaining to get the patients' desired level of use will likely
rise due to the greater number and types of entities that receive
protected health information.
As the benefits section, below, discusses in more detail, the
protection of privacy and correcting the market failure also have
practical implications. Where patients are concerned about lack of
privacy protections, they might fail to get medical treatment that they
would otherwise seek. This failure to get treatment may be especially
likely for certain conditions, including mental health, and HIV.
Similarly, patients who are concerned about lack of privacy protections
may report health information inaccurately to their providers when they
do seek treatment. For instance, they might decide not to mention that
they are taking prescription drugs that indicate that they have an
embarrassing condition. These inaccurate reports may lead to mis-
diagnosis and less-than-optimal treatment, including inappropriate
additional medications. In short, the lack of privacy safeguards can
lead to efficiency losses in the form of forgone or inappropriate
treatment.
In summarizing the economic arguments supporting the need for this
regulation, the discussion here has emphasized the market failures that
will be addressed by this regulation. These arguments become
considerably stronger with the shift from predominantly paper to
predominantly electronic records. As discussed in the benefits section
below, the proposed privacy protections may prevent or reduce the risk
of unfair treatment or discrimination against vulnerable categories of
persons, such as those who are HIV positive, and thereby, foster better
health. The proposed regulation may also help educate providers, health
plans, and the general public about how protected health information is
used. This education, in turn, may lead to better information practices
in the future.
D. Baseline Privacy Protections
An analysis of the costs and benefits of the regulation requires a
baseline from which to measure the regulation's effects. For some
regulations, the baseline is relatively straightforward. For instance,
an industry might widely use a particular technology, but a new
regulation may require a different technology, which would not
otherwise have been adopted by the industry. In this example, the old
and widely used technology provides the baseline for measuring the
effects of the regulation. The costs and the benefits are the
difference between keeping the old technology and implementing the new
technology.
Where the underlying technology and industry practices are rapidly
changing, however, it can be far more difficult to determine the
baseline and thereby measure the costs and benefits of a regulation.
There is no simple way to know what technology industry would have
chosen to introduce if the regulation had never existed, nor how
industry practices would have evolved.
Today, the entities covered by the HIPAA privacy regulation are in
the midst of a shift from primarily paper records to electronic
records. As covered entities spend significant resources on hardware,
software, and other information technology costs, questions arise about
which of these costs are fairly attributable to the privacy regulations
as opposed to costs that would have been expended even in the absence
of the regulations. Industry practices generally are rapidly evolving,
as described in more detail in Part I of this preamble. New
technological or other measure taken to protect privacy are in part
attributable to the expected expense of shifting to electronic medical
records, rather than being solely attributable to the new regulations.
In addition, the existence of privacy rules in other sectors of the
economy help set a norm for what practices will be considered good
practices for health information. The level of privacy protection that
would exist in the health care sector, in the absence of regulations,
thus would likely be affected by regulatory and related developments in
other sectors. In short, it is therefore difficult to project a cost or
benefits baseline for this rule.
The common security practice of using ``firewalls'' illustrates how
each of the three baselines might apply. Under the first baseline, the
full cost of implementing firewalls should be included in a Regulatory
Impact
[[Page 82763]]
Analysis for a rule that expects entities to have firewalls. Because
current law has not required firewalls, a new rule expecting this
security measure must include the full cost of creating firewalls. This
approach, however, would seem to overstate the cost of such a
regulation. Firewalls would seem to be an integral part of the decision
to move to an on-line, electronic system of records. Firewalls are also
being widely deployed by users and industries where no binding security
or privacy regulations have been proposed.
Under the second baseline, the touchstone is the level of risk of
security breaches for individually identifiable health information
under current practices. There is quite possibly a greater risk of
breach for an electronic system of records, especially where such
records are accessible globally through the Internet, than for patient
records dispersed among various doctors' offices in paper form. Using
the second baseline, the costs of firewalls for electronic systems
should not be counted as a cost of the regulation except where
firewalls create greater security than existed under the previous,
paper-based system.
Finally, the third baseline would require an estimate of the
typical level of firewall protections that covered entities would adopt
in the absence of regulation, and include in the Regulatory Impact
Analysis only the costs that exceed what would otherwise have been
adopted. For this analysis, the Department has generally assumed that
the status quo would otherwise exist throughout the ten-year period (in
a few areas we explicitly discuss likely changes). We made this
decision for two reasons. First, predicting the level of change that
would otherwise occur is highly problematic. Second, it is a
``conservative'' assumption--that is, any error will likely be an
overstatement of the true costs of the regulation.
Privacy practices are most often shaped by professional
organizations that publish ethical codes of conduct and by state law.
On occasion, state laws defer to professional conduct codes. At
present, where professional organizations and states have developed
only limited guidelines for privacy practices, an entity may implement
privacy practices independently. However, it is worth noting that
changes in privacy protection continue to increase in various areas.
For example, European Union countries may only send individually
identifiable information to companies, including U.S. firms, that
comply with their privacy standards, and the growing use of health data
in other areas of commerce, such as finance and general commercial
marketing, have also increased the demand for privacy in ways that were
not of concern in the past.
1. Professional Codes of Ethics
The Department examined statements issued by five major
professional groups, one national electronic network association and a
leading managed care association.\38\ There are a number of common
themes that all the organizations appear to subscribe to:
---------------------------------------------------------------------------
\38\ American Association of Health Plans, Code of Conduct;
http:www.aahp.org.; American Dental Association, Principles of
Ethics and Professional Conduct; http://www.ada.org.; American
Hospital Association, ``Disclosure of Medical Record Information,''
Management Advisory: Information Management; 1990, AHA: Chicago,
IL.; American Medical Association, AMA Policy Finder--Current
Opinions Council on Ethical and Judicial Affairs; several documents
available through the Policy Finder at http:www.ama-assn.org.;
American Psychiatric Association, ``APA Outlines Standards Needed to
Protect Patient's Medical Record''; Release No. 99-32, May 27, 1999;
http:www.psych.org.
---------------------------------------------------------------------------
The need to maintain and protect an individual's health
information;
The development of policies to ensure the confidentiality
of individually identifiable health information;
A restriction that only the minimum necessary information
should be released to accomplish the purpose for which the information
is sought.
Beyond these principles, the major associations differ with respect
to the methods used to protect individually identifiable health
information. There is no common professional standard across the health
care field with respect to the protection of individually identifiable
health information. One critical area of difference is the extent to
which professional organizations should release individually
identifiable health information. A major mental health association
advocates the release of identifiable patient information `` * * * only
when de-identified data are inadequate for the purpose at hand.'' A
major association of physicians counsels members who use electronically
maintained and transmitted data to require that they and their patients
know in advance who has access to protected patient data, and the
purposes for which the data will be used. In another document, the
association advises physicians not to ``sell'' patient information to
data collection companies without fully informing their patients of
this practice and receiving authorization in advance to release of the
information.
Only two of the five professional groups state that patients have
the right to review their medical records. One group declares this as a
fundamental patient right, while the second association qualifies its
position by stating that the physician has the final word on whether a
patient has access to his or her health information. This association
also recommends that its members respond to requests for access to
patient information within ten days, and recommends that entities allow
for an appeal process when patients are denied access. The association
further recommends that when a patient contests the accuracy of the
information in his or her record and the entity refuses to accept the
patient's change, the patient's statement should be included as a
permanent part of the patient's record.
In addition, three of the five professional groups endorse the
maintenance of audit trails that can track the history of disclosures
of individually identifiable health information.
The one set of standards that we reviewed from a health network
association advocated the protection of individually identifiable
health information from disclosure without patient authorization and
emphasized that encrypting information should be a principal means of
protecting individually identifiable health information. The statements
of a leading managed care association, while endorsing the general
principles of privacy protection, were vague on the release of
information for purposes other than treatment. The association
suggested allowing the use of protected health information without the
patient's authorization for what they term ``health promotion.'' It is
possible that the use of protected health information for ``health
promotion'' may be construed under the rule as part of marketing
activities.
Based on the review of the leading association standards, we
believe that the final rule embodies most or all of the major
principles expressed in the standards. However, there are some major
areas of difference between the rule and the professional standards
reviewed. The final rule generally provides stronger, more consistent,
and more comprehensive guarantees of privacy for individually
identifiable health information than the professional standards. The
differences between the rule and the professional codes include the
individual's right of access to health information in the covered
entity's possession, relationships between contractors and covered
entities, and the requirement that covered entities make their privacy
policies and practices available to patients through a notice
[[Page 82764]]
and the ability to respond to questions related to the notice. Because
the regulation requires that (with a few exceptions) patients have
access to their protected health information that a covered entity
possesses, large numbers of health care providers may have to modify
their current practices in order to allow patient access, and to
establish a review process if they deny a patient access. Also, none of
the privacy protection standards reviewed require that health care
providers or health plans prepare a formal statement of privacy
practices for patients (although the major physician association urges
members to inform patients about who would have access to their
protected health information and how their health information would be
used). Only one HMO association explicitly made reference to
information released for legitimate research purposes. The regulation
allows for the release of protected health information for research
purposes without an individual's authorization, but only if the
research where such authorization is waived by an institutional
research board or an equivalent privacy board. This research
requirement may cause some groups to revise their disclosure
authorization standards.
2. State Laws
The second body of privacy protections is found in a complex, and
often confusing, myriad of state laws and requirements. To determine
whether or not the final rule would preempt a state law, first we
identified the relevant laws, and second, we addressed whether state or
federal law provides individuals with greater privacy protection.
Identifying the Relevant State Statutes: Health information privacy
provisions can be found in laws applicable to many issues including
insurance, worker's compensation, public health, birth and death
records, adoptions, education, and welfare. In many cases, state laws
were enacted to address a specific situation, such as the reporting of
HIV/AIDS, or medical conditions that would impair a person's ability to
drive a car. For example, Florida has over 60 laws that apply to
protected health information. According to the Georgetown Privacy
Project,\39\ Florida is not unique. Every state has laws and
regulations covering some aspect of medical information privacy. For
the purpose of this analysis, we simply acknowledge the variation in
state requirements.
---------------------------------------------------------------------------
\39\ Ibid, Goldman, p. 6.
---------------------------------------------------------------------------
We recognize that covered entities will need to learn the laws of
their states in order to comply with such laws that are not contrary to
the rule, or that are contrary to and more stringent than the rule.
This analysis should be completed in the context of individual markets;
therefore, we expect that professional associations or individual
businesses will complete this task.
Recognizing the limits of our ability to effectively summarize
state privacy laws, we discuss conclusions generated by the Georgetown
University Privacy Project's report, The State of Health Privacy: An
Uneven Terrain. The Georgetown report is among the most comprehensive
examination of state health privacy laws currently published, although
it is not exhaustive. The report, which was completed in July 1999, is
based on a 50-state survey.
To facilitate discussion, we have organized the analysis into two
sections: access to health information and disclosure of health
information. Our analysis is intended to suggest areas where the final
rule appears to preempt various state laws; it is not designed to be a
definitive or wholly comprehensive state-by-state comparison.
Access to Subject's Information: In general, state statutes provide
individuals with some access to medical records about them. However,
only a few states allow individuals access to health information held
by all their health care providers and health plans. In 33 states,
individuals may access their hospital and health facility records. Only
13 states guarantee individuals access to their HMO records, and 16
states provide individuals access to their medical information when it
is held by insurers. Seven states have no statutory right of patient
access; three states and the District of Columbia have laws that only
assure individuals' right to access their mental health records. Only
one state permits individuals access to records about them held by
health care providers, but it excludes pharmacists from the definition
of provider. Thirteen states grant individuals statutory right of
access to pharmacy records.
The amount that entities are allowed to charge for copying of
individuals' records varies widely from state to state. A study
conducted by the American Health Information Management Association
\40\ found considerable variation in the amounts, structure, and
combination of fees for search and retrieval, and the copying of the
record.
---------------------------------------------------------------------------
\40\ ``Practice Briefs,'' Journal of AHIMA; Harry Rhodes, Joan
C. Larson, Association of Health Information Outsourcing Service;
January 1999.
---------------------------------------------------------------------------
In 35 states, there are laws or regulations that set a basis for
charging individuals inspecting and copying fees. Charges vary not only
by state, but also by the purpose of the request and the facility
holding the health information. Also, charges vary by the number of
pages and whether the request is for X-rays or for standard medical
information.
Of the 35 states with laws regulating inspection and copying
charges, seven states either do not allow charges for retrieval of
records or require that the entity provide the first copy free of
charge. Some states may prohibit hospitals from charging patients a
retrieval and copying fee, but allow clinics to do so. Many states
allow fee structures, while eleven states specify only that the record
holder may charge ``reasonable/actual costs.''
According to the report by the Georgetown Privacy Project, among
states that do grant access to patient records, the most common basis
for denying individuals access is concern for the life and safety of
the individual or others.
The amount of time an entity is given to supply the individual with
his or her record varies widely. Many states allow individuals to amend
or correct inaccurate health information, especially information held
by insurers. However, few states provide the right to insert a
statement in the record challenging the covered entity's information
when the individual and entity disagree.\41\
---------------------------------------------------------------------------
\41\ Ibid, Goldman, p. 20.
---------------------------------------------------------------------------
Disclosure of Health Information: State laws vary widely with
respect to disclosure of individually identifiable health information.
Generally, states have applied restrictions on the disclosure of health
information either to specific entities or for specific health
conditions. Only three state laws place broad limits on disclosure of
individually identifiable health information without regard for
policies and procedures developed by covered entities. Most states
require patient authorization before an entity may disclose health
information to certain recipients, but the patient often does not have
an opportunity to object to any disclosures.\42\
---------------------------------------------------------------------------
\42\ Ibid, Goldman, p. 21.
---------------------------------------------------------------------------
It is also important to point out that none of the states appear to
offer individuals the right to restrict disclosure of their health
information for treatment.
[[Page 82765]]
State statutes often have exceptions to requiring authorization
before disclosure. The most common exceptions are for purposes of
treatment, payment, or auditing and quality assurance functions.
Restrictions on re-disclosure of individually identifiable health
information also vary widely from state to state. Some states restrict
the re-disclosure of health information, and others do not. The
Georgetown report cites state laws that require providers to adhere to
professional codes of conduct and ethics with respect to disclosure and
re-disclosure of protected health information.
Most states have adopted specific measures to provide additional
protections for health information regarding certain sensitive
conditions or illnesses. The conditions and illnesses most commonly
afforded added privacy protection are:
Information derived from genetic testing;
Communicable and sexually-transmitted diseases;
Mental health; and
Abuse, neglect, domestic violence, and sexual assault.
Some states place restrictions on releasing condition-specific
health information for research purposes, while others allow release of
information for research without the patient's authorization. States
frequently require that researchers studying genetic diseases, HIV/
AIDS, and other sexually transmitted diseases have different
authorization and privacy controls than those used for other types of
research. Some states require approval from an IRB or agreements that
the data will be destroyed or identifiers removed at the earliest
possible time. Another approach has been for states to require
researchers to obtain sensitive, identifiable information from a state
public health department. One state does not allow automatic release of
protected health information for research purposes without notifying
the subjects that their health information may be used in research and
allowing them an opportunity to object to the use of their
information.\43\
---------------------------------------------------------------------------
\43\ ``Medical records and privacy: Empirical effects of
legislation; A memorial to Alice Hersh''; McCarthy, Douglas B;
Shatin, Deborah; et al. Health Service Research: April 1, 1999; No.
1, Vol. 34; p. 417. The article details the effects of the Minnesota
law conditioning disclosure of protected health information on
patient authorization.
---------------------------------------------------------------------------
Comparing state statutes to the final rule: The variability of
state law regarding privacy of individually identifiable health
information and the limitations of the applicability of many such laws
demonstrates the need for uniformity and minimum standards for privacy
protection. This regulation is designed to meet these goals while
allowing stricter state laws to be enacted and remain effective. A
comparison of state privacy laws with the final regulation highlights
several of the rule's key implications:
No state law requires covered entities to make their
privacy and access policies available to patients. Thus, all covered
entities that have direct contact with patients will be required by
this rule to prepare a statement of their privacy protection and access
policies. This necessarily assumes that entities have to develop
procedures if they do not already have them in place.
The rule will affect more entities than are covered or
encompassed under many state laws.
Among the three categories of covered entities, it appears
that health plans will be the most significantly affected by the access
provisions of the rule. Based on the Health Insurance Association of
America (HIAA) data\44\, there are approximately 94.7 million non-
elderly persons with private health insurance in the 35 states that do
not provide patients a legal right to inspect and copy their records.
---------------------------------------------------------------------------
\44\ Source Book of Health Insurance Data: 1997-1998, Health
Insurance Association of America, 1998. p. 33.
---------------------------------------------------------------------------
Under the rule, covered entities will have to obtain an
individual's authorization before they could use or disclose their
information for purposes other than treatment, payment, and health care
operations--except in the situations explicitly defined as allowable
disclosures without authorization. Although the final rule would
establish a generally uniform disclosure and re-disclosure requirement
for all covered entities, the entities that currently have the greatest
ability and economic incentives to use and disclose protected health
information for marketing services to both patients and health care
providers without individual authorization.
While the final rule appears to encompass many of the
requirements found in current state laws, it also is clear that within
state laws, there are many provisions that cover specific cases and
health conditions. Certainly, in states that have no restrictions on
disclosure, the rule will establish a baseline standard. But in states
that do place conditions on the disclosure of protected health
information, the rule may place additional requirements on covered
entities.
3. Other Federal Laws
The relationship with other federal statutes is discussed above in
the preamble.
E. Costs
Covered entities will be implementing the privacy final rules at
the same time many of the administrative simplification standards are
being implemented. As described in the overall impact analysis for the
Transactions Rule, the data handling change occurring due to the other
HIPAA standards will have both costs and benefits. To the extent the
changes required for the privacy standards, implementation
specifications, and requirements can be made concurrently with the
changes required by the other regulations, costs for the combined
implementation should be only marginally higher than for the
administrative simplification standards alone. The extent of this
incremental cost is uncertain, in the same way that the costs
associated with each of the individual administrative simplification
standards is uncertain.
The costs associated with implementing the requirements under this
Privacy Rule will be directly related to the number of affected
entities and the number of affected transactions in each entity. There
are approximately 12,200 health plans (including self-insured employer
and government health plans that are at least partially self-
administered)\45\, 6480 hospitals, and 630,000 non-hospital providers
that will bear implementation costs under the final rule.
---------------------------------------------------------------------------
\45\ ``Health plans,'' for purposes of the regulatory impact and
regulatory flexibility analyses, include licensed insurance carriers
who sell health products; third party administrators that will have
to comply with the regulation for the benefit of the plan sponsor;
and self-insured health plans that are at least partially
administered by the plan sponsor.
---------------------------------------------------------------------------
The relationship between the HIPAA security and privacy standards
is particularly relevant. On August 17, 2000, the Secretary published a
final rule to implement the HIPAA standards on electronic transactions.
That rule adopted standards for eight electronic code sets to be used
for those transactions. The proposed rule for security and electronic
signature standards was published on August 12, 1998. That proposal
specified the security requirements for covered entities that transmit
and store information specified in Part C, Title II of the Act. In
general, that proposed rule proposed administrative and technical
standards for protecting ``* * * any health information pertaining to
an individual that is electronically
[[Page 82766]]
maintained or transmitted.'' (63 FR 43243). The final Security Rule
will detail the system and administrative requirements that a covered
entity must meet in order to assure itself and the Secretary that
health information is safe from destruction and tampering from people
without authorization for its access.
By contrast, the Privacy Rule describes the requirements that
govern the circumstances under which protected health information must
be used or disclosed with and without patient involvement and when a
patient may have access to his or her protected health information.
While the vast majority of health care entities are privately owned
and operated, we note that federal, state, and local government
providers are reflected in the total costs as well. Federal, state, and
locally funded hospitals represent approximately 26 percent of
hospitals in the United States. This is a significant portion of
hospitals, but it represents a relatively small proportion of all
provider entities. We estimated that the number of government providers
who are employed at locations other than government hospitals is
significantly smaller (approximately two percent of all providers).
Weighting the relative number of government hospital and non-hospital
providers by the revenue these types of providers generate, we estimate
that health care services provided directly by government entities
represent 3.4 percent of total health care services. Indian Health
Service and tribal facilities costs are included in the total, since
the adjustments made to the original private provider data to reflect
federal providers included them. In developing the rule, the Department
consulted with states, representatives of the National Congress of
American Indians, representatives of the National Indian Health Board,
and a representative of the self-governance tribes. During the
consultation we discussed issues regarding the application of Title II
of HIPAA to the states and tribes.
The costs associated with this final rule involve, for each
provision, consideration of both the degree to which covered entities
must modify their existing records management systems and privacy
policies under the final rule, and the extent to which there is a
change in behavior by both patients and the covered entities as a
result of the final rule. The following sections examine these
provisions as they apply to the various covered entities under the
final rule. The major costs that covered entities will incur are one-
time costs associated with implementation of the final rules, and
ongoing costs that result in continuous requirements in the final rule.
The Department has quantified the costs imposed by the final
regulation to the extent possible. The cost of many provisions were
estimated by first using data from the Census Bureau's Statistics of
U.S. Business to identify the number of non-hospital health care
providers, hospitals and health plans. Then, using the Census Bureau's
Current Population Survey (CPS) wage data for the classes of employees
affected by the rule, the Department identified the hourly wage of the
type of employee assumed to be mostly likely responsible for compliance
with a given provision. Where the Department believed a number of
different types of employees might be responsible for complying with a
certain provision, as is often expected to be the case, the Department
established a weighted-average wage based on the types of employees
involved. Finally, the Department made assumptions regarding the number
of person-hours per institution required to comply with the rule.
The Department cannot determine precisely how many person-hours per
institution will be required to comply with a given provision, however,
the Department attempted to establish reasonable estimates based on
fact-finding discussions with private sector health care providers, the
advice of the Department's consultants, and the Department's own best
judgement of the level of burden required to comply with a given
provision. Moreover, the Department recognizes that the number of hours
required to comply with a given requirement of the rule will vary from
provider to provider and health plan to health plan, particularly given
the flexibility and scalability permitted under the rule. Therefore,
the Department considers the estimates to be averages across the entire
class of health care providers, hospitals, or health plans in question.
Underlying all annual cost estimates are growth projections. For
growth in the number of patients, the Department used data from the
National Ambulatory Medical Care Survey, the National Hospital
Ambulatory Medical Care Survey, the National Home and Hospice Survey,
the National Nursing Home Survey, and information from the American
Hospital Association. For growth in the number of health care workers,
the Department used data from the Bureau of Health Professions in the
Department's Health Resources Services Administration (HRSA). For
insurance coverage growth (private and military coverage), we used a
five-year average annual growth rate in employer-sponsored, individual,
military, and overall coverage growth from the Census Bureau's CPS,
1995-1999. To estimate growth in the number of Medicare and Medicaid
enrollees, the Department used the enrollment projections of the Health
Care Financing Administration's Office of the Actuary. For growth in
the number of hospitals, health care providers and health plans, trend
rates were derived from the Census Bureau's Statistics of U.S.
Businesses, using SIC code-specific five-year annual average growth
rate from 1992-1997 (the most recent data available). For wage growth,
the Department used the same assumptions made in the Medicare Trustees'
Hospital Insurance Trust Fund report for 2000.
In some areas, the Department was able to obtain very reliable
data, such as survey data from the Statistics of U.S. Businesses and
the Medical Expenditures Panel Survey (MEPS). In numerous areas,
however, there was too little information or data to support
quantitative estimates. As a result, the Department relied on data
provided in the public comments or subsequent fact-finding to provide a
basis for making key assumptions. We were able to provide a reasonable
cost estimate for virtually all aspects of the regulation, except law
enforcement. In this latter area, the Department was unable to obtain
sufficient data about current practices (e.g., the number of criminal
and civil investigations that may involve requests for protected health
information, the number of subpoenas for protected health information,
etc.) to determine the marginal effects of the regulation. As discussed
more fully below, the Department believes the effects of the final rule
are marginal because the policies adopted in the final rule appear to
largely reflect current practice.
The NPRM included an estimate of $3.8 billion for the privacy
proposal. The estimate for the final rule is $18.0 billion. Much of the
difference can be explained by two factors. First, the NPRM estimate
was for five years; the final rule estimate is for ten years. The
Department chose the longer period for the final rule because ten years
was also the period of analysis in the Transactions Rule RIA, and we
wanted to facilitate comparisons, given that the net benefits and costs
of the administrative simplification rules should be considered
together. Second, the final impact analysis includes cost estimates for
a number of key provisions that were not estimated in the NPRM because
the Department did not have adequate information at the time.
[[Page 82767]]
Although we received little useable data in the public comments (see
comment and response section), the Department was able to undertake
more extensive fact-finding and collect sufficient information to make
informed assumptions about the level of effort and time various
provisions of the final rule are likely to impose on different types of
affected entities.
The estimate of $18.0 billion represents a gross cost, not a net
cost. As discussed more fully below in the benefits section, the
benefits of enhanced privacy and confidentiality of personal health
information are very significant. If people believe their information
will be used properly and not disseminated beyond certain bounds
without their knowledge and consent, they will be much more likely to
seek proper health care, provide all relevant health information, and
abide by their providers' recommendations. In addition, more confidence
by individuals and covered entities that privacy will be maintained
will lead to an increase in electronic transactions and the
efficiencies and cost savings that stem from such action. The benefits
section quantifies some examples of benefits. The Department was not
able to identify data sources or models that would permit us to measure
benefits more broadly or accurately. The inability to quantify
benefits, however, does not lessen the importance or value that is
ultimately realized by having a national standard for health
information privacy.
The largest initial costs resulting from the final Privacy Rule
stem primarily from the requirement that covered entities use and
disclose only the minimum necessary protected health information, that
covered entities develop policies and codify their privacy procedures,
and that covered entities designate a privacy official and train all
personnel with access to individually identifiable health information.
The largest ongoing costs will result from the minimum necessary
provisions pertaining internal uses of individually identifiable health
information, and the cost of a privacy official. In addition, covered
entities will have recurring costs for training, disclosure tracking
and notice requirements. A smaller number of large entities may have
significant costs for de-identification of protected health information
and additional requirements for research.
The privacy costs are in addition to the Transactions Rule
estimates. The cost of complying with the regulation represents
approximately 0.23 percent of projected national health expenditures
the first year the regulation is enacted. The costs for the first eight
years of the final regulation represents 0.07 percent of the increase
in national health care costs experienced over the same period.\46\
---------------------------------------------------------------------------
\46\ Health Care Finance Administration, Office of the Actuary,
2000. Estimates for the national health care expenditure accounts
are only available through 2008; hence, we are only able to make the
comparison through that year.
---------------------------------------------------------------------------
Minimum Necessary
The ``minimum necessary'' policy in the final rule has essentially
three components: first, it does not pertain to certain uses and
disclosures including treatment-related exchange of information among
health care providers; second, for disclosures that are made on a
routine and recurring basis, such as insurance claims, a covered entity
is required to have policies and procedures for governing such
exchanges (but the rule does not require a case-by-case determination);
and third, providers must have a process for reviewing non-routine
requests on a case-by-case basis to assure that only the minimum
necessary information is disclosed.
Based on public comments and subsequent fact-finding, the
Department has concluded that the requirements of the final rule are
generally similar to the current practice of most providers. For
standard disclosure requests, for example, providers generally have
established procedures for determining how much health information is
released. For non-routine disclosures, providers have indicated that
they currently ask questions to discern how much health information is
necessary for such disclosure. Under the final rule, we anticipate
providers will have to be more thorough in their policies and
procedures and more vigilant in their oversight of them; hence, the
costs of this provision are significant.
To make the final estimates for this provision, the Department
considered the minimum necessary requirement in two parts. First,
providers, hospitals, and health plans will need to establish policies
and procedures which govern uses and disclosures of protected health
information. Next, these entities will need to adjust current practices
that do not comply with the rule, such as updating passwords and making
revisions to software.
To determine the policies and procedures for the minimum necessary
requirement, the Department assumed that each hospital would spend 160
hours, health plans would spend 107 hours, and non-hospital providers
would spend 8 hours. As noted above, the time estimates for this and
other provisions of the rule are considered an average number of
person-hours for the institutions involved. An underlying assumption is
that some hospitals, and to a lesser extent health plans, are part of
chains or larger entities that will be able to prepare the basic
materials at a corporate level for a number of covered entities.
Once the policies and procedures are established, the Department
estimates there will be costs resulting from implementing the new
policies and procedures to restrict internal uses of protected health
information to the minimum necessary. Initially, this will require 560
hours for hospitals, 160 hours for health plans, and 12 hours for non-
hospital providers.\47\ The wage for health care providers and
hospitals is estimated at $47.28, a weighted average of various health
care professionals based on CPS data; the wage for health plans is
estimated to be $33.82, based on average wages in the insurance
industry (note that all wage assumptions in this impact analysis assume
a 39 percent load for benefits, the standard Bureau of Labor Statistics
assumption). In addition, there will be time required on an annual
basis to ensure that the implemented practices continue to meet the
requirements of the rule. Therefore, the Department estimates that on
an annual ongoing basis (after the first year), hospitals will require
320 hours, health plans 100 hours, and non-hospital providers 8 hours
to comply with this provision.
---------------------------------------------------------------------------
\47\ These estimates were, in part, derived from a report
prepared for the Department by the Gartner Group, consultants in
health care information technology: ``Gartner DHHS Privacy
Regulation Study,'' by Jim Klein and Wes Rishel, submitted to the
Office of the Assistant Secretary for Policy and Evaluation on
October 20, 2000.
---------------------------------------------------------------------------
The initial cost attributable to the minimum necessary provision is
$926 million. The total cost of the provision is $5.757 billion. (These
estimates are for the cost of complying with the minimum necessary
provisions that restrict internal uses to the minimum necessary. The
Department has estimated in the business associates section below the
requirement limiting disclosures outside the covered entity to the
minimum amount necessary.)
Privacy Official
The final rule requires entities to designate a privacy official
who will be responsible for the development and implementation of
privacy policies and procedures. In this cost analysis, the Department
has estimated each of the primary administrative requirements of the
rule (e.g., training, policy and
[[Page 82768]]
procedure development, etc), including the development and
implementation costs associated with each specific requirement. These
activities will certainly involve the privacy official to some degree;
thus, some costs for the privacy official, particularly in the initial
years, are subsumed in other cost requirements. Nonetheless, we
anticipate that there will be additional ongoing responsibilities that
the privacy official will have to address, such as coordinating between
departments, evaluating procedures and assuring compliance. To avoid
double-counting, the cost calculated in this section is only for the
ongoing, operational functions of a privacy official (e.g., clarifying
procedures for staff) that are in addition to items discussed in other
sections of this impact analysis.
The Department assumes the privacy official role will be an
additional responsibility given to an existing employee in the covered
entity, such as an office manager in a small entity or a compliance
official in a larger institution. Moreover, today any covered entity
that handles individually identifiable health information has one or
more people with responsibility for handling and protecting the
confidentiality of such information. As a result of the specific
requirement for a privacy official, the Department assumes covered
entities will centralize this function, but the overall effort is not
likely to increase significantly. Specifically, the Department has
assumed non-hospital providers will need to devote, on average, an
additional 30 minutes per week of an official's time (i.e., 26 hours
per year) to compliance with the final regulation for the first two
years and 15 minutes per week for the remaining eight years (i.e., 13
hours per year). For hospitals and health plans, which are more likely
to have a greater diversity of activities involving privacy issues, we
have assumed three hours per week for the first two years (i.e., 156
hours per year), and 1.5 hours per week for the remaining eight years
(i.e., 78 hours per year).
For non-hospital providers, the time was calculated at a wage of
$34.13 per hour, which is the average wage for managers of medicine and
health according to the CPS. For hospitals, we used a wage of $79.44,
which is the rate for senior planning officers.\48\ For health plans,
the Department assumed a wage of $88.42 based on the wage for top
claims executives.\49\ Although individual hospitals and health plans
may not necessarily select their planning officers or claims executives
to be their privacy officials, we believe they will be of comparable
responsibility, and therefore comparable pay, in larger institutions.
---------------------------------------------------------------------------
\48\ ``Top Compensation in the Healthcare Industry, 1997'',
Coopers & Lybrand, New York, NY.,
http://www.pohly.com/salary/2.shtml>.
\49\ ``A Unifif Survey of Compensation in Financial Services:
2000,'' July 2000, Unifi Network Survey unit, PriceWaterhouseCoopers
LLP and Global HR Solutions LLC, Westport, Ct., http://public.wsj.com/careers/resources/documents/20000912-insuranceexecs-tab.htm>.
---------------------------------------------------------------------------
The initial year cost for privacy officials will be $723 million;
the ten-year cost will be $5.9 billion.
Internal Complaints
The final rule requires each covered entity to have an internal
process to allow an individual to file a complaint concerning the
covered entity's compliance with its privacy policies and procedures.
The requirement includes designating a contact person or office
responsible for receiving complaints and documenting the disposition of
them, if any. This function may be performed by the privacy official,
but because it is a distinct right under the final rule and may be
performed by someone else, we are costing it separately.
The covered entity only is required to receive and document a
complaint (no response is required), which we assume will take, on
average, ten minutes (the complaint can be oral or in writing). The
Department believes that such complaints will be uncommon. We have
assumed that one in every thousand patients will file a complaint,
which is approximately 10.6 million complaints over ten years. Based on
a weighted-average hourly wage of $47.28 at ten minutes per complaint,
the cost of this policy is $6.6 million in the first year. Using wage
growth and patient growth assumptions, the cost of this policy is $103
million over ten years.
Disclosure Tracking and History
The final rule requires providers to be able to produce a record of
all disclosures of protected health information, except in certain
circumstances. The exceptions include disclosures for treatment,
payment, health care operations, or disclosures to an individual. This
requirement will require a notation in the record (electronic or paper)
of when, to whom, and what information was disclosed, as well as the
purpose of such disclosure or a copy of an individual's written
authorization or request for a disclosure.
Based on information from several hospital sources, the Department
assumes that all hospitals already track disclosures of individually
identifiable health information and that 15 percent of all patient
records held by a hospital will have an annual disclosure that will
have to be recorded in an individual's record. It was more difficult to
obtain a reliable estimate for non-hospital providers, though it
appears that they receive many fewer requests. The Department assumed a
ten percent rate for ambulatory care patients and five percent, for
nursing homes, home health, dental and pharmacy providers. (It was
difficult to obtain any reliable data for these latter groups, but
those we talked to said that they had very few, and some indicated that
they currently keep track of them in the records.) These estimated
percentages represent about 63 million disclosures that will have to be
recorded in the first year, with each recording estimated to require
two minutes. At the average nurse's salary of $30.39 per hour, the cost
in the first year is $25.7 million. For health plans, the Department
assumed that disclosures of protected health information are more rare
than for health care providers. Therefore, the Department assumed that
there will be disclosures of protected health information for five
percent of covered lives. At the average wage for the insurance
industry of $33.82 per hour, the initial cost for health plans is $6.8
million. Using our standard growth rates for wages, patients, and
covered entities, the ten-year cost for providers and health plans is
$519 million.
In addition, although hospitals generally track patient disclosures
today, the Department assumes that hospitals will seek to update
software systems to assure full compliance. Based on software upgrade
costs provided by the Department's private sector consultants with
expertise in the area (the Gartner Group), the Department assumed that
each upgrade would cost $35,000 initially and $6,300 annually
thereafter, for a total cost of $572 million over ten years.
The final rule also requires covered entities to provide
individuals with an accounting of disclosures upon request. The
Department assumes that few patients will request a history of
disclosures of their protected medical information. Therefore, we
estimate that one in a thousand patients will request such an
accounting each year, which is approximately 850,000 requests. If it
takes an average of five minutes to copy any disclosures and the work
is done by a nurse, the cost for the first year will be $2.1 million.
The total ten-year cost is $33.8 million.
[[Page 82769]]
De-Identification of Information
The rule allows covered entities to determine that health
information is de-identified (i.e., that it is not individually
identifiable health information) if certain conditions are met.
Currently, some entities release de-identified information for research
purposes. De-identified information may originate from automated
systems (such as records maintained by pharmacy benefit managers) and
non-automated systems (such as individual medical records maintained by
providers). As compared with current practice, the rule requires that
an expanded list of identifiers be removed for the data (such as
driver's license numbers, and detailed geographic and certain age
information). For example, as noted in a number of public comments,
currently complete birth dates (day, month, and year) and zip codes are
often included in de-identified information. The final rule requires
that only the year of birth (except in certain circumstances) and the
first three digits of the zip code can be included in de-identified
information.
These changes will not require extensive change from current
practice. Providers generally remove most of the 19 identifiers listed
in the final rule. The Department relied on Gartner Group estimates
that some additional programmer time will be required by covered
entities that produce de-identified information to make revisions in
their procedures to eliminate additional identifiers. Entities that de-
identify information will have to review existing and future data flows
to assure compliance with the final rule. For example, an automated
system may need to be re-programmed to remove additional identifiers
from otherwise protected health information. (The costs of educating
staff about the de-identification requirements are included in the cost
estimate for training staff on privacy policies.)
The Department was not able to obtain any reliable information on
the volume of medical data that is currently de-identified. To provide
some measure of the potential magnitude, we assumed that health plans
and hospitals would have an average of two existing agreements that
would need to be reviewed and modified. Based on information provided
by our consultants, we estimate that these agreements would require an
average of 152 hours by hospitals and 116 hours by health plans to
review and revise existing agreements to conform to the final rule.
Using the weighted average wage of $47.28, the initial costs will be
$124 million. Using our standard growth rates for wages, patients, and
covered entities, the total cost of the provision is $1.1 billion over
ten years.
The Department expects that the final rule and the increasing trend
toward computerization of large record sets will result over time in
de-identification being performed by relatively few firms or
associations. Whether the covered entity is a small provider with
relatively few files or a hospital or health plan with large record
files, it will be more efficient to contract with specialists in these
firms or associations (as ``business associates'' of the covered
entity) to de-identify files. The process will be different but the
ultimate cost is likely to be the same or only slightly higher, if at
all, than the costs for de-identification today. The estimate is for
the costs required to conform existing and future agreements to the
provisions of the rule. The Department has not quantified the benefits
that might arise from changes in the market for de-identified
information because the centralization and efficiency that will come
from it will not be fully realized for several years, and we do not
have a reliable means of estimating such changes.
Policy and Procedures Development
The final regulation imposes a variety of requirements which
collectively will necessitate entities to develop policies and
procedures (henceforth in this section to be referred to as policies)
to establish and maintain compliance with the regulation. These include
policies such as those for inspection and copying, amending records,
and receiving complaints.\50\ In developing the final regulations,
simplifying the administrative burden was a significant consideration.
To the extent practical, consistent with maintaining adequate
protection of protected health information, the final rule is designed
to encourage the development of policies by professional associations
and others, that will reduce costs and facilitate greater consistency
across providers and other covered entities.
---------------------------------------------------------------------------
\50\ The cost for policies for minimum necessary, because they
will be distinct and extensive, are presented separately, above.
