[Federal Register Volume 66, Number 38 (Monday, February 26, 2001)]
[Rules and Regulations]
[Page 12434]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 01-4810]




-----------------------------------------------------------------------

Part IV





Department of Health and Human Services





-----------------------------------------------------------------------



Office of the Secretary



-----------------------------------------------------------------------



45 CFR Parts 160 and 164



Standards for Privacy of Individually Identifiable Health Information; 
Final Rule



-----------------------------------------------------------------------


RIN 0991-AB08



AGENCY: Office for Civil Rights, HHS.

ACTION: Final rule; correction of effective and compliance dates.

-----------------------------------------------------------------------

SUMMARY: This action corrects the effective date of the final rules 
adopting standards for privacy of individually identifiable health 
information published on December 28, 2000, in the Federal Register (65 
FR 82462), resulting in a new effective date of April 14, 2001. The 
change in the effective date delays, by operation of law, the 
compliance dates published in the final rules. The compliance dates in 
the final rules are revised accordingly.

DATES: 1. The effective date of the Standards for Privacy of 
Individually Identifiable Health Information published in the Federal 
Register on December 28, 2000, at 65 FR 82462 as amended by this final 
rule is April 14, 2001.
    2. The revision to 45 CFR 164.534 is effective April 14, 2001.

FOR FURTHER INFORMATION CONTACT: Kimberly Coleman, 1-866-OCR-PRIV 
(1-866-627-7748) or TTY 1-866-788-4989.

SUPPLEMENTARY INFORMATION: On December 28, 2000, we published in the 
Federal Register final rules adopting standards for the privacy of 
individually identifiable health information (Privacy Rule). The 
Privacy Rule is the second in a series of rules mandated by sections 
261-264 of the Health Insurance Portability and Accountability Act of 
1996 (HIPAA), Public Law 104-191. In general, the Privacy Rule 
establishes in 45 CFR Part 160 a set of definitions applicable to the 
entire set of HIPAA rules, requirements for requesting that a state law 
be excepted from preemption by the statute, and compliance and 
enforcement requirements. The Privacy Rule also establishes a new 
Subpart E of Part 164. Subpart E establishes standards which entities 
covered by the statute--health plans, health care clearinghouses, and 
certain health care providers--are required to comply with to protect 
the privacy of certain individually identifiable health information 
("protected health information"). The standards establish 
requirements relating to the uses and disclosures of protected health 
information, the rights of individuals with respect to their protected 
health information, and the procedures for exercising those rights.
    We have determined that the report to the Congress required by 5 
U.S.C. 801(a)(1) was not received, as previously thought, concurrent 
with the transmission of the Rule to the Federal Register. The required 
report was received by the Congress on February 13, 2001. Under 5 
U.S.C. 801(a)(3)(A), the effective date of a major rule is, as 
pertinent here, "the later of the date occurring 60 days after the 
date on which * * * the Congress receives the [required] report * * *, 
or * * * the rule is published in the Federal Register * * *". Thus, 
the published effective date, which was 60 days following the date of 
publication of the Rule in the Federal Register, is erroneous; rather, 
under 5 U.S.C. 801(a)(3)(A), the actual effective date of the Privacy 
Rule is 60 days after the receipt by the Congress of the final rule, or 
April 14. This final rule corrects the previously published effective 
date of the Privacy Rule accordingly.
    Because the correction of the effective date is required by law, we 
find good cause under 5 U.S.C. 553(b)(3)(B) and 553(d)(3) to waive 
public comment thereon and to make the correction effective immediately 
upon publication today in the Federal Register.
    Under section 1175 of the Social Security Act, 42 U.S.C. 1320d-4, 
enacted by section 262 of HIPAA, most covered entities have two years 
following initial adoption of a HIPAA standard to come into compliance 
with the standard; small health plans have three years. Since a HIPAA 
standard is adopted when the rule adopting it becomes effective, the 
change in effective date, by operation of law, has the effect of moving 
the statutory compliance dates forward by a commensurate period. As the 
compliance dates are part of the text of the Privacy Rule (45 CFR 
164.534), they are being amended to reflect the change in the effective 
date.
    This amendment is technical in nature and is required by statute, 
in light of the change of the effective date of the Privacy Rule. 
Consequently, we find that good cause under 5 U.S.C. 553(b)(3)(B) 
exists for waiving prior public comment on the revision to 
Sec. 164.534.

List of Subjects

45 CFR Part 160

    Electronic transactions, Employer benefit plan, Health, Health 
care, Health facilities, Health insurance, Health records, Medicaid, 
Medical research, Medicare, Privacy, Reporting and record keeping 
requirements.

45 CFR Part 164

    Electronic transactions, Employer benefit plan, Health, Health 
care, Health facilities, Health insurance, Health records, Medicaid, 
Medical research, Medicare, Privacy, Reporting and record keeping 
requirements.

    Dated: February 22, 2001.
Tommy G. Thompson,
Secretary.

    For the reasons set forth in the preamble, Sec. 164.534 of title 
45, Code of Federal Regulations, is amended as follows:
    1. The authority citation for Subpart E of 45 Code of Federal 
Regulations Part 164 is revised to read as follows:

    Authority: 42 U.S.C. 1320d-2 and 1320d-4, sec. 264 of Pub. L. 
104-191, 110 Stat. 2033-2034 (42 U.S.C. 1320d-2(note)).


    2. Section 164.534 of Subpart E of 45 Code of Federal Regulations 
Part 164 is revised to read as follows:


Sec. 164.534  Compliance dates for initial implementation of the 
privacy standards.

    (a) Health care providers. A covered health care provider must 
comply with the applicable requirements of this subpart no later than 
April 14, 2003.
    (b) Health plans. A health plan must comply with the applicable 
requirements of this subpart no later than the following as applicable:
    (1) Health plans other than small health plans. April 14, 2003.
    (2) Small health plans. April 14, 2004.
    (c) Health clearinghouses. A health care clearinghouse must comply 
with the applicable requirements of this subpart no later than April 
14, 2003.

[FR Doc. 01-4810 Filed 2-23-01; 1:00 pm]