[Federal Register Volume 67, Number 157 (Wednesday, August 14, 2002)]
[Rules and Regulations]
[Pages 53182-53273]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 02-20554]



[[Page 53181]]

-----------------------------------------------------------------------

Part V





Department of Health and Human Services





-----------------------------------------------------------------------



Office of the Secretary



-----------------------------------------------------------------------



45 CFR Parts 160 and 164



Standards for Privacy of Individually Identifiable Health Information; 
Final Rule

  Federal Register / Vol. 67, No. 157 / Wednesday, August 14, 2002 / 
Rules and Regulations  

[[Page 53182]]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Office of the Secretary

45 CFR Parts 160 and 164

RIN 0991-AB14


Standards for Privacy of Individually Identifiable Health 
Information

AGENCY: Office for Civil Rights, HHS.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The Department of Health and Human Services (``HHS'' or 
``Department'') modifies certain standards in the Rule entitled 
``Standards for Privacy of Individually Identifiable Health 
Information'' (``Privacy Rule''). The Privacy Rule implements the 
privacy requirements of the Administrative Simplification subtitle of 
the Health Insurance Portability and Accountability Act of 1996.
    The purpose of these modifications is to maintain strong 
protections for the privacy of individually identifiable health 
information while clarifying certain of the Privacy Rule's provisions, 
addressing the unintended negative effects of the Privacy Rule on 
health care quality or access to health care, and relieving unintended 
administrative burdens created by the Privacy Rule.

DATES: This final rule is effective on October 15, 2002.

FOR FURTHER INFORMATION CONTACT: Felicia Farmer, 1-866-OCR-PRIV (1-866-
627-7748) or TTY 1-866-788-4989.

SUPPLEMENTARY INFORMATION: Availability of copies, and electronic 
access.
    Copies: To order copies of the Federal Register containing this 
document, send your request to: New Orders, Superintendent of 
Documents, P.O. Box 371954, Pittsburgh, PA 15250-7954. Specify the date 
of the issue requested and enclose a check or money order payable to 
the Superintendent of Documents, or enclose your Visa or Master Card 
number and expiration date. Credit card orders can also be placed by 
calling the order desk at (202) 512-1800 (or toll-free at 1-866-512-
1800) or by fax to (202) 512-2250. The cost for each copy is $10.00. 
Alternatively, you may view and photocopy the Federal Register document 
at most libraries designated as Federal Depository Libraries and at 
many other public and academic libraries throughout the country that 
receive the Federal Register.
    Electronic Access: This document is available electronically at the 
HHS Office for Civil Rights (OCR) Privacy Web site at http://www.hhs.gov/ocr/hipaa/, as well as at the web site of the Government 
Printing Office at http://www.access.gpo.gov/su_docs/aces/aces140.html.

I. Background

A. Statutory Background

    Congress recognized the importance of protecting the privacy of 
health information given the rapid evolution of health information 
systems in the Health Insurance Portability and Accountability Act of 
1996 (HIPAA), Public Law 104-191, which became law on August 21, 1996. 
HIPAA's Administrative Simplification provisions, sections 261 through 
264 of the statute, were designed to improve the efficiency and 
effectiveness of the health care system by facilitating the electronic 
exchange of information with respect to certain financial and 
administrative transactions carried out by health plans, health care 
clearinghouses, and health care providers who transmit information 
electronically in connection with such transactions. To implement these 
provisions, the statute directed HHS to adopt a suite of uniform, 
national standards for transactions, unique health identifiers, code 
sets for the data elements of the transactions, security of health 
information, and electronic signature.
    At the same time, Congress recognized the challenges to the 
confidentiality of health information presented by the increasing 
complexity of the health care industry, and by advances in the health 
information systems technology and communications. Thus, the 
Administrative Simplification provisions of HIPAA authorized the 
Secretary to promulgate standards for the privacy of individually 
identifiable health information if Congress did not enact health care 
privacy legislation by August 21, 1999. HIPAA also required the 
Secretary of HHS to provide Congress with recommendations for 
legislating to protect the confidentiality of health care information. 
The Secretary submitted such recommendations to Congress on September 
11, 1997, but Congress did not pass such legislation within its self-
imposed deadline.
    With respect to these regulations, HIPAA provided that the 
standards, implementation specifications, and requirements established 
by the Secretary not supersede any contrary State law that imposes more 
stringent privacy protections. Additionally, Congress required that HHS 
consult with the National Committee on Vital and Health Statistics, a 
Federal advisory committee established pursuant to section 306(k) of 
the Public Health Service Act (42 U.S.C. 242k(k)), and the Attorney 
General in the development of HIPAA privacy standards.
    After a set of HIPAA Administrative Simplification standards is 
adopted by the Department, HIPAA provides HHS with authority to modify 
the standards as deemed appropriate, but not more frequently than once 
every 12 months. However, modifications are permitted during the first 
year after adoption of the standards if the changes are necessary to 
permit compliance with the standards. HIPAA also provides that 
compliance with modifications to standards or implementation 
specifications must be accomplished by a date designated by the 
Secretary, which may not be earlier than 180 days after the adoption of 
the modification.

B. Regulatory and Other Actions to Date

    HHS published a proposed Rule setting forth privacy standards for 
individually identifiable health information on November 3, 1999 (64 FR 
59918). The Department received more than 52,000 public comments in 
response to the proposal. After reviewing and considering the public 
comments, HHS issued a final Rule (65 FR 82462) on December 28, 2000, 
establishing ``Standards for Privacy of Individually Identifiable 
Health Information'' (``Privacy Rule'').
    In an era where consumers are increasingly concerned about the 
privacy of their personal information, the Privacy Rule creates, for 
the first time, a floor of national protections for the privacy of 
their most sensitive information--health information. Congress has 
passed other laws to protect consumers' personal information contained 
in bank, credit card, other financial records, and even video rentals. 
These health privacy protections are intended to provide consumers with 
similar assurances that their health information, including genetic 
information, will be properly protected. Under the Privacy Rule, health 
plans, health care clearinghouses, and certain health care providers 
must guard against misuse of individuals' identifiable health 
information and limit the sharing of such information, and consumers 
are afforded significant new rights to enable them to understand and 
control how their health information is used and disclosed.
    After publication of the Privacy Rule, HHS received many inquiries 
and unsolicited comments through

[[Page 53183]]

telephone calls, e-mails, letters, and other contacts about the impact 
and operation of the Privacy Rule on numerous sectors of the health 
care industry. Many of these commenters exhibited substantial confusion 
and misunderstanding about how the Privacy Rule will operate; others 
expressed great concern over the complexity of the Privacy Rule. In 
response to these communications and to ensure that the provisions of 
the Privacy Rule would protect patients' privacy without creating 
unanticipated consequences that might harm patients' access to health 
care or quality of health care, the Secretary of HHS opened the Privacy 
Rule for additional public comment in March 2001 (66 FR 12738).
    After an expedited review of the comments by the Department, the 
Secretary decided that it was appropriate for the Privacy Rule to 
become effective on April 14, 2001, as scheduled (65 FR 12433). At the 
same time, the Secretary directed the Department immediately to begin 
the process of developing guidelines on how the Privacy Rule should be 
implemented and to clarify the impact of the Privacy Rule on health 
care activities. In addition, the Secretary charged the Department with 
proposing appropriate changes to the Privacy Rule during the next year 
to clarify the requirements and correct potential problems that could 
threaten access to, or quality of, health care. The comments received 
during the comment period, as well as other communications from the 
public and all sectors of the health care industry, including letters, 
testimony at public hearings, and meetings requested by these parties, 
have helped to inform the Department's efforts to develop proposed 
modifications and guidance on the Privacy Rule.
    On July 6, 2001, the Department issued its first guidance to answer 
common questions and clarify certain of the Privacy Rule's provisions. 
In the guidance, the Department also committed to proposing 
modifications to the Privacy Rule to address problems arising from 
unintended effects of the Privacy Rule on health care delivery and 
access. The guidance will soon be updated to reflect the modifications 
adopted in this final Rule. The revised guidance will be available on 
the HHS Office for Civil Rights (OCR) Privacy Web site at http://www.hhs.gov/ocr/hipaa/.
    In addition, the National Committee for Vital and Health Statistics 
(NCVHS), Subcommittee on Privacy and Confidentiality, held public 
hearings on the implementation of the Privacy Rule on August 21-23, 
2001, and January 24-25, 2002, and provided recommendations to the 
Department based on these hearings. The NCVHS serves as the statutory 
advisory body to the Secretary of HHS with respect to the development 
and implementation of the Rules required by the Administrative 
Simplification provisions of HIPAA, including the privacy standards. 
Through the hearings, the NCVHS specifically solicited public input on 
issues related to certain key standards in the Privacy Rule: consent, 
minimum necessary, marketing, fundraising, and research. The resultant 
public testimony and subsequent recommendations submitted to the 
Department by the NCVHS also served to inform the development of these 
proposed modifications.

II. Overview of the March 2002 Notice of Proposed Rulemaking (NPRM)

    As described above, through public comments, testimony at public 
hearings, meetings at the request of industry and other stakeholders, 
as well as other communications, the Department learned of a number of 
concerns about the potential unintended effects certain provisions 
would have on health care quality and access. On March 27, 2002, in 
response to these concerns, and pursuant to HIPAA's provisions for 
modifications to the standards, the Department proposed modifications 
to the Privacy Rule (67 FR 14776). ]
    The Department proposed to modify the following areas or provisions 
of the Privacy Rule: consent; uses and disclosures for treatment, 
payment, and health care operations; notice of privacy practices; 
minimum necessary uses and disclosures, and oral communications; 
business associates; uses and disclosures for marketing; parents as the 
personal representatives of unemancipated minors; uses and disclosures 
for research purposes; uses and disclosures for which authorizations 
are required; and de-identification. In addition to these key areas, 
the proposal included changes to other provisions where necessary to 
clarify the Privacy Rule. The Department also included in the proposed 
Rule a list of technical corrections intended as editorial or 
typographical corrections to the Privacy Rule.
    The proposed modifications collectively were designed to ensure 
that protections for patient privacy are implemented in a manner that 
maximizes the effectiveness of such protections while not compromising 
either the availability or the quality of medical care. They reflected 
a continuing commitment on the part of the Department to strong privacy 
protections for medical records and the belief that privacy is most 
effectively protected by requirements that are not exceptionally 
difficult to implement. The Department welcomed comments and 
suggestions for alternative ways effectively to protect patient privacy 
without adversely affecting access to, or the quality of, health care.
    Given that the compliance date of the Privacy Rule for most covered 
entities is April 14, 2003, and the Department's interest in having the 
compliance date for these revisions also be no later than April 14, 
2003, the Department solicited public comment on the proposed 
modifications for only 30 days. As stated above, the proposed 
modifications addressed public concerns already communicated to the 
Department through a wide variety of sources since publication of the 
Privacy Rule in December 2000. For these reasons, the Department 
believed that 30 days should be sufficient for the public to state its 
views fully to the Department on the proposed modifications to the 
Privacy Rule. During the 30-day comment period, the Department received 
in excess of 11,400 comments.

III. Section-by-Section Description of Final Modifications and 
Response to Comments

A. Section 164.501--Definitions

1. Marketing

December 2000 Privacy Rule

    The Privacy Rule defined ``marketing'' at Sec. 164.501 as a 
communication about a product or service, a purpose of which is to 
encourage recipients of the communication to purchase or use the 
product or service, subject to certain limited exceptions. To avoid 
interfering with, or unnecessarily burdening communications about, 
treatment or about the benefits and services of health plans and health 
care providers, the Privacy Rule explicitly excluded two types of 
communications from the definition of ``marketing:'' (1) communications 
made by a covered entity for the purpose of describing the 
participating providers and health plans in a network, or describing 
the services offered by a provider or the benefits covered by a health 
plan; and (2) communications made by a health care provider as part of 
the treatment of a patient and for the purpose of furthering that 
treatment, or made by a provider or health plan in the course of 
managing an individual's treatment or recommending an alternative 
treatment. Thus, a health plan could send its

[[Page 53184]]

enrollees a listing of network providers, and a health care provider 
could refer a patient to a specialist without either an authorization 
under Sec. 164.508 or having to meet the other special requirements in 
Sec. 164.514(e) that attach to marketing communications. However, these 
communications qualified for the exception to the definition of 
``marketing'' only if they were made orally or, if in writing, were 
made without remuneration from a third party. For example, it would not 
have been marketing for a pharmacy to call a patient about the need to 
refill a prescription, even if that refill reminder was subsidized by a 
third party; but it would have been marketing for that same, subsidized 
refill reminder to be sent to the patient in the mail.
    Generally, if a communication was marketing, the Privacy Rule 
required the covered entity to obtain the individual's authorization to 
use or disclose protected health information to make the communication. 
However, the Privacy Rule, at Sec. 164.514(e), permitted the covered 
entity to make health-related marketing communications without such 
authorization, provided it complied with certain conditions on the 
manner in which the communications were made. Specifically, the Privacy 
Rule permitted a covered entity to use or disclose protected health 
information to communicate to individuals about the health-related 
products or services of the covered entity or of a third party, without 
first obtaining an authorization for that use or disclosure of 
protected health information, if the communication: (1) Identified the 
covered entity as the party making the communication; (2) identified, 
if applicable, that the covered entity received direct or indirect 
remuneration from a third party for making the communication; (3) with 
the exception of general circulation materials, contained instructions 
describing how the individual could opt-out of receiving future 
marketing communications; and (4) where protected health information 
was used to target the communication about a product or service to 
individuals based on their health status or health condition, explained 
why the individual had been targeted and how the product or service 
related to the health of the individual.
    For certain permissible marketing communications, however, the 
Department did not believe these conditions to be practicable. 
Therefore, Sec. 164.514(e) also permitted a covered entity to make a 
marketing communication that occurred in a face-to-face encounter with 
the individual, or that involved products or services of only nominal 
value, without meeting the above conditions or requiring an 
authorization. These provisions, for example, permitted a covered 
entity to provide sample products during a face-to-face communication, 
or to distribute calendars, pens, and the like, that displayed the name 
of a product or provider.

March 2002 NPRM

    The Department received many complaints concerning the complexity 
and unworkability of the Privacy Rule's marketing requirements. Many 
entities expressed confusion over the Privacy Rule's distinction 
between health care communications that are excepted from the 
definition of ``marketing'' versus those that are marketing but 
permitted subject to the special conditions in Sec. 164.514(e). For 
example, questions were raised as to whether disease management 
communications or refill reminders were ``marketing'' communications 
subject to the special disclosure and opt-out conditions in 
Sec. 164.514(e). Others stated that it was unclear whether various 
health care operations activities, such as general health-related 
educational and wellness promotional activities, were to be treated as 
marketing under the Privacy Rule.
    The Department also learned that consumers were generally 
dissatisfied with the conditions required by Sec. 164.514(e). Many 
questioned the general effectiveness of the conditions and whether the 
conditions would properly protect consumers from unwanted disclosure of 
protected health information to commercial entities, and from the 
intrusion of unwanted solicitations. They expressed specific 
dissatisfaction with the provision at Sec. 164.514(e)(3)(iii) for 
individuals to opt-out of future marketing communications. Many argued 
for the opportunity to opt-out of marketing communications before any 
marketing occurred. Others requested that the Department limit 
marketing communications to only those consumers who affirmatively 
chose to receive such communications.
    In response to these concerns, the Department proposed to modify 
the Privacy Rule to make the marketing provisions clearer and simpler. 
First, the Department proposed to simplify the Privacy Rule by 
eliminating the special provisions for marketing health-related 
products and services at Sec. 164.514(e). Instead, any use or 
disclosure of protected health information for a communication defined 
as ``marketing'' in Sec. 164.501 would require an authorization by the 
individual. Thus, covered entities would no longer be able to make any 
type of marketing communications that involved the use or disclosure of 
protected health information without authorization simply by meeting 
the disclosure and opt-out conditions in the Privacy Rule. The 
Department intended to effectuate greater consumer privacy protection 
by requiring authorization for all uses or disclosures of protected 
health information for marketing communications, as compared to the 
disclosure and opt-out conditions of Sec. 164.514(e).
    Second, the Department proposed minor clarifications to the Privacy 
Rule's definition of ``marketing'' at Sec. 164.501. Specifically, the 
Department proposed to define ``marketing'' as ``to make a 
communication about a product or service to encourage recipients of the 
communication to purchase or use the product or service.'' The proposed 
modification retained the substance of the ``marketing'' definition, 
but changed the language slightly to avoid the implication that in 
order for a communication to be marketing, the purpose or intent of the 
covered entity in making such a communication would have to be 
determined. The simplified language permits the Department to make the 
determination based on the communication itself.
    Third, with respect to the exclusions from the definition of 
``marketing'' in Sec. 164.501, the Department proposed to simplify the 
language to avoid confusion and better conform to other sections of the 
regulation, particularly in the area of treatment communications. The 
proposal retained the exclusions for communications about a covered 
entity's own products and services and about the treatment of the 
individual. With respect to the exclusion for a communication made ``in 
the course of managing the treatment of that individual,'' the 
Department proposed to modify the language to use the terms ``case 
management'' and ``care coordination'' for that individual. These terms 
are more consistent with the terms used in the definition of ``health 
care operations,'' and were intended to clarify the Department's 
intent.
    One substantive change to the definition proposed by the Department 
was to eliminate the condition on the above exclusions from the 
definition of ``marketing'' that the covered entity could not receive 
remuneration from a third party for any written communication. This 
limitation was not well understood and treated similar communications 
differently. For

[[Page 53185]]

example, a prescription refill reminder was marketing if it was in 
writing and paid for by a third party, while a refill reminder that was 
not subsidized, or was made orally, was not marketing. With the 
proposed elimination of the health-related marketing requirements in 
Sec. 164.514(e) and the proposed requirement that any marketing 
communication require an individual's prior written authorization, 
retention of this condition would have adversely affected a health care 
provider's ability to make many common health-related communications. 
Therefore, the Department proposed to eliminate the remuneration 
prohibition to the exceptions to the definition so as not to interfere 
with necessary and important treatment and health-related 
communications between a health care provider and patient.
    To reinforce the policy requiring an authorization for most 
marketing communications, the Department proposed to add a new 
marketing provision at Sec. 164.508(a)(3) explicitly requiring an 
authorization for a use or disclosure of protected health information 
for marketing purposes. Additionally, if the marketing was expected to 
result in direct or indirect remuneration to the covered entity from a 
third party, the Department proposed that the authorization state this 
fact. As noted above, because a use or disclosure of protected health 
information for marketing communications required an authorization, the 
disclosure and opt-out provisions in Sec. 164.514(e) no longer would be 
necessary and the Department proposed to eliminate them. As in the 
December 2000 Privacy Rule at Sec. 164.514(e)(2), the proposed 
modifications at Sec. 164.508(a)(3) excluded from the marketing 
authorization requirements face-to-face communications made by a 
covered entity to an individual. The Department proposed to retain this 
exception so that the marketing provisions would not interfere with the 
relationship and dialogue between health care providers and 
individuals. Similarly, the Department proposed to retain the exception 
to the authorization requirement for a marketing communication that 
involved products or services of nominal value, but proposed to replace 
the language with the common business term ``promotional gift of 
nominal value.''
    As noted above, because some of the proposed simplifications were a 
substitute for Sec. 164.514(e), the Department proposed to eliminate 
that section, and to make conforming changes to remove references to 
Sec. 164.514(e) at Sec. 164.502(a)(1)(vi) and in paragraph (6)(v) of 
the definition of ``health care operations'' in Sec. 164.501.

Overview of Public Comments

    The following discussion provides an overview of the public comment 
received on this proposal. Additional comments received on this issue 
are discussed below in the section entitled, ``Response to Other Public 
Comments.''
    The Department received generally favorable comment on its proposal 
to simplify the marketing provisions by requiring authorizations for 
uses or disclosures of protected health information for marketing 
communications, instead of the special provisions for health-related 
products and services at Sec. 164.514(e). Many also supported the 
requirement that authorizations notify the individual of marketing that 
results in direct or indirect remuneration to the covered entity from a 
third party. They argued that for patients to make informed decisions, 
they must be notified of potential financial conflicts of interest. 
However, some commenters opposed the authorization requirement for 
marketing, arguing instead for the disclosure and opt-out requirements 
at Sec. 164.514(e) or for a one-time, blanket authorization from an 
individual for their marketing activities.
    Commenters were sharply divided on whether the Department had 
properly defined what is and what is not marketing. Most of those 
opposed to the Department's proposed definitions objected to the 
elimination of health-related communications for which the covered 
entity received remuneration from the definition of ``marketing.'' They 
argued that these communications would have been subject to the 
consumer protections in Sec. 164.514(e) but, under the proposal, could 
be made without any protections at all. The mere presence of 
remuneration raised conflict of interest concerns for these commenters, 
who feared patients would be misled into thinking the covered entity 
was acting solely in the patients' best interest when recommending an 
alternative medication or treatment. Of particular concern to these 
commenters was the possibility of a third party, such as a 
pharmaceutical company, obtaining a health care provider's patient list 
to market its own products or services directly to the patients under 
the guise of recommending an ``alternative treatment'' on behalf of the 
provider. Commenters argued that, even if the parties attempted to 
cloak the transaction in the trappings of a business associate 
relationship, when the remuneration flowed from the third party to the 
covered entity, the transaction was tantamount to selling the patient 
lists and ought to be considered marketing.
    On the other hand, many commenters urged the Department to broaden 
the categories of communications that are not marketing. Several 
expressed concern that, under the proposal, they would be unable to 
send newsletters and other general circulation materials with 
information about health-promoting activities (e.g., screenings for 
certain diseases) to their patients or members without an 
authorization. Health plans were concerned that they would be unable to 
send information regarding enhancements to health insurance coverage to 
their members and beneficiaries. They argued, among other things, that 
they should be excluded from the definition of ``marketing'' because 
these communications would be based on limited, non-clinical protected 
health information, and because policyholders benefit and use such 
information to fully evaluate the mix of coverage most appropriate to 
their needs. They stated that providing such information is especially 
important given that individual and market-wide needs, as well as 
benefit offerings, change over time and by statute. For example, 
commenters informed the Department that some States now require long-
term care insurers to offer new products to existing policyholders as 
they are brought to market and to allow policyholders to purchase the 
new benefits through a formal upgrade process. These health plans were 
concerned that an authorization requirement for routine communications 
about options and enhancements would take significant time and expense. 
Some insurers also urged that they be allowed to market other lines of 
insurance to their health plan enrollees.
    A number of commenters urged the Department to exclude any activity 
that met the definitions of ``treatment,'' ``payment,'' or ``health 
care operations'' from the definition of ``marketing'' so that they 
could freely inform customers about prescription discount card and 
price subsidy programs. Still others wanted the Department to broaden 
the treatment exception to include all health-related communications 
between providers and patients.
    Final Modifications. The Department adopts the modifications to 
marketing substantially as proposed in the NPRM, but makes changes to 
the proposed definition of ``marketing'' and further clarifies one of 
the exclusions from the definition of ``marketing'' in response to 
comments on the proposal. The

[[Page 53186]]

definition of ``marketing'' is modified to close what commenters 
characterized as a loophole, that is, the possibility that covered 
entities, for remuneration, could disclose protected health information 
to a third party that would then be able to market its own products and 
services directly to individuals. Also, in response to comments, the 
Department clarifies the language in the marketing exclusion for 
communications about a covered entity's own products and services.
    As it proposed to do, the Department eliminates the special 
provisions for marketing health-related products and services at 
Sec. 164.514(e). Except as provided for at Sec. 164.508(a)(3), a 
covered entity must have the individual's prior written authorization 
to use or disclose protected health information for marketing 
communications and will no longer be able to do so simply by meeting 
the disclosure and opt-out provisions, previously set forth in 
Sec. 164.514(e). The Department agrees with commenters that the 
authorization provides individuals with more control over whether they 
receive marketing communications and better privacy protections for 
such uses and disclosures of their health information. In response to 
commenters who opposed this proposal, the Department does not believe 
that an opt-out requirement for marketing communications would provide 
a sufficient level of control for patients regarding their health 
information. Nor does the Department believe that a blanket 
authorization provides sufficient privacy protections for individuals. 
Section 164.508(c) sets forth the core elements of an authorization 
necessary to give individuals control of their protected health 
information. Those requirements give individuals sufficient information 
and notice regarding the type of use or disclosure of their protected 
health information that they are authorizing. Without such specificity, 
an authorization would not have meaning. Indeed, blanket marketing 
authorizations would be considered defective under Sec. 164.508(b)(2).
    The Department adopts the general definition of ``marketing'' with 
one clarification. Thus, ``marketing'' means ``to make a communication 
about a product or service that encourages the recipients of the 
communication to purchase or use the product or service.'' In removing 
the language referencing the purpose of the communication and 
substituting the term ``that encourages'' for the term ``to 
encourage'', the Department intends to simplify the determination of 
whether a communication is marketing. If, on its face, the 
communication encourages recipients of the communication to purchase or 
use the product or service, the communication is marketing. A few 
commenters argued for retaining the purpose of the communication as 
part of the definition of ``marketing'' based on their belief that the 
intent of the communication was a clearer and more definitive standard 
than the effect of the communication. The Department disagrees with 
these commenters. Tying the definition of ``marketing'' to the purpose 
of the communication creates a subjective standard that would be 
difficult to enforce because the intent of the communicator rarely 
would be documented in advance. The definition adopted by the Secretary 
allows the communication to speak for itself.
    The Department further adopts the three categories of 
communications that were proposed as exclusions from the definition of 
``marketing.'' Thus, the covered entity is not engaged in marketing 
when it communicates to individuals about: (1) The participating 
providers and health plans in a network, the services offered by a 
provider, or the benefits covered by a health plan; (2) the 
individual's treatment; or (3) case management or care coordination for 
that individual, or directions or recommendations for alternative 
treatments, therapies, health care providers, or settings of care to 
that individual. For example, a doctor that writes a prescription or 
refers an individual to a specialist for follow-up tests is engaging in 
a treatment communication and is not marketing a product or service. 
The Department continues to exempt from the ``marketing'' definition 
the same types of communications that were not marketing under the 
Privacy Rule as published in December 2000, but has modified some of 
the language to better track the terminology used in the definition of 
``health care operations.'' The commenters generally supported this 
clarification of the language.
    The Department, however, does not agree with commenters that sought 
to expand the exceptions from marketing for all communications that 
fall within the definitions of ``treatment,'' ``payment,'' or ``health 
care operations.'' The purpose of the exclusions from the definition of 
marketing is to facilitate those communications that enhance the 
individual's access to quality health care. Beyond these important 
communications, the public strongly objected to any commercial use of 
protected health information to attempt to sell products or services, 
even when the product or service is arguably health related. In light 
of these strong public objections, ease of administration is an 
insufficient justification to categorically exempt all communications 
about payment and health care operations from the definition of 
``marketing.''
    However, in response to comments, the Department is clarifying the 
language that excludes from the definition of ``marketing'' those 
communications that describe network participants and the services or 
benefits of the covered entity. Several commenters, particularly 
insurers, were concerned that the reference to a ``plan of benefits'' 
was too limiting and would prevent them from sending information to 
their enrollees regarding enhancements or upgrades to their health 
insurance coverage. They inquired whether the following types of 
communications would be permissible: enhancements to existing products; 
changes in deductibles/copays and types of coverage (e.g., prescription 
drug); continuation products for students reaching the age of majority 
on parental policies; special programs such as guaranteed issue 
products and other conversion policies; and prescription drug card 
programs. Some health plans also inquired if they could communicate 
with beneficiaries about ``one-stop shopping'' with their companies to 
obtain long-term care, property, casualty, and life insurance products.
    The Department understands the need for covered health care 
providers and health plans to be able to communicate freely to their 
patients or enrollees about their own products, services, or benefits. 
The Department also understands that some of these communications are 
required by State or other law. To ensure that such communications may 
continue, the Department is broadening its policy, both of the December 
2000 Privacy Rule as well as proposed in the March 2002 NPRM, to allow 
covered entities to use protected health information to convey 
information to beneficiaries and members about health insurance 
products offered by the covered entity that could enhance or substitute 
for existing health plan coverage. Specifically, the Department 
modifies the relevant exemption from the definition of ``marketing'' to 
include communications that describe ``a health-related product or 
service (or payment for such product or service) that is provided by, 
or included in a plan of benefits of, the covered entity making the 
communication, including communications about: the entities 
participating in a health care provider network or health plan network; 
replacement of, or enhancements to, a

[[Page 53187]]

health plan; and health-related products or services available only to 
a health plan enrollee that add value to, but are not part of, a plan 
of benefits.'' Thus, under this exemption, a health plan is not 
engaging in marketing when it advises its enrollees about other 
available health plan coverages that could enhance or substitute for 
existing health plan coverage. For example, if a child is about to age 
out of coverage under a family's policy, this provision will allow the 
plan to send the family information about continuation coverage for the 
child. This exception, however, does not extend to excepted benefits 
(described in section 2791(c)(1) of the Public Health Service Act, 42 
U.S.C. 300gg-91(c)(1)), such as accident-only policies), nor to other 
lines of insurance (e.g., it is marketing for a multi-line insurer to 
promote its life insurance policies using protected health 
information).
    Moreover, the expanded language makes clear that it is not 
marketing when a health plan communicates about health-related products 
and services available only to plan enrollees or members that add value 
to, but are not part of, a plan of benefits. The provision of value-
added items or services (VAIS) is a common practice, particularly for 
managed care organizations. Communications about VAIS may qualify as a 
communication that is about a health plan's own products or services, 
even if VAIS are not considered plan benefits for the Adjusted 
Community Rate purposes. To qualify for this exclusion, however, the 
VAIS must meet two conditions. First, they must be health-related. 
Therefore, discounts offered by Medicare+Choice or other managed care 
organizations for eyeglasses may be considered part of the plan's 
benefits, whereas discounts to attend movie theaters will not. Second, 
such items and services must demonstrably ``add value'' to the plan's 
membership and not merely be a pass-through of a discount or item 
available to the public at large. Therefore, a Medicare+Choice or other 
managed care organization could, for example, offer its members a 
special discount opportunity for a health/fitness club without 
obtaining authorizations, but could not pass along to its members 
discounts to a health fitness club that the members would be able to 
obtain directly from the health/fitness clubs.
    In further response to comments, the Department has added new 
language to the definition of ``marketing'' to close what commenters 
perceived as a loophole that a covered entity could sell protected 
health information to another company for the marketing of that 
company's products or services. For example, many were concerned that a 
pharmaceutical company could pay a provider for a list of patients with 
a particular condition or taking a particular medication and then use 
that list to market its own drug products directly to those patients. 
The commenters believed the proposal would permit this to happen under 
the guise of the pharmaceutical company acting as a business associate 
of the covered entity for the purpose of recommending an alternative 
treatment or therapy to the individual. The Department agrees with 
commenters that the potential for manipulating the business associate 
relationship in this fashion should be expressly prohibited. Therefore, 
the Department is adding language that would make clear that business 
associate transactions of this nature are marketing. Marketing is 
defined expressly to include ``an arrangement between a covered entity 
and any other entity whereby the covered entity discloses protected 
health information to the other entity, in exchange for direct or 
indirect remuneration, for the other entity or its affiliate to make a 
communication about its own product or service that encourages 
recipients of the communication to purchase or use that product or 
service.'' These communications are marketing and can only occur if the 
covered entity obtains the individual's authorization pursuant to 
Sec. 164.508. The Department believes that this provision will make 
express the fundamental prohibition against covered entities selling 
lists of patients or enrollees to third parties, or from disclosing 
protected health information to a third party for the marketing 
activities of the third party, without the written authorization of the 
individual. The Department further notes that manufacturers that 
receive identifiable health information and misuse it may be subject to 
action taken under other consumer protection statutes by other Federal 
agencies, such as the Federal Trade Commission.
    The Department does not, however, agree with commenters who argued 
for retention of the provisions that would condition the exclusions 
from the ``marketing'' definition on the absence of remuneration. 
Except for the arrangements that are now expressly defined as 
``marketing,'' the Department eliminates the conditions that 
communications are excluded from the definition of ``marketing'' only 
if they are made orally, or, if in writing, are made without any direct 
or indirect remuneration. The Department does not agree that the simple 
receipt of remuneration should transform a treatment communication into 
a commercial promotion of a product or service. For example, health 
care providers should be able to, and can, send patients prescription 
refill reminders regardless of whether a third party pays or subsidizes 
the communication. The covered entity also is able to engage a 
legitimate business associate to assist it in making these permissible 
communications. It is only in situations where, in the guise of a 
business associate, an entity other than the covered entity is 
promoting its own products using protected health information it has 
received from, and for which it has paid, the covered entity, that the 
remuneration will place the activity within the definition of 
``marketing.''
    In addition, the Department adopts the proposed marketing 
authorization provision at Sec. 164.508(a)(3), with minor language 
changes to conform to the revised ``marketing'' definition. The Rule 
expressly requires an authorization for uses or disclosures of 
protected health information for marketing communications, except in 
two circumstances: (1) When the communication occurs in a face-to-face 
encounter between the covered entity and the individual; or (2) the 
communication involves a promotional gift of nominal value. A marketing 
authorization must include a statement about remuneration, if any. For 
ease of administration, the Department has changed the regulatory 
provision to require a statement on the authorization whenever the 
marketing ``involves'' direct or indirect remuneration to the covered 
entity from a third party, rather than requiring the covered entity to 
identify those situations where ``the marketing is expected to result 
in'' remuneration.
    Finally, the Department clarifies that nothing in the marketing 
provisions of the Privacy Rule are to be construed as amending, 
modifying, or changing any rule or requirement related to any other 
Federal or State statutes or regulations, including specifically anti-
kickback, fraud and abuse, or self-referral statutes or regulations, or 
to authorize or permit any activity or transaction currently proscribed 
by such statutes and regulations. Examples of such laws include the 
anti-kickback statute (section 1128B(b) of the Social Security Act), 
safe harbor regulations (42 CFR part 1001), Stark law (section 1877 of 
the Social Security Act) and regulations (42 CFR parts 411 and 424), 
and HIPAA statute on self-referral (section 1128C of the Social 
Security Act). The definition

[[Page 53188]]

of ``marketing'' is solely applicable to the Privacy Rule and the 
permissions granted by the Rule are only for a covered entity's use or 
disclosure of protected health information. In particular, although 
this regulation defines the term ``marketing'' to exclude 
communications to an individual to recommend, purchase, or use a 
product or service as part of the treatment of the individual or for 
case management or care coordination of that individual, such 
communication by a ``white coat'' health care professional may violate 
the anti-kickback statute. Similar examples for pharmacist 
communications with patients relating to the marketing of products on 
behalf of pharmaceutical companies were identified by the OIG as 
problematic in a 1994 Special Fraud Alert (December 19, 1994, 59 FR 
65372). Other violations have involved home health nurses and physical 
therapists acting as marketers for durable medical equipment companies. 
Although a particular communication under the Privacy Rule may not 
require patient authorization because it is not marketing, or may 
require patient authorization because it is ``marketing'' as the Rule 
defines it, the arrangement may nevertheless violate other statutes and 
regulations administered by HHS, the Department of Justice, or other 
Federal or State agency.