---------------------------------------------------------------------------
The development of policies will occur at two levels: first, at the
association or other large scale levels; and second, at the entity
level. Because of the generic nature of many of the final rule's
provisions, the Department anticipates that trade, professional
associations, and other groups serving large numbers of members or
clients will develop materials that can be used broadly. These will
likely include the model privacy practice notice that all covered
entities will have to provide patients; general descriptions of the
regulation's requirements appropriate for various types of health care
providers; checklists of steps entities will have to take to comply;
training materials; and recommended procedures or guidelines. The
Department spoke with a number of professional associations, and they
confirmed that they would expect to provide such materials for their
members at either the federal or state level.
Using Faulkner and Gray's Health Data Directory 2000, we identified
216 associations that would be likely to provide guidance to members.
In addition, we assume three organizations (i.e., one for hospitals,
health plans, and other health care providers) in each state would also
provide some additional services to help covered entities coordinate
the requirements of this rule with state laws and requirements. The
Department assumed that these associations would each provide 320 hours
of legal analysis at $150 per hour, and 640 hours of senior analysts
time at $50 per hour. This equals $17.3 million. Hourly rates for legal
council are the average billing rate for a staff attorney.\51\ The
senior analysts rates are based on a salary of $75,000 per year, plus
benefits, which was provided by a major professional association.
---------------------------------------------------------------------------
\51\ ``The Altman Weil 1999 Survey of Law Firm Economics,''
http://www.altmanweil.com/publications/survey/sife99/standard.htm>.
---------------------------------------------------------------------------
For larger health care entities such as hospitals and health plans,
the Department assumed that the complexity of their operations would
require them to seek more customized assistance from outside council or
consultants. Therefore, the Department assumes that each hospital and
health plan (including self-administered, self-insured health plans)
will, on average, require 40 hours of outside assistance. The resulting
cost for external policy development is estimated to be $112 million.
All covered entities are expected to require some time for internal
policy development beyond what is provided by associations or outside
consultants. For most non-hospital providers, the external assistance
will provide most of the necessary information. Therefore, we expect
these health care providers will need only eight hours to adapt these
policies for their specific use (training cost is estimated separately
in the impact analysis). Hospitals and
[[Page 82770]]
health plans, which employ more individuals and are involved in a wider
array of endeavors, are likely to require more specific policies
tailored to their operations to comply with the final rule. For these
entities, we assume an average of 320 hours of policy development per
institution. The total cost for internal policy development is
estimated to be $468 million.
The total cost for policy, plan, and procedures development for the
final regulation is estimated to be $598 million. All of these costs
are initial costs.
Training
The final regulation's requirements provide covered entities with
considerable flexibility in how to best fulfill the necessary training
of their workforce. As a result, the actual practices may vary
substantially based on such factors as the number of members of the
workforce, the types of operations, worker turnover, and experience of
the workforce. Training is estimated to cost $737 million over ten
years. The Department estimates that at the time of the effective date,
approximately 6.7 million health care workers will have to be trained,
and in the subsequent ten years, 7 million more will have to be trained
because of worker turnover. The estimate of employee numbers are based
on 2000 CPS data regarding the number of health care workers who
indicated they worked for a health care institution. To estimate a
workforce turnover rate, the Department relied on a study submitted in
the public comments which used a turnover rate of ten percent or less,
depending on the labor category. To be conservative, the Department
assumed ten percent for all categories.
Covered entities will need to provide members of the workforce with
varying amounts of training depending on their responsibilities, but on
average, the Department estimates that each member of the workforce who
is likely to have access to protected health information will require
one hour of training in the policies and procedures of the covered
entity. The initial training cost estimate is based on teacher training
with an average class size of ten. After the initial training, the
Department expects some training (for example, new employees in larger
institutions) will be done by videotape, video conference, or computer,
all of which are likely to be less expensive. Training materials were
assumed to cost an average of $2 per worker. The opportunity cost for
the training time is based on the average wage for each health care
labor category listed in the CPS, plus a 39 percent load for benefits.
Wages were increased based on the wage inflation factor utilized for
the short-term assumptions (which covers ten years) in the Medicare
Trustees' Annual Report for 1999.
Notice
This section describes only the cost associated with the production
and provision of a notice. The cost of developing the policy stated in
the notice is covered under policies and procedures, above.
Covered health care providers with direct treatment relationships
are required to provide a notice of privacy practices no later than the
date of the first service delivery to individuals after the compliance
date for the covered health care provider. The Department assumed that
for most types of health care providers (such as physicians, dentists,
and pharmacists) one notice would be distributed to each patient during
his or her first visit following the compliance date for the covered
provider, but not for subsequent visits. For hospitals, however, the
Department assumed that a notice would be provided at each admission,
regardless of how many visits an individual has in a given year. In
subsequent years, the Department assumed that non-hospital providers
would only provide notices to their new patients, because it is assumed
that providers can distinguish between new and old patients, although
hospitals will continue to provide a notice for each admission. The
total number of notices provided in the initial year is estimated to be
816 million.
Under the final rule, only providers that have direct treatment
relationships with individuals are required to provide notices to them.
To estimate the number of visits that trigger a notice in the initial
year and in subsequent years, the Department relied on the Medical
Expenditure Panel Survey (MEPS, 1996 data) conducted by the
Department's Agency for Healthcare Quality and Research. This data set
provides estimates for the number of total visits to a variety of
health care providers in a given year and estimates of the number of
patients with at least one visit to each type of each care provider. To
estimate the number of new patients in a given year, the Department
used the National Ambulatory Medical Care Survey and the National
Hospital Ambulatory Medical Care Survey, which indicate that for
ambulatory care visits to physician offices and hospital ambulatory
care departments, 13 percent of all patients are new. This data was
used as a proxy for other types of providers, such as dentists and
nursing homes, because the Department did not have estimates for new
patients for other types of providers. The number of new patients was
increased over time to account for growth in the patient population.
Therefore, the number of notices provided in years 2004 through 2012 is
estimated to be 5.3 billion.
For health plans, the Department estimated the number of notices by
trending forward the average annual rate of growth from 1995 through
1998 (the most recent data available) of private policy holders using
the Census Bureau's Current Population Survey, and also by using Health
Care Financing Administration Office of the Actuary's estimates for
growth in Medicare and Medicaid enrollment. It should be noted that the
regulation does not require that the notice be mailed to individuals.
Therefore, the Department assumed that health plans would include their
privacy policy in the annual mailings they make to members, such as by
adding a page to an existing information booklet.
Since clinical laboratories generally do not have direct contact
with patients, they would not normally be required to provide notices.
However, there are some laboratory services that involve direct patient
contact, such as patients who have tests performed in a laboratory or
at a health fair. We found no data from which we could estimate the
number of such visits. Therefore, we have assumed that labs would incur
no costs as a result of this requirement.
The printing cost of the policy is estimated to be $0.05, based on
data obtained from the Social Security Administration, which does a
significant number of printings for distribution. Some large bulk
users, such as health plans, can probably reproduce the document for
less, and small providers simply may copy the notice, which would also
be less than $0.05. Nonetheless, at $0.05, the total cost of the
initial notice is $50.8 million.
Using our standard growth rate for patients, the total cost for
notices is estimated to be $391 million for the ten-year period.
Requirements on Use and Disclosure for Research
The final regulation places certain requirements on covered
entities that supply individually identifiable health information to
researchers. As a result of these requirements, researchers who seek
such health information and the Institutional Review Boards (IRBs) that
review research projects will have additional responsibilities.
Moreover, a covered entity doing research, or another entity requesting
disclosure of
[[Page 82771]]
protected health information for research that is not currently subject
to IRB review (research that is 100 percent privately funded and which
takes place in institutions which do not have ``multiple project
assurances'') may need to seek IRB or privacy board approval if they
want to avoid the requirement to obtain authorization for use or
disclosure of protected health information for research, thereby
creating the need for additional IRBs and privacy boards that do not
currently exist.
To estimate the additional requirements placed on existing IRBs,
the Department relied on a survey of IRBs conducted by James Bell
Associates on behalf of NIH and on estimates of the total number of
existing IRBs provided by NIH staff. Based on this information, the
Department concluded that of the estimated 4,000 IRBs in existence, the
median number of initial current research project reviews is 133 per
IRB, of which only ten percent do not receive direct consent for the
use of protected health information. (Obtaining consent nullifies the
need for IRB privacy scrutiny.) Therefore, in the first year of
implementation, there will be 76,609 initial reviews affected by the
regulation, and the Department assumes that the requirement to consider
the privacy protections in the research protocols under review will add
an average of 1 hour to each review. The cost to researchers for having
to develop protocols which protect protected health information is
difficult to estimate, but the Department assumes that each of the
affected 76,609 studies will require an average of an additional 8
hours of time for protocol development and implementation. At the
average medical scientist hourly wage of $46.61, the initial cost is
$32.1 million; the total ten-year cost of these requirements is $468
million over ten years.
As stated above, some privately funded research not subject to any
IRB review currently may need to obtain IRB or privacy board approval
under the final rule. Estimating how much research exists which does
not currently go through any IRB review is highly speculative, because
the experts consulted by the Department all agree that there is no data
on the volume of privately funded research. Likewise, public comments
on this subject provided no useful data. However, the Department
assumed that most research that takes place today is subject to IRB
review, given that so much research has some government funding and
many large research institutions have multiple project assurances. As a
result, the Department assumed that the total volume of non-IRB
reviewed research is equal to 25 percent of all IRB-reviewed research,
leading to 19,152 new IRB or privacy board reviews in the first year of
the regulation. Using the same assumptions as used above for wages,
time spent developing privacy protection protocols for researchers, and
time spent by IRB and privacy board members, the total one-year cost
for new IRB and privacy board reviews is $8 million.
For estimating total ten-year costs, the Department used the Bell
study, which showed an average annual growth rate of 3.7 percent in the
number of studies reviewed by IRBs. Using this growth rate, the total
ten-year cost for the new research requirements is $117 million.
Consent
Under the final rule, a covered health care provider with direct
treatment relationships must obtain an individual's consent for use or
disclosure of protected health information for treatment, payment, or
health care operations. Covered providers with indirect treatment
relationships and health plans may obtain such consent if they so
choose. Providers and health plans that seek consent under this rule
can condition treatment or enrollment upon provision of such consent.
Based on public comments and discussions with a wide array of health
care providers, it is apparent that most currently obtain written
consent for use and disclosure of individually identifiable health
information for payment. Under the final rule, they will have to obtain
consent for treatment and health care operations, as well, but this may
entail only minor changes in the language of the consent to incorporate
these other categories and to conform to the rule.
Although the Department was unable to obtain any systematic data,
the anecdotal evidence suggests that most non-hospital providers and
virtually all hospitals follow this practice. For the cost analysis,
the Department assumes that 90 percent of the non-hospital providers
and all hospitals currently obtain some consent for use and disclosure
of individually identifiable health information. For providers that
currently obtain written consent, there is only a nominal cost for
changing the language on the document to conform to the rule. For this
activity, we assumed $0.05 cost per document for revising existing
consent documents.
For the ten percent of treating providers who currently do not
obtain consent, there is the cost of creating consent documents (which
will be standardized), which is also assumed to be $0.05 per document.
It is assumed that all providers required to obtain consent under the
rule will do so upon the first visit, so there will be no mailing cost.
For non-hospital providers, we assume the consent will be maintained in
paper form, which is what most providers currently do (electronic form,
if available, is cheaper to maintain). There is no new cost for records
maintenance because the consent will be kept in active files (paper or
electronic).
The initial cost of the consent requirement is estimated to be $166
million. Using our standard assumptions for patient growth, the total
costs for the ten years is estimated to be $227 million.
Authorizations
Patient authorizations are required for uses or disclosures of
protected health information that are not otherwise explicitly
permitted under the final rule with or without consent. In addition to
uses and disclosures of protected health information for treatment,
payment, and health care operations with or without consent, the rule
also permits certain uses of protected health information, such as
fund-raising for the covered entity and certain types of marketing
activity, without prior consent or authorization. Authorizations are
generally required if a covered entity wants to provide protected
health information to third party for use by the third party for
marketing or for research that is not approved by an IRB or privacy
board.
The requirement for obtaining authorizations for use or disclosure
of protected health information for most marketing activity will make
direct third-party marketing more difficult because covered entities
may not want to obtain and track such authorizations, or they may
obtain too few to make the effort economically worthwhile. However, the
final rule permits an alternative arrangement: the covered entity can
engage in health-related marketing on behalf of a third party,
presumably for a fee. Moreover, the covered entity could retain another
party, through a business associate relationship, to conduct the actual
health-related marketing, such as mailings or telemarketing, under the
covered entity's name. The Department is unable to estimate the cost of
these changes because there is no credible data on the extent of
current third party marketing practices or the price that third party
marketers currently pay for information from covered entities. The
effect of the final rule is to change the
[[Page 82772]]
arrangement of practices to enhance accountability of protected health
information by the covered entity and its business associates; however,
there is nothing inherently costly in these changes.
Examples of other circumstances in which authorizations are
required under the final rule include disclosure of protected health
information to an employer for an employment physical, pre-enrollment
underwriting for insurance, or the sharing of protected health
insurance information by an insurer with an employer. The Department
assumes there is no new cost associated with these requirements because
providers have said that obtaining authorization under such
circumstances is current practice.
To use or disclose psychotherapy notes for most purposes (including
for treatment, payment, or health care operations), a covered entity
must obtain specific authorization by the individual that is distinct
from any authorization for use and disclosure of other protected health
information. This is current practice, so there is no new cost
associated with this provision.
Confidential Communications
The final rule permits individuals to receive communications of
protected health information from a covered health care provider or a
health plan by an alternative means or at an alternative address. A
covered provider and a health plan must accommodate reasonable
requests; however, a health plan may require the individual to state
that disclosure of such information may endanger the individual. A
number of providers and health plans indicated that they currently
provide this service for patients who request it. For providers and
health plans with electronic records system, maintaining separate
addresses for certain information is simple and inexpensive, requiring
little or no change in the system. For providers with paper records,
the cost may be higher because they will have to manually check records
to determine which information must be treated in accordance with such
requests. Although some providers currently provide this service, the
Department was unable to obtain any reliable estimate of the number of
such requests today or the number of providers who perform this
service. The cost attributable to this requirement to send materials to
alternate addresses does not appear to be significant.
Employers With Insured Group Health Plans
Some group health plans will use or maintain protected health
information, particularly group health plans that are self-insured.
Also, some plan sponsors that perform administrative functions on
behalf of their group health plans, may need protected health
information. The final rule permits a group health plan, or a health
insurance issuer or HMO that provides benefits on behalf of the group
health plan, to disclose protected health information to a plan sponsor
who performs administrative functions on its behalf for certain
purposes and if certain requirements are met. The plan documents must
be amended to: describe the permitted uses and disclosures of protected
health information by the plan sponsor; specify that disclosure is
permitted only upon receipt of a certification by the plan sponsor that
the plan documents have been amended and the plan sponsor agrees to
certain restrictions on the use of protected health information; and
provide for adequate firewalls to assure unauthorized personnel do not
have access to individually identifiable health information.
Some plan sponsors may need information, not to administer the
group health plan, but to amend, modify, or terminate the plan. ERISA
case law describes such activities as settlor functions. For example, a
plan sponsor may want to change its contract from a preferred provider
organization to a health maintenance organization (HMO). In order to
obtain premium information, the plan sponsor may need to provide the
HMO with aggregate claims information. Under the rule, the plan sponsor
can obtain summary information with certain identifiers removed, in
order to provide it to the HMO and receive a premium rate.
The Department assumes that most plan sponsors who are small
employers (those with 50 or fewer employees) will elect not to receive
protected health information because they will have little, if any,
need for such data. Any needs that plan sponsors of small group health
plans may have for information can be accomplished by receiving the
information in summary form. The Department has assumed that only 5
percent of plan sponsors of small group health plans that provide
coverage through a contract with an issuer will actually take the steps
necessary to receive protected health information. This is
approximately 96,900 firms. For these firms, the Department assumes it
will take one hour to determine procedural and organization issues and
an additional \1/3\ hour of an attorney's time to make plan document
changes, which will be simple and essentially standardized. This will
cost $7.1 million.
Plan sponsors who are employers of medium (51-199 employees) and
large (over 200 employees) firms that provide health benefits through
contracts with issuers are more likely to want access to protected
health information for plan administration, for example to use it to
audit claims or perform quality assurance functions on behalf of the
group health plan. The Department assumes that 25 percent of plan
sponsors of medium sized firms and 75 percent of larger firms will want
to receive protected health information. This is approximately 38,000
medium size firms and 27,000 larger firms. To provide access to
protected health information by the group health plan, a plan sponsor
will have to assess the current flow of protected health information
from their issuer and determine what information is necessary and
appropriate. The plan sponsors may then have to make internal
organizational changes to assure adequate protection of protected
health information so that the relevant requirements are met for the
group health plan. We assume that medium size firms will take 16 work
hours to complete organizational changes, plus one hour of legal time
to make changes to plan documents and certify to the insurance carrier
that the firm is eligible to receive protected health information. We
assume that larger firms will require 32 hours of internal
organizational work and one hour of legal time. This will cost $52.4
million and is a one-time expense.
Business Associates
The final rule requires a covered entity to have a written contract
or other arrangement that documents satisfactory assurance that
business associate will appropriately safeguard protected health
information in order to disclose it to a business associate based on
such an arrangement. The Department expects business associate
contracts to be fairly standardized, except for language that will have
to be tailored to the specific arrangement between the parties, such as
the allowable uses and disclosures of information. The Department
assumes the standard language initially will be developed by trade and
professional associations for their members. Small providers are likely
to simply adopt the language or make minor modifications, while health
plans and hospitals may start with the prototype language but may make
more specific changes to
[[Page 82773]]
meet their institutional needs. The regulation includes a requirement
that the covered entity take steps to correct, and in some cases
terminate, a contract, if necessary, if they know of violations by a
business associate. This oversight requirement is consistent with
standard oversight of a contract.
The Department could not derive a per entity cost for this work
directly. In lieu of this, we have assumed that the trade and
professional associations' work plus any minor tailoring of it by a
covered entity would amount to one hour per non-hospital provider and
two hours for hospitals and health plans. The larger figure for
hospitals and health plans reflects the fact that they are likely to
have a more extensive array of relationships with business associates.
The cost for the changes in business associate contracts is
estimated to be $103 million. This will be an initial year cost only
because the Department assumes that this contract language will become
standard in future contracts.
In addition, the Department has estimated the cost for business
associates to comply with the minimum necessary provisions. As part of
the minimum necessary provisions, covered entities will have to
establish policies to ensure that only the minimum necessary protected
health information is shared with business associates. To the extent
that data are exchanged, covered entities will have to review the data
and systems programs to assure compliance.
For non-hospital providers, we estimate that the first year will
require an average of three hours to review existing agreements, and
thereafter, they will require an additional hour to assure business
associate compliance. We estimate that hospitals will require an
additional 200 hours the first year and 16 hours in subsequent years;
health plans will require an additional 112 hours the first year and 8
hours in subsequent years. As in other areas, we have assumed a
weighted average wage for the respective sectors.
The cost of the covered entities assuring business associates'
complying with the minimum necessary is $197 million in the first year,
and a total of $697 million over ten years. (These estimates include
the both the cost for the covered entity and the business associates.)
Inspection and Copying
In the NPRM estimate, inspection and copying were a major cost.
Based on data and information from the public comments and further
fact-finding, however, the Department has re-estimated these policies
and found them to be much less expensive.
The public comments demonstrate that copying of records is wide-
spread today. Records are routinely copied, in whole or in part, as
part of treatment or when patients change providers. In addition,
copying occurs as part of legal proceedings. The amount of inspection
and copying of medical records that occurs for these purposes is not
expected to change measurably as a result of the final regulation.
The final regulation establishes the right of individuals to
access, that is to inspect and obtain a copy of, protected health
information about them in designated record sets. Although this is an
important right, the Department does not expect it to result in
dramatic increases in requests from individuals. The Georgetown report
on state privacy laws indicates that 33 states currently give patients
some right to access medical information. The most common right of
access granted by state law is the right to inspect personal
information held by physicians and hospitals. In the process of
developing estimates for the cost of providing access, we assumed that
most providers currently have procedures for allowing patients to
inspect and obtain a copy of individually identifiable health
information about themselves. The economic impact of requiring entities
to allow individuals to access their records should be relatively
small. One public commenter addressed this issue and provided specific
data which supports this conclusion.
Few studies address the cost of providing medical records to
patients. The most recent was a study in 1998 by the Tennessee
Comptroller of the Treasury. It found an average cost of $9.96 per
request, with an average of 31 pages per request. The cost per page of
providing copies was $0.32 per page. This study was performed on
hospitals only. The cost per request may be lower for other types of
providers, since those seeking hospital records are more likely to have
more complicated records than those in a primary care or other types of
offices. An earlier report showed much higher costs than the Tennessee
study. In 1992, Rose Dunn published a report based on her experience as
a manager of medical records. She estimated a 10-page request would
cost $5.32 in labor costs only, equaling labor cost per page of $0.53.
However, this estimate appears to reflect costs before computerization.
The expected time spent per search was 30.6 minutes; 85 percent of this
time could be significantly reduced with computerization (this includes
time taken for file retrieval, photocopying, and re-filing; file
retrieval is the only time cost that would remain under
computerization).
In estimating the cost of copying records, the Department relied on
the public comment from a medical records outsourcing industry
representative, which submitted specific volume and cost data from a
major firm that provides extensive medical record copying services.
According to these data, 900 million pages of medical records are
copied each year in the U.S., the average medical record is 31 pages,
and copying costs are $0.50 per page. In addition, the commenter noted
that only 10 percent of all requests are made directly from patients,
and of those, the majority are for purposes of continuing care
(transfer to another provider), not for purposes of individual
inspection. The Department assumed that 25 percent of direct patient
requests to copy medical records are for purposes of inspecting their
accuracy (i.e., 2.5 percent of all copy requests) or 850,000 in 2003 if
the current practice remained unchanged.
To estimate the marginal increase in copying that might result from
the regulation, the Department assumed that as patients gained more
awareness of their right to inspect and copy their records, more
requests will occur. As a result, the Department assumed a ten percent
increase in the number of requests to inspect and copy medical records
over the current baseline, which would amount to a little over 85,000
additional requests in 2003 at a cost of $1.3 million. Allowing for a
5.3 percent increase in records based on the increase in ambulatory
care visits, the highest growth rate among health service sectors (the
National Ambulatory Medical Care Survey, 1998), the total cost for the
ten-year period would be $16.8 million.
The final rule allows a provider to deny an individual the right to
inspect or obtain a copy of protected health information in a
designated record set under certain circumstances, and it provides, in
certain circumstances, that the patient can request the denial to be
reviewed by another licensed health care professional. The initial
provider can choose a licensed health care professional to render the
second review.
The Department assumes denials and subsequent requests for reviews
will be extremely rare. The Department estimates there are about
932,000 annual requests for inspections (i.e., base plus new requests
resulting from the regulation), or approximately 11 million over the
ten-year period. If one-
[[Page 82774]]
tenth of one percent of these requests were to result in a denial in
accordance with the rule, the result would be 11,890 cases. Not all
these cases would be appealed. If 25 percent were appealed, the result
would be 2,972 cases. If a second provider were to spend 15 minutes
reviewing the case, the cost would be $6,000 in the first year and
$86,360 over ten years.
Amendments to Protected Health Information
Many providers and health plans currently allow patients to amend
the information in their medical record, where appropriate. If an error
exists, both the patient and the provider or health plan benefit from
the correction. However, as with inspection and copying, many states do
not provide individuals with the right to request amendment to
protected health information about themselves. Based on these
assumptions, the Department concludes that the principal economic
effect of the final rule would be to expand the right to request
amendments to protected health information held by a health plan or
provider to those who are not currently covered by amendment
requirements under state laws or codes of conduct. In addition, the
rule may draw additional attention to the issue of inaccuracies in
information and may stimulate patient demand for amendment of medical
records, including in those states that currently provide a right to
amend medical records.
Under the final regulation, if a patient requests an amendment to
his or her medical record, the provider must either accept the
amendment or provide the individual with the opportunity to submit a
statement disagreeing with the denial. The provider must acknowledge
the request and inform the patient of his action.
The cost calculations assume that individuals who request an
opportunity to amend their medical record have already obtained a copy
of it. Therefore, the administrative cost of amending the patient's
record is completely separate from inspection and copying costs.
Based on fact-finding discussions with a variety of providers, the
Department assumes that 25 percent of the projected 850,000 people who
request to inspect their records will seek to amend them. This number
is the existing demand plus the additional requests resulting from the
rule. Over ten years, the number of expected amendment requests will be
2.7 million. Unlike inspections, which currently occur in a small
percentage of cases, our fact-finding suggests that patients very
rarely seek to amend their records, but that the establishment of this
right in the rule will spur more requests. The 25 percent appears to be
high based on our discussions with providers but it is being used to
avoid an underestimation of the cost.
As noted, the provider or health plan is not required to evaluate
any amendment requests, only to append or otherwise link to the request
in the record. We expect the responses will vary: sometimes an
assistant will only make the appropriate notation in the record,
requiring only a few minutes; other times a provider or manager will
review the request and make changes if appropriate, which may require
as much as an hour. To be conservative in its estimate, the Department
has assumed, on average, 30 minutes for each amendment request at a
cost of $47.28 per hour (2000 CPS).
The first-year cost for the amendment policy is estimated to be $5
million. The ten-year cost of this provision is $78.8 million.
Law Enforcement and Judicial and Administrative Proceedings
The law enforcement provisions of the final rule allow disclosure
of protected health information without patient authorization under
four circumstances: (1) Pursuant to legal process or as otherwise
required by law; (2) to locate or identify a suspect, fugitive,
material witness, or missing person; (3) under specified conditions
regarding a victim of crime; and (4) and when a covered entity believes
the protected health information constitutes evidence of a crime
committed on its premises. As under current law and practice, a covered
entity may disclose protected health information to a law enforcement
official if such official.
Based on our fact finding, we are not able to estimate any
additional costs from the final rule regarding disclosures to law
enforcement officials. The final rule makes clear that current court
orders and grand jury subpoenas will continue to provide a basis for
covered entities to disclose protected health information to law
enforcement officials. The three-part test, which covered entities must
use to decide whether to disclose information in response to an
administrative request such as an administrative subpoena, represents a
change from current practice. There will be only minimal costs to draft
the standard language for such subpoenas. We are unable to estimate
other costs attributable to the use of administrative subpoenas. We
have not been able to discover any specific information about the costs
to law enforcement of establishing the predicates for issuing the
administrative subpoena, nor have we been able to estimate the number
of such subpoenas that will likely be issued once the final rule is
implemented.
A covered entity may disclose protected health information in
response to an order in the course of a judicial or administrative
proceeding if reasonable efforts have been made to give the individual,
who is the subject of the protected health information, notice of and
an opportunity to object to the disclosure or to secure a qualified
protective order.
The Department was unable to estimate any additional costs due to
compliance with the final rule's provisions regarding judicial and
administrative proceedings. The provision requiring a covered entity to
make efforts to notify an individual that his or her records will be
used in proceedings is similar to current practice; attorneys for
plaintiffs and defendants agreed that medical records are ordinarily
produced after the relevant party has been notified. With regard to
protective orders, we believe that standard language for such orders
can be created at minimal cost. The cost of complying with such
protective orders will also likely be minimal, because attorney's
client files are ordinarily already treated under safeguards comparable
to those contemplated under the qualified protective orders. The
Department was unable to make an estimate of how many such protective
orders might be created annually.
We thus do not make any estimate of the initial or ongoing costs
for judicial, administrative, or law enforcement proceedings.
Costs to the Federal Government
The rule will have a cost impact on various federal agencies that
administer programs that require the use of individual health
information. The federal costs of complying with the regulation and the
costs when federal government entities are serving as providers are
included in the regulation's total cost estimate outlined in the impact
analysis. Federal agencies or programs clearly affected by the rule are
those that meet the definition of a covered entity. However, non-
covered agencies or programs that handle medical information, either
under permissible exceptions to the disclosure rules or through an
individual's expressed authorization, will likely incur some costs
complying with provisions of this rule. A sample of federal agencies
encompassed by the
[[Page 82775]]
broad scope of this rule include the: Department of Health and Human
Services, Department of Defense, Department of Veterans Affairs,
Department of State, and the Social Security Administration.
The greatest cost and administrative burden on the federal
government will fall to agencies and programs that act as covered
entities, by virtue of being either a health plan or provider. Examples
include the Medicare, Medicaid, Children's Health Insurance and Indian
Health Service programs at the Department of Health and Human Services;
the CHAMPVA health program at the Department of Veterans Affairs; and
the TRICARE health program at the Department of Defense. These and
other health insurance or provider programs operated by the federal
government are subject to requirements placed on covered entities under
this rule, including, but not limited to, those outlined in Section D
of the impact analysis. While many of these federal programs already
afford privacy protections for individual health information through
the Privacy Act and standards set by the Departments and implemented
through their contracts with providers, this rule is nonetheless
expected to create additional requirements. Further, we anticipate that
most federal health programs will, to some extent, need to modify their
existing practices to comply fully with this rule. The cost to federal
programs that function as health plans will be generally the same as
those for the private sector.
A unique cost to the federal government will be in the area of
enforcement. The Office for Civil Rights (OCR), located at the
Department of Health and Human Services, has the primary responsibility
to monitor and audit covered entities. OCR will monitor and audit
covered entities in both the private and government sectors, will
ensure compliance with requirements of this rule, and will investigate
complaints from individuals alleging violations of their privacy
rights. In addition, OCR will be required to recommend penalties and
other remedies as part of their enforcement activities. These
responsibilities represent an expanded role for OCR. Beyond OCR, the
enforcement provisions of this rule may have additional costs to the
federal government through increased litigation, appeals, and inspector
general oversight.
Examples of other unique costs to the federal government may
include such activities as public health surveillance at the Centers
for Disease Control and Prevention, health research projects at the
Agency for Healthcare Research and Quality, clinical trials at the
National Institutes of Health, and law enforcement investigations and
prosecutions by the Federal Bureau of Investigations. For these and
other activities, federal agencies will incur some costs to ensure that
protected health information is handled and tracked in ways that comply
with the requirements of this title.
We estimate that federal costs under this rule will be
approximately $196 million in 2003 and $1.8 billion over ten years. The
ten-year federal cost estimate represents about 10.2 percent of the
privacy regulation's total cost. This estimate was derived in two
steps.
First, we assumed that the proportion of the privacy regulation's
total cost accruing to the federal government in a given year will be
equivalent to the proportion of projected federal costs as a percentage
of national health expenditures for that year. To estimate these
proportions, we used the Health Care Financing Administration's
November 1998 National Health Expenditure projections (the most recent
data available) of federal health expenditures as a percent of national
health expenditures from 2003 through 2008, trended forward to 2012. We
then adjusted these proportions to exclude Medicare and Medicaid
spending, reflecting the fact that the vast majority of participating
Medicare and Medicaid providers will not be able to pass through the
costs of complying with this rule to the federal government because
they are not reimbursed under cost-based payment systems. This
calculation yields a partial federal cost of $166 million in 2003 and
$770 million over ten years.
Second, we add the Medicare and federal Medicaid costs resulting
from the privacy regulation that HCFA's Office of the Actuary project
can be passed through to the federal government. These costs reflect
the actuaries' assumption regarding how much of the total privacy
regulation cost burden will fall on participating Medicare and Medicaid
providers, based on the November 1998 National Health Expenditure data.
Then the actuaries estimate what percentage of the total Medicare and
federal Medicaid burden could be billed to the programs, assuming that
(1) only 3 percent of Medicare providers and 5 percent of Medicaid
providers are still reimbursed under cost-based payment systems, and
(2) over time, some Medicaid costs will be incorporated into the
state's Medicaid expenditure projections that are used to develop the
federal cost share of Medicaid spending. The results of this actuarial
analysis add another $30 million in 2003 and $1.0 billion over ten
years to the federal cost estimate. Together, these three steps
constitute the total federal cost estimate of $236 million in 2003 and
$2.2 billion over ten years.
Costs to State and Local Governments
The rule will also have a cost effect on various state and local
agencies that administer programs requiring the use of individually
identifiable health information. State and local agencies or programs
clearly affected by the rule are those that meet the definition of a
covered entity. The costs when government entities are serving as
providers are included in the total cost estimates. However, non-
covered agencies or programs that handle individually identifiable
health information, either under permissible exceptions to the
disclosure rules or through an individual's expressed authorization,
will likely incur some costs complying with provisions of this rule.
Samples of state and local agencies or programs encompassed by the
broad scope of this rule include: Medicaid, State Children's Health
Insurance Programs, county hospitals, state mental health facilities,
state or local nursing facilities, local health clinics, and public
health surveillance activities, among others. We have included state
and local costs in the estimation of total costs in this section.
The greatest cost and administrative burden on the state and local
government will fall to agencies and programs that act as covered
entities, by virtue of being either a health plan or provider, such as
Medicaid, State Children's Health Insurance Programs, and county
hospitals. These and other health insurance or provider programs
operated by state and local government are subject to requirements
placed on covered entities under this rule, including, but not limited
to, those outlined in this section (Section E) of the impact analysis.
Many of these state and local programs already afford privacy
protections for individually identifiable health information through
the Privacy Act. For example, state governments often become subject to
Privacy Act requirements when they contract with the federal
government. This rule is expected to create additional requirements
beyond those covered by the Privacy Act. Furthermore, we anticipate
that most state and local health programs will, to some extent, need to
modify their existing Privacy Act practices to fully comply with this
rule. The cost to state
[[Page 82776]]
and local programs that function as health plans will be different than
the private sector, much as the federal costs vary from private health
plans.
A preliminary analysis suggests that state and local government
costs will be on the order of $460 million in 2003 and $2.4 billion
over ten years. We assume that the proportion of the privacy
regulation's total cost accruing to state and local governments in a
given year will be equivalent to the proportion of projected state and
local costs as a percentage of national health expenditures for that
year. To estimate these proportions, we used the Health Care Financing
Administration's November 1998 National Health Expenditure projections
of state and local health expenditures as a percent of national health
expenditures from 2003 through 2008, trended forward to 2012. Based on
this approach, we assume that over the entire 2003 to 2012 period, 13.6
percent, or $2.4 billion, of the privacy regulation's total cost will
accrue to state and local governments. Of the $2.4 billion state and
local government cost, 19 percent will be incurred in the regulation's
first year (2003). In each of the out-years (2004-2012), the average
percent of the total cost incurred will be about nine percent per year.
These state and local government costs are included in the total cost
estimates discussed in the regulatory impact analysis.
F. Benefits
There are important societal benefits associated with improving
health information privacy. Confidentiality is a key component of trust
between patients and providers, and some studies indicate that a lack
of privacy may deter patients from obtaining preventive care and
treatment.\52\ For these reasons, traditional approaches to estimating
the value of a commodity cannot fully capture the value of personal
privacy. It may be difficult for individuals to assign value to privacy
protection because most individuals view personal privacy as a right.
Therefore, the benefits of the proposed regulation are impossible to
estimate based on the market value of health information alone.
However, it is possible to evaluate some of the benefits that may
accrue to individuals as a result of proposed regulation, and these
benefits, alone, suggest that the regulation is warranted. Added to
these benefits is the intangible value of privacy, the security that
individuals feel when personal information is kept confidential. This
benefit is very real and very significant but there are no reliable
means of measuring dollar value of such benefit.
---------------------------------------------------------------------------
\52\ Equifax-Harris Consumer Privacy Survey, 1994.
---------------------------------------------------------------------------
As noted in the comment and response section, a number of
commenters raised legitimate criticisms of the Department's approach to
estimating benefits. The Department considered other approaches,
including attempts to measure benefits in the aggregate rather than the
specific examples set forth in the NPRM. However, we were unable to
identify data or models that would provide credible measures. Privacy
has not been studied empirically from an economic perspective, and
therefore, we concluded that the approach taken in the NPRM is still
the most useful means of illustrating that the benefits of the
regulation are significant in relation to the economic costs.
Before beginning the discussion of the benefits, it is important to
create a framework for how the costs and benefits may be viewed in
terms of individuals rather than societal aggregates. We have estimated
the value an insured individual would need to place on increased
privacy to make the privacy regulation a net benefit to those who
receive health insurance. Our estimates are derived from data produced
by the 1998 Current Population Survey from the Census Bureau (the most
recent available at the time of the analysis), which show that 220
million persons are covered by either private or public health
insurance. Joining the Census Bureau data with the costs calculated in
Section E, we have estimated the cost of the regulation to be
approximately $6.25 per year (or approximately $0.52 per month) for
each insured individual (including people in government programs). If
we assume that individuals who use the health care system will be
willing to pay more than this per year to improve health information
privacy, the benefits of the proposed regulation will outweigh the
cost.
This is a conservative estimate of the number of people who will
benefit from the regulation because it assumes that only those
individuals who have health insurance or are in government programs
will use medical services or benefit from the provisions of the
proposed regulation. Currently, there are 42 million Americans who do
not have any form of health care coverage. The estimates do not include
those who pay for medical care directly, without any insurance or
government support. By lowering the number of users in the system, we
have inflated our estimate of the per-person cost of the regulation;
therefore, we assume that our estimate represents the highest possible
cost for an individual.
An alternative approach to determining how people would have to
value increased privacy for this regulation to be beneficial is to look
at the costs divided by the number of encounters with health care
professionals annually. Data from the Medical Expenditure Panel Survey
(MEPS) produced by the Agency for Healthcare Policy Research (AHCPR)
show approximately 776.3 million health care visits (e.g., office
visits, hospital and nursing home stays, etc.) in the first year
(2003). As with the calculation of average annual cost per insured
patient, we divided the total cost of complying with the regulation by
the total annual number of health care visits. The cost of instituting
requirements of the proposed regulation is $0.19 per health care visit.
If we assume that individuals would be willing to pay more than $0.19
per health care visit to improve health information privacy, the
benefits of the proposed regulation outweigh the cost.
Qualitative Discussion
A well designed privacy standard can be expected to build
confidence among the public about the confidentiality of their medical
records. The seriousness of public concerns about privacy in general
are shown in the 1994 Equifax-Harris Consumer Privacy Survey, where
``84 percent of Americans are either very or somewhat concerned about
threats to their personal privacy.'' \53\ A 1999 report, ``Promoting
Health and Protecting Privacy'' notes ``* * * many people fear their
personal health information will be used against them: to deny
insurance, employment, and housing, or to expose them to unwanted
judgements and scrutiny.'' \54\ These concerns would be partly allayed
by the privacy standard.
---------------------------------------------------------------------------
\53\ Consumer Privacy Survey, Harris-Equifax, 1994, p vi.
\54\ Promoting Health: Protecting Privacy, California Health
Care Foundation and Consumers Union, January 1999, p 12.
---------------------------------------------------------------------------
Fear of disclosure of treatment is an impediment to health care for
many Americans. In the 1993 Harris-Equifax Health Information Privacy
Survey, seven percent of respondents said they or a member of their
immediate family had chosen not to seek medical services due to fear of
harm to job prospects or other life opportunities. About two percent
reported having chosen not to file an insurance claim because of
concerns of lack of privacy or confidentiality.\55\ Increased
confidence
[[Page 82777]]
on the part of patients that their privacy would be protected would
lead to increased treatment among people who delay or never begin care,
as well as among people who receive treatment but pay directly (to the
extent that the ability to use their insurance benefits will reduce
cost barriers to more complete treatment). It will also change the
dynamic of current payments. Insured patients currently paying out-of-
pocket to protect confidentiality will be more likely to file with
their insurer and to seek all necessary care. The increased utilization
that would result from increased confidence in privacy could be
beneficial under many circumstances. For many medical conditions, early
and comprehensive treatment can lead to lower costs.