Response to Other Public Comments

    Comment: Some commenters recommended that the definition of 
``marketing'' be broadened to read as follows: ``any communication 
about a product or service to encourage recipients of the communication 
to purchase or use the product or service or that will make the 
recipient aware of the product or service available for purchase or use 
by the recipient.'' According to these commenters, the additional 
language would capture marketing campaign activities to establish 
``brand recognition.''
    Response: The Department believes that marketing campaigns to 
establish brand name recognition of products is already encompassed 
within the general definition of ``marketing'' and that it is not 
necessary to add language to accomplish this purpose.
    Comment: Some commenters opposed the proposed deletion of 
references to the covered entity as the source of the communications, 
in the definition of those communications that were excluded from the 
``marketing'' definition. They objected to these non-marketing 
communications being made by unrelated third parties based on protected 
health information disclosed to these third parties by the covered 
entity, without the individual's knowledge or authorization.
    Response: These commenters appear to have misinterpreted the 
proposal as allowing third parties to obtain protected health 
information from covered entities for marketing or other purposes for 
which the Rule requires an individual's authorization. The deletion of 
the specific reference to the covered entity does not permit 
disclosures to a third party beyond the disclosures already permitted 
by the Rule. The change is intended to be purely editorial: since the 
Rule applies only to covered entities, the only entities whose 
communications can be governed by the Rule are covered entities, and 
thus the reference to covered entities there was redundant. Covered 
entities may not disclose protected health information to third parties 
for marketing purposes without authorization from the individual, even 
if the third party is acting as the business associate of the 
disclosing covered entity. Covered entities may, however, use protected 
health information to communicate with individuals about the covered 
entity's own health-related products or services, the individual's 
treatment, or case management or care coordination for the individual. 
The covered entity does not need an authorization for these types of 
communications and may make the communication itself or use a business 
associate to do so.
    Comment: Some commenters advocated for reversion to the provision 
in Sec. 164.514(e) that the marketing communication identify the 
covered entity responsible for the communication, and argued that the 
covered entity should be required to identify itself as the source of 
the protected health information.
    Response: As modified, the Privacy Rule requires the individual's 
written authorization for the covered entity to use or disclose 
protected health information for marketing purposes, with limited 
exceptions. The Department believes that the authorization process 
itself will put the individual sufficiently on notice that the covered 
entity is the source of the protected health information. To the extent 
that the commenter suggests that these disclosures are necessary for 
communications that are not ``marketing'as defined by the Rule, the 
Department disagrees because such a requirement would place an undue 
burden on necessary health-related communications.
    Comment: Many commenters opposed the proposed elimination of the 
provision that would have transformed a communication exempted from 
marketing into a marketing communication if it was in writing and paid 
for by a third party. They argued that marketing should include any 
activity in which a covered entity receives compensation, directly or 
indirectly, through such things as discounts from another provider, 
manufacturer, or service provider in exchange for providing information 
about the manufacturer or service provider's products to consumers, and 
that consumers should be advised whenever such remuneration is involved 
and allowed to opt-out of future communications.
    Response: The Department considered whether remuneration should 
determine whether a given activity is marketing, but ultimately 
concluded that remuneration should not define whether a given activity 
is marketing or falls under an exception to marketing. In fact, the 
Department believes that the provision in the December 2000 Rule that 
transformed a treatment communication into a marketing communication if 
it was in writing and paid for by a third party blurred the line 
between treatment and marketing in ways that would have made the 
Privacy Rule difficult to implement. The Department believes that 
certain health care communications, such as refill reminders or 
informing patients about existing or new health care products or 
services, are appropriate, whether or not the covered entity receives 
remuneration from third parties to pay for them. The fact that 
remuneration is received for a marketing communication does not mean 
the communication is biased or inaccurate. For the same reasons, the 
Department does not believe that the communications that are exempt 
from the definition of ``marketing'' require any special conditions, 
based solely on direct or indirect remuneration received by the covered 
entity. Requiring disclosure and opt-out conditions on these 
communications, as Sec. 164.514(e) had formerly imposed on health-
related marketing communications, would add a layer of complexity to 
the Privacy Rule that the Department intended to eliminate. 
Individuals, of course, are free to negotiate with covered entities for 
limitations on such uses and disclosures, to which the entity may, but 
is not required to, agree.
    The Department does agree with commenters that, in limited 
circumstances, abuses can occur. The Privacy Rule, both as published in 
December 2000 and as proposed to be modified in March 2002, has always 
prohibited covered entities from selling protected health information 
to a third

[[Page 53189]]

party for the marketing activities of the third party, without 
authorization. Nonetheless, in response to continued public concern, 
the Department has added a new provision to the definition of 
``marketing'' to prevent situations in which a covered entity could 
take advantage of the business associate relationship to sell protected 
health information to another entity for that entity's commercial 
marketing purposes. The Department intends this prohibition to address 
the potential financial conflict of interest that would lead a covered 
entity to disclose protected health information to another entity under 
the guise of a treatment exemption.
    Comment: Commenters argued that written authorizations (opt-ins) 
should be required for the use of clinical information in marketing. 
They stated that many consumers do not want covered entities to use 
information about specific clinical conditions that an individual has, 
such as AIDS or diabetes, to target them for marketing of services for 
such conditions.
    Response: The Department does not intend to interfere with the 
ability of health care providers or health plans to deliver quality 
health care to individuals. The ``marketing'' definition excludes 
communications for the individual's treatment and for case management, 
care coordination or the recommendation of alternative therapies. 
Clinical information is critical for these communications and, hence, 
cannot be used to distinguish between communications that are or are 
not marketing. The covered entity needs the individual's authorization 
to use or disclose protected health information for marketing 
communications, regardless of whether clinical information is to be 
used.
    Comment: The proposed modification eliminated the Sec. 164.514 
requirements that permitted the use of protected health information to 
market health-related products and services without an authorization. 
In response to that proposed modification, many commenters asked 
whether covered entities would be allowed to make communications about 
``health education'' or ``health promoting'' materials or services 
without an authorization under the modified Rule. Examples included 
communications about health improvement or disease prevention, new 
developments in the diagnosis or treatment of disease, health fairs, 
health/wellness-oriented classes or support groups.
    Response: The Department clarifies that a communication that merely 
promotes health in a general manner and does not promote a specific 
product or service from a particular provider does not meet the general 
definition of ``marketing.'' Such communications may include 
population-based activities to improve health or reduce health care 
costs as set forth in the definition of ``health care operations'' at 
Sec. 164.501. Therefore, communications, such as mailings reminding 
women to get an annual mammogram, and mailings providing information 
about how to lower cholesterol, about new developments in health care 
(e.g., new diagnostic tools), about health or ``wellness'' classes, 
about support groups, and about health fairs are permitted, and are not 
considered marketing.
    Comment: Some commenters asked whether they could communicate with 
beneficiaries about government programs or government-sponsored 
programs such as information about SCHIP; eligibility for Medicare/
Medigap (e.g., eligibility for limited, six-month open enrollment 
period for Medicare supplemental benefits).
    Response: The Department clarifies that communications about 
government and government-sponsored programs do not fall within the 
definition of ``marketing.'' There is no commercial component to 
communications about benefits available through public programs. 
Therefore, a covered entity is permitted to use and disclose protected 
health information to communicate about eligibility for Medicare 
supplemental benefits, or SCHIP. As in our response above, these 
communications may reflect population-based activities to improve 
health or reduce health care costs as set forth in the definition of 
``health care operations'' at Sec. 164.501.
    Comment: The proposed modification eliminated the Sec. 164.514 
requirements that allowed protected health information to be used and 
disclosed without authorization or the opportunity to opt-out, for 
communications contained in newsletters or similar general 
communication devices widely distributed to patients, enrollees, or 
other broad groups of individuals. Many commenters requested 
clarification as to whether various types of general circulation 
materials would be permitted under the proposed modification. 
Commenters argued that newsletters or similar general communication 
devices widely distributed to patients, enrollees, or other broad 
groups of individuals should be permitted without authorizations 
because they are ``common'' and ``serve appropriate information 
distribution purposes'' and, based on their general circulation, are 
less intrusive than other forms of communication.
    Response: Covered entities may make communications in newsletter 
format without authorization so long as the content of such 
communications is not ``marketing,'' as defined by the Rule. The 
Department is not creating any special exemption for newsletters.
    Comment: One commenter suggested that, even when authorizations are 
granted to disclose protected health information for a particular 
marketing purpose to a non-covered entity, there should also be an 
agreement by the third party not to re-disclose the protected health 
information. This same commenter also recommended that the Privacy Rule 
place restrictions on non-secure modes of making communications 
pursuant to an authorization. This commenter argued that protected 
health information should not be disclosed on the outside of mailings 
or through voice mail, unattended FAX, or other modes of communication 
that are not secure.
    Response: Under the final Rule, a covered entity must obtain an 
individual's authorization to use or disclose protected health 
information for a marketing communication, with some exceptions. If an 
individual wanted an authorization to limit the use of the information 
by the covered entity, the individual could negotiate with the covered 
entity to make that clear in the authorization. Similarly, individuals 
can request confidential forms of communication, even with respect to 
authorized disclosures. See Sec. 164.522(b).
    Comment: Commenters requested that HHS provide clear guidance on 
what types of activities constitute a use or disclosure for marketing, 
and, therefore, require an authorization.
    Response: The Department has modified the ``marketing'' definition 
to clarify the types of uses or disclosures of protected health 
information that are marketing, and, therefore, require prior 
authorization and those that are not marketing. The Department intends 
to update its guidance on this topic and address specific examples 
raised by commenters at that time.
    Comment: A number of commenters wanted the Department to amend the 
face-to-face authorization exception. Some urged that it be broadened 
to include telephone, mail and other common carriers, fax machines, or 
the Internet so that the exception would cover communications between 
providers and patients that are not in person. For example, it was 
pointed out that some providers, such as home

[[Page 53190]]

delivery pharmacies, may have a direct treatment relationship, but 
communicate with patients through other channels. Some raised specific 
concerns about communicating with ``shut-ins'' and ``persons living in 
rural areas.'' Other commenters asked the Department to make the 
exception more narrow to cover only those marketing communications made 
by a health care provider, as opposed to by a business associate, or to 
cover only those marketing communications of a provider that arise from 
a treatment or other essential health care communication.
    Response: The Department believes that expanding the face-to-face 
authorization exception to include telephone, mail, and other common 
carriers, fax machines or the Internet would create an exception 
essentially for all types of marketing communications. All providers 
potentially use a variety of means to communicate with their patients. 
The authorization exclusion, however, is narrowly crafted to permit 
only face-to-face encounters between the covered entity and the 
individual.
    The Department believes that further narrowing the exception to 
place conditions on such communications, other than that it be face-to-
face, would neither be practical nor better serve the privacy interests 
of the individual. The Department does not intend to police 
communications between doctors and patients that take place in the 
doctor's office. Further limiting the exception would add a layer of 
complexity to the Rule, encumbering physicians and potentially causing 
them to second-guess themselves when making treatment or other 
essential health care communications. In this context, the individual 
can readily stop any unwanted communications, including any 
communications that may otherwise meet the definition of ``marketing.''
2. Health Care Operations: Changes of Legal Ownership
    December 2000 Privacy Rule. The Rule's definition of ``health care 
operations'' included the disclosure of protected health information 
for the purposes of due diligence with respect to the contemplated sale 
or transfer of all or part of a covered entity's assets to a potential 
successor in interest who is a covered entity, or would become a 
covered entity as a result of the transaction.
    The Department indicated in the December 2000 preamble of the 
Privacy Rule its intent to include in the definition of health care 
operations the actual transfer of protected health information to a 
successor in interest upon a sale or transfer of its assets. (65 FR 
82609.) However, the regulation itself did not expressly provide for 
the transfer of protected health information upon the sale or transfer 
of assets to a successor in interest. Instead, the definition of 
``health care operations'' included uses or disclosures of protected 
health information only for due diligence purposes when a sale or 
transfer to a successor in interest is contemplated.
    March 2002 NPRM. A number of entities expressed concern about the 
discrepancy between the intent as expressed in the preamble to the 
December 2000 Privacy Rule and the actual regulatory language. To 
address these concerns, the Department proposed to add language to 
paragraph (6) of the definition of ``health care operations'' to 
clarify its intent to permit the transfer of records to a covered 
entity upon a sale, transfer, merger, or consolidation. This proposed 
change would prevent the Privacy Rule from interfering with necessary 
treatment or payment activities upon the sale of a covered entity or 
its assets.
    The Department also proposed to use the terms ``sale, transfer, 
consolidation or merger'' and to eliminate the term ``successor in 
interest'' from this paragraph. The Department intended this provision 
to apply to any sale, transfer, merger or consolidation and believed 
the current language may not accomplish this goal.
    The Department proposed to retain the limitation that such 
disclosures are health care operations only to the extent the entity 
receiving the protected health information is a covered entity or would 
become a covered entity as a result of the transaction. The Department 
clarified that the proposed modification would not affect a covered 
entity's other legal or ethical obligation to notify individuals of a 
sale, transfer, merger, or consolidation.
    Overview of Public Comments. The following discussion provides an 
overview of the public comment received on this proposal. Additional 
comments received on this issue are discussed below in the section 
entitled, ``Response to Other Public Comments.''
    Numerous commenters supported the proposed modifications. 
Generally, these commenters claimed the modifications would prevent 
inconvenience to consumers, and facilitate timely access to health 
care. Specifically, these commenters indicated that health care would 
be delayed and consumers would be inconvenienced if covered entities 
were required to obtain individual consent or authorization before they 
could access health records that are newly acquired assets resulting 
from the sale, transfer, merger, or consolidation of all or part of a 
covered entity. Commenters further claimed that the administrative 
burden of acquiring individual permission and culling records of 
consumers who do not give consent would be too great, and would cause 
some entities to simply store or destroy the records instead. 
Consequently, health information would be inaccessible, causing 
consumers to be inconvenienced and health care to be delayed. Some 
commenters noted that the proposed modifications recognize the 
realities of business without compromising the availability or quality 
of health care or diminishing privacy protections one would expect in 
the handling of protected health information during the course of such 
business transactions.
    Opposition to the proposed modifications was limited, with 
commenters generally asserting that the transfer of records in such 
circumstances would not be in the best interests of individuals.
    Final Modifications. The Department agrees with the commenters that 
supported the proposed modifications and, therefore, adopts the 
modifications to the definition of health care operations. Thus, 
``health care operations'' includes the sale, transfer, merger, or 
consolidation of all or part of the covered entity to or with another 
covered entity, or an entity that will become a covered entity as a 
result of the transaction, as well as the due diligence activities in 
connection with such transaction. In response to a comment, the final 
Rule modifies the phrase ``all or part of a covered entity'' to read 
``all or part of the covered entity'' to clarify that any disclosure 
for such activity must be by the covered entity that is a party to the 
transaction.
    Under the final definition of ``health care operations,'' a covered 
entity may use or disclose protected health information in connection 
with a sale or transfer of assets to, or a consolidation or merger 
with, an entity that is or will be a covered entity upon completion of 
the transaction; and to conduct due diligence in connection with such 
transaction. The modification makes clear it is also a health care 
operation to transfer records containing protected health information 
as part of the transaction. For example, if a pharmacy which is a 
covered entity buys another pharmacy which is also a covered entity, 
protected health information can be exchanged between the two entities 
for purposes of conducting due diligence, and the selling entity may

[[Page 53191]]

transfer any records containing protected health information to the new 
owner upon completion of the transaction. The new owner may then 
immediately use and disclose those records to provide health care 
services to the individuals, as well as for payment and health care 
operations purposes. Since the information would continue to be 
protected by the Privacy Rule, any other use or disclosure of the 
information would require an authorization unless otherwise permitted 
without authorization by the Rule, and the new owner would be obligated 
to observe the individual's rights of access, amendment, and 
accounting. The Privacy Rule would not interfere with other legal or 
ethical obligations of an entity that may arise out of the nature of 
its business or relationship with its customers or patients to provide 
such persons with notice of the transaction or an opportunity to agree 
to the transfer of records containing personal information to the new 
owner.

Response to Other Public Comments

    Comment: One commenter was concerned about what obligations the 
parties to a transaction have regarding protected health information 
that was exchanged as part of a transaction if the transaction does not 
go through.
    Response: The Department believes that other laws and standard 
business practices are adequate to address these situations and 
accordingly does not impose additional requirements of this type. It is 
standard practice for parties contemplating such transactions to enter 
into confidentiality agreements. In addition to exchanging protected 
health information, the parties to such transactions commonly exchange 
confidential proprietary information. It is a standard practice for the 
parties to these transaction to agree that the handling of all 
confidential information, such as proprietary information, will include 
ensuring that, in the event that the proposed transaction is not 
consummated, the information is either returned to its original owner 
or destroyed as appropriate. They may include protected health 
information in any such agreement, as they determine appropriate to the 
circumstances and applicable law. ]
3. Protected Health Information: Exclusion for Employment Records
    December 2000 Privacy Rule. The Privacy Rule broadly defines 
``protected health information'' as individually identifiable health 
information maintained or transmitted by a covered entity in any form 
or medium. The December 2000 Privacy Rule expressly excluded from the 
definition of ``protected health information'' only educational and 
other records that are covered by the Family Education Rights and 
Privacy Act of 1974, as amended, 20 U.S.C. 1232g. In addition, 
throughout the December 2000 preamble to the Privacy Rule, the 
Department repeatedly stated that the Privacy Rule does not apply to 
employers, nor does it apply to the employment functions of covered 
entities, that is, when they are acting in their role as employers. For 
example, the Department stated:

    Covered entities must comply with this regulation in their 
health care capacity, not in their capacity as employers. For 
example, information in hospital personnel files about a nurses' 
(sic) sick leave is not protected health information under this 
rule.

65 FR 82612. However, the definition of protected health information 
did not expressly exclude personnel or employment records of covered 
entities.
    March 2002 NPRM. The Department understands that covered entities 
are also employers, and that this creates two potential sources of 
confusion about the status of health information. First, some employers 
are required or elect to obtain health information about their 
employees, as part of their routine employment activities [e.g., 
hiring, compliance with the Occupational Safety and Health 
Administration (OSHA) requirements]. Second, employees of covered 
health care providers or health plans sometimes seek treatment or 
reimbursement from that provider or health plan, unrelated to the 
employment relationship.
    To avoid any confusion on the part of covered entities as to 
application of the Privacy Rule to the records they maintain as 
employers, the Department proposed to modify the definition of 
``protected health information'' in Sec. 164.501 to expressly exclude 
employment records held by a covered entity in its role as employer. 
The proposed modification also would alleviate the situation where a 
covered entity would feel compelled to elect to designate itself as a 
hybrid entity solely to carve out its employment functions. 
Individually identifiable health information maintained or transmitted 
by a covered entity in its health care capacity would, under the 
proposed modification, continue to be treated as protected health 
information.
    The Department specifically solicited comments on whether the term 
``employment records'' is clear and what types of records would be 
covered by the term.
    In addition, as discussed in section III.C.1. below, the Department 
proposed to modify the definition of a hybrid entity to permit any 
covered entity that engaged in both covered and non-covered functions 
to elect to operate as a hybrid entity. Under the proposed 
modification, a covered entity that primarily engaged in covered 
functions, such as a hospital, would be allowed to elect hybrid entity 
status even if its only non-covered functions were those related to its 
capacity as an employer. Indeed, because of the absence of an express 
exclusion for employment records in the definition of protected health 
information, some covered entities may have elected hybrid entity 
status under the misconception that this was the only way to prevent 
their personnel information from being treated as protected health 
information under the Rule.
    Overview of Public Comments. The following discussion provides an 
overview of the public comment received on this proposal. Additional 
comments received on this issue are discussed below in the section 
entitled, ``Response to Other Public Comments.''
    The Department received comments both supporting and opposing the 
proposal to add an exemption for employment records to the definition 
of protected health information. Support for the proposal was based 
primarily on the need for clarity and certainty in this important area. 
Moreover, commenters supported the proposed exemption for employment 
records because it reinforced and clarified that the Privacy Rule does 
not conflict with an employer's obligation under numerous other laws, 
including OSHA, Family and Medical Leave Act (FMLA), workers' 
compensation, and alcohol and drug free workplace laws.
    Those opposed to the modification were concerned that a covered 
entity may abuse its access to the individually identifiable health 
information in its employment records by using that information for 
discriminatory purposes. Many commenters expressed concern that an 
employee's health information created, maintained, or transmitted by 
the covered entity in its health care capacity would be considered an 
employment record and, therefore, would not be considered protected 
health information. Some of these commenters argued for the inclusion 
of special provisions, similar to the ``adequate separation'' 
requirements for disclosure of protected health information from group 
health plan to plan sponsor functions (Sec. 164.504(f)), to heighten 
the protection for an employee's individually identifiable health 
information when moving between a covered entity's

[[Page 53192]]

health care functions and its employer functions.
    A number of commenters also suggested types of records that the 
Department should consider to be ``employment records'' and, therefore, 
excluded from the definition of ``protected health information.'' The 
suggested records included records maintained under the FMLA or the 
Americans with Disabilities Act (ADA), as well as records relating to 
occupational injury, disability insurance eligibility, sick leave 
requests and justifications, drug screening results, workplace medical 
surveillance, and fitness-for-duty test results. One commenter 
suggested that health information related to professional athletes 
should qualify as an employment record.
    Final Modifications. The Department adopts as final the proposed 
language excluding employment records maintained by a covered entity in 
its capacity as an employer from the definition of ``protected health 
information.'' The Department agrees with commenters that the 
regulation should be explicit that it does not apply to a covered 
entity's employer functions and that the most effective means of 
accomplishing this is through the definition of ``protected health 
information.''
    The Department is sensitive to the concerns of commenters that a 
covered entity not abuse its access to an employee's individually 
identifiable health information which it has created or maintains in 
its health care, not its employer, capacity. In responding to these 
concerns, the Department must remain within the boundaries set by the 
statute, which does not include employers per se as covered entities. 
Thus, we cannot regulate employers, even when it is a covered entity 
acting as an employer.
    To address these concerns, the Department clarifies that a covered 
entity must remain cognizant of its dual roles as an employer and as a 
health care provider, health plan, or health care clearinghouse. 
Individually identifiable health information created, received, or 
maintained by a covered entity in its health care capacity is protected 
health information. It does not matter if the individual is a member of 
the covered entity's workforce or not. Thus, the medical record of a 
hospital employee who is receiving treatment at the hospital is 
protected health information and is covered by the Rule, just as the 
medical record of any other patient of that hospital is protected 
health information and covered by the Rule. The hospital may use that 
information only as permitted by the Privacy Rule, and in most cases 
will need the employee's authorization to access or use the medical 
information for employment purposes. When the individual gives his or 
her medical information to the covered entity as the employer, such as 
when submitting a doctor's statement to document sick leave, or when 
the covered entity as employer obtains the employee's written 
authorization for disclosure of protected health information, such as 
an authorization to disclose the results of a fitness for duty 
examination, that medical information becomes part of the employment 
record, and, as such, is no longer protected health information. The 
covered entity as employer, however, may be subject to other laws and 
regulations applicable to the use or disclosure of information in an 
employee's employment record.
    The Department has decided not to add a definition of the term 
``employment records'' to the Rule. The comments indicate that the same 
individually identifiable health information about an individual may be 
maintained by the covered entity in both its employment records and the 
medical records it maintains as a health care provider or enrollment or 
claims records it maintains as a health plan. The Department therefore 
is concerned that a definition of ``employment record'' may lead to the 
misconception that certain types of information are never protected 
health information, and will put the focus incorrectly on the nature of 
the information rather than the reasons for which the covered entity 
obtained the information. For example, drug screening test results will 
be protected health information when the provider administers the test 
to the employee, but will not be protected health information when, 
pursuant to the employee's authorization, the test results are provided 
to the provider acting as employer and placed in the employee's 
employment record. Similarly, the results of a fitness for duty exam 
will be protected health information when the provider administers the 
test to one of its employees, but will not be protected health 
information when the results of the fitness for duty exam are turned 
over to the provider as employer pursuant to the employee's 
authorization.
    Furthermore, while the examples provided by commenters represent 
typical files or records that may be maintained by employers, the 
Department does not believe that it has sufficient information to 
provide a complete definition of employment record. Therefore, the 
Department does not adopt as part of this rulemaking a definition of 
employment record, but does clarify that medical information needed for 
an employer to carry out its obligations under FMLA, ADA, and similar 
laws, as well as files or records related to occupational injury, 
disability insurance eligibility, sick leave requests and 
justifications, drug screening results, workplace medical surveillance, 
and fitness-for-duty tests of employees, may be part of the employment 
records maintained by the covered entity in its role as an employer.

Response to Other Public Comments

    Comment: One commenter requested clarification as to whether the 
term ``employment record'' included the following information that is 
either maintained or transmitted by a fully insured group health plan 
to an insurer or HMO for enrollment and/or disenrollment purposes: (a) 
the identity of an individual including name, address, birth date, 
marital status, dependent information and SSN; (b) the individual's 
choice of plan; (c) the amount of premiums/contributions for coverage 
of the individual; (d) whether the individual is an active employee or 
retired; (e) whether the individual is enrolled in Medicare.
    Response: All of this information is protected health information 
when held by a fully insured group health plan and transmitted to an 
issuer or HMO, and the Privacy Rule applies when the group health plan 
discloses such information to any entity, including the plan sponsor. 
There are special rules in Sec. 164.504(f) which describe the 
conditions for disclosure of protected health information to the plan 
sponsor. If the group health plan received the information from the 
plan sponsor, it becomes protected health information when received by 
the group health plan. The plan sponsor is not the covered entity, so 
this information will not be protected when held by a plan sponsor, 
whether or not it is part of the plan sponsor's ``employment record.''
    Comment: One commenter asked for clarification as to how the 
Department would characterize the following items that a covered entity 
may have: (1) medical file kept separate from the rest of an employment 
record containing (a) doctor's notes; (b) leave requests; (c) physician 
certifications; and (d) positive hepatitis test results; (2) FMLA 
documentation including: (a) physician certification form; and (b) 
leave requests; (3) occupational injury files containing (a) drug 
screening; (b) exposure test results; (c) doctor's notes; and (d) 
medical director's notes.

[[Page 53193]]

    Response: As explained above, the nature of the information does 
not determine whether it is an employment record. Rather, it depends on 
whether the covered entity obtains or creates the information in its 
capacity as employer or in its capacity as covered entity. An 
employment record may well contain some or all of the items mentioned 
by the commenter; but so too might a treatment record. The Department 
also recognizes that the employer may be required by law or sound 
business practice to treat such medical information as confidential and 
maintain it separate from other employment records. It is the function 
being performed by the covered entity and the purpose for which the 
covered entity has the medical information, not its record keeping 
practices, that determines whether the health information is part of an 
employment record or whether it is protected health information.
    Comment: One commenter suggested that the health records of 
professional athletes should qualify as ``employment records.'' As 
such, the records would not be subject to the protections of the 
Privacy Rule.
    Response: Professional sports teams are unlikely to be covered 
entities. Even if a sports team were to be a covered entity, employment 
records of a covered entity are not covered by this Rule. If this 
comment is suggesting that the records of professional athletes should 
be deemed ``employment records'' even when created or maintained by 
health care providers and health plans, the Department disagrees. No 
class of individuals should be singled out for reduced privacy 
protections. As noted in the preamble to the December 2000 Rule, 
nothing in this Rule prevents an employer, such as a professional 
sports team, from making an employee's agreement to disclose health 
records a condition of employment. A covered entity, therefore, could 
disclose this information to an employer pursuant to an authorization.

B. Section 164.502--Uses and Disclosures of Protected Health 
Information: General Rules

1. Incidental Uses and Disclosures
    December 2000 Privacy Rule. The December 2000 Rule did not 
explicitly address incidental uses and disclosures of protected health 
information. Rather, the Privacy Rule generally requires covered 
entities to make reasonable efforts to limit the use or disclosure of, 
and requests for, protected health information to the minimum necessary 
to accomplish the intended purpose. See Sec. 164.502(b). Additionally, 
Sec. 164.530(c) of the Privacy Rule requires covered entities to 
implement appropriate administrative, technical, and physical 
safeguards to reasonably safeguard protected health information from 
any intentional or unintentional use or disclosure that violates the 
Rule.
    Protected health information includes individually identifiable 
health information (with limited exceptions) in any form, including 
information transmitted orally, or in written or electronic form. See 
the definition of ``protected health information'' at Sec. 164.501.
    March 2002 NPRM. After publication of the Privacy Rule, the 
Department received a number of concerns and questions as to whether 
the Privacy Rule's restrictions on uses and disclosures will prohibit 
covered entities from engaging in certain common and essential health 
care communications and practices in use today. In particular, concern 
was expressed that the Privacy Rule establishes absolute, strict 
standards that would not allow for the incidental or unintentional 
disclosures that could occur as a by-product of engaging in these 
health care communications and practices. It was argued that the 
Privacy Rule would, in effect, prohibit such practices and, therefore, 
impede many activities and communications essential to effective and 
timely treatment of patients.
    For example, some expressed concern that health care providers 
could no longer engage in confidential conversations with other 
providers or with patients, if there is a possibility that they could 
be overheard. Similarly, others questioned whether they would be 
prohibited from using sign-in sheets in waiting rooms or maintaining 
patient charts at bedside, or whether they would need to isolate X-ray 
lightboards or destroy empty prescription vials. These concerns seemed 
to stem from a perception that covered entities are required to prevent 
any incidental disclosure such as those that may occur when a visiting 
family member or other person not authorized to access protected health 
information happens to walk by medical equipment or other material 
containing individually identifiable health information, or when 
individuals in a waiting room sign their name on a log sheet and 
glimpse the names of other patients.
    The Department, in its July 6 guidance, clarified that the Privacy 
Rule is not intended to impede customary and necessary health care 
communications or practices, nor to require that all risk of incidental 
use or disclosure be eliminated to satisfy its standards. The guidance 
promised that the Department would propose modifications to the Privacy 
Rule to clarify that such communications and practices may continue, if 
reasonable safeguards are taken to minimize the chance of incidental 
disclosure to others.
    Accordingly, the Department proposed to modify the Privacy Rule to 
add a new provision at Sec. 164.502(a)(1)(iii) which would explicitly 
permit certain incidental uses and disclosures that occur as a result 
of a use or disclosure otherwise permitted by the Privacy Rule. The 
proposal described an incidental use or disclosure as a secondary use 
or disclosure that cannot reasonably be prevented, is limited in 
nature, and that occurs as a by-product of an otherwise permitted use 
or disclosure. The Department proposed that an incidental use or 
disclosure be permissible only to the extent that the covered entity 
had applied reasonable safeguards as required by Sec. 164.530(c), and 
implemented the minimum necessary standard, where applicable, as 
required by Secs. 164.502(b) and 164.514(d).
    Overview of Public Comments. The following discussion provides an 
overview of the public comment received on this proposal. Additional 
comments received on this issue are discussed below in the section 
entitled, ``Response to Other Public Comments.''
    The Department received many comments on its proposal to permit 
certain incidental uses and disclosures, the majority of which 
expressed strong support for the proposal. Many of these commenters 
indicated that such a policy would help to ensure that essential health 
care communications and practices are not chilled by the Privacy Rule. 
A few commenters opposed the Department's proposal to permit certain 
incidental uses and disclosures, one of whom asserted that the burden 
on medical staff to take precautions not to be overheard is minimal 
compared to the potential harm to patients if incidental disclosures 
were to be considered permissible.
    Final Modifications. In response to the overwhelming support of 
commenters on this proposal, the Department adopts the proposed 
provision at Sec. 164.502(a)(1)(iii), explicitly permitting certain 
incidental uses and disclosures that occur as a by-product of a use or 
disclosure otherwise permitted under the Privacy Rule. As in the 
proposal, an incidental use or disclosure is permissible only to the 
extent that the covered entity has applied reasonable safeguards as

[[Page 53194]]

required by Sec. 164.530(c), and implemented the minimum necessary 
standard, where applicable, as required by Secs. 164.502(b) and 
164.514(d). The Department continues to believe, as was stated in the 
proposed Rule, that so long as reasonable safeguards are employed, the 
burden of impeding such communications is not outweighed by any 
benefits that may accrue to individuals' privacy interests.
    However, an incidental use or disclosure that occurs as a result of 
a failure to apply reasonable safeguards or the minimum necessary 
standard, where required, is not a permissible use or disclosure and, 
therefore, is a violation of the Privacy Rule. For example, a hospital 
that permits an employee to have unimpeded access to patients' medical 
records, where such access is not necessary for the employee to do her 
job, is not applying the minimum necessary standard and, therefore, any 
incidental use or disclosure that results from this practice would be 
an unlawful use or disclosure under the Privacy Rule.
    In response to the few comments that opposed the proposal to permit 
certain incidental uses and disclosures, the Department reiterates that 
the Privacy Rule must not impede essential health care communications 
and practices. Prohibiting all incidental uses and disclosures would 
have a chilling effect on normal and important communications among 
providers, and between providers and their patients, and, therefore, 
would negatively affect individuals' access to quality health care. The 
Department does not intend with this provision to obviate the need for 
medical staff to take precautions to avoid being overheard, but rather, 
will only allow incidental uses and disclosures where appropriate 
precautions have been taken.
    The Department clarifies, in response to a comment, that this 
provision applies, subject to reasonable safeguards and the minimum 
necessary standard, to an incidental use or disclosure that occurs as a 
result of any permissible use or disclosure under the Privacy Rule made 
to any person, and not just to incidental uses and disclosures 
resulting from treatment communications or only to communications among 
health care providers or other medical staff. For example, a provider 
may instruct an administrative staff member to bill a patient for a 
particular procedure, and may be overheard by one or more persons in 
the waiting room. Assuming that the provider made reasonable efforts to 
avoid being overheard and reasonably limited the information shared, an 
incidental disclosure resulting from such conversation is permissible 
under the Rule.
    In the proposal, the Department did not address whether or not 
incidental disclosures would need to be included in the accounting of 
disclosures required by Sec. 164.528. However, one commenter urged the 
Department to exclude incidental disclosures from the accounting. The 
Department agrees with this commenter and clarifies that covered 
entities are not required to include incidental disclosures in an 
accounting of disclosures provided to the individual pursuant to 
Sec. 164.528. The Department does not believe such a requirement would 
be practicable; in many instances, the covered entity may not know that 
an incidental disclosure occurred. To make this policy clear, the 
Department includes an explicit exception for such disclosures to the 
accounting standard at Sec. 164.528(a)(1).

Response to Other Public Comments

    Comment: One commenter expressed concern that the requirement 
reasonably to safeguard protected health information would be 
problematic because any unintended use or disclosure could arguably 
demonstrate a failure to ``reasonably safeguard.'' This commenter 
requested that the Department either delete the language in 
Sec. 164.530(c)(2)(ii) or modify the language to make clear that the 
fact that an incidental use or disclosure occurs does not imply that 
safeguards were not reasonable.
    Response: The Department clarifies that the fact that an incidental 
use or disclosure occurs does not by itself imply that safeguards were 
not reasonable. However, the Department does not believe that a 
modification to the proposed language is necessary to express this 
intent. The language proposed and now adopted at Sec. 164.530(c)(2)(ii) 
requires only that the covered entity reasonably safeguard protected 
health information to limit incidental uses or disclosures, not that 
the covered entity prevent all incidental uses and disclosures. Thus, 
the Department expects that incidental uses and disclosures will occur 
and permits such uses and disclosures to the extent the covered entity 
has in place reasonable safeguards and has applied the minimum 
necessary standard, where applicable.
    Comment: Another commenter requested that the Department clarify 
its proposal to assure that unintended disclosures will not result in 
civil penalties.
    Response: The Department's authority to impose civil monetary 
penalties on violations of the Privacy Rule is defined in HIPAA. 
Specifically, HIPAA added section 1176 to the Social Security Act, 
which prescribes the Secretary's authority to impose civil monetary 
penalties. Therefore, in the case of a violation of a disclosure 
provision in the Privacy Rule, a penalty may not be imposed, among 
other things, if the person liable for the penalty did not know and, by 
exercising reasonable diligence would not have known, that such person 
violated the provision. HIPAA also provides for criminal penalties 
under certain circumstances, but the Department of Justice, not this 
Department, has authority for criminal penalties.
    Comment: One commenter requested that the Department clarify how 
covered entities should implement technical and physical safeguards 
when they do not yet know what safeguards the final Security Rule will 
require.
    Response: Each covered entity should assess the nature of the 
protected health information it holds, and the nature and scope of its 
business, and implement safeguards that are reasonable for its 
particular circumstances. There should be no potential for conflict 
between the safeguards required by the Privacy Rule and the final 
Security Rule standards, for several reasons. First, while the Privacy 
Rule applies to protected health information in all forms, the Security 
Rule will apply only to electronic health information systems that 
maintain or transmit individually identifiable health information. 
Thus, all safeguards for protected health information in oral, written, 
or other non-electronic forms will be unaffected by the Security Rule. 
Second, in preparing the final Security Rule, the Department is working 
to ensure the Security Rule requirements for electronic information 
systems work ``hand in glove'' with any relevant requirements in the 
Privacy Rule, including Sec. 164.530.
    Comment: One commenter argued that while this new provision is 
helpful, it does not alleviate covered entities' concerns that routine 
practices, often beneficial for treatment, will be prohibited by the 
Privacy Rule. This commenter stated that, for example, specialists 
provide certain types of therapy to patients in a group setting, and, 
in some cases, where family members are also present.
    Response: The Department reiterates that the Privacy Rule is not 
intended to impede common health care communications and practices that 
are essential in providing health care to the individual. Further, the 
Privacy Rule's new provision permitting certain incidental uses and 
disclosures is

[[Page 53195]]

intended to increase covered entities' confidence that such practices 
can continue even where an incidental use or disclosure may occur, 
provided that the covered entity has taken reasonable precautions to 
safeguard and limit the protected health information disclosed. For 
example, this provision should alleviate concerns that common 
practices, such as the use of sign-in sheets and calling out names in 
waiting rooms will not violate the Rule, so long as the information 
disclosed is appropriately limited. With regard to the commenters' 
specific example, disclosure of protected health information in a group 
therapy setting would be a treatment disclosure, and thus permissible 
without individual authorization. Further, Sec. 164.510(b) generally 
permits a covered entity to disclose protected health information to a 
family member or other person involved in the individual's care. In 
fact, this section specifically provides that, where the individual is 
present during a disclosure, the covered entity may disclose protected 
health information if it is reasonable to infer from the circumstances 
that the individual does not object to the disclosure. Absent 
countervailing circumstances, the individual's agreement to participate 
in group therapy or family discussions is a good basis for such a 
reasonable inference. As such disclosures are permissible disclosures 
in and of themselves, they would not be incidental disclosures.
    Comment: Some commenters, while in support of permitting incidental 
uses and disclosures, requested that the Department provide additional 
guidance in this area by providing additional examples of permitted 
incidental uses and disclosures and/or clarifying what would constitute 
``reasonable safeguards.''
    Response: The reasonable safeguards and minimum necessary standards 
are flexible and adaptable to the specific business needs and 
circumstances of the covered entity. Given the discretion covered 
entities have in implementing these standards, it is difficult for the 
Department to provide specific guidance in this area that is generally 
applicable to many covered entities. However, the Department intends to 
provide future guidance through frequently asked questions or other 
materials in response to specific scenarios that are raised by 
industry.
2. Minimum Necessary Standard
    December 2000 Privacy Rule. The Privacy Rule generally requires 
covered entities to make reasonable efforts to limit the use or 
disclosure of, and requests for, protected health information to the 
minimum necessary to accomplish the intended purpose. See 
Sec. 164.502(b). Protected health information includes individually 
identifiable health information (with limited exceptions) in any form, 
including information transmitted orally, or in written or electronic 
form. See the definition of ``protected health information'' at 
Sec. 164.501. The minimum necessary standard is intended to make 
covered entities evaluate their practices and enhance protections as 
needed to limit unnecessary or inappropriate access to, and disclosures 
of, protected health information.
    The Privacy Rule contains some exceptions to the minimum necessary 
standard. The minimum necessary requirements do not apply to uses or 
disclosures that are required by law, disclosures made to the 
individual or pursuant to an authorization initiated by the individual, 
disclosures to or requests by a health care provider for treatment 
purposes, uses or disclosures that are required for compliance with the 
regulations implementing the other administrative simplification 
provisions of HIPAA, or disclosures to the Secretary of HHS for 
purposes of enforcing this Rule. See Sec. 164.502(b)(2).
    The Privacy Rule sets forth requirements for implementing the 
minimum necessary standard with regard to a covered entity's uses, 
disclosures, and requests at Sec. 164.514(d). A covered entity is 
required to develop and implement policies and procedures appropriate 
to the entity's business practices and workforce that reasonably 
minimize the amount of protected health information used, disclosed, 
and requested. For uses of protected health information, the policies 
and procedures must identify the persons or classes of persons within 
the covered entity who need access to the information to carry out 
their job duties, the categories or types of protected health 
information needed, and the conditions appropriate to such access. For 
routine or recurring requests and disclosures, the policies and 
procedures may be standard protocols. Non-routine requests for, and 
disclosures of, protected health information must be reviewed 
individually.
    With regard to disclosures, the Privacy Rule permits a covered 
entity to rely on the judgment of certain parties requesting the 
disclosure as to the minimum amount of information that is needed. For 
example, a covered entity is permitted reasonably to rely on 
representations from a public official, such as a State workers' 
compensation official, that the information requested is the minimum 
necessary for the intended purpose. Similarly, a covered entity is 
permitted reasonably to rely on the judgment of another covered entity 
that the information requested is the minimum amount of information 
reasonably necessary to fulfill the purpose for which the request has 
been made. See Sec. 164.514(d)(3)(iii).
    March 2002 NPRM. The Department proposed a number of minor 
modifications to the minimum necessary standard to clarify the 
Department's intent or otherwise conform these provisions to other 
proposed modifications. First, the Department proposed to separate 
Sec. 164.502(b)(2)(ii) into two subparagraphs (Sec. 164.502(b)(2)(ii) 
and (iii)) to eliminate confusion regarding the exception to the 
minimum necessary standard for uses or disclosures made pursuant to an 
authorization under Sec. 164.508, and the separate exception for 
disclosures made to the individual. Second, to conform to the proposal 
to eliminate the special authorizations required by the Privacy Rule at 
Sec. 164.508(d), (e), and (f), the Department proposed to exempt from 
the minimum necessary standard any uses or disclosures for which the 
covered entity had received an authorization that meets the 
requirements of Sec. 164.508, rather than just those authorizations 
initiated by the individual.
    Third, the Department proposed to modify Sec. 164.514(d)(1) to 
delete the term ``reasonably ensure'' in response to concerns that the 
term connotes an absolute, strict standard and, therefore, is 
inconsistent with the Department's intent that the minimum necessary 
requirements be reasonable and flexible to the unique circumstances of 
the covered entity. In addition, the Department proposed to generally 
revise the language in Sec. 164.514(d)(1) to be more consistent with 
the description of standards elsewhere in the Privacy Rule.
    Fourth, so that the minimum necessary standard would be applied 
consistently to requests for, and disclosures of, protected health 
information, the Department proposed to add a provision to 
Sec. 164.514(d)(4) to make the implementation specifications for 
applying the minimum necessary standard to requests for protected 
health information by a covered entity more consistent with the 
corresponding implementation specifications for disclosures. 
Specifically, for requests not made on a routine and recurring basis, 
the Department proposed to add the requirement that a covered entity 
must implement the minimum

[[Page 53196]]

necessary standard by developing and implementing criteria designed to 
limit its request for protected health information to the minimum 
necessary to accomplish the intended purpose.
    Overview of Public Comments. The following discussion provides an 
overview of the public comment received on this proposal. Additional 
comments received on this issue are discussed below in the section 
entitled, ``Response to Other Public Comments.''
    The Department received a number of comments on its proposal to 
exempt from the minimum necessary standard any use or disclosure of 
protected health information for which the covered entity has received 
an authorization that meets the requirements of Sec. 164.508. Many 
commenters supported this proposal. A few commenters generally urged 
that the minimum necessary standard be applied to uses and disclosures 
pursuant to an authorization. A few other commenters appeared to 
misinterpret the policy in the December 2000 Rule and urged that the 
Department retain the minimum necessary standard for disclosures 
``pursuant to an authorization other than disclosures to an 
individual.'' Some commenters raised specific concerns about 
authorizations for psychotherapy notes and the particular need for 
minimum necessary to be applied in these cases.
    A number of commenters expressed support for the Department's 
statements in the preamble to the proposed Rule reinforcing that the 
minimum necessary standard is intended to be flexible to account for 
the characteristics of the entity's business and workforce, and not 
intended to override the professional judgment of the covered entity. 
Similarly, some commenters expressed support for the Department's 
proposal to remove the term ``reasonably ensure'' from 
Sec. 164.514(d)(1). However, a few commenters expressed concerns that 
the proposed alternative language actually would implement a stricter 
standard than that included in the December 2000 Privacy Rule.
    Final Modifications. In this final Rule, the Department adopts the 
proposed policy to exempt from the minimum necessary standard any uses 
or disclosures for which the covered entity has received an 
authorization that meets the requirements of Sec. 164.508. The final 
modification adopts the proposal to eliminate the special 
authorizations that were required by the December 2000 Privacy Rule at 
Sec. 164.508(d), (e), and (f). (See section III.E.1. of the preamble 
for a detailed discussion of the modifications to the authorization 
requirements of the Privacy Rule.) Since the only authorizations to 
which the minimum necessary standard applied are being eliminated in 
favor of a single consolidated authorization, the final Rule 
correspondingly eliminates the minimum necessary provisions that 
applied to the now-eliminated special authorizations. All uses and 
disclosures made pursuant to any authorization are exempt from the 
minimum necessary standard.
    In response to commenters who opposed this proposal as a potential 
weakening of privacy protections or who wanted the minimum necessary 
requirements to apply to authorizations other than disclosures to the 
individual, the Department notes that nothing in the final Rule 
eliminates an individual's control over his or her protected health 
information with respect to an authorization. All authorizations must 
include a description of the information to be used and disclosed that 
identifies the information in a specific and meaningful fashion as 
required by Sec. 164.508(c)(1)(i). If the individual does not wish to 
release the information requested, the individual has the right to not 
sign the authorization or to negotiate a narrower authorization with 
the requestor.
    Additionally, in response to those commenters who raised specific 
concerns with respect to authorizations which request release of 
psychotherapy notes, the Department clarifies that the final Rule does 
not require a covered entity to use and disclose protected health 
information pursuant to an authorization. Rather, as with most other 
uses and disclosures under the Privacy Rule, this is only a permissible 
use or disclosure. If a covered health care provider is concerned that 
a request for an individual's psychotherapy notes is not warranted or 
is excessive, the provider may consult with the individual to determine 
whether or not the authorization is consistent with the individual's 
wishes.
    Further, the Privacy Rule does not permit a health plan to 
condition enrollment, eligibility for benefits, or payment of a claim 
on obtaining the individual's authorization to use or disclose 
psychotherapy notes. Nor may a health care provider condition treatment 
on an authorization for the use or disclosure of psychotherapy notes. 
Thus, the Department believes that these additional protections 
appropriately and effectively protect an individual's privacy with 
respect to psychotherapy notes.
    The final Rule also retains for clarity the proposal to separate 
Sec. 164.502(b)(2)(ii) into two subparagraphs (Sec. 164.502(b)(2)(ii) 
and (iii)); commenters did not explicitly address or raise issues with 
this proposed clarification.
    In response to concerns that the proposed language at 
Sec. 164.514(d)(1) would implement a stricter standard, the Department 
disagrees and, therefore, adopts the proposed language. The language in 
Sec. 164.514(d)(1) describes the standard: covered entities are 
required to meet the requirements in the implementation specifications 
of Sec. 164.514(d)(2) through (d)(5). The implementation specifications 
describe what covered entities must do reasonably to limit uses, 
disclosures, and requests to the minimum necessary. Thus, the 
Department believes that the language in the implementation 
specifications is adequate to reflect the Department's intent that the 
minimum necessary standard is reasonable and flexible to accommodate 
the unique circumstances of the covered entity.
    Commenters also generally did not address the Department's proposed 
clarification to make the implementation specifications for requests of 
protected health information consistent with those for disclosures of 
protected health information. Consequently, as commenters did not raise 
concerns with the proposal, this final Rule adopts the proposed 
provision at Sec. 164.514(d)(4). For requests of protected health 
information not made on a routine and recurring basis, a covered entity 
must implement the minimum necessary standard by developing and 
implementing criteria designed to limit its request for protected 
health information to the minimum necessary to accomplish the intended 
purpose.

Response to Other Public Comments

    Comment: Many commenters recommended changes to the minimum 
necessary standard unrelated to the proposed modifications. For 
example, some commenters urged that the Department exempt from the 
minimum necessary standard all uses of protected health information, or 
at least uses of protected health information for treatment purposes. 
Alternatively, one commenter urged that the minimum necessary standard 
be applied to disclosures for treatment purposes. Others requested that 
the Department exempt uses and disclosures for payment and health care 
operations from the standard, or exempt disclosures to another covered 
entity for such purposes. A few commenters argued that the minimum 
necessary standard should not apply to disclosures to another covered 
entity. Some urged that the minimum

[[Page 53197]]

necessary standard be eliminated entirely.
    Response: The Department did not propose modifications relevant to 
these comments, nor did it seek comment on these issues. The proposed 
modifications generally were intended to address those problems or 
issues that presented workability problems for covered entities or 
otherwise had the potential to impede an individual's timely access to 
quality health care. Moreover, the proposed modifications to the 
minimum necessary standard were either minor clarifications of the 
Department's intent with respect to the standard or would conform the 
standard to other proposed modifications. The Department has, in 
previous guidance as well as in the preamble to the December 2000 
Privacy Rule, explained its position with respect to the above 
concerns. The minimum necessary standard is derived from 
confidentiality codes and practices in common use today. We continue to 
believe that it is sound practice not to use or disclose private 
medical information that is not necessary to satisfy a request or 
effectively carry out a function. The privacy benefits of retaining the 
minimum necessary standard outweigh the burden involved with 
implementing the standard. The Department reiterates that position 
here.
    Further, the Department designed the minimum necessary standard to 
be sufficiently flexible to accommodate the various circumstances of 
any covered entity. Covered entities will develop their own policies 
and procedures to meet this standard. A covered entity's policies and 
procedures may and should allow the appropriate individuals within an 
entity to have access to protected health information as necessary to 
perform their jobs with respect to the entity's covered functions. The 
Department is not aware of any workability issues with this standard.
    With respect to disclosures to another covered entity, the Privacy 
Rule permits a covered entity reasonably to rely on another covered 
entity's request for protected health information as the minimum 
necessary for the intended disclosure. See Sec. 164.514(d)(3)(iii). The 
Department does not believe, therefore, that a blanket exception for 
such disclosures is justified. The covered entity who holds the 
information always retains discretion to make its own minimum necessary 
determination.
    Lastly, the Department continues to believe that the exception for 
disclosures to or requests by health care providers for treatment 
purposes is appropriate to ensure that access to timely and quality 
treatment is not impeded.
    As the Privacy Rule is implemented, the Department will monitor the 
workability of the minimum necessary standard and consider proposing 
revisions, where appropriate, to ensure that the Privacy Rule does not 
hinder timely access to quality health care.
    Comment: One commenter requested that the Department state in the 
preamble that the minimum necessary standard may not be used to 
interfere with or obstruct essential health plan payment and health 
care operations activities, including quality assurance, disease 
management, and other activities. Another commenter asked that the 
final Rule's preamble acknowledge that, in some cases, the minimum 
protected health information necessary for payment or health care 
operations will be the entire record. One commenter urged that the Rule 
be modified to presume that disclosure of a patient's entire record is 
justified, and that such disclosure does not require individual review, 
when requested for disease management purposes.
    Response: The minimum necessary standard is not intended to impede 
essential treatment, payment, or health care operations activities of 
covered entities. Nor is the Rule intended to change the way covered 
entities handle their differences with respect to disclosures of 
protected health information. The Department recognizes that, in some 
cases, an individual's entire medical record may be necessary for 
payment or health care operations purposes, including disease 
management purposes. However, the Department does not believe that 
disclosure of a patient's entire medical record is always justified for 
such purposes. The Privacy Rule does not prohibit the request for, or 
release of, entire medical records in such circumstances, provided that 
the covered entity has documented the specific justification for the 
request or disclosure of the entire record.
    Comment: A few commenters requested that the Department add to the 
regulatory text some of the statements included in the preamble to the 
proposed modifications. For example, commenters asked that the final 
Rule state that the minimum necessary standard is ``intended to be 
consistent with, and not override, professional judgement and 
standards.'' Similarly, others requested that the regulation specify 
that ``covered entities must implement policies and procedures based on 
their own assessment of what protected health information is reasonably 
necessary for a particular purpose, given the characteristics of their 
business and their workforce, and using their own professional 
judgment.''
    Response: It is the Department's policy that the minimum necessary 
standard is intended to be consistent with, and not override, 
professional judgment and standards, and that covered entities must 
implement policies and procedures based on their own assessment of what 
protected health information is reasonably necessary for a particular 
purpose, given the characteristics of their business and their 
workforce. However, the Department does not believe a regulatory 
modification is necessary because the Department has made its policy 
clear not only in the preamble to the proposed modifications but also 
in previous guidance and in this preamble.
    Comment: A commenter argued that the Department should exempt 
disclosures for any of the standard transactions as required by the 
Transactions Rule, when information is requested by a health plan or 
its business associate.
    Response: The Department disagrees. The Privacy Rule already 
exempts from the minimum necessary standard data elements that are 
required or situationally required in any of the standard transactions 
(Sec. 164.502(b)(2)(v)). If, however, a standard transaction permits 
the use of optional data elements, the minimum necessary standard 
applies. For example, the standard transactions adopted for the 
outpatient pharmacy sector use optional data elements. The payer 
currently specifies which of the optional data elements are needed for 
payment of its particular pharmacy claims. The minimum necessary 
standard applies to the payer's request for such information. A 
pharmacist is permitted to rely on the payer's request for information, 
if reasonable to do so, as the minimum necessary for the intended 
disclosure.
    Comment: A few commenters expressed concerns with respect to a 
covered entity's disclosures for research purposes. Specifically, one 
commenter was concerned that a covered entity will not accept 
documentation of an external IRB's waiver of authorization for purposes 
of reasonably relying on the request as the minimum necessary. It was 
suggested that the Department deem that a disclosure to a researcher 
based on appropriate documentation from an IRB or Privacy Board meets 
the minimum necessary standard.
    Response: The Department understands commenters' concerns that 
covered entities may decline to

[[Page 53198]]

participate in research studies, but believes that the Rule already 
addresses this concern. The Privacy Rule explicitly permits a covered 
entity reasonably to rely on a researcher's documentation or the 
representations of an IRB or Privacy Board pursuant to Sec. 164.512(i) 
that the information requested is the minimum necessary for the 
research purpose. This is true regardless of whether the documentation 
is obtained from an external IRB or Privacy Board or one that is 
associated with the covered entity. The preamble to the March 2002 NPRM 
further reinforced this policy by stating that reasonable reliance on 
an IRB's documentation of approval of the waiver criteria and a 
description of the data needed for the research as required by 
Sec. 164.512(i) would satisfy a covered entity's obligations with 
respect to limiting the disclosure to the minimum necessary. The 
Department reiterates this policy here and believes that this should 
give covered entities sufficient confidence in accepting IRB waivers of 
authorization.
    Comment: A number of commenters requested that the Department limit 
the amount of information that pharmacy benefits managers (PBM) may 
demand from pharmacies as part of their claims payment activities.
    Response: The health plan, as a covered entity, is obligated to 
instruct the PBM, as its business associate acting through the business 
associate contract, to request only the minimum amount of information 
necessary to pay a claim. The pharmacist may rely on this determination 
if reasonable to do so, and then does not need to engage in a separate 
minimum necessary assessment. If a pharmacist does not agree that the 
amount of information requested is reasonably necessary for the PBM to 
fulfill its obligations, it is up to the pharmacist and PBM to 
negotiate a resolution of the dispute as to the amount of information 
needed by the PBM to carry out its obligations and that the pharmacist 
is willing to provide, recognizing that the PBM is not required to pay 
claims if it has not received the information it believes is necessary 
to process the claim in accordance with its procedures, including fraud 
prevention procedures.
    The standard for electronic pharmacy claims, adopted by the 
Secretary in the Transactions Rule, includes optional data elements and 
relies on each payer to specify the data elements required for payment 
of its claims. Understandably, the majority of health plans require 
some patient identification elements in order to adjudicate claims. As 
the National Council for Prescription Drug Programs (NCPDP) moves from 
optional to required and situational data elements, the question of 
whether the specific element of ``patient name'' should be required or 
situational will be debated by the NCPDP, by the Designated Standards 
Maintenance Organizations, by the National Committee on Vital and 
Health Statistics, and ultimately will be decided in rulemaking by the 
Secretary.
    Comment: One commenter requested that the minimum necessary 
standard be made an administrative requirement rather than a standard 
for uses and disclosures, to ease liability concerns with implementing 
the standard. The commenter stated that this change would mean that 
covered entities would be required to implement reasonable minimum 
necessary policies and procedures and would be liable if: (1) They fail 
to implement minimum necessary policies and procedures; (2) their 
policies and procedures are not reasonable; or (3) they fail to enforce 
their policies and procedures. The commenter further explained that 
health plans would be liable if their policies and procedures for 
requesting health information were unreasonable, but the burden of 
liability for the request shifts largely to the entity best suited to 
determine whether the amount of information requested is the minimum 
necessary.
    Response: The Privacy Rule already requires covered entities to 
implement reasonable minimum necessary policies and procedures and to 
limit any use, disclosure, or request for protected health information 
in a manner consistent with its policies and procedures. The minimum 
necessary standard is an appropriate standard for uses and disclosures, 
and is not merely an administrative requirement. The Privacy Rule 
provides adequate flexibility to adopt minimum necessary policies and 
procedures that are workable for the covered entity, thereby minimizing 
a covered entity's liability concerns.
    Comment: A number of commenters expressed concerns about 
application of the minimum necessary standard to disclosures for 
workers' compensation purposes. Commenters argued that the standard 
will prevent workers' compensation insurers and State administrators, 
as well as employers, from obtaining the information needed to pay 
injured workers the benefits guaranteed under the State workers' 
compensation system. They also argued that the minimum necessary 
standard could lead to fraudulent claims and unnecessary legal action 
in order to obtain information needed for workers' compensation 
purposes.
    Response: The Privacy Rule is not intended to disrupt existing 
workers' compensation systems as established by State law. In 
particular, the Rule is not intended to impede the flow of health 
information that is needed by employers, workers' compensation 
carriers, or State officials in order to process or adjudicate claims 
and/or coordinate care under the workers' compensation system. To this 
end, the Privacy Rule at Sec. 164.512(l) explicitly permits a covered 
entity to disclose protected health information as authorized by, and 
to the extent necessary to comply with, workers' compensation or other 
similar programs established by law that provide benefits for work-
related injuries or illnesses without regard to fault. The minimum 
necessary standard permits covered entities to disclose any protected 
health information under Sec. 164.512(l) that is reasonably necessary 
for workers' compensation purposes and is intended to operate so as to 
permit information to be shared for such purposes to the full extent 
permitted by State or other law.
    Additionally, where a State or other law requires a disclosure of 
protected health information for workers' compensation purposes, such 
disclosure is permitted under Sec. 164.512(a). A covered entity also is 
permitted to disclose protected health information to a workers' 
compensation insurer where the insurer has obtained the individual's 
authorization pursuant to Sec. 164.508 for the release of such 
information. The minimum necessary provisions do not apply to 
disclosures required by law or made pursuant to authorizations. See 
Sec. 164.502(b), as modified herein.
    Further, the Department notes that a covered entity is permitted to 
disclose information to any person or entity as necessary to obtain 
payment for health care services. The minimum necessary provisions 
apply to such disclosures but permit the covered entity to disclose the 
amount and types of information that are necessary to obtain payment.
    The Department also notes that because the disclosures described 
above are permitted by the Privacy Rule, there is no potential for 
conflict with State workers' compensation laws, and, thus, no 
possibility of preemption of such laws by the Privacy Rule.
    The Department's review of certain States workers' compensation 
laws demonstrates that many of these laws address the issue of the 
scope of information that is available to carriers and employers. The 
Privacy Rule's minimum necessary standard will not create an obstacle 
to the type and

[[Page 53199]]

amount of information that currently is provided to employers, workers' 
compensation carriers, and State administrative agencies under these 
State laws. In many cases, the minimum necessary standard will not 
apply to disclosures made pursuant to such laws. In other cases, the 
minimum necessary standard applies, but permits disclosures to the full 
extent authorized by the workers' compensation laws. For example, Texas 
workers' compensation law requires a health care provider, upon the 
request of the injured employee or insurance carrier, to furnish 
records relating to the treatment or hospitalization for which 
compensation is being sought. Since such disclosure is required by law, 
it also is permissible under the Privacy Rule at Sec. 164.512(a) and 
exempt from the minimum necessary standard. The Texas law further 
provides that a health care provider is permitted to disclose to the 
insurance carrier records relating to the diagnosis or treatment of the 
injured employee without the authorization of the injured employee to 
determine the amount of payment or the entitlement to payment. Since 
the disclosure only is permitted and not required by Texas law, the 
provisions at Sec. 164.512(l) would govern to permit such disclosure. 
In this case, the minimum necessary standard would apply to the 
disclosure but would allow for information to be disclosed as 
authorized by the statute, that is, as necessary to ``determine the 
amount of payment or the entitlement to payment.''
    As another example, under Louisiana workers' compensation law, a 
health care provider who has treated an employee related to a workers' 
compensation claim is required to release any requested medical 
information and records relative to the employee's injury to the 
employer or the workers' compensation insurer. Again, since such 
disclosure is required by law, it is permissible under the Privacy Rule 
at Sec. 164.512(a) and exempt from the minimum necessary standard. The 
Louisiana law further provides that any information relative to any 
other treatment or condition shall be available to the employer or 
workers' compensation insurer through a written release by the 
claimant. Such disclosure also would be permissible and exempt from the 
minimum necessary standard under the Privacy Rule if the individual's 
written authorization is obtained consistent with the requirements of 
Sec. 164.508.
    The Department understands concerns about the potential chilling 
effect of the Privacy Rule on the workers' compensation system. 
Therefore, as the Privacy Rule is implemented, the Department will 
actively monitor the effects of the Rule on this industry to assure 
that the Privacy Rule does not have any unintended negative effects 
that disturb the existing workers' compensation systems. If the 
Department finds that, despite the above clarification of intent, the 
Privacy Rule is being misused and misapplied to interfere with the 
smooth operation of the workers' compensation systems, it will consider 
proposing modifications to the Rule to clarify the application of the 
minimum necessary standard to disclosures for workers' compensation 
purposes.
    Comment: Another commenter urged the Department to clarify that a 
covered entity can reasonably rely on a determination made by a 
financial institution or credit card payment system regarding the 
minimum necessary information needed by that financial institution or 
payment system to complete a contemplated payment transaction.
    Response: Except to the extent information is required or 
situationally required for a standard payment transaction (see 45 CFR 
162.1601, 162.1602), the minimum necessary standard applies to a 
covered entity's disclosure of protected health information to a 
financial institution in order to process a payment transaction. With 
limited exceptions, the Privacy Rule does not allow a covered entity to 
substitute the judgment of a private, third party for its own 
assessment of the minimum necessary information for a disclosure. Under 
the exceptions in Sec. 164.514(d)(3)(iii), a covered entity is 
permitted reasonably to rely on the request of another covered entity 
because, in this case, the requesting covered entity is itself subject 
to the minimum necessary standard and, therefore, required to limit its 
request to only that information that is reasonably necessary for the 
purpose. Thus, the Department does not agree that a covered entity 
should generally be permitted reasonably to rely on the request of a 
financial institution as the minimum necessary. However, the Department 
notes that where, for example, a financial institution is acting as a 
business associate of a covered entity, the disclosing covered entity 
may reasonably rely on a request from such financial institution, 
because in this situation, both the requesting and disclosing entity 
are subject to the minimum necessary standard.
    Comment: A number of commenters continued to request additional 
guidance with respect to implementing this discretionary standard. Many 
expressed support for the statement in the NPRM that HHS intends to 
issue further guidance to clarify issues causing confusion and concern 
in industry, as well as provide additional technical assistance 
materials to help covered entities implement the provisions.
    Response: The Department is aware of the need for additional 
guidance in this area and intends to provide technical assistance and 
further clarifications as necessary to address these concerns and 
questions.
3. Parents as Personal Representatives of Unemancipated Minors \1\
---------------------------------------------------------------------------

    \1\ Throughout this section of the preamble, ``minor'' refers to 
an unemancipated minor and ``parent'' refers to a parent, guardian, 
or other person acting in loco parentis.
---------------------------------------------------------------------------

    December 2000 Privacy Rule. The Privacy Rule is intended to assure 
that parents have appropriate access to health information about their 
children. By creating new Federal protections and individual rights 
with respect to individually identifiable health information, parents 
will generally have new rights with respect to the health information 
about their minor children. In addition, the Department intended that 
the disclosure of health information about a minor child to a parent 
should be governed by State or other applicable law.
    Under the Privacy Rule, parents are granted new rights as the 
personal representatives of their minor children. (See 
Sec. 164.502(g).) Generally, parents will be able to access and control 
the health information about their minor children. (See 
Sec. 164.502(g)(3).)
    The Privacy Rule recognizes a limited number of exceptions to this 
general rule. These exceptions generally track the ability under State 
or other applicable laws of certain minors to obtain specified health 
care without parental consent. For example, every State has a law that 
permits adolescents to be tested for HIV without the consent of a 
parent. These laws are created to assure that adolescents will seek 
health care that is essential to their own health, as well as the 
public health. In these exceptional cases, where a minor can obtain a 
particular health care service without the consent of a parent under 
State or other applicable law, it is the minor, and not the parent, who 
may exercise the privacy rights afforded to individuals under the 
December 2000 Privacy Rule. (See Sec. 164.502(g)(3)(i) and (ii), 
redesignated as Sec. 164.502(g)(3)(i)(A) and (B)).
    The December 2000 Privacy Rule also allows the minor to exercise 
control of

[[Page 53200]]

protected health information when the parent has agreed to the minor 
obtaining confidential treatment (see Sec. 164.502(g)(3)(iii), 
redesignated as Sec. 164.502(g)(3)(i)(C) in this final Rule), and 
allows a covered health care provider to choose not to treat a parent 
as a personal representative of the minor when the provider is 
concerned about abuse or harm to the child. (See Sec. 164.502(g)(5).)
    Of course, a covered provider may disclose health information about 
a minor to a parent in the most critical situations, even if one of the 
limited exceptions discussed above apply. Disclosure of such 
information is always permitted as necessary to avert a serious and 
imminent threat to the health or safety of the minor. (See 
Sec. 164.512(j).) The Privacy Rule adopted in December 2000 also states 
that disclosure of health information about a minor to a parent is 
permitted if State law authorizes disclosure to a parent, thereby 
allowing such disclosure where State law determines it is appropriate. 
(See Sec. 160.202, definition of ``more stringent.'') Finally, health 
information about the minor may be disclosed to the parent if the minor 
involves the parent in his or her health care and does not object to 
such disclosure. (See Sec. 164.502(g)(3)(i), redesignated as 
Sec. 164.502(g)(3)(i)(A), and Sec. 164.510(b)). The parent will retain 
all rights concerning any other health information about his or her 
minor child that does not meet one of the few exceptions listed above.
    March 2002 NPRM. After reassessing the parents and minors 
provisions in the Privacy Rule, the Department identified two areas in 
which there were unintended consequences of the Rule. First, the 
language regarding deference to State law, which authorizes or 
prohibits disclosure of health information about a minor to a parent, 
fails to assure that State or other law governs when the law grants a 
provider discretion in certain circumstances to disclose protected 
health information to a parent. Second, the Privacy Rule may have 
prohibited parental access in certain situations in which State or 
other law may have permitted such access.
    The Department proposed changes to these standards where they did 
not operate as intended and did not adequately defer to State or other 
applicable law with respect to parents and minors. First, in order to 
assure that State and other applicable laws that address disclosure of 
health information about a minor to his or her parent govern in all 
cases, the Department proposed to move the relevant language about the 
disclosure of health information from the definition of ``more 
stringent'' (see Sec. 160.202) to the standards regarding parents and 
minors (see Sec. 164.502(g)(3)). This change would make it clear that 
State and other applicable law governs not only when a State explicitly 
addresses disclosure of protected health information to a parent but 
also when such law provides discretion to a provider. The language 
itself is also changed in the proposal to adapt it to the new section.
    Second, the Department proposed to add a new paragraph (iii) to 
Sec. 164.502(g)(3) to establish a neutral policy regarding the right of 
access of a parent to health information about his or her minor child 
under Sec. 164.524, in the rare circumstance in which the parent is 
technically not the personal representative of his or her minor child 
under the Privacy Rule. This policy would apply particularly where 
State or other law is silent or unclear.
    Overview of Public Comments. The following discussion provides an 
overview of the public comment received on this proposal. Additional 
comments received on this issue are discussed below in the section 
entitled, ``Response to Other Public Comments.''
    The Department received a number of comments on the proposed 
changes to the parents and minors provisions of the Privacy Rule. Many 
commenters, particularly health care providers involved in provision of 
health care to minors, requested that the Department return to the 
approach under the Privacy Rule published in December 2000, because 
they believed that the proposed approach would discourage minors from 
seeking necessary health care. At a minimum, these commenters suggested 
that the Department clarify that discretion to grant a parent access 
under the proposal is limited to the covered health care provider that 
is providing treatment to the minor.
    Supporters of the proposal asserted that the Department was moving 
in the right direction, but many also advocated for more parental 
rights. They asserted that parents have protected rights to act for 
their children and that the Privacy Rule interferes with these rights.
    There were also some commenters that were confused by the new 
proposal and others that requested a Federal standard that would 
preempt all State laws.
    Final Modifications. The Department will continue to defer to State 
or other applicable law and to remain neutral to the extent possible. 
However, the Department is adopting changes to the standards in the 
December 2000 Privacy Rule, where they do not operate as intended and 
are inconsistent with the Department's underlying goals. These 
modifications are similar in approach to the NPRM and the rationale for 
these changes remains the same as was stated in the NPRM. However, the 
Department makes some changes from the language that was proposed, in 
order to simplify the provisions and clarify the Department's intent.
    There are three goals with respect to the parents and minors 
provisions in the Privacy Rule. First, the Department wants to assure 
that parents have appropriate access to the health information about 
their minor children to make important health care decisions about 
them, while also making sure that the Privacy Rule does not interfere 
with a minor's ability to consent to and obtain health care under State 
or other applicable law. Second, the Department does not want to 
interfere with State or other applicable laws related to competency or 
parental rights, in general, or the role of parents in making health 
care decisions about their minor children, in particular. Third, the 
Department does not want to interfere with the professional 
requirements of State medical boards or other ethical codes of health 
care providers with respect to confidentiality of health information or 
with the health care practices of such providers with respect to 
adolescent health care.
    In order to honor these differing goals, the Department has and 
continues to take the approach of deferring to State or other 
applicable law and professional practice with respect to parents and 
minors. Where State and other applicable law is silent or unclear, the 
Department has attempted to create standards, implementation 
specifications, and requirements that are consistent with such laws and 
that permit States the discretion to continue to define the rights of 
parents and minors with respect to health information without 
interference from the Federal Privacy Rule.
    The Department adopts two changes to the provisions regarding 
parents and minors in order to address unintended consequences from the 
December 2000 Privacy Rule and to defer to State and other law. The 
first change is about disclosure of protected health information to a 
parent and the second is about access to the health information by the 
parent. Disclosure is about a covered entity providing individually 
identifiable information to persons outside the entity, either the 
individual or a third party. Access is a particular type of disclosure 
that is the right of an individual (directly or through a personal 
representative) to review or

[[Page 53201]]

obtain a copy of his or her health information under Sec. 164.524. This 
modification treats both activities similarly by deferring to State or 
other applicable law.
    The first change, regarding disclosure of protected health 
information to a parent, is the same as the change proposed in the 
NPRM. In order to assure that State and other applicable laws that 
address disclosure of health information about a minor to his or her 
parent govern in all cases, the language in the definition of ``more 
stringent'' (see Sec. 160.202) that addresses the disclosure of 
protected health information about a minor to a parent has been moved 
to the standards regarding parents and minors (see Sec. 164.502(g)(3)). 
The addition of paragraphs (g)(3)(ii)(A) and (B) of Sec. 164.502, 
clarify that State and other applicable law governs when such law 
explicitly requires, permits, or prohibits disclosure of protected 
health information to a parent.
    In connection with moving the language, the language is changed 
from the December 2000 Privacy Rule in order to adapt it to the new 
section. Section 164.502(g)(3)(ii)(A) states that a covered entity may 
disclose protected health information about a minor to a parent if an 
applicable provision of State or other law permits or requires such 
disclosure. By adopting this provision, the Department makes clear that 
nothing in the regulation prohibits disclosure of health information to 
a parent if, and to the extent that, State or other law permits or 
requires such disclosure. The Privacy Rule defers to such State or 
other law and permits covered entities to act in accordance to such 
law. Section 164.502(g)(3)(ii)(B) states that a covered entity may not 
disclose protected health information about a minor to a parent if an 
applicable provision of State or other law prohibits such disclosure. 
Again, regardless of how the Privacy Rule would operate in the absence 
of explicit State or other law, if such law prohibits the disclosure of 
protected health information about a minor to a parent, so does the 
Privacy Rule. The revision also clarifies that deference to State or 
other applicable law includes deference to established case law as well 
as explicit provisions in statutes or regulations that permit, require, 
or prohibit particular disclosures.
    The second change, regarding access to protected health 
information, also reflects the same policy as proposed in the NPRM. 
There are two provisions that refer to access, in order to clarify the 
Department's intent in this area. The first is where there is an 
explicit State or other law regarding parental access, and the second 
is where State or other law is silent or unclear, which is often the 
case with access.
    Like the provisions regarding disclosure of protected health 
information to a parent, the final Rule defers to State or other 
applicable law regarding a parent's access to health information about 
a minor. The change assures that State or other applicable law governs 
when the law explicitly requires, permits, or prohibits access to 
protected health information about a minor to a parent. This includes 
deference to established case law as well as an explicit provision in a 
statute or regulation. This issue is addressed in paragraphs 
(g)(3)(ii)(A) and (B) of Sec. 164.502 with the disclosure provisions 
discussed above.
    In addition to the provision regarding explicit State access laws, 
the Department recognizes that the Privacy Rule creates a right of 
access that previously did not exist in most States. Most States do not 
have explicit laws in this area. In order to address the limited number 
of cases in which the parent is not the personal representative of the 
minor because one of the exceptions in the parents and minors 
provisions are met (see Sec. 164.502(g)(3)(i)(A), (B), or (C)), the 
Department adds a provision, Sec. 164.502(g)(3)(ii)(C), similar to a 
provision proposed in the NPRM, that addresses those situations in 
which State and other law about parental access is not explicit. Under 
this provision, a covered entity may provide or deny access to a parent 
provided that such discretion is permitted by State or other law. This 
new paragraph would assure that the Privacy Rule would not prevent a 
covered entity from providing access to a parent if the covered entity 
would have been able to provide this access under State or other 
applicable law. The new paragraph would also prohibit access by a 
parent if providing such access would violate State or other applicable 
law.
    It is important to note that this provision regarding access to 
health information about a minor in cases in which State and other laws 
are silent or unclear will not apply in the majority of cases because, 
typically, the parent will be the personal representative of his or her 
minor child and will have a right of access to the medical records of 
his or her minor children under the Privacy Rule. This provision only 
applies in cases in which the parent is not the personal representative 
under the Privacy Rule.
    In response to comments by health care providers, the final 
modifications also clarify that, the discretion to provide or deny 
access to a parent under Sec. 164.502(g)(3)(ii)(C) only may be 
exercised by a licensed health care professional, in the exercise of 
professional judgment. This is consistent with the policy described in 
the preamble to the NPRM, is similar to the approach in the access 
provisions in Sec. 164.524(a)(3), and furthers the Department's 
interest in balancing the goals of providing appropriate information to 
parents and of assuring that minors obtain appropriate access to health 
care. This decision should be made by a health care professional, who 
is accustomed to exercising professional judgment. A health plan may 
also exercise such discretion if the decision is made by a licensed 
health care provider.
    The Department takes no position on the ability of a minor to 
consent to treatment and no position on how State or other law affects 
privacy between the minor and parent. Where State or other law is 
unclear, covered entities should continue to conduct the same analysis 
of such law as they do now to determine if access is permissible or 
not. Because the Privacy Rule defers to State and other law in the area 
of parents and minors, the Department assumes that the current 
practices of health care providers with respect to access by parents 
and confidentiality of minor's records are consistent with State and 
other applicable law, and, therefore, can continue under the Privacy 
Rule.
    Parental access under this section would continue to be subject to 
any limitations on activities of a personal representative in 
Sec. 164.502(g)(5) and Sec. 164.524(a)(2) and (3). In cases in which 
the parent is not the personal representative of the minor and State or 
other law does not require parental access, this provision does not 
provide a parent a right to demand access and does not require a 
covered entity to provide access to a parent. Furthermore, nothing in 
these modifications shall affect whether or not a minor would have a 
right to access his or her records. That is, a covered entity's 
exercise of discretion to not grant a parent access does not affect the 
right of access the minor may have under the Privacy Rule. A covered 
entity may deny a parent access in accordance with State or other law 
and may be required to provide access to the minor under the Privacy 
Rule.
    These changes also do not affect the general provisions, explained 
in the section ``December 2000 Privacy Rule'' above, regarding parents 
as personal representatives of their minor children or the exceptions 
to this general rule, where parents would not be the

[[Page 53202]]

personal representatives of their minor children.
    These changes adopted in this Rule provide States with the option 
of clarifying the interaction between their laws regarding consent to 
health care and the ability of parents to have access to the health 
information about the care received by their minor children in 
accordance with such laws. As such, this change should more accurately 
reflect current State and other laws and modifications to such laws.

Response to Other Public Comments

    Comment: Some commenters urged the Department to retain the 
approach to parents and minors that was adopted in December 2000. They 
claimed that the NPRM approach would seriously undermine minors' 
willingness to seek necessary medical care. Other commenters advocated 
full parental access to health information about their minor children, 
claiming that the Privacy Rule interferes with parents' rights.
    Response: We believe the approach adopted in the final Rule strikes 
the right balance between these concerns. It defers to State law or 
other applicable law and preserves the status quo to the greatest 
extent possible.
    Comment: Health care providers generally opposed the changes to the 
parents and minors provisions claiming that they would eliminate 
protection of a minor's privacy, and therefore, would decrease the 
willingness of adolescents to obtain necessary health care for 
sensitive types of health care services. They also argued that the NPRM 
approach is inconsistent with State laws that give minors the right to 
consent to certain health care because the purpose of these laws is to 
provide minors with confidential health care.
    Response: Issues related to parents' and minors' rights with 
respect to health care are best left for the States to decide. The 
standards regarding parents and minors are designed to defer to State 
law in this area. While we believe that there is a correlation between 
State laws that grant minors the authority to consent to treatment and 
confidentiality of the information related to such treatment, our 
research has not established that these laws bar parental access to 
such health information under all circumstances. Therefore, to act in a 
manner consistent with State law, the approach adopted in this Final 
Rule is more flexible than the standards adopted in December 2000, in 
order to assure that the Privacy Rule does not preclude a provider from 
granting access to a parent if this is permissible under State law. 
However, this new standard would not permit activity that would be 
impermissible under State law.
    Some State or other laws may state clearly that a covered entity 
must provide a parent access to the medical records of his or her minor 
child, even when the minor consents to the treatment without the 
parent. In this case, the covered entity must provide a parent access, 
subject to the access limitations in the Privacy Rule at 
Sec. 164.524(a)(2) and (3). Other laws may state clearly that a covered 
entity must not provide a parent access to their minor child's medical 
records when the minor consents to the treatment without the parent. In 
this case, the covered entity would be precluded from granting access 
to the parent. If the State or other law clearly provides a covered 
entity with discretion to grant a parent access, then the covered 
entity may exercise such discretion, to the extent permitted under such 
other law.
    If State law is silent or unclear on its face, then a covered 
entity would have to go through the same analysis as it would today to 
determine if such law permitted, required, or prohibited providing a 
parent with access to a minor's records. That analysis may involve 
review of case law, attorney general opinions, legislative history, 
etc. If such analysis showed that the State would permit an entity to 
provide a parent access to health information about a minor child, and 
under the Privacy Rule, the parent would not be the personal 
representative of the minor because of one of the limited exceptions in 
Sec. 164.502(g)(3)(i), then the covered entity may exercise such 
discretion, based on the professional judgment of a licensed health 
care provider, to choose whether or not to provide the parent access to 
the medical records of his or her minor child. If, as the commenters 
suggest, a State consent law were interpreted to prohibit such access, 
then such access is prohibited under the Privacy Rule as well.
    Comment: One commenter asserted that the Privacy Rule 
inappropriately erects barriers between parents and children. 
Specifically, the commenter stated that Sec. 164.502(g)(5) delegates to 
private entities government power to decide whether a child may be 
subjected to abuse or could be endangered. The commenter also stated 
that the access provisions in Sec. 164.502(g)(3) would erect barriers 
where State law is silent or unclear.
    Response: The Department does not agree that the Privacy Rule 
erects barriers between a parent and a minor child because the relevant 
standards are intended to defer to State law. Health care providers 
have responsibilities under other laws and professional standards to 
report child abuse to the appropriate authorities and to use 
professional discretion to protect the child's welfare in abuse 
situations. Similarly the Privacy Rule permits (but does not require) 
the provider to use professional discretion to act to protect a child 
she believes is being abused. If the Privacy Rule were to mandate that 
a provider grant a parent access to a medical record in abuse 
situations, as the commenter suggests, this would be a change from 
current law. In addition, the Privacy Rule does not allow a denial of 
parental access to medical records if State or other law would require 
such access.
    Comment: Commenters continue to raise preemption issues. A few 
commenters called for preemption of all State law in this area. Others 
stated that there should be one standard, not 50 standards, controlling 
disclosure of protected health information about a minor to a parent 
and that the NPRM approach would burden regional and national health 
care providers. Others urged preemption of State laws that are less 
protective of a minor's privacy, consistent with the general preemption 
provisions.
    Response: The Department does not want to interfere with a State's 
role in determining the appropriate rights of parents and their minor 
children. The claim that the Privacy Rule introduces 50 standards is 
inaccurate. These State standards exist today and are not created by 
the Privacy Rule. Our approach has been, and continues to be, to defer 
to State and other applicable law in this area.
    Comment: One commenter requested the Privacy Rule state that good 
faith compliance with the Privacy Rule is an affirmative defense to 
enforcement of contrary laws ultimately determined to be more stringent 
than the Rule, or that it provide specific guidance on which State laws 
conflict with or are more stringent than the Privacy Rule.
    Response: The Privacy Rule cannot dictate how States enforce their 
own privacy laws. Furthermore, guidance on whether or not a State law 
is preempted would not be binding on a State interpreting its own law.
    Comment: Some commenters remain concerned that a parent will not 
get information about a child who receives care in an emergency without 
the consent of the parent and that the provisions in Sec. 164.510(b) 
are not sufficient.
    Response: As we have stated in previous guidance, a provider 
generally can discuss all the health information

[[Page 53203]]

about a minor child with his parent, because the parent usually will be 
the personal representative of the child. This is true, under the 
Privacy Rule, even if the parent did not provide consent to the 
treatment because of the emergency nature of the health care. A parent 
may be unable to obtain such information in limited circumstances, such 
as when the minor provided consent for the treatment in accordance with 
State law or the treating physician suspects abuse or neglect or 
reasonably believes that releasing the information to the parent will 
endanger the child.
    Comment: A couple of commenters were concerned that the provisions 
regarding confidential communications conflict with the Fair Debt 
Collection Practices Act (FDCPA), which allows collection agencies to 
contact the party responsible for payment of the debt, be it the spouse 
or parent (of a minor) of the individual that incurred the debt, and 
share information that supports the incurrence and amount of the debt. 
They feared that the Privacy Rule would no longer allow collection 
agencies to continue this practice.
    Response: Our analysis of the relevant provisions of the Privacy 
Rule and the FDCPA does not indicate any conflicts between the two 
laws. An entity that is subject to the FDCPA and the Privacy Rule (or 
that must act consistent with the Privacy Rule as a business associate 
of the covered entity) should be able to comply with both laws, because 
the FDCPA permits an entity to exercise discretion to disclose 
information about one individual to another.
    The FDCPA allows debt collectors to communicate with the debtor's 
spouse or parent if the debtor is a minor. The provisions of the FDCPA 
are permissive rather than required.
    Generally, the Privacy Rule permits covered entities to use the 
services of debt collectors as the use of such services to obtain 
payment for the provision of health care comes within the definition of 
``payment.'' The Privacy Rule generally does not identify to whom 
information can be disclosed when a covered entity is engaged in its 
own payment activities. Therefore, if a covered entity or a debt 
collector, as a business associate of a covered entity, needs to 
disclose protected health information to a spouse or a parent, the 
Privacy Rule generally would not prevent such disclosure. In these 
cases where the Privacy Rule would permit disclosure to a parent or 
spouse, there should be no concern with the interaction with the FDCPA.
    However, there are some circumstances in which the Privacy Rule may 
prohibit a disclosure to a parent or a spouse for payment purposes. For 
example, under Sec. 164.522(a), an individual has the right to request 
restrictions to the disclosure of health information for payment. A 
provider or health plan may choose whether or not to agree to the 
request. If the covered entity agreed to a restriction, the covered 
entity would be bound by that restriction and would not be permitted to 
disclose the individual's health information in violation of that 
agreement. Also, Sec. 164.522(b) generally requires covered entities to 
accommodate reasonable requests by individuals to receive 
communications of protected health information by alternative means or 
at alternative locations. However, the covered entity may condition the 
accommodation on the individual providing information on how payment 
will be handled. In both of these cases, the covered entity has means 
for permitting disclosures as permitted by the FDCPA. Therefore, these 
provisions of the Privacy Rule need not limit options available under 
the FDCPA. However, if the agreed-to restrictions or accommodation for 
confidential communications prohibit disclosure to a parent or spouse 
of an individual, the covered entity, and the debt collector as a 
business associate of the covered entity, would be prohibited from 
disclosing such information under the Privacy Rule. In such case, 
because the FDCPA would provide discretion to make a disclosure, but 
the Privacy Rule would prohibit the disclosure, a covered entity or the 
debt collector as a business associate of a covered entity would have 
to exercise discretion granted under the FDCPA in a way that complies 
with the Privacy Rule. This means not making the disclosure.