---------------------------------------------------------------------------
\55\ Health Information Survey, Harris-Equifax, 1993, pp 49-50.
---------------------------------------------------------------------------
The following are four examples of areas where increased confidence
in privacy would have significant benefits. They were chosen both
because they are representative of widespread and serious health
problems, and because they are areas where reliable and relatively
complete data are available for this kind of analysis. The logic of the
analysis, however, applies to any health condition, including
relatively minor conditions. We expect that some individuals might be
concerned with maintaining privacy even if they have no significant
health problems because it is likely that they will develop a medical
condition in the future that they will want to keep private.
Cancer
The societal burden of disease imposed by cancer is indisputable.
Cancer is the second leading cause of death in the US,\56\ exceeded
only by heart disease. In 2000, it is estimated that 1.22 million new
cancer cases will be diagnosed.\57\ The estimated prevalence of cancer
cases (both new and existing cases) in 1999 was 8.37 million.\58\ In
addition to mortality, incidence, and prevalence rates, the other
primary methods of assessing the burden of disease are cost-of-illness
and quality of life measures.\59\ Cost of illness measures the economic
costs associated with treating the disease (direct costs) and lost
income associated with morbidity and mortality (indirect costs). The
National Institutes of Health estimates that the overall annual cost of
cancer in 1990 was $96.1 billion; $27.5 billion in direct medical costs
and $68.7 billion for lost income due to morbidity and mortality.\60\
Health-related quality of life measures integrate the mortality and
morbidity effects of disease to produce health status scores for an
individual or population. For example, the Quality Adjusted Life Year
(QALY) combines the pain, suffering, and productivity loss caused by
illness into a single measure. The Disability Adjusted Life Year (DALY)
is based on the sum of life years lost to premature mortality and years
that are lived, adjusted for disability.\61\ The analysis below is
based on the cost-of-illness measure for cancer, which is more
developed than the quality of life measure.
---------------------------------------------------------------------------
\56\ American Cancer Society. http://4a2z.com/cgi/rfr.cgi?4CANCER-2-http://www.cancer.org/frames.html
\57\ American Cancer Society. http://www3.cancer.org/cancerinfo/sitecenter.asp?ctid= 8&scp= 0&scs= 0&scss= 0&scdoc = 40000.
\58\ Polednak, AP. ``Estimating Prevalence of Cancer in the
United States,'' Cancer 1997; 8-:136-41
\59\ Martin Brown, ``The Burden of Illness of Cancer: Economic
Cost and Quality of Life.'' Annual Review of Public Health,
2001:22:91-113.
\60\ Disease-Specific Estimates of Direct and Indirect Costs of
Illness and NIH Support: Fiscal Year 2000 Update. Department of
Health and Human Services, Naitonal Institutes of Health, Office of
the Director, February 2000.
\61\ DALY scores for 10 cancer sites are presented in Brown,
``The Burden of Illness of Cancer: Economic Cost and Quality of
Life,'' figure 1.
---------------------------------------------------------------------------
Among the most important elements in the fight against cancer are
screening, early detection and treatment of the disease. However, many
patients are concerned that cancer detection and treatment will make
them vulnerable to discrimination by insurers or employers. These
privacy concerns have been cited as a reason patients do not seek early
treatment for diseases such as cancer. As a result of forgoing early
treatment, cancer patients may ultimately face a more severe illness
and/or premature death.
Increasing people's confidence in the privacy of their medical
information would encourage more people with cancer to seek cancer
treatment earlier, which would increase cancer survival rates and thus
reduce the lost wages associated with cancer. For example, only 24
percent of ovarian cancers are diagnosed in the early stages. Of these,
approximately 90 percent of patients survive treatment. The survival
rate of women who detect breast cancer early is similarly high; more
than 90 percent of women who detect and treat breast cancer in its
early stages will survive.\62\
---------------------------------------------------------------------------
\62\ Breast Cancer Information Service. http://trfn.clpgh.org/bcis/FAQ/facts2.html
---------------------------------------------------------------------------
We have attempted to estimate the annual savings in foregone wages
that would result from earlier treatment due to enhanced protection of
the privacy of medical records. We do not assume there would be
increased medical costs from earlier treatment because the costs of
earlier and longer cancer treatment are probably offset by the costs of
treating late-stage cancer among people who would otherwise not be
treated until their cases had progressed.
Although figures on the number of individuals who avoid cancer
treatment due to privacy concerns do not exist, some indirect evidence
is available. A 1993 Harris-Equifax Health Information Privacy Survey
(noted earlier) found that seven percent of respondents reported that
they or a member of their immediate family had chosen not to seek
services for a physical or mental health condition due to fear of harm
to job prospects or other life opportunities. It should be noted that
this survey is somewhat dated and represents only one estimate.
Moreover, given the wording of the question, there are other reasons
aside from privacy concerns that led these individuals to respond
affirmatively. However, for the purposes of this estimate, we assume
that privacy concerns were responsible for the majority of positive
responses.
Based on the Harris-Equifax survey estimate that seven percent of
people did not seek services for physical or mental health conditions
due to fears about job prospects or other opportunities, we assume that
the proportion of people diagnosed with cancer who did not seek earlier
treatment due to these fears is also seven percent. Applying this seven
percent figure to the estimated number of total cancer cases (8.37
million) gives us an estimate of 586,000 people who did not seek
earlier cancer treatment due to privacy concerns. We estimate annual
lost wages due to cancer morbidity and mortality per cancer patient by
dividing total lost wages ($68.7 billion) by the number of cancer
patients (8.37 million), which rounds to $8,200. We then assume that
cancer patients who seek earlier treatment would achieve a one-third
reduction in cancer mortality and morbidity due to earlier treatment.
The assumption of a one-third reduction in mortality and morbidity is
derived from a study showing a one-third reduction in colorectal cancer
mortality due to colorectal cancer screening.\63\ We could have chosen
a lower or higher treatment success rate. By multiplying 586,000 by
$8,200 by one-third, we calculate that $1.6 billion in lost wages could
be saved each year by encouraging more people to seek early cancer
treatment through enhanced privacy protections. This estimate
illustrates the potential savings
[[Page 82778]]
in lost wages due to cancer that could be achieved with greater privacy
protections.
---------------------------------------------------------------------------
\63\ Jack S. Mandel, et al., ``Reducing Mortality from
Colorectal Cancer by Screening for Fecal Occult Blood,'' The New
England Journal of Medicine, May 13, 1993, Vol, 328, No. 19.
---------------------------------------------------------------------------
HIV/AIDS
Early detection is essential for the survival of a person with HIV
(Human Immunodeficiency Virus). Concerns about the confidentiality of
HIV status would likely deter some people from getting tested. For this
reason, each state has passed some sort of legislation regarding
confidentiality of an individual's HIV status. However, HIV status can
be revealed indirectly through disclosure of HAART (Highly Active Anti-
Retroviral Therapy) or similar HIV treatment drug use. In addition,
since HIV/AIDS (Acquired Immune Deficiency Syndrome) is often the only
specially protected condition, ``blacked out'' information on medical
charts could indicate HIV positive status.\64\ Strengthening privacy
protections beyond this disease could increase confidence in privacy
regarding HIV as well. Drug therapy for HIV positive persons has proven
to be a life-extending, cost-effective tool.\65\ A 1998 study showed
that beginning treatment with HAART in the early asymptomatic stage is
more cost-effective than beginning it late. After five years, only 15
percent of patients with early treatment are estimated to develop an
ADE (AIDS-defining event), whereas 29 percent would if treatment began
later. Early treatment with HAART prolongs survival (adjusted for
quality of life) by 6.2 percent. The overall cost of early HAART
treatment is estimated at $23,700 per quality-adjusted year of life
saved.\66\
---------------------------------------------------------------------------
\64\ Promoting Health: Protecting Privacy, California Health
Care Foundation and Consumers Union, January 1999, p 13
\65\ For example, Roger Detels, M.D., et al., in ``Effectiveness
of Potent Anti-retroviral Therapy. * * *'' JAMA, 1998; 280:1497-1503
note the impact of therapy on HIV persons with respect to
lengthening the time to development of AIDS, not just delaying death
in persons who already have AIDS.
\66\ John Hornberger et al., ``Early treatment with highly
active anti-retroviral therapy (HAART) is cost-effective compared to
delayed treatment,'' 12th World AIDS conference, 1998.
---------------------------------------------------------------------------
Other Sexually Transmitted Diseases
It is difficult to know how many people are avoiding testing for
STDs despite having a sexually transmitted disease. A 1998 study by the
Kaiser Family Foundation found that the incidence of disease was 15.3
million in 1996, though there is great uncertainty due to under-
reporting.\67\ For a potentially embarrassing disease such as an STD,
seeking treatment requires trust in both the provider and the health
care system for confidentiality of such information. Greater trust
should lead to more testing and greater levels of treatment. Earlier
treatment for curable STDs can mean a decrease in morbidity and the
costs associated with complications. These include expensive fertility
problems, fetal blindness, ectopic pregnancies, and other reproductive
complications.\68\ In addition, there could be greater overall savings
if earlier treatment translates into reduced spread of infections.
---------------------------------------------------------------------------
\67\ Sexually Transmitted Diseases in America, Kaiser Family
Foundation, 1998, p. 12.
\68\ Standard Medical information; see http://www.mayohealth.org
for examples.
---------------------------------------------------------------------------
Mental Health Treatment
When individuals have a better understanding of the privacy
practices that we are requiring in this proposed rule, some will be
less reluctant to seek mental health treatment. One way that
individuals will receive this information is through the notice
requirement. Increased use of mental health and services would be
expected to be beneficial to the persons receiving the care, to their
families, and to society at large. The direct benefit to the individual
from treatment would include improved quality of life, reduced
disability associated with mental conditions, reduced mortality rate,
and increased productivity associated with reduced disability and
mortality. The benefit to families would include quality of life
improvements and reduced medical costs for other family members
associated with abusive behavior by the treated individual.
The potential economic benefits associated with improving privacy
of individually identifiable health information and thus encouraging
some portion of individuals to seek initial mental health treatment or
increase service use are difficult to quantify well. Nevertheless,
using a methodology similar to the one used above to estimate potential
savings in cancer costs, one can lay out a range of possible benefit
levels to illustrate the possibility of cost savings associated with an
expansion of mental health and treatment to individuals who, due to
protections offered by the privacy regulation, might seek treatment
that they otherwise would not have. This can be illustrated by drawing
upon existing data on the economic costs of mental illness and the
treatment effectiveness of interventions.
The 1998 Substance Abuse and Mental Health Statistics Source Book
from the Substance Abuse and Mental Health Services Administration
(SAMHSA) estimates that the economic cost to society of mental illness
in 1994 was about $204.4 billion. About $91.7 billion was due to the
cost of treatment and medical care and $112.6 billion (1994 dollars)
was due to loss of productivity associated with morbidity and mortality
and other related costs, such as crime.\69\ Evidence suggests that
appropriate treatment of mental health disorders can result in 50-80
percent of individuals experiencing improvements in these types of
conditions. Improvements in patient functioning and reduced hospital
stays could result in hundreds of millions of dollars in cost savings
annually.
---------------------------------------------------------------------------
\69\ Substance Abuse and Mental Health Services Administration.
http://www.samhsa.gov/oas/srcbk/costs-02htm. Source of data: DP
Rice, Costs of Mental Illness (unpublished data).
---------------------------------------------------------------------------
Although figures on the number of individuals who avoid mental
health treatment due to privacy concerns do not exist, some indirect
evidence is available. As noted in the cancer discussion, the 1993
Harris-Equifax Health Information Privacy Survey found that 7 percent
of respondents reported that they or a member of their immediate family
had chosen not to seek services for a physical or mental health
condition due to fear of harm to job prospects or other life
opportunities. (See above for limitations to this data).
We assume that the proportion of people with a mental health
disorder who did not seek treatment due to fears about job prospects or
other opportunities is the same as the proportion in the Harris-Equifax
survey sample who did not seek services for physical or mental health
conditions due to the same fears (7 percent). The 1999 Surgeon
General's Report on Mental Health estimates that 28 percent of the U.S.
adult population has a diagnosable mental and/or substance abuse
disorder and 20 percent of the population has a mental and/or substance
abuse disorder for which they do not receive treatment.\70\ Based on
the Surgeon General's Report, we estimate that 15 percent of the adult
population has a mental disorder for which they do not seek
treatment.\71\ Assuming that 7
[[Page 82779]]
percent of those with mental disorders did not seek treatment due to
privacy concerns, we estimate that 1.05 percent of the adult population
\72\ (15 percent multiplied by 7 percent), or 2.07 million people, did
not seek treatment for mental illness due to privacy fears.
---------------------------------------------------------------------------
\70\ Department of Health and Human Services, Mental Health: A
Report of the Surgeon General. Rockville, MD: 1999, page 408.
\71\ According to the Surgeon General's Report, 28 percent of
the adult population have either a mental or addictive disorder,
whether or not they receive services: 19 percent have a mental
disorder alone, 6 percent have a substance abuse disorder alone, and
3 percent have both. Subtracting the 3 percent who have both, about
three-quarters of the population with either a mental or addictive
disorder have a mental disorder and one-quarter have a substance
abuse disorder. We assume that this ratio (three-quarter to one-
quarter) is the same for the adult population with either a mental
or addictive disorder who do not receive services. Thus, we assume
that 15 percent of the population have an untreated mental disorder
(three-quarters of 20 percent) and 5 percent have an untreated
addictive disorder (one-quarter of 20 percent).
\72\ According to the Population Estimates Program, Population
Division, U.S. Census Bureau, the U.S. population age 20 and older
is 197.1 million on Sept. 1, 2000. This estimate of the adult
population is used throughout this section.
---------------------------------------------------------------------------
The indirect (non-treatment) economic cost of mental illness per
person with mental illness is $2,590 ($112.6 billion divided by 43.4
million people with mental illness).\73\ The treatment cost of mental
illness per person with mental illness is $2,110 ($91.7 billion divided
by 43.4 million individuals). If we assume that indirect economic costs
saved by encouraging more individuals with mental illness to enter
treatment are offset by the additional treatment costs, the net savings
is about $480 per person.
---------------------------------------------------------------------------
\73\ The number of adults with mental illness is calculated by
multiplying the U.S. Census Bureau estimate of the U.S. adult
population--197.1 million--by the percent of the adult population
with mental illness--22 percent, according to the Surgeon General's
Report on Mental Health, which says that 19 percent of the
population have a mental disorder alone and three percent have a
mental and substance abuse disorder.
---------------------------------------------------------------------------
As stated above, appropriate treatment of mental health disorders
can result in 50-80 percent of individuals experiencing improvements in
these types of conditions. Therefore, we multiply the number of
individuals with mental disorders who would seek treatment with greater
privacy protections (2.07 million) by the treatment effectiveness rate
by the net savings per effective treatment ($480). Assuming a 50
percent success rate, this equation yields annual savings of $497
million. Assuming an 80 percent success rate, this yields annual
savings of $795 million.
Given the existing data on the annual economic costs of mental
illness and the rates of treatment effectiveness for these disorders,
coupled with assumptions regarding the percentage of individuals who
would seek mental health treatment with greater privacy protections,
the potential net economic benefits could range from approximately $497
million to $795 million annually.
V. Final Regulatory Flexibility Analysis
A. Introduction
Pursuant to the Regulatory Flexibility Act 5 U.S.C. 601 et seq.,
the Department must prepare a regulatory flexibility analysis if the
Secretary certifies that a final rule would have a significant economic
impact on a substantial number of small entities.\74\
---------------------------------------------------------------------------
\74\ ``Entities'' and ``establishments'' are synonymous in this
analysis.
---------------------------------------------------------------------------
This analysis addresses four issues: (1) The need for, and
objective of, the rule; (2) a summary of the public comments to the
NPRM and the Department's response; (3) a description and estimate of
the number of small entities affected by the rule; and (4) a
description of the steps the agency has taken to minimize the economic
impact on small entities, consistent with the law and the intent of the
rule. The following sections provide details on each of these issues. A
description of the projected reporting and record keeping requirements
of the rule are included in Section IX, below.
B. Reasons for Promulgating the Rule
This proposed rule is being promulgated in response to a statutory
mandate to do so under section 264 of Public Law 104-191. Additional
information on the reasons for promulgating the rule can be found in
earlier preamble discussions (see Section I. B. above).
1. Objectives and Legal Basis
This information can be found in earlier preamble discussions (See
I. C. and IV., above).
2. Relevant Federal Provisions
This information can be found in earlier preamble discussions (See
I. C., above).
C. Summary of Public Comments
The Department received only a few comments regarding the Initial
Regulatory Flexibility Analysis (IRFA) contained in the NPRM. A number
of commenters argued that the estimates IRFA were too low or
incomplete. The estimates were incomplete to the extent that a number
of significant policy provisions in the proposal were not estimated
because of too little information at the time. In the final IRFA we
have estimates for these provisions. As for the estimates being too
low, the Department has sought as much information as possible. The
methodology employed for allocating costs to the small business sectors
is explained in the following section.
Most of the other comments pertaining to the IRFA criticized
specific estimates in the NPRM. Generally, the commenters argued that
certain cost elements were not included in the cost estimates presented
in the NPRM. The Department has expanded our description of our data
and methodology in both the final RIA and this final RFA to try to
clarify the data and assumptions made and the rationale for using them.
Finally, a number of commenters suggested that small entities be
exempted from coverage from the final rule, or that they be given more
time to comply. As the Department has explained in the Response to
Comment section above, such changes were considered but rejected. Small
entities constitute the vast majority of all entities that are covered;
to exempt them would essentially nullify the purpose of the rule.
Extensions were also considered but rejected. The rule does not take
effect for two years, which is ample time for small entities to learn
about the rule and make the necessary changes to come into compliance.
D. Economic Effects on Small Entities
1. Number and Types of Small Entities Affected
The Small Business Administration defines small businesses in the
health care sector as those organizations with less than $5 million in
annual revenues. Nonprofit organizations are also considered small
entities;\75\ however, individuals and states are not included in the
definition of a small entity. Similarly, small government jurisdictions
with a population of less than 50,000 are considered small
entities.\76\
---------------------------------------------------------------------------
\75\ ``Entities'' and ``establishments'' are used synonymously
in this RFA.
\76\ ``Small governments'' were not included in this analysis
directly; rather we have included the kinds of institutions within
those governments that are likely to incur costs, such as government
hospitals and clinics.
---------------------------------------------------------------------------
Small business in the health care sector affected by this rule may
include such businesses as: Nonprofit health plans, hospitals, and
skilled nursing facilities (SNFs); small businesses providing health
coverage; small physician practices; pharmacies; laboratories; durable
medical equipment (DME) suppliers; health care clearinghouses; billing
companies; and vendors that supply software applications to health care
entities.
The U.S. Small Business Administration reports that as of 1997,
there were 562,916 small health care entities \77\ classified within
the SIC
[[Page 82780]]
codes we have identified as being covered establishments (Table A).
---------------------------------------------------------------------------
\77\ Entities are the physical location where an enterprise
conducts business. An enterprise may conduct business in more than
one establishment.
[GRAPHIC] [TIFF OMITTED] TR28DE00.000
These small businesses represent 82.6% of all health care
establishments examined.\78\ Small businesses represent a significant
portion of the total number of health care establishments but a small
portion of the revenue stream for all health care establishments. In
1997, the small health care businesses represented generated
approximately $430 billion in annual receipts, or 30.2% of the total
revenue generated by health care establishments (Table B).\79\ The
following sections provide estimates of the number of small health care
establishments that will be required to comply with the rule. Note,
however, that the SBA's published annual receipts of health care
industries differ from the National Health Expenditure data that the
Health Care Financing Administration (HCFA) maintains.
[[Page 82781]]
These data do not provide the specific revenue data required for a RFA;
only the SBA data has the requisite establishment and revenue data for
this analysis.
---------------------------------------------------------------------------
\78\ Office of Advocacy, U.S. Small Business Administration,
from data provided by the Bureau of the Census, Statistics of U.S.
Businesses, 1997.
\79\ Op.cit, 1997.
[GRAPHIC] [TIFF OMITTED] TR28DE00.002
[[Page 82782]]
The Small Business Administration reports that approximately 74
percent of the 18,000 medical laboratories and dental laboratories in
the U.S. are small entities.\80\ Furthermore, based on SBA data, 55
percent of the 3,300 durable medical equipment suppliers that are not
part of drug and proprietary stores in the U.S. are small entities.
Over 90 percent of health practitioner offices are small
businesses.\81\ Doctor offices (90%), dentist offices (99%), osteopathy
(97%) and other health practitioner offices (97%) are primarily
considered small businesses.
---------------------------------------------------------------------------
\80\ Office of Advocacy, U.S. Small Business Administration,
from data provided by the Bureau of the Census, Statistics of U.S.
Businesses, 1997.
\81\ Op.cit., 1997.
---------------------------------------------------------------------------
There are also a number of hospitals, home health agencies, non-
profit nursing facilities, and skilled nursing facilities that will be
affected by the proposed rule. According to the American Hospital
Association, there are approximately 3,131 nonprofit hospitals
nationwide. Additionally, there are 2,788 nonprofit home health
agencies in the U.S. and the Health Care Financing Administration
reports that there are 591 nonprofit nursing facilities and 4,280
nonprofit skilled nursing facilities.\82\
---------------------------------------------------------------------------
\82\ Health Care Financing Administration, OSCAR.
---------------------------------------------------------------------------
Some contractors that are not covered entities but that work with
covered health care entities will be required to adopt policies and
procedures to protect information. We do not expect that the additional
burden placed on contractors will be significant. We have not estimated
the effect of the proposed rule on these entities because we cannot
reasonably anticipate the number or type of contracts affected by the
proposed rule. We also do not know the extent to which contractors
would be required to modify their policy practices as a result of the
rule.
2. Activities and Costs Associated With Compliance
This section summarizes specific activities that covered entities
must undertake to comply with the rule's provisions and options
considered by the Department that would reduce the burden to small
entities. In developing this rule, the Department considered a variety
of alternatives for minimizing the economic burden that it will create
for small entities. We did not exempt small businesses from the rule
because they represent such a large and critical proportion of the
health care industry (82.6 percent); a significant portion of
individually identifiable health information is generated or held by
these small businesses.
The guiding principle in our considerations of how to address the
burden on small entities has been to make provisions performance rather
than specification oriented--that is, the rule states the standard to
be achieved but allows institutions flexibility to determine how to
achieve the standard within certain parameters. Moreover, to the extent
possible, we have allowed entities to determine the extent to which
they will address certain issues. This ability to adapt provisions to
minimize burden has been addressed in the regulatory impact analysis
above, but it will be briefly discussed again in the following section.
Before discussing specific provisions, it is important to note some
of the broader questions that were addressed in formulating this rule.
The Department considered extending the compliance period for small
entities but concluded that it did not have the legal authority to do
so (see discussion above). The rule, pursuant to HIPAA, creates an
extended compliance time of 36 months (rather than 24 months) only for
small health plans and not for other small entities. The Department
also considered giving small entities longer response times for time
limits set forth in the rule, but decided to establish standard time
limits that we believe are reasonable for covered entities of all
sizes, with the understanding that larger entities may not need as much
time as they have been allocated in certain situations. This permits
each covered entity the flexibility to establish policies regarding
time limits that are consistent with the entity's current practices.
Although we considered the needs of small entities during our
discussions of all provisions for this final rule, we are highlighting
the most significant discussions in the following sections:
Scalability
Wherever possible, the final rule provides a covered entity with
flexibility to create policies and procedures that are best suited to
the entity's current practices in order to comply with the standards,
implementation specifications, and requirements of the rule. This
allows the covered entity to assess its own needs in devising,
implementing, and maintaining appropriate privacy policies, procedures,
and documentation to address these regulatory requirements. It also
will allow a covered entity to take advantage of developments and
methods for protecting privacy that will evolve over time in a manner
that is best suited to that institution. This approach allows covered
entities to strike a balance between protecting privacy of individually
identifiable health information and the economic cost of doing so
within prescribed boundaries set forth in the rule. Health care
entities must consider both factors when devising their privacy
solutions. The Department assumes that professional and trade
associations will provide guidance to their members in understanding
the rule and providing guidance on how they can best achieve
compliance. This philosophy is similar to the approach in the
Transactions Rule.
The privacy standard must be implemented by all covered entities,
regardless of size. However, we believe that the flexible approach
under this rule is more efficient and appropriate then a single
approach to safeguarding health information privacy. For example, in a
small physician practice, the office manager might be designated to
serve as the privacy official as one of many of her duties. In a large
health plan, the privacy official position may require more time and
greater privacy experience, or the privacy official may have the
regular support and advice of a privacy staff or board. The entity can
decide how to implement this privacy official requirement based on the
entity's structure and needs.
The Department decided to use this scaled approach to minimize the
burden on all entities, with an emphasis on small entities. The varying
needs and capacities of entities should be reflected in the policies
and procedures adopted by the organization and the overall approach it
takes to achieve compliance.
Minimum Necessary
The ``minimum necessary'' policy in the final rule has essentially
three components: first, it does not pertain to certain uses and
disclosures including treatment-related exchange of information among
health care providers; second, for disclosures that are made on a
routine basis, such as insurance claims, a covered entity is required
to have policies and procedures governing such exchanges (but the rule
does not require a case-by-case determination in such cases); and
third, providers must have a process for reviewing non-routine requests
on a case-by-case basis to assure that only the minimum necessary
information is disclosed. The final rule makes changes to the NPRM that
reduce the burden of compliance on small businesses.
Based on public comments and subsequent fact-finding, the
Department sought to lessen the burden of this
[[Page 82783]]
provision. The NPRM proposed applying the minimum necessary standard to
disclosures to providers for treatment purposes and would have required
individual review of all uses of protected health information. The
final rule exempts disclosures of protected health information from a
covered entity to a health care provider for treatment from the minimum
necessary provision and eliminates the case-by-case determinations that
would have been necessary under the NPRM. The Department has concluded
that the requirements of the final rule are similar to the current
practice of most health care providers. For standard disclosure
requests, for example, providers generally have established procedures.
Under the final rule providers will have to have policies and
procedures to determine the minimum amount of protected health
information to disclose for standard disclosure requests as well, but
may need to review and revise existing procedures to make sure they are
consistent with the final rule. For non-routine disclosures, providers
have indicated that they currently ask questions to discern how much
information should be disclosed. In short, the minimum necessary
requirements of this rule are similar to current practice, particularly
among small providers.
Policy and Procedures
The rule requires that covered entities develop and document
policies and procedures with respect to protected health information to
establish and maintain compliance with the regulation. Through the
standards, requirements, and implementation specifications, we are
proposing a framework for developing and documenting privacy policies
and procedures rather than adopting a rigid, prescriptive approach to
accommodate entities of different sizes, type of activities, and
business practices. Small providers will be able to develop more
limited policies and procedures under the rule, than will large
providers and health plans, based on the volume of protected health
information. We also expect that provider and health plan associations
will develop model policies and procedures for their members, which
will reduce the burden on small businesses.
Privacy Official
The rule requires covered entities to designate a privacy official
who will be responsible for the development and implementation of
privacy policies and procedures. The implementation of this requirement
may vary based on the size of the entity. For example, a small
physician's practice might designate the office manager as the privacy
official in addition to her broader administrative responsibilities.
Once the privacy official has been trained, the time required to
accomplish the duties imposed on such person is not likely to be much
more than under current practice. Therefore, the requirement imposes a
minimal burden on small businesses.
Internal Complaints
The final rule requires covered entities to have an internal
process for individuals to make complaints regarding the covered
entities' privacy policies and procedures required by the rule and its
compliance with such policies. The requirement includes identifying a
contact person or office responsible for receiving complaints and
documenting all complaints received and the disposition of such
complaints, if any. The covered entity only is required to receive and
document a complaint (the complaint can be oral or in writing), which
should take a short amount of time. The Department believes that
complaints about a covered entity's privacy policies and procedures
will be uncommon. Thus, the burden on small businesses should be
minimal.
Training
In developing the NPRM, the Department considered a number of
alternatives for training, including requiring specific training
materials, training certification, and periodic retraining. In the
NPRM, the Department recommended flexibility in the materials and
training method used, but proposed recertification every three years
and retraining in the event of material changes in policy.
Based on public comment, particularly from small businesses, the
Department has lessened the burden in the final rule. As in the
proposal, the final rule requires all employees who are likely to have
contact with protected health information to be trained. Covered
entities will have to train employees by the compliance date specific
to the type of covered entity and train new employees within a
reasonable time of initial employment. In addition, a covered entity
will have to train each member of its workforce whose functions are
affected by a material change in the policies or procedures of such
entity. However, the final rule leaves to the employer the decisions
regarding the nature and method of training to achieve this
requirement. The Department expects a wide variety of options to be
made available by associations, professional groups, and vendors.
Methods might include classroom instruction, videos, booklets, or
brochures tailored to particular levels of need of workers and
employers. Moreover, the recertification requirement of the NPRM has
been dropped to ease the burden on small entities.
Consent
The NPRM proposed prohibiting covered entities from requiring
individuals to provide written consent for the use and disclosure of
protected health information for treatment, payment, and health care
operations purposes. The final rule requires certain health care
providers to obtain written consent before using or disclosing
protected health information for treatment, payment, and health care
operations, with a few exceptions. This requirement was included in the
final rule in response to comments that this reflects current practice
of health care providers health care providers with direct treatment
relationships. Because providers are already obtaining such consent,
this requirement represents a minimal burden.
Notice of Privacy Rights
The rule requires covered entities to prepare and make available a
notice that informs individuals about uses and disclosures of protected
health information that may be made by the covered entity and that
informs of the individual's rights and covered entity's legal duties
with respect to protected health information. The final rule makes
changes to the NPRM that reduce the burden of this provision on covered
entities and allows flexibility. The NPRM proposed that the notice
describe the uses and disclosures of information that the entity
expected to make without individual authorization. The final rule only
requires that the notice describe uses and disclosures that the entity
is permitted or required to make under the rule without an individual's
written consent or authorization. This change will allow entities to
use standardized notice language within a given state, which will
minimize the burden of each covered entity preparing a notice.
Professional associations may develop model language to assist entities
in developing notices required by the rule. While the final rule
specifies minimum notice requirements, it allows entities flexibility
to add more detail about a covered entity's privacy policies.
The NPRM also proposed that health plans distribute the notice
every three years. The final rule reduced this
[[Page 82784]]
burden by requiring health plans (in addition to providing notice to
individuals at enrollment and prior to the compliance date of this
rule) to inform individuals at least once every three years about the
availability of the notice and how to obtain a copy rather than to
distribute a copy of the notice.
In discussing the requirement for covered entities to prepare and
make available a notice, we considered exempting small businesses (83
percent of entities) or extremely small entities (fewer than 10
employees). The Department decided that informing consumers of their
privacy rights and of the activities of covered entities with which
they conduct business was too important a goal of this rule to exempt
any entities.
In addition to requiring a basic notice, we considered requiring a
longer more detailed notice that would be available to individuals on
request. However, we decided that it would be overly burdensome to all
entities, especially small entities, to require two notice.
We believe that the proposed rule appropriately balances the
benefits of providing individuals with information about uses and
disclosures of protected health information with covered entities' need
for flexibility in describing such information.
Access to Protected Health Information
The public comments demonstrate that inspection and copying of
individually identifiable health information is wide-spread today.
Individuals routinely request copies of such information, in whole or
in part, for purposes that include providing health information to
another health care provider or as part of legal proceedings. The
amount of inspection and copying of individually identifiable health
information that occurs for these purposes is not expected to change as
a result of the final regulation.
The final regulation establishes the right of individuals to
inspect and copy protected health information about them. Although this
is an important right, the Department does not expect it to result in
dramatic increases in requests from individuals. We assume that most
health care providers currently have procedures for allowing patients
to inspect and copy this information. The economic impact on small
businesses of requiring covered entities to provide individuals with
access to protected health information should be relatively small.
Moreover, entities can recoup the costs of copying such information by
charging reasonable cost-based fees.
Amendments to Protected Health Information
Many health care providers and health plans currently make
provisions to help patients expedite amendments and corrections of
their medical record where appropriate. If an error exists, both the
patient and the health care provider on health plan benefit from the
correction. However, as with inspection and copying, a person's right
to request amendment and correction of individually identifiable health
information about them is not guaranteed by all states. Based on these
assumptions, the Department concludes that the principal economic
effect of the final rule will be to expand the right to request
amendments to protected health information held by health plans and
covered health care providers to those who are currently granted such
right by state law. In addition, the rule may draw additional attention
to the issue of record inaccuracies and stimulate patient demand for
amendment of medical records.
Under the final regulation, if an individual requests an amendment
to protected health information about him or her, the health care
provider must either accept the amendment or provide the individual
with the opportunity to submit a statement disagreeing with the denial.
We expect the responses to requests will vary; sometimes an assistant
will only make the appropriate notation in the record, requiring only a
few minutes; other times a health care provider or manager will review
the request and make changes if appropriate, which may require as much
as an hour.
Unlike inspections, which currently occur in a small percentage of
cases, fact-finding suggests that individuals rarely seek to amend
their records today, but the establishment of this right in the rule
may spur more requests, including among those who in the past would
have only sought to inspect their records. Nevertheless, we expect that
the absolute number of additional amendment requests caused by the rule
to be small (about 200,000 per per spread over more than 600,000
entities), which will impose only a minor burden on small businesses.
Accounting for Disclosures
The rule grants individuals the right to receive an accounting of
disclosures made by a health care provider or plan for purposes other
than treatment, payment, or health care operations, with certain
exceptions such as disclosures to the individual. The individual may
request an accounting of disclosures made up to six years prior to the
request. In order to fulfill such requests, covered health care
providers and health plans may track disclosures by making a notation
in the individual's medical record regarding the (manual or electronic)
when a disclosure is made. We have learned through fact-finding that
some health care providers currently track various types of
disclosures. Moreover, the Department does not expect many individuals
will request an accounting of disclosures. Thus, this requirement will
impose a minor burden on small businesses.
De-Identification of Information
In this rule, the Department allows covered entities to determine
that health information is de-identified (i.e. that it is not
individually identifiable health information), if certain conditions
are met. Moreover, information that has been de-identified in
accordance with the rule is not considered individually identifiable
information and may be used or disclosed without regard to the
requirements of the regulation. The covered entity may assign a code or
other means of record identification to allow de-identified information
to be re-identified if requirements regarding derivation and security
are met.
As with other components of this rule, the approach used to remove
identifiers from data can be scaled to the size of the entity.
Individually identifiable health information can be de-identified in
one of two ways; by either removing each of the identifiers listed in
the rule or by engaging in a statistical and scientific analysis to
determine that information is very unlikely to identify an individual.
Small entities without the resources to conduct such an analysis can
create de-identified information by removing the full list of possible
identifiers set forth in this regulation. Unless the covered entity
knows that the information could still identify an individual, the
requirement of this rule would be fulfilled. However, larger, more
sophisticated covered entities may close to determine independently
what information needs to be removed based on sophisticated statistical
and scientific analysis.
Efforts to remove identifiers from information are optional. If a
covered entity can not use or disclose protected health information for
a particular purpose but believes that removing identifiers is
excessively burdensome, it can choose not to release the protected
health information, or it can seek an authorization from individuals
for the use or disclosure of protected health
[[Page 82785]]
information including some or all of the identifiers.
Finally, as discussed in the Regulatory Impact Analysis, the
Department believes that very few small entities engage in de-
identification currently. Fewer small entities are expected to engage
in such activity in the future because the increasing trend toward
computerization of large record sets will result in de-identification
being performed by relatively few firms or associations over time. We
expect that a small covered entity will find it more efficient to
contract with specialists in large firms to de-identify protected
health information. Larger entities are more likely to have both the
electronic systems and the volume of records that will make them
attractive for this business.
Monitoring Business Associates
The final rule requires a covered entity with a business associate
to have a written contract or other arrangement that documents
satisfactory assurance that the business associate will appropriately
safeguard protected health information. The Department expects business
associate contracts to be fairly standardized, except for language that
will have to be tailored to the specific arrangement between the
parties, such as the allowable uses and disclosures of information. The
Department assumes the standard language initially will be developed by
trade and professional associations for their members. Small health
care providers are likely to simply adopt the language or make minor
modifications. The regulation includes a requirement that the covered
entity take steps to correct, and in some cases terminate, a contract,
if necessary, if they know of violations by a business associate. This
oversight requirement is consistent with standard oversight of a
contract. The Department expects that most entities, particularly
smaller ones, will utilize standard language that restricts uses and
disclosures of individually identifiable health information their
contracts with business associates. This will limit the burden on small
businesses.
The NPRM proposed that covered entities be held accountable for the
uses and disclosures of individually identifiable health information by
their business associates. An entity would have been in violation of
the rule if it knew of a breach in the contract by a business associate
and failed to cure the breach or terminate the contract. The final rule
reduces the extent to which an entity must monitor the actions of its
business associates. The entity no longer has to ``ensure'' that each
business associate complies with the rule's requirements. Entities will
be required to cure a breach or terminate a contract for business
associate actions only if they knew about a contract violation. The
final rule is consistent with the oversight a business would provide
for any contract, and therefore, the changes in the final rule will
impose no new significant cost for small businesses in monitoring their
business associates' behavior.
Employers With Insured Group Health Plans
Some group health plans will use or maintain individually
identifiable health information, particularly group health plans that
are self-insured. Also, some plan sponsors that perform administrative
functions on behalf of their group health plans may need protected
health information. The final rule permits a group health plan, or a
health insurance issuer or HMO that provides benefits on behalf of the
group health plan, to disclose protected health information to a plan
sponsor who performs administrative functions on its behalf for certain
purposes and if certain requirements are met. The plan documents must
be amended to: describe the permitted uses and disclosures of protected
health information by the plan sponsor; specify that disclosure is
permitted only upon receipt of a certification by the plan sponsor that
the plan documents have been amended and the plan sponsor agrees to
certain restrictions on the use of protected health information; and
provide for adequate firewalls to assure unauthorized personnel do not
have access to individually identifiable health information.
Some plan sponsors may need information, not to administer the
group health plan, but to amend, modify, or terminate the health plan.
ERISA case law describes such activities as settlor functions. For
example a plan sponsor may want to change its contract from a preferred
provider organization to a health maintenance organization (HMO). In
order to obtain premium information, the health plan sponsor may need
to provide the HMO with aggregate claims information. Under the rule,
the health plan sponsor can obtain summary information with certain
identifiers removed, in order to provide it to the HMO and receive a
premium rate.
The Department assumes that most health plan sponsors who are small
employers (those with 50 or fewer employees) will elect not to receive
individually identifiable health information because they will have
little, if any, need for such data. Any needs that sponsors of small
group health plans may have for information can be accomplished by
receiving the information in summary form from their health insurance
issuers.