C. Section 164.504--Uses and Disclosures: Organizational Requirements

1. Hybrid Entities
    December 2000 Privacy Rule. The Privacy Rule, as published in 
December 2000, defined covered entities that primarily engage in 
activities that are not ``covered functions,'' that is, functions that 
relate to the entity's operation as a health plan, health care 
provider, or health care clearinghouse, as hybrid entities. See 45 CFR 
164.504(a). Examples of hybrid entities were: (1) corporations that are 
not in the health care industry, but that operate on-site health 
clinics that conduct the HIPAA standard transactions electronically; 
and (2) insurance carriers that have multiple lines of business that 
include both health insurance and other insurance lines, such as 
general liability or property and casualty insurance.
    Under the December 2000 Privacy Rule, a hybrid entity was required 
to define and designate those parts of the entity that engage in 
covered functions as one or more health care component(s). A hybrid 
entity also was required to include in the health care component(s) any 
other components of the entity that support the covered functions in 
the same way such support may be provided by a business associate 
(e.g., an auditing component). The health care component was to include 
such ``business associate'' functions for two reasons: (1) It is 
impracticable for the entity to contract with itself; and (2) having to 
obtain an authorization for disclosures to such support components 
would limit the ability of the hybrid entity to engage in necessary 
health care operations functions. In order to limit the burden on 
hybrid entities, most of the requirements of the Privacy Rule only 
applied to the health care component(s) of the entity and not to the 
parts of the entity that do not engage in covered functions.
    The hybrid entity was required to create adequate separation, in 
the form of firewalls, between the health care component(s) and other 
components of the entity. Transfer of protected health information held 
by the health care component to other components of the hybrid entity 
was a disclosure under the Privacy Rule and was allowed only to the 
same extent such a disclosure was permitted to a separate entity.
    In the preamble to the December 2000 Privacy Rule, the Department 
explained that the use of the term ``primary'' in the definition of a 
``hybrid entity'' was not intended to operate with mathematical 
precision. The Department further explained that it intended a common 
sense evaluation of whether the covered entity mostly operates as a 
health plan, health care provider, or health care clearinghouse. If an 
entity's primary activity was a covered function, then the whole entity 
would have been a covered entity and the hybrid entity provisions would 
not have applied. However, if the covered entity primarily conducted 
non-health activities, it would have qualified as a hybrid entity and 
would have been required to comply with the Privacy Rule with respect 
to its health care component(s). See 65 FR 82502.
    March 2002 NPRM. Since the publication of the final Rule, concerns 
were raised that the policy guidance in the preamble was insufficient 
so long as the Privacy Rule itself limited the hybrid entity provisions 
to entities that primarily conducted non-health related activities. In 
particular, concerns were

[[Page 53204]]

raised about whether entities, which have the health plan line of 
business as the primary business and an excepted benefits line, such as 
workers' compensation insurance, as a small portion of the business, 
qualified as hybrid entities. There were also concerns about how 
``primary'' was to be defined, if it was not a mathematical 
calculation, and how an entity would know whether or not it was a 
hybrid entity based on the guidance in the preamble.
    As a result of these comments, the Department proposed to delete 
the term ``primary'' from the definition of ``hybrid entity'' in 
Sec. 164.504(a) and permit any covered entity that is a single legal 
entity and that performs both covered and non-covered functions to 
choose whether or not to be a hybrid entity for purposes of the Privacy 
Rule. Under the proposal, any covered entity could be a hybrid entity 
regardless of whether the non-covered functions represent the entity's 
primary functions, a substantial function, or even a small portion of 
the entity's activities. In order to be a hybrid entity under the 
proposal, a covered entity would have to designate its health care 
component(s). If the covered entity did not designate any health care 
component(s), the entire entity would be a covered entity and, 
therefore, subject to the Privacy Rule. Since the entire entity would 
be the covered entity, Sec. 164.504(c)(2) requiring firewalls between 
covered and non-covered portions of hybrid entities would not apply.
    The Department explained in the preamble to the proposal that there 
are advantages and disadvantages to being a hybrid entity. Whether or 
not the advantages outweigh the disadvantages would be a decision for 
each covered entity that qualified as a hybrid entity, taking into 
account factors such as how the entity was organized and the proportion 
of the entity that must be included in the health care component.
    The Department also proposed to simplify the definition of ``health 
care component'' in Sec. 164.504(a) to make clear that a health care 
component is whatever the covered entity designates as the health care 
component, consistent with the provisions regarding designation in 
proposed Sec. 164.504(c)(3)(iii). The Department proposed to move the 
specific language regarding which components make up a health care 
component to the implementation specification that addresses 
designation of health care components at Sec. 164.504(c)(3)(iii). At 
Sec. 164.504(c)(3)(iii), the Department proposed that a health care 
component could include: (1) Components of the covered entity that 
engage in covered functions, and (2) any component that engages in 
activities that would make such component a business associate of a 
component that performs covered functions, if the two components were 
separate legal entities. In addition, the Department proposed to make 
clear at Sec. 164.504(c)(3)(iii) that a hybrid entity must designate as 
a health care component(s) any component that would meet the definition 
of ``covered entity'' if it were a separate legal entity.
    There was some ambiguity in the December 2000 Privacy Rule as to 
whether a health care provider that does not conduct electronic 
transactions for which the Secretary has adopted standards (i.e., a 
non-covered health care provider) and which is part of a larger covered 
entity was required to be included in the health care component. To 
clarify this issue, the proposal also would allow a hybrid entity the 
discretion to include in its health care component a non-covered health 
care provider component. Including a non-covered health care provider 
in the health care component would subject the non-covered provider to 
the Privacy Rule. Accordingly, the Department proposed a conforming 
change in Sec. 164.504(c)(1)(ii) to make clear that a reference to a 
``covered health care provider'' in the Privacy Rule could include the 
functions of a health care provider who does not engage in electronic 
transactions, if the covered entity chooses to include such functions 
in the health care component.
    The proposal also would permit a hybrid entity to designate 
otherwise non-covered portions of its operations that provide services 
to the covered functions, such as parts of the legal or accounting 
divisions of the entity, as part of the health care component, so that 
protected health information could be shared with such functions of the 
entity without business associate agreements or individual 
authorizations. The proposal would not require that the covered entity 
designate entire divisions as in or out of the covered component. 
Rather, it would permit the covered entity to designate functions 
within such divisions, such as the functions of the accounting division 
that support health insurance activities, without including those 
functions that support life insurance activities. The Department 
proposed to delete as unnecessary and redundant the related language in 
paragraph (2)(ii) of the definition of ``health care component'' in the 
Privacy Rule that requires the ``business associate'' functions include 
the use of protected health information.
    Overview of Public Comments. The following discussion provides an 
overview of the public comment received on this proposal. Additional 
comments received on this issue are discussed below in the section 
entitled, ``Response to Other Public Comments.''
    The Department received relatively few comments on its proposal 
regarding hybrid entities. A number of comments supported the proposal, 
appreciative of the added flexibility it would afford covered entities 
in their compliance efforts. For example, some drug stores stated that 
the proposal would provide them with the flexibility to designate 
health care components, whereas under the December 2000 Rule, these 
entities would have been required to subject their entire business, 
including the ``front end'' of the store which is not associated with 
dispensing prescription drugs, to the Privacy Rule's requirements.
    Some health plans and other insurers also expressed strong support 
for the proposal. These comments, however, seemed to be based on a 
misinterpretation of the uses and disclosures the proposal actually 
would permit. These commenters appear to assume that the proposal would 
allow information to flow freely between non-covered and covered 
functions in the same entity, if that entity chose not to be a hybrid 
entity. For example, commenters explained that they interpreted the 
proposal to mean that a multi-line insurer which does not elect hybrid 
entity status would be permitted to share protected health information 
between its covered lines and its otherwise non-covered lines. It was 
stated that such latitude would greatly enhance multi-line insurers' 
ability to detect and prevent fraudulent activities and eliminate 
barriers to sharing claims information between covered and non-covered 
lines of insurance where necessary to process a claim.
    Some commenters opposed the Department's hybrid entity proposal, 
stating that the proposal would reduce the protections afforded under 
the Privacy Rule and would be subject to abuse. Commenters expressed 
concerns that the proposal would allow a covered entity with only a 
small health care component to avoid the extra protections of creating 
firewalls between the health care component and the rest of the 
organization. Moreover, one of the commenters stated that the proposal 
could allow a covered entity that is primarily performing health care 
functions to circumvent the requirements of the Rule for a large part 
of its operations by designating itself a hybrid and excluding from the 
health

[[Page 53205]]

care component a non-covered health care provider function, such as a 
free nurse advice line that does not bill electronically. In addition, 
it was stated that the ambiguous language in the proposal could 
potentially be construed as allowing a hybrid entity to designate only 
the business associate-like functions as the health care component, and 
exclude covered functions. The commenter urged the Department to 
clarify that a hybrid entity must, at a minimum, designate a component 
that performs covered functions as a health care component, and that a 
health care provider cannot avoid having its treatment component 
considered a health care component by relying on a billing department 
to conduct its standard electronic transactions. These commenters urged 
the Department to retain the existing policy by requiring those 
organizations whose primary functions are not health care to be hybrid 
entities and to institute firewall protections between their health 
care and other components.
    Final Modifications. After consideration of the comments, the 
Department adopts in the final Rule the proposed approach to provide 
covered entities that otherwise qualify the discretion to decide 
whether to be a hybrid entity. To do so, the Department eliminates the 
term ``primary'' from the definition of ``hybrid entity'' at 
Sec. 164.504(a). Any covered entity that otherwise qualifies (i.e., is 
a single legal entity that performs both covered and non-covered 
functions) and that designates health care component(s) in accordance 
with Sec. 164.504(c)(3)(iii) is a hybrid entity. A hybrid entity is 
required to create adequate separation, in the form of firewalls, 
between the health care component(s) and other components of the 
entity. Transfer of protected health information held by the health 
care component to other components of the hybrid entity continues to be 
a disclosure under the Privacy Rule, and, thus, allowed only to the 
same extent such a disclosure is permitted to a separate entity.
    Most of the requirements of the Privacy Rule continue to apply only 
to the health care component(s) of a hybrid entity. Covered entities 
that choose not to designate health care component(s) are subject to 
the Privacy Rule in their entirety.
    The final Rule regarding hybrid entities is intended to provide a 
covered entity with the flexibility to apply the Privacy Rule as best 
suited to the structure of its organization, while maintaining privacy 
protections for protected health information within the organization. 
In addition, the policy in the final Rule simplifies the Privacy Rule 
and makes moot any questions about what ``primary'' means for purposes 
of determining whether an entity is a hybrid entity.
    The final Rule adopts the proposal's simplified definition of 
``health care component,'' which makes clear that a health care 
component is what the covered entity designates as the health care 
component. The Department makes a conforming change in 
Sec. 164.504(c)(2)(ii) to reflect the changes to the definition of 
``health care component.'' The final Rule at Sec. 164.504(c)(3)(iii) 
requires a health care component to include a component that would meet 
the definition of a ``covered entity'' if it were a separate legal 
entity. The Department also modifies the language of the final Rule at 
Sec. 164.504(c)(3)(iii) to clarify that only a component that performs 
covered functions, and a component to the extent that it performs 
covered functions or activities that would make such component a 
business associate of a component that performs covered functions if 
the two components were separate legal entities, may be included in the 
health care component. ``Covered functions'' are defined at 
Sec. 164.501 as ``those functions of a covered entity the performance 
of which makes the entity a health plan, health care provider, or 
health care clearinghouse.''
    As in the proposal, the Department provides a hybrid entity with 
some discretion as to what functions may be included in the health care 
component in two ways. First, the final Rule clarifies that a hybrid 
entity may include in its health care component a non-covered health 
care provider component. Accordingly, the Department adopts the 
proposed conforming change to Sec. 164.504(c)(1)(ii) to make clear that 
a reference to a ``covered health care provider'' in the Privacy Rule 
may include the functions of a health care provider who does not engage 
in electronic transactions for which the Secretary has adopted 
standards, if the covered entity chooses to include such functions in 
the health care component. A hybrid entity that chooses to include a 
non-covered health care provider in its health care component is 
required to ensure that the non-covered health care provider, as well 
as the rest of the health care component, is in compliance with the 
Privacy Rule.
    Second, the final Rule retains the proposed policy to provide 
hybrid entities with discretion as to whether or not to include 
business associate-like divisions within the health care component. It 
is not a violation of the Privacy Rule to exclude such divisions from 
the health care component. However, a disclosure of protected health 
information from the health care component to such other division that 
is not part of the health care component is the same as a disclosure 
outside the covered entity. Because an entity cannot have a business 
associate contract with itself, such a disclosure likely will require 
individual authorization.
    The Department clarifies, in response to comments, that a health 
care provider cannot avoid being a covered entity and, therefore, part 
of a health care component of a hybrid entity just by relying on a 
billing department to conduct standard transactions on its behalf. A 
health care provider is a covered entity if standard transactions are 
conducted on his behalf, regardless of whether the provider or a 
business associate (or billing department within a hybrid entity) 
actually conducts the transactions. In such a situation, however, 
designating relevant parts of the business associate division as part 
of the health care component would facilitate the conduct of health 
care operations and payment.
    Also in response to comments, the Department clarifies that even if 
a covered entity does not choose to be a hybrid entity, and therefore 
is not required to erect firewalls around its health care functions, 
the entity still only is allowed to use protected health information as 
permitted by the Privacy Rule, for example, for treatment, payment, and 
health care operations. Additionally, the covered entity is still 
subject to minimum necessary restrictions under Secs. 164.502 and 
164.514(d), and, thus, must have policies and procedures that describe 
who within the entity may have access to the protected health 
information. Under these provisions, workforce members may be permitted 
access to protected health information only as necessary to carry out 
their duties with respect to the entity's covered functions. For 
example, the health insurance line of a multi-line insurer is not 
permitted to share protected health information with the life insurance 
line for purposes of determining eligibility for life insurance 
benefits or any other life insurance purposes absent an individual's 
written authorization. However, the health insurance line of a multi-
line insurer may share protected health information with another line 
of business pursuant to Sec. 164.512(a), if, for example, State law 
requires an insurer that receives a claim under one policy to share 
that information with other lines of insurance to determine if the 
event also may be payable under

[[Page 53206]]

another insurance policy. Furthermore, the health plan may share 
information with another line of business if necessary for the health 
plan's coordination of benefits activities, which would be a payment 
activity of the health plan.
    Given the above restrictions on information flows within the 
covered entity, the Department disagrees with those commenters who 
raised concerns that the proposed policy would weaken the Rule by 
eliminating the formal requirement for ``firewalls.'' Even if a covered 
entity does not designate health care component(s) and, therefore, does 
not have to establish firewalls to separate its health care function(s) 
from the non-covered functions, the Privacy Rule continues to restrict 
how protected health information may be used and shared within the 
entity and who gets access to the information.
    Further, the Department does not believe that allowing a covered 
entity to exclude a non-covered health care provider component from its 
health care component will be subject to abuse. Excluding health care 
functions from the health care component has significant implications 
under the Rule. Specifically, the Privacy Rule treats the sharing of 
protected health information from a health care component to a non-
covered component as a disclosure, subject to the same restrictions as 
a disclosure between two legally separate entities. For example, if a 
covered entity decides to exclude from its health care component a non-
covered provider, the health care component is then restricted from 
disclosing protected health information to that provider for any of the 
non-covered provider's health care operations, absent an individual's 
authorization. See Sec. 164.506(c). If, however, the non-covered health 
care provider function is not excluded, it would be part of the health 
care component and that information could be used for its operations 
without the individual's authorization.

Response to Other Public Comments

    Comment: A number of academic medical centers expressed concern 
that the Privacy Rule prevents them from organizing for compliance in a 
manner that reflects the integration of operations between the medical 
school and affiliated faculty practice plans and teaching hospitals. 
These commenters stated that neither the proposal nor the existing Rule 
would permit many academic medical centers to designate themselves as 
either a hybrid or affiliated entity, since the components of each must 
belong to a single legal entity or share common ownership or control. 
These commenters also explained that a typical medical school would not 
appear to qualify as an organized health care arrangement (OHCA) 
because it does not engage in any of the requisite joint activities, 
for example, quality assessment and improvement activities, on behalf 
of the covered entity. It was stated that it is essential that there 
not be impediments to the flow of information within an academic 
medical center. These commenters, therefore, urged that the Department 
add a definition of ``academic medical center'' to the Privacy Rule and 
modify the definition of ``common control'' to explicitly apply to the 
components of an academic medical center, so as to ensure that academic 
medical centers qualify as affiliated entities for purposes of the 
Rule.
    Response: The Department does not believe that a modification to 
include a special rule for academic medical centers is warranted. The 
Privacy Rule's organizational requirements at Sec. 164.504 for hybrid 
entities and affiliated entities, as well as the definition of 
``organized health care arrangement'' in Sec. 164.501, provide covered 
entities with much flexibility to apply the Rule's requirements as best 
suited to the structure of their businesses. However, in order to 
maintain privacy protections, the Privacy Rule places appropriate 
conditions on who may qualify for such organizational options, as well 
as how information may flow within such constructs. Additionally, if 
the commenter is suggesting that information should flow freely between 
the covered and non-covered functions within an academic medical 
center, the Department clarifies that the Privacy Rule restricts the 
sharing of protected health information between covered and non-covered 
functions, regardless of whether the information is shared within a 
single covered entity or a hybrid entity, or among affiliated covered 
entities or covered entities participating in an OHCA. Such uses and 
disclosures may only be made as permitted by the Rule.
    Comment: A few commenters expressed concern with respect to 
governmental hybrid entities having to include business associate-like 
divisions within the health care component or else being required to 
obtain an individual's authorization for disclosures to such division. 
It was stated that this concept does not take into account the 
organizational structures of local governments and effectively forces 
such governmental hybrid entities to bring those components that 
perform business associate type functions into their covered component. 
Additionally, a commenter stated that this places an undue burden on 
local government by essentially requiring that functions, such as 
auditor/controller or county counsel, be treated as fully covered by 
the Privacy Rule in order to minimize otherwise considerable risk. 
Commenters, therefore, urged that the Department allow a health care 
component to enter into a memorandum of understanding (MOU) or other 
agreement with the business associate division within the hybrid 
entity. Alternatively, it was suggested that a governmental hybrid 
entity be permitted to include in its notice of privacy practices the 
possibility that information may be shared with other divisions within 
the same government entity for specific purposes.
    Response: The Department clarifies that a covered entity which 
chooses to include its business associate division within the health 
care component may only do so to the extent such division performs 
activities on behalf of, or provides services to, the health care 
component. That same division's activities with respect to non-covered 
activities may not be included. To clarify this point, the Department 
modified the proposed language in Sec. 164.504(c)(3)(iii) to provide 
that a health care component may only include a component to the extent 
that it performs covered functions or activities that would make such 
component a business associate of a component that performs covered 
functions if the two components were separate legal entities. For 
example, employees within an accounting division may be included within 
the health care component to the extent that they provide services to 
such component. However, where these same employees also provide 
services to non-covered components of the entity, their activities with 
respect to the health care component must be adequately separated from 
their other non-covered functions.
    While the Department does not believe that a MOU between 
governmental divisions within a hybrid entity may be necessary given 
the above clarification, the Department notes that a governmental 
hybrid entity may elect to have its health care component enter into a 
MOU with its business associate division, provided that such agreement 
is legally binding and meets the relevant requirements of 
Sec. 164.504(e)(3) and (e)(4). Such agreement would eliminate the need 
for the health care component to include the business associate 
division or for obtaining the

[[Page 53207]]

individual's authorization to disclose to such division.
    Additionally, the Department encourages covered entities to develop 
a notice of privacy practices that is as specific as possible, which 
may include, for a government hybrid entity, a statement that 
information may be shared with other divisions within the government 
entity as permitted by the Rule. However, the notice of privacy 
practices is not an adequate substitute for, as appropriate, a 
memorandum of understanding; designation of business associate 
functions as part of a health care component; or alternatively, 
conditioning disclosures to such business associate functions on 
individuals' authorizations.
    Comment: One commenter requested a clarification that a pharmacy-
convenience store, where the pharmacy itself is a separate enclosure 
under supervision of a licensed pharmacist, is not a hybrid entity.
    Response: The Department clarifies that a pharmacy-convenience 
store, if a single legal entity, is permitted, but not required, to be 
a hybrid entity and designate the pharmacy as the health care 
component. Alternatively, such an entity may choose to be a covered 
entity in its entirety. However, if the pharmacy and the convenience 
store are separate legal entities, the convenience store is not a 
covered entity simply by virtue of sharing retail space with the 
covered pharmacy.
    Comment: Another commenter stated that the Rule implies that 
individual providers, once covered, are covered for all circumstances 
even if they are employed by more than one entity--one sending 
transactions electronically but not the other--or if the individual 
provider changes functions or employment and no longer electronically 
transmits standard transactions. This commenter asked that either the 
Rule permit an individual provider to be a hybrid entity (recognizing 
that there are times when an individual provider may be engaging in 
standard transactions, and other times when he is not), or that the 
definition of a ``covered entity'' should be modified so that 
individual providers are themselves classified as covered entities only 
when they are working as individuals.
    Response: A health care provider is not a covered entity based on 
his being a workforce member of a health care provider that conducts 
the standard transactions. Thus, a health care provider may maintain a 
separate uncovered practice (if he does not engage in standard 
transactions electronically in connection with that practice), even 
though the provider may also practice at a hospital which may be a 
covered entity. However, the Rule does not permit an individual 
provider to use hybrid entity status to eliminate protections on 
information when he is not conducting standard transactions. If a 
health care provider conducts standard transactions electronically on 
his own behalf, then the protected health information maintained or 
transmitted by that provider is covered, regardless of whether the 
information is actually used in such transactions.
    Comment: One commenter requested a clarification that employers are 
not hybrid entities simply because they may be the plan sponsor of a 
group health plan.
    Response: The Department clarifies that an employer is not a hybrid 
entity simply because it is the plan sponsor of a group health plan. 
The employer/plan sponsor and group health plan are separate legal 
entities and, therefore, do not qualify as a hybrid entity. Further, 
disclosures from the group health plan to the plan sponsor are governed 
specifically by the requirements of Sec. 164.504(f).
    Comment: A few commenters asked the Department to permit a covered 
entity with multiple types of health care components to tailor notices 
to address the specific privacy practices within a component, rather 
than have just one generic notice for the entire covered entity.
    Response: Covered entities are allowed to provide a separate notice 
for each separate health care component, and are encouraged to provide 
individuals with the most specific notice possible.
2. Group Health Plan Disclosures of Enrollment and Disenrollment 
Information to Plan Sponsors
    December 2000 Privacy Rule. The Department recognized the 
legitimate need of plan sponsors and employers to access health 
information held by group health plans in order to carry out essential 
functions related to the group health plan. Therefore, the Privacy Rule 
at Sec. 164.504(f) permits a group health plan, and health insurance 
issuers or HMOs with respect to the group health plan, to disclose 
protected health information to a plan sponsor provided that, among 
other requirements, the plan documents are amended appropriately to 
reflect and restrict the plan sponsor's uses and disclosures of such 
information. The Department further determined that there were two 
situations in which protected health information could be shared 
between the group health plan and the plan sponsor without individual 
authorization or an amendment to the plan documents. First, 
Sec. 164.504(f) permits the group health plan to share summary health 
information (as defined in Sec. 164.504(a)) with the plan sponsor. 
Second, a group health plan is allowed to share enrollment or 
disenrollment information with the plan sponsor without amending the 
plan documents as required by Sec. 164.504(f). As explained in the 
preamble to the December 2000 Privacy Rule, a plan sponsor is permitted 
to perform enrollment functions on behalf of its employees without 
meeting the requirements of Sec. 164.504(f), as such functions are 
considered outside of the plan administration functions. However, the 
second exception was not stated in the regulation text.
    March 2002 NPRM. The ability of group health plans to disclose 
enrollment or disenrollment information without amending the plan 
documents was addressed only in the preamble to the Privacy Rule. The 
absence of a specific provision in the regulation text caused many 
entities to conclude that plan documents would need to be amended for 
enrollment and disenrollment information to be exchanged between plans 
and plan sponsors. To remedy this misunderstanding and make its policy 
clear, the Department proposed to add an explicit exception at 
Sec. 164.504(f)(1)(iii) to clarify that group health plans (or health 
insurance issuers or HMOs with respect to group health plans, as 
appropriate) are permitted to disclose enrollment or disenrollment 
information to a plan sponsor without meeting the plan document 
amendment and other related requirements.
    Overview of Public Comments. The following discussion provides an 
overview of the public comment received on this proposal. Additional 
comments received on this issue are discussed below in the section 
entitled, ``Response to Other Public Comments.''
    Commenters in general supported the proposed modification. Some 
supported the proposal because it was limited to information about 
whether an individual is participating or enrolled in a group health 
plan and would not permit the disclosure of any other protected health 
information. Others asserted that the modification is a reasonable 
approach because enrollment and disenrollment information is needed by 
plan sponsors for payroll and other employment reasons.
    Final Modifications. The Department adopts the modification to 
Sec. 164.504(f)(1)(iii) essentially as proposed. Thus, a group health 
plan, or

[[Page 53208]]

a health insurance issuer or HMO acting for a group health plan, may 
disclose to a plan sponsor information on whether the individual is 
participating in the group health plan, or is enrolled in or has 
disenrolled from a health insurance issuer or HMO offered by the plan. 
This disclosure can be made without amending the plan documents. In 
adopting the modification as a final Rule, the Department deletes the 
phrase ``to the plan sponsor'' that appeared at the end of the proposed 
new provision, as mere surplusage.
    As a result of the modification, summary health information and 
enrollment and disenrollment information are treated consistently. 
Under Sec. 164.504(f), as modified, group health plans can share 
summary health information and enrollment or disenrollment information 
with plan sponsors without having to amend the plan documents. Section 
164.520(a) provides that a fully insured group health plan does not 
need to comply with the Privacy Rule's notice requirements if the only 
protected health information it creates or receives is summary health 
information and/or information about individuals' enrollment in, or 
disenrollment from, a health insurer or HMO offered by the group health 
plan. Similarly, in Sec. 164.530(k), the Department exempts fully 
insured group health plans from many of the administrative requirements 
in that section if the only protected health information held by the 
group health plan is summary health information and/or information 
about individuals' enrollment in, or disenrollment from, a health 
insurer or HMO offered by the group health plan. Such consistency will 
simplify compliance with the Privacy Rule.

Response to Other Public Comments

    Comment: One commenter stated that there needs to be protection for 
health information given to group health plans on enrollment forms. In 
particular, this commenter suggested that the Department include a 
definition of ``enrollment'' or ``disenrollment'' information that 
specifies that medical information, such as past or present medical 
conditions and doctor or hospital visits, is not enrollment 
information, but rather is individually identifiable health 
information, and therefore, subject to the Privacy Rule's protections.
    Response: Individually identifiable health information received or 
created by the group health plan for enrollment purposes is protected 
health information under the Privacy Rule. The modification to 
Sec. 164.504(f) being adopted in this rulemaking does not affect this 
policy. The Privacy Rule does not define the information that may be 
transmitted for enrollment and disenrollment purposes. Rather, the 
Department in the Transactions Rule has adopted a standard transaction 
for enrollment and disenrollment in a health plan. That standard (ASC 
X12N 834, Benefit Enrollment and Maintenance, Version 4010, May 2000, 
Washington Publishing Company) specifies the required and situationally 
required data elements to be transmitted as part of such a transaction. 
While the standard enrollment and disenrollment transaction does not 
include any substantial clinical information, the information provided 
as part of the transaction may indicate whether or not tobacco use, 
substance abuse, or short, long-term, permanent, or total disability is 
relevant, when such information is available. However, the Department 
clarifies that, in disclosing or maintaining information about an 
individual's enrollment in, or disenrollment from, a health insurer or 
HMO offered by the group health plan, the group health plan may not 
include medical information about the individual above and beyond that 
which is required or situationally required by the standard transaction 
and still qualify for the exceptions for enrollment and disenrollment 
information allowed under the Rule.
    Comment: Several commenters recommended that enrollment and 
disenrollment information specifically be excluded from the definition 
of ``protected health information.'' They argued that this change would 
be warranted because enrollment and disenrollment information do not 
include health information. They further argued that such a change 
would help alleviate confusion surrounding the application of the 
Privacy Rule to employers.
    Response: We disagree that enrollment and disenrollment information 
should be excluded from the definition of ``protected health 
information.'' Enrollment and disenrollment information fall under the 
statutory definition of ``individually identifiable health 
information,'' since it is received or created by a health plan, 
identifies an individual, and relates to the past, present, or future 
payment for the provision of health care to an individual. As such, the 
Department believes there is no statutory basis to exclude such 
information from the definition of ``protected health information.'' 
The Department believes that the exception to the requirement for group 
health plans to amend plan documents that has been added to the Privacy 
Rule for enrollment and disenrollment information balances the 
legitimate need that plan sponsors have for enrollment and 
disenrollment information against the individual's right to have such 
information kept private and confidential.
    Comment: Given that, under Sec. 164.504(f)(2), plan sponsors agree 
not to use or further disclose protected health information other than 
as permitted or required by plan documents or ``required by law,'' one 
commenter requested that the definition of ``required by law'' set 
forth at Sec. 164.501 should be revised to reflect that it applies not 
only to covered entities, but also to plan sponsors who are required to 
report under OSHA or similar laws.
    Response: The Department agrees and has made a technical correction 
to the definition of ``required by law'' in Sec. 164.501 to reflect 
that the definition applies to a requirement under law that compels any 
entity, not just a covered entity, to make a use or disclosure of 
protected health information.

D. Section 164.506--Uses and Disclosures for Treatment, Payment, and 
Health Care Operations

1. Consent
    December 2000 Privacy Rule. Treatment and payment for health care 
are core functions of the health care industry, and uses and 
disclosures of individually identifiable health information for such 
purposes are critical to the effective operation of the health care 
system. Health care providers and health plans must also use 
individually identifiable health information for certain health care 
operations, such as administrative, financial, and legal activities, to 
run their businesses and to support the essential health care functions 
of treatment and payment. Equally important are health care operations 
designed to maintain and improve the quality of health care. In 
developing the Privacy Rule, the Department balanced the privacy 
implications of uses and disclosures for treatment, payment, and health 
care operations and the need for these core activities to continue. The 
Department considered the fact that many individuals expect that their 
health information will be used and disclosed as necessary to treat 
them, bill for treatment, and, to some extent, operate the covered 
entity's health care business. Given public expectations with respect 
to the use or disclosure of information for such activities and so as 
not to interfere with an individual's

[[Page 53209]]

access to quality health care or the efficient payment for such health 
care, the Department's goal is, and has always been, to permit these 
activities to occur with little or no restriction.
    Consistent with this goal, the Privacy Rule published in December 
2000 generally provided covered entities with permission to use and 
disclose protected health information as necessary for treatment, 
payment, and health care operations. For certain health care providers 
that have direct treatment relationships with individuals, such as many 
physicians, hospitals, and pharmacies, the December 2000 Privacy Rule 
required such providers to obtain an individual's written consent prior 
to using or disclosing protected health information for these purposes. 
The Department designed consent as a one-time, general permission from 
the individual, which the individual would have had the right to 
revoke. A health care provider could have conditioned treatment on the 
receipt of consent. Other covered entities also could have chosen to 
obtain consent but would have been required to follow the consent 
standards if they opted to do so.
    The consent requirement for health care providers with direct 
treatment relationships was a significant change from the Department's 
initial proposal published in November 1999. At that time, the 
Department proposed to permit all covered entities to use and disclose 
protected health information to carry out treatment, payment, and 
health care operations without any requirement that the covered 
entities obtain an individual's consent for such uses and disclosures, 
subject to a few limited exceptions. Further, the Department proposed 
to prohibit covered entities from obtaining an individual's consent for 
uses and disclosures of protected health information for these 
purposes, unless required by other applicable law.
    The transition provisions of the Privacy Rule permit covered health 
care providers that were required to obtain consent to use and disclose 
protected health information they created or received prior to the 
compliance date of the Privacy Rule for treatment, payment, or health 
care operations if they had obtained consent, authorization, or other 
express legal permission to use or disclose such information for any of 
these purposes, even if such permission did not meet the consent 
requirements of the Privacy Rule.
    March 2002 NPRM. The Department heard concerns about significant 
practical problems that resulted from the consent requirements in the 
Privacy Rule. Covered entities and others provided numerous examples of 
obstacles that the consent provisions would pose to timely access to 
health care. These examples extended to various types of providers and 
various settings. The most troubling, pervasive problem was that health 
care providers would not have been able to use or disclose protected 
health information for treatment, payment, or health care operations 
purposes prior to their initial face-to-face contact with the patient, 
something which is routinely done today to provide patients with timely 
access to quality health care. A list of some of the more significant 
examples and concerns are as follows:
     Pharmacists would not have been able to fill a 
prescription, search for potential drug interactions, determine 
eligibility, or verify coverage before the individual arrived at the 
pharmacy to pick up the prescription if the individual had not already 
provided consent under the Privacy Rule.
     Hospitals would not have been able to use information from 
a referring physician to schedule and prepare for procedures before the 
individual presented at the hospital for such procedure, or the patient 
would have had to make a special trip to the hospital to sign the 
consent form.
     Providers who do not provide treatment in person may have 
been unable to provide care because they would have had difficulty 
obtaining prior written consent to use protected health information at 
the first service delivery.
     Emergency medical providers were concerned that, if a 
situation was urgent, they would have had to try to obtain consent to 
comply with the Privacy Rule, even if that would be inconsistent with 
appropriate practice of emergency medicine.
     Emergency medical providers were also concerned that the 
requirement that they attempt to obtain consent as soon as reasonably 
practicable after an emergency would have required significant efforts 
and administrative burden which might have been viewed as harassing by 
individuals, because these providers typically do not have ongoing 
relationships with individuals.
     Providers who did not meet one of the consent exceptions 
were concerned that they could have been put in the untenable position 
of having to decide whether to withhold treatment when an individual 
did not provide consent or proceed to use information to treat the 
individual in violation of the consent requirements.
     The right to revoke a consent would have required tracking 
consents, which could have hampered treatment and resulted in large 
institutional providers deciding that it would be necessary to obtain 
consent at each patient encounter instead.
     The transition provisions would have resulted in 
significant operational problems, and the inability to access health 
records would have had an adverse effect on quality activities, because 
many providers currently are not required to obtain consent for 
treatment, payment, or health care operations.
     Providers that are required by law to treat were concerned 
about the mixed messages to patients and interference with the 
physician-patient relationship that would have resulted because they 
would have had to ask for consent to use or disclose protected health 
information for treatment, payment, or health care operations, but 
could have used or disclosed the information for such purposes even if 
the patient said ``no.''
    As a result of the large number of treatment-related obstacles 
raised by various types of health care providers that would have been 
required to obtain consent, the Department became concerned that 
individual fixes would be too complex and could possibly overlook 
important problems. Instead, the Department proposed an approach 
designed to protect privacy interests by affording patients the 
opportunity to engage in important discussions regarding the use and 
disclosure of their health information through the strengthened notice 
requirement, while allowing activities that are essential to quality 
health care to occur unimpeded (see section III.H. of the preamble for 
a discussion of the strengthened notice requirements).
    Specifically, the Department proposed to make the obtaining of 
consent to use and disclose protected health information for treatment, 
payment, or health care operations more flexible for all covered 
entities, including providers with direct treatment relationships. 
Under this proposal, health care providers with direct treatment 
relationships with individuals would no longer be required to obtain an 
individual's consent prior to using and disclosing information about 
him or her for treatment, payment, and health care operations. They, 
like other covered entities, would have regulatory permission for such 
uses and disclosures.
    The NPRM included provisions to permit covered entities to obtain 
consent for uses and disclosures of protected health information for 
treatment, payment, or health care

[[Page 53210]]

operations, if they wished to do so. These provisions would grant 
providers complete discretion in designing this process. These proposed 
changes were partnered, however, by the proposal to strengthen the 
notice provisions to require direct treatment providers to make good 
faith efforts to obtain a written acknowledgment of receipt of the 
notice. The intent was to preserve the opportunity to raise questions 
about the entity's privacy policies that the consent requirements 
previously provided.
    Overview of Public Comments. The following discussion provides an 
overview of the public comment received on this proposal. Additional 
comments received on this issue are discussed below in the section 
entitled, ``Response to Other Public Comments.''
    The vast majority of commenters addressed the consent proposal. 
Most comments fell into three basic categories: (1) Many comments 
supported the NPRM approach to eliminate the consent requirement; (2) 
many comments urged the Department to require consent, but make 
targeted fixes to address workability issues; and (3) some comments 
urged the Department to strengthen the consent requirement.
    The proposed approach of eliminating required consent and making 
obtaining of consent permissible, at the entity's discretion, was 
supported by many covered entities that asserted that it would provide 
the appropriate balance among access to quality health care, 
administrative burden, and patient privacy. Many argued that the 
appropriate privacy protections were preserved by strengthening the 
notice requirement. This approach was also supported by the NCVHS.
    The comments received in response to the NPRM continued to raise 
the issues and obstacles described above, and others. For example, in 
addition to providing health care services to patients, hospices often 
provide psychological and emotional support to family members. These 
consultations often take place long distance and would likely be 
considered treatment. The consent requirement would make it difficult, 
or impossible in some circumstances, for hospices to provide these 
important services to grieving family members on a timely basis. 
Comments explained that the consent provisions in the Rule pose 
significant obstacles to oncologists as well. Cancer treatment is 
referral-based. Oncologists often obtain information from other 
doctors, hospital, labs, etc., speak with patients by telephone, 
identify treatment options, and develop preliminary treatment plans, 
all before the initial patient visit. The prior consent requirement 
would prevent all of these important preliminary activities before the 
first patient visit, which would delay treatment in cases in which such 
delay cannot be tolerated.
    Other commenters continued to strongly support a consent 
requirement, consistent with their views expressed during the comment 
period in March 2001. Some argued that the NPRM approach would 
eliminate an important consumer protection and that such a ``radical'' 
approach to fixing the workability issues was not required. They 
recommended a targeted approach to fixing each problem, and suggested 
ways to fix each unintended consequence of the consent requirement, in 
lieu of removing the requirement to obtain consent.
    A few commenters argued for reinstating a consent requirement, but 
making it similar to the proposal for acknowledgment of notice by 
permitting flexibility and including a ``good faith'' standard. They 
also urged the Department to narrow the definition of health care 
operations and require that de-identified information be used where 
possible for health care operations.
    Finally, a few commenters continued to assert that consent should 
be strengthened by applying it to more covered entities, requiring it 
to be obtained more frequently, or prohibiting the conditioning of 
treatment on the obtaining of consent.
    Final Modifications. The Department continues to be concerned by 
the multitude of comments and examples demonstrating that the consent 
requirements would result in unintended consequences that would impede 
the provision of health care in many critical circumstances. We are 
also concerned that other such unintended consequences may exist which 
have yet to be brought to our attention. The Department would not have 
been able to address consent issues arising after publication of this 
Rule until at least a year had passed from this Rule's publication date 
due to statutory limitations on the timing of modifications. The 
Department believes in strong privacy protections for individually 
identifiable health information, but does not want to compromise timely 
access to quality health care. The Department also understands that the 
opportunity to discuss privacy practices and concerns is an important 
component of privacy, and that the confidential relationship between a 
patient and a health care provider includes the patient's ability to be 
involved in discussions and decisions related to the use and disclosure 
of protected health information about him or her.
    A review of the comments showed that almost all of the commenters 
that discussed consent acknowledged that there are unintended 
consequences of the consent requirement that would interfere with 
treatment. These comments point toward two potential approaches to 
fixing these problems. The Department could address these problems by 
adopting a single solution that would address most or all of the 
concerns, or could address these problems by adopting changes targeted 
to each specific problem that was brought to the attention of the 
Department. One of the goals in making changes to the Privacy Rule is 
to simplify, rather than add complexity to, the Rule. Another goal is 
to assure that the Privacy Rule does not hamper necessary treatment. 
For both of these reasons, the Department is concerned about adopting 
different changes for different issues related to consent and 
regulating to address specific examples that have been brought to its 
attention. Therefore, the options that the Department most seriously 
considered were those that would provide a global fix to the consent 
problems. Some commenters provided global options other than the 
proposed approach. However, none of these would have resolved the 
operational problems created by a mandatory consent.
    The Department also reviewed State laws to understand how they 
approached uses and disclosures of health information for treatment, 
payment, or health care operations purposes. Of note was the California 
Confidentiality of Medical Information Act. Cal. Civ. Code Sec. 56. 
This law permits health care providers and health plans to disclose 
health information for treatment, payment, and certain types of health 
care operations purposes without obtaining consent of the individual. 
The California HealthCare Foundation conducted a medical privacy and 
confidentiality survey in January 1999 that addressed consumer views on 
confidentiality of medical records. The results showed that, despite 
the California law that permitted disclosures of health information 
without an individual's consent, consumers in California did not have 
greater concerns about confidentiality than other health care 
consumers. This is true with respect to trust of providers and health 
plans to keep health information private and confidential and the level 
of access to health information that providers and health plans have.

[[Page 53211]]

    The Department adopts the approach that was proposed in the NPRM, 
because it is the only one that resolves the operational problems that 
have been identified in a simple and uniform manner. First, this Rule 
strengthens the notice requirements to preserve the opportunity for 
individuals to discuss privacy practices and concerns with providers. 
(See section III.H. of the preamble for the related discussion of 
modifications to strengthen the notice requirements.) Second, the final 
Rule makes the obtaining of consent to use and disclose protected 
health information for treatment, payment, or health care operations 
optional on the part of all covered entities, including providers with 
direct treatment relationships. A health care provider that has a 
direct treatment relationship with an individual is not required by the 
Privacy Rule to obtain an individual's consent prior to using and 
disclosing information about him or her for treatment, payment, and 
health care operations. They, like other covered entities, have 
regulatory permission for such uses and disclosures. The fact that 
there is a State law that has been using a similar model for years 
provides us confidence that this is a workable approach.
    Other rights provided by the Rule are not affected by this 
modification. Although covered entities will not be required to obtain 
an individual's consent, any uses or disclosures of protected health 
information for treatment, payment, or health care operations must 
still be consistent with the covered entity's notice of privacy 
practices. Also, the removal of the consent requirement applies only to 
consent for treatment, payment, and health care operations; it does not 
alter the requirement to obtain an authorization under Sec. 164.508 for 
uses and disclosures of protected health information not otherwise 
permitted by the Privacy Rule or any other requirements for the use or 
disclosure of protected health information. The Department intends to 
enforce strictly the requirement for obtaining an individual's 
authorization, in accordance with Sec. 164.508, for uses and disclosure 
of protected health information for purposes not otherwise permitted or 
required by the Privacy Rule. Furthermore, individuals retain the right 
to request restrictions, in accordance with Sec. 164.522(a). This 
allows individuals and covered entities to enter into agreements to 
restrict uses and disclosures of protected health information for 
treatment, payment, and health care operations that are enforceable 
under the Privacy Rule.
    Although consent for use and disclosure of protected health 
information for treatment, payment, and health care operations is no 
longer mandated, this Final Rule allows covered entities to have a 
consent process if they wish to do so. The Department heard from many 
commenters that obtaining consent was an integral part of the ethical 
and other practice standards for many health care professionals. It, 
therefore, does not prohibit covered entities from obtaining consent.
    This final Rule allows covered entities that choose to have a 
consent process complete discretion in designing that process. Prior 
comments have informed the Department that one consent process and one 
set of principles will likely be unworkable. Covered entities that 
choose to obtain consent may rely on industry practices to design a 
voluntary consent process that works best for their practice area and 
consumers, but they are not required to do so.
    This final Rule effectuates these changes in the same manner as 
proposed by the NPRM. The consent provisions in Sec. 164.506 are 
replaced with a new provision at Sec. 164.506(a) that provides 
regulatory permission for covered entities to use or disclose protected 
health information for treatment, payment, and health care operations. 
A new provision is added at Sec. 164.506(b) that permits covered 
entities to obtain consent if they choose to, and makes clear any such 
consent process does not override or alter the authorization 
requirements in Sec. 164.508. Section 164.506(b) includes a small 
change from the proposed version to make it clearer that authorizations 
are still required by referring directly to authorizations under 
Sec. 164.508.
    Additionally, this final Rule includes a number of conforming 
modifications, identical to those proposed in the NPRM, to accommodate 
the new approach. The most substantive corresponding changes are at 
Secs. 164.502 and 164.532. Section 164.502(a)(1) provides a list of the 
permissible uses and disclosures of protected health information, and 
refers to the corresponding section of the Privacy Rule for the 
detailed requirements. The provisions at Secs. 164.502(a)(1)(ii) and 
(iii) that address uses and disclosures of protected health information 
for treatment, payment, and health care operations are collapsed into a 
single provision, and the language is modified to eliminate the consent 
requirement.
    The references in Sec. 164.532 to Sec. 164.506 and to consent, 
authorization, or other express legal permission obtained for uses and 
disclosures of protected health information for treatment, payment, and 
health care operations prior to the compliance date of the Privacy Rule 
are deleted. The proposal to permit a covered entity to use or disclose 
protected health information for these purposes without consent or 
authorization would apply to any protected health information held by a 
covered entity whether created or received before or after the 
compliance date. Therefore, transition provisions are not necessary.
    This final Rule also includes conforming changes to the definition 
of ``more stringent'' in Sec. 160.202; the text of 
Sec. 164.500(b)(1)(v), Secs. 164.508(a)(2)(i) and (b)(3)(i), and 
Sec. 164.520(b)(1)(ii)(B); the introductory text of Secs. 164.510 and 
164.512, and the title of Sec. 164.512 to eliminate references to 
required consent.

Response to Other Public Comments

    Comment: There were three categories of commenters with respect to 
the Rule's general approach to consent-those that supported the changes 
proposed in the NPRM provisions, those that requested targeted changes 
to the consent requirement, and those that requested that the consent 
requirement be strengthened.
    Many commenters supported the NPRM approach to consent, making 
consent to use or disclose protected health information for treatment, 
payment, and health care operations voluntary for all covered entities. 
These commenters said that this approach provided flexibility for 
covered entities to address consent in a way that is consistent with 
their practices. These commenters also stated that the NPRM approach 
assured that the Privacy Rule would not interfere with or delay 
necessary treatment.
    Those that advocated retaining a consent requirement stated that 
the NPRM approach would undermine trust in the health care system and 
that requiring consent before using or disclosing protected health 
information shows respect for the patient's autonomy, underscores the 
need to inform the patient of the risks and benefits of sharing 
protected health information, and makes it possible for the patient to 
make an informed decision. Many of these commenters suggested that the 
consent requirement be retained and that the problems raised by consent 
be addressed through targeted changes or guidance for each issue.
    Some suggestions targeted to specific problems were: (1) Fix the 
problems

[[Page 53212]]

related to filling prescriptions by treating pharmacists as providers 
with indirect treatment relationships or by deeming a prescription to 
serve as an implied consent; and (2) allow certain uses and disclosures 
prior to first patient encounter. Some of these commenters argued that 
certain issues could be addressed through guidance on other provisions 
in the Rule, rather than a change in the regulation. For example, they 
suggested that guidance could explain that physicians who take phone 
calls for one another are part of an organized health care arrangement, 
or could provide technical assistance about revocations on consent by 
identifying when a covered entity has taken action in reliance on a 
consent.
    Other suggestions were more general. They included suggestions that 
the Department: (1) Substitute a good faith effort requirement for the 
current provisions; (2) provide regulatory permission for certain uses 
and disclosures of protected heath information prior to first service 
delivery; (3) permit oral consent with documentation; (4) retain a 
consent requirement for disclosures, but not uses; (5) retain a consent 
requirement for payment and operations, but not treatment uses and 
disclosures; (6) allow individuals to opt out of the consent 
requirement; (7) allow the consent to apply to activities of referred-
to providers, and (8) retain the consent requirement but add 
flexibility, not exceptions.
    The third group of commenters requested that the consent 
requirement be strengthened. Some requested that the Privacy Rule not 
permit conditioning of treatment or enrollment on consent for multiple 
uses and disclosures. Others requested that the consent requirement be 
extended to covered entities other than providers with direct treatment 
relationships, such as health plans. Some commenters also asked that 
the consent be time-limited or be required more frequently, such as at 
each service delivery.
    Response: The Department recognizes that there are some benefits to 
the consent requirement and has considered all options to preserve the 
consent requirement while fixing the problems it raises. After 
examining each of these options, we do not believe that any would 
address all of the issues that were brought to the Department's 
attention during the comment process or would be the best approach for 
regulating this area. For example, the suggestion to treat pharmacists 
as indirect treatment providers would not be consistent with the 
current regulatory definition of that term and would not have addressed 
other referral situations. This approach was also rejected by some 
pharmacists who view themselves as providing treatment directly to 
individuals. The suggestion to allow certain uses and disclosures prior 
to first patient encounter would not address concerns of tracking 
consents, use of historical data for quality purposes, or the concerns 
of emergency treatment providers.
    The Department desired a global approach to resolving the problems 
raised by the prior consent requirement, so as not to add additional 
complexity to the Privacy Rule or apply different standards to 
different types of direct treatment providers. This approach is 
consistent with the basic goal of the Rule to provide flexibility as 
necessary for the standards to work for all sectors of the health care 
industry.
    More global approaches suggested were carefully considered, but 
each had some flaw or failed to address all of the treatment-related 
concerns brought to our attention. For example, those who suggested 
that the Rule be modified to require a good faith effort to obtain 
consent at first service delivery failed to explain how that approach 
would provide additional protection than the approach we proposed. The 
Department also decided against eliminating the consent requirement 
only for uses and disclosures for treatment, or only for uses of 
protected health information but not for disclosures, because these 
options fall short of addressing all of the problems raised. Scheduling 
appointments and surgeries, and conducting many pre-admission 
activities, are health care operations activities, not treatment. 
Retaining the consent requirement for payment would be problematic 
because, in cases where a provider, such as a pharmacist or hospital, 
engages in a payment activity prior to face-to-face contact with the 
individual, it would prohibit the provider from contacting insurance 
companies to obtain pre-certification or to verify coverage.
    Similarly, the suggestion to limit the prior consent requirement to 
disclosures and not to uses would not have addressed all of the 
problems raised by the consent requirements. Many of the basic 
activities that occur before the initial face-to-face meeting between a 
provider and an individual involve disclosures as well as uses. Like 
the previous approach, this approach also would prohibit pharmacists 
and hospitals from contacting insurance companies to obtain pre-
certification or verify coverage if they did not have the individual's 
prior consent to disclose the protected health information for payment. 
It also would prohibit a provider from contacting another provider to 
ask questions about the medical record and discuss the patient's 
condition, because this would be a disclosure and would require 
consent.
    There was a substantial amount of support from commenters for the 
approach taken in the NPRM. The Department continues to believe that 
this approach makes the most sense and meets the goals of not 
interfering with access to quality health care and of providing a 
single standard that works for the entire health care industry. 
Therefore, the Department has adopted the approach proposed in the 
NPRM.
    Comment: Some commenters asserted that eliminating the consent 
requirement would be a departure from current medical ethical standards 
that protect patient confidentiality and common law and State law 
remedies for breach of confidentiality that generally require or 
support patient consent prior to disclosing patient information for any 
reason. Another commenter was concerned that the removal of the consent 
requirement from the Privacy Rule will become the de facto industry 
standard and supplant professional ethical duties to obtain consent for 
the use of protected health information.
    Response: The Privacy Rule provides a floor of privacy protection. 
State laws that are more stringent remain in force. In order not to 
interfere with such laws and ethical standards, this Rule permits 
covered entities to obtain consent. Nor is the Privacy Rule intended to 
serve as a ``best practices'' standard. Thus, professional standards 
that are more protective of privacy retain their vitality.
    Comment: Some commenters requested that, if the Department adopts 
the NPRM approach to eliminate the consent requirement for uses and 
disclosures of protected health information for treatment, payment, or 
health care operations, the definition of ``health care operations'' 
should also be narrowed to protect individual expectations of privacy.
    Response: We disagree. As stated in the preamble to the December 
2000 Privacy Rule, the Department believes that narrowing the 
definition of ``health care operations'' will place serious burdens on 
covered entities and impair their ability to conduct legitimate 
business and management functions.
    Comment: Some commenters requested that the regulation text state 
more specifically that a voluntary consent cannot substitute for an 
authorization when an authorization is otherwise required under the 
Privacy Rule.

[[Page 53213]]

    Response: The Department agrees and modifies the regulation text, 
at Sec. 164.506(b)(2), to make this clear. As stated in the preamble to 
the NPRM, the Department intends to enforce strictly the requirement 
for obtaining an individual's authorization, in accordance with 
Sec. 164.508, for uses and disclosures of protected health information 
for purposes not otherwise permitted or required by the Privacy Rule. A 
consent obtained voluntarily would not be sufficient to permit a use or 
disclosure which, under the Privacy Rule, requires an authorization or 
is otherwise expressly conditioned under the Rule. For example, a 
consent under Sec. 164.506 could not be obtained in lieu of an 
authorization required by Sec. 164.508 or a waiver of authorization by 
an IRB or Privacy Board under Sec. 164.512(i) to disclose protected 
health information for research purposes.
    Comment: Some commenters requested that, if the Department decides 
to allow consent on a voluntary basis, the Privacy Rule include 
requirements for those covered entities that voluntarily choose to 
obtain consents.
    Response: The goal of the NPRM approach was to enhance flexibility 
for covered entities by allowing them to design a consent process that 
best matches their needs. The Department learned over the past year 
that no single consent process works for all covered entities. In 
addition, the Department wants to encourage covered entities to adopt a 
consent process, and is concerned that by prescribing particular rules, 
it would discourage some covered entities from doing so.
    Comment: Some commenters asserted that the consent requirement 
provides individuals with control because providers may not opt to 
withhold treatment if a patient refuses consent only for the use or 
disclosure of protected health information for health care operations.
    Response: These commenters may not fully understand the consent 
requirements in the December 2000 Rule. That requirement did not allow 
separate consents for use of protected health information for 
treatment, payment, and health care operations. The only way to allow 
use of protected health information for treatment but not for health 
care operations purposes would have been to invoke the right to request 
restrictions (Sec. 164.522(a)); the provider could agree or not agree 
to restrict use and disclosure of protected health information for 
health care operations. That is also how the Rule will work with these 
modifications. The Department is not modifying the right to request 
restrictions.
    Comment: Some commenters were confused about the relationship 
between the proposed changes to the consent provisions and State law. 
Some were concerned that the Privacy Rule would override State consent 
laws which provide stronger protections for medical and 
psychotherapeutic privacy.
    Response: The Privacy Rule does not weaken the operation of State 
laws that require consent to use or disclose health information. The 
Privacy Rule permits a covered entity to obtain consent to use or 
disclose health information, and, therefore, presents no barrier to the 
entity's ability to comply with State law requirements.
    Comment: One commenter suggested that the consent requirement be 
retained to protect victims of domestic violence.
    Response: The Department understands the concerns that the Privacy 
Rule not endanger victims of domestic violence, but we do not believe 
that eliminating the consent requirement will do so. The Department 
believes that the provisions that provide real protections to victims 
of domestic violence in how information is used or disclosed for 
treatment, payment, and health care operations, are provisions that 
allow an individual to object to disclosure of directory information 
and of protected health information to family members or friends 
involved in the individual's care (see Sec. 164.510), that provide an 
individual the right to request restrictions (see Sec. 164.522(a)), and 
that grant an individual the right to request confidential 
communications (see Sec. 164.522(b)). These provisions are not affected 
by the changes in this final Rule.
    Comment: One commenter asserted that written consent represents a 
signed agreement between the provider and patient regarding the manner 
in which covered entities will use and disclose health information in 
the future, and that the removal of this requirement would shift 
``ownership'' of records from patients to doctors and corporate 
entities.
    Response: The Department disagrees with this position. Our research 
indicates that a signed consent form is most typically treated as a 
waiver of rights by a patient and not as a binding agreement between a 
provider and a patient. Further, many States have laws assigning the 
ownership of records, apart from any consent requirements. The Privacy 
Rule does not address, and is not intended to affect, existing laws 
governing the ownership of health records.
    Comment: A few commenters claimed that the signed notice of a 
provider's privacy policy is meaningless if the individual has no right 
to withhold consent and the NPRM approach would reinforce the fact that 
individuals have no say in how their health information is used or 
disclosed.
    Response: The Department disagrees. The individual's options under 
the consent requirement established by the Privacy Rule published in 
December 2000 and the voluntary consent and strengthened notice 
provisions adopted by this Rule are the same. Under the previous Rule, 
a patient who disagreed with the covered entity's information practices 
as stated in the notice could withhold consent and not receive 
treatment, or could sign the consent form and obtain treatment despite 
concerns about the information practices. The patient could request 
that the provider restrict the use and/or disclosure of the 
information. Under the Rule as modified, a patient who disagrees with 
the covered entity's information practices as stated in the notice, can 
choose not to receive treatment from that provider, or can obtain 
treatment despite concerns about the information practices. The patient 
can request that the provider restrict the use and/or disclosure of the 
information. The result, for the patient, is the same.
    Comment: One commenter requested clarification with respect to the 
effect of a revocation of voluntary consent and whether agreed-to 
restrictions must be honored.
    Response: The final Rule is silent as to how a covered entity 
handles the revocation of a voluntary consent under Sec. 164.506(b)(1). 
The Rule provides the covered entity that chooses to adopt a consent 
process discretion to design the process that works for that entity.
    The change to the consent provision in the Privacy Rule does not 
affect the right of an individual under Sec. 164.522(a) to request 
restrictions to a use or disclosure of protected health information. 
While a covered entity is not required to agree to such restrictions, 
it must act in accordance with any restriction it does agree to. 
Failure of a covered entity to act in accordance with an agreed-to 
restriction is a violation of the Rule.
    Comment: Commenters asked the Department to rename consent to 
``consent for information use'' to reduce confusion with consent for 
treatment.
    Response: In order to clear up confusion between informed consent 
for treatment, which is addressed by State law, and consent to use or 
disclose protected health information under the

[[Page 53214]]

Privacy Rule, we changed the title of Sec. 164.506(b) from ``Consent 
permitted'' to ``Consent for uses and disclosures of information 
permitted.'' The Privacy Rule does not affect informed consent for 
treatment.
    Comment: A few commenters requested that the Department modify the 
regulation to state that de-identified information should be used for 
health care operations where possible.
    Response: The Department continues to encourage covered entities to 
use de-identified information wherever possible. As the Department has 
made this position clear in the preambles to both the December 2000 
Privacy Rule and the March 2002 NPRM, as well as in this preamble, we 
do not believe that it is necessary to modify the regulation to include 
such language. Further, the minimum necessary requirements, under 
Secs. 164.502(b)(2) and 164.514(d), already require a covered entity to 
make reasonable efforts to limit protected health information used for 
health care operations and other purposes to the minimum necessary to 
accomplish the intended purpose, which may, in some cases, be de-
identified information.
    Comment: One commenter requested that the Privacy Rule state that 
consent is not required for provider-to-provider communications.
    Response: Prior to these final modifications, the consent 
requirements of the Privacy Rule would have required a provider to 
obtain written consent to disclose protected health information to 
another provider for treatment purposes--which could have interfered 
with an individual's ability to obtain timely access to quality care. 
This is one reason the Department has eliminated the consent 
requirement for treatment, payment, and health care operations. 
Providers will not need a patient's consent to consult with other 
providers about the treatment of a patient. However, if a provider is 
disclosing protected health information to another provider for 
purposes other than treatment, payment, or health care operations, an 
authorization may be required under Sec. 164.508 (e.g., generally, 
disclosures for clinical trials would require an authorization).
    Comment: One commenter asserted that, without a consent 
requirement, nothing will stop a health plan from demanding a patient's 
mental health records as a condition of payment for physical therapy.
    Response: The Department does not agree that the former consent 
requirement is the relevant standard with respect to the activities of 
the health plan that concern the commenter. Rather, the Transactions 
Rule and the minimum necessary standard of the Privacy Rule prescribe 
and limit the health information that may be disclosed as part of 
payment transactions between health plans and health care providers. 
Although a health plan may request additional information to process a 
specific claim, in addition to the required and situational elements 
under the Transactions Rule, the request must comply with the Privacy 
Rule's minimum necessary requirements. In this example, the health plan 
can only request mental health records if they are reasonably necessary 
for the plan to process the physical therapy claim.
2. Disclosures for Treatment, Payment, or Health Care Operations of 
Another Entity
    December 2000 Privacy Rule. The Privacy Rule permits a covered 
entity to use and disclose protected health information for treatment, 
payment, or health care operations. For treatment purposes, the Rule 
generally allows protected health information to be shared without 
restriction. The definition of ``treatment'' incorporates the necessary 
interaction of more than one entity. In particular, the definition of 
``treatment'' includes the coordination and management of health care 
among health care providers or by a health care provider with a third 
party, consultations between health care providers, and referrals of a 
patient for health care from one health care provider to another. As a 
result, covered entities are permitted to disclose protected health 
information for treatment purposes regardless of to whom the disclosure 
is made, as well as to disclose protected health information for the 
treatment activities of another health care provider.
    However, for payment and health care operations, the Privacy Rule, 
as published in December 2000, generally limited a covered entity's 
uses and disclosures of protected health information to those that were 
necessary for its own payment and health care operations activities. 
This limitation was explicitly stated in the December 2000 preamble 
discussions of the definitions of ``payment'' and ``health care 
operations.'' 65 FR 82490, 82495. The Privacy Rule also provided that a 
covered entity must obtain authorization to disclose protected health 
information for the payment or health care operations of another 
entity. The Department intended these requirements to be consistent 
with individuals' privacy expectations. See 45 CFR 164.506(a)(5) and 
164.508(e).
    March 2002 NPRM. Since the publication of the December 2000 Rule, a 
number of commenters raised specific concerns with the restriction that 
a covered entity may not disclose protected health information for 
another entity's payment and health care operations activities, absent 
an authorization. These commenters presented a number of examples where 
such a restriction would impede the ability of certain entities to 
obtain reimbursement for health care, to conduct certain quality 
assurance or improvement activities, such as accreditation, or to 
monitor fraud and abuse.
    With regard to payment, for example, the Department heard concerns 
of ambulance service providers who explained that they normally receive 
the information they need to obtain payment for their treatment 
services from the hospital emergency departments to which they 
transport their patients. They explained that it is usually not 
possible for the ambulance service provider to obtain such information 
directly from the individual, nor is it always practicable or feasible 
for the hospital to obtain the individual's authorization to provide 
payment information to the ambulance service provider. This disclosure 
of protected health information from the hospital to the ambulance 
service provider was not permitted under the December 2000 Privacy Rule 
without an authorization from the patient, because it was a disclosure 
by the hospital for the payment activities of the ambulance service 
provider.
    Commenters also were concerned about situations in which covered 
entities outsource their billing, claims, and reimbursement functions 
to accounts receivable management companies. These collectors often 
attempt to recover payments from a patient on behalf of multiple health 
care providers. Commenters were concerned that the Privacy Rule would 
prevent these collectors, as business associates of multiple providers, 
from using a patient's demographic information received from one 
provider to facilitate collection for another provider's payment.
    With regard to health care operations, the Department also received 
comments about the difficulty that the Privacy Rule would place on 
health plans trying to obtain information needed for quality assessment 
activities. Health plans informed the Department that they need to 
obtain individually identifiable health information from health care 
providers for the plans' quality-related activities, accreditation, and 
performance measures, such as Health Plan Employer Data and Information 
Set

[[Page 53215]]

(HEDIS). Commenters explained that the information provided to plans 
for payment purposes (e.g., claims or encounter information) may not be 
sufficient for quality assessment or accreditation purposes.
    The NCVHS, in response to public testimony on this issue at its 
August 2001 hearing, also recommended that the Department amend the 
Privacy Rule to allow for uses and disclosures for quality-related 
activities among covered entities, without the individual's written 
authorization.
    Based on these concerns, the Department proposed to modify 
Sec. 164.506 to permit a covered entity to disclose protected health 
information for the payment activities of another covered entity or any 
health care provider, and also for certain types of health care 
operations of another covered entity. The proposal would broaden the 
uses and disclosures that are permitted without authorization as part 
of treatment, payment, and health care operations so as not to 
interfere inappropriately with access to quality and effective health 
care, while limiting this expansion in order to continue to protect the 
privacy expectations of the individual.
    Specifically, the Department proposed the following. First, the 
Department proposed to add to Sec. 164.506(c)(1) language stating that 
a covered entity may use or disclose protected health information for 
its own treatment, payment, or health care operations without prior 
permission.
    Second, the Department proposed to include language in 
Sec. 164.506(c)(2) to clarify its intent that a covered entity may 
share protected health information for the treatment activities of 
another health care provider. For example, a primary care provider who 
is a covered entity under the Privacy Rule may send a copy of an 
individual's medical record to a specialist who needs the information 
to treat the same individual, whether or not that specialist is also a 
covered entity. No authorization would be required.
    Third, the Department proposed to include language in 
Sec. 164.506(c)(3) to permit a covered entity to disclose protected 
health information to another covered entity or any health care 
provider for the payment activities of that entity. The Department 
recognized that not all health care providers who need protected health 
information to obtain payment are covered entities, and, therefore, 
proposed to allow disclosures of protected health information to both 
covered and non-covered health care providers. In addition, the 
Department proposed a conforming change to delete the word ``covered'' 
in paragraph (1)(ii) of the definition of ``payment,'' to permit 
disclosures to non-covered providers for their payment activities.
    The Department also proposed to limit disclosures under this 
provision to those health plans that are covered by the Privacy Rule. 
However, the Department solicited comment on whether plans that are not 
covered by the Privacy Rule would be able to obtain the protected 
health information that they need for payment purposes.
    Fourth, in Sec. 164.506(c)(4), the Department proposed to permit a 
covered entity to disclose protected health information about an 
individual to another covered entity for specified health care 
operations purposes of the covered entity that receives the 
information, provided that both entities have a relationship with the 
individual. This proposed expansion was limited in a number of ways. 
The proposal would permit such disclosures only for the activities 
described in paragraphs (1) and (2) of the definition of ``health care 
operations,'' as well as for health care fraud and abuse detection and 
compliance programs (as provided for in paragraph (4) of the definition 
of ``health care operations''). The activities that fall into 
paragraphs (1) and (2) of the definition of ``health care operations'' 
include quality assessment and improvement activities, population-based 
activities relating to improving health or reducing health care costs, 
case management, conducting training programs, and accreditation, 
certification, licensing, or credentialing activities. The Department 
proposed this limitation because it recognized that ``health care 
operations'' is a broad term and that individuals are less aware of the 
business-related activities that are part of health care operations 
than they are of treatment- or payment-related activities. In addition, 
many commenters and the NCVHS focused their comments on covered 
entities' needs to share protected health information for quality-
related health care operations activities. The proposed provision was 
intended to allow information to flow from one covered entity to 
another for activities important to providing quality and effective 
health care.
    The proposal would have applied only to disclosures of protected 
health information to other covered entities. By limiting such 
disclosures to those entities that are required to comply with the 
Privacy Rule, the Department intended to ensure that the protected 
health information remained protected. The Department believed that 
this would create the appropriate balance between meeting an 
individual's privacy expectations and meeting a covered entity's need 
for information for quality-related health care operations.
    Further, such disclosures would be permitted only to the extent 
that each entity has, or had, a relationship with the individual who is 
the subject of the information being disclosed. Where the relationship 
between the individual and the covered entity has ended, a disclosure 
of protected health information about the individual would be allowed 
only if related to the past relationship. The Department believed that 
this limitation would be necessary in order to further protect the 
privacy expectations of the individual.
    The proposal made clear that these provisions would not eliminate a 
covered entity's responsibility to apply the Privacy Rule's minimum 
necessary provisions to both the disclosure of and request for 
protected health information for payment and health care operations 
purposes. In addition, the proposal strongly encouraged the use of de-
identified information, wherever feasible.
    While the Department stated that it believed it had struck the 
right balance with respect to the proposed modification for disclosures 
for health care operations, the Department was aware that the proposal 
could pose barriers to disclosures for quality-related health care 
operations to health plans and health care providers that are not 
covered entities, or to entities that do not have a relationship with 
the individual. Therefore, the preamble referred commenters to the 
Department's request for comment on an approach that would permit for 
any health care operations purposes the disclosure of protected health 
information that does not contain direct identifiers, subject to a data 
use or similar agreement.
    In addition, related to the above modifications and in response to 
comments evidencing confusion on this matter, the Department also 
proposed to clarify that covered entities participating in an organized 
health care arrangement (OHCA) may share protected health information 
for the health care operations of the OHCA (Sec. 164.506(c)(5)). The 
Department also proposed to remove the language regarding OHCAs from 
the definition of ``health care operations'' as unnecessary because 
such language now would appear in Sec. 164.506(c)(5).
    Overview of Public Comments. The following discussion provides an 
overview of the public comment received on this proposal. Additional

[[Page 53216]]

comments received on this issue are discussed below in the section 
entitled, ``Response to Other Public Comments.''
    The Department received a number of comments on its proposal to 
permit a covered entity to disclose protected health information for 
the payment and health care operations activities of other entities.
    Most of the commenters who addressed the Department's proposed 
clarification regarding treatment expressed support for the 
clarification. Also, the majority of commenters supported, either 
wholly or in part, the Department's proposal to expand the payment and 
health care operations disclosures that would be permitted.
    Most commenters generally were supportive of the Department's 
proposed approach regarding disclosures for payment. A number of 
commenters stated that the proposed expansion is important to 
facilitate coordination of benefits for many patients who have multiple 
sources of payment for prescription drugs. One commenter, however, 
requested that the Department narrow its proposed language to address 
only those problems specifically described in the preamble, that is, 
payment issues faced by ambulance providers and collection agencies 
that are business associates of multiple health care providers. This 
commenter stated that, at the very least, covered entities should be 
required to obtain assurances from non-covered providers, prior to 
disclosure of protected health information, that the recipient will not 
use protected health information for any other purpose or disclose it 
to others. Another commenter remarked that the proposal to limit 
disclosures only to another covered entity or any health care provider 
may impede disclosures to reinsurers that are not covered entities.
    While most commenters supported expanding disclosures for health 
care operations, many requested that the Department modify the proposal 
in a number of ways. For example, a number of health plans and others 
requested that the Department eliminate the condition that both covered 
entities have a relationship with the individual. Some of these 
commenters explained that such a restriction would impede some fraud 
and abuse activities, credentialing investigations, and quality 
assurance research and outcome studies. Some commenters asked that the 
Department clarify that the condition that both covered entities have a 
relationship with the individual would not be limited to a current 
relationship, but also would include a past relationship with the 
individual.
    In addition, many commenters requested that the Department expand 
the proposed provision to allow for disclosures for any type of health 
care operation of another covered entity, or at least additional 
activities beyond those specified in the proposal. Some health plans 
commented that they may need information from a health care provider in 
order for the health plan to resolve member or internal grievances, 
provide customer service, arrange for legal services, or conduct 
medical review or auditing activities. A number of commenters requested 
that the proposal be expanded to allow for disclosures for another 
covered entity's underwriting or premium rating.
    Some commenters also requested that the Department expand the 
provision to allow for disclosures to non-covered entities. In 
particular, a number of these commenters urged that the Department 
allow disclosures to non-covered insurers for fraud and abuse purposes. 
Some of these commenters specifically requested that the Department 
allow for disclosures to affiliated entities or non-health care 
components of the covered entity for purposes of investigating fraud 
and abuse. A few commenters requested that the Rule allow for 
disclosures to a non-covered health care provider for that provider's 
operations. For example, it was explained that an independent emergency 
services provider, who is not a covered entity and who often asks for 
outcome information on patients it has treated and transported to a 
facility because it wants to improve care, would be unable to obtain 
such information absent the individual's authorization.
    Some commenters were generally opposed to the proposed expansion of 
the disclosures permitted under the Rule for health care operations 
purposes, viewing the proposal as a weakening of the Privacy Rule. One 
of these commenters urged the Department to implement a targeted 
solution allowing disclosures for only those activities specifically 
identified as problematic in the preamble, instead of allowing 
disclosures for all activities that fall within certain paragraphs 
within the definition of ``health care operations.''
    Final Modifications. In this final Rule, the Department adopts its 
proposal to allow covered entities to disclose protected health 
information for the treatment, payment, and certain health care 
operations purposes of another entity. Specifically, the final Rule at 
Sec. 164.506(c):
    (1) States that a covered entity may use or disclose protected 
health information for its own treatment, payment, or health care 
operations.
    (2) Clarifies that a covered entity may use or disclose protected 
health information for the treatment activities of any health care 
provider.
    (3) Permits a covered entity to disclose protected health 
information to another covered entity or any health care provider for 
the payment activities of the entity that receives the information.
    (4) Permits a covered entity to disclose protected health 
information to another covered entity for the health care operations 
activities of the entity that receives the information, if each entity 
either has or had a relationship with the individual who is the subject 
of the information, the protected health information pertains to such 
relationship, and the disclosure is:
    (i) For a purpose listed in paragraphs (1) or (2) of the definition 
of ``health care operations,'' which includes quality assessment and 
improvement activities, population-based activities relating to 
improving health or reducing health care costs, case management and 
care coordination, conducting training programs, and accreditation, 
licensing, or credentialing activities; or
    (ii) For the purpose of health care fraud and abuse detection or 
compliance.
    (5) Clarifies that a covered entity that participates in an 
organized health care arrangement may disclose protected health 
information about an individual to another covered entity that 
participates in the organized health care arrangement for any health 
care operations activities of the organized health care arrangement.
    Based on the comments received, the Department believes that the 
above provisions strike the appropriate balance between meeting an 
individual's privacy expectations and meeting a covered entity's need 
for information for reimbursement and quality purposes. The Department 
also clarifies that disclosures pursuant to the above provisions may be 
made to or by a business associate of a covered entity.
    In Sec. 164.506(c)(2), in response to a comment, the Department 
deletes the word ``another'' before ``health care provider'' to 
eliminate any implication that the disclosing entity must also be a 
health care provider.
    With respect to payment, the majority of commenters were supportive 
of the Department's proposal. In response to those commenters who 
expressed support for the proposal because it would facilitate 
coordination of benefits, the Department clarifies that the definition 
of ``payment'' in the

[[Page 53217]]