3. The Burden on a Typical Small Business
The Department expects small entities to face a cost burden as a
result of complying with the proposed regulation. We estimate that the
burden of developing privacy policies and procedures is lower in dollar
terms for small businesses than for large businesses, but we recognize
that the cost of implementing privacy provisions could be a larger
burden to small entities as a proportion of total revenue. Due to these
concerns, we have relied on the principle of scalability throughout the
rule, and have based our cost estimates on the expectation that small
entities will develop less expensive and less complex privacy measures
that comply with the rule than large entities.
In many cases, we have specifically considered the impact that rule
may have on solo practitioners or rural health care providers. If a
health care provider only maintains paper records and does not engage
in any electronic transactions, the regulation would not apply to such
provider. We assume that those providers will be small health care
providers. For small health care providers that are covered health care
providers, we expect that they will not be required to change their
business practices dramatically, because we based many of the
standards, implementation specifications, and requirements on current
practice and we have taken a flexible approach to allow scalability
based on a covered entity's activities and size. In developing policies
and procedures to comply with the proposed regulation, scalability
allows entities to consider their basic functions and the ways in which
protected health information is used or disclosed. All covered entities
must take appropriate steps to address privacy concerns, and in
determining the scope and extent of their compliance activities,
businesses should weigh the costs and benefits of alternative
approaches and should scale their compliance activities to their
structure, functions, and capabilities within the requirements of the
rule.
Cost Assumptions
To determine the cost burden to small businesses of complying with
the final rule, we used as a starting point the overall cost of the
regulation determined
[[Page 82786]]
in the regulatory impact analysis (RIA). Then we adopted a methodology
that apportions the costs found in the RIA to small business by using
Census Bureau's Statistics of U.S. Businesses. This Census Bureau
survey contains data on the number and proportion of establishments, by
Standard Industrial Classification Code (SIC code), that have revenues
of less than $5 million, which meets the Small Business
Administration's definition of a small business in the health care
sector. This data permitted us to calculate the proportion of the cost
of each requirement in the rule that is attributable to small
businesses. This methodology used for the regulatory flexibility
analysis (RFA) section is therefore based on the methodology used in
the (RIA), which was discussed earlier.
The businesses accounted for in the SIC codes contain three groups
of covered entities: non-hospital health care providers, hospitals, and
health plans. Non-hospital health care providers include: drug stores,
offices and clinics of doctors, dentists, osteopaths, and other health
practitioners, nursing and personal care facilities, medical and dental
laboratories, home health care services, miscellaneous health and
allied services, and medical equipment rental and leasing
establishments. Health plans include accident and health insurance and
medical service plans.
Data Adjustments
Several adjustments were made to the SIC code data to more
accurately determine the cost to small and non-profit businesses. For
health plans (SIC code 6320), we adjusted the SIC data to include self-
insured, self-administered health plans because these health plans are
not included in any SIC code, though they are covered entities under
the rule. Similarly, we have added third-party administrators (TPAs)
into this SIC. Although they are not covered entities, TPAs are likely
to be business associates of covered entities. For purposes of the
regulatory analyses, we have assumed that TPAs would bear many of the
same costs of the health plans to assure compliance for the covered
entity. To make this adjustment, we assumed the self-insured/self
administered health plans and TPAs have the average revenue of the
health plans contained in the SIC code, and then added those assumed
revenues to the SIC code and to the total of all health care
expenditures. Moreover, we needed to account for the cost to non-profit
institutions that might receive more than $5 million in revenue,
because all non-profit institutions are small businesses regardless of
revenue. To make this adjustment for hospitals, nursing homes, and home
health agencies, we used data on the number of non-profit institutions
from industry sources and from data reported to HCFA. With this data,
we assumed the current count of establishments in the SIC codes
includes these non-profit entities and that non-profits have the same
distribution of revenues as all establishments reported in the
applicable SIC codes. The proportions discussed below, which determine
the cost for small business, therefore include these non-profit
establishments in SIC codes 8030, 8060, and 8080.
The SIC code tables provided in this RFA do not include several
categories of businesses that are included in the total cost to small
businesses. Claims clearinghouses are not included in the table because
claims clearinghouses report their revenues under the SIC 7374
``Computer Processing and Data Preparation,'' and the vast majority of
businesses in this SIC code are involved in non-medical claims data
processing. In addition, claims processing is often just one business-
line of companies that may be involved in multiple forms of data
processing, and therefore, even if the claims processing line of the
business generates less than $5 million in revenue, the company in
total may exceed the SBA definition for a small business (the total
firm revenue, not each line of business, is the standard for
inclusion). Similarly, fully-insured ERISA health plans sponsored by
employers are not identified as a separate category in the SIC code
tables because employers in virtually all SIC codes may sponsor fully-
insured health plans. We have identified the cost for small fully-
insured ERISA health plans by using the Department of Labor definition
of a small ERISA plan, which is a plan with fewer than 100 insured
participants. Using this definition, the initial cost for small fully-
insured ERISA health plans is $7.1 million. Finally, Institutional
Review Boards (IRBs) will not appear in a separate SIC code because
IRBs are not ``businesses''; rather, they are committees of researchers
who work for institutions where medical research is conducted, such as
universities or teaching hospitals. IRB members usually serve as a
professional courtesy or as part of their employment duties and are not
paid separately for their IRB duties. Although IRBs are not
``businesses'' that generate revenues, we have treated them as small
business for illustrative purposes in this RFA to demonstrate the
additional opportunity costs that will be faced by those researchers
who sit on IRBs. Therefore, assuming IRBs are small businesses, the
initial costs are $.089 million and ongoing costs are approximately
$84.2 million over 9 years.
The Cost Model Methodology
The RIA model employs two basic methodologies to determine the
costs to small businesses that are covered entities. As stated above,
the RFA determines the cost to small businesses by apportioning the
total costs in the RIA using SIC code data. In places where the cost of
a given provision of the final rule is a function of the number of
covered entities, we determined the proportion of entities in each SIC
code that have less than $5 million in revenues (see Table A). We then
multiplied this proportion by the per-entity cost estimate of a given
provision as determined in the RIA. For example, the cost of the
privacy official provision is based on the fact that each covered
entity will need to have a privacy official. Therefore, we multiplied
the total cost of the privacy official, as determined in the RIA, by
the proportion of small businesses in each SIC code to determine the
small business cost. Using hospitals for illustrative purposes, because
small and non-profit hospitals account for 50 percent of all hospitals,
our methodology assigned 50 percent of the cost to small hospitals.
We used a second, though similar, method when the cost of a given
provision in the RIA did not depend on the number of covered entities.
For example, the requirement to provide notice of the privacy policy is
a direct function of the number of patients in the health care system
because the actual number of notices distributed depends on how many
patients are seen. Therefore, for provisions like the notice
requirement, we used SIC code revenue data in a two-step process.
First, we apportioned the cost of each provision among sectors of the
health care industry by SIC code. For example, because hospital revenue
accounts for 27 percent of all health care revenue, we multiplied the
total cost of each such provision by 27 percent to determine the cost
for the hospital sector in total. Then to determine the cost for small
hospitals specifically, we calculated the proportion by the overall
cost. For example, 45.1 percent of all hospital revenue is generated by
small hospital, therefore, the cost to small hospitals was assumed to
account for 45.1 percent of all hospital costs. Estimates, by nature
[[Page 82787]]
are inexact. However, we feel this is a reasonable way to determine the
small business costs attributable to this regulation given the limited
data from which to work.
Total Costs and Costs Per Establishment for Small Business
Based on the methodology described above, the total cost of
complying with the final rule in the initial year of 2003 is $1.9
billion. The ongoing costs to small business from 2004 to 2012 is $9.3
billion. Table C presents the initial and ongoing costs to small
business by each SIC code. According to this table, small doctors
offices, small dentists offices and small hospitals will face the
highest cost of complying with the final rule. However, much of the
reason for the higher costs faced by these three groups of small health
care providers is explained by the fact that there are a significant
number of health care providers in these categories.
BILLING CODE 4150-04-P
[[Page 82788]]
[GRAPHIC] [TIFF OMITTED] TR28DE00.003
[[Page 82789]]
On a per-establishment basis, Table D demonstrates that the average
cost for small business of complying with the proposed rule in the
first year is $4,188 per-establishment. The ongoing costs of privacy
compliance are approximately $2,217 each year thereafter. We estimate
that the average cost of compliance in the first year for each small
non-hospital health care provider is approximately 0.6 percent of per-
establishment revenues. In subsequent years, per-establishment costs
about 0.3 percent of per-establishment revenues. For small hospitals
and health plans, the per-establishment cost of compliance in the first
year is 0.2 percent and 6.3 percent of per-establishment revenues
respectively. For subsequent years, the cost is only 0.1 percent and
2.9 percent of pre-establishment revenues respectively. These costs may
be offset in many firms by the savings realized through requirements of
the Transactions Rule.
[[Page 82790]]
[GRAPHIC] [TIFF OMITTED] TR28DE00.004
[[Page 82791]]
Table E shows the cost to each SIC code of the major cost items of
the final rule. Listed are the top-five most costly provisions of the
rule (to small business) and then the cost of all other remaining
provisions. The costs of the most expensive five provisions represent
90 percent of the cost of the ongoing costs to small business, while
the remaining provisions only represent 7 percent.
[[Page 82792]]
Table E.--Average Annual Ongoing Cost to Small Business of
Implementing Provisions of the Privacy Regulation, After the First
Year \1\
[GRAPHIC] [TIFF OMITTED] TR28DE00.005
[[Page 82793]]
[GRAPHIC] [TIFF OMITTED] TR28DE00.006
[[Page 82794]]
VI. Unfunded Mandates
The Unfunded Mandates Reform Act of 1995 (Pub. L. 104-4) requires
cost-benefit and other analyses for rules that would cost more than
$100 million in a single year. The rule qualifies as a significant rule
under the statute. The Department has carried out the cost-benefit
analysis in sections D and E of this document, which includes a
discussion of unfunded costs to state and local governments resulting
from this regulation. In developing this regulation, the Department
adopted the least burdensome alternatives, consistent with achieving
the rule's goals.
A. Future Costs
The Department estimates some of the future costs of the rule in
Section E of the Preliminary Regulatory Impact Analysis of this
document. The estimates made include costs for the ten years after the
effective date. As discussed in section E, state and local government
costs will be in the order of $460 million in 2003 and $2.4 billion
over ten years. Estimates for later years are not practical. The
changes in technology are likely to alter the nature of medical record-
keeping, and the uses of medical data are likely to vary dramatically
over this period. Therefore, any estimates for years beyond 2012 are
not feasible.
B. Particular Regions, Communities, or Industrial Sectors
The rule applies to the health care industry and would, therefore,
affect that industry disproportionately. Any long-run increase in the
costs of health care services would largely be passed on to the entire
population of consumers. However, as discussed in the administrative
implication regulation, the Transactions Rule is estimated to save the
health care industry nearly $30 billion over essentially the same time
period. This more than offsets the costs of the Privacy Rule; indeed,
as discussed above, the establishment of consistent, national standards
for the protection of medical information is essential to fully realize
the savings from electronic transactions standards and other advances
that may be realized through ``e-health'' over the next decade. Without
strong privacy rules, patients and providers may be very reluctant to
fully participate in electronic and e-health opportunities.
C. National Productivity and Economic Growth
The rule is not expected to substantially affect productivity or
economic growth. It is possible that productivity and growth in certain
sectors of the health care industry could be slightly lower than
otherwise because of the need to divert research and development
resources to compliance activities. The diversion of resources to
compliance activities would be temporary. Moreover, the Department
anticipates that, because the benefits of privacy are large, both
productivity and economic growth would be higher than in the absence of
the final rule. In section I.A. of this document, the Department
discusses its expectation that this rule will increase communication
among consumers, health plans, and providers and that implementation of
privacy protections will lead more people to seek health care. The
increased health of the population will lead to increased productivity
and economic growth.
D. Full Employment and Job Creation
Some of the human resources devoted to the delivery of health care
services will be redirected by rule. The rule could lead to some short-
run changes in employment patterns as a result of the structural
changes within the health care industry. The growth of employment (job
creation) for the roles typically associated with health care
profession could also temporarily change but be balanced by an
increased need for those who can assist entities with complying with
this rule. Therefore, while there could be a temporary slowing of
growth in traditional health care professions, that will be offset by a
temporary increase in growth in fields that may assist with compliance
with this rule (e.g. worker training, and management consultants).
E. Exports
Because the rule does not mandate any changes in products, current
export products will not be required to change in any way.
The Department consulted with state and local governments, and
Tribal governments. See sections X and XI, below.
VII. Environmental Impact
The Department has determined under 21 CFR 25.30(k) that this
action is of a type of does not individually or cumulatively have a
significant effect on the human environment. Therefore, neither an
environmental assessment nor an environmental impact statement is
required.
VIII. Collection of Information Requirements
Under the Paperwork Reduction Act of 1995 PRA), agencies are
required to provide a 30-day notice in the Federal Register and solicit
public comment before a collection of information requirement is
submitted to the Office of Management and Budget (OMB) for review and
approval. In order to fairly evaluate whether an information collection
should be approved by OMB, section 3506(c)(2)(A) of the PRA requires
that we solicit comment on the following issues:
Whether the information collection is necessary and useful
to carry out the proper functions of the agency;
The accuracy of the agency's estimate of the information
collection burden;
The quality, utility, and clarity of the information to be
collected; and
Recommendations to minimize the information collection
burden on the affected public, including automated collection
techniques.
Under the PRA, the time, effort, and financial resources necessary
to meet the information collection requirements referenced in this
section are to be considered. Due to the complexity of this regulation,
and to avoid redundancy of effort, we are referring readers to Section
V (Final Regulatory Impact Analysis) above, to review the detailed cost
assumptions associated with these PRA requirements. We explicitly seek,
and will consider, public comment on our assumptions as they relate to
the PRA requirements summarized in this section.
Section 160.204--Process for Requesting Exception Determinations
Section 160.204 would require persons requesting to except a
provision of state law from preemption under Sec. 160.203(a) to submit
a written request, that meets the requirements of this section, to the
Secretary to except a provision of state law from preemption under
Sec. 160.203. The burden associated with these requirements is the time
and effort necessary for a state to prepare and submit the written
request for an exception determination to the Secretary for approval.
On an annual basis it is estimated that it will take 40 states 16 hours
each to prepare and submit a request. The total annual burden
associated with this requirement is 640 hours. The Department solicits
public comment on the number of requests and hours for others likely to
submit requests.
Section 160.306--Complaints to the Secretary
A person who believes that a covered entity is not complying with
the applicable requirements of part 160 or the applicable standards,
requirements,
[[Page 82795]]
and implementation specifications of Subpart E of part 164 of this
subchapter may file a complaint with the Secretary. This requirement is
exempt from the PRA as stipulated under 5 CFR 1320.4(a)(2), an audit/
administrative action exemption.
Section 160.310--Responsibilities of Covered Entities
A covered entity must keep such records and submit such compliance
reports, in such time and manner and containing such information,
necessary to enable the Secretary to ascertain whether the covered
entity has complied or is complying with the applicable requirements of
part 160 and the applicable standards, requirements, and implementation
specifications of subpart E of part 164. Refer to Sec. 164.530 for
discussion.
Section 164.502--Uses and Disclosures of Protected Health
Information: General Rules
A covered entity is permitted to disclose protected health
information to an individual, and is required to provide and individual
with access to protected health information, in accordance with the
requirements set forth under Sec. 164.524. Refer to Sec. 164.524 for
discussion.
Section 164.504--Uses and Disclosures--Organizational Requirements
Except for disclosures of protected health information by a covered
entity that is a health care provider to another health care provider
for treatment purposes, Sec. 164.504 requires a covered entity to
maintain documentation demonstrating that it meets the requirements set
forth in this section and to demonstrate that it has obtained
satisfactory assurance from business associates that meet the
requirements of this part with each of its business associates. The
burden is 5 minutes per entity times an annual average of 764,799
entities for a total burden of 63,733 burden hours.
Section 164.506--Consent for Treatment, Payment, and Health Care
Operations
Except in certain circumstances, a covered health care provider
that has a direct treatment relationship must obtain an individual's
consent for use or disclosure of protected health information for
treatment, payment, or health care operations. While this requirement
is subject to the PRA, we believe that the burden associated with this
requirement is exempt from the PRA as stipulated under 5 CFR
1320.3(b)(2).
Section 164.508--Uses and Disclosures for Which Individual
Authorization Is Required
Under this section, a covered entity will need to obtain a written
authorization from an individual, before it uses or discloses protected
health information of the individual if the use or disclosure is not
otherwise permitted or required under the rule without authorization.
The burden associated with these requirements is the time and effort
necessary for a covered entity to obtain written authorization prior to
the disclosure of individually identifiable health information. On an
annual basis, we estimate that it will take 764,799 entities, an annual
average burden per entity of one hour for a total annual burden of
764,799 burden hours.
Section 164.510--Uses and Disclosures Requiring an Opportunity for
the Individual To Agree or To Object
Section 164.510 allows, but does not require, covered entities to
use or disclose protected health information: (1) for health care
institutions, directories; and (2) to family members, close friends, or
other persons assisting in an individual's care, as well as government
agencies and disaster relief organizations conducting disaster relief
activities. This section of the rule addresses situations in which the
interaction between the covered entity and the individual is relatively
informal, and agreements may be made orally, without written
authorizations for use or disclosure. In general, to disclose protected
health information for these purposes, covered entities must inform
individuals in advance and must provide a meaningful opportunity for
the individual to prevent or restrict the disclosure. In certain
circumstances, such as in an emergency, when this informal discussion
cannot practicably occur, covered entities can make decisions about
disclosure or use, in accordance with the requirements of this section
based on their professional judgment of what is in the patient's best
interest. While these provisions are subject to the PRA, we believe
that the burden associated with this requirement is exempt from the PRA
as stipulated under 5 CFR 1320.3(b)(2).
Section 164.512--Uses and Disclosures for Which Consent, Individual
Authorization, or Opportunity To Agree or Object Is Not Required
Section 164.1512 includes provisions that allow, but that do not
require, covered entities to disclose protected health information
without individual authorization for a variety of purposes which
represent important national priorities. Pursuant to Sec. 164.512,
covered entities may disclose protected health information for
specified purposes as follows: as required by law; for public health
activities; to public officials regarding victims of abuse, neglect, or
domestic violence; for health oversight; for judicial and
administrative proceedings; for law enforcement; for specified purposes
regarding decedents; for organ donation and transplantation; for
research; to avert an imminent threat to health or safety; for
specialized government functions (such as for intelligence and national
security activities); and to comply with workers' compensation laws.
While these provisions are subject to the PRA, we believe that the
burden associated with this requirement is exempt from the PRA as
stipulated under 5 CFR 1320.3(b)(2).
For research, if a covered entity wants to use or disclose
protected health information without individual authorization, it must
obtain documentation that a waiver, in whole or in part, of the
individual authorization required by Sec. 164.508 for use or disclosure
of protected health information has been approved by either an
Institutional Review Board (IRB), established in accordance with 7 CFR
1c.107, 10 CFR 745.107, 14 CFR 1230.107, 15 CFR 27.107, 16 CFR
1028.107, 21 CFR 56.107, 22 CFR 225.107, 28 CFR 46.107, 32 CFR 219.107,
34 CFR 97.107, 38 CFR 16.107, 40 CFR 26.107, 45 CFR 46.107, 45 CFR
690.107, or 49 CFR 11.107; or a privacy board. The burden associated
with these requirements is the time and effort necessary for a covered
entity to maintain documentation demonstrating that they have obtained
IRB or privacy board approval, which meet the requirements of this
section. On an annual basis it is estimated that these requirements
will affect 113,524 IRB reviews. We further estimate that it will take
an average of 5 minutes per review to meet these requirements on an
annual basis. Therefore, the total estimated annual burden associated
with this requirement is 9,460 hours.
Section 164.514--Other Procedural Requirements Relating to Uses and
Disclosures of Protected Health Information
Prior to any disclosure permitted by this subpart, a covered entity
must verify the identity and authority of persons requesting protected
health information, if the identity or authority of such person is not
known to the
[[Page 82796]]
covered entity, and obtain any documentation, statements, or
representations from the person requesting the protected health
information that is required as a condition of the disclosure. In
addition, a covered entity must retain any signed consent pursuant to
Sec. 164.506 and any signed authorization pursuant to Sec. 164.508 for
documentation purposes as required by Sec. 164.530(j). This requirement
is exempt from the PRA as stipulated under 5 CFR 1320.4(a)(1) and
(1)(2).
Section 164.520--Notice of Privacy Practices for Protected Health
Information
Except in certain circumstances set forth in this section,
individuals have a right to adequate notice of the uses and disclosures
of protected health information that may be made by the covered entity,
and of the individual's rights and the covered entity's legal duties
with respect to protected health information. To comply with this
requirement a covered entity must provide a notice, written in plain
language, that includes the elements set forth in this section. For
health plans, there will be an average of 160.2 million notices each
year. We assume that the most efficient means of distribution for
health plans will be to send them out annually as part of the materials
they send to current and potential enrollees, even though it is not
required by the regulation. The number of notices per health plan per
year would be about 10,570. We further estimate that it will require
each health plan, on average, only 10 seconds to disseminate each
notice. The total annual burden associated with this requirement is
calculated to be 267,000 hours. Health care providers with direct
treatment relationships would provide a copy of the notice to an
individual at the time of first service delivery to the individual,
make the notice available at the service delivery site for individuals
to request and take with them, whenever the content of the notice is
revised, make the notice available upon request and post the notice, if
required by this section, and post a copy of the notice in a location
where it is reasonable to expect individuals seeking services from the
provider to be able to read the notice. The annual number of notices
disseminated by all providers is 613 million. We further estimate that
it will require each health provider, on average, 10 seconds to
disseminate each notice. This estimate is based upon the assumption
that the required notice will be incorporated into and disseminated
with other patient materials. The total annual burden associated with
this requirement is calculated to be 1 million hours.
In addition, a covered entity must document compliance with the
notice requirements by retaining copies of the notices issued by the
covered entity. Refer to Sec. 164.530 for discussion.
Section 164.522--Rights To Request Privacy Proteciton for Protected
Health Information
Given that the burden associated with the following information
collection requirements will differ significantly, by the type and size
of health plan or health care provider, we are explicitly soliciting
comment on the burden associated with the following requirements; as
outlined and required by this section, covered entities must provide
individuals with the opportunity to request restrictions related to the
uses or disclosures of protected health information for treatment,
payment, or health care operations. In addition, covered entities must
accommodate requests for confidential communications in certain
situations.
Section 164.524--Access of Individuals to Protected Health
Information
As set forth in this section, covered entities must provide
individuals with access to inspect and obtain a copy of protected
health information about them in designated record sets, for so long as
the protected health information is maintained in the designated record
sets. This includes such information in a business associate's
designated record set that is not a duplicate of the information held
by the health care provider or health plan for so long as the
information is maintained. Where the request is denied in whole or in
part, the covered entity must provide the individual with a written
statement of the basis for the denial and a description of how the
individual may complain to the covered entity pursuant to the complaint
procedures established in Sec. 164.530 or to the Secretary pursuant to
the procedures established in Sec. 160.306 of this subpart. In certain
cases, the covered entity must provide the individual the opportunity
to have another health care professional review the denial. Pursuant to
public comment, we estimate that each disclosure will contain 31 pages
and that 150,000 disclosures will be made on an annual basis at three
minutes per disclosure for a total burden of 7,500 hours. Refer to
section V.E. for detailed discussion related to the costs associated
with meeting these requirements.
Section 164.526--Amendment of Protected Health Information
Given that burden associated with the following information
collection requirements will differ significantly, by the type and size
of health plan or health care provider, we are explicitly soliciting
comment on the burden associated with the following requirements:
Individuals have the right to request amendment of protected health
information about them in designated record sets created by a covered
entity. Where the request is denied, a covered entity must provide the
individual with a written statement of the basis for the denial and an
explanation of how the individual may pursue the matter, including how
to file a complaint with the Secretary pursuant to Sec. 160.306 of this
subpart. As appropriate, a covered entity must identify the protected
health information in the designated record set that is the subject of
the disputed amendment and append or otherwise link the individual's
request for an amendment, the covered entity's denial of the request,
the individual's statement of disagreement, if any, and the covered
entity's rebuttal, if any, to the designated record set.
Section 164.528--Accounting for Disclosures of Protected Health
Information
Based upon public comment it is assumed that it will take 5 minutes
per request times 1,081,000 requests for an annual burden of 90,083
hours. An individual may request that a covered entity provide an
accounting for disclosure for a period of time less than six years from
the date of the individual's request, as outlined in this section.
Section 164.530--Administrative Requirements
A covered entity must maintain such policies and procedures in
written or electronic form where policies or procedures with respect to
protected health information are required by this subpart. Where a
communication is required by this subpart to be in writing, a covered
entity must maintain such writing, or an electronic copy, as
documentation; and where an action or activity is required by this
subpart to be documented, it must maintain a written or electronic
record of such action or activity. While these requirements are subject
to the PRA, we believe the burden associated with these requirements is
exempt from the PRA as stipulated under 5 CFR 1320.3(b)(2).
[[Page 82797]]
We have submitted a copy of this rule to OMB for its review of the
information collection requirements in Secs. 160.204, 160.306, 160.310,
164.502, 164.504, 164.506, 164.508, 164.510, 164.512, 164.514, 164.520,
164.522, 164.524, 164.526, 164.528, and Sec. 164.530. These
requirements are not effective until they have been approved by OMB. If
you comment on any of these information collection and record keeping
requirements, please mail copies directly to the following: Health Care
Financing Administration, Office of Information Services, Division of
HCFA Enterprise Standards, Room N2-14-26, 7500 Security Boulevard,
Baltimore, MD 21244-1850. ATTN: John Burke and to the Office of
Information and Regulatory Affairs, Office of Management and Budget,
Room 10235, New Executive Office Building, Washington, DC 20503. ATTN:
Allison Herron Eydt, HCFA Desk Officer.
IX. Executive Order 13132: Federalism
The Department has examined the effects of provisions in the final
privacy regulation on the relationship between the federal government
and the states, as required by Executive Order 13132 on ``Federalism.''
Our conclusion is that the final rule does have federalism implications
because the rule has substantial direct effects on states, on the
relationship between the national government and states, and on the
distribution of power and responsibilities among the various levels of
government. The federalism implications of the rule, however, flow
from, and are consistent with the underlying statute. The statute
allows us to preempt state or local rules that provide less stringent
privacy protection requirements than federal law is consistent with
this Executive Order. Overall, the final rule attempts to balance both
the autonomy of the states with the necessity to create a federal
benchmark to preserve the privacy of personally identifiable health
information.
It is recognized that the states generally have laws that relate to
the privacy of individually identifiable health information. The HIPAA
statue dictates the relationship between state law and this final rule.
Except for laws that are specifically exempted by the HIPAA statute,
state laws continue to be enforceable, unless they are contrary to Part
C of Title XI of the standards, requirements, or implementation
specifications adopted or pursuant to subpart x. However, under section
264(c)(2), not all contrary provisions of state privacy laws are
preempted; rather, the law provides that contrary provisions of state
law relating to the privacy of individually identifiable health
information that are also ``more stringent'' than the federal
regulatory requirements or implementation specifications will continue
to be enforceable.
Section 3(b) of Executive Order 13132 recognizes that national
action limiting the policymaking discretion of states will be imposed
``* * * only where there is constitutional and statutory authority for
the action and the national activity is appropriate in light of the
presence of a problem of national significance.'' Personal privacy
issues are widely identified as a national concern by virtue of the
scope of interstate health commerce. HIPAA's provisions reflect this
position. HIPAA attempts to facilitate the electronic exchange of
financial and administrative health plan transactions while recognizing
challenges that local, national, and international information sharing
raise to confidentiality and privacy of health information.
Section 3(d)(2) of the Executive Order 13132 requires the federal
government defer to the states to establish standards where possible.
HIPAA requires the Department to establish standards, and we have done
so accordingly. This approach is a key component of the final Privacy
Rule, and it adheres to section 4(a) of Executive Order 13132, which
expressly contemplates preemption when there is a conflict between
exercising state and federal authority under federal statute. Section
262 of HIPAA enacted Section 1178 of the Social Security Act,
developing a ``general rule'' that state laws or provisions that are
contrary to the provisions or requirements of Part C of Title XI, or
the standards or implementation specifications adopted, or established
thereunder are preempted. Several exceptions to this rule exist, each
of which is designed to maintain a high degree of state autonomy.
Moreover, section 4(b) of the Executive Order authorizes preemption
of state law in the federal rule making context when there is ``the
exercise of state authority is directly conflicts with the exercise of
federal authority under federal statute * * *.'' Section 1178 (a)(2)(B)
of HIPAA specifically preempts state laws related to the privacy of
individually identifiable health information unless the state law is
more stringent. Thus, we have interpreted state and local laws and
regulations that would impose less stringent requirements for
protection of individually identifiable health information as
undermining the agency's goal of ensuring that all patients who receive
medical services are assured a minimum level of personal privacy.
Particularly where the absence of privacy protection undermines an
individual's access to health care services, both the personal and
public interest is served by establishing federal rules.
The final rule would establish national minimum standards with
respect to the collection, maintenance, access, use, and disclosure of
individually identifiable health information. The federal law will
preempt state law only where state and federal laws are
``contradictory'' and the federal regulation is judged to establish
``more stringent'' privacy protections than state laws.
As required by the previous Executive Order (E.O. 13132), states
and local governments were given, through the notice of proposed rule
making, an opportunity to participate in the proceedings to preempt
state and local laws (section 4(e)). The Secretary also provided a
review of preemption issues upon requests from states. In addition,
anticipating the promulgation of the Executive Order, appropriate
officials and organizations were consulted before this proposed action
is implemented (Section 3(a) of Executive Order 13132).
The same section also includes some qualitative discussion of costs
that would occur beyond that time period. Most of the costs of proposed
rule, however, would occur in the years immediately after the
publication of a final rule. Future costs beyond the ten year period
will continue but will not be as great as the initial compliance costs.
Finally, we have considered the cost burden that this proposed rule
would impose on state and local health care programs, such as Medicaid,
county hospitals, and other state health benefits programs. As
discussed in Section E of the Regulatory Impact Analysis of this
document, we estimate state and local government costs will be in the
order of $460 million in 2003 and $2.4 billion over ten years.
The agency concludes that the policy in this final document has
been assessed in light of the principles, criteria, and requirements in
Executive Order 13132; that this policy is not inconsistent with that
Order; that this policy will not impose significant additional costs
and burdens on the states; and that this policy will not affect the
ability of the states to discharge traditional state governmental
functions.
During our consultation with the states, representatives from
various state agencies and offices expressed concern that the final
regulation would preempt
[[Page 82798]]
all state privacy laws. As explained in this section, the regulation
would only preempt state laws where there is a direct conflict between
state laws and the regulation, and where the regulation provides more
stringent privacy protection than state law. We discussed this issue
during our consultation with state representatives, who generally
accepted our approach to the preemption issue. During the consultation,
we requested further information from the states about whether they
currently have laws requiring that providers have a ``duty to warn''
family members or third parties about a patient's condition other than
in emergency circumstances. Since the consultation, we have not
received additional comments or questions from the states.
X. Executive Order 13086; Consultation and Coordination With Indian
Tribal Governments
In drafting the proposed rule, the Department consulted with
representatives of the National Congress of American Indians and the
National Indian Health Board, as well as with a representative of the
self-governance Tribes. During the consultation, we discussed issues
regarding the application of Title II of HIPAA to the Tribes, and
potential variations based on the relationship of each Tribe with the
IHS for the purpose of providing health services. Participants raised
questions about the status of Tribal laws regarding the privacy of
health information.
List of Subjects
45 CFR Part 160
Electronic transactions, Employer benefit plan, Health, Health
care, Health facilities, Health insurance, Health records, Medicaid,
Medical research, Medicare, Privacy, Reporting and record keeping
requirements.
45 CFR Part 164
Electronic transactions, Employer benefit plan, Health, Health
care, Health facilities, Health insurance, Health records, Medicaid,
Medical research, Medicare, Privacy, Reporting and record keeping
requirements.
Note: to reader: This final rule is one of several proposed and
final rules that are being published to implement the Administrative
Simplification provisions of the Health Insurance Portability and
Accountability Act of 1996. 45 CFR subchapter C consisting of Parts
160 and 162 was added at 65 FR 50365, Aug. 17, 2000. Part 160
consists of general provisions, Part 162 consists of the various
administrative simplification regulations relating to transactions
and identifiers, and new Part 164 consists of the regulations
implementing the security and privacy requirements of the
legislation.
Dated: December 19, 2000.
Donna Shalala,
Secretary,
For the reasons set forth in the preamble, 45 CFR Subtitle A,
Subchapter C, is amended as follows:
1. Part 160 is revised to read as follows:
PART 160--GENERAL ADMINISTRATIVE REQUIREMENTS
Subpart A--General Provisions
160.101 Statutory basis and purpose.
160.102 Applicability.
160.103 Definitions.
160.104 Modifications.
Subpart B--Preemption of State Law
160.201 Applicability.
160.202 Definitions.
160.203 General rule and exceptions.
160.204 Process for requesting exception determinations.
160.205 Duration of effectiveness of exception determinations.
Subpart C--Compliance and Enforcement
160.300 Applicability.
160.302 Definitions.
160.304 Principles for achieving compliance.
160.306 Complaints to the Secretary.
160.308 Compliance reviews.
160.310 Responsibilities of covered entities.
160.312 Secretarial action regarding complaints and compliance
reviews.
Authority: Sec. 1171 through 1179 of the Social Security Act,
(42 U.S.C. 1320d-1329d-8) as added by sec. 262 of Pub. L. 104-191,
110 Stat. 2021-2031 and sec. 264 of Pub. L. 104-191 (42 U.S.C.
1320d-2(note)).
Subpart A--General Provisions
Sec. 160.101 Statutory basis and purpose.
The requirements of this subchapter implement sections 1171 through
1179 of the Social Security Act (the Act), as added by section 262 of
Public Law 104-191, and section 264 of Public Law 104-191.
Sec. 160.102 Applicability.
(a) Except as otherwise provided, the standards, requirements, and
implementation specifications adopted under this subchapter apply to
the following entities:
(1) A health plan.
(2) A health care clearinghouse.
(3) A health care provider who transmits any health information in
electronic form in connection with a transaction covered by this
subchapter.
(b) To the extent required under section 201(a)(5) of the Health
Insurance Portability Act of 1996, (Pub. L. 104-191), nothing in this
subchapter shall be construed to diminish the authority of any
Inspector General, including such authority as provided in the
Inspector General Act of 1978, as amended (5 U.S.C. App.).
Sec. 160.103 Definitions.
Except as otherwise provided, the following definitions apply to
this subchapter:
Act means the Social Security Act.
ANSI stands for the American National Standards Institute.
Business associate: (1) Except as provided in paragraph (2) of this
definition, business associate means, with respect to a covered entity,
a person who:
(i) On behalf of such covered entity or of an organized health care
arrangement (as defined in Sec. 164.501 of this subchapter) in which
the covered entity participates, but other than in the capacity of a
member of the workforce of such covered entity or arrangement,
performs, or assists in the performance of:
(A) A function or activity involving the use or disclosure of
individually identifiable health information, including claims
processing or administration, data analysis, processing or
administration, utilization review, quality assurance, billing, benefit
management, practice management, and repricing; or
(B) Any other function or activity regulated by this subchapter; or
(ii) Provides, other than in the capacity of a member of the
workforce of such covered entity, legal, actuarial, accounting,
consulting, data aggregation (as defined in Sec. 164.501 of this
subchapter), management, administrative, accreditation, or financial
services to or for such covered entity, or to or for an organized
health care arrangement in which the covered entity participates, where
the provision of the service involves the disclosure of individually
identifiable health information from such covered entity or
arrangement, or from another business associate of such covered entity
or arrangement, to the person.
(2) A covered entity participating in an organized health care
arrangement that performs a function or activity as described by
paragraph (1)(i) of this definition for or on behalf of such organized
health care arrangement, or that provides a service as described in
paragraph (1)(ii) of this definition to or for such organized health
care arrangement, does not, simply through the performance of such
function or activity or the provision of such service,
[[Page 82799]]
become a business associate of other covered entities participating in
such organized health care arrangement.
(3) A covered entity may be a business associate of another covered
entity.
Compliance date means the date by which a covered entity must
comply with a standard, implementation specification, requirement, or
modification adopted under this subchapter.
Covered entity means:
(1) A health plan.
(2) A health care clearinghouse.
(3) A health care provider who transmits any health information in
electronic form in connection with a transaction covered by this
subchapter.
Group health plan (also see definition of health plan in this
section) means an employee welfare benefit plan (as defined in section
3(1) of the Employee Retirement Income and Security Act of 1974
(ERISA), 29 U.S.C. 1002(1)), including insured and self-insured plans,
to the extent that the plan provides medical care (as defined in
section 2791(a)(2) of the Public Health Service Act (PHS Act), 42
U.S.C. 300gg-91(a)(2)), including items and services paid for as
medical care, to employees or their dependents directly or through
insurance, reimbursement, or otherwise, that:
(1) Has 50 or more participants (as defined in section 3(7) of
ERISA, 29 U.S.C. 1002(7)); or
(2) Is administered by an entity other than the employer that
established and maintains the plan.
HCFA stands for Health Care Financing Administration within the
Department of Health and Human Services.
HHS stands for the Department of Health and Human Services.
Health care means care, services, or supplies related to the health
of an individual. Health care includes, but is not limited to, the
following:
(1) Preventive, diagnostic, therapeutic, rehabilitative,
maintenance, or palliative care, and counseling, service, assessment,
or procedure with respect to the physical or mental condition, or
functional status, of an individual or that affects the structure or
function of the body; and
(2) Sale or dispensing of a drug, device, equipment, or other item
in accordance with a prescription.
Health care clearinghouse means a public or private entity,
including a billing service, repricing company, community health
management information system or community health information system,
and ``value-added'' networks and switches, that does either of the
following functions:
(1) Processes or facilitates the processing of health information
received from another entity in a nonstandard format or containing
nonstandard data content into standard data elements or a standard
transaction.
(2) Receives a standard transaction from another entity and
processes or facilitates the processing of health information into
nonstandard format or nonstandard data content for the receiving
entity.
Health care provider means a provider of services (as defined in
section 1861(u) of the Act, 42 U.S.C. 1395x(u)), a provider of medical
or health services (as defined in section 1861(s) of the Act, 42 U.S.C.
1395x(s)), and any other person or organization who furnishes, bills,
or is paid for health care in the normal course of business.
Health information means any information, whether oral or recorded
in any form or medium, that:
(1) Is created or received by a health care provider, health plan,
public health authority, employer, life insurer, school or university,
or health care clearinghouse; and
(2) Relates to the past, present, or future physical or mental
health or condition of an individual; the provision of health care to
an individual; or the past, present, or future payment for the
provision of health care to an individual.
Health insurance issuer (as defined in section 2791(b)(2) of the
PHS Act, 42 U.S.C. 300gg-91(b)(2) and used in the definition of health
plan in this section) means an insurance company, insurance service, or
insurance organization (including an HMO) that is licensed to engage in
the business of insurance in a State and is subject to State law that
regulates insurance. Such term does not include a group health plan.
Health maintenance organization (HMO) (as defined in section
2791(b)(3) of the PHS Act, 42 U.S.C. 300gg-91(b)(3) and used in the
definition of health plan in this section) means a federally qualified
HMO, an organization recognized as an HMO under State law, or a similar
organization regulated for solvency under State law in the same manner
and to the same extent as such an HMO.
Health plan means an individual or group plan that provides, or
pays the cost of, medical care (as defined in section 2791(a)(2) of the
PHS Act, 42 U.S.C. 300gg-91(a)(2)).
(1) Health plan includes the following, singly or in combination:
(i) A group health plan, as defined in this section.
(ii) A health insurance issuer, as defined in this section.
(iii) An HMO, as defined in this section.
(iv) Part A or Part B of the Medicare program under title XVIII of
the Act.
(v) The Medicaid program under title XIX of the Act, 42 U.S.C.
1396, et seq.
(vi) An issuer of a Medicare supplemental policy (as defined in
section 1882(g)(1) of the Act, 42 U.S.C. 1395ss(g)(1)).
(vii) An issuer of a long-term care policy, excluding a nursing
home fixed-indemnity policy.
(viii) An employee welfare benefit plan or any other arrangement
that is established or maintained for the purpose of offering or
providing health benefits to the employees of two or more employers.
(ix) The health care program for active military personnel under
title 10 of the United States Code.
(x) The veterans health care program under 38 U.S.C. chapter 17.
(xi) The Civilian Health and Medical Program of the Uniformed
Services (CHAMPUS) (as defined in 10 U.S.C. 1072(4)).
(xii) The Indian Health Service program under the Indian Health
Care Improvement Act, 25 U.S.C. 1601, et seq.
(xiii) The Federal Employees Health Benefits Program under 5 U.S.C.
8902, et seq.
(xiv) An approved State child health plan under title XXI of the
Act, providing benefits for child health assistance that meet the
requirements of section 2103 of the Act, 42 U.S.C. 1397, et seq.
(xv) The Medicare+Choice program under Part C of title XVIII of the
Act, 42 U.S.C. 1395w-21 through 1395w-28.
(xvi) A high risk pool that is a mechanism established under State
law to provide health insurance coverage or comparable coverage to
eligible individuals.
(xvii) Any other individual or group plan, or combination of
individual or group plans, that provides or pays for the cost of
medical care (as defined in section 2791(a)(2) of the PHS Act, 42
U.S.C. 300gg-91(a)(2)).
(2) Health plan excludes:
(i) Any policy, plan, or program to the extent that it provides, or
pays for the cost of, excepted benefits that are listed in section
2791(c)(1) of the PHS Act, 42 U.S.C. 300gg-91(c)(1); and
(ii) A government-funded program (other than one listed in
paragraph (1)(i)-(xvi) of this definition):
(A) Whose principal purpose is other than providing, or paying the
cost of, health care; or
[[Page 82800]]
(B) Whose principal activity is:
(1) The direct provision of health care to persons; or
(2) The making of grants to fund the direct provision of health
care to persons.
Implementation specification means specific requirements or
instructions for implementing a standard.
Modify or modification refers to a change adopted by the Secretary,
through regulation, to a standard or an implementation specification.
Secretary means the Secretary of Health and Human Services or any
other officer or employee of HHS to whom the authority involved has
been delegated.
Small health plan means a health plan with annual receipts of $5
million or less.
Standard means a rule, condition, or requirement:
(1) Describing the following information for products, systems,
services or practices:
(i) Classification of components.
(ii) Specification of materials, performance, or operations; or
(iii) Delineation of procedures; or
(2) With respect to the privacy of individually identifiable health
information.
Standard setting organization (SSO) means an organization
accredited by the American National Standards Institute that develops
and maintains standards for information transactions or data elements,
or any other standard that is necessary for, or will facilitate the
implementation of, this part.
State refers to one of the following:
(1) For a health plan established or regulated by Federal law,
State has the meaning set forth in the applicable section of the United
States Code for such health plan.
(2) For all other purposes, State means any of the several States,
the District of Columbia, the Commonwealth of Puerto Rico, the Virgin
Islands, and Guam.
Trading partner agreement means an agreement related to the
exchange of information in electronic transactions, whether the
agreement is distinct or part of a larger agreement, between each party
to the agreement. (For example, a trading partner agreement may
specify, among other things, the duties and responsibilities of each
party to the agreement in conducting a standard transaction.)
Transaction means the transmission of information between two
parties to carry out financial or administrative activities related to
health care. It includes the following types of information
transmissions:
(1) Health care claims or equivalent encounter information.
(2) Health care payment and remittance advice.
(3) Coordination of benefits.
(4) Health care claim status.
(5) Enrollment and disenrollment in a health plan.
(6) Eligibility for a health plan.
(7) Health plan premium payments.
(8) Referral certification and authorization.
(9) First report of injury.
(10) Health claims attachments.
(11) Other transactions that the Secretary may prescribe by regulation.
Workforce means employees, volunteers, trainees, and other persons
whose conduct, in the performance of work for a covered entity, is
under the direct control of such entity, whether or not they are paid
by the covered entity.
Sec. 160.104 Modifications.
(a) Except as provided in paragraph (b) of this section, the
Secretary may adopt a modification to a standard or implementation
specification adopted under this subchapter no more frequently than
once every 12 months.
(b) The Secretary may adopt a modification at any time during the
first year after the standard or implementation specification is
initially adopted, if the Secretary determines that the modification is
necessary to permit compliance with the standard or implementation
specification.
(c) The Secretary will establish the compliance date for any
standard or implementation specification modified under this section.
(1) The compliance date for a modification is no earlier than 180
days after the effective date of the final rule in which the Secretary
adopts the modification.
(2) The Secretary may consider the extent of the modification and
the time needed to comply with the modification in determining the
compliance date for the modification.
(3) The Secretary may extend the compliance date for small health
plans, as the Secretary determines is appropriate.
Subpart B--Preemption of State Law
Sec. 160.201 Applicability.
The provisions of this subpart implement section 1178 of the Act,
as added by section 262 of Public Law 104-191.
Sec. 160.202 Definitions.
For purposes of this subpart, the following terms have the
following meanings:
Contrary, when used to compare a provision of State law to a
standard, requirement, or implementation specification adopted under
this subchapter, means:
(1) A covered entity would find it impossible to comply with both
the State and federal requirements; or
(2) The provision of State law stands as an obstacle to the
accomplishment and execution of the full purposes and objectives of
part C of title XI of the Act or section 264 of Pub. L. 104-191, as
applicable.
More stringent means, in the context of a comparison of a provision
of State law and a standard, requirement, or implementation
specification adopted under subpart E of part 164 of this subchapter, a
State law that meets one or more of the following criteria:
(1) With respect to a use or disclosure, the law prohibits or
restricts a use or disclosure in circumstances under which such use or
disclosure otherwise would be permitted under this subchapter, except
if the disclosure is:
(i) Required by the Secretary in connection with determining
whether a covered entity is in compliance with this subchapter; or
(ii) To the individual who is the subject of the individually
identifiable health information.
(2) With respect to the rights of an individual who is the subject
of the individually identifiable health information of access to or
amendment of individually identifiable health information, permits
greater rights of access or amendment, as applicable; provided that,
nothing in this subchapter may be construed to preempt any State law to
the extent that it authorizes or prohibits disclosure of protected
health information about a minor to a parent, guardian, or person
acting in loco parentis of such minor.
(3) With respect to information to be provided to an individual who
is the subject of the individually identifiable health information
about a use, a disclosure, rights, and remedies, provides the greater
amount of information.
(4) With respect to the form or substance of an authorization or
consent for use or disclosure of individually identifiable health
information, provides requirements that narrow the scope or duration,
increase the privacy protections afforded (such as by expanding the
criteria for), or reduce the coercive effect of the circumstances
surrounding the authorization or consent, as applicable.
(5) With respect to recordkeeping or requirements relating to
accounting of disclosures, provides for the retention or reporting of
more detailed information or for a longer duration.
[[Page 82801]]
(6) With respect to any other matter, provides greater privacy
protection for the individual who is the subject of the individually
identifiable health information.
Relates to the privacy of individually identifiable health
information means, with respect to a State law, that the State law has
the specific purpose of protecting the privacy of health information or
affects the privacy of health information in a direct, clear, and
substantial way.
State law means a constitution, statute, regulation, rule, common
law, or other State action having the force and effect of law.
Sec. 160.203 General rule and exceptions.
A standard, requirement, or implementation specification adopted
under this subchapter that is contrary to a provision of State law
preempts the provision of State law. This general rule applies, except
if one or more of the following conditions is met:
(a) A determination is made by the Secretary under Sec. 160.204
that the provision of State law:
(1) Is necessary:
(i) To prevent fraud and abuse related to the provision of or
payment for health care;
(ii) To ensure appropriate State regulation of insurance and health
plans to the extent expressly authorized by statute or regulation;
(iii) For State reporting on health care delivery or costs; or
(iv) For purposes of serving a compelling need related to public
health, safety, or welfare, and, if a standard, requirement, or
implementation specification under part 164 of this subchapter is at
issue, if the Secretary determines that the intrusion into privacy is
warranted when balanced against the need to be served; or
(2) Has as its principal purpose the regulation of the manufacture,
registration, distribution, dispensing, or other control of any
controlled substances (as defined in 21 U.S.C. 802), or that is deemed
a controlled substance by State law.
(b) The provision of State law relates to the privacy of health
information and is more stringent than a standard, requirement, or
implementation specification adopted under subpart E of part 164 of
this subchapter.
(c) The provision of State law, including State procedures
established under such law, as applicable, provides for the reporting
of disease or injury, child abuse, birth, or death, or for the conduct
of public health surveillance, investigation, or intervention.
(d) The provision of State law requires a health plan to report, or
to provide access to, information for the purpose of management audits,
financial audits, program monitoring and evaluation, or the licensure
or certification of facilities or individuals.
Sec. 160.204 Process for requesting exception determinations.
(a) A request to except a provision of State law from preemption
under Sec. 160.203(a) may be submitted to the Secretary. A request by a
State must be submitted through its chief elected official, or his or
her designee. The request must be in writing and include the following
information:
(1) The State law for which the exception is requested;
(2) The particular standard, requirement, or implementation
specification for which the exception is requested;
(3) The part of the standard or other provision that will not be
implemented based on the exception or the additional data to be
collected based on the exception, as appropriate;
(4) How health care providers, health plans, and other entities
would be affected by the exception;
(5) The reasons why the State law should not be preempted by the
federal standard, requirement, or implementation specification,
including how the State law meets one or more of the criteria at
Sec. 160.203(a); and
(6) Any other information the Secretary may request in order to
make the determination.
(b) Requests for exception under this section must be submitted to
the Secretary at an address that will be published in the Federal
Register. Until the Secretary's determination is made, the standard,
requirement, or implementation specification under this subchapter
remains in effect.
(c) The Secretary's determination under this section will be made
on the basis of the extent to which the information provided and other
factors demonstrate that one or more of the criteria at Sec. 160.203(a)
has been met.
Sec. 160.205 Duration of effectiveness of exception determinations.
An exception granted under this subpart remains in effect until:
(a) Either the State law or the federal standard, requirement, or
implementation specification that provided the basis for the exception
is materially changed such that the ground for the exception no longer
exists; or
(b) The Secretary revokes the exception, based on a determination
that the ground supporting the need for the exception no longer exists.
Subpart C--Compliance and Enforcement
Sec. 160.300 Applicability.
This subpart applies to actions by the Secretary, covered entities,
and others with respect to ascertaining the compliance by covered
entities with and the enforcement of the applicable requirements of
this part 160 and the applicable standards, requirements, and
implementation specifications of subpart E of part 164 of this
subchapter.
Sec. 160.302 Definitions.
As used in this subpart, terms defined in Sec. 164.501 of this
subchapter have the same meanings given to them in that section.
Sec. 160.304 Principles for achieving compliance.
(a) Cooperation. The Secretary will, to the extent practicable,
seek the cooperation of covered entities in obtaining compliance with
the applicable requirements of this part 160 and the applicable
standards, requirements, and implementation specifications of subpart E
of part 164 of this subchapter.
(b) Assistance. The Secretary may provide technical assistance to
covered entities to help them comply voluntarily with the applicable
requirements of this part 160 or the applicable standards,
requirements, and implementation specifications of subpart E of part
164 of this subchapter.
Sec. 160.306 Complaints to the Secretary.
(a) Right to file a complaint. A person who believes a covered
entity is not complying with the applicable requirements of this part
160 or the applicable standards, requirements, and implementation
specifications of subpart E of part 164 of this subchapter may file a
complaint with the Secretary.
(b) Requirements for filing complaints. Complaints under this
section must meet the following requirements:
(1) A complaint must be filed in writing, either on paper or
electronically.
(2) A complaint must name the entity that is the subject of the
complaint and describe the acts or omissions believed to be in
violation of the applicable requirements of this part 160 or the
applicable standards, requirements, and implementation specifications
of subpart E of part 164 of this subchapter.
(3) A complaint must be filed within 180 days of when the
complainant knew or should have known that the act or omission
complained of occurred, unless this time limit is waived by the
Secretary for good cause shown.
[[Page 82802]]
(4) The Secretary may prescribe additional procedures for the
filing of complaints, as well as the place and manner of filing, by
notice in the Federal Register.
(c) Investigation. The Secretary may investigate complaints filed
under this section. Such investigation may include a review of the
pertinent policies, procedures, or practices of the covered entity and
of the circumstances regarding any alleged acts or omissions concerning
compliance.
Sec. 160.308 Compliance reviews.
The Secretary may conduct compliance reviews to determine whether
covered entities are complying with the applicable requirements of this
part 160 and the applicable standards, requirements, and implementation
specifications of subpart E of part 164 of this subchapter.
Sec. 160.310 Responsibilities of covered entities.
(a) Provide records and compliance reports. A covered entity must
keep such records and submit such compliance reports, in such time and
manner and containing such information, as the Secretary may determine
to be necessary to enable the Secretary to ascertain whether the
covered entity has complied or is complying with the applicable
requirements of this part 160 and the applicable standards,
requirements, and implementation specifications of subpart E of part
164 of this subchapter.
(b) Cooperate with complaint investigations and compliance reviews.
A covered entity must cooperate with the Secretary, if the Secretary
undertakes an investigation or compliance review of the policies,
procedures, or practices of a covered entity to determine whether it is
complying with the applicable requirements of this part 160 and the
standards, requirements, and implementation specifications of subpart E
of part 164 of this subchapter.
(c) Permit access to information. (1) A covered entity must permit
access by the Secretary during normal business hours to its facilities,
books, records, accounts, and other sources of information, including
protected health information, that are pertinent to ascertaining
compliance with the applicable requirements of this part 160 and the
applicable standards, requirements, and implementation specifications
of subpart E of part 164 of this subchapter. If the Secretary
determines that exigent circumstances exist, such as when documents may
be hidden or destroyed, a covered entity must permit access by the
Secretary at any time and without notice.
(2) If any information required of a covered entity under this
section is in the exclusive possession of any other agency,
institution, or person and the other agency, institution, or person
fails or refuses to furnish the information, the covered entity must so
certify and set forth what efforts it has made to obtain the
information.
(3) Protected health information obtained by the Secretary in
connection with an investigation or compliance review under this
subpart will not be disclosed by the Secretary, except if necessary for
ascertaining or enforcing compliance with the applicable requirements
of this part 160 and the applicable standards, requirements, and
implementation specifications of subpart E of part 164 of this
subchapter, or if otherwise required by law.
Sec. 160.312 Secretarial action regarding complaints and compliance
reviews.
(a) Resolution where noncompliance is indicated. (1) If an
investigation pursuant to Sec. 160.306 or a compliance review pursuant
to Sec. 160.308 indicates a failure to comply, the Secretary will so
inform the covered entity and, if the matter arose from a complaint,
the complainant, in writing and attempt to resolve the matter by
informal means whenever possible.
(2) If the Secretary finds the covered entity is not in compliance
and determines that the matter cannot be resolved by informal means,
the Secretary may issue to the covered entity and, if the matter arose
from a complaint, to the complainant written findings documenting the
non-compliance.
(b) Resolution when no violation is found. If, after an
investigation or compliance review, the Secretary determines that
further action is not warranted, the Secretary will so inform the
covered entity and, if the matter arose from a complaint, the
complainant in writing.
2. A new Part 164 is added to read as follows:
PART 164--SECURITY AND PRIVACY
Subpart A--General Provisions
Sec.
164.102 Statutory basis.
164.104 Applicability.
164.106 Relationship to other parts.
Subparts B-D--[Reserved]
Subpart E--Privacy of Individually Identifiable Health Information
164.500 Applicability.
164.501 Definitions.
164.502 Uses and disclosures of protected health information:
General rules.
164.504 Uses and disclosures: Organizational requirements.
164.506 Consent for uses or disclosures to carry out treatment,
payment, and health care operations.
164.508 Uses and disclosures for which an authorization is
required.
164.510 Uses and disclosures requiring an opportunity for the
individual to agree or to object.
164.512 Uses and disclosures for which consent, an authorization,
or opportunity to agree or object is not required.
164.514 Other requirements relating to uses and disclosures of
protected health information.
164.520 Notice of privacy practices for protected health
information.
164.522 Rights to request privacy protection for protected health
information.
164.524 Access of individuals to protected health information.
164.526 Amendment of protected health information.
164.528 Accounting of disclosures of protected health information.
164.530 Administrative requirements.
164.532 Transition requirements.
164.534 Compliance dates for initial implementation of the privacy
standards.
Authority: 42 U.S.C. 1320d-2 and 1320d-4, sec. 264 of Pub. L.
104-191, 110 Stat. 2033-2034 (42 U.S.C. 1320(d-2(note)).
Subpart A--General Provisions
Sec. 164.102 Statutory basis.
The provisions of this part are adopted pursuant to the Secretary's
authority to prescribe standards, requirements, and implementation
standards under part C of title XI of the Act and section 264 of Public
Law 104-191.
Sec. 164.104 Applicability.
Except as otherwise provided, the provisions of this part apply to
covered entities: health plans, health care clearinghouses, and health
care providers who transmit health information in electronic form in
connection with any transaction referred to in section 1173(a)(1) of
the Act.
Sec. 164.106 Relationship to other parts.
In complying with the requirements of this part, covered entities
are required to comply with the applicable provisions of parts 160 and
162 of this subchapter.
Subpart B-D--[Reserved]
Subpart E--Privacy of Individually Identifiable Health Information
Sec. 164.500 Applicability.
(a) Except as otherwise provided herein, the standards,
requirements, and
[[Page 82803]]
implementation specifications of this subpart apply to covered entities
with respect to protected health information.
(b) Health care clearinghouses must comply with the standards,
requirements, and implementation specifications as follows:
(1) When a health care clearinghouse creates or receives protected
health information as a business associate of another covered entity,
the clearinghouse must comply with:
(i) Section 164.500 relating to applicability;
(ii) Section 164.501 relating to definitions;
(iii) Section 164.502 relating to uses and disclosures of protected
health information, except that a clearinghouse is prohibited from
using or disclosing protected health information other than as
permitted in the business associate contract under which it created or
received the protected health information;
(iv) Section 164.504 relating to the organizational requirements
for covered entities, including the designation of health care
components of a covered entity;
(v) Section 164.512 relating to uses and disclosures for which
consent, individual authorization or an opportunity to agree or object
is not required, except that a clearinghouse is prohibited from using
or disclosing protected health information other than as permitted in
the business associate contract under which it created or received the
protected health information;
(vi) Section 164.532 relating to transition requirements; and
(vii) Section 164.534 relating to compliance dates for initial
implementation of the privacy standards.
(2) When a health care clearinghouse creates or receives protected
health information other than as a business associate of a covered
entity, the clearinghouse must comply with all of the standards,
requirements, and implementation specifications of this subpart.
(c) The standards, requirements, and implementation specifications
of this subpart do not apply to the Department of Defense or to any
other federal agency, or non-governmental organization acting on its
behalf, when providing health care to overseas foreign national
beneficiaries.
Sec. 164.501 Definitions.
As used in this subpart, the following terms have the following
meanings:
Correctional institution means any penal or correctional facility,
jail, reformatory, detention center, work farm, halfway house, or
residential community program center operated by, or under contract to,
the United States, a State, a territory, a political subdivision of a
State or territory, or an Indian tribe, for the confinement or
rehabilitation of persons charged with or convicted of a criminal
offense or other persons held in lawful custody. Other persons held in
lawful custody includes juvenile offenders adjudicated delinquent,
aliens detained awaiting deportation, persons committed to mental
institutions through the criminal justice system, witnesses, or others
awaiting charges or trial.
Covered functions means those functions of a covered entity the
performance of which makes the entity a health plan, health care
provider, or health care clearinghouse.
Data aggregation means, with respect to protected health
information created or received by a business associate in its capacity
as the business associate of a covered entity, the combining of such
protected health information by the business associate with the
protected health information received by the business associate in its
capacity as a business associate of another covered entity, to permit
data analyses that relate to the health care operations of the
respective covered entities.
Designated record set means:
(1) A group of records maintained by or for a covered entity that
is:
(i) The medical records and billing records about individuals
maintained by or for a covered health care provider;
(ii) The enrollment, payment, claims adjudication, and case or
medical management record systems maintained by or for a health plan;
or
(iii) Used, in whole or in part, by or for the covered entity to
make decisions about individuals.
(2) For purposes of this paragraph, the term record means any item,
collection, or grouping of information that includes protected health
information and is maintained, collected, used, or disseminated by or
for a covered entity.
Direct treatment relationship means a treatment relationship
between an individual and a health care provider that is not an
indirect treatment relationship.
Disclosure means the release, transfer, provision of access to, or
divulging in any other manner of information outside the entity holding
the information.
Health care operations means any of the following activities of the
covered entity to the extent that the activities are related to covered
functions, and any of the following activities of an organized health
care arrangement in which the covered entity participates:
(1) Conducting quality assessment and improvement activities,
including outcomes evaluation and development of clinical guidelines,
provided that the obtaining of generalizable knowledge is not the
primary purpose of any studies resulting from such activities;
population-based activities relating to improving health or reducing
health care costs, protocol development, case management and care
coordination, contacting of health care providers and patients with
information about treatment alternatives; and related functions that do
not include treatment;
(2) Reviewing the competence or qualifications of health care
professionals, evaluating practitioner and provider performance, health
plan performance, conducting training programs in which students,
trainees, or practitioners in areas of health care learn under
supervision to practice or improve their skills as health care
providers, training of non-health care professionals, accreditation,
certification, licensing, or credentialing activities;
(3) Underwriting, premium rating, and other activities relating to
the creation, renewal or replacement of a contract of health insurance
or health benefits, and ceding, securing, or placing a contract for
reinsurance of risk relating to claims for health care (including stop-
loss insurance and excess of loss insurance), provided that the
requirements of Sec. 164.514(g) are met, if applicable;
(4) Conducting or arranging for medical review, legal services, and
auditing functions, including fraud and abuse detection and compliance
programs;
(5) Business planning and development, such as conducting cost-
management and planning-related analyses related to managing and
operating the entity, including formulary development and
administration, development or improvement of methods of payment or
coverage policies; and
(6) Business management and general administrative activities of
the entity, including, but not limited to:
(i) Management activities relating to implementation of and
compliance with the requirements of this subchapter;
(ii) Customer service, including the provision of data analyses for
policy holders, plan sponsors, or other customers, provided that
protected health information is not disclosed to such policy holder,
plan sponsor, or customer.
(iii) Resolution of internal grievances;
[[Page 82804]]
(iv) Due diligence in connection with the sale or transfer of
assets to a potential successor in interest, if the potential successor
in interest is a covered entity or, following completion of the sale or
transfer, will become a covered entity; and
(v) Consistent with the applicable requirements of Sec. 164.514,
creating de-identified health information, fundraising for the benefit
of the covered entity, and marketing for which an individual
authorization is not required as described in Sec. 164.514(e)(2).
Health oversight agency means an agency or authority of the United
States, a State, a territory, a political subdivision of a State or
territory, or an Indian tribe, or a person or entity acting under a
grant of authority from or contract with such public agency, including
the employees or agents of such public agency or its contractors or
persons or entities to whom it has granted authority, that is
authorized by law to oversee the health care system (whether public or
private) or government programs in which health information is
necessary to determine eligibility or compliance, or to enforce civil
rights laws for which health information is relevant.
Indirect treatment relationship means a relationship between an
individual and a health care provider in which:
(1) The health care provider delivers health care to the individual
based on the orders of another health care provider; and
(2) The health care provider typically provides services or
products, or reports the diagnosis or results associated with the
health care, directly to another health care provider, who provides the
services or products or reports to the individual.
Individual means the person who is the subject of protected health
information.
Individually identifiable health information is information that is
a subset of health information, including demographic information
collected from an individual, and:
(1) Is created or received by a health care provider, health plan,
employer, or health care clearinghouse; and
(2) Relates to the past, present, or future physical or mental
health or condition of an individual; the provision of health care to
an individual; or the past, present, or future payment for the
provision of health care to an individual; and
(i) That identifies the individual; or
(ii) With respect to which there is a reasonable basis to believe
the information can be used to identify the individual.
Inmate means a person incarcerated in or otherwise confined to a
correctional institution.
Law enforcement official means an officer or employee of any agency
or authority of the United States, a State, a territory, a political
subdivision of a State or territory, or an Indian tribe, who is
empowered by law to:
(1) Investigate or conduct an official inquiry into a potential
violation of law; or
(2) Prosecute or otherwise conduct a criminal, civil, or
administrative proceeding arising from an alleged violation of law.
Marketing means to make a communication about a product or service
a purpose of which is to encourage recipients of the communication to
purchase or use the product or service.
(1) Marketing does not include communications that meet the
requirements of paragraph (2) of this definition and that are made by a
covered entity:
(i) For the purpose of describing the entities participating in a
health care provider network or health plan network, or for the purpose
of describing if and the extent to which a product or service (or
payment for such product or service) is provided by a covered entity or
included in a plan of benefits; or
(ii) That are tailored to the circumstances of a particular
individual and the communications are:
(A) Made by a health care provider to an individual as part of the
treatment of the individual, and for the purpose of furthering the
treatment of that individual; or
(B) Made by a health care provider or health plan to an individual
in the course of managing the treatment of that individual, or for the
purpose of directing or recommending to that individual alternative
treatments, therapies, health care providers, or settings of care.
(2) A communication described in paragraph (1) of this definition
is not included in marketing if:
(i) The communication is made orally; or
(ii) The communication is in writing and the covered entity does
not receive direct or indirect remuneration from a third party for
making the communication.
Organized health care arrangement means:
(1) A clinically integrated care setting in which individuals
typically receive health care from more than one health care provider;
(2) An organized system of health care in which more than one
covered entity participates, and in which the participating covered
entities:
(i) Hold themselves out to the public as participating in a joint
arrangement; and
(ii) Participate in joint activities that include at least one of
the following:
(A) Utilization review, in which health care decisions by
participating covered entities are reviewed by other participating
covered entities or by a third party on their behalf;
(B) Quality assessment and improvement activities, in which
treatment provided by participating covered entities is assessed by
other participating covered entities or by a third party on their
behalf; or
(C) Payment activities, if the financial risk for delivering health
care is shared, in part or in whole, by participating covered entities
through the joint arrangement and if protected health information
created or received by a covered entity is reviewed by other
participating covered entities or by a third party on their behalf for
the purpose of administering the sharing of financial risk.
(3) A group health plan and a health insurance issuer or HMO with
respect to such group health plan, but only with respect to protected
health information created or received by such health insurance issuer
or HMO that relates to individuals who are or who have been
participants or beneficiaries in such group health plan;
(4) A group health plan and one or more other group health plans
each of which are maintained by the same plan sponsor; or
(5) The group health plans described in paragraph (4) of this
definition and health insurance issuers or HMOs with respect to such
group health plans, but only with respect to protected health
information created or received by such health insurance issuers or
HMOs that relates to individuals who are or have been participants or
beneficiaries in any of such group health plans.
Payment means:
(1) The activities undertaken by:
(i) A health plan to obtain premiums or to determine or fulfill its
responsibility for coverage and provision of benefits under the health
plan; or
(ii) A covered health care provider or health plan to obtain or
provide reimbursement for the provision of health care; and
(2) The activities in paragraph (1) of this definition relate to
the individual to whom health care is provided and include, but are not
limited to:
[[Page 82805]]
(i) Determinations of eligibility or coverage (including
coordination of benefits or the determination of cost sharing amounts),
and adjudication or subrogation of health benefit claims;
(ii) Risk adjusting amounts due based on enrollee health status and
demographic characteristics;
(iii) Billing, claims management, collection activities, obtaining
payment under a contract for reinsurance (including stop-loss insurance
and excess of loss insurance), and related health care data processing;
(iv) Review of health care services with respect to medical
necessity, coverage under a health plan, appropriateness of care, or
justification of charges;
(v) Utilization review activities, including precertification and
preauthorization of services, concurrent and retrospective review of
services; and
(vi) Disclosure to consumer reporting agencies of any of the
following protected health information relating to collection of
premiums or reimbursement:
(A) Name and address;
(B) Date of birth;
(C) Social security number;
(D) Payment history;
(E) Account number; and
(F) Name and address of the health care provider and/or health
plan.
Plan sponsor is defined as defined at section 3(16)(B) of ERISA, 29
U.S.C. 1002(16)(B).
Protected health information means individually identifiable health
information:
(1) Except as provided in paragraph (2) of this definition, that
is:
(i) Transmitted by electronic media;
(ii) Maintained in any medium described in the definition of
electronic media at Sec. 162.103 of this subchapter; or
(iii) Transmitted or maintained in any other form or medium.
(2) Protected health information excludes individually identifiable
health information in:
(i) Education records covered by the Family Educational Right and
Privacy Act, as amended, 20 U.S.C. 1232g; and
(ii) Records described at 20 U.S.C. 1232g(a)(4)(B)(iv).
Psychotherapy notes means notes recorded (in any medium) by a
health care provider who is a mental health professional documenting or
analyzing the contents of conversation during a private counseling
session or a group, joint, or family counseling session and that are
separated from the rest of the individual's medical record.
Psychotherapy notes excludes medication prescription and monitoring,
counseling session start and stop times, the modalities and frequencies
of treatment furnished, results of clinical tests, and any summary of
the following items: Diagnosis, functional status, the treatment plan,
symptoms, prognosis, and progress to date.
Public health authority means an agency or authority of the United
States, a State, a territory, a political subdivision of a State or
territory, or an Indian tribe, or a person or entity acting under a
grant of authority from or contract with such public agency, including
the employees or agents of such public agency or its contractors or
persons or entities to whom it has granted authority, that is
responsible for public health matters as part of its official mandate.
Required by law means a mandate contained in law that compels a
covered entity to make a use or disclosure of protected health
information and that is enforceable in a court of law. Required by law
includes, but is not limited to, court orders and court-ordered
warrants; subpoenas or summons issued by a court, grand jury, a
governmental or tribal inspector general, or an administrative body
authorized to require the production of information; a civil or an
authorized investigative demand; Medicare conditions of participation
with respect to health care providers participating in the program; and
statutes or regulations that require the production of information,
including statutes or regulations that require such information if
payment is sought under a government program providing public benefits.
Research means a systematic investigation, including research
development, testing, and evaluation, designed to develop or contribute
to generalizable knowledge.
Treatment means the provision, coordination, or management of
health care and related services by one or more health care providers,
including the coordination or management of health care by a health
care provider with a third party; consultation between health care
providers relating to a patient; or the referral of a patient for
health care from one health care provider to another.
Use means, with respect to individually identifiable health
information, the sharing, employment, application, utilization,
examination, or analysis of such information within an entity that
maintains such information.
Sec. 164.502 Uses and disclosures of protected health information:
general rules.
(a) Standard. A covered entity may not use or disclose protected
health information, except as permitted or required by this subpart or
by subpart C of part 160 of this subchapter.
(1) Permitted uses and disclosures. A covered entity is permitted
to use or disclose protected health information as follows:
(i) To the individual;
(ii) Pursuant to and in compliance with a consent that complies
with Sec. 164.506, to carry out treatment, payment, or health care
operations;
(iii) Without consent, if consent is not required under
Sec. 164.506(a) and has not been sought under Sec. 164.506(a)(4), to
carry out treatment, payment, or health care operations, except with
respect to psychotherapy notes;
(iv) Pursuant to and in compliance with a valid authorization under
Sec. 164.508;
(v) Pursuant to an agreement under, or as otherwise permitted by,
Sec. 164.510; and
(vi) As permitted by and in compliance with this section,
Sec. 164.512, or Sec. 164.514(e), (f), and (g).
(2) Required disclosures. A covered entity is required to disclose
protected health information:
(i) To an individual, when requested under, and required by
Sec. 164.524 or Sec. 164.528; and
(ii) When required by the Secretary under subpart C of part 160 of
this subchapter to investigate or determine the covered entity's
compliance with this subpart.
(b) Standard: Minimum necessary. (1) Minimum necessary applies.
When using or disclosing protected health information or when
requesting protected health information from another covered entity, a
covered entity must make reasonable efforts to limit protected health
information to the minimum necessary to accomplish the intended purpose
of the use, disclosure, or request.
(2) Minimum necessary does not apply. This requirement does not
apply to:
(i) Disclosures to or requests by a health care provider for
treatment;
(ii) Uses or disclosures made to the individual, as permitted under
paragraph (a)(1)(i) of this section, as required by paragraph (a)(2)(i)
of this section, or pursuant to an authorization under Sec. 164.508,
except for authorizations requested by the covered entity under
Sec. 164.508(d), (e), or (f);
(iii) Disclosures made to the Secretary in accordance with subpart
C of part 160 of this subchapter;
[[Page 82806]]
(iv) Uses or disclosures that are required by law, as described by
Sec. 164.512(a); and
(v) Uses or disclosures that are required for compliance with
applicable requirements of this subchapter.
(c) Standard: Uses and disclosures of protected health information
subject to an agreed upon restriction. A covered entity that has agreed
to a restriction pursuant to Sec. 164.522(a)(1) may not use or disclose
the protected health information covered by the restriction in
violation of such restriction, except as otherwise provided in
Sec. 164.522(a).
(d) Standard: Uses and disclosures of de-identified protected
health information.
(1) Uses and disclosures to create de-identified information. A
covered entity may use protected health information to create
information that is not individually identifiable health information or
disclose protected health information only to a business associate for
such purpose, whether or not the de-identified information is to be
used by the covered entity.
(2) Uses and disclosures of de-identified information. Health
information that meets the standard and implementation specifications
for de-identification under Sec. 164.514(a) and (b) is considered not
to be individually identifiable health information, i.e., de-
identified. The requirements of this subpart do not apply to
information that has been de-identified in accordance with the
applicable requirements of Sec. 164.514, provided that:
(i) Disclosure of a code or other means of record identification
designed to enable coded or otherwise de-identified information to be
re-identified constitutes disclosure of protected health information;
and
(ii) If de-identified information is re-identified, a covered
entity may use or disclose such re-identified information only as
permitted or required by this subpart.
(e)(1) Standard: Disclosures to business associates. (i) A covered
entity may disclose protected health information to a business
associate and may allow a business associate to create or receive
protected health information on its behalf, if the covered entity
obtains satisfactory assurance that the business associate will
appropriately safeguard the information.
(ii) This standard does not apply:
(A) With respect to disclosures by a covered entity to a health
care provider concerning the treatment of the individual;
(B) With respect to disclosures by a group health plan or a health
insurance issuer or HMO with respect to a group health plan to the plan
sponsor, to the extent that the requirements of Sec. 164.504(f) apply
and are met; or
(C) With respect to uses or disclosures by a health plan that is a
government program providing public benefits, if eligibility for, or
enrollment in, the health plan is determined by an agency other than
the agency administering the health plan, or if the protected health
information used to determine enrollment or eligibility in the health
plan is collected by an agency other than the agency administering the
health plan, and such activity is authorized by law, with respect to
the collection and sharing of individually identifiable health
information for the performance of such functions by the health plan
and the agency other than the agency administering the health plan.
(iii) A covered entity that violates the satisfactory assurances it
provided as a business associate of another covered entity will be in
noncompliance with the standards, implementation specifications, and
requirements of this paragraph and Sec. 164.504(e).
(2) Implementation specification: documentation. A covered entity
must document the satisfactory assurances required by paragraph (e)(1)
of this section through a written contract or other written agreement
or arrangement with the business associate that meets the applicable
requirements of Sec. 164.504(e).
(f) Standard: Deceased individuals. A covered entity must comply
with the requirements of this subpart with respect to the protected
health information of a deceased individual.
(g)(1) Standard: Personal representatives. As specified in this
paragraph, a covered entity must, except as provided in paragraphs
(g)(3) and (g)(5) of this section, treat a personal representative as
the individual for purposes of this subchapter.
(2) Implementation specification: adults and emancipated minors. If
under applicable law a person has authority to act on behalf of an
individual who is an adult or an emancipated minor in making decisions
related to health care, a covered entity must treat such person as a
personal representative under this subchapter, with respect to
protected health information relevant to such personal representation.
(3) Implementation specification: unemancipated minors. If under
applicable law a parent, guardian, or other person acting in loco
parentis has authority to act on behalf of an individual who is an
unemancipated minor in making decisions related to health care, a
covered entity must treat such person as a personal representative
under this subchapter, with respect to protected health information
relevant to such personal representation, except that such person may
not be a personal representative of an unemancipated minor, and the
minor has the authority to act as an individual, with respect to
protected health information pertaining to a health care service, if:
(i) The minor consents to such health care service; no other
consent to such health care service is required by law, regardless of
whether the consent of another person has also been obtained; and the
minor has not requested that such person be treated as the personal
representative;
(ii) The minor may lawfully obtain such health care service without
the consent of a parent, guardian, or other person acting in loco
parentis, and the minor, a court, or another person authorized by law
consents to such health care service; or
(iii) A parent, guardian, or other person acting in loco parentis
assents to an agreement of confidentiality between a covered health
care provider and the minor with respect to such health care service.
(4) Implementation specification: Deceased individuals. If under
applicable law an executor, administrator, or other person has
authority to act on behalf of a deceased individual or of the
individual's estate, a covered entity must treat such person as a
personal representative under this subchapter, with respect to
protected health information relevant to such personal representation.
(5) Implementation specification: Abuse, neglect, endangerment
situations. Notwithstanding a State law or any requirement of this
paragraph to the contrary, a covered entity may elect not to treat a
person as the personal representative of an individual if:
(i) The covered entity has a reasonable belief that:
(A) The individual has been or may be subjected to domestic
violence, abuse, or neglect by such person; or
(B) Treating such person as the personal representative could
endanger the individual; and
(ii) The covered entity, in the exercise of professional judgment,
decides that it is not in the best interest of the individual to treat
the person as the individual's personal representative.
(h) Standard: Confidential communications. A covered health care
provider or health plan must comply with the applicable requirements of
Sec. 164.522(b) in communicating protected health information.
[[Page 82807]]
(i) Standard: Uses and disclosures consistent with notice. A
covered entity that is required by Sec. 164.520 to have a notice may
not use or disclose protected health information in a manner
inconsistent with such notice. A covered entity that is required by
Sec. 164.520(b)(1)(iii) to include a specific statement in its notice
if it intends to engage in an activity listed in
Sec. 164.520(b)(1)(iii)(A)-(C), may not use or disclose protected
health information for such activities, unless the required statement
is included in the notice.