Privacy Rule allows for uses and disclosures necessary for coordination 
of benefits. The new language may, however, reinforce that uses and 
disclosures for such purposes are permitted under the Rule.
    The Department does not believe, as suggested by one commenter, 
that a targeted approach, one that would address only the problems 
raised by the ambulance providers and collection agencies, is a 
practical solution to these problems. The Department believes that 
these problems may apply in other situations. For example, an indirect 
treatment provider, such as a pathologist, may need to obtain health 
coverage information about an individual for billing purposes from the 
hospital to which the pathologist provided services. If the Department 
addressed only these discrete scenarios in this final modification, 
each additional similar problem that arises would require another 
rulemaking, which would, in and of itself, create a problem because the 
Department can change a standard only once per year. In addition, by 
creating special rules to address multiple, distinct circumstances, the 
Department would have created a substantially more complicated policy 
for covered entities to follow and implement.
    The suggestion that the Department require a covered entity to 
obtain assurances from non-covered providers, prior to disclosure of 
protected health information for payment purposes, that the recipient 
will not use protected health information for any other purpose or 
disclose it to others, similarly would add a layer of complexity to 
payment disclosures. Such a requirement would encumber these 
communications and may interfere with the ability of non-covered health 
care providers to be paid for treatment they have provided. Moreover, 
the Privacy Rule requires a covered entity to apply the minimum 
necessary standard to disclosures for a non-covered provider's payment 
purposes. Thus, a non-covered provider will receive only the minimum 
information reasonably necessary for such purposes. Accordingly, the 
Department believes the final Rule appropriately and practically 
addresses the issue.
    In response to the comment that the proposal may impede disclosures 
to reinsurers who are not covered entities, the Department clarifies 
that disclosures to obtain payment under a contract for reinsurance 
explicitly are permitted as part of the definition of ``payment,'' 
regardless of whether the reinsurer is a covered entity. Similarly, 
disclosures for the purposes of ceding, securing, or placing a contract 
for reinsurance of risk relating to claims for health care are 
explicitly permitted as part of the definition of ``health care 
operations,'' also without regard to whether the reinsurer is a covered 
entity. See the definitions of ``payment'' and ``health care 
operations'' in Sec. 164.501.
    With respect to disclosures for the health care operations of 
another covered entity, the Department continues to believe that the 
condition that both entities have a relationship with the individual is 
appropriate to balance an individual's privacy expectations with a 
covered entity's need for the information. The Department clarifies 
that a covered entity, prior to making a disclosure allowed under this 
requirement, is permitted to communicate with another covered entity as 
necessary to determine if this condition has been met. Additionally, in 
response to comments, the Department adds language to 
Sec. 164.506(c)(4) to make clear that the condition that both covered 
entities have a relationship with the individual is not limited to a 
current relationship. Where the relationship between the covered entity 
and the individual has ended, a disclosure of protected health 
information about the individual is permitted to the extent the 
disclosure is related to the past relationship. For example, the final 
Rule would permit a health care provider to disclose protected health 
information to a health plan for HEDIS purposes, even if the individual 
no longer was covered by the health plan, provided that the period for 
which information is needed overlaps with the period for which the 
individual was enrolled in the health plan.
    In response to commenters who were concerned that this condition 
would impede certain health care operations activities where the 
covered entity may not have a relationship with the individual, the 
Department notes that the new limited data set provisions in 
Sec. 164.514(e) are intended to provide a mechanism for disclosures of 
protected health information for quality and other health care 
operations where the covered entity requesting the information does not 
have a relationship with the individual. Under those provisions, the 
final modifications permit a covered entity to disclose protected 
health information, with direct identifiers removed, for any health 
care operations activities of the entity requesting the information, 
subject to a data use agreement. Additionally, as clarified by 
Sec. 164.506(c)(5), covered entities that participate in an OHCA may 
share protected health information for the health care operations of 
the OHCA, without the condition that each covered entity have a 
relationship with the individual who is the subject of the information. 
The Department believes that such provisions provide adequate avenues 
for covered entities to obtain the information they need for health 
care operations activities, without eliminating appropriate privacy 
protections and conditions on such disclosures.
    The Department also was not persuaded by the comments that the 
proposal should be broadened to allow disclosures for other types of 
health care operations activities, such as resolution of internal 
grievances, customer service, or medical review or auditing activities. 
The Department believes that the provisions at Sec. 164.506(c)(5), 
which permit covered entities that participate in an OHCA to share 
information for any health care operations activities of the OHCA, 
adequately provides for such disclosures. For example, a health plan 
and the health care providers in its network that participate as part 
of the same OHCA are permitted to share information for any of the 
activities listed in the definition of ``health care operations.'' The 
Department understands the need for entities participating in these 
joint arrangements to have shared access to information for health care 
operations purposes and intended the OHCA provisions to provide for 
such access. Where such a joint arrangement does not exist and fully 
identifiable health information is needed, one covered entity may 
disclose protected health information for another covered entity's 
health care operations pursuant to an individual's authorization as 
required by Sec. 164.508. In addition, as described above, a covered 
entity also may disclose protected health information as part of a 
limited data set, with direct identifiers removed, for such purposes, 
as permitted by Sec. 164.514(e).
    With respect to underwriting and premium rating, a few commenters 
raised similar concerns that the Department's proposal to expand the 
disclosures permitted under health care operations would not allow for 
the disclosures between a health insurance issuer and a group health 
plan, or the agent or broker as a business associate of the plan, 
needed to perform functions related to supplementing or replacing 
insurance coverage, such as to solicit bids from prospective issuers. 
The Department clarifies that, if more than summary health information 
is needed for this purpose, paragraphs (3), (4), and (5) of the 
definition of ``organized health

[[Page 53218]]

care arrangement'' may permit the disclosure. These provisions define 
the arrangements between group health plans and their health insurance 
issuers or HMOs as OHCAs, which are permitted to share information for 
each other's health care operations. Such disclosures also may be made 
to a broker or agent that is a business associate of the health plan. 
The Department clarifies that the OHCA provisions also permit the 
sharing of protected health information between such entities even when 
they no longer have a current relationship, that is, when a group 
health plan needs protected health information from a former issuer. 
The Department, therefore, does not believe that a broadening of the 
provisions under Sec. 164.506(c)(4), to allow disclosures of protected 
health information for other types of health care operations 
activities, is warranted.
    The final Rule also adopts the condition proposed in the NPRM that 
disclosures for these health care operations may be made only to 
another covered entity. The Department continues to consider such a 
condition necessary to appropriately balance an individual's privacy 
interests with entities' needs for the information. The Department was 
not convinced by the commenters who urged that this condition needed to 
be eliminated to allow for disclosures to non-covered health care 
providers or third parties. The Department believes that permitting 
disclosures of protected health information to a non-covered provider 
for that provider's treatment and payment purposes is warranted and 
appropriate so as not to impede such core activities. However, given 
that an individual's health information will no longer be protected 
when it is disclosed to a non-covered provider, the Department does not 
consider disclosures for a non-covered provider's health care 
operations to warrant similar consideration under the Rule. Moreover, 
this final Rule at Sec. 164.514(e) permits a covered entity to disclose 
a limited data set, with direct identifiers removed, to a non-covered 
provider for any of the provider's health care operations purposes, 
without individual authorization.
    Also, the Department believes that expanding the provision to allow 
disclosures to a third party for any of the third party's business 
operations would severely weaken the Privacy Rule and essentially 
negate the need for individual authorization. With respect to those 
commenters who urged the Department to permit disclosures to non-health 
care components of a hybrid entity or to an affiliated entity for the 
purposes of investigating fraud and abuse, the Department's position is 
that disclosures to a non-health care component within a hybrid entity 
or to a non-covered affiliated entity present the same privacy risks as 
do disclosures to a non-covered entity. The Privacy Rule, therefore, 
permits such disclosures only to the same extent the disclosures are 
permitted to a separate entity. This policy is further explained in 
section III.C.1. regarding hybrid entities.
    Lastly, the Department believes that the final Rule does in fact 
implement a targeted solution to the problems previously identified by 
commenters, by allowing disclosures for only quality-related and fraud 
and abuse activities. The Department does not believe further limiting 
such disclosures to only certain activities within paragraphs (1) and 
(2) of the definition of ``health care operations'' is practical or 
appropriate. The Department is aware of the important role that these 
quality-related activities play in ensuring that individuals have 
access to quality health care. Covered entities have a legitimate need 
for protected health information in order to conduct these quality 
activities, regardless of whether such information is used for HEDIS 
purposes or for training. Moreover, as described above, the final Rule 
retains a number of conditions on such disclosures that serve to 
protect an individual's privacy interests and expectations. In 
addition, the Privacy Rule requires that the minimum necessary standard 
be applied to both covered entities' requests for and disclosures of 
protected health information for such purposes.

Response to Other Public Comments

    Comment: One commenter urged that the Department permit disclosures 
among participants in an OHCA only when their privacy notices (or any 
joint notice they issue) informs individuals of this possibility.
    Response: The Privacy Rule requires the joint notice of an OHCA to 
reflect the fact that the notice covers more than one covered entity 
and that, if applicable, the covered entities participating in the OHCA 
will share protected health information with each other, as necessary 
to carry out treatment, payment, or health care operations relating to 
the OHCA. See Sec. 164.520(d). Where the participants of an OHCA choose 
to have separate notices, such notices must reflect and describe in 
sufficient detail the particular uses and disclosures that each covered 
entity may make to place the individual on notice. This detail should 
include disclosures to other members of an OHCA, where appropriate.
    Comment: Another commenter requested clarification as to whether a 
covered entity (such as an HMO) is permitted to disclose protected 
health information for payment and health care operations both to the 
group health plan and to the plan's third party administrator or plan 
sponsor. The commenter stated that it was not clear from the proposal 
whether a covered entity could share protected health information 
directly with another covered entity's business associate.
    Response: The Department clarifies that, if the Rule permits a 
covered entity to share protected health information with another 
covered entity, the covered entity is permitted to disclose protected 
health information directly to a business associate acting on behalf of 
that other covered entity. This is true with respect to all of the 
Rule's provisions. Also, an HMO may disclose protected health 
information to a group health plan, or a third party administrator that 
is a business associate of the plan, because the relationship between 
the HMO and the group health plan is defined as an OHCA for purposes of 
the Rule. See Sec. 164.501, definition of ``organized health care 
arrangement.'' The group health plan (or the HMO with respect to the 
group health plan) may disclose protected health information to a plan 
sponsor in accordance with Sec. 164.504(f).
    Comment: Several commenters requested that the Department expand 
the definition of ``payment'' to include disclosures to a responsible 
party. Additionally, these commenters urged that the Department permit 
covered entities (and their business associates) to use and disclose 
protected health information as permitted by other law, rather than 
only as required by law. These commenters were concerned that the 
Privacy Rule would impede the ability of first-party billing companies, 
collection agencies, and accounts receivable management companies to 
continue to bill and communicate, on behalf of a health care provider, 
with the responsible party on an account when that person is different 
from the individual to whom health care services were provided; report 
outstanding receivables owed by the responsible party on an account to 
a credit reporting agency; and perform collection litigation services.
    Response: The Department does not believe a modification to the 
definition of ``payment'' is necessary. The Privacy Rule permits a 
covered entity, or a business associate acting on behalf of a covered 
entity (e.g., a collection agency),

[[Page 53219]]

to disclose protected health information as necessary to obtain payment 
for health care, and does not limit to whom such a disclosure may be 
made. See the definition of ``payment'' in Sec. 164.501. Therefore, a 
collection agency, as a business associate of a covered entity, is 
permitted to contact persons other than the individual to whom health 
care is provided as necessary to obtain payment for such services.
    Regarding the commenters' concerns about collection or payment 
activities otherwise permitted by law, the Department clarifies that 
the Privacy Rule permits covered entities to use and disclose protected 
health information as required by other law, or as permitted by other 
law provided that such use or disclosure does not conflict with the 
Privacy Rule. For example, the Privacy Rule permits a collection 
agency, as a business associate of a covered health care provider, to 
use and disclose protected health information as necessary to obtain 
reimbursement for health care services, which could include disclosures 
of certain protected health information to a credit reporting agency, 
or as part of collection litigation. See the definition of ``payment'' 
in Sec. 164.501.
    The Department notes, however, that a covered entity, and its 
business associate through its contract, is required to reasonably 
limit the amount of information disclosed for such purposes to the 
minimum necessary, where applicable, as well as abide by any reasonable 
requests for confidential communications and any agreed-to restrictions 
as required by the Privacy Rule.
    Comment: One commenter asked that the Department clarify that 
disclosure by an eye doctor to confirm a contact prescription received 
by a mail-order contact company is treatment.
    Response: The Department agrees that disclosure of protected health 
information by an eye doctor to a distributor of contact lenses for the 
purpose of confirming a contact lens prescription is treatment and is 
permissible under Sec. 164.506. In relevant part, treatment is defined 
by the Privacy Rule as ``the provision, coordination, or management of 
health care and related services by one or more health care providers, 
including the coordination or management of health care by a health 
care provider with a third party * * *'' Health care is defined, in 
part, as ``care, services, or supplies related to the health of an 
individual. Health care includes * * * Sale or dispensing of a drug, 
device, equipment, or other item in accordance with a prescription.'' 
Therefore, the dispensing of contact lenses based on a prescription is 
health care and the disclosure of protected health information by a 
provider to confirm a prescription falls within the provision, 
coordination, or management of health care and related services and is 
a treatment activity.

E. Uses and Disclosures for Which Authorization Is Required

1. Restructuring Authorization
    December 2000 Privacy Rule. The Privacy Rule requires individual 
authorization for uses and disclosures of protected health information 
for purposes that are not otherwise permitted or required under the 
Rule. To ensure that authorizations are informed and voluntary, the 
Rule prohibits, with limited exceptions, covered entities from 
conditioning treatment, payment, or eligibility for benefits or 
enrollment in a health plan, on obtaining an authorization. The Rule 
also permits, with limited exceptions, individuals to revoke an 
authorization at any time. Additionally, the Rule sets out core 
elements that must be included in any authorization. These elements are 
intended to provide individuals with the information they need to make 
an informed decision about giving their authorization. This information 
includes specific details about the use or disclosure, and provides the 
individual fair notice about his or her rights with respect to the 
authorization and the potential for the information to be redisclosed. 
Additionally, the authorization must be written in plain language so 
individuals can read and understand its contents. The Privacy Rule 
required that authorizations provide individuals with additional 
information for specific circumstances under the following three sets 
of implementation specifications: In Sec. 164.508(d), for 
authorizations requested by a covered entity for its own uses and 
disclosures; in Sec. 164.508(e), for authorizations requested by a 
covered entity for another entity to disclose protected health 
information to the covered entity requesting the authorization to carry 
out treatment, payment, or health care operations; and in 
Sec. 164.508(f), for authorizations requested by a covered entity for 
research that includes treatment of the individual.
    March 2002 NPRM. Various issues were raised regarding the 
authorization requirements. Commenters claimed the authorization 
provisions were too complex and confusing. They alleged that the 
different sets of implementation specifications were not discrete, 
creating the potential for the implementation specifications for 
specific circumstances to conflict with the required core elements. 
Some covered entities were confused about which authorization 
requirements they should implement in any given circumstance. Also, 
although the Department intended to permit insurers to obtain necessary 
protected health information during contestability periods under State 
law, the Rule did not provide an exception to the revocation provision 
when other law provides an insurer the right to contest an insurance 
policy.
    To address these issues, the Department proposed to simplify the 
authorization provisions by consolidating the implementation 
specifications into a single set of criteria under Sec. 164.508(c), 
thus eliminating paragraphs (d), (e), and (f) which contained separate 
implementation specifications. Under the proposal, paragraph (c)(1) 
would require all authorizations to contain the following core 
elements: (1) A description of the information to be used or disclosed, 
(2) the identification of the persons or class of persons authorized to 
make the use or disclosure of the protected health information, (3) the 
identification of the persons or class of persons to whom the covered 
entity is authorized to make the use or disclosure, (4) a description 
of each purpose of the use or disclosure, (5) an expiration date or 
event, (6) the individual's signature and date, and (7) if signed by a 
personal representative, a description of his or her authority to act 
for the individual. The proposal also included new language to clarify 
that when individuals initiate an authorization for their own purposes, 
the purpose may be described as ``at the request of the individual.''
    In the NPRM, the Department proposed that Sec. 164.508(c)(2) 
require authorizations to contain the following required notifications: 
(1) A statement that the individual may revoke the authorization in 
writing, and either a statement regarding the right to revoke and 
instructions on how to exercise such right or, to the extent this 
information is included in the covered entity's notice, a reference to 
the notice, (2) a statement that treatment, payment, enrollment, or 
eligibility for benefits may not be conditioned on obtaining the 
authorization if such conditioning is prohibited by the Privacy Rule, 
or, if conditioning is permitted by the Privacy Rule a statement about 
the consequences of refusing to sign the authorization, and (3) a 
statement about the potential for the protected health information to 
be redisclosed by the recipient.

[[Page 53220]]

    Also under the proposal, covered entities would be required to 
obtain an authorization to use or disclose protected health information 
for marketing purposes, and to disclose in such authorizations any 
direct or indirect remuneration the covered entity would receive from a 
third party as a result of obtaining or disclosing the protected health 
information. The other proposed changes regarding marketing are 
discussed in section III.A.1. of the preamble.
    The NPRM proposed a new exception to the revocation provision at 
Sec. 164.508(b)(5)(ii) for authorizations obtained as a condition of 
obtaining insurance coverage when other law gives the insurer the right 
to contest the policy. Additionally, the Department proposed that the 
exception to permit conditioning payment of a claim on obtaining an 
authorization be deleted, since the proposed provision to permit the 
sharing of protected health information for the payment activities of 
another covered entity or a health care provider would eliminate the 
need for an authorization in such situations.
    Finally, the Department proposed modifications at 
Sec. 164.508(a)(2)(i)(A), (B), and (C), to clarify its intent that the 
proposed provisions for sharing protected health information for the 
treatment, payment, or health care operations of another entity would 
not apply to psychotherapy notes.
    There were a number of proposed modifications concerning 
authorizations for research purposes. Those modifications are discussed 
in section III.E.2. of the preamble.
    Overview of Public Comments. The following discussion provides an 
overview of the public comment received on this proposal. Additional 
comments received on this issue are discussed below in the section 
entitled, ``Response to Other Public Comments.''
    There was overwhelming support for the proposed modifications. 
Overall, supporters were of the opinion that the consolidation and 
simplification would promote efficiency, simplify compliance, and 
reduce confusion. Many commenters claimed the changes would eliminate 
barriers to quality health care. Some commenters claimed the proposed 
modifications would make the authorization process easier for both 
providers and individuals, and one commenter said they would make 
authorizations easier to read and understand. A number of commenters 
stated the changes would not have adverse consequences for individuals, 
and one commenter noted the proposal would preserve the opportunity for 
individuals to give a meaningful authorization.
    However, some of the proponents suggested the Department go further 
to ease the administrative burden of obtaining authorizations. Some 
urged the Department to eliminate some of the required elements which 
they perceived as unnecessary to protect privacy, while others 
suggested that covered entities should decide which elements were 
relevant in a given situation. Some commenters urged the Department to 
retain the exception to the prohibition on conditioning payment of a 
claim on obtaining an authorization. These commenters expressed fear 
that the voluntary consent process and/or the right to request 
restrictions on uses and disclosures for treatment, payment, or health 
care operations might prevent covered entities from disclosing 
protected health information needed for payment purposes, or providers 
may be reluctant to cooperate in disclosures for payment purposes based 
on inadequately drafted notices.
    Comments were divided on the proposed requirement to disclose 
remuneration in marketing authorizations. Recommendations ranged from 
requiring the disclosure of remuneration on all authorizations, to 
eliminating the requirement altogether.
    Final Modifications. In the final modifications, the Department 
adopts the changes proposed in the NPRM. Since the modifications to the 
authorization provision are comprehensive, the Department is publishing 
this section in its entirety so that it will be easier to use and 
understand. Therefore, the preamble addresses all authorization 
requirements, and not just those that were modified.
    In Sec. 164.508(a), covered entities are required to obtain an 
authorization for uses and disclosures of protected health information, 
unless the use or disclosure is required or otherwise permitted by the 
Rule. Covered entities may use only authorizations that meet the 
requirements of Sec. 164.508(b), and any such use or disclosure will be 
lawful only to the extent it is consistent with the terms of such 
authorization. Thus, a voluntary consent document will not constitute a 
valid permission to use or disclose protected health information for a 
purpose that requires an authorization under the Rule.
    Although the requirements regarding uses and disclosures of 
psychotherapy notes are not changed substantively, the Department made 
minor changes to the language in paragraph (a)(2) to clarify that a 
covered entity may not use or disclose psychotherapy notes for purposes 
of another covered entity's treatment, payment, or health care 
operations without obtaining the individual's authorization. However, 
covered entities may use and disclose psychotherapy notes, without 
obtaining individual authorization, to carry out its own limited 
treatment, payment, or health care operations as follows: (1) Use by 
the originator of the notes for treatment, (2) use or disclosure for 
the covered entity's own training programs for its mental health 
professionals, students, and trainees, and (3) use or disclosure by the 
covered entity to defend itself in a legal action or other proceeding 
brought by the individual.
    Section 164.508(a)(3) requires covered entities to obtain an 
authorization to use or disclose protected health information for 
marketing purposes, with two exceptions. The authorization requirements 
for marketing and the comments received on these provisions are 
discussed in detail in section III.A.1. of the preamble.
    If the marketing involves any direct or indirect remuneration to 
the covered entity from a third party, the authorization must state 
that fact. The comments on this requirement also are discussed in 
section III.A.1. of the preamble. However, a statement concerning 
remuneration is not a required notification for other authorizations. 
Such a statement was never required for all authorizations and the 
Department believes it would be most meaningful for consumers on 
authorizations for uses and disclosures of protected health information 
for marketing purposes. Some commenters urged the Department to require 
remuneration statements on research authorizations. The Department has 
not done so because the complexity of such arrangements would make it 
difficult to define what constitutes remuneration in the research 
context. Moreover, to require covered entities to disclose remuneration 
by a third party on authorizations for research would go beyond the 
requirements imposed in the December 2000 Rule, which did not require 
such a disclosure on authorizations obtained for the research of a 
third party. The Department believes that concerns regarding financial 
conflicts of interest that arise in research are not limited to privacy 
concerns, but also are important to the objectivity of research and to 
protecting human subjects from harm. Therefore, in the near future, the 
Department plans to issue guidance for the research community on this 
important topic.
    Pursuant to Sec. 164.508(b)(1), an authorization is not valid under 
the Rule unless it contains all of the

[[Page 53221]]

required core elements and notification statements, which are discussed 
below. Covered entities may include additional, non-required elements 
so long as they are not inconsistent with the required elements and 
statements. The language regarding defective authorizations in 
Sec. 164.508(b)(2) is not changed substantively. However, some changes 
are made to conform this paragraph to modifications to other parts of 
the authorization provision, as well as other sections of the Rule. An 
authorization is not valid if it contains any of the following defects: 
(1) The expiration date has passed or the expiration event has 
occurred, and the covered entity is aware of the fact, (2) any of the 
required core elements or notification statements are omitted or 
incomplete, (3) the authorization violates the specifications regarding 
compounding or conditioning authorizations, or (4) the covered entity 
knows that material information in the authorization is false.
    In Sec. 164.508(b)(3) regarding compound authorizations, the 
requirements for authorizations for purposes other than research are 
not changed. That is, authorizations for use or disclosure of 
psychotherapy notes may be combined only with another authorization for 
the use or disclosure of psychotherapy notes. Other authorizations may 
be combined, unless a covered entity has conditioned the provision of 
treatment, payment, enrollment in a health plan, or eligibility for 
benefits on one of the authorizations. A covered entity generally may 
not combine an authorization with any other type of document, such as a 
notice of privacy practices or a written voluntary consent. However, 
there are exceptions for research authorizations, which are discussed 
in section III.E.2. of the preamble.
    Section 164.508(b)(4) prohibits the conditioning of treatment, 
payment, enrollment in a health plan, or eligibility for benefits on 
obtaining an authorization, with a few exceptions. The exceptions to 
this requirement for research-related treatment, eligibility for 
benefits and enrollment in a health plan, and health care solely for 
creating protected health information for disclosure to a third party 
are not changed. Moreover, the Department eliminates the exception to 
the prohibition on conditioning payment of a claim on obtaining an 
authorization. Although some insurers urged that this conditioning 
authority be retained to provide them with more collection options, the 
Department believes this authorization is no longer necessary because 
we are adding a new provision in Sec. 164.506 that permits covered 
entities to disclose protected health information for the payment 
purposes of another covered entity or health care provider. Therefore, 
that exception has been eliminated.
    Section 164.508(b)(5) provides individuals the right to revoke an 
authorization at any time in writing. The two exceptions to this right 
are retained, but with some modification. An individual may not revoke 
an authorization if the covered entity has acted in reliance on the 
authorization, or if the authorization was obtained as a condition of 
obtaining insurance coverage and other law gives the insurer the right 
to contest the claim or the policy itself. The Department adopts the 
proposed modification to the latter exception so that insurers can 
exercise the right to contest an insurance policy under other law. 
Public comment was generally supportive of this proposed modification.
    Section 164.508(b)(6) requires covered entities to document and 
retain authorizations as required under Sec. 164.530(j). This 
requirement is not changed.
    The different sets of implementation criteria are consolidated into 
one set of criteria under Sec. 164.508(c), thus eliminating the 
confusion and uncertainty associated with different requirements for 
specific circumstances. Covered entities may use one authorization form 
for all purposes. The Department adopts in paragraph (c)(1), the 
following core elements for a valid authorization: (1) A description of 
the information to be used or disclosed, (2) the identification of the 
persons or class of persons authorized to make the use or disclosure of 
the protected health information, (3) the identification of the persons 
or class of persons to whom the covered entity is authorized to make 
the use or disclosure, (4) a description of each purpose of the use or 
disclosure, (5) an expiration date or event, (6) the individual's 
signature and date, and (7) if signed by a personal representative, a 
description of his or her authority to act for the individual. An 
authorization that does not contain all of the core elements does not 
meet the requirements for a valid authorization. The Department intends 
for the authorization process to provide individuals with the 
opportunity to know and understand the circumstances surrounding a 
requested authorization.
    To further protect the privacy interests of individuals, when 
individuals initiate an authorization for their own purposes, the 
purpose may be stated as ``at the request of the individual.'' Other 
changes to the core elements pertain to authorizations for research, 
and are discussed in section III.E.2. of the preamble.
    Also, under Sec. 164.508(c)(2), an authorization is not valid 
unless it contains all of the following: (1) A statement that the 
individual may revoke the authorization in writing, and either a 
statement regarding the right to revoke, and instructions on how to 
exercise such right or, to the extent this information is included in 
the covered entity's notice, a reference to the notice, (2) a statement 
that treatment, payment, enrollment, or eligibility for benefits may 
not be conditioned on obtaining the authorization if such conditioning 
is prohibited by the Privacy Rule or, if conditioning is permitted, a 
statement about the consequences of refusing to sign the authorization, 
and (3) a statement about the potential for the protected health 
information to be redisclosed by the recipient. Although the 
notification statements are not included in the paragraph on core 
elements an authorization is not valid unless it contains both the 
required core elements, and all of the required statements. This is the 
minimum information the Department believes is needed to ensure 
individuals are fully informed of their rights with respect to an 
authorization and to understand the consequences of authorizing the use 
or disclosure. The required statements must be written in a manner that 
is adequate to place the individual on notice of the substance of the 
statements.
    In response to comments, the Department clarifies that the 
statement regarding the potential for redisclosure does not require an 
analysis of the risk for redisclosure, but may be a general statement 
that the health information may no longer be protected by the Privacy 
Rule once it is disclosed by the covered entity. Others objected to 
this statement because individuals might be hesitant to sign an 
authorization if they knew their protected health information could be 
redisclosed and no longer protected by the Rule. In response, the 
Department believes that individuals need to know about the 
consequences of authorizing the disclosure of their protected health 
information. As the commenter recognized, the potential for 
redisclosure may, indeed, be an important factor in an individual's 
decision to give or deny a requested authorization.
    Others suggested that the statement regarding redisclosure should 
be omitted when an authorization is obtained only for a use, since such 
a statement would be confusing and

[[Page 53222]]

inappropriate when the covered entity maintains the information. 
Similarly, some commenters were concerned that the statement may be 
misleading where the recipient of the information, although not a 
covered entity, will keep the information confidential. In response, 
the Department clarifies that, while a general statement would suffice, 
a covered entity has the discretion to provide a more definitive 
statement where appropriate. Thus, the covered entity requesting an 
authorization for its own use of protected health information may 
provide assurances that the information will remain subject to the 
Privacy Rule. Similarly, if a third party, such as a researcher, is 
seeking an authorization for research, the statement may refer to the 
privacy protections that the researcher will provide for the data.
    Under Sec. 164.508(c)(3), authorizations must be written in plain 
language so that individuals can understand the information contained 
in the form, and thus be able to make an informed decision about 
whether to give the authorization. A few commenters urged the 
Department to keep the plain language requirement as a core element of 
a valid authorization. Under the December 2000 Rule, the plain language 
requirement was not a requisite for a valid authorization. 
Nevertheless, under both the December 2000 Rule and the final 
modifications, authorizations must be written in plain language. The 
fact that the plain language requirement is not a core element does not 
diminish its importance or effect, and the failure to meet this 
requirement is a violation of the Rule.
    Finally, under Sec. 164.508(c)(4), covered entities who seek an 
authorization are required to provide the individual with a copy of the 
signed authorization form.

Response to Other Public Comments

    Comment: A number of commenters specifically expressed support of 
the proposed authorization requirement for marketing, and urged the 
Department to adopt the requirement. However, one commenter claimed 
that requiring authorizations for marketing would reduce hospitals' 
ability to market their programs and services effectively in order to 
compete in the marketplace, and that obtaining, storing, and 
maintaining marketing authorizations would be too burdensome.
    Response: In light of the support in the comments, the Department 
has adopted the proposed requirement for an authorization before a 
covered entity may use or disclose protected health information for 
marketing. However, the commenter is mistaken that this requirement 
will interfere with a hospital's ability to promote its own program and 
services within the community. First, such broad-based marketing is 
likely taking place without resort to protected health information, 
through dissemination of information about the hospital through 
community-wide mailing lists. Second, under the Privacy Rule, a 
communication is not marketing if a covered entity is describing its 
own products and services. Therefore, nothing in the Rule will inhibit 
a hospital from competing in the marketplace by communicating about its 
programs and services.
    Comment: One commenter suggested that authorizations for marketing 
should clearly indicate that they are comprehensive and may contain 
sensitive protected health information.
    Response: The Department treats all individually identifiable 
health information as sensitive and equally deserving of protections 
under the Privacy Rule. The Rule requires all authorizations to contain 
the specified core elements to ensure individuals are given the 
information they need to make an informed decision. One of the core 
elements for all authorizations is a clear description of the 
information that is authorized to be used or disclosed in specific and 
meaningful terms. The authorization process provides the individual 
with the opportunity to ask questions, negotiate how their information 
will be used and disclosed, and ultimately to control whether these 
uses and disclosures will be made.
    Comment: Several commenters urged the Department to retain the 
existing structure of the implementation specifications, whereby the 
notification statements about the individual's right to revoke and the 
potential for redisclosure are ``core elements.'' It was argued that 
this information is essential to an informed decision. One of the 
commenters claimed that moving them out of the core elements and only 
requiring a statement adequate to put the person on notice of the 
information would increase uncertainty, and that these two elements are 
too important to risk inadequate explanation.
    Response: The Department agrees that the required notification 
statements are essential information that a person needs in order to 
make an informed decision about authorizing the use or disclosure of 
protected health information. Individuals need to know what rights they 
have with respect to an authorization, and how they can exercise those 
rights. However, separating the core elements and notification 
statements into two different subparagraphs does not diminish the 
importance or effect of the notification statements. The Department 
clarifies that both the core elements and the notification statements 
are required, and both must be included for an authorization to be 
valid.
    Comment: Several commenters urged the Department to eliminate 
unnecessary authorization contents. They argued the test should be 
whether the person needs the information to protect his or her privacy, 
and cited the disclosure of remuneration by a third party as an example 
of unnecessary content, alleging that the disclosure of remuneration is 
not relevant to protecting privacy. One commenter suggested that 
covered entities should be given the flexibility to decide which 
contents are applicable in a given situation.
    Response: The Department believes the core elements are all 
essential information. Individuals need to know this information to 
make an informed decision about giving the authorization to use or 
disclose their protected health information. Therefore, the Department 
believes all of the core elements are necessary content in all 
situations. The Department does not agree that the remuneration 
statement required on an authorization for uses and disclosures of an 
individual's protected health information for marketing purposes is not 
relevant to protecting privacy. Individuals exercise control over the 
privacy of their protected health information by either giving or 
denying an authorization, and remuneration from a third party to the 
covered entity for obtaining an authorization for marketing is an 
important factor in making that choice.
    Comment: One commenter suggested that covered entities should not 
be required to state on an authorization a person's authority to act on 
an individual's behalf, and they should be trusted to require such 
identification or proof of legal authority when the authorization is 
signed. The commenter stated that this requirement only increases 
administrative burden for covered entities.
    Response: The Department does not agree. The authorization 
requirement is intended to give individuals some control over uses and 
disclosures of protected health information that are not otherwise 
permitted or required by the Rule. Therefore, the Rule requires that 
covered entities verify and document a person's authority to sign an 
authorization on an individual's behalf, since that person is 
exercising the individual's control of the information. Furthermore, 
the Department understands that it is a

[[Page 53223]]

current industry standard to verify and document a person's authority 
to sign any legal permission on another person's behalf. Thus, the 
requirement should not result in any undue administrative burden for 
covered entities.
    Comment: One commenter suggested that the Department should require 
authorizations to include a complete list of entities that will use and 
share the information, and that the individual should be notified 
periodically of any changes to the list so that the individual can 
provide written authorization for the changes.
    Response: It may not always be feasible or practical for covered 
entities to include a comprehensive list of persons authorized to use 
and share the information disclosed pursuant to an authorization. 
However, individuals may discuss this option with covered entities, and 
they may refuse to sign an authorization that does not meet their 
expectations. Also, subject to certain limitations, individuals may 
revoke an authorization at any time.
    Comment: One commenter asked for clarification that a health plan 
may not condition a provider's participation in the health plan on 
seeking authorization for the disclosure of psychotherapy notes, 
arguing that this practice would coerce providers to request, and 
patients to provide, an authorization to disclose psychotherapy notes.
    Response: The Privacy Rule does not permit a health plan to 
condition enrollment, eligibility for benefits, or payment of a claim 
on obtaining the individual's authorization to use or disclose 
psychotherapy notes. Nor may a health care provider condition treatment 
on an authorization for the use or disclosure of psychotherapy notes. 
In a situation such as the one described by the commenter, the 
Department would look closely at whether the health plan was attempting 
to accomplish indirectly that which the Rule prohibits. These 
prohibitions are to ensure that the individual's permission is wholly 
voluntary and informed with regard to such an authorization. To meet 
these standards, in the circumstances set forth in the comment, the 
Department would expect the provider subject to such a requirement by 
the health plan to explain to the individual in very clear terms that, 
while the provider is required to ask, the individual remains free to 
refuse to authorize the disclosure and that such refusal will have no 
effect on either the provision of treatment or the individual's 
coverage under, and payment of claims by, the health plan.
    Comment: A few commenters suggested the Department should allow 
covered entities to combine an authorization with other documents, such 
as the notice acknowledgment, claiming it would reduce administrative 
burden and paperwork, as well as reduce patient confusion and waiting 
times, without compromising privacy protections.
    Response: The Department disagrees that combining an authorization 
with other documents, such as the notice acknowledgment, would be less 
confusing for individuals. To the contrary, the Department believes 
that combining unrelated documents would be more confusing. However, 
the Rule does permit an authorization to be combined with other 
authorizations so long as the provision of treatment, payment, 
enrollment in a health plan or eligibility for benefits is not 
conditioned on obtaining any of the authorizations, and the 
authorization is not for the use or disclosure of psychotherapy notes.
    Also, authorizations must contain the same information, whether it 
is a separate document or combined with another document; and the 
individual must be given the opportunity to read and discuss that 
information. Combining an authorization with routine paperwork 
diminishes individuals' ability to make a considered and informed 
judgment to permit the use or disclosure of their medical information 
for some other purpose.
    Comment: One commenter stated that the requirement for covered 
entities to use only authorizations that are valid under the Rule must 
be an unintended result of the Rule, because covered entities would 
have to use only valid authorizations when requesting information from 
non-covered entities. The commenter did not believe the Department 
intended this requirement to apply with respect to non-covered 
entities, and gave the example of dental health plans obtaining 
protected health information in connection with paper claims submitted 
by dental offices. The commenter requested clarification that health 
plans may continue to use authorization forms currently in use for all 
claims submitted by non-covered entities.
    Response: The commenter misapprehends the Rule's requirements. The 
requirements apply to uses and disclosure of protected health 
information by covered entities. In the example provided, where a 
health plan is requesting additional information in support of a claim 
for payment by a non-covered health care provider, the health plan is 
not required to use an authorization. The plan does not need the 
individual's authorization to use protected health information for 
payment purposes, and the non-covered health care provider is not 
subject to any of the Rule's requirements. Therefore, the exchange of 
information may occur as it does today. The Department notes that, 
based on the modifications regarding consent adopted in this 
rulemaking, neither a consent nor an authorization would be required in 
this example even if the health care provider was also a covered 
entity.
    Comment: Several commenters urged the Department to add a 
transition provision to permit hospitals to use protected health 
information in already existing databases for marketing and outreach to 
the communities they serve. Commenters claimed that these databases are 
important assets that would take many years to rebuild, and hospitals 
may not have an already existing authorization or other express legal 
permission for such use of the information. They contended that, 
without a transition provision, these databases would become useless 
under the Rule. Commenters suggested the Department should adopt an 
``opt out'' provision that would allow continued use of these databases 
to initially communicate with the persons listed in the database; at 
that time, they could obtain authorization for future communications, 
thus providing a smooth transition.
    Response: Covered entities are provided a two-year period in which 
to come into compliance with the Privacy Rule. One of the purposes of 
the compliance period is to allow covered entities sufficient time to 
undertake actions such as those described in the comment (obtaining the 
legal permissions that would permit databases to continue to operate 
after the compliance date). An additional transition period for these 
activities has not been justified by the commenters. However, the 
Department notes that a covered entity is permitted to use the 
information in a database for communications that are either excepted 
from or that do not meet the definition of ``marketing'' in 
Sec. 164.501, without individual authorization. For example, a hospital 
may use protected health information in an existing database to 
distribute information about the services it provides, or to distribute 
a newsletter with general health or wellness information that does not 
promote a particular product or service.