(j) Standard: Disclosures by whistleblowers and workforce member
crime victims.
(1) Disclosures by whistleblowers. A covered entity is not
considered to have violated the requirements of this subpart if a
member of its workforce or a business associate discloses protected
health information, provided that:
(i) The workforce member or business associate believes in good
faith that the covered entity has engaged in conduct that is unlawful
or otherwise violates professional or clinical standards, or that the
care, services, or conditions provided by the covered entity
potentially endangers one or more patients, workers, or the public; and
(ii) The disclosure is to:
(A) A health oversight agency or public health authority authorized
by law to investigate or otherwise oversee the relevant conduct or
conditions of the covered entity or to an appropriate health care
accreditation organization for the purpose of reporting the allegation
of failure to meet professional standards or misconduct by the covered
entity; or
(B) An attorney retained by or on behalf of the workforce member or
business associate for the purpose of determining the legal options of
the workforce member or business associate with regard to the conduct
described in paragraph (j)(1)(i) of this section.
(2) Disclosures by workforce members who are victims of a crime. A
covered entity is not considered to have violated the requirements of
this subpart if a member of its workforce who is the victim of a
criminal act discloses protected health information to a law
enforcement official, provided that:
(i) The protected health information disclosed is about the
suspected perpetrator of the criminal act; and
(ii) The protected health information disclosed is limited to the
information listed in Sec. 164.512(f)(2)(i).
Sec. 164.504 Uses and disclosures: Organizational requirements.
(a) Definitions. As used in this section:
Common control exists if an entity has the power, directly or
indirectly, significantly to influence or direct the actions or
policies of another entity.
Common ownership exists if an entity or entities possess an
ownership or equity interest of 5 percent or more in another entity.
Health care component has the following meaning:
(1) Components of a covered entity that perform covered functions
are part of the health care component.
(2) Another component of the covered entity is part of the entity's
health care component to the extent that:
(i) It performs, with respect to a component that performs covered
functions, activities that would make such other component a business
associate of the component that performs covered functions if the two
components were separate legal entities; and
(ii) The activities involve the use or disclosure of protected
health information that such other component creates or receives from
or on behalf of the component that performs covered functions.
Hybrid entity means a single legal entity that is a covered entity
and whose covered functions are not its primary functions.
Plan administration functions means administration functions
performed by the plan sponsor of a group health plan on behalf of the
group health plan and excludes functions performed by the plan sponsor
in connection with any other benefit or benefit plan of the plan
sponsor.
Summary health information means information, that may be
individually identifiable health information, and:
(1) That summarizes the claims history, claims expenses, or type of
claims experienced by individuals for whom a plan sponsor has provided
health benefits under a group health plan; and
(2) From which the information described at Sec. 164.514(b)(2)(i)
has been deleted, except that the geographic information described in
Sec. 164.514(b)(2)(i)(B) need only be aggregated to the level of a five
digit zip code.
(b) Standard: Health care component. If a covered entity is a
hybrid entity, the requirements of this subpart, other than the
requirements of this section, apply only to the health care
component(s) of the entity, as specified in this section.
(c)(1) Implementation specification: Application of other
provisions. In applying a provision of this subpart, other than this
section, to a hybrid entity:
(i) A reference in such provision to a ``covered entity'' refers to
a health care component of the covered entity;
(ii) A reference in such provision to a ``health plan,'' ``covered
health care provider,'' or ``health care clearinghouse'' refers to a
health care component of the covered entity if such health care
component performs the functions of a health plan, covered health care
provider, or health care clearinghouse, as applicable; and
(iii) A reference in such provision to ``protected health
information'' refers to protected health information that is created or
received by or on behalf of the health care component of the covered
entity.
(2) Implementation specifications: Safeguard requirements. The
covered entity that is a hybrid entity must ensure that a health care
component of the entity complies with the applicable requirements of
this subpart. In particular, and without limiting this requirement,
such covered entity must ensure that:
(i) Its health care component does not disclose protected health
information to another component of the covered entity in circumstances
in which this subpart would prohibit such disclosure if the health care
component and the other component were separate and distinct legal
entities;
(ii) A component that is described by paragraph (2)(i) of the
definition of health care component in this section does not use or
disclose protected health information that is within paragraph (2)(ii)
of such definition for purposes of its activities other than those
described by paragraph (2)(i) of such definition in a way prohibited by
this subpart; and
(iii) If a person performs duties for both the health care
component in the capacity of a member of the workforce of such
component and for another component of the entity in the same capacity
with respect to that component, such workforce member must not use or
disclose protected health information created or received in the course
of or incident to the member's work for the health care component in a
way prohibited by this subpart.
(3) Implementation specifications: Responsibilities of the covered
entity. A covered entity that is a hybrid entity has the following
responsibilities:
(i) For purposes of subpart C of part 160 of this subchapter,
pertaining to compliance and enforcement, the covered entity has the
responsibility to comply with this subpart.
(ii) The covered entity has the responsibility for complying with
[[Page 82808]]
Sec. 164.530(i), pertaining to the implementation of policies and
procedures to ensure compliance with this subpart, including the
safeguard requirements in paragraph (c)(2) of this section.
(iii) The covered entity is responsible for designating the
components that are part of one or more health care components of the
covered entity and documenting the designation as required by
Sec. 164.530(j).
(d)(1) Standard: Affiliated covered entities. Legally separate
covered entities that are affiliated may designate themselves as a
single covered entity for purposes of this subpart.
(2) Implementation specifications: Requirements for designation of
an affiliated covered entity. (i) Legally separate covered entities may
designate themselves (including any health care component of such
covered entity) as a single affiliated covered entity, for purposes of
this subpart, if all of the covered entities designated are under
common ownership or control.
(ii) The designation of an affiliated covered entity must be
documented and the documentation maintained as required by
Sec. 164.530(j).
(3) Implementation specifications: Safeguard requirements. An
affiliated covered entity must ensure that:
(i) The affiliated covered entity's use and disclosure of protected
health information comply with the applicable requirements of this
subpart; and
(ii) If the affiliated covered entity combines the functions of a
health plan, health care provider, or health care clearinghouse, the
affiliated covered entity complies with paragraph (g) of this section.
(e)(1) Standard: Business associate contracts. (i) The contract or
other arrangement between the covered entity and the business associate
required by Sec. 164.502(e)(2) must meet the requirements of paragraph
(e)(2) or (e)(3) of this section, as applicable.
(ii) A covered entity is not in compliance with the standards in
Sec. 164.502(e) and paragraph (e) of this section, if the covered
entity knew of a pattern of activity or practice of the business
associate that constituted a material breach or violation of the
business associate's obligation under the contract or other
arrangement, unless the covered entity took reasonable steps to cure
the breach or end the violation, as applicable, and, if such steps were
unsuccessful:
(A) Terminated the contract or arrangement, if feasible; or
(B) If termination is not feasible, reported the problem to the
Secretary.
(2) Implementation specifications: Business associate contracts. A
contract between the covered entity and a business associate must:
(i) Establish the permitted and required uses and disclosures of
such information by the business associate. The contract may not
authorize the business associate to use or further disclose the
information in a manner that would violate the requirements of this
subpart, if done by the covered entity, except that:
(A) The contract may permit the business associate to use and
disclose protected health information for the proper management and
administration of the business associate, as provided in paragraph
(e)(4) of this section; and
(B) The contract may permit the business associate to provide data
aggregation services relating to the health care operations of the
covered entity.
(ii) Provide that the business associate will:
(A) Not use or further disclose the information other than as
permitted or required by the contract or as required by law;
(B) Use appropriate safeguards to prevent use or disclosure of the
information other than as provided for by its contract;
(C) Report to the covered entity any use or disclosure of the
information not provided for by its contract of which it becomes aware;
(D) Ensure that any agents, including a subcontractor, to whom it
provides protected health information received from, or created or
received by the business associate on behalf of, the covered entity
agrees to the same restrictions and conditions that apply to the
business associate with respect to such information;
(E) Make available protected health information in accordance with
Sec. 164.524;
(F) Make available protected health information for amendment and
incorporate any amendments to protected health information in
accordance with Sec. 164.526;
(G) Make available the information required to provide an
accounting of disclosures in accordance with Sec. 164.528;
(H) Make its internal practices, books, and records relating to the
use and disclosure of protected health information received from, or
created or received by the business associate on behalf of, the covered
entity available to the Secretary for purposes of determining the
covered entity's compliance with this subpart; and
(I) At termination of the contract, if feasible, return or destroy
all protected health information received from, or created or received
by the business associate on behalf of, the covered entity that the
business associate still maintains in any form and retain no copies of
such information or, if such return or destruction is not feasible,
extend the protections of the contract to the information and limit
further uses and disclosures to those purposes that make the return or
destruction of the information infeasible.
(iii) Authorize termination of the contract by the covered entity,
if the covered entity determines that the business associate has
violated a material term of the contract.
(3) Implementation specifications: Other arrangements. (i) If a
covered entity and its business associate are both governmental
entities:
(A) The covered entity may comply with paragraph (e) of this
section by entering into a memorandum of understanding with the
business associate that contains terms that accomplish the objectives
of paragraph (e)(2) of this section.
(B) The covered entity may comply with paragraph (e) of this
section, if other law (including regulations adopted by the covered
entity or its business associate) contains requirements applicable to
the business associate that accomplish the objectives of paragraph
(e)(2) of this section.
(ii) If a business associate is required by law to perform a
function or activity on behalf of a covered entity or to provide a
service described in the definition of business associate in
Sec. 160.103 of this subchapter to a covered entity, such covered
entity may disclose protected health information to the business
associate to the extent necessary to comply with the legal mandate
without meeting the requirements of this paragraph (e), provided that
the covered entity attempts in good faith to obtain satisfactory
assurances as required by paragraph (e)(3)(i) of this section, and, if
such attempt fails, documents the attempt and the reasons that such
assurances cannot be obtained.
(iii) The covered entity may omit from its other arrangements the
termination authorization required by paragraph (e)(2)(iii) of this
section, if such authorization is inconsistent with the statutory
obligations of the covered entity or its business associate.
(4) Implementation specifications: Other requirements for contracts
and other arrangements. (i) The contract or other arrangement between
the covered entity and the business associate may
[[Page 82809]]
permit the business associate to use the information received by the
business associate in its capacity as a business associate to the
covered entity, if necessary:
(A) For the proper management and administration of the business
associate; or
(B) To carry out the legal responsibilities of the business
associate.
(ii) The contract or other arrangement between the covered entity
and the business associate may permit the business associate to
disclose the information received by the business associate in its
capacity as a business associate for the purposes described in
paragraph (e)(4)(i) of this section, if:
(A) The disclosure is required by law; or
(B)(1) The business associate obtains reasonable assurances from
the person to whom the information is disclosed that it will be held
confidentially and used or further disclosed only as required by law or
for the purpose for which it was disclosed to the person; and
(2) The person notifies the business associate of any instances of
which it is aware in which the confidentiality of the information has
been breached.
(f)(1) Standard: Requirements for group health plans. (i) Except as
provided under paragraph (f)(1)(ii) of this section or as otherwise
authorized under Sec. 164.508, a group health plan, in order to
disclose protected health information to the plan sponsor or to provide
for or permit the disclosure of protected health information to the
plan sponsor by a health insurance issuer or HMO with respect to the
group health plan, must ensure that the plan documents restrict uses
and discloses of such information by the plan sponsor consistent with
the requirements of this subpart.
(ii) The group health plan, or a health insurance issuer or HMO
with respect to the group health plan, may disclose summary health
information to the plan sponsor, if the plan sponsor requests the
summary health information for the purpose of :
(A) Obtaining premium bids from health plans for providing health
insurance coverage under the group health plan; or
(B) Modifying, amending, or terminating the group health plan.
(2) Implementation specifications: Requirements for plan documents.
The plan documents of the group health plan must be amended to
incorporate provisions to:
(i) Establish the permitted and required uses and disclosures of
such information by the plan sponsor, provided that such permitted and
required uses and disclosures may not be inconsistent with this
subpart.
(ii) Provide that the group health plan will disclose protected
health information to the plan sponsor only upon receipt of a
certification by the plan sponsor that the plan documents have been
amended to incorporate the following provisions and that the plan
sponsor agrees to:
(A) Not use or further disclose the information other than as
permitted or required by the plan documents or as required by law;
(B) Ensure that any agents, including a subcontractor, to whom it
provides protected health information received from the group health
plan agree to the same restrictions and conditions that apply to the
plan sponsor with respect to such information;
(C) Not use or disclose the information for employment-related
actions and decisions or in connection with any other benefit or
employee benefit plan of the plan sponsor;
(D) Report to the group health plan any use or disclosure of the
information that is inconsistent with the uses or disclosures provided
for of which it becomes aware;
(E) Make available protected health information in accordance with
Sec. 164.524;
(F) Make available protected health information for amendment and
incorporate any amendments to protected health information in
accordance with Sec. 164.526;
(G) Make available the information required to provide an
accounting of disclosures in accordance with Sec. 164.528;
(H) Make its internal practices, books, and records relating to the
use and disclosure of protected health information received from the
group health plan available to the Secretary for purposes of
determining compliance by the group health plan with this subpart;
(I) If feasible, return or destroy all protected health information
received from the group health plan that the sponsor still maintains in
any form and retain no copies of such information when no longer needed
for the purpose for which disclosure was made, except that, if such
return or destruction is not feasible, limit further uses and
disclosures to those purposes that make the return or destruction of
the information infeasible; and
(J) Ensure that the adequate separation required in paragraph
(f)(2)(iii) of this section is established.
(iii) Provide for adequate separation between the group health plan
and the plan sponsor. The plan documents must:
(A) Describe those employees or classes of employees or other
persons under the control of the plan sponsor to be given access to the
protected health information to be disclosed, provided that any
employee or person who receives protected health information relating
to payment under, health care operations of, or other matters
pertaining to the group health plan in the ordinary course of business
must be included in such description;
(B) Restrict the access to and use by such employees and other
persons described in paragraph (f)(2)(iii)(A) of this section to the
plan administration functions that the plan sponsor performs for the
group health plan; and
(C) Provide an effective mechanism for resolving any issues of
noncompliance by persons described in paragraph (f)(2)(iii)(A) of this
section with the plan document provisions required by this paragraph.
(3) Implementation specifications: Uses and disclosures. A group
health plan may:
(i) Disclose protected health information to a plan sponsor to
carry out plan administration functions that the plan sponsor performs
only consistent with the provisions of paragraph (f)(2) of this
section;
(ii) Not permit a health insurance issuer or HMO with respect to
the group health plan to disclose protected health information to the
plan sponsor except as permitted by this paragraph;
(iii) Not disclose and may not permit a health insurance issuer or
HMO to disclose protected health information to a plan sponsor as
otherwise permitted by this paragraph unless a statement required by
Sec. 164.520(b)(1)(iii)(C) is included in the appropriate notice; and
(iv) Not disclose protected health information to the plan sponsor for
the purpose of employment-related actions or decisions or in connection
with any other benefit or employee benefit plan of the plan sponsor.
(g) Standard: Requirements for a covered entity with multiple
covered functions.
(1) A covered entity that performs multiple covered functions that
would make the entity any combination of a health plan, a covered
health care provider, and a health care clearinghouse, must comply with
the standards, requirements, and implementation specifications of this
subpart, as applicable to the health plan, health care provider, or
health care clearinghouse covered functions performed.
[[Page 82810]]
(2) A covered entity that performs multiple covered functions may
use or disclose the protected health information of individuals who
receive the covered entity's health plan or health care provider
services, but not both, only for purposes related to the appropriate
function being performed.
Sec. 164.506 Consent for uses or disclosures to carry out treatment,
payment, or health care operations.
(a) Standard: Consent requirement. (1) Except as provided in
paragraph (a)(2) or (a)(3) of this section, a covered health care
provider must obtain the individual's consent, in accordance with this
section, prior to using or disclosing protected health information to
carry out treatment, payment, or health care operations.
(2) A covered health care provider may, without consent, use or
disclose protected health information to carry out treatment, payment,
or health care operations, if:
(i) The covered health care provider has an indirect treatment
relationship with the individual; or
(ii) The covered health care provider created or received the
protected health information in the course of providing health care to
an individual who is an inmate.
(3)(i) A covered health care provider may, without prior consent,
use or disclose protected health information created or received under
paragraph (a)(3)(i)(A)-(C) of this section to carry out treatment,
payment, or health care operations:
(A) In emergency treatment situations, if the covered health care
provider attempts to obtain such consent as soon as reasonably
practicable after the delivery of such treatment;
(B) If the covered health care provider is required by law to treat
the individual, and the covered health care provider attempts to obtain
such consent but is unable to obtain such consent; or
(C) If a covered health care provider attempts to obtain such
consent from the individual but is unable to obtain such consent due to
substantial barriers to communicating with the individual, and the
covered health care provider determines, in the exercise of
professional judgment, that the individual's consent to receive
treatment is clearly inferred from the circumstances.
(ii) A covered health care provider that fails to obtain such
consent in accordance with paragraph (a)(3)(i) of this section must
document its attempt to obtain consent and the reason why consent was
not obtained.
(4) If a covered entity is not required to obtain consent by
paragraph (a)(1) of this section, it may obtain an individual's consent
for the covered entity's own use or disclosure of protected health
information to carry out treatment, payment, or health care operations,
provided that such consent meets the requirements of this section.
(5) Except as provided in paragraph (f)(1) of this section, a
consent obtained by a covered entity under this section is not
effective to permit another covered entity to use or disclose protected
health information.
(b) Implementation specifications: General requirements. (1) A
covered health care provider may condition treatment on the provision
by the individual of a consent under this section.
(2) A health plan may condition enrollment in the health plan on
the provision by the individual of a consent under this section sought
in conjunction with such enrollment.
(3) A consent under this section may not be combined in a single
document with the notice required by Sec. 164.520.
(4)(i) A consent for use or disclosure may be combined with other
types of written legal permission from the individual (e.g., an
informed consent for treatment or a consent to assignment of benefits),
if the consent under this section:
(A) Is visually and organizationally separate from such other
written legal permission; and
(B) Is separately signed by the individual and dated.
(ii) A consent for use or disclosure may be combined with a
research authorization under Sec. 164.508(f).
(5) An individual may revoke a consent under this section at any
time, except to the extent that the covered entity has taken action in
reliance thereon. Such revocation must be in writing.
(6) A covered entity must document and retain any signed consent
under this section as required by Sec. 164.530(j).
(c) Implementation specifications: Content requirements. A consent
under this section must be in plain language and:
(1) Inform the individual that protected health information may be
used and disclosed to carry out treatment, payment, or health care
operations;
(2) Refer the individual to the notice required by Sec. 164.520 for
a more complete description of such uses and disclosures and state that
the individual has the right to review the notice prior to signing the
consent;
(3) If the covered entity has reserved the right to change its
privacy practices that are described in the notice in accordance with
Sec. 164.520(b)(1)(v)(C), state that the terms of its notice may change
and describe how the individual may obtain a revised notice;
(4) State that:
(i) The individual has the right to request that the covered entity
restrict how protected health information is used or disclosed to carry
out treatment, payment, or health care operations;
(ii) The covered entity is not required to agree to requested
restrictions; and
(iii) If the covered entity agrees to a requested restriction, the
restriction is binding on the covered entity;
(5) State that the individual has the right to revoke the consent
in writing, except to the extent that the covered entity has taken
action in reliance thereon; and
(6) Be signed by the individual and dated.
(d) Implementation specifications: Defective consents. There is no
consent under this section, if the document submitted has any of the
following defects:
(1) The consent lacks an element required by paragraph (c) of this
section, as applicable; or
(2) The consent has been revoked in accordance with paragraph
(b)(5) of this section.
(e) Standard: Resolving conflicting consents and authorizations.
(1) If a covered entity has obtained a consent under this section and
receives any other authorization or written legal permission from the
individual for a disclosure of protected health information to carry
out treatment, payment, or health care operations, the covered entity
may disclose such protected health information only in accordance with
the more restrictive consent, authorization, or other written legal
permission from the individual.
(2) A covered entity may attempt to resolve a conflict between a
consent and an authorization or other written legal permission from the
individual described in paragraph (e)(1) of this section by:
(i) Obtaining a new consent from the individual under this section
for the disclosure to carry out treatment, payment, or health care
operations; or
(ii) Communicating orally or in writing with the individual in
order to determine the individual's preference in resolving the
conflict. The covered entity must document the individual's preference
and may only disclose protected health information in accordance with
the individual's preference.
[[Page 82811]]
(f)(1) Standard: Joint consents. Covered entities that participate
in an organized health care arrangement and that have a joint notice
under Sec. 164.520(d) may comply with this section by a joint consent.
(2) Implementation specifications: Requirements for joint consents.
(i) A joint consent must:
(A) Include the name or other specific identification of the
covered entities, or classes of covered entities, to which the joint
consent applies; and
(B) Meet the requirements of this section, except that the
statements required by this section may be altered to reflect the fact
that the consent covers more than one covered entity.
(ii) If an individual revokes a joint consent, the covered entity
that receives the revocation must inform the other entities covered by
the joint consent of the revocation as soon as practicable.
Sec. 164.508 Uses and disclosures for which an authorization is
required.
(a) Standard: Authorizations for uses and disclosures. (1)
Authorization required: General rule. Except as otherwise permitted or
required by this subchapter, a covered entity may not use or disclose
protected health information without an authorization that is valid
under this section. When a covered entity obtains or receives a valid
authorization for its use or disclosure of protected health
information, such use or disclosure must be consistent with such
authorization.
(2) Authorization required: psychotherapy notes. Notwithstanding
any other provision of this subpart, other than transition provisions
provided for in Sec. 164.532, a covered entity must obtain an
authorization for any use or disclosure of psychotherapy notes, except:
(i) To carry out the following treatment, payment, or health care
operations, consistent with consent requirements in Sec. 164.506:
(A) Use by originator of the psychotherapy notes for treatment;
(B) Use or disclosure by the covered entity in training programs in
which students, trainees, or practitioners in mental health learn under
supervision to practice or improve their skills in group, joint,
family, or individual counseling; or
(C) Use or disclosure by the covered entity to defend a legal
action or other proceeding brought by the individual; and
(ii) A use or disclosure that is required by Sec. 164.502(a)(2)(ii)
or permitted by Sec. 164.512(a); Sec. 164.512(d) with respect to the
oversight of the originator of the psychotherapy notes;
Sec. 164.512(g)(1); or Sec. 164.512(j)(1)(i).
(b) Implementation specifications: General requirements.--(1) Valid
authorizations.
(i) A valid authorization is a document that contains the elements
listed in paragraph (c) and, as applicable, paragraph (d), (e), or (f)
of this section.
(ii) A valid authorization may contain elements or information in
addition to the elements required by this section, provided that such
additional elements or information are not be inconsistent with the
elements required by this section.
(2) Defective authorizations. An authorization is not valid, if the
document submitted has any of the following defects:
(i) The expiration date has passed or the expiration event is known
by the covered entity to have occurred;
(ii) The authorization has not been filled out completely, with
respect to an element described by paragraph (c), (d), (e), or (f) of
this section, if applicable;
(iii) The authorization is known by the covered entity to have been
revoked;
(iv) The authorization lacks an element required by paragraph (c),
(d), (e), or (f) of this section, if applicable;
(v) The authorization violates paragraph (b)(3) of this section, if
applicable;
(vi) Any material information in the authorization is known by the
covered entity to be false.
(3) Compound authorizations. An authorization for use or disclosure
of protected health information may not be combined with any other
document to create a compound authorization, except as follows:
(i) An authorization for the use or disclosure of protected health
information created for research that includes treatment of the
individual may be combined as permitted by Sec. 164.506(b)(4)(ii) or
paragraph (f) of this section;
(ii) An authorization for a use or disclosure of psychotherapy
notes may only be combined with another authorization for a use or
disclosure of psychotherapy notes;
(iii) An authorization under this section, other than an
authorization for a use or disclosure of psychotherapy notes may be
combined with any other such authorization under this section, except
when a covered entity has conditioned the provision of treatment,
payment, enrollment in the health plan, or eligibility for benefits
under paragraph (b)(4) of this section on the provision of one of the
authorizations.
(4) Prohibition on conditioning of authorizations. A covered entity
may not condition the provision to an individual of treatment, payment,
enrollment in the health plan, or eligibility for benefits on the
provision of an authorization, except:
(i) A covered health care provider may condition the provision of
research-related treatment on provision of an authorization under
paragraph (f) of this section;
(ii) A health plan may condition enrollment in the health plan or
eligibility for benefits on provision of an authorization requested by
the health plan prior to an individual's enrollment in the health plan,
if:
(A) The authorization sought is for the health plan's eligibility
or enrollment determinations relating to the individual or for its
underwriting or risk rating determinations; and
(B) The authorization is not for a use or disclosure of
psychotherapy notes under paragraph (a)(2) of this section;
(iii) A health plan may condition payment of a claim for specified
benefits on provision of an authorization under paragraph (e) of this
section, if:
(A) The disclosure is necessary to determine payment of such claim;
and
(B) The authorization is not for a use or disclosure of
psychotherapy notes under paragraph (a)(2) of this section; and
(iv) A covered entity may condition the provision of health care
that is solely for the purpose of creating protected health information
for disclosure to a third party on provision of an authorization for
the disclosure of the protected health information to such third party.
(5) Revocation of authorizations. An individual may revoke an
authorization provided under this section at any time, provided that
the revocation is in writing, except to the extent that:
(i) The covered entity has taken action in reliance thereon; or
(ii) If the authorization was obtained as a condition of obtaining
insurance coverage, other law provides the insurer with the right to
contest a claim under the policy.
(6) Documentation. A covered entity must document and retain any
signed authorization under this section as required by Sec. 164.530(j).
(c) Implementation specifications: Core elements and requirements.
(1) Core elements. A valid authorization under this section must
contain at least the following elements:
(i) A description of the information to be used or disclosed that
identifies the information in a specific and meaningful fashion;
[[Page 82812]]
(ii) The name or other specific identification of the person(s), or
class of persons, authorized to make the requested use or disclosure;
(iii) The name or other specific identification of the person(s),
or class of persons, to whom the covered entity may make the requested
use or disclosure;
(iv) An expiration date or an expiration event that relates to the
individual or the purpose of the use or disclosure;
(v) A statement of the individual's right to revoke the
authorization in writing and the exceptions to the right to revoke,
together with a description of how the individual may revoke the
authorization;
(vi) A statement that information used or disclosed pursuant to the
authorization may be subject to redisclosure by the recipient and no
longer be protected by this rule;
(vii) Signature of the individual and date; and
(viii) If the authorization is signed by a personal representative
of the individual, a description of such representative's authority to
act for the individual.
(2) Plain language requirement. The authorization must be written
in plain language.
(d) Implementation specifications: Authorizations requested by a
covered entity for its own uses and disclosures. If an authorization is
requested by a covered entity for its own use or disclosure of
protected health information that it maintains, the covered entity must
comply with the following requirements.
(1) Required elements. The authorization for the uses or
disclosures described in this paragraph must, in addition to meeting
the requirements of paragraph (c) of this section, contain the
following elements:
(i) For any authorization to which the prohibition on conditioning
in paragraph (b)(4) of this section applies, a statement that the
covered entity will not condition treatment, payment, enrollment in the
health plan, or eligibility for benefits on the individual's providing
authorization for the requested use or disclosure;
(ii) A description of each purpose of the requested use or
disclosure;
(iii) A statement that the individual may:
(A) Inspect or copy the protected health information to be used or
disclosed as provided in Sec. 164.524; and
(B) Refuse to sign the authorization; and
(iv) If use or disclosure of the requested information will result
in direct or indirect remuneration to the covered entity from a third
party, a statement that such remuneration will result.
(2) Copy to the individual. A covered entity must provide the
individual with a copy of the signed authorization.
(e) Implementation specifications: Authorizations requested by a
covered entity for disclosures by others. If an authorization is
requested by a covered entity for another covered entity to disclose
protected health information to the covered entity requesting the
authorization to carry out treatment, payment, or health care
operations, the covered entity requesting the authorization must comply
with the following requirements.
(1) Required elements. The authorization for the disclosures
described in this paragraph must, in addition to meeting the
requirements of paragraph (c) of this section, contain the following
elements:
(i) A description of each purpose of the requested disclosure;
(ii) Except for an authorization on which payment may be
conditioned under paragraph (b)(4)(iii) of this section, a statement
that the covered entity will not condition treatment, payment,
enrollment in the health plan, or eligibility for benefits on the
individual's providing authorization for the requested use or
disclosure; and
(iii) A statement that the individual may refuse to sign the
authorization.
(2) Copy to the individual. A covered entity must provide the
individual with a copy of the signed authorization.
(f) Implementation specifications: Authorizations for uses and
disclosures of protected health information created for research that
includes treatment of the individual.
(1) Required elements. Except as otherwise permitted by
Sec. 164.512(i), a covered entity that creates protected health
information for the purpose, in whole or in part, of research that
includes treatment of individuals must obtain an authorization for the
use or disclosure of such information. Such authorization must:
(i) For uses and disclosures not otherwise permitted or required
under this subpart, meet the requirements of paragraphs (c) and (d) of
this section; and
(ii) Contain:
(A) A description of the extent to which such protected health
information will be used or disclosed to carry out treatment, payment,
or health care operations;
(B) A description of any protected health information that will not
be used or disclosed for purposes permitted in accordance with
Secs. 164.510 and 164.512, provided that the covered entity may not
include a limitation affecting its right to make a use or disclosure
that is required by law or permitted by Sec. 164.512(j)(1)(i); and
(C) If the covered entity has obtained or intends to obtain the
individual's consent under Sec. 164.506, or has provided or intends to
provide the individual with a notice under Sec. 164.520, the
authorization must refer to that consent or notice, as applicable, and
state that the statements made pursuant to this section are binding.
(2) Optional procedure. An authorization under this paragraph may
be in the same document as:
(i) A consent to participate in the research;
(ii) A consent to use or disclose protected health information to
carry out treatment, payment, or health care operations under
Sec. 164.506; or
(iii) A notice of privacy practices under Sec. 164.520.
Sec. 164.510 Uses and disclosures requiring an opportunity for the
individual to agree or to object.
A covered entity may use or disclose protected health information
without the written consent or authorization of the individual as
described by Secs. 164.506 and 164.508, respectively, provided that the
individual is informed in advance of the use or disclosure and has the
opportunity to agree to or prohibit or restrict the disclosure in
accordance with the applicable requirements of this section. The
covered entity may orally inform the individual of and obtain the
individual's oral agreement or objection to a use or disclosure
permitted by this section.
(a) Standard: use and disclosure for facility directories. (1)
Permitted uses and disclosure. Except when an objection is expressed in
accordance with paragraphs (a)(2) or (3) of this section, a covered
health care provider may:
(i) Use the following protected health information to maintain a
directory of individuals in its facility:
(A) The individual's name;
(B) The individual's location in the covered health care provider's
facility;
(C) The individual's condition described in general terms that does
not communicate specific medical information about the individual; and
(D) The individual's religious affiliation; and
(ii) Disclose for directory purposes such information:
(A) To members of the clergy; or
[[Page 82813]]
(B) Except for religious affiliation, to other persons who ask for
the individual by name.
(2) Opportunity to object. A covered health care provider must
inform an individual of the protected health information that it may
include in a directory and the persons to whom it may disclose such
information (including disclosures to clergy of information regarding
religious affiliation) and provide the individual with the opportunity
to restrict or prohibit some or all of the uses or disclosures
permitted by paragraph (a)(1) of this section.
(3) Emergency circumstances. (i) If the opportunity to object to
uses or disclosures required by paragraph (a)(2) of this section cannot
practicably be provided because of the individual's incapacity or an
emergency treatment circumstance, a covered health care provider may
use or disclose some or all of the protected health information
permitted by paragraph (a)(1) of this section for the facility's
directory, if such disclosure is:
(A) Consistent with a prior expressed preference of the individual,
if any, that is known to the covered health care provider; and
(B) In the individual's best interest as determined by the covered
health care provider, in the exercise of professional judgment.
(ii) The covered health care provider must inform the individual
and provide an opportunity to object to uses or disclosures for
directory purposes as required by paragraph (a)(2) of this section when
it becomes practicable to do so.
(b) Standard: uses and disclosures for involvement in the
individual's care and notification purposes. (1) Permitted uses and
disclosures. (i) A covered entity may, in accordance with paragraphs
(b)(2) or (3) of this section, disclose to a family member, other
relative, or a close personal friend of the individual, or any other
person identified by the individual, the protected health information
directly relevant to such person's involvement with the individual's
care or payment related to the individual's health care.
(ii) A covered entity may use or disclose protected health
information to notify, or assist in the notification of (including
identifying or locating), a family member, a personal representative of
the individual, or another person responsible for the care of the
individual of the individual's location, general condition, or death.
Any such use or disclosure of protected health information for such
notification purposes must be in accordance with paragraphs (b)(2),
(3), or (4) of this section, as applicable.
(2) Uses and disclosures with the individual present. If the
individual is present for, or otherwise available prior to, a use or
disclosure permitted by paragraph (b)(1) of this section and has the
capacity to make health care decisions, the covered entity may use or
disclose the protected health information if it:
(i) Obtains the individual's agreement;
(ii) Provides the individual with the opportunity to object to the
disclosure, and the individual does not express an objection; or
(iii) Reasonably infers from the circumstances, based the exercise
of professional judgment, that the individual does not object to the
disclosure.
(3) Limited uses and disclosures when the individual is not
present. If the individual is not present for, or the opportunity to
agree or object to the use or disclosure cannot practicably be provided
because of the individual's incapacity or an emergency circumstance,
the covered entity may, in the exercise of professional judgment,
determine whether the disclosure is in the best interests of the
individual and, if so, disclose only the protected health information
that is directly relevant to the person's involvement with the
individual's health care. A covered entity may use professional
judgment and its experience with common practice to make reasonable
inferences of the individual's best interest in allowing a person to
act on behalf of the individual to pick up filled prescriptions,
medical supplies, X-rays, or other similar forms of protected health
information.
(4) Use and disclosures for disaster relief purposes. A covered
entity may use or disclose protected health information to a public or
private entity authorized by law or by its charter to assist in
disaster relief efforts, for the purpose of coordinating with such
entities the uses or disclosures permitted by paragraph (b)(1)(ii) of
this section. The requirements in paragraphs (b)(2) and (3) of this
section apply to such uses and disclosure to the extent that the
covered entity, in the exercise of professional judgment, determines
that the requirements do not interfere with the ability to respond to
the emergency circumstances.
Sec. 164.512 Uses and disclosures for which consent, an authorization,
or opportunity to agree or object is not required.
A covered entity may use or disclose protected health information
without the written consent or authorization of the individual as
described in Secs. 164.506 and 164.508, respectively, or the
opportunity for the individual to agree or object as described in
Sec. 164.510, in the situations covered by this section, subject to the
applicable requirements of this section. When the covered entity is
required by this section to inform the individual of, or when the
individual may agree to, a use or disclosure permitted by this section,
the covered entity's information and the individual's agreement may be
given orally.
(a) Standard: Uses and disclosures required by law. (1) A covered
entity may use or disclose protected health information to the extent
that such use or disclosure is required by law and the use or
disclosure complies with and is limited to the relevant requirements of
such law.
(2) A covered entity must meet the requirements described in
paragraph (c), (e), or (f) of this section for uses or disclosures
required by law.
(b) Standard: uses and disclosures for public health activities.
(1) Permitted disclosures. A covered entity may disclose protected
health information for the public health activities and purposes
described in this paragraph to:
(i) A public health authority that is authorized by law to collect
or receive such information for the purpose of preventing or
controlling disease, injury, or disability, including, but not limited
to, the reporting of disease, injury, vital events such as birth or
death, and the conduct of public health surveillance, public health
investigations, and public health interventions; or, at the direction
of a public health authority, to an official of a foreign government
agency that is acting in collaboration with a public health authority;
(ii) A public health authority or other appropriate government
authority authorized by law to receive reports of child abuse or
neglect;
(iii) A person subject to the jurisdiction of the Food and Drug
Administration:
(A) To report adverse events (or similar reports with respect to
food or dietary supplements), product defects or problems (including
problems with the use or labeling of a product), or biological product
deviations if the disclosure is made to the person required or directed
to report such information to the Food and Drug Administration;
(B) To track products if the disclosure is made to a person
required or directed by the Food and Drug Administration to track the
product;
(C) To enable product recalls, repairs, or replacement (including
locating and
[[Page 82814]]
notifying individuals who have received products of product recalls,
withdrawals, or other problems); or
(D) To conduct post marketing surveillance to comply with
requirements or at the direction of the Food and Drug Administration;
(iv) A person who may have been exposed to a communicable disease
or may otherwise be at risk of contracting or spreading a disease or
condition, if the covered entity or public health authority is
authorized by law to notify such person as necessary in the conduct of
a public health intervention or investigation; or
(v) An employer, about an individual who is a member of the
workforce of the employer, if:
(A) The covered entity is a covered health care provider who is a
member of the workforce of such employer or who provides a health care
to the individual at the request of the employer:
(1) To conduct an evaluation relating to medical surveillance of
the workplace; or
(2) To evaluate whether the individual has a work-related illness
or injury;
(B) The protected health information that is disclosed consists of
findings concerning a work-related illness or injury or a workplace-
related medical surveillance;
(C) The employer needs such findings in order to comply with its
obligations, under 29 CFR parts 1904 through 1928, 30 CFR parts 50
through 90, or under state law having a similar purpose, to record such
illness or injury or to carry out responsibilities for workplace
medical surveillance;
(D) The covered health care provider provides written notice to the
individual that protected health information relating to the medical
surveillance of the workplace and work-related illnesses and injuries
is disclosed to the employer:
(1) By giving a copy of the notice to the individual at the time
the health care is provided; or
(2) If the health care is provided on the work site of the
employer, by posting the notice in a prominent place at the location
where the health care is provided.
(2) Permitted uses. If the covered entity also is a public health
authority, the covered entity is permitted to use protected health
information in all cases in which it is permitted to disclose such
information for public health activities under paragraph (b)(1) of this
section.
(c) Standard: Disclosures about victims of abuse, neglect or
domestic violence. (1) Permitted disclosures. Except for reports of
child abuse or neglect permitted by paragraph (b)(1)(ii) of this
section, a covered entity may disclose protected health information
about an individual whom the covered entity reasonably believes to be a
victim of abuse, neglect, or domestic violence to a government
authority, including a social service or protective services agency,
authorized by law to receive reports of such abuse, neglect, or
domestic violence:
(i) To the extent the disclosure is required by law and the
disclosure complies with and is limited to the relevant requirements of
such law;
(ii) If the individual agrees to the disclosure; or
(iii) To the extent the disclosure is expressly authorized by
statute or regulation and:
(A) The covered entity, in the exercise of professional judgment,
believes the disclosure is necessary to prevent serious harm to the
individual or other potential victims; or
(B) If the individual is unable to agree because of incapacity, a
law enforcement or other public official authorized to receive the
report represents that the protected health information for which
disclosure is sought is not intended to be used against the individual
and that an immediate enforcement activity that depends upon the
disclosure would be materially and adversely affected by waiting until
the individual is able to agree to the disclosure.