[[Page 53224]]

2. Research Authorizations
    December 2000 Privacy Rule. The Privacy Rule requires covered 
entities to obtain an individual's voluntary and informed authorization 
before using or disclosing protected health information for any purpose 
that is not otherwise permitted or required under the Rule. Uses and 
disclosures of protected health information for research purposes are 
subject to the same authorization requirements as uses and disclosures 
for other purposes. However, for research that includes treatment of 
the individual, the December 2000 Privacy Rule prescribed special 
authorization requirements at Sec. 164.508(f). The December 2000 
Privacy Rule, at Sec. 164.508(b)(5), also permitted individuals to 
revoke their authorization at any time, with limited exceptions. 
Further, the December 2000 Privacy Rule prohibited the combining of the 
authorization for the use or disclosure of existing protected health 
information with any other legal permission related to the research 
study.
    March 2002 NPRM. Several of those who commented on the December 
2000 Privacy Rule argued that certain authorization requirements in 
Sec. 164.508 were unduly complex and burdensome as applied to research 
uses and disclosures. In particular, several commenters favored 
eliminating the Rule's specific provisions at Sec. 164.508(f) for 
authorizations for uses and disclosures of protected health information 
for research that includes treatment of the individual. The Department 
also heard from several provider groups who argued in favor of 
permitting covered entities to combine all of the research 
authorizations required by the Privacy Rule with the informed consent 
to participate in the research. Commenters also noted that the Rule's 
requirement for an ``expiration date or event that relates to the 
individual or the purpose of the use or disclosure'' runs counter to 
the needs of research databases and repositories that are often 
retained indefinitely.
    In response to these concerns, the Department proposed to a number 
of modifications to simplify the authorization requirements both 
generally, and in certain circumstances, as they specifically applied 
to uses and disclosures of protected health information for research. 
In particular, the Department proposed a single set of authorization 
requirements for all uses and disclosures, including those for research 
purposes. This proposal would eliminate the additional authorization 
requirements for the use and disclosure of protected health information 
created for research that includes treatment of the individual. 
Consistent with this proposed change, the Department further proposed 
to modify the requirements prohibiting the conditioning of 
authorizations at Sec. 164.508(b)(4)(i) to remove the reference to 
Sec. 164.508(f).
    In addition, the Department proposed that the Privacy Rule permit 
an authorization for the use or disclosure of protected health 
information to be combined with any other legal permission related to 
the research study, including another authorization or consent to 
participate in the research.
    Finally, the Department proposed to provide explicitly that the 
statement, ``end of a research study,'' or similar language be 
sufficient to meet the requirement for an expiration date in 
Sec. 164.508(c)(1)(v). Additionally, the Department proposed that the 
statement ``none'' or similar language be sufficient to meet this 
provision if the authorization was for a covered entity to use or 
disclose protected health information for the creation or maintenance 
of a research database or repository.
    Overview of Public Comments. The following discussion provides an 
overview of the public comment received on this proposal. Additional 
comments received on this issue are discussed below in the section 
entitled, ``Response to Other Public Comments.''
    The vast majority of commenters were very supportive of the 
proposed revisions to the Rule's provisions for research 
authorizations. However, the Department did hear from several 
commenters that the Privacy Rule's requirement for an expiration date 
or event should be eliminated for all research uses and disclosures of 
protected health information, not just for uses and disclosures for the 
creation or maintenance of a research database or repository, as was 
proposed in the NPRM. These commenters were concerned that the Privacy 
Rule would prohibit important uses and disclosures of protected health 
information after the termination of a research project, such as the 
reporting of research results to the Food and Drug Administration (FDA) 
for an FDA investigational new drug application, unless the covered 
entity obtained another patient authorization. In addition, several of 
these commenters cited confusion in defining repositories and 
databases. Some of these commenters stated that an individual who 
authorizes information to be used for an indeterminate time most likely 
expects and intends for the information to be used and disclosed if 
needed well into the future, regardless of whether or not the research 
involves the use or disclosure of protected health information for the 
creation or maintenance of a database or repository.
    Several commenters responded to the Department's request for 
comments on how to appropriately limit uses and disclosures following 
revocation of an authorization, while preserving the integrity of the 
research. The NPRM attempted to clarify that ``even though a revocation 
will prevent a covered entity from further disclosing protected health 
information for research purposes, the exception to this requirement is 
intended to allow for certain continued uses of information as 
appropriate to preserve the integrity of the research study.'' However, 
the NPRM further stated that ``if covered entities were permitted to 
continue using or disclosing protected health information for the 
research project even after an individual had revoked his or her 
authorization, this would undermine the primary objective of the 
authorization requirements to be a voluntary, informed choice of the 
individual.'' Several commenters were concerned and confused by the 
NPRM's statements. In particular, the Department received comments 
urging that the regulation permit covered entities to use and disclose 
research data already obtained, even after an individual has withdrawn 
his or her authorization. These commenters suggested that once a 
subject has authorized the use and disclosure of protected health 
information for research and the covered entity has relied on the 
authorization, the covered entity must retain the ability to use or 
disclose the subject's pre-withdrawal information for purposes 
consistent with the overall research. One commenter argued that it 
would be inadequate for the reliance exception at Sec. 164.508(b)(5) to 
be interpreted to permit continued uses of the individual's information 
as appropriate only to account for an individual's withdrawal from the 
study. In this commenter's opinion, most research would call for the 
continued use of protected health information obtained prior to an 
individual's revocation of their authorization to safeguard statistical 
validity and truly to preserve the integrity of human research.
    Final Modifications. The Department agrees with the commenters that 
supported the NPRM's proposed simplification of authorizations for 
research uses and disclosures of protected health information and, 
therefore, adopts the modifications to these provisions as proposed in 
the NPRM. The final Rule requires a single

[[Page 53225]]

set of authorization requirements for all uses and disclosures, 
including those for research purposes, and permits an authorization for 
the use or disclosure of protected health information to be combined 
with any other legal permission related to the research study, 
including another authorization or consent to participate in the 
research.
    In addition, in response to commenters' concerns that the Rule 
would prohibit important uses and disclosures of protected health 
information after the termination of a research project, the final Rule 
eliminates the requirement for an expiration date for all uses and 
disclosures of protected health information for research purposes, not 
only for the creation and maintenance of a research database or 
repository. The Department agrees that the line between research 
repositories and databases in particular, and research data collection 
in general, is sometimes arbitrary and unclear. If the authorization 
for research uses and disclosures of protected health information does 
not have an expiration date, the final Rule at Sec. 164.508(c)(1)(v), 
requires that this fact be stated on the authorization form. Patients 
continue to control whether protected health information about them may 
be used or disclosed for research, since the authorization must include 
an expiration date or event, or a statement that the authorization will 
have no expiration date. In addition, patients will be permitted to 
revoke their authorization at any time during the research project, 
except as specified under Sec. 164.508(b)(5). However, the Department 
notes that researchers may choose to include, and covered entities may 
choose to require, an expiration date when appropriate.
    Although the final Rule does not modify the revocation provision at 
Sec. 164.508(b)(5), in response to commenters' concerns, the Department 
clarifies that this provision permits covered entities to continue 
using and disclosing protected health information that was obtained 
prior to the time the individual revoked his or her authorization, as 
necessary to maintain the integrity of the research study. An 
individual may not revoke an authorization to the extent the covered 
entity has acted in reliance on the authorization. For research uses 
and disclosures, this reliance exception at Sec. 164.508(b)(5)(i) 
permits the continued use and disclosure of protected health 
information already obtained pursuant to a valid authorization to the 
extent necessary to preserve the integrity of the research study. For 
example, the reliance exception would permit the continued use and 
disclosure of protected health information to account for a subject's 
withdrawal from the research study, as necessary to incorporate the 
information as part of a marketing application submitted to the FDA, to 
conduct investigations of scientific misconduct, or to report adverse 
events. However, the reliance exception would not permit a covered 
entity to continue disclosing additional protected health information 
to a researcher or to use for its own research purposes information not 
already gathered at the time an individual withdraws his or her 
authorization. The Department believes that this clarification of the 
Rule will minimize the negative effects on research caused by 
participant withdrawal and will allow for important continued uses and 
disclosures to occur, while maintaining privacy protections for 
research subjects.

Response to Other Public Comments

    Comment: In opposition to the March 2002 NPRM, one commenter 
suggested prohibiting the combining of authorization forms with an 
informed consent when the covered entity disclosing the protected 
health information is not otherwise participating in research. The 
commenter argued that the NPRM would allow covered entities to receive 
more information than necessary to fulfill a patient's authorization 
request, such as information about the particular type or purpose of 
the study itself, and could, thereby, violate the patient's privacy.
    Response: The Department acknowledges the concern raised by these 
commenters; however, prohibiting the combination of authorization forms 
with an informed consent reduces the flexibility proposed in the March 
2002 NPRM. Since the final modifications permit--but do not require--
such combining of forms, the Department has decided to leave it to the 
discretion of researchers or the IRBs to determine whether the 
combining of authorization forms and consent forms for research would 
be appropriate for a particular research study.
    Comment: Some commenters supported retaining the December 2000 
Privacy Rule requirement that a description of the extent to which 
protected health information will be used or disclosed for treatment, 
payment, or health care operations be included in an authorization to 
use or disclose protected health information for a research study that 
includes treatment of individuals. These commenters argued that an 
individual's ability to make informed decisions requires that he or she 
know how research information will and will not be used and disclosed.
    Response: The Department agrees with the majority of the commenters 
who were in support of the March 2002 NPRM proposal to eliminate the 
additional authorization requirements for research that includes 
treatment, and has adopted these proposed modifications in the final 
Rule. Retaining the distinction between research that involves 
treatment and research that does not would require overly subjective 
decisions without providing commensurate privacy protections for 
individuals. However, the Department notes that it may sometimes be 
advisable for authorization forms to include a statement regarding how 
protected health information obtained for a research study will be used 
and disclosed for treatment, payment, and health care operations, if 
such information would assist individuals in making informed decisions 
about whether or not to provide their authorization for a research 
study.
    Comment: One commenter argued that expiration dates should be 
included on authorizations and that extensions should be required for 
all research uses and disclosures made after the expiration date or 
event has passed.
    Response: The Department disagrees. We have determined that an 
expiration date or event would not always be feasible or desirable for 
some research uses and disclosures of protected health information. By 
allowing for no expiration date, the final Rule permits without 
separate patient authorization important disclosures even after the 
``termination of the research project'' that might otherwise be 
prohibited. However, the final Rule contains the requirement that the 
patient authorization specify if the authorization would not have an 
expiration date or event. Therefore, patients will have this 
information to make an informed decision about whether to sign the 
authorization.
    Comment: Another commenter suggested permitting covered entities/
researchers to continue using or disclosing protected health 
information even after a revocation of the initial authorization but 
only if an IRB or Privacy Board approved the continuation. This 
commenter argued that such review by an IRB or Privacy Board would 
protect privacy, while permitting continued uses and disclosures of 
protected health information for important purposes.

[[Page 53226]]

    Response: As stated above, the Department agrees that it may 
sometimes be necessary to continue using and disclosing protected 
health information even after an individual has revoked his or her 
authorization in order to preserve the integrity of a research study. 
Therefore, the Department has clarified that the reliance exception at 
Sec. 164.508(b)(5)(i) would permit the continued use and disclosure of 
protected health information already obtained pursuant to a valid 
authorization to the extent necessary to preserve the integrity of the 
research study. A requirement for documentation of IRB or Privacy Board 
review and approval of the continued use or disclosure of protected 
health information after an individual's authorization had been revoked 
could protect patient privacy. However, the Department believes that 
the additional burden on the IRB or Privacy Board could be substantial, 
and is not warranted at this time.
    Comment: A commenter requested clarification that the ``reliance 
exception'' does not permit covered entities as researchers to continue 
analyzing data once an individual has revoked his or her authorization.
    Response: As discussed above, the Department disagrees with this 
comment. Patient privacy must be balanced against other public goods, 
such as research and the risk of compromising such research projects if 
researchers could not continue to use such data. The Department 
determined that permitting continued uses and disclosures of protected 
health information already obtained to protect the integrity of 
research, even after an individual's authorization has been revoked, 
would pose minimal privacy risk to individuals without compromising 
research.
    Comment: Several commenters suggested permitting the proposed 
authorization requirement for a ``description of each purpose of the 
requested use or disclosure'' at Sec. 164.508 to be sufficiently broad 
to encompass future unspecified research. These commenters argued that 
this option would reduce the burden for covered entities and 
researchers by permitting covered entities to use or disclose protected 
health information for re-analysis without having to obtain an 
additional authorization from the individual. Some discussed the 
possibility that burden for patients would also be reduced because they 
would not have to provide additional authorizations. These commenters 
also argued that such a provision would more directly align the Rule 
with the Common Rule, which permits broad informed consent for 
secondary studies if the IRB deems the original informed consent to be 
adequate.
    Response: The Department disagrees with broadening the required 
``description of the purpose of the use or disclosure'' because of the 
concern that patients would lack necessary information to make an 
informed decision. In addition, unlike the Common Rule, the Privacy 
Rule does not require IRB or Privacy Board review of research uses and 
disclosures made with individual authorization. Therefore, instead of 
IRBs or Privacy Boards reviewing the adequacy of existing patient 
authorizations, covered entities would be left to decide whether or not 
the initial authorization was broad enough to cover subsequent research 
analyses. Furthermore, it should be noted that patient authorization 
would not be required for such re-analysis if, with respect to the re-
analysis, the covered entity obtains IRB or Privacy Board waiver of 
such authorization as required by Sec. 164.512(i). For these reasons, 
the Department has decided to retain the requirement that each purpose 
of the requested use or disclosure described in the authorization form 
be research study specific. However, the Department understands that, 
in the past, some express legal permissions and informed consents have 
not been study-specific and sometimes authorize the use or disclosure 
of information for future unspecified research. Furthermore, some IRB-
approved waivers of informed consent have been for future unspecified 
research. Therefore, the final Rule at Sec. 164.532 permits covered 
entities to rely on an express legal permission, informed consent, or 
IRB-approved waiver of informed consent for future unspecified 
research, provided the legal permission, informed consent or IRB-
approved waiver was obtained prior to the compliance date.
    Comment: Several commenters suggested retaining the authorization 
element requiring a statement regarding ``the potential for information 
disclosed pursuant to the authorization to be subject to redisclosure 
by the recipient and no longer protected by this Rule'' but with one 
addition. This addition would state that ``researchers could only use 
or disclose the protected health information for purposes approved by 
the IRB or as required by law or regulation.'' These commenters argued 
that this would be clearer to participants and would prevent the 
misconception that their information would not be protected by any 
confidentiality standards.
    Response: The Department recognizes the concern of the commenters 
seeking to supplement the requirement, but points out that, although 
the final Rule will not require this addition, it is permissible to 
include such a statement in the authorization. In addition, since the 
Privacy Rule does not require IRB or Privacy Board review of research 
uses and disclosures made with patient authorization, the Department 
determined that adding the commenters' suggestion to the final Rule 
would be inappropriate. Section III.E.1. above provides further 
discussion of this provision.

F. Section 164.512--Uses and Disclosures for Which Authorization or 
Opportunity To Agree or Object Is Not Required

1. Uses and Disclosures Regarding FDA-Regulated Products and Activities
    December 2000 Privacy Rule. The Privacy Rule permits covered 
entities to disclose protected health information without consent or 
authorization for public health purposes. Generally, these disclosures 
may be made to public health authorities, as well as to contractors and 
agents of public health authorities. However, in recognition of the 
essential role of drug and medical device manufacturers and other 
private persons in carrying out the Food and Drug Administration's 
(FDA) public health mission, the December 2000 Privacy Rule permitted 
covered entities to make such disclosures to a person who is subject to 
the jurisdiction of the FDA, but only for the following specified 
purposes: (1) To report adverse events, defects or problems, or 
biological product deviations with respect to products regulated by the 
FDA (if the disclosure is made to the person required or directed to 
report such information to the FDA); (2) to track products (if the 
disclosure is made to the person required or directed to report such 
information to the FDA); (3) for product recalls, repairs, or 
replacement; and (4) for conducting post-marketing surveillance to 
comply with FDA requirements or at the direction of the FDA.
    March 2002 NPRM. The Department heard a number of concerns about 
the scope of the disclosures permitted for FDA-regulated products and 
activities and the failure of the Privacy Rule to reflect the breadth 
of the public health activities currently conducted by private sector 
entities subject to the jurisdiction of the FDA on a voluntary basis. 
These commenters claimed the Rule would constrain important public 
health surveillance and reporting activities by

[[Page 53227]]

impeding the flow of needed information to those subject to the 
jurisdiction of the FDA. For instance, there were concerns that the 
Rule would have a chilling effect on current voluntary reporting 
practices. The FDA gets the vast majority of information concerning 
problems with FDA-regulated products, including drugs, medical devices, 
biological products, and food indirectly through voluntary reports made 
by health care providers to the manufacturers. These reports are 
critically important to public health and safety. The December 2000 
Rule permitted such disclosures only when made to a person ``required 
or directed'' to report the information to the FDA or to track the 
product. The manufacturer may or may not be required to report such 
problems to the FDA, and the covered entities who make these reports 
are not in a position to know whether the recipient of the information 
is so obligated. Consequently, many feared that this uncertainty would 
cause covered entities to discontinue their practices of voluntary 
reporting of adverse events related to FDA-regulated products or 
entities.
    Some covered entities also expressed fears of the risk of liability 
should they inadvertently report the information to a person who is not 
subject to the jurisdiction of the FDA or to the wrong manufacturer. 
Hence, they urged the Department to provide a ``good-faith'' safe 
harbor to protect covered entities from enforcement actions arising 
from unintentional violations of the Privacy Rule.
    A number of commenters, including some subject to the jurisdiction 
of the FDA, suggested that it is not necessary to disclose identifiable 
health information for some or all of these public health purposes, 
that identifiable health information is not reported to the FDA, and 
that information without direct identifiers (such as name, mailing 
address, phone number, social security number, and email address) is 
sufficient for post-marketing surveillance purposes.
    The Rule is not intended to discourage or prevent adverse event 
reporting or otherwise disrupt the flow of essential information that 
the FDA and persons subject to the jurisdiction of the FDA need in 
order to carry out their important public health activities. Therefore, 
the Department proposed some modifications to the Rule to address these 
issues in the NPRM. Specifically, the Department proposed to remove 
from Secs. 164.512(b)(1)(iii)(A) and (B) the phrase ``if the disclosure 
is made to a person required or directed to report such information to 
the Food and Drug Administration'' and to remove from subparagraph (D) 
the phrase ``to comply with requirements or at the direction of the 
Food and Drug Administration.'' In lieu of this language, the 
Department proposed to describe at the outset the public health 
purposes for which disclosures may be made. The proposed language read: 
``A person subject to the jurisdiction of the Food and Drug 
Administration (FDA) with respect to an FDA-regulated product or 
activity for which that person has responsibility, for the purpose of 
activities related to the quality, safety or effectiveness of such FDA-
regulated product or activity.''
    The proposal retained the specific activities identified in 
paragraphs (A), (B), (C), and (D) as examples of common FDA purposes 
for which disclosures would be permitted, but eliminated the language 
that would have made this listing the only activities for which such 
disclosures would be allowed. These activities include reporting of 
adverse events and other product defects, the tracking of FDA-regulated 
products, enabling product recalls, repairs, or replacement, and 
conducting post-marketing surveillance. Additionally, the Department 
proposed to include ``lookback'' activities in paragraph (C), which are 
necessary for tracking blood and plasma products, as well as 
quarantining tainted blood or plasma and notifying recipients of such 
tainted products.
    In addition to these specific changes, the Department solicited 
comments on whether a limited data set should be required or permitted 
for some or all public health purposes, or if a special rule should be 
developed for public health reporting. The Department also requested 
comments as to whether the proposed modifications would be sufficient, 
or if additional measures, such as a good-faith safe harbor, would be 
needed for covered entities to continue to report vital information 
concerning FDA-regulated products or activities on a voluntary basis.
    Overview of Public Comments. The following discussion provides an 
overview of the public comment received on this proposal. Additional 
comments received on this issue are discussed below in the section 
entitled, ``Response to Other Public Comments.''
    The proposed changes received wide support. The overwhelming 
majority of commenters urged the Department to adopt the proposed 
changes, claiming it would reduce the chilling effect that the Rule 
would otherwise have on current voluntary reporting practices, which 
are an important means of identifying adverse events, defects, and 
other problems regarding FDA-regulated products. Several commenters 
further urged the Department to provide a good-faith safe harbor to 
allay providers' fears of inadvertently violating the Rule, stating 
that covered entities would otherwise be reluctant to risk liability to 
make these important public health disclosures.
    A few commenters opposed the proposed changes, expressing concern 
that the scope of the proposal was too broad. They were particularly 
concerned that including activities related to ``quality'' or 
``effectiveness'' would create a loophole for manufacturers to obtain 
and use protected health information for purposes the average person 
would consider unrelated to public health or safety, such as using 
information to market products to individuals. Some of these commenters 
said the Department should retain the exclusive list of purposes and 
activities for which such disclosures may be made, and some urged the 
Department to retain the ``required or directed'' language, as it 
creates an essential nexus to a government authority or requirement. It 
was also suggested that the chilling effect on reporting of adverse 
events could be counteracted by a more targeted approach. Commenters 
were also concerned that the proposal would permit disclosure of much 
more protected health information to non-covered entities that are not 
obligated by the Rule to protect the privacy of the information. 
Comments regarding use of a limited data set for public health 
disclosures are discussed in section III.G.1. of the preamble.
    Final Modifications. In the final modifications, the Department 
adopts the language proposed in the NPRM. Section 164.512(b)(1)(iii), 
as modified, permits covered entities to disclose protected health 
information, without authorization, to a person subject to the 
jurisdiction of the FDA with respect to an FDA-regulated product or 
activity for which that person has responsibility, for the purpose of 
activities related to the quality, safety, or effectiveness of such 
FDA-regulated product or activity. Such purposes include, but are not 
limited to, the following activities and purposes listed in 
subparagraphs (A) through (D): (1) To collect or report adverse events 
(or similar activities regarding food or dietary supplements), product 
defects or problems (including problems with the use or labeling of a 
product), or biological product deviations, (2) to track FDA-regulated 
products, (3) to enable product recalls, repairs, or replacement, or 
for lookback (including locating and notifying persons who have

[[Page 53228]]

received products that have been withdrawn, recalled, or are the 
subject of lookback), and (4) to conduct post-marketing surveillance.
    The Department believes these modifications are necessary to remove 
barriers that could prevent or chill the continued flow of vital 
information between health care providers and manufacturers of food, 
drugs, medical and other devices, and biological products. Health care 
providers have been making these disclosures to manufacturers for many 
years, and commenters opposed to the proposal did not cite any examples 
of abuses of information disclosed for such purposes. Furthermore, both 
the individuals who are the subjects of the information and the general 
public benefit from these disclosures, which are an important means of 
identifying and dealing with FDA-regulated products on the market that 
potentially pose a health or safety threat. For example, FDA learns a 
great deal about the safety of a drug after it is marketed as a result 
of voluntary adverse event reports made by covered entities to the 
product's manufacturer. The manufacturer is required to submit these 
safety reports to FDA, which uses the information to help make the 
product safer by, among other things, adding warnings or changing the 
product's directions for use. The modifications provide the necessary 
assurances to covered entities that such voluntary reporting may 
continue.
    Although the list of permissible disclosures is no longer 
exclusive, the Department disagrees with commenters that asserted the 
modifications permit virtually unlimited disclosures for FDA purposes. 
As modified, such disclosures must still be made to a person subject to 
the jurisdiction of the FDA. The disclosure also must relate to FDA-
regulated products or activities for which the person using or 
receiving the information has responsibility, and be made only for 
activities related to the safety, effectiveness, or quality of such 
FDA-regulated product or activity. These terms are terms of art with 
commonly accepted and understood meanings in the FDA context, meanings 
of which providers making such reports are aware. This limits the 
possibility that FDA-regulated manufacturers and entities will able to 
abuse this provision to obtain information to which they would 
otherwise not be entitled.
    Moreover, Sec. 164.512(b)(1) specifically limits permissible 
disclosures to those made for public health activities and purposes. 
While a disclosure related to the safety, quality or effectiveness of 
an FDA-regulated product is a permissible disclosure, the disclosure 
also must be for a ``public health'' activity or purpose. For example, 
it is not permissible under Sec. 164.512(b)(1)(iii) for a covered 
entity to disclose protected health information to a manufacturer to 
allow the manufacturer to evaluate the effectiveness of a marketing 
campaign for a prescription drug. In this example, although the 
disclosure may be related to the effectiveness of an FDA-regulated 
activity (the advertising of a prescription drug), the disclosure is 
made for the commercial purposes of the manufacturer rather than for a 
public health purpose.
    A disclosure related to a ``quality'' defect of an FDA-regulated 
product is also permitted. For instance, the public health exception 
permits a covered entity to contact the manufacturer of a product to 
report drug packaging quality defects. However, this section does not 
permit all possible reports from a covered entity to a person subject 
to FDA jurisdiction about product quality. It would not be permissible 
for a provider to furnish a manufacturer with a list of patients who 
prefer a different flavored cough syrup over the flavor of the 
manufacturer's product. Such a disclosure generally would not be for a 
public health purpose. However, a disclosure related to the flavor of a 
product would be permitted under this section if the covered entity 
believed that a difference in the product's flavor indicated, for 
example, a possible manufacturing problem or suggested that the product 
had been tampered with in a way that could affect the product's safety.
    The Department clarifies that the types of disclosures that covered 
entities are permitted to make to persons subject to FDA jurisdiction 
are those of the type that have been traditionally made over the years. 
These reports include, but are not limited to, those made for the 
purposes identified in paragraphs (A)-(D) of Sec. 164.512(b)(1)(iii) of 
this final Rule.
    Also, the minimum necessary standard applies to public health 
disclosures, including those made to persons subject to the 
jurisdiction of the FDA. There are many instances where a report about 
the quality, safety, or effectiveness of an FDA-regulated product can 
be made without disclosing protected health information. Such may be 
the case with many adverse drug events where it is important to know 
what happened but it may not be important to know to whom. However, in 
other circumstances, such as device tracking or blood lookback, it is 
essential for the manufacturer to have identifying patient information 
in order to carry out its responsibilities under the Food, Drug, and 
Cosmetic Act. Therefore, identifiable health information can be 
disclosed for these purposes, consistent with the minimum necessary 
standard.
    As the Department stated in the preamble of the NPRM, ``a person'' 
subject to the jurisdiction of the FDA does not mean that the 
disclosure must be made to a specific individual. The Food, Drug, and 
Cosmetic Act defines ``person'' to include an individual, partnership, 
corporation, and association. Therefore, covered entities may continue 
to disclose protected health information to the companies subject to 
FDA's jurisdiction that have responsibility for the product or 
activity. Covered entities may identify responsible companies by using 
information obtained from product labels or product labeling (written 
material about the product that accompanies the product) including 
sources of labeling, such as the Physician's Desk Reference.
    The Department believes these modifications effectively balance the 
privacy interests of individuals with the interests of public health 
and safety. Since the vast majority of commenters were silent on the 
question of the potential need for a ``good faith'' exception, the 
Department believes that these modifications will be sufficient to 
preserve the current public health activities of persons subject to the 
jurisdiction of the FDA, without such a safe harbor. However, the 
Department will continue to evaluate the effect of the Rule to 
determine whether there is need for further modifications or guidance.

Response to Other Public Comments

    Comment: A few commenters urged the Department to include foreign 
public health authorities in the Rule's definition of ``public health 
authority.'' These commenters claimed that medical products are often 
distributed in multiple countries, and the associated public health 
issues are experienced globally. They further claimed that requiring 
covered entities to obtain the permission of a United States-based 
public health authority before disclosing protected health information 
to a foreign government public health authority will impede important 
communications.
    Response: The Department notes that covered entities are permitted 
to disclose protected health information for public health purposes, at 
the direction of a public health authority, to an official of a foreign 
government agency that is acting in collaboration with a public health 
authority. The

[[Page 53229]]

Department does not have sufficient information at this time as to any 
potential impacts or workability issues that could arise from this 
language and, therefore, does not modify the Rule in this regard.
    Comment: Some commenters, who opposed the proposal as a weakening 
of the Privacy Rule, suggested that the Department implement a more 
targeted approach to address only those issues raised in the preamble 
to the NPRM, such as voluntary adverse event reporting activities, 
rather than broadening the provision generally.
    Response: The NPRM was intended to address a number of issues in 
addition to the concern that the December 2000 Privacy Rule would chill 
reporting of adverse events to entities from whom the FDA receives much 
of its adverse event information. For instance, the text of the 
December 2000 Privacy Rule did not expressly permit disclosure of 
protected health information to FDA-regulated entities for the purpose 
of enabling ``lookback,'' which is an activity performed by the blood 
and plasma industry to identify and quarantine blood and blood products 
that may be at increased risk of transmitting certain blood-borne 
diseases, and which includes the notification of individuals who 
received possibly tainted products, permitting them to seek medical 
attention and counseling. The NPRM also was intended to simplify the 
public health reporting provision and to make it more readily 
understandable. Finally, the approach proposed in the NPRM, and adopted 
in this final Rule, is intended to add flexibility to the public health 
reporting provision of the December 2000 Rule, whose exclusive list of 
permissible disclosures was insufficiently flexible to assure that 
Sec. 164.512(b)(1)(iii) will allow legitimate public health reporting 
activities that might arise in the future.
    In addition, the Department clarifies that the reporting of adverse 
events is not restricted to the FDA or persons subject to the 
jurisdiction of the FDA. A covered entity may, under Sec. 164.512(b), 
disclose protected health information to a public health authority that 
is authorized to receive or collect a report on an adverse event. In 
addition, to the extent an adverse event is required to be reported by 
law, the disclosure of protected health information for this purpose is 
also permitted under Sec. 164.512(a). For example, a Federally funded 
researcher who is a covered health care provider under the Privacy Rule 
may disclose protected health information related to an adverse event 
to the National Institutes of Health (NIH) if required to do so by NIH 
regulations. Even if not required to do so, the researcher may also 
disclose adverse events directly to NIH as a public health authority. 
To the extent that NIH has public health matters as part of its 
official mandate it qualifies as a public health authority under the 
Privacy Rule, and to the extent it is authorized by law to collect or 
receive reports about injury and other adverse events such collection 
would qualify as a public health activity.
2. Institutional Review Board (IRB) or Privacy Board Approval of a 
Waiver of Authorization
    December 2000 Privacy Rule. The Privacy Rule builds upon existing 
Federal regulations governing the conduct of human subjects research. 
In particular, the Rule at Sec. 164.512(i) establishes conditions under 
which covered entities can use and disclose protected health 
information for research purposes without individual authorization if 
the covered entity first obtains either of the following:
     Documentation of approval of a waiver of authorization 
from an Institutional Review Board (IRB) or a Privacy Board. The 
Privacy Rule specifies requirements that must be documented, including 
the Board's determination that eight defined waiver criteria had been 
met.
     Where a review of protected health information is 
conducted preparatory to research or where research is conducted solely 
on decedents' information, certain representations from the researcher, 
including that the use or disclosure is sought solely for such a 
purpose and that the protected health information is necessary for the 
purpose.
    March 2002 NPRM. A number of commenters informed the Department 
that the eight waiver criteria in the December 2000 Privacy Rule were 
confusing, redundant, and internally inconsistent. These commenters 
urged the Department to simplify these provisions, noting that they 
would be especially burdensome and duplicative for research that was 
currently governed by the Common Rule. In response to these comments, 
the Department proposed the following modifications to the waiver 
criteria for all research uses and disclosures of protected health 
information, regardless of whether or not the research is subject to 
the Common Rule:
     The Department proposed to delete the criterion that ``the 
alteration or waiver will not adversely affect the privacy rights and 
the welfare of the individuals,'' because it may conflict with the 
criterion regarding the assessment of minimal privacy risk.
     In response to commenters' concerns about the overlap and 
potential inconsistency among several of the Privacy Rule's criteria, 
the Department proposed to turn the following three criteria into 
factors that must be considered as part of the IRB's or Privacy Board's 
assessment of minimal risk to privacy:
     There is an adequate plan to protect the identifiers from 
improper use and disclosure;
     There is an adequate plan to destroy the identifiers at 
the earliest opportunity consistent with the conduct of the research, 
unless there is a health or research justification for retaining the 
identifiers, or such retention is otherwise required by law; and
     There are adequate written assurances that the protected 
health information will not be reused or disclosed to any other person 
or entity, except as required by law, for authorized oversight of the 
research project, or for other research for which the use or disclosure 
of protected health information would be permitted by this subpart.
     In response to concerns that the following waiver 
criterion was unnecessarily duplicative of other provisions to protect 
patients' confidentiality interests, the Department proposed to 
eliminate the criterion that: ``the privacy risks to individuals whose 
protected health information is to be used or disclosed are reasonable 
in relation to the anticipated benefits, if any, to the individual, and 
the importance of the knowledge that may reasonably be expected to 
result from the research.''
    In sum, the NPRM proposed that the following waiver criteria 
replace the waiver criteria in the December 2000 Privacy Rule at 
Sec. 164.512(i)(2)(ii):
    (1) The use or disclosure of protected health information involves 
no more than a minimal risk to the privacy of individuals, based on, at 
least, the presence of the following elements:
    (a) An adequate plan to protect the identifiers from improper use 
and disclosure;
    (b) An adequate plan to destroy the identifiers at the earliest 
opportunity consistent with conduct of the research, unless there is a 
health or research justification for retaining the identifiers or such 
retention is otherwise required by law; and
    (c) Adequate written assurances that the protected health 
information will not be reused or disclosed to any other person or 
entity, except as required by law, for authorized oversight of the

[[Page 53230]]

research project, or for other research for which the use or disclosure 
of protected health information would be permitted by this subpart;
    (2) The research could not practicably be conducted without the 
waiver or alteration; and
    (3) The research could not practicably be conducted without access 
to and use of the protected health information.
    Overview of Public Comments. The following discussion provides an 
overview of the public comment received on this proposal. Additional 
comments received on this issue are discussed below in the section 
entitled, ``Response to Other Public Comments.''
    The overwhelming majority of commenters were supportive of the 
Department's proposed modifications to the Privacy Rule's waiver 
criteria. These commenters found that the proposed revisions adequately 
addressed earlier concerns that the waiver criteria in the December 
2000 Rule were confusing, redundant, and internally inconsistent. 
However, a few commenters argued that some of the proposed criteria 
continued to be too subjective and urged that they be eliminated.
    Final Modifications. The Department agrees with the majority of 
commenters that supported the proposed waiver criteria, and adopts the 
modifications as proposed in the NPRM. The criteria safeguard patient 
privacy, require attention to issues sometimes currently overlooked by 
IRBs, and are compatible with the Common Rule. Though IRBs and Privacy 
Boards may initially struggle to interpret the criteria, as a few 
commenters mentioned, the Department intends to issue guidance 
documents to address this concern. Furthermore, the Department notes 
that experience and guidance have enabled IRBs to successfully 
implement the Common Rule's waiver criteria, which also require 
subjective determinations.
    This final Rule also contains a conforming modification in 
Sec. 164.512(i)(2)(iii) to replace ``(i)(2)(ii)(D)'' with 
``(i)(2)(ii)(C).''