(2) Informing the individual. A covered entity that makes a
disclosure permitted by paragraph (c)(1) of this section must promptly
inform the individual that such a report has been or will be made,
except if:
(i) The covered entity, in the exercise of professional judgment,
believes informing the individual would place the individual at risk of
serious harm; or
(ii) The covered entity would be informing a personal
representative, and the covered entity reasonably believes the personal
representative is responsible for the abuse, neglect, or other injury,
and that informing such person would not be in the best interests of
the individual as determined by the covered entity, in the exercise of
professional judgment.
(d) Standard: Uses and disclosures for health oversight activities.
(1) Permitted disclosures. A covered entity may disclose protected
health information to a health oversight agency for oversight
activities authorized by law, including audits; civil, administrative,
or criminal investigations; inspections; licensure or disciplinary
actions; civil, administrative, or criminal proceedings or actions; or
other activities necessary for appropriate oversight of:
(i) The health care system;
(ii) Government benefit programs for which health information is
relevant to beneficiary eligibility;
(iii) Entities subject to government regulatory programs for which
health information is necessary for determining compliance with program
standards; or
(iv) Entities subject to civil rights laws for which health
information is necessary for determining compliance.
(2) Exception to health oversight activities. For the purpose of
the disclosures permitted by paragraph (d)(1) of this section, a health
oversight activity does not include an investigation or other activity
in which the individual is the subject of the investigation or activity
and such investigation or other activity does not arise out of and is
not directly related to:
(i) The receipt of health care;
(ii) A claim for public benefits related to health; or
(iii) Qualification for, or receipt of, public benefits or services
when a patient's health is integral to the claim for public benefits or
services.
(3) Joint activities or investigations. Nothwithstanding paragraph
(d)(2) of this section, if a health oversight activity or investigation
is conducted in conjunction with an oversight activity or investigation
relating to a claim for public benefits not related to health, the
joint activity or investigation is considered a health oversight
activity for purposes of paragraph (d) of this section.
(4) Permitted uses. If a covered entity also is a health oversight
agency, the covered entity may use protected health information for
health oversight activities as permitted by paragraph (d) of this
section.
(e) Standard: Disclosures for judicial and administrative
proceedings.
(1) Permitted disclosures. A covered entity may disclose protected
health information in the course of any judicial or administrative
proceeding:
(i) In response to an order of a court or administrative tribunal,
provided that the covered entity discloses only the protected health
information expressly authorized by such order; or
(ii) In response to a subpoena, discovery request, or other lawful
process, that is not accompanied by an order of a court or
administrative tribunal, if:
(A) The covered entity receives satisfactory assurance, as
described in paragraph (e)(1)(iii) of this section, from the party
seeking the information that reasonable efforts have been made by
[[Page 82815]]
such party to ensure that the individual who is the subject of the
protected health information that has been requested has been given
notice of the request; or
(B) The covered entity receives satisfactory assurance, as
described in paragraph (e)(1)(iv) of this section, from the party
seeking the information that reasonable efforts have been made by such
party to secure a qualified protective order that meets the
requirements of paragraph (e)(1)(v) of this section.
(iii) For the purposes of paragraph (e)(1)(ii)(A) of this section,
a covered entity receives satisfactory assurances from a party seeking
protecting health information if the covered entity receives from such
party a written statement and accompanying documentation demonstrating
that:
(A) The party requesting such information has made a good faith
attempt to provide written notice to the individual (or, if the
individual's location is unknown, to mail a notice to the individual's
last known address);
(B) The notice included sufficient information about the litigation
or proceeding in which the protected health information is requested to
permit the individual to raise an objection to the court or
administrative tribunal; and
(C) The time for the individual to raise objections to the court or
administrative tribunal has elapsed, and:
(1) No objections were filed; or
(2) All objections filed by the individual have been resolved by
the court or the administrative tribunal and the disclosures being
sought are consistent with such resolution.
(iv) For the purposes of paragraph (e)(1)(ii)(B) of this section, a
covered entity receives satisfactory assurances from a party seeking
protected health information, if the covered entity receives from such
party a written statement and accompanying documentation demonstrating
that:
(A) The parties to the dispute giving rise to the request for
information have agreed to a qualified protective order and have
presented it to the court or administrative tribunal with jurisdiction
over the dispute; or
(B) The party seeking the protected health information has
requested a qualified protective order from such court or
administrative tribunal.
(v) For purposes of paragraph (e)(1) of this section, a qualified
protective order means, with respect to protected health information
requested under paragraph (e)(1)(ii) of this section, an order of a
court or of an administrative tribunal or a stipulation by the parties
to the litigation or administrative proceeding that:
(A) Prohibits the parties from using or disclosing the protected
health information for any purpose other than the litigation or
proceeding for which such information was requested; and
(B) Requires the return to the covered entity or destruction of the
protected health information (including all copies made) at the end of
the litigation or proceeding.
(vi) Nothwithstanding paragraph (e)(1)(ii) of this section, a
covered entity may disclose protected health information in response to
lawful process described in paragraph (e)(1)(ii) of this section
without receiving satisfactory assurance under paragraph (e)(1)(ii)(A)
or (B) of this section, if the covered entity makes reasonable efforts
to provide notice to the individual sufficient to meet the requirements
of paragraph (e)(1)(iii) of this section or to seek a qualified
protective order sufficient to meet the requirements of paragraph
(e)(1)(iv) of this section.
(2) Other uses and disclosures under this section. The provisions
of this paragraph do not supersede other provisions of this section
that otherwise permit or restrict uses or disclosures of protected
health information.
(f) Standard: Disclosures for law enforcement purposes. A covered
entity may disclose protected health information for a law enforcement
purpose to a law enforcement official if the conditions in paragraphs
(f)(1) through (f)(6) of this section are met, as applicable.
(1) Permitted disclosures: Pursuant to process and as otherwise
required by law. A covered entity may disclose protected health
information:
(i) As required by law including laws that require the reporting of
certain types of wounds or other physical injuries, except for laws
subject to paragraph (b)(1)(ii) or (c)(1)(i) of this section; or
(ii) In compliance with and as limited by the relevant requirements
of:
(A) A court order or court-ordered warrant, or a subpoena or
summons issued by a judicial officer;
(B) A grand jury subpoena; or
(C) An administrative request, including an administrative subpoena
or summons, a civil or an authorized investigative demand, or similar
process authorized under law, provided that:
(1) The information sought is relevant and material to a legitimate
law enforcement inquiry;
(2) The request is specific and limited in scope to the extent
reasonably practicable in light of the purpose for which the
information is sought; and
(3) De-identified information could not reasonably be used.
(2) Permitted disclosures: Limited information for identification
and location purposes. Except for disclosures required by law as
permitted by paragraph (f)(1) of this section, a covered entity may
disclose protected health information in response to a law enforcement
official's request for such information for the purpose of identifying
or locating a suspect, fugitive, material witness, or missing person,
provided that:
(i) The covered entity may disclose only the following information:
(A) Name and address;
(B) Date and place of birth;
(C) Social security number;
(D) ABO blood type and rh factor;
(E) Type of injury;
(F) Date and time of treatment;
(G) Date and time of death, if applicable; and
(H) A description of distinguishing physical characteristics,
including height, weight, gender, race, hair and eye color, presence or
absence of facial hair (beard or moustache), scars, and tattoos.
(ii) Except as permitted by paragraph (f)(2)(i) of this section,
the covered entity may not disclose for the purposes of identification
or location under paragraph (f)(2) of this section any protected health
information related to the individual's DNA or DNA analysis, dental
records, or typing, samples or analysis of body fluids or tissue.
(3) Permitted disclosure: Victims of a crime. Except for
disclosures required by law as permitted by paragraph (f)(1) of this
section, a covered entity may disclose protected health information in
response to a law enforcement official's request for such information
about an individual who is or is suspected to be a victim of a crime,
other than disclosures that are subject to paragraph (b) or (c) of this
section, if:
(ii) The individual agrees to the disclosure; or
(iii) The covered entity is unable to obtain the individual's
agreement because of incapacity or other emergency circumstance,
provided that:
(A) The law enforcement official represents that such information
is needed to determine whether a violation of law by a person other
than the victim has occurred, and such information is not intended to
be used against the victim;
(B) The law enforcement official represents that immediate law
enforcement activity that depends upon the disclosure would be
materially and
[[Page 82816]]
adversely affected by waiting until the individual is able to agree to
the disclosure; and
(C) The disclosure is in the best interests of the individual as
determined by the covered entity, in the exercise of professional
judgment.
(4) Permitted disclosure: Decedents. A covered entity may disclose
protected health information about an individual who has died to a law
enforcement official for the purpose of alerting law enforcement of the
death of the individual if the covered entity has a suspicion that such
death may have resulted from criminal conduct.
(5) Permitted disclosure: Crime on premises. A covered entity may
disclose to a law enforcement official protected health information
that the covered entity believes in good faith constitutes evidence of
criminal conduct that occurred on the premises of the covered entity.
(6) Permitted disclosure: Reporting crime in emergencies. (i) A
covered health care provider providing emergency health care in
response to a medical emergency, other than such emergency on the
premises of the covered health care provider, may disclose protected
health information to a law enforcement official if such disclosure
appears necessary to alert law enforcement to:
(A) The commission and nature of a crime;
(B) The location of such crime or of the victim(s) of such crime;
and
(C) The identity, description, and location of the perpetrator of
such crime.
(ii) If a covered health care provider believes that the medical
emergency described in paragraph (f)(6)(i) of this section is the
result of abuse, neglect, or domestic violence of the individual in
need of emergency health care, paragraph (f)(6)(i) of this section does
not apply and any disclosure to a law enforcement official for law
enforcement purposes is subject to paragraph (c) of this section.
(g) Standard: Uses and disclosures about decedents. (1) Coroners
and medical examiners. A covered entity may disclose protected health
information to a coroner or medical examiner for the purpose of
identifying a deceased person, determining a cause of death, or other
duties as authorized by law. A covered entity that also performs the
duties of a coroner or medical examiner may use protected health
information for the purposes described in this paragraph.
(2) Funeral directors. A covered entity may disclose protected
health information to funeral directors, consistent with applicable
law, as necessary to carry out their duties with respect to the
decedent. If necessary for funeral directors carry out their duties,
the covered entity may disclose the protected health information prior
to, and in reasonable anticipation of, the individual's death.
(h) Standard: Uses and disclosures for cadaveric organ, eye or
tissue donation purposes. A covered entity may use or disclose
protected health information to organ procurement organizations or
other entities engaged in the procurement, banking, or transplantation
of cadaveric organs, eyes, or tissue for the purpose of facilitating
organ, eye or tissue donation and transplantation.
(i) Standard: Uses and disclosures for research purposes. (1)
Permitted uses and disclosures. A covered entity may use or disclose
protected health information for research, regardless of the source of
funding of the research, provided that:
(i) Board approval of a waiver of authorization. The covered entity
obtains documentation that an alteration to or waiver, in whole or in
part, of the individual authorization required by Sec. 164.508 for use
or disclosure of protected health information has been approved by
either:
(A) An Institutional Review Board (IRB), established in accordance
with 7 CFR lc.107, 10 CFR 745.107, 14 CFR 1230.107, 15 CFR 27.107, 16
CFR 1028.107, 21 CFR 56.107, 22 CFR 225.107, 24 CFR 60.107, 28 CFR
46.107, 32 CFR 219.107, 34 CFR 97.107, 38 CFR 16.107, 40 CFR 26.107, 45
CFR 46.107, 45 CFR 690.107, or 49 CFR 11.107; or
(B) A privacy board that:
(1) Has members with varying backgrounds and appropriate
professional competency as necessary to review the effect of the
research protocol on the individual's privacy rights and related
interests;
(2) Includes at least one member who is not affiliated with the
covered entity, not affiliated with any entity conducting or sponsoring
the research, and not related to any person who is affiliated with any
of such entities; and
(3) Does not have any member participating in a review of any
project in which the member has a conflict of interest.
(ii) Reviews preparatory to research. The covered entity obtains
from the researcher representations that:
(A) Use or disclosure is sought solely to review protected health
information as necessary to prepare a research protocol or for similar
purposes preparatory to research;
(B) No protected health information is to be removed from the
covered entity by the researcher in the course of the review; and
(C) The protected health information for which use or access is
sought is necessary for the research purposes.
(iii) Research on decedent's information. The covered entity
obtains from the researcher:
(A) Representation that the use or disclosure is sought is solely
for research on the protected health information of decedents;
(B) Documentation, at the request of the covered entity, of the
death of such individuals; and
(C) Representation that the protected health information for which
use or disclosure is sought is necessary for the research purposes.
(2) Documentation of waiver approval. For a use or disclosure to be
permitted based on documentation of approval of an alteration or
waiver, under paragraph (i)(1)(i) of this section, the documentation
must include all of the following:
(i) Identification and date of action. A statement identifying the
IRB or privacy board and the date on which the alteration or waiver of
authorization was approved;
(ii) Waiver criteria. A statement that the IRB or privacy board has
determined that the alteration or waiver, in whole or in part, of
authorization satisfies the following criteria:
(A) The use or disclosure of protected health information involves
no more than minimal risk to the individuals;
(B) The alteration or waiver will not adversely affect the privacy
rights and the welfare of the individuals;
(C) The research could not practicably be conducted without the
alteration or waiver;
(D) The research could not practicably be conducted without access
to and use of the protected health information;
(E) The privacy risks to individuals whose protected health
information is to be used or disclosed are reasonable in relation to
the anticipated benefits if any to the individuals, and the importance
of the knowledge that may reasonably be expected to result from the
research;
(F) There is an adequate plan to protect the identifiers from
improper use and disclosure;
(G) There is an adequate plan to destroy the identifiers at the
earliest opportunity consistent with conduct of the research, unless
there is a health or research justification for retaining the
identifiers, or such retention is otherwise required by law; and
(H) There are adequate written assurances that the protected health
[[Page 82817]]
information will not be reused or disclosed to any other person or
entity, except as required by law, for authorized oversight of the
research project, or for other research for which the use or disclosure
of protected health information would be permitted by this subpart.
(iii) Protected health information needed. A brief description of
the protected health information for which use or access has been
determined to be necessary by the IRB or privacy board has determined,
pursuant to paragraph (i)(2)(ii)(D) of this section;
(iv) Review and approval procedures. A statement that the
alteration or waiver of authorization has been reviewed and approved
under either normal or expedited review procedures, as follows:
(A) An IRB must follow the requirements of the Common Rule,
including the normal review procedures (7 CFR 1c.108(b), 10 CFR
745.108(b), 14 CFR 1230.108(b), 15 CFR 27.108(b), 16 CFR 1028.108(b),
21 CFR 56.108(b), 22 CFR 225.108(b), 24 CFR 60.108(b), 28 CFR
46.108(b), 32 CFR 219.108(b), 34 CFR 97.108(b), 38 CFR 16.108(b), 40
CFR 26.108(b), 45 CFR 46.108(b), 45 CFR 690.108(b), or 49 CFR
11.108(b)) or the expedited review procedures (7 CFR 1c.110, 10 CFR
745.110, 14 CFR 1230.110, 15 CFR 27.110, 16 CFR 1028.110, 21 CFR
56.110, 22 CFR 225.110, 24 CFR 60.110, 28 CFR 46.110, 32 CFR 219.110,
34 CFR 97.110, 38 CFR 16.110, 40 CFR 26.110, 45 CFR 46.110, 45 CFR
690.110, or 49 CFR 11.110);
(B) A privacy board must review the proposed research at convened
meetings at which a majority of the privacy board members are present,
including at least one member who satisfies the criterion stated in
paragraph (i)(1)(i)(B)(2) of this section, and the alteration or waiver
of authorization must be approved by the majority of the privacy board
members present at the meeting, unless the privacy board elects to use
an expedited review procedure in accordance with paragraph
(i)(2)(iv)(C) of this section;
(C) A privacy board may use an expedited review procedure if the
research involves no more than minimal risk to the privacy of the
individuals who are the subject of the protected health information for
which use or disclosure is being sought. If the privacy board elects to
use an expedited review procedure, the review and approval of the
alteration or waiver of authorization may be carried out by the chair
of the privacy board, or by one or more members of the privacy board as
designated by the chair; and
(v) Required signature. The documentation of the alteration or
waiver of authorization must be signed by the chair or other member, as
designated by the chair, of the IRB or the privacy board, as
applicable.
(j) Standard: Uses and disclosures to avert a serious threat to
health or safety. (1) Permitted disclosures. A covered entity may,
consistent with applicable law and standards of ethical conduct, use or
disclose protected health information, if the covered entity, in good
faith, believes the use or disclosure:
(i)(A) Is necessary to prevent or lessen a serious and imminent
threat to the health or safety of a person or the public; and
(B) Is to a person or persons reasonably able to prevent or lessen
the threat, including the target of the threat; or
(ii) Is necessary for law enforcement authorities to identify or
apprehend an individual:
(A) Because of a statement by an individual admitting participation
in a violent crime that the covered entity reasonably believes may have
caused serious physical harm to the victim; or
(B) Where it appears from all the circumstances that the individual
has escaped from a correctional institution or from lawful custody, as
those terms are defined in Sec. 164.501.
(2) Use or disclosure not permitted. A use or disclosure pursuant
to paragraph (j)(1)(ii)(A) of this section may not be made if the
information described in paragraph (j)(1)(ii)(A) of this section is
learned by the covered entity:
(i) In the course of treatment to affect the propensity to commit
the criminal conduct that is the basis for the disclosure under
paragraph (j)(1)(ii)(A) of this section, or counseling or therapy; or
(ii) Through a request by the individual to initiate or to be
referred for the treatment, counseling, or therapy described in
paragraph (j)(2)(i) of this section.
(3) Limit on information that may be disclosed. A disclosure made
pursuant to paragraph (j)(1)(ii)(A) of this section shall contain only
the statement described in paragraph (j)(1)(ii)(A) of this section and
the protected health information described in paragraph (f)(2)(i) of
this section.
(4) Presumption of good faith belief. A covered entity that uses or
discloses protected health information pursuant to paragraph (j)(1) of
this section is presumed to have acted in good faith with regard to a
belief described in paragraph (j)(1)(i) or (ii) of this section, if the
belief is based upon the covered entity's actual knowledge or in
reliance on a credible representation by a person with apparent
knowledge or authority.
(k) Standard: Uses and disclosures for specialized government
functions. (1) Military and veterans activities. (i) Armed Forces
personnel. A covered entity may use and disclose the protected health
information of individuals who are Armed Forces personnel for
activities deemed necessary by appropriate military command authorities
to assure the proper execution of the military mission, if the
appropriate military authority has published by notice in the Federal
Register the following information:
(A) Appropriate military command authorities; and
(B) The purposes for which the protected health information may be
used or disclosed.
(ii) Separation or discharge from military service. A covered
entity that is a component of the Departments of Defense or
Transportation may disclose to the Department of Veterans Affairs (DVA)
the protected health information of an individual who is a member of
the Armed Forces upon the separation or discharge of the individual
from military service for the purpose of a determination by DVA of the
individual's eligibility for or entitlement to benefits under laws
administered by the Secretary of Veterans Affairs.
(iii) Veterans. A covered entity that is a component of the
Department of Veterans Affairs may use and disclose protected health
information to components of the Department that determine eligibility
for or entitlement to, or that provide, benefits under the laws
administered by the Secretary of Veterans Affairs.
(iv) Foreign military personnel. A covered entity may use and
disclose the protected health information of individuals who are
foreign military personnel to their appropriate foreign military
authority for the same purposes for which uses and disclosures are
permitted for Armed Forces personnel under the notice published in the
Federal Register pursuant to paragraph (k)(1)(i) of this section.
(2) National security and intelligence activities. A covered entity
may disclose protected health information to authorized federal
officials for the conduct of lawful intelligence, counter-intelligence,
and other national security activities authorized by the National
Security Act (50 U.S.C. 401, et seq.) and implementing authority (e.g.,
Executive Order 12333).
(3) Protective services for the President and others. A covered
entity may disclose protected health
[[Page 82818]]
information to authorized federal officials for the provision of
protective services to the President or other persons authorized by 18
U.S.C. 3056, or to foreign heads of state or other persons authorized
by 22 U.S.C. 2709(a)(3), or to for the conduct of investigations
authorized by 18 U.S.C. 871 and 879.
(4) Medical suitability determinations. A covered entity that is a
component of the Department of State may use protected health
information to make medical suitability determinations and may disclose
whether or not the individual was determined to be medically suitable
to the officials in the Department of State who need access to such
information for the following purposes:
(i) For the purpose of a required security clearance conducted
pursuant to Executive Orders 10450 and 12698;
(ii) As necessary to determine worldwide availability or
availability for mandatory service abroad under sections 101(a)(4) and
504 of the Foreign Service Act; or
(iii) For a family to accompany a Foreign Service member abroad,
consistent with section 101(b)(5) and 904 of the Foreign Service Act.
(5) Correctional institutions and other law enforcement custodial
situations. (i) Permitted disclosures. A covered entity may disclose to
a correctional institution or a law enforcement official having lawful
custody of an inmate or other individual protected health information
about such inmate or individual, if the correctional institution or
such law enforcement official represents that such protected health
information is necessary for:
(A) The provision of health care to such individuals;
(B) The health and safety of such individual or other inmates;
(C) The health and safety of the officers or employees of or others
at the correctional institution;
(D) The health and safety of such individuals and officers or other
persons responsible for the transporting of inmates or their transfer
from one institution, facility, or setting to another;
(E) Law enforcement on the premises of the correctional
institution; and
(F) The administration and maintenance of the safety, security, and
good order of the correctional institution.
(ii) Permitted uses. A covered entity that is a correctional
institution may use protected health information of individuals who are
inmates for any purpose for which such protected health information may
be disclosed.
(iii) No application after release. For the purposes of this
provision, an individual is no longer an inmate when released on
parole, probation, supervised release, or otherwise is no longer in
lawful custody.
(6) Covered entities that are government programs providing public
benefits. (i) A health plan that is a government program providing
public benefits may disclose protected health information relating to
eligibility for or enrollment in the health plan to another agency
administering a government program providing public benefits if the
sharing of eligibility or enrollment information among such government
agencies or the maintenance of such information in a single or combined
data system accessible to all such government agencies is required or
expressly authorized by statute or regulation.
(ii) A covered entity that is a government agency administering a
government program providing public benefits may disclose protected
health information relating to the program to another covered entity
that is a government agency administering a government program
providing public benefits if the programs serve the same or similar
populations and the disclosure of protected health information is
necessary to coordinate the covered functions of such programs or to
improve administration and management relating to the covered functions
of such programs.
(l) Standard: Disclosures for workers' compensation. A covered
entity may disclose protected health information as authorized by and
to the extent necessary to comply with laws relating to workers'
compensation or other similar programs, established by law, that
provide benefits for work-related injuries or illness without regard to
fault.
Sec. 164.514 Other requirements relating to uses and disclosures of
protected health information.
(a) Standard: de-identification of protected health information.
Health information that does not identify an individual and with
respect to which there is no reasonable basis to believe that the
information can be used to identify an individual is not individually
identifiable health information.
(b) Implementation specifications: requirements for de-
identification of protected health information. A covered entity may
determine that health information is not individually identifiable
health information only if:
(1) A person with appropriate knowledge of and experience with
generally accepted statistical and scientific principles and methods
for rendering information not individually identifiable:
(i) Applying such principles and methods, determines that the risk
is very small that the information could be used, alone or in
combination with other reasonably available information, by an
anticipated recipient to identify an individual who is a subject of the
information; and
(ii) Documents the methods and results of the analysis that justify
such determination; or
(2)(i) The following identifiers of the individual or of relatives,
employers, or household members of the individual, are removed:
(A) Names;
(B) All geographic subdivisions smaller than a State, including
street address, city, county, precinct, zip code, and their equivalent
geocodes, except for the initial three digits of a zip code if,
according to the current publicly available data from the Bureau of the
Census:
(1) The geographic unit formed by combining all zip codes with the
same three initial digits contains more than 20,000 people; and
(2) The initial three digits of a zip code for all such geographic
units containing 20,000 or fewer people is changed to 000.
(C) All elements of dates (except year) for dates directly related
to an individual, including birth date, admission date, discharge date,
date of death; and all ages over 89 and all elements of dates
(including year) indicative of such age, except that such ages and
elements may be aggregated into a single category of age 90 or older;
(D) Telephone numbers;
(E) Fax numbers;
(F) Electronic mail addresses;
(G) Social security numbers;
(H) Medical record numbers;
(I) Health plan beneficiary numbers;
(J) Account numbers;
(K) Certificate/license numbers;
(L) Vehicle identifiers and serial numbers, including license plate
numbers;
(M) Device identifiers and serial numbers;
(N) Web Universal Resource Locators (URLs);
(O) Internet Protocol (IP) address numbers;
(P) Biometric identifiers, including finger and voice prints;
(Q) Full face photographic images and any comparable images; and
(R) Any other unique identifying number, characteristic, or code;
and
[[Page 82819]]
(ii) The covered entity does not have actual knowledge that the
information could be used alone or in combination with other
information to identify an individual who is a subject of the
information.
(c) Implementation specifications: re-identification. A covered
entity may assign a code or other means of record identification to
allow information de-identified under this section to be re-identified
by the covered entity, provided that:
(1) Derivation. The code or other means of record identification is
not derived from or related to information about the individual and is
not otherwise capable of being translated so as to identify the
individual; and
(2) Security. The covered entity does not use or disclose the code
or other means of record identification for any other purpose, and does
not disclose the mechanism for re-identification.
(d)(1) Standard: minimum necessary requirements. A covered entity
must reasonably ensure that the standards, requirements, and
implementation specifications of Sec. 164.502(b) and this section
relating to a request for or the use and disclosure of the minimum
necessary protected health information are met.
(2) Implementation specifications: minimum necessary uses of
protected health information. (i) A covered entity must identify:
(A) Those persons or classes of persons, as appropriate, in its
workforce who need access to protected health information to carry out
their duties; and
(B) For each such person or class of persons, the category or
categories of protected health information to which access is needed
and any conditions appropriate to such access.
(ii) A covered entity must make reasonable efforts to limit the
access of such persons or classes identified in paragraph (d)(2)(i)(A)
of this section to protected health information consistent with
paragraph (d)(2)(i)(B) of this section.
(3) Implementation specification: Minimum necessary disclosures of
protected health information. (i) For any type of disclosure that it
makes on a routine and recurring basis, a covered entity must implement
policies and procedures (which may be standard protocols) that limit
the protected health information disclosed to the amount reasonably
necessary to achieve the purpose of the disclosure.
(ii) For all other disclosures, a covered entity must:
(A) Develop criteria designed to limit the protected health
information disclosed to the information reasonably necessary to
accomplish the purpose for which disclosure is sought; and
(B) Review requests for disclosure on an individual basis in
accordance with such criteria.
(iii) A covered entity may rely, if such reliance is reasonable
under the circumstances, on a requested disclosure as the minimum
necessary for the stated purpose when:
(A) Making disclosures to public officials that are permitted under
Sec. 164.512, if the public official represents that the information
requested is the minimum necessary for the stated purpose(s);
(B) The information is requested by another covered entity;
(C) The information is requested by a professional who is a member
of its workforce or is a business associate of the covered entity for
the purpose of providing professional services to the covered entity,
if the professional represents that the information requested is the
minimum necessary for the stated purpose(s); or
(D) Documentation or representations that comply with the
applicable requirements of Sec. 164.512(i) have been provided by a
person requesting the information for research purposes.
(4) Implementation specifications: Minimum necessary requests for
protected health information. (i) A covered entity must limit any
request for protected health information to that which is reasonably
necessary to accomplish the purpose for which the request is made, when
requesting such information from other covered entities.
(ii) For a request that is made on a routine and recurring basis, a
covered entity must implement policies and procedures (which may be
standard protocols) that limit the protected health information
requested to the amount reasonably necessary to accomplish the purpose
for which the request is made.
(iii) For all other requests, a covered entity must review the
request on an individual basis to determine that the protected health
information sought is limited to the information reasonably necessary
to accomplish the purpose for which the request is made.
(5) Implementation specification: Other content requirement. For
all uses, disclosures, or requests to which the requirements in
paragraph (d) of this section apply, a covered entity may not use,
discloses or request an entire medical record, except when the entire
medical record is specifically justified as the amount that is
reasonably necessary to accomplish the purpose of the use, disclosure,
or request.
(e)(1) Standard: Uses and disclosures of protected health
information for marketing. A covered entity may not use or disclose
protected health information for marketing without an authorization
that meets the applicable requirements of Sec. 164.508, except as
provided for by paragraph (e)(2) of this section.
(2) Implementation specifications: Requirements relating to
marketing. (i) A covered entity is not required to obtain an
authorization under Sec. 164.508 when it uses or discloses protected
health information to make a marketing communication to an individual
that:
(A) Occurs in a face-to-face encounter with the individual;
(B) Concerns products or services of nominal value; or
(C) Concerns the health-related products and services of the
covered entity or of a third party and the communication meets the
applicable conditions in paragraph (e)(3) of this section.
(ii) A covered entity may disclose protected health information for
purposes of such communications only to a business associate that
assists the covered entity with such communications.
(3) Implementation specifications: Requirements for certain
marketing communications. For a marketing communication to qualify
under paragraph (e)(2)(i) of this section, the following conditions
must be met:
(i) The communication must:
(A) Identify the covered entity as the party making the
communication;
(B) If the covered entity has received or will receive direct or
indirect remuneration for making the communication, prominently state
that fact; and
(C) Except when the communication is contained in a newsletter or
similar type of general communication device that the covered entity
distributes to a broad cross-section of patients, enrollees, or other
broad groups of individuals, contain instructions describing how the
individual may opt out of receiving future such communications.
(ii) If the covered entity uses or discloses protected health
information to target the communication to individuals based on their
health status or condition:
(A) The covered entity must make a determination prior to making
the communication that the product or service being marketed may be
beneficial to the health of the type or class of individual targeted;
and
(B) The communication must explain why the individual has been
targeted
[[Page 82820]]
and how the product or service relates to the health of the individual.
(iii) The covered entity must make reasonable efforts to ensure
that individuals who decide to opt out of receiving future marketing
communications, under paragraph (e)(3)(i)(C) of this section, are not
sent such communications.
(f)(1) Standard: Uses and disclosures for fundraising. A covered
entity may use, or disclose to a business associate or to an
institutionally related foundation, the following protected health
information for the purpose of raising funds for its own benefit,
without an authorization meeting the requirements of Sec. 164.508:
(i) Demographic information relating to an individual; and
(ii) Dates of health care provided to an individual.
(2) Implementation specifications: Fundraising requirements. (i)
The covered entity may not use or disclose protected health information
for fundraising purposes as otherwise permitted by paragraph (f)(1) of
this section unless a statement required by Sec. 164.520(b)(1)(iii)(B)
is included in the covered entity's notice;
(ii) The covered entity must include in any fundraising materials
it sends to an individual under this paragraph a description of how the
individual may opt out of receiving any further fundraising
communications.
(iii) The covered entity must make reasonable efforts to ensure
that individuals who decide to opt out of receiving future fundraising
communications are not sent such communications.
(g) Standard: Uses and disclosures for underwriting and related
purposes. If a health plan receives protected heath information for the
purpose of underwriting, premium rating, or other activities relating
to the creation, renewal, or replacement of a contract of health
insurance or health benefits, and if such health insurance or health
benefits are not placed with the health plan, such health plan may not
use or disclose such protected health information for any other
purpose, except as may be required by law.
(h)(1) Standard: Verification requirements. Prior to any disclosure
permitted by this subpart, a covered entity must:
(i) Except with respect to disclosures under Sec. 164.510, verify
the identity of a person requesting protected health information and
the authority of any such person to have access to protected health
information under this subpart, if the identity or any such authority
of such person is not known to the covered entity; and
(ii) Obtain any documentation, statements, or representations,
whether oral or written, from the person requesting the protected
health information when such documentation, statement, or
representation is a condition of the disclosure under this subpart.
(2) Implementation specifications: Verification. (i) Conditions on
disclosures. If a disclosure is conditioned by this subpart on
particular documentation, statements, or representations from the
person requesting the protected health information, a covered entity
may rely, if such reliance is reasonable under the circumstances, on
documentation, statements, or representations that, on their face, meet
the applicable requirements.
(A) The conditions in Sec. 164.512(f)(1)(ii)(C) may be satisfied by
the administrative subpoena or similar process or by a separate written
statement that, on its face, demonstrates that the applicable
requirements have been met.
(B) The documentation required by Sec. 164.512(i)(2) may be
satisfied by one or more written statements, provided that each is
appropriately dated and signed in accordance with Sec. 164.512(i)(2)(i)
and (v).
(ii) Identity of public officials. A covered entity may rely, if
such reliance is reasonable under the circumstances, on any of the
following to verify identity when the disclosure of protected health
information is to a public official or a person acting on behalf of the
public official:
(A) If the request is made in person, presentation of an agency
identification badge, other official credentials, or other proof of
government status;
(B) If the request is in writing, the request is on the appropriate
government letterhead; or
(C) If the disclosure is to a person acting on behalf of a public
official, a written statement on appropriate government letterhead that
the person is acting under the government's authority or other evidence
or documentation of agency, such as a contract for services, memorandum
of understanding, or purchase order, that establishes that the person
is acting on behalf of the public official.
(iii) Authority of public officials. A covered entity may rely, if
such reliance is reasonable under the circumstances, on any of the
following to verify authority when the disclosure of protected health
information is to a public official or a person acting on behalf of the
public official:
(A) A written statement of the legal authority under which the
information is requested, or, if a written statement would be
impracticable, an oral statement of such legal authority;
(B) If a request is made pursuant to legal process, warrant,
subpoena, order, or other legal process issued by a grand jury or a
judicial or administrative tribunal is presumed to constitute legal
authority.
(iv) Exercise of professional judgment. The verification
requirements of this paragraph are met if the covered entity relies on
the exercise of professional judgment in making a use or disclosure in
accordance with Sec. 164.510 or acts on a good faith belief in making a
disclosure in accordance with Sec. 164.512(j).
Sec. 164.520 Notice of privacy practices for protected health
information.
(a) Standard: notice of privacy practices. (1) Right to notice.
Except as provided by paragraph (a)(2) or (3) of this section, an
individual has a right to adequate notice of the uses and disclosures
of protected health information that may be made by the covered entity,
and of the individual's rights and the covered entity's legal duties
with respect to protected health information.
(2) Exception for group health plans. (i) An individual enrolled in
a group health plan has a right to notice:
(A) From the group health plan, if, and to the extent that, such an
individual does not receive health benefits under the group health plan
through an insurance contract with a health insurance issuer or HMO; or
(B) From the health insurance issuer or HMO with respect to the
group health plan through which such individuals receive their health
benefits under the group health plan.
(ii) A group health plan that provides health benefits solely
through an insurance contract with a health insurance issuer or HMO,
and that creates or receives protected health information in addition
to summary health information as defined in Sec. 164.504(a) or
information on whether the individual is participating in the group
health plan, or is enrolled in or has disenrolled from a health
insurance issuer or HMO offered by the plan, must:
(A) Maintain a notice under this section; and
(B) Provide such notice upon request to any person. The provisions
of paragraph (c)(1) of this section do not apply to such group health
plan.
[[Page 82821]]
(iii) A group health plan that provides health benefits solely
through an insurance contract with a health insurance issuer or HMO,
and does not create or receive protected health information other than
summary health information as defined in Sec. 164.504(a) or information
on whether an individual is participating in the group health plan, or
is enrolled in or has disenrolled from a health insurance issuer or HMO
offered by the plan, is not required to maintain or provide a notice
under this section.
(3) Exception for inmates. An inmate does not have a right to
notice under this section, and the requirements of this section do not
apply to a correctional institution that is a covered entity.
(b) Implementation specifications: content of notice.
(1) Required elements. The covered entity must provide a notice
that is written in plain language and that contains the elements
required by this paragraph.
(i) Header. The notice must contain the following statement as a
header or otherwise prominently displayed: ``THIS NOTICE DESCRIBES HOW
MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN
GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.''
(ii) Uses and disclosures. The notice must contain:
(A) A description, including at least one example, of the types of
uses and disclosures that the covered entity is permitted by this
subpart to make for each of the following purposes: treatment, payment,
and health care operations.
(B) A description of each of the other purposes for which the
covered entity is permitted or required by this subpart to use or
disclose protected health information without the individual's written
consent or authorization.
(C) If a use or disclosure for any purpose described in paragraphs
(b)(1)(ii)(A) or (B) of this section is prohibited or materially
limited by other applicable law, the description of such use or
disclosure must reflect the more stringent law as defined in
Sec. 160.202 of this subchapter.
(D) For each purpose described in paragraph (b)(1)(ii)(A) or (B) of
this section, the description must include sufficient detail to place
the individual on notice of the uses and disclosures that are permitted
or required by this subpart and other applicable law.
(E) A statement that other uses and disclosures will be made only
with the individual's written authorization and that the individual may
revoke such authorization as provided by Sec. 164.508(b)(5).
(iii) Separate statements for certain uses or disclosures. If the
covered entity intends to engage in any of the following activities,
the description required by paragraph (b)(1)(ii)(A) of this section
must include a separate statement, as applicable, that:
(A) The covered entity may contact the individual to provide
appointment reminders or information about treatment alternatives or
other health-related benefits and services that may be of interest to
the individual;
(B) The covered entity may contact the individual to raise funds
for the covered entity; or
(C) A group health plan, or a health insurance issuer or HMO with
respect to a group health plan, may disclose protected health
information to the sponsor of the plan.
(iv) Individual rights. The notice must contain a statement of the
individual's rights with respect to protected health information and a
brief description of how the individual may exercise these rights, as
follows:
(A) The right to request restrictions on certain uses and
disclosures of protected health information as provided by
Sec. 164.522(a), including a statement that the covered entity is not
required to agree to a requested restriction;
(B) The right to receive confidential communications of protected
health information as provided by Sec. 164.522(b), as applicable;
(C) The right to inspect and copy protected health information as
provided by Sec. 164.524;
(D) The right to amend protected health information as provided by
Sec. 164.526;
(E) The right to receive an accounting of disclosures of protected
health information as provided by Sec. 164.528; and
(F) The right of an individual, including an individual who has
agreed to receive the notice electronically in accordance with
paragraph (c)(3) of this section, to obtain a paper copy of the notice
from the covered entity upon request.
(v) Covered entity's duties. The notice must contain:
(A) A statement that the covered entity is required by law to
maintain the privacy of protected health information and to provide
individuals with notice of its legal duties and privacy practices with
respect to protected health information;
(B) A statement that the covered entity is required to abide by the
terms of the notice currently in effect; and
(C) For the covered entity to apply a change in a privacy practice
that is described in the notice to protected health information that
the covered entity created or received prior to issuing a revised
notice, in accordance with Sec. 164.530(i)(2)(ii), a statement that it
reserves the right to change the terms of its notice and to make the
new notice provisions effective for all protected health information
that it maintains. The statement must also describe how it will provide
individuals with a revised notice.
(vi) Complaints. The notice must contain a statement that
individuals may complain to the covered entity and to the Secretary if
they believe their privacy rights have been violated, a brief
description of how the individual may file a complaint with the covered
entity, and a statement that the individual will not be retaliated
against for filing a complaint.
(vii) Contact. The notice must contain the name, or title, and
telephone number of a person or office to contact for further
information as required by Sec. 164.530(a)(1)(ii).
(viii) Effective date. The notice must contain the date on which
the notice is first in effect, which may not be earlier than the date
on which the notice is printed or otherwise published.
(2) Optional elements. (i) In addition to the information required
by paragraph (b)(1) of this section, if a covered entity elects to
limit the uses or disclosures that it is permitted to make under this
subpart, the covered entity may describe its more limited uses or
disclosures in its notice, provided that the covered entity may not
include in its notice a limitation affecting its right to make a use or
disclosure that is required by law or permitted by
Sec. 164.512(j)(1)(i).
(ii) For the covered entity to apply a change in its more limited
uses and disclosures to protected health information created or
received prior to issuing a revised notice, in accordance with
Sec. 164.530(i)(2)(ii), the notice must include the statements required
by paragraph (b)(1)(v)(C) of this section.
(3) Revisions to the notice. The covered entity must promptly
revise and distribute its notice whenever there is a material change to
the uses or disclosures, the individual's rights, the covered entity's
legal duties, or other privacy practices stated in the notice. Except
when required by law, a material change to any term of the notice may
not be implemented prior to the effective date of the notice in which
such material change is reflected.
(c) Implementation specifications: Provision of notice. A covered
entity must make the notice required by this
[[Page 82822]]
section available on request to any person and to individuals as
specified in paragraphs (c)(1) through (c)(4) of this section, as
applicable.
(1) Specific requirements for health plans. (i) A health plan must
provide notice:
(A) No later than the compliance date for the health plan, to
individuals then covered by the plan;
(B) Thereafter, at the time of enrollment, to individuals who are
new enrollees; and
(C) Within 60 days of a material revision to the notice, to
individuals then covered by the plan.
(ii) No less frequently than once every three years, the health
plan must notify individuals then covered by the plan of the
availability of the notice and how to obtain the notice.
(iii) The health plan satisfies the requirements of paragraph
(c)(1) of this section if notice is provided to the named insured of a
policy under which coverage is provided to the named insured and one or
more dependents.
(iv) If a health plan has more than one notice, it satisfies the
requirements of paragraph (c)(1) of this section by providing the
notice that is relevant to the individual or other person requesting
the notice.
(2) Specific requirements for certain covered health care
providers. A covered health care provider that has a direct treatment
relationship with an individual must:
(i) Provide the notice no later than the date of the first service
delivery, including service delivered electronically, to such
individual after the compliance date for the covered health care
provider;
(ii) If the covered health care provider maintains a physical
service delivery site:
(A) Have the notice available at the service delivery site for
individuals to request to take with them; and
(B) Post the notice in a clear and prominent location where it is
reasonable to expect individuals seeking service from the covered
health care provider to be able to read the notice; and
(iii) Whenever the notice is revised, make the notice available
upon request on or after the effective date of the revision and
promptly comply with the requirements of paragraph (c)(2)(ii) of this
section, if applicable.
(3) Specific requirements for electronic notice. (i) A covered
entity that maintains a web site that provides information about the
covered entity's customer services or benefits must prominently post
its notice on the web site and make the notice available electronically
through the web site.
(ii) A covered entity may provide the notice required by this
section to an individual by e-mail, if the individual agrees to
electronic notice and such agreement has not been withdrawn. If the
covered entity knows that the e-mail transmission has failed, a paper
copy of the notice must be provided to the individual. Provision of
electronic notice by the covered entity will satisfy the provision
requirements of paragraph (c) of this section when timely made in
accordance with paragraph (c)(1) or (2) of this section.
(iii) For purposes of paragraph (c)(2)(i) of this section, if the
first service delivery to an individual is delivered electronically,
the covered health care provider must provide electronic notice
automatically and contemporaneously in response to the individual's
first request for service.
(iv) The individual who is the recipient of electronic notice
retains the right to obtain a paper copy of the notice from a covered
entity upon request.
(d) Implementation specifications: Joint notice by separate covered
entities. Covered entities that participate in organized health care
arrangements may comply with this section by a joint notice, provided
that:
(1) The covered entities participating in the organized health care
arrangement agree to abide by the terms of the notice with respect to
protected health information created or received by the covered entity
as part of its participation in the organized health care arrangement;
(2) The joint notice meets the implementation specifications in
paragraph (b) of this section, except that the statements required by
this section may be altered to reflect the fact that the notice covers
more than one covered entity; and
(i) Describes with reasonable specificity the covered entities, or
class of entities, to which the joint notice applies;
(ii) Describes with reasonable specificity the service delivery
sites, or classes of service delivery sites, to which the joint notice
applies; and
(iii) If applicable, states that the covered entities participating
in the organized health care arrangement will share protected health
information with each other, as necessary to carry out treatment,
payment, or health care operations relating to the organized health
care arrangement.
(3) The covered entities included in the joint notice must provide
the notice to individuals in accordance with the applicable
implementation specifications of paragraph (c) of this section.
Provision of the joint notice to an individual by any one of the
covered entities included in the joint notice will satisfy the
provision requirement of paragraph (c) of this section with respect to
all others covered by the joint notice.
(e) Implementation specifications: Documentation. A covered entity
must document compliance with the notice requirements by retaining
copies of the notices issued by the covered entity as required by
Sec. 164.530(j).
Sec. 164.522 Rights to request privacy protection for protected health
information.
(a)(1) Standard: Right of an individual to request restriction of
uses and disclosures. (i) A covered entity must permit an individual to
request that the covered entity restrict:
(A) Uses or disclosures of protected health information about the
individual to carry out treatment, payment, or health care operations;
and
(B) Disclosures permitted under Sec. 164.510(b).
(ii) A covered entity is not required to agree to a restriction.
(iii) A covered entity that agrees to a restriction under paragraph
(a)(1)(i) of this section may not use or disclose protected health
information in violation of such restriction, except that, if the
individual who requested the restriction is in need of emergency
treatment and the restricted protected health information is needed to
provide the emergency treatment, the covered entity may use the
restricted protected health information, or may disclose such
information to a health care provider, to provide such treatment to the
individual.
(iv) If restricted protected health information is disclosed to a
health care provider for emergency treatment under paragraph
(a)(1)(iii) of this section, the covered entity must request that such
health care provider not further use or disclose the information.
(v) A restriction agreed to by a covered entity under paragraph (a)
of this section, is not effective under this subpart to prevent uses or
disclosures permitted or required under Secs. 164.502(a)(2)(i),
164.510(a) or 164.512.
(2) Implementation specifications: Terminating a restriction. A
covered entity may terminate its agreement to a restriction, if :
(i) The individual agrees to or requests the termination in
writing;
(ii) The individual orally agrees to the termination and the oral
agreement is documented; or
(iii) The covered entity informs the individual that it is
terminating its
[[Page 82823]]
agreement to a restriction, except that such termination is only
effective with respect to protected health information created or
received after it has so informed the individual.
(3) Implementation specification: Documentation. A covered entity
that agrees to a restriction must document the restriction in
accordance with Sec. 164.530(j).
(b)(1) Standard: Confidential communications requirements. (i) A
covered health care provider must permit individuals to request and
must accommodate reasonable requests by individuals to receive
communications of protected health information from the covered health
care provider by alternative means or at alternative locations.
(ii) A health plan must permit individuals to request and must
accommodate reasonable requests by individuals to receive
communications of protected health information from the health plan by
alternative means or at alternative locations, if the individual
clearly states that the disclosure of all or part of that information
could endanger the individual.
(2) Implementation specifications: Conditions on providing
confidential communications.
(i) A covered entity may require the individual to make a request
for a confidential communication described in paragraph (b)(1) of this
section in writing.
(ii) A covered entity may condition the provision of a reasonable
accommodation on:
(A) When appropriate, information as to how payment, if any, will
be handled; and
(B) Specification of an alternative address or other method of
contact.
(iii) A covered health care provider may not require an explanation
from the individual as to the basis for the request as a condition of
providing communications on a confidential basis.
(iv) A health plan may require that a request contain a statement
that disclosure of all or part of the information to which the request
pertains could endanger the individual.
Sec. 164.524 Access of individuals to protected health information.
(a) Standard: Access to protected health information. (1) Right of
access. Except as otherwise provided in paragraph (a)(2) or (a)(3) of
this section, an individual has a right of access to inspect and obtain
a copy of protected health information about the individual in a
designated record set, for as long as the protected health information
is maintained in the designated record set, except for:
(i) Psychotherapy notes;
(ii) Information compiled in reasonable anticipation of, or for use
in, a civil, criminal, or administrative action or proceeding; and
(iii) Protected health information maintained by a covered entity
that is:
(A) Subject to the Clinical Laboratory Improvements Amendments of
1988, 42 U.S.C. 263a, to the extent the provision of access to the
individual would be prohibited by law; or
(B) Exempt from the Clinical Laboratory Improvements Amendments of
1988, pursuant to 42 CFR 493.3(a)(2).
(2) Unreviewable grounds for denial. A covered entity may deny an
individual access without providing the individual an opportunity for
review, in the following circumstances.
(i) The protected health information is excepted from the right of
access by paragraph (a)(1) of this section.
(ii) A covered entity that is a correctional institution or a
covered health care provider acting under the direction of the
correctional institution may deny, in whole or in part, an inmate's
request to obtain a copy of protected health information, if obtaining
such copy would jeopardize the health, safety, security, custody, or
rehabilitation of the individual or of other inmates, or the safety of
any officer, employee, or other person at the correctional institution
or responsible for the transporting of the inmate.
(iii) An individual's access to protected health information
created or obtained by a covered health care provider in the course of
research that includes treatment may be temporarily suspended for as
long as the research is in progress, provided that the individual has
agreed to the denial of access when consenting to participate in the
research that includes treatment, and the covered health care provider
has informed the individual that the right of access will be reinstated
upon completion of the research.
(iv) An individual's access to protected health information that is
contained in records that are subject to the Privacy Act, 5 U.S.C.
552a, may be denied, if the denial of access under the Privacy Act
would meet the requirements of that law.
(v) An individual's access may be denied if the protected health
information was obtained from someone other than a health care provider
under a promise of confidentiality and the access requested would be
reasonably likely to reveal the source of the information.
(3) Reviewable grounds for denial. A covered entity may deny an
individual access, provided that the individual is given a right to
have such denials reviewed, as required by paragraph (a)(4) of this
section, in the following circumstances:
(i) A licensed health care professional has determined, in the
exercise of professional judgment, that the access requested is
reasonably likely to endanger the life or physical safety of the
individual or another person;
(ii) The protected health information makes reference to another
person (unless such other person is a health care provider) and a
licensed health care professional has determined, in the exercise of
professional judgment, that the access requested is reasonably likely
to cause substantial harm to such other person; or
(iii) The request for access is made by the individual's personal
representative and a licensed health care professional has determined,
in the exercise of professional judgment, that the provision of access
to such personal representative is reasonably likely to cause
substantial harm to the individual or another person.
(4) Review of a denial of access. If access is denied on a ground
permitted under paragraph (a)(3) of this section, the individual has
the right to have the denial reviewed by a licensed health care
professional who is designated by the covered entity to act as a
reviewing official and who did not participate in the original decision
to deny. The covered entity must provide or deny access in accordance
with the determination of the reviewing official under paragraph (d)(4)
of this section.
(b) Implementation specifications: requests for access and timely
action. (1) Individual's request for access. The covered entity must
permit an individual to request access to inspect or to obtain a copy
of the protected health information about the individual that is
maintained in a designated record set. The covered entity may require
individuals to make requests for access in writing, provided that it
informs individuals of such a requirement.
(2) Timely action by the covered entity. (i) Except as provided in
paragraph (b)(2)(ii) of this section, the covered entity must act on a
request for access no later than 30 days after receipt of the request
as follows.
(A) If the covered entity grants the request, in whole or in part,
it must inform the individual of the acceptance of the request and
provide the access requested, in accordance with paragraph (c) of this
section.
[[Page 82824]]
(B) If the covered entity denies the request, in whole or in part,
it must provide the individual with a written denial, in accordance
with paragraph (d) of this section.
(ii) If the request for access is for protected health information
that is not maintained or accessible to the covered entity on-site, the
covered entity must take an action required by paragraph (b)(2)(i) of
this section by no later than 60 days from the receipt of such a
request.
(iii) If the covered entity is unable to take an action required by
paragraph (b)(2)(i)(A) or (B) of this section within the time required
by paragraph (b)(2)(i) or (ii) of this section, as applicable, the
covered entity may extend the time for such actions by no more than 30
days, provided that:
(A) The covered entity, within the time limit set by paragraph
(b)(2)(i) or (ii) of this section, as applicable, provides the
individual with a written statement of the reasons for the delay and
the date by which the covered entity will complete its action on the
request; and
(B) The covered entity may have only one such extension of time for
action on a request for access.
(c) Implementation specifications: Provision of access. If the
covered entity provides an individual with access, in whole or in part,
to protected health information, the covered entity must comply with
the following requirements.
(1) Providing the access requested. The covered entity must provide
the access requested by individuals, including inspection or obtaining
a copy, or both, of the protected health information about them in
designated record sets. If the same protected health information that
is the subject of a request for access is maintained in more than one
designated record set or at more than one location, the covered entity
need only produce the protected health information once in response to
a request for access.
(2) Form of access requested. (i) The covered entity must provide
the individual with access to the protected health information in the
form or format requested by the individual, if it is readily producible
in such form or format; or, if not, in a readable hard copy form or
such other form or format as agreed to by the covered entity and the
individual.
(ii) The covered entity may provide the individual with a summary
of the protected health information requested, in lieu of providing
access to the protected health information or may provide an
explanation of the protected health information to which access has
been provided, if:
(A) The individual agrees in advance to such a summary or
explanation; and
(B) The individual agrees in advance to the fees imposed, if any,
by the covered entity for such summary or explanation.
(3) Time and manner of access. The covered entity must provide the
access as requested by the individual in a timely manner as required by
paragraph (b)(2) of this section, including arranging with the
individual for a convenient time and place to inspect or obtain a copy
of the protected health information, or mailing the copy of the
protected health information at the individual's request. The covered
entity may discuss the scope, format, and other aspects of the request
for access with the individual as necessary to facilitate the timely
provision of access.
(4) Fees. If the individual requests a copy of the protected health
information or agrees to a summary or explanation of such information,
the covered entity may impose a reasonable, cost-based fee, provided
that the fee includes only the cost of:
(i) Copying, including the cost of supplies for and labor of
copying, the protected health information requested by the individual;
(ii) Postage, when the individual has requested the copy, or the
summary or explanation, be mailed; and
(iii) Preparing an explanation or summary of the protected health
information, if agreed to by the individual as required by paragraph
(c)(2)(ii) of this section.
(d) Implementation specifications: Denial of access. If the covered
entity denies access, in whole or in part, to protected health
information, the covered entity must comply with the following
requirements.
(1) Making other information accessible. The covered entity must,
to the extent possible, give the individual access to any other
protected health information requested, after excluding the protected
health information as to which the covered entity has a ground to deny
access.
(2) Denial. The covered entity must provide a timely, written
denial to the individual, in accordance with paragraph (b)(2) of this
section. The denial must be in plain language and contain:
(i) The basis for the denial;
(ii) If applicable, a statement of the individual's review rights
under paragraph (a)(4) of this section, including a description of how
the individual may exercise such review rights; and
(iii) A description of how the individual may complain to the
covered entity pursuant to the complaint procedures in Sec. 164.530(d)
or to the Secretary pursuant to the procedures in Sec. 160.306. The
description must include the name, or title, and telephone number of
the contact person or office designated in Sec. 164.530(a)(1)(ii).
(3) Other responsibility. If the covered entity does not maintain
the protected health information that is the subject of the
individual's request for access, and the covered entity knows where the
requested information is maintained, the covered entity must inform the
individual where to direct the request for access.
(4) Review of denial requested. If the individual has requested a
review of a denial under paragraph (a)(4) of this section, the covered
entity must designate a licensed health care professional, who was not
directly involved in the denial to review the decision to deny access.
The covered entity must promptly refer a request for review to such
designated reviewing official. The designated reviewing official must
determine, within a reasonable period of time, whether or not to deny
the access requested based on the standards in paragraph (a)(3) of this
section. The covered entity must promptly provide written notice to the
individual of the determination of the designated reviewing official
and take other action as required by this section to carry out the
designated reviewing official's determination.
(e) Implementation specification: Documentation. A covered entity
must document the following and retain the documentation as required by
Sec. 164.530(j):
(1) The designated record sets that are subject to access by
individuals; and
(2) The titles of the persons or offices responsible for receiving
and processing requests for access by individuals.
Sec. 164.526 Amendment of protected health information.
(a) Standard: Right to amend. (1) Right to amend. An individual has
the right to have a covered entity amend protected health information
or a record about the individual in a designated record set for as long
as the protected health information is maintained in the designated
record set.
(2) Denial of amendment. A covered entity may deny an individual's
request for amendment, if it determines that the protected health
information or record that is the subject of the request:
(i) Was not created by the covered entity, unless the individual
provides a reasonable basis to believe that the
[[Page 82825]]
originator of protected health information is no longer available to
act on the requested amendment;
(ii) Is not part of the designated record set;
(iii) Would not be available for inspection under Sec. 164.524; or
(iv) Is accurate and complete.
(b) Implementation specifications: requests for amendment and
timely action. (1) Individual's request for amendment. The covered
entity must permit an individual to request that the covered entity
amend the protected health information maintained in the designated
record set. The covered entity may require individuals to make requests
for amendment in writing and to provide a reason to support a requested
amendment, provided that it informs individuals in advance of such
requirements.
(2) Timely action by the covered entity. (i) The covered entity
must act on the individual's request for an amendment no later than 60
days after receipt of such a request, as follows.
(A) If the covered entity grants the requested amendment, in whole
or in part, it must take the actions required by paragraphs (c)(1) and
(2) of this section.
(B) If the covered entity denies the requested amendment, in whole
or in part, it must provide the individual with a written denial, in
accordance with paragraph (d)(1) of this section.
(ii) If the covered entity is unable to act on the amendment within
the time required by paragraph (b)(2)(i) of this section, the covered
entity may extend the time for such action by no more than 30 days,
provided that:
(A) The covered entity, within the time limit set by paragraph
(b)(2)(i) of this section, provides the individual with a written
statement of the reasons for the delay and the date by which the
covered entity will complete its action on the request; and
(B) The covered entity may have only one such extension of time for
action on a request for an amendment.
(c) Implementation specifications: Accepting the amendment. If the
covered entity accepts the requested amendment, in whole or in part,
the covered entity must comply with the following requirements.
(1) Making the amendment. The covered entity must make the
appropriate amendment to the protected health information or record
that is the subject of the request for amendment by, at a minimum,
identifying the records in the designated record set that are affected
by the amendment and appending or otherwise providing a link to the
location of the amendment.
(2) Informing the individual. In accordance with paragraph (b) of
this section, the covered entity must timely inform the individual that
the amendment is accepted and obtain the individual's identification of
and agreement to have the covered entity notify the relevant persons
with which the amendment needs to be shared in accordance with
paragraph (c)(3) of this section.
(3) Informing others. The covered entity must make reasonable
efforts to inform and provide the amendment within a reasonable time
to:
(i) Persons identified by the individual as having received
protected health information about the individual and needing the
amendment; and
(ii) Persons, including business associates, that the covered
entity knows have the protected health information that is the subject
of the amendment and that may have relied, or could foreseeably rely,
on such information to the detriment of the individual.
(d) Implementation specifications: Denying the amendment. If the
covered entity denies the requested amendment, in whole or in part, the
covered entity must comply with the following requirements.
(1) Denial. The covered entity must provide the individual with a
timely, written denial, in accordance with paragraph (b)(2) of this
section. The denial must use plain language and contain:
(i) The basis for the denial, in accordance with paragraph (a)(2)
of this section;
(ii) The individual's right to submit a written statement
disagreeing with the denial and how the individual may file such a
statement;
(iii) A statement that, if the individual does not submit a
statement of disagreement, the individual may request that the covered
entity provide the individual's request for amendment and the denial
with any future disclosures of the protected health information that is
the subject of the amendment; and
(iv) A description of how the individual may complain to the
covered entity pursuant to the complaint procedures established in
Sec. 164.530(d) or to the Secretary pursuant to the procedures
established in Sec. 160.306. The description must include the name, or
title, and telephone number of the contact person or office designated
in Sec. 164.530(a)(1)(ii).
(2) Statement of disagreement. The covered entity must permit the
individual to submit to the covered entity a written statement
disagreeing with the denial of all or part of a requested amendment and
the basis of such disagreement. The covered entity may reasonably limit
the length of a statement of disagreement.
(3) Rebuttal statement. The covered entity may prepare a written
rebuttal to the individual's statement of disagreement. Whenever such a
rebuttal is prepared, the covered entity must provide a copy to the
individual who submitted the statement of disagreement.
(4) Recordkeeping. The covered entity must, as appropriate,
identify the record or protected health information in the designated
record set that is the subject of the disputed amendment and append or
otherwise link the individual's request for an amendment, the covered
entity's denial of the request, the individual's statement of
disagreement, if any, and the covered entity's rebuttal, if any, to the
designated record set.
(5) Future disclosures. (i) If a statement of disagreement has been
submitted by the individual, the covered entity must include the
material appended in accordance with paragraph (d)(4) of this section,
or, at the election of the covered entity, an accurate summary of any
such information, with any subsequent disclosure of the protected
health information to which the disagreement relates.
(ii) If the individual has not submitted a written statement of
disagreement, the covered entity must include the individual's request
for amendment and its denial, or an accurate summary of such
information, with any subsequent disclosure of the protected health
information only if the individual has requested such action in
accordance with paragraph (d)(1)(iii) of this section.
(iii) When a subsequent disclosure described in paragraph (d)(5)(i)
or (ii) of this section is made using a standard transaction under part
162 of this subchapter that does not permit the additional material to
be included with the disclosure, the covered entity may separately
transmit the material required by paragraph (d)(5)(i) or (ii) of this
section, as applicable, to the recipient of the standard transaction.
(e) Implementation specification: Actions on notices of amendment.
A covered entity that is informed by another covered entity of an
amendment to an individual's protected health information, in
accordance with paragraph (c)(3) of this section, must amend the
protected health information in designated record sets as provided by
paragraph (c)(1) of this section.
(f) Implementation specification: Documentation. A covered entity
must document the titles of the persons or
[[Page 82826]]
offices responsible for receiving and processing requests for
amendments by individuals and retain the documentation as required by
Sec. 164.530(j).
Sec. 164.528 Accounting of disclosures of protected health
information.
(a) Standard: Right to an accounting of disclosures of protected
health information. (1) An individual has a right to receive an
accounting of disclosures of protected health information made by a
covered entity in the six years prior to the date on which the
accounting is requested, except for disclosures:
(i) To carry out treatment, payment and health care operations as
provided in Sec. 164.502;
(ii) To individuals of protected health information about them as
provided in Sec. 164.502;
(iii) For the facility's directory or to persons involved in the
individual's care or other notification purposes as provided in
Sec. 164.510;
(iv) For national security or intelligence purposes as provided in
Sec. 164.512(k)(2);
(v) To correctional institutions or law enforcement officials as
provided in Sec. 164.512(k)(5); or
(vi) That occurred prior to the compliance date for the covered
entity.
(2)(i) The covered entity must temporarily suspend an individual's
right to receive an accounting of disclosures to a health oversight
agency or law enforcement official, as provided in Sec. 164.512(d) or
(f), respectively, for the time specified by such agency or official,
if such agency or official provides the covered entity with a written
statement that such an accounting to the individual would be reasonably
likely to impede the agency's activities and specifying the time for
which such a suspension is required.
(ii) If the agency or official statement in paragraph (a)(2)(i) of
this section is made orally, the covered entity must:
(A) Document the statement, including the identity of the agency or
official making the statement;
(B) Temporarily suspend the individual's right to an accounting of
disclosures subject to the statement; and
(C) Limit the temporary suspension to no longer than 30 days from
the date of the oral statement, unless a written statement pursuant to
paragraph (a)(2)(i) of this section is submitted during that time.
(3) An individual may request an accounting of disclosures for a
period of time less than six years from the date of the request.
(b) Implementation specifications: Content of the accounting. The
covered entity must provide the individual with a written accounting
that meets the following requirements.
(1) Except as otherwise provided by paragraph (a) of this section,
the accounting must include disclosures of protected health information
that occurred during the six years (or such shorter time period at the
request of the individual as provided in paragraph (a)(3) of this
section) prior to the date of the request for an accounting, including
disclosures to or by business associates of the covered entity.
(2) The accounting must include for each disclosure:
(i) The date of the disclosure;
(ii) The name of the entity or person who received the protected
health information and, if known, the address of such entity or person;
(iii) A brief description of the protected health information
disclosed; and
(iv) A brief statement of the purpose of the disclosure that
reasonably informs the individual of the basis for the disclosure; or,
in lieu of such statement:
(A) A copy of the individual's written authorization pursuant to
Sec. 164.508; or
(B) A copy of a written request for a disclosure under
Secs. 164.502(a)(2)(ii) or 164.512, if any.
(3) If, during the period covered by the accounting, the covered
entity has made multiple disclosures of protected health information to
the same person or entity for a single purpose under
Secs. 164.502(a)(2)(ii) or 164.512, or pursuant to a single
authorization under Sec. 164.508, the accounting may, with respect to
such multiple disclosures, provide:
(i) The information required by paragraph (b)(2) of this section
for the first disclosure during the accounting period;
(ii) The frequency, periodicity, or number of the disclosures made
during the accounting period; and
(iii) The date of the last such disclosure during the accounting
period.
(c) Implementation specifications: Provision of the accounting. (1)
The covered entity must act on the individual's request for an
accounting, no later than 60 days after receipt of such a request, as
follows.
(i) The covered entity must provide the individual with the
accounting requested; or
(ii) If the covered entity is unable to provide the accounting
within the time required by paragraph (c)(1) of this section, the
covered entity may extend the time to provide the accounting by no more
than 30 days, provided that:
(A) The covered entity, within the time limit set by paragraph
(c)(1) of this section, provides the individual with a written
statement of the reasons for the delay and the date by which the
covered entity will provide the accounting; and
(B) The covered entity may have only one such extension of time for
action on a request for an accounting.
(2) The covered entity must provide the first accounting to an
individual in any 12 month period without charge. The covered entity
may impose a reasonable, cost-based fee for each subsequent request for
an accounting by the same individual within the 12 month period,
provided that the covered entity informs the individual in advance of
the fee and provides the individual with an opportunity to withdraw or
modify the request for a subsequent accounting in order to avoid or
reduce the fee.
(d) Implementation specification: Documentation. A covered entity
must document the following and retain the documentation as required by
Sec. 164.530(j):
(1) The information required to be included in an accounting under
paragraph (b) of this section for disclosures of protected health
information that are subject to an accounting under paragraph (a) of
this section;
(2) The written accounting that is provided to the individual under
this section; and
(3) The titles of the persons or offices responsible for receiving
and processing requests for an accounting by individuals.
Sec. 164.530 Administrative requirements.
(a)(1) Standard: Personnel designations. (i) A covered entity must
designate a privacy official who is responsible for the development and
implementation of the policies and procedures of the entity.
(ii) A covered entity must designate a contact person or office who
is responsible for receiving complaints under this section and who is
able to provide further information about matters covered by the notice
required by Sec. 164.520.
(2) Implementation specification: Personnel designations. A covered
entity must document the personnel designations in paragraph (a)(1) of
this section as required by paragraph (j) of this section.
(b)(1) Standard: Training. A covered entity must train all members
of its workforce on the policies and procedures with respect to
protected health information required by this subpart, as necessary and
appropriate for the members of the workforce to
[[Page 82827]]
carry out their function within the covered entity.
(2) Implementation specifications: Training. (i) A covered entity
must provide training that meets the requirements of paragraph (b)(1)
of this section, as follows:
(A) To each member of the covered entity's workforce by no later
than the compliance date for the covered entity;
(B) Thereafter, to each new member of the workforce within a
reasonable period of time after the person joins the covered entity's
workforce; and
(C) To each member of the covered entity's workforce whose
functions are affected by a material change in the policies or
procedures required by this subpart, within a reasonable period of time
after the material change becomes effective in accordance with
paragraph (i) of this section.
(ii) A covered entity must document that the training as described
in paragraph (b)(2)(i) of this section has been provided, as required
by paragraph (j) of this section.
(c)(1) Standard: Safeguards. A covered entity must have in place
appropriate administrative, technical, and physical safeguards to
protect the privacy of protected health information.
(2) Implementation specification: Safeguards. A covered entity must
reasonably safeguard protected health information from any intentional
or unintentional use or disclosure that is in violation of the
standards, implementation specifications or other requirements of this
subpart.
(d)(1) Standard: Complaints to the covered entity. A covered entity
must provide a process for individuals to make complaints concerning
the covered entity's policies and procedures required by this subpart
or its compliance with such policies and procedures or the requirements
of this subpart.
(2) Implementation specification: Documentation of complaints. As
required by paragraph (j) of this section, a covered entity must
document all complaints received, and their disposition, if any.
(e)(1) Standard: Sanctions. A covered entity must have and apply
appropriate sanctions against members of its workforce who fail to
comply with the privacy policies and procedures of the covered entity
or the requirements of this subpart. This standard does not apply to a
member of the covered entity's workforce with respect to actions that
are covered by and that meet the conditions of Sec. 164.502(j) or
paragraph (g)(2) of this section.
(2) Implementation specification: Documentation. As required by
paragraph (j) of this section, a covered entity must document the
sanctions that are applied, if any.
(f) Standard: Mitigation. A covered entity must mitigate, to the
extent practicable, any harmful effect that is known to the covered
entity of a use or disclosure of protected health information in
violation of its policies and procedures or the requirements of this
subpart by the covered entity or its business associate.
(g) Standard: Refraining from intimidating or retaliatory acts. A
covered entity may not intimidate, threaten, coerce, discriminate
against, or take other retaliatory action against:
(1) Individuals. Any individual for the exercise by the individual
of any right under, or for participation by the individual in any
process established by this subpart, including the filing of a
complaint under this section;
(2) Individuals and others. Any individual or other person for:
(i) Filing of a complaint with the Secretary under subpart C of
part 160 of this subchapter;
(ii) Testifying, assisting, or participating in an investigation,
compliance review, proceeding, or hearing under Part C of Title XI; or
(iii) Opposing any act or practice made unlawful by this subpart,
provided the individual or person has a good faith belief that the
practice opposed is unlawful, and the manner of the opposition is
reasonable and does not involve a disclosure of protected health
information in violation of this subpart.
(h) Standard: Waiver of rights. A covered entity may not require
individuals to waive their rights under Sec. 160.306 of this subchapter
or this subpart as a condition of the provision of treatment, payment,
enrollment in a health plan, or eligibility for benefits.
(i)(1) Standard: Policies and procedures. A covered entity must
implement policies and procedures with respect to protected health
information that are designed to comply with the standards,
implementation specifications, or other requirements of this subpart.
The policies and procedures must be reasonably designed, taking into
account the size of and the type of activities that relate to protected
health information undertaken by the covered entity, to ensure such
compliance. This standard is not to be construed to permit or excuse an
action that violates any other standard, implementation specification,
or other requirement of this subpart.
(2) Standard: Changes to policies or procedures. (i) A covered
entity must change its policies and procedures as necessary and
appropriate to comply with changes in the law, including the standards,
requirements, and implementation specifications of this subpart;
(ii) When a covered entity changes a privacy practice that is
stated in the notice described in Sec. 164.520, and makes corresponding
changes to its policies and procedures, it may make the changes
effective for protected health information that it created or received
prior to the effective date of the notice revision, if the covered
entity has, in accordance with Sec. 164.520(b)(1)(v)(C), included in
the notice a statement reserving its right to make such a change in its
privacy practices; or
(iii) A covered entity may make any other changes to policies and
procedures at any time, provided that the changes are documented and
implemented in accordance with paragraph (i)(5) of this section.
(3) Implementation specification: Changes in law. Whenever there is
a change in law that necessitates a change to the covered entity's
policies or procedures, the covered entity must promptly document and
implement the revised policy or procedure. If the change in law
materially affects the content of the notice required by Sec. 164.520,
the covered entity must promptly make the appropriate revisions to the
notice in accordance with Sec. 164.520(b)(3). Nothing in this paragraph
may be used by a covered entity to excuse a failure to comply with the
law.
(4) Implementation specifications: Changes to privacy practices
stated in the notice. (i) To implement a change as provided by
paragraph (i)(2)(ii) of this section, a covered entity must:
(A) Ensure that the policy or procedure, as revised to reflect a
change in the covered entity's privacy practice as stated in its
notice, complies with the standards, requirements, and implementation
specifications of this subpart;
(B) Document the policy or procedure, as revised, as required by
paragraph (j) of this section; and
(C) Revise the notice as required by Sec. 164.520(b)(3) to state
the changed practice and make the revised notice available as required
by Sec. 164.520(c). The covered entity may not implement a change to a
policy or procedure prior to the effective date of the revised notice.
(ii) If a covered entity has not reserved its right under
Sec. 164.520(b)(1)(v)(C) to change a privacy practice that is stated in
the notice, the covered entity is bound by the privacy practices as
stated
[[Page 82828]]
in the notice with respect to protected health information created or
received while such notice is in effect. A covered entity may change a
privacy practice that is stated in the notice, and the related policies
and procedures, without having reserved the right to do so, provided
that:
(A) Such change meets the implementation the requirements in
paragraphs (i)(4)(i)(A)-(C) of this section; and
(B) Such change is effective only with respect to protected health
information created or received after the effective date of the notice.
(5) Implementation specification: Changes to other policies or
procedures. A covered entity may change, at any time, a policy or
procedure that does not materially affect the content of the notice
required by Sec. 164.520, provided that:
(i) The policy or procedure, as revised, complies with the
standards, requirements, and implementation specifications of this
subpart; and
(ii) Prior to the effective date of the change, the policy or
procedure, as revised, is documented as required by paragraph (j) of
this section.
(j)(1) Standard: Documentation. A covered entity must:
(i) Maintain the policies and procedures provided for in paragraph
(i) of this section in written or electronic form;
(ii) If a communication is required by this subpart to be in
writing, maintain such writing, or an electronic copy, as
documentation; and
(iii) If an action, activity, or designation is required by this
subpart to be documented, maintain a written or electronic record of
such action, activity, or designation.
(2) Implementation specification: Retention period. A covered
entity must retain the documentation required by paragraph (j)(1) of
this section for six years from the date of its creation or the date
when it last was in effect, whichever is later.
(k) Standard: Group health plans. (1) A group health plan is not
subject to the standards or implementation specifications in paragraphs
(a) through (f) and (i) of this section, to the extent that:
(i) The group health plan provides health benefits solely through
an insurance contract with a health insurance issuer or an HMO; and
(ii) The group health plan does not create or receive protected
health information, except for:
(A) Summary health information as defined in Sec. 164.504(a); or
(B) Information on whether the individual is participating in the
group health plan, or is enrolled in or has disenrolled from a health
insurance issuer or HMO offered by the plan.
(2) A group health plan described in paragraph (k)(1) of this
section is subject to the standard and implementation specification in
paragraph (j) of this section only with respect to plan documents
amended in accordance with Sec. 164.504(f).
Sec. 164.532 Transition provisions.
(a) Standard: Effect of prior consents and authorizations.
Notwithstanding other sections of this subpart, a covered entity may
continue to use or disclose protected health information pursuant to a
consent, authorization, or other express legal permission obtained from
an individual permitting the use or disclosure of protected health
information that does not comply with Secs. 164.506 or 164.508 of this
subpart consistent with paragraph (b) of this section.
(b) Implementation specification: Requirements for retaining
effectiveness of prior consents and authorizations. Notwithstanding
other sections of this subpart, the following provisions apply to use
or disclosure by a covered entity of protected health information
pursuant to a consent, authorization, or other express legal permission
obtained from an individual permitting the use or disclosure of
protected health information, if the consent, authorization, or other
express legal permission was obtained from an individual before the
applicable compliance date of this subpart and does not comply with
Secs. 164.506 or 164.508 of this subpart.
(1) If the consent, authorization, or other express legal
permission obtained from an individual permits a use or disclosure for
purposes of carrying out treatment, payment, or health care operations,
the covered entity may, with respect to protected health information
that it created or received before the applicable compliance date of
this subpart and to which the consent, authorization, or other express
legal permission obtained from an individual applies, use or disclose
such information for purposes of carrying out treatment, payment, or
health care operations, provided that:
(i) The covered entity does not make any use or disclosure that is
expressly excluded from the a consent, authorization, or other express
legal permission obtained from an individual; and
(ii) The covered entity complies with all limitations placed by the
consent, authorization, or other express legal permission obtained from
an individual.
(2) If the consent, authorization, or other express legal
permission obtained from an individual specifically permits a use or
disclosure for a purpose other than to carry out treatment, payment, or
health care operations, the covered entity may, with respect to
protected health information that it created or received before the
applicable compliance date of this subpart and to which the consent,
authorization, or other express legal permission obtained from an
individual applies, make such use or disclosure, provided that:
(i) The covered entity does not make any use or disclosure that is
expressly excluded from the consent, authorization, or other express
legal permission obtained from an individual; and
(ii) The covered entity complies with all limitations placed by the
consent, authorization, or other express legal permission obtained from
an individual.
(3) In the case of a consent, authorization, or other express legal
permission obtained from an individual that identifies a specific
research project that includes treatment of individuals:
(i) If the consent, authorization, or other express legal
permission obtained from an individual specifically permits a use or
disclosure for purposes of the project, the covered entity may, with
respect to protected health information that it created or received
either before or after the applicable compliance date of this subpart
and to which the consent or authorization applies, make such use or
disclosure for purposes of that project, provided that the covered
entity complies with all limitations placed by the consent,
authorization, or other express legal permission obtained from an
individual.
(ii) If the consent, authorization, or other express legal
permission obtained from an individual is a general consent to
participate in the project, and a covered entity is conducting or
participating in the research, such covered entity may, with respect to
protected health information that it created or received as part of the
project before or after the applicable compliance date of this subpart,
make a use or disclosure for purposes of that project, provided that
the covered entity complies with all limitations placed by the consent,
authorization, or other express legal permission obtained from an
individual.
(4) If, after the applicable compliance date of this subpart, a
covered entity agrees to a restriction requested by an individual under
Sec. 164.522(a), a subsequent use or disclosure of
[[Page 82829]]
protected health information that is subject to the restriction based
on a consent, authorization, or other express legal permission obtained
from an individual as given effect by paragraph (b) of this section,
must comply with such restriction.
Sec. 164.534 Compliance dates for initial implementation of the
privacy standards.
(a) Health care providers. A covered health care provider must
comply with the applicable requirements of this subpart no later than
February 26, 2003.
(b) Health plans. A health plan must comply with the applicable
requirements of this subpart no later than the following date, as
applicable:
(1) Health plans other than small health plans--February 26, 2003.
(2) Small health plans--February 26, 2004.
(c) Health care clearinghouses. A health care clearinghouse must
comply with the applicable requirements of this subpart no later than
February 26, 2003.
[FR Doc. 00-32678 Filed 12-20-00; 11:21 am]
BILLING CODE 4150-04-P