Response to Other Public Comments

    Comment: It was suggested that the Department eliminate the March 
2002 NPRM waiver criterion that requires IRBs or Privacy Boards to 
determine if there is an ``adequate plan to protect identifiers from 
improper use and disclosure,'' in order to avoid the IRB having to make 
subjective decisions.
    Response: The Department disagrees with the commenter that the 
waiver criterion adopted in this final Rule is too subjective for an 
IRB or a Privacy Board to use. First, the consideration of whether 
there is an adequate plan to protect identifiers from improper use and 
disclosure is one of three factors that an IRB or Privacy Board must 
weigh in determining that the use or disclosure of protected health 
information for the research proposal involves no more than a minimal 
risk to the privacy of the individual. The Department does not believe 
that the minimal risk determination, which is based upon a similar 
waiver criterion in the Common Rule, is made unduly subjective by 
requiring the IRB to take into account the researcher's plans for 
maintaining the confidentiality of the information.
    Second, as noted in the discussion of these provisions in the 
proposal, the Privacy Rule is intended to supplement and build upon the 
human subject protections already afforded by the Common Rule and the 
Food and Drug Administration's human subject protection regulations. 
One provision already in effect under these authorities is that, to 
approve a study, an IRB must determine that ``when appropriate, there 
are adequate provisions to protect the privacy of subjects and to 
maintain the confidentiality of data.'' (Common Rule Sec. __.111(a)(7), 
21 CFR 56.111(a)(7).) The Department, therefore, believes that IRBs and 
Privacy Boards are accustomed to making the type of determinations 
required under the Privacy Rule.
    Nonetheless, as stated above, the Department is prepared to respond 
to actual issues that may arise during the implementation of these 
provisions and to provide the guidance necessary to address concerns of 
IRBs, Privacy Boards, and researchers in this area.
    Comment: A few commenters requested elimination of the waiver 
element at Sec. 164.512(i)(2)(ii)(A)(2) that would require the IRB or 
Privacy Board to determine that ``there is an adequate plan to destroy 
identifiers at the earliest opportunity consistent with the conduct of 
the research, unless there is a health or research justification for 
their retention or such retention is required by law.'' These 
commenters argued that this requirement may lead to premature 
destruction of the data, which may hinder investigations of defective 
data analysis or research misconduct.
    Response: The waiver element at Sec. 164.512(i)(2)(ii)(A)(2) 
accounts for these concerns by permitting the retention of identifiers 
if there is a health or research justification, or if such retention is 
required by law. It is expected that IRBs and Privacy Boards will 
consider the need for continued analysis of the data, research, and 
possible investigations of research misconduct when considering whether 
this waiver element has been met. In addition, destroying identifiers 
at the earliest opportunity helps to ensure that the use or disclosure 
of protected health information will indeed pose no more than ``minimal 
risk to the privacy of individuals.'' Requiring the researcher to 
justify the need to retain patient identifiers provides needed 
flexibility for research, while maintaining the goal of protecting 
individuals' privacy interests. If additional issues arise after 
implementation, the Department can most appropriately address them 
through guidance.
    Comment: Commenters also requested clarification of the proposed 
waiver element at Sec. 164.512(i)(2)(ii)(A)(3), that will require an 
IRB or Privacy Board to determine that there are ``adequate written 
assurances that the protected health information would not be reused or 
disclosed to any other person or entity, except as required by law, for 
authorized oversight of the research project, or for other research for 
which the use or disclosure of protected health information would be 
permitted by this subpart.'' Specifically, the commenter's concern 
centered on what effect this criterion could have on retrospective 
studies involving data re-analysis.
    Response: The Department clarifies that the Privacy Rule permits 
the use or disclosure of protected health information for retrospective 
research studies involving data re-analysis only if such use or 
disclosure is made either with patient authorization or a waiver of 
patient authorization as permitted by Sec. 164.508 or Sec. 164.512(i), 
respectively. If issues develop in the course of implementation, the 
Department intends to provide the guidance necessary to address these 
questions.
    Comment: A few commenters suggested clarifying that recruitment for 
clinical trials by a covered entity using protected health information 
in the covered entity's possession is a health care operation function, 
not a marketing function. These commenters argued that a partial IRB or 
Privacy Board waiver of authorization for recruitment purposes would be 
too burdensome for the covered entity, and would prevent covered health 
care providers from communicating with their patients about the 
availability of clinical trials.
    Response: Research recruitment is neither a marketing nor a health 
care operations activity. Under the Rule, a covered entity is permitted 
to disclose protected health information to the individual who is the 
subject of the information, regardless of the purpose of the 
disclosure. See Sec. 164.502(a)(1)(i). Therefore, covered health care 
providers and patients may continue to discuss the option of enrolling 
in a clinical trial without patient authorization, and

[[Page 53231]]

without an IRB or Privacy Board waiver of patient authorization. 
However, where a covered entity wants to disclose an individual's 
information to a third party for purposes of recruitment in a research 
study, the covered entity first must obtain either authorization from 
that individual as required at Sec. 164.508, or a waiver of 
authorization as permitted at Sec. 164.512(i).
    Comment: It was suggested that the Rule should permit covered 
health care providers to obtain an authorization allowing the use of 
protected health information for recruitment into clinical trials 
without specifying the person to whom the information would be 
disclosed and the exact information to be disclosed, but retaining the 
authorization requirements of specified duration and purpose, and 
adding a requirement for the minimum necessary use or disclosure.
    Response: The Department understands that the Privacy Rule will 
alter some research recruitment but disagrees with the commenter's 
proposal to permit broad authorizations for recruitment into clinical 
trials. The Department decided not to adopt this suggestion because 
such a blanket authorization would not provide individuals with 
sufficient information to make an informed choice about whether to sign 
the authorization. In addition, adopting this change also would be 
inconsistent with Department's decision to eliminate the distinction in 
the Rule between research that includes treatment and research that 
does not.
    Comment: It was suggested that the Department exempt from the 
Privacy Rule research that is already covered by the Common Rule and/or 
FDA's human subject protection regulations. Commenters stated that this 
would reduce the burden of complying with the Rule for covered entities 
and researchers already governed by human subject protection 
regulations, while requiring those not previously subject to compliance 
with human subject protection regulations to protect individuals' 
privacy.
    Response: Many who commented on the December 2000 Privacy Rule 
argued for this option as well. The Department had previously 
considered, but chose not to adopt, this approach. Since the Common 
Rule and the FDA's human subject protection regulations contain only 
two requirements that specifically address confidentiality protections, 
the Privacy Rule will strengthen existing human subject privacy 
protections for research. More importantly, the Privacy Rule creates 
equal standards of privacy protection for research governed by the 
existing regulations and research that is not.
    Comment: It was argued that the waiver provision should be 
eliminated. The commenter argued that IRBs or Privacy Boards should not 
have the right to waive a person's privacy rights, and that individuals 
should have the right to authorize all uses and disclosures of 
protected health information about themselves.
    Response: The Department disagrees that safeguarding individuals' 
privacy interests requires that individuals be permitted to authorize 
all uses and disclosures of protected health information about 
themselves. In developing the Privacy Rule, the Department carefully 
weighed individuals' privacy interests with the need for identifiable 
health information for certain public policy and national priority 
purposes. The Department believes that the Privacy Rule reflects an 
appropriate balance. For example, the Rule appropriately allows for the 
reporting of information necessary to ensure public health, such as 
information about a contagious disease that may be indicative of a 
bioterrorism event, without individual authorization. With respect to 
research, the Department strongly believes that continued improvements 
in our nation's health require that researchers be permitted access to 
protected health information without individual authorization in 
certain limited circumstances. However, we do believe that researchers' 
ability to use protected health information without a patient's 
authorization is a privilege that requires strong confidentiality 
protections to ensure that the information is not misused. The 
Department believes that the safeguards required by the final Rule 
achieve the appropriate balance between protecting individuals' privacy 
interests, while permitting researchers to access protected health 
information for important, and potentially life-saving, studies.
    Comment: A few commenters stated that, if the Rule permits covered 
entities to release protected health information to sponsor-initiated 
registries related to quality, safety, or effectiveness of FDA-
regulated products, then this permission should apply to academic 
institutes and non-profit organizations as well. Otherwise, the 
commenters argued, the Rule establishes a double standard for research 
registries created by FDA-regulated entities versus registries created 
by academic or non-profit sponsored entities.
    Response: The provisions under Sec. 164.512(b)(iii) are intended to 
allow the disclosure of information to FDA-regulated entities for the 
limited purpose of conducting public health activities to ensure the 
qualify, safety, or effectiveness of FDA-regulated products, including 
drugs, medical devices, biological products, and food. Thus, the 
Department does not believe a modification to the research provisions 
is appropriate. The Privacy Rule permits covered entities to disclose 
protected health information to a registry for research purposes, 
including those sponsored by academic and non-profit organizations, if 
such disclosure: is required by law under Sec. 164.512(a), is made 
pursuant to an IRB or Privacy Board waiver of authorization under 
Sec. 164.512(i), is made pursuant to the individual's authorization as 
provided by Sec. 164.508, or consists only of a limited data set as 
provided by Sec. 164.514(e).
    Comment: It was suggested that the Department modify the Rule's 
definition of ``research'' or the provision for preparatory research to 
explicitly permit the building and maintenance of research databases 
and repositories. The commenter further asserted that, under the Common 
Rule, ``research'' signifies an actual research protocol, and would not 
include a data or tissue compilation that is undertaken to facilitate 
future protocols. Therefore, since the Privacy Rule and the Common Rule 
have the same definition of ``research,'' this commenter was concerned 
that the Privacy Rule would not permit a pre-research practice in which 
a covered entity compiles protected health information in a systematic 
way to either assist researchers in their reviews that are preparatory 
to research, or to conduct future research.
    Response: The Department does not believe such a modification is 
necessary. Under the Common Rule, the Office for Human Research 
Protections (OHRP) has interpreted the definition of ``research'' to 
include the development of a repository or database for future research 
purposes. In fact, OHRP has issued guidance on this issue, which can be 
found at the following URL: http://ohrp.osophs.dhhs.gov/humansubjects/guidance/reposit.htm. The Department interprets the definition of 
``research'' in the Privacy Rule to be consistent with what is 
considered research under the Common Rule. Thus, the development of 
research repositories and databases for future research are considered 
research for the purposes of the Privacy Rule.
    Comment: A commenter suggested eliminating the minimum necessary 
requirement for uses and disclosures made pursuant to a waiver of 
authorization by an IRB or Privacy

[[Page 53232]]

Board. The commenter argued that this proposal would lessen covered 
entities' concern that they would be held responsible for an IRB or 
Privacy Board's inappropriate determination and would, thus, increase 
the likelihood that covered entities would rely on the requesting 
researcher's IRB or Privacy Board documentation that patient 
authorization could be waived as permitted at Sec. 164.512(i). This 
commenter further argued that this proposal would discourage covered 
entities from imposing duplicate review by the covered entities' own 
IRB or Privacy Board, thereby decreasing burden for covered entities, 
researchers, IRBs, and Privacy Boards.
    Response: Although the Secretary acknowledges the concern of these 
commenters, the Rule at Sec. 164.514(d)(3)(iii)(D) already permits 
covered entities to reasonably rely on documentation from an external 
IRB or Privacy Board as meeting the minimum necessary requirement, 
provided the documentation complies with the applicable requirements of 
Sec. 164.512(i). The Department understands that covered entities may 
elect to require duplicate IRB or Privacy Board reviews before 
disclosing protected health information to requesting researchers, but 
has determined that eliminating the minimum necessary requirement would 
pose inappropriate and unnecessary risk to individuals' privacy. For 
example, if the covered entity has knowledge that the documentation of 
IRB or Privacy Board approval was fraudulent with respect to the 
protected health information needed for a research study, the covered 
entity should not be permitted to rely on the IRB or Privacy Board's 
documentation as fulfilling the minimum necessary requirement. 
Therefore, in the revised Final Rule, the Department has retained the 
minimum necessary requirement for research uses and disclosures made 
pursuant to Sec. 164.512(i).

G. Section 164.514--Other Requirements Relating to Uses and Disclosures 
of Protected Health Information

1. De-Identification of Protected Health Information
    December 2000 Privacy Rule. At Sec. 164.514(a)-(c), the Privacy 
Rule permits a covered entity to de-identify protected health 
information so that such information may be used and disclosed freely, 
without being subject to the Privacy Rule's protections. Health 
information is de-identified, or not individually identifiable, under 
the Privacy Rule, if it does not identify an individual and if the 
covered entity has no reasonable basis to believe that the information 
can be used to identify an individual. In order to meet this standard, 
the Privacy Rule provides two alternative methods for covered entities 
to de-identify protected health information.
    First, a covered entity may demonstrate that it has met the 
standard if a person with appropriate knowledge and experience applying 
generally acceptable statistical and scientific principles and methods 
for rendering information not individually identifiable makes and 
documents a determination that there is a very small risk that the 
information could be used by others to identify a subject of the 
information. The preamble to the Privacy Rule refers to two government 
reports that provide guidance for applying these principles and 
methods, including describing types of techniques intended to reduce 
the risk of disclosure that should be considered by a professional when 
de-identifying health information. These techniques include removing 
all direct identifiers, reducing the number of variables on which a 
match might be made, and limiting the distribution of records through a 
``data use agreement'' or ``restricted access agreement'' in which the 
recipient agrees to limits on who can use or receive the data.
    Alternatively, covered entities may choose to use the Privacy 
Rule's safe harbor method for de-identification. Under the safe harbor 
method, covered entities must remove all of a list of 18 enumerated 
identifiers and have no actual knowledge that the information remaining 
could be used, alone or in combination, to identify a subject of the 
information. The identifiers that must be removed include direct 
identifiers, such as name, street address, social security number, as 
well as other identifiers, such as birth date, admission and discharge 
dates, and five-digit zip code. The safe harbor requires removal of 
geographic subdivisions smaller than a State, except for the initial 
three digits of a zip code if the geographic unit formed by combining 
all zip codes with the same initial three digits contains more than 
20,000 people. In addition, age, if less than 90, gender, ethnicity, 
and other demographic information not listed may remain in the 
information. The safe harbor is intended to provide covered entities 
with a simple, definitive method that does not require much judgment by 
the covered entity to determine if the information is adequately de-
identified.
    The Privacy Rule also allows for the covered entity to assign a 
code or other means of record identification to allow de-identified 
information to be re-identified by the covered entity, if the code is 
not derived from, or related to, information about the subject of the 
information. For example, the code cannot be a derivation of the 
individual's social security number, nor can it be otherwise capable of 
being translated so as to identify the individual. The covered entity 
also may not use or disclose the code for any other purpose, and may 
not disclose the mechanism (e.g., algorithm or other tool) for re-
identification.
    The Department is cognizant of the increasing capabilities and 
sophistication of electronic data matching used to link data elements 
from various sources and from which, therefore, individuals may be 
identified. Given this increasing risk to individuals' privacy, the 
Department included in the Privacy Rule the above stringent standards 
for determining when information may flow unprotected. The Department 
also wanted the standards to be flexible enough so the Privacy Rule 
would not be a disincentive for covered entities to use or disclose de-
identified information wherever possible. The Privacy Rule, therefore, 
strives to balance the need to protect individuals' identities with the 
need to allow de-identified databases to be useful.
    March 2002 NPRM. The Department heard a number of concerns 
regarding the de-identification standard in the Privacy Rule. These 
concerns generally were raised in the context of using and disclosing 
information for research, public health purposes, or for certain health 
care operations. In particular, concerns were expressed that the safe 
harbor method for de-identifying protected health information was so 
stringent that it required removal of many of the data elements that 
were essential to analyses for research and these other purposes. The 
comments, however, demonstrated little consensus as to which data 
elements were needed for such analyses and were largely silent 
regarding the feasibility of using the Privacy Rule's alternative 
statistical method to de-identify information.
    Based on the comments received, the Department was not convinced of 
the need to modify the safe harbor standard for de-identified 
information. However, the Department was aware that a number of 
entities were confused by potentially conflicting provisions within the 
de-identification standard. These entities argued that, on the one 
hand, the Privacy Rule treats information as de-identified if all 
listed identifiers on the information are stripped, including

[[Page 53233]]

any unique, identifying number, characteristic, or code. Yet, the 
Privacy Rule permits a covered entity to assign a code or other record 
identification to the information so that it may be re-identified by 
the covered entity at some later date.
    The Department did not intend such a re-identification code to be 
considered one of the unique, identifying numbers or codes that 
prevented the information from being de-identified. Therefore, the 
Department proposed a technical modification to the safe harbor 
provisions explicitly to except the re-identification code or other 
means of record identification permitted by Sec. 164.514(c) from the 
listed identifiers (Sec. 164.514(b)(2)(i)(R)).
    Overview of Public Comments. The following provides an overview of 
the public comment received on this proposal. Additional comments 
received on this issue are discussed below in the section entitled, 
``Response to Other Public Comments.''
    All commenters on our clarification of the safe harbor re-
identification code not being an enumerated identifier supported our 
proposed regulatory clarification.
    Final Modifications. Based on the Department's intent that the re-
identification code not be considered one of the enumerated identifiers 
that must be excluded under the safe harbor for de-identification, and 
the public comment supporting this clarification, the Department adopts 
the provision as proposed. The re-identification code or other means of 
record identification permitted by Sec. 164.514(c) is expressly 
excepted from the listed safe harbor identifiers at 
Sec. 164.514(b)(2)(i)(R).

Response to Other Public Comments

    Comment: One commenter asked if data can be linked inside the 
covered entity and a dummy identifier substituted for the actual 
identifier when the data is disclosed to the external researcher, with 
control of the dummy identifier remaining with the covered entity.
    Response: The Privacy Rule does not restrict linkage of protected 
health information inside a covered entity. The model that the 
commenter describes for the dummy identifier is consistent with the re-
identification code allowed under the Rule's safe harbor so long as the 
covered entity does not generate the dummy identifier using any 
individually identifiable information. For example, the dummy 
identifier cannot be derived from the individual's social security 
number, birth date, or hospital record number.
    Comment: Several commenters who supported the creation of de-
identified data for research based on removal of facial identifiers 
asked if a keyed-hash message authentication code (HMAC) can be used as 
a re-identification code even though it is derived from patient 
information, because it is not intended to re-identify the patient and 
it is not possible to identify the patient from the code. The 
commenters stated that use of the keyed-hash message authentication 
code would be valuable for research, public health and bio-terrorism 
detection purposes where there is a need to link clinical events on the 
same person occurring in different health care settings (e.g. to avoid 
double counting of cases or to observe long-term outcomes).
    These commenters referenced Federal Information Processing Standard 
(FIPS) 198: ``The Keyed-Hash Message Authentication Code.'' This 
standard describes a keyed-hash message authentication code (HMAC) as a 
mechanism for message authentication using cryptographic hash 
functions. The HMAC can be used with any iterative approved 
cryptographic hash function, in combination with a shared secret key. A 
hash function is an approved mathematical function that maps a string 
of arbitrary length (up to a pre-determined maximum size) to a fixed 
length string. It may be used to produce a checksum, called a hash 
value or message digest, for a potentially long string or message.
    According to the commenters, the HMAC can only be breached when the 
key and the identifier from which the HMAC is derived and the de-
identified information attached to this code are known to the public. 
It is common practice that the key is limited in time and scope (e.g. 
only for the purpose of a single research query) and that data not be 
accumulated with such codes (with the code needed for joining records 
being discarded after the de-identified data has been joined).
    Response: The HMAC does not meet the conditions for use as a re-
identification code for de-identified information. It is derived from 
individually identified information and it appears the key is shared 
with or provided by the recipient of the data in order for that 
recipient to be able to link information about the individual from 
multiple entities or over time. Since the HMAC allows identification of 
individuals by the recipient, disclosure of the HMAC violates the Rule. 
It is not solely the public's access to the key that matters for these 
purposes; the covered entity may not share the key to the re-
identification code with anyone, including the recipient of the data, 
regardless of whether the intent is to facilitate re-identification or 
not.
    The HMAC methodology, however, may be used in the context of the 
limited data set, discussed below. The limited data set contains 
individually identifiable health information and is not a de-identified 
data set. Creation of a limited data set for research with a data use 
agreement, as specified in Sec. 164.514(e), would not preclude 
inclusion of the keyed-hash message authentication code in the limited 
data set. The Department encourages inclusion of the additional 
safeguards mentioned by the commenters as part of the data use 
agreement whenever the HMAC is used.
    Comment: One commenter requested that HHS update the safe harbor 
de-identification standard with prohibited 3-digit zip codes based on 
2000 Census data.
    Response: The Department stated in the preamble to the December 
2000 Privacy Rule that it would monitor such data and the associated 
re-identification risks and adjust the safe harbor as necessary. 
Accordingly, the Department provides such updated information in 
response to the above comment. The Department notes that these three-
digit zip codes are based on the five-digit zip Code Tabulation Areas 
created by the Census Bureau for the 2000 Census. This new methodology 
also is briefly described below, as it will likely be of interest to 
all users of data tabulated by zip code.
    The Census Bureau will not be producing data files containing U.S. 
Postal Service zip codes either as part of the Census 2000 product 
series or as a post Census 2000 product. However, due to the public's 
interest in having statistics tabulated by zip code, the Census Bureau 
has created a new statistical area called the Zip Code Tabulation Area 
(ZCTA) for Census 2000. The ZCTAs were designed to overcome the 
operational difficulties of creating a well-defined zip code area by 
using Census blocks (and the addresses found in them) as the basis for 
the ZCTAs. In the past, there has been no correlation between zip codes 
and Census Bureau geography. Zip codes can cross State, place, county, 
census tract, block group and census block boundaries. The geographic 
entities the Census Bureau uses to tabulate data are relatively stable 
over time. For instance, census tracts are only defined every ten 
years. In contrast, zip codes can change more frequently. Because of 
the ill-defined nature of zip code boundaries, the Census Bureau has no 
file (crosswalk) showing the relationship

[[Page 53234]]

between US Census Bureau geography and US Postal Service zip codes.
    ZCTAs are generalized area representations of U.S. Postal Service 
(USPS) zip code service areas. Simply put, each one is built by 
aggregating the Census 2000 blocks, whose addresses use a given zip 
code, into a ZCTA which gets that zip code assigned as its ZCTA code. 
They represent the majority USPS five-digit zip code found in a given 
area. For those areas where it is difficult to determine the prevailing 
five-digit zip code, the higher-level three-digit zip code is used for 
the ZCTA code. For further information, go to: http://www.census.gov/geo/www/gazetteer/places2k.html.
    Utilizing 2000 Census data, the following three-digit ZCTAs have a 
population of 20,000 or fewer persons. To produce a de-identified data 
set utilizing the safe harbor method, all records with three-digit zip 
codes corresponding to these three-digit ZCTAs must have the zip code 
changed to 000. The 17 restricted zip codes are: 036, 059, 063, 102, 
203, 556, 692, 790, 821, 823, 830, 831, 878, 879, 884, 890, and 893.
2. Limited Data Sets
    March 2002 NPRM. As noted above, the Department heard many concerns 
that the de-identification standard in the Privacy Rule could curtail 
important research, public health, and health care operations 
activities. Specific concerns were raised by State hospital 
associations regarding their current role in using patient information 
from area hospitals to conduct and disseminate analyses that are useful 
for hospitals in making decisions about quality and efficiency 
improvements. Similarly, researchers raised concerns that the 
impracticality of using de-identified data would significantly increase 
the workload of IRBs because waivers of individual authorization would 
need to be sought more frequently for research studies even though no 
direct identifiers were needed for the studies. Many of these 
activities and studies were also being pursued for public health 
purposes. Some commenters urged the Department to permit covered 
entities to disclose protected health information for research if the 
protected health information is facially de-identified, that is, 
stripped of direct identifiers, so long as the research entity provides 
assurances that it will not use or disclose the information for 
purposes other than research and will not identify or contact the 
individuals who are the subjects of the information.
    In response to these concerns, the Department, in the NPRM, 
requested comments on an alternative approach that would permit uses 
and disclosures of a limited data set which would not include direct 
identifiers but in which certain potentially identifying information 
would remain. The Department proposed limiting the use or disclosure of 
any such limited data set to research, public health, and health care 
operations purposes only.
    From the de-identification safe harbor list of identifiers, we 
proposed the following as direct identifiers that would have to be 
removed from any limited data set: name, street address, telephone and 
fax numbers, e-mail address, social security number, certificate/
license number, vehicle identifiers and serial numbers, URLs and IP 
addresses, and full face photos and any other comparable images. The 
proposed limited data set could include the following identifiable 
information: admission, discharge, and service dates; date of death; 
age (including age 90 or over); and five-digit zip code.
    The Department solicited comment on whether one or more other 
geographic units smaller than State, such as city, county, precinct, 
neighborhood or other unit, would be needed in addition to, or be 
preferable to, the five-digit zip code. In addition, to address 
concerns raised by commenters regarding access to birth date for 
research or other studies relating to young children or infants, the 
Department clarified that the Privacy Rule de-identification safe 
harbor allows disclosure of the age of an individual, including age 
expressed in months, days, or hours. Given that the limited data set 
could include all ages, including age in months, days, or hours (if 
preferable), the Department requested comment on whether date of birth 
would be needed and, if so, whether the entire date would be needed, or 
just the month and year.
    In addition, to further protect privacy, the Department proposed to 
condition the disclosure of the limited data set on covered entities 
obtaining from the recipients a data use or similar agreement, in which 
the recipient would agree to limit the use of the limited data set to 
the purposes specified in the Privacy Rule, to limit who can use or 
receive the data, and agree not to re-identify the data or contact the 
individuals.
    Overview of Public Comments. The following discussion provides an 
overview of the public comment received on this proposal. Additional 
comments received on this issue are discussed below in the section 
entitled, ``Response to Other Public Comments.''
    Almost all those who commented on this issue supported the basic 
premise of the limited data set for research, public health, and health 
care operations. Many of these commenters used the opportunity to 
reiterate their opposition to the safe harbor and statistical de-
identification methods, and some misinterpreted the limited data set 
proposal as creating another safe-harbor form of de-identified data. In 
general, commenters agreed with the list of direct identifiers proposed 
in the preamble of the NPRM; some recommended changes. The requirement 
of a data use agreement was similarly widely supported, although a few 
commenters viewed it as unnecessary and others offered additional terms 
which they argued would make the data use agreement more effective. 
Others questioned the enforceability of the data use agreements.
    A few commenters argued that the limited data set would present a 
significant risk of identification of individuals because of the 
increased ability to use the other demographic variables (e.g., race, 
gender) in such data sets to link to other publicly available data. 
Some of these commenters also argued that the development of computer-
based solutions to support the statistical method of de-identification 
is advancing rapidly and can support, in some cases better than the 
limited data set, many of the needs for research, public health and 
health care operations. These commenters asserted that authorization of 
the limited data set approach would undermine incentives to further 
develop statistical techniques for de-identification that may be more 
protective of privacy.
    Most commenters who supported the limited data set concept favored 
including the five-digit zip code, but also wanted other geographic 
units smaller than a State to be included in the limited data set. 
Examples of other geographic units that commenters argued are needed 
for research, public health or health care operational purposes were 
county, city, full zip code, census tract, and neighborhood. Various 
analytical needs were cited to support these positions, such as 
tracking the occurrence of a particular disease to the neighborhood 
level or using county level data for a needs assessment of physician 
specialties. A few commenters opposed inclusion of the 5-digit zip code 
in the limited data set, recommending that the current Rule, which 
requires data aggregation at the 3-digit zip code level, remain the 
standard.
    Similarly, the majority of commenters addressing the issue 
supported inclusion of the full birth date in the

[[Page 53235]]

limited data set. These commenters asserted that the full birth date 
was needed for longitudinal studies, and similar research, to assure 
accuracy of data. Others stated that while they preferred access to the 
full birth date, their data needs would be satisfied by inclusion of at 
least the month and year of birth in the limited data set. A number of 
commenters also opposed inclusion of the date of birth in the limited 
data as unduly increasing the risk of identification of individuals.
    Final Modifications. In view of the support in the public comments 
for the concept of a limited data set, the Department determines that 
adoption of standards for the use and disclosure of protected health 
information for this purpose is warranted. Therefore, the Department 
adds at Sec. 164.514(e) a new standard and implementation 
specifications for a limited data set for research, public health, or 
health care operations purposes if the covered entity (1) uses or 
discloses only a ``limited data set'' as defined at Sec. 164.514(e)(2), 
and (2) obtains from the recipient of the limited data set a ``data use 
agreement'' as defined at Sec. 164.514(e)(4). In addition, the 
Department adds to the permissible uses and disclosures in 
Sec. 164.502(a) express reference to the limited data set standards.
    The implementation specifications do not delineate the data that 
can be released through a limited data set. Rather, the Rule specifies 
the direct identifiers that must be removed for a data set to qualify 
as a limited data set. As with the de-identification safe harbor 
provisions, the direct identifiers listed apply to protected health 
information about the individual or about relatives, employers, or 
household members of the individual. The direct identifiers include all 
of the facial identifiers proposed in the preamble to the NPRM: (1) 
Name; (2) street address (renamed postal address information, other 
than city, State and zip code); (3) telephone and fax numbers; (4) e-
mail address; (5) social security number; (6) certificate/license 
numbers; (7) vehicle identifiers and serial numbers; (8) URLs and IP 
addresses; and (9) full face photos and any other comparable images. 
The public comment generally supported the removal of this facially 
identifying information.
    In addition to these direct identifiers, the Department designates 
the following information as direct identifiers that must be removed 
before protected health information will be considered a limited data 
set: (1) Medical record numbers, health plan beneficiary numbers, and 
other account numbers; (2) device identifiers and serial numbers; and 
(3) biometric identifiers, including finger and voice prints. Only a 
few commenters specifically stated a need for some or all of these 
identifiers as part of the limited data set. For example, one commenter 
wanted an (encrypted) medical record number to be included in the 
limited data set to support disease management planning and program 
development to meet community needs and quality management. Another 
commenter wanted the health plan beneficiary number included in the 
limited data set to permit researchers to ensure that results 
indicating sex, gender or ethnic differences were not influenced by the 
participant's health plan. And a few commenters wanted device 
identifiers and serial numbers included in the limited data set, to 
facilitate product recalls and patient safety initiatives. However, the 
Department has not been persuaded that the need for these identifiers 
outweighs the potential privacy risks to the individual by their 
release as part of a limited data set, particularly when the Rule makes 
other avenues available for the release of information that may 
directly identify an individual.
    The Department does not include in the list of direct identifiers 
the ``catch-all'' category from the de-identification safe harbor of 
``any other unique identifying number, characteristic or code.'' While 
this requirement is essential to assure that the de-identification safe 
harbor does in fact produce a de-identified data set, it is difficult 
to define in advance in the context of a limited data set. Since our 
goal in establishing a limited data set is not to create de-identified 
information and since the data use agreement constrains further 
disclosure of the information, we determined that it would only add 
complexity to implementation of the limited data set with little added 
protection.
    In response to wide public support, the Department does not 
designate as a direct identifier any dates related to the individual or 
any geographic subdivision other than street address. Therefore, as 
part of a limited data set, researchers and others involved in public 
health studies will have access to dates of admission and discharge, as 
well as dates of birth and death for the individual. We agree with 
commenters who asserted that birth date is critical for certain 
research, such as longitudinal studies where there is a need to track 
individuals across time and for certain infant-related research. Rather 
than adding complexity to the Rule by trying to carve out an exception 
for these specific situations, and other justifiable uses, we rely on 
the minimum necessary requirement to keep the Rule simple while 
avoiding abuse. Birth date should only be disclosed where the 
researcher and covered entity agree that it is needed for the purpose 
of the research. Further, even though birth date may be included with a 
limited data set, the Department clarifies, as it did in the preamble 
to the proposed rulemaking, that the Privacy Rule allows the age of an 
individual to be expressed in years or in months, days, or hours as 
appropriate.
    Moreover, the limited data set may include the five-digit zip code 
or any other geographic subdivision, such as State, county, city, 
precinct and their equivalent geocodes, except for street address. We 
substitute for street address the term postal address information, 
other than city, State and zip code in order to make clear that 
individual elements of postal address such as street name by itself are 
also direct identifiers. Commenters identified a variety of needs for 
various geographical codes (county, city, neighborhood, census tract, 
precinct) to support a range of essential research, public health and 
health care operations activities. Some of the examples provided 
included the need to analyze local geographic variations in disease 
burdens or in the provision of health services, conducting research 
looking at pathogens or patterns of health risks which may need to 
compare areas within a single zip code, or studies to examine data by 
county or neighborhood when looking for external causes of disease, as 
would be the case for illnesses and diseases such as bladder cancer 
that may have environmental links. The Department agrees with these 
commenters that a variety of geographical designations other than five-
digit zip code are needed to permit useful and significant studies and 
other research to go forward unimpeded. So long as an appropriate data 
use agreement is in place, the Department does not believe that there 
is any greater privacy risk in including in the limited data set such 
geographic codes than in releasing the five-digit zip code.
    Finally, the implementation specifications adopted at 
Sec. 164.514(e) require a data use agreement between the covered entity 
and the recipient of the limited data set. The need for a data use 
agreement and the core elements of such an agreement were widely 
supported in the public comment.
    In the NPRM, we asked whether additional conditions should be added 
to the data use agreement. In response, a few commenters made specific

[[Page 53236]]

suggestions. These included prohibiting further disclosure of the 
limited data set except as required by law, prohibiting further 
disclosure without the written consent of the covered entity, requiring 
that the recipient safeguard the information received in the limited 
data set, prohibiting further disclosure unless the data has been de-
identified utilizing the statistical or safe harbor methods of the 
Privacy Rule, and limiting use of the data to the purpose for which it 
was received.
    In response to these comments, in the final Rule we specify that 
the covered entity must enter into a data use agreement with the 
intended recipient which establishes the permitted uses and disclosures 
of such information by the recipient, consistent with the purposes of 
research, public health, or health care operations, limits who can use 
or receive the data, and requires the recipient to agree not to re-
identify the data or contact the individuals. In addition, the data use 
agreement must contain adequate assurances that the recipient use 
appropriate safeguards to prevent use or disclosure of the limited data 
set other than as permitted by the Rule and the data use agreement, or 
as required by law. These adequate assurances are similar to the 
existing requirements for business associate agreements.
    Since the data use agreement already requires the recipient to 
limit who can use or receive the data, and to prevent uses and 
disclosures beyond those stated in the agreement, and since we could 
not anticipate all the possible scenarios under which a limited data 
set with a data use agreement would be created, the Department 
concluded that adding any of the other suggested restrictions would 
bring only marginal additional protection while potentially impeding 
some of the purposes intended for the limited data set. The Department 
believes the provisions of the data use agreement provide a firm 
foundation for protection of the information in the limited data set, 
but encourages and expects covered entities and data recipients to 
further strengthen their agreements to conform to current practices.
    We do not specify the form of the data use agreement. Thus, private 
parties might choose to enter into a formal contract, while two 
government agencies might use a memorandum of understanding to specify 
the terms of the agreement. In the case of a covered entity that wants 
to create and use a limited data set for its own research purposes, the 
requirements of the data use agreement could be met by having affected 
workforce members sign an agreement with the covered entity, comparable 
to confidentiality agreements that employees handling sensitive 
information frequently sign.
    A few commenters questioned the enforceability of the data use 
agreements. The Department clarifies that, if the recipient breaches a 
data use agreement, HHS cannot take enforcement action directly against 
that recipient unless the recipient is a covered entity. Where the 
recipient is a covered entity, the final modifications provide that 
such covered entity is in noncompliance with the Rule if it violates a 
data use agreement. See Sec. 164.514(e)(4)(iii)(B). Additionally, the 
Department clarifies that the disclosing covered entity is not liable 
for breaches of the data use agreement by the recipient of the limited 
data set. However, similar to business associate agreements, if a 
covered entity knows of a pattern of activity or practice of the data 
recipient that constitutes a material breach or violation of the data 
recipient's obligation under the data use agreement, then it must take 
reasonable steps to cure the breach or end the violation, as 
applicable, and, if unsuccessful, discontinue disclosure of protected 
health information to the recipient and report the problem to the 
Secretary. And the recipient is required to report to the covered 
entity any improper uses or disclosures of limited data set information 
of which it becomes aware. We also clarify that the data use agreement 
requirements apply to disclosures of the limited data set to agents and 
subcontractors of the original limited data set recipient.
    In sum, we have created the limited data set option because we 
believe that this mechanism provides a way to allow important research, 
public health and health care operations activities to continue in a 
manner consistent with the privacy protections of the Rule. We agree 
with those commenters who stated that the limited data set is not de-
identified information, as retention of geographical and date 
identifiers measurably increases the risk of identification of the 
individual through matching of data with other public (or private) data 
sets. However, we believe that the limitations on the specific uses of 
the limited data set, coupled with the requirements of the data use 
agreement, will provide sufficient protections for privacy and 
confidentiality of the data. The December 2000 Privacy Rule preamble on 
the statistical method for de-identification discussed the data use 
agreement as one of the techniques identified that can be used to 
reduce the risk of disclosure. A number of Federal agencies that 
distribute data sets for research or other uses routinely employ data 
use agreements successfully to protect and otherwise restrict further 
use of the information.
    We note that, while disclosures of protected health information for 
certain public health purposes is already allowed under 
Sec. 164.512(b), the limited data set provision may permit disclosures 
for some public health activities not allowed under that section. These 
might include disease registries maintained by private organizations or 
universities or other types of studies undertaken by the private sector 
or non-profit organizations for public health purposes.
    In response to comments, the Department clarifies that, when a 
covered entity discloses protected health information in a limited data 
set to a researcher who has entered into an appropriate data use 
agreement, the covered entity does not also need to have documentation 
from an IRB or a Privacy Board that individual authorization has been 
waived for the purposes of the research. However, the covered entity 
may not disclose any of the direct identifiers listed in 
Sec. 164.514(e) without either the individual's authorization or 
documentation of an IRB or Privacy Board waiver of that authorization.
    The Department further clarifies that there are other requirements 
in the Privacy Rule that apply to disclosure of a limited data set, 
just as they do to other disclosures. For example, any use, disclosure, 
or request for a limited data set must also adhere to the minimum 
necessary requirements of the Rule. The covered entity could accomplish 
this by, for example, requiring the data requestor, in the data use 
agreement, to specify not only the purposes of the limited data set, 
but also the particular data elements, or categories of data elements, 
requested. The covered entity may reasonably rely on a requested 
disclosure as the minimum necessary, consistent with the provisions of 
Sec. 164.514(d)(3)(iii). As an example of the use of the minimum 
necessary standard, a covered entity who believes that another covered 
entity's request to include date of birth in the limited data set is 
not warranted is free to negotiate with the recipient about that 
requirement. If the entity requesting a limited data set including date 
of birth is not one on whose request a covered entity may reasonably 
rely under Sec. 164.514(d)(3)(iii), and the covered entity believes 
inclusion of date of birth is not warranted, the covered entity must 
either negotiate a reasonably

[[Page 53237]]

necessary limited data set or not make a disclosure.
    The Department amends Sec. 164.514(e)(3)(ii) to make clear that a 
covered entity may engage a business associate to create a limited data 
set, in the same way it can use a business associate to create de-
identified data. As with de-identified data, a business associate 
relationship arises even if the limited data set is not being created 
for the covered entity's own use. For instance, if a researcher needs 
county data, but the covered entity's data contains only the postal 
address of the individual, a business associate may be used to convert 
the covered entity's geographical information into that needed by the 
researcher. The covered entity may hire the intended recipient of the 
limited data set as a business associate for this purpose. That is, the 
covered entity may provide protected health information, including 
direct identifiers, to a business associate who is also the intended 
data recipient, to create a limited data set of the information 
responsive to the business associate's request.
    Finally, the Department amends Sec. 164.528 to make clear that the 
covered entity does not need to include disclosures of protected health 
information in limited data sets in any accounting of disclosures 
provided to the individual. Although the Department does not consider 
the limited data set to constitute de-identified information, all 
direct identifiers are removed from the limited data set and the 
recipient of the data agrees not to identify or contact the individual. 
The burden of accounting for these disclosures in these circumstances 
is not warranted, given that the data may not be used in any way to 
gain knowledge about a specific individual or to take action in 
relation to that individual.

Response to Other Public Comments

    Comment: A small number of commenters argued that the development 
of computer-based solutions to support the statistical method of de-
identification is advancing rapidly and can support, in some cases 
better than the limited data set, many of the needs for research, 
public health and health care operations. They also asserted that 
authorization of the limited data set approach will undermine 
incentives to further develop statistical techniques that will be more 
protective of privacy than the limited data set. They proposed imposing 
a sunset clause on the limited data set provision in order to promote 
use of de-identification tools.
    Response: We agree that progress is being made in the development 
of electronic tools to de-identify protected health information. 
However, the information presented by commenters did not convince us 
that current techniques meet all the needs identified or are easy 
enough to use that they can have the broad application needed to 
support key research, public health and health care operations needs. 
Where de-identification can provide better outcomes than a limited data 
set, purveyors of such de-identification tools will have to demonstrate 
to covered entities the applicability and ease of use of their 
products. We do not believe a sunset provision on the limited data set 
authority is appropriate. Rather, as part of its ongoing review of the 
Privacy Rule in general, and the de-identification provisions in 
particular, the Office for Civil Rights will periodically assess the 
need for these provisions.
    Comment: Some commenters said that if HHS clearly defines direct 
identifiers and facially identifiable information, there is no need for 
a data use agreement.
    Response: We disagree. As previously noted, the resulting limited 
data set is not de-identified; it still contains individually 
identifiable health information. As a means to assure continued 
protection of the information once it leaves the control of the covered 
entity, we believe a data use agreement is essential.
    Comment: Several commenters wanted to be able to have a single 
coordinated data use agreement between a State hospital association and 
its member hospitals where data collection is coordinated through the 
hospital association. In addition, there was concern that requiring a 
data use agreement and a business associate agreement in this 
circumstance would create an excessive and unnecessary burden.
    Response: Nothing in the requirement for a data use agreement 
prevents a State hospital association and its member hospitals from 
being parties to a common data use agreement. Furthermore, that data 
use agreement can be combined with a business associate agreement into 
a single agreement that meets the requirements of both Privacy Rule 
provisions.
    Comment: A few commenters argued that a data use agreement should 
not be required for data users getting a limited data set and 
performing data analysis as part of the Medicaid rebate validation 
process under which third-party data vendors, working for 
pharmaceutical companies, collect prescription claims data from State 
agencies and analyze the results for errors and discrepancies. They 
argued that State agencies often find entering into such contracts 
difficult and time consuming. Consequently, if States have to establish 
data use or similar agreements, then the Medicaid rebate validation 
process could be adversely impacted.
    Response: We are not persuaded that there is a compelling reason to 
exempt this category of limited data set use from the requirements for 
a data use agreement, as compared to other important uses. The data use 
agreement is key to ensuring the integrity of the limited data set 
process and avoiding inappropriate further uses and disclosures.
    Comment: One commenter stated that allowing disclosure of the 
limited data set without IRB or Privacy Board review would create a 
loophole in the Privacy Rule, with Federally funded research continuing 
to undergo IRB review while private research would not.
    Response: The Rule continues to make no distinction between 
disclosure of protected health information to Federally and privately 
funded researchers. To obtain a limited data set from a covered entity, 
both Federally-funded and privately-funded researchers must enter into 
a data use agreement with the covered entity. One of the reasons for 
establishing the limited data set provisions is that the concept of 
``personally identifiable information'' that triggers IRB review of 
research that is subject to the Common Rule does not coincide with the 
definition of ``individually identifiable health information'' in the 
Privacy Rule. The Department believes that the limited data set comes 
closer to the type of information not requiring IRB approval under the 
Common Rule than does the de-identified data set of the Privacy Rule. 
However, there is no uniform definition of ``personally identifiable 
information'' under the Common Rule; rather, as a matter of practice, 
it is currently set by each individual IRB.
    Comment: A few commenters suggested expanding the allowable 
purposes for the limited data set. One commenter proposed including 
payment as an allowable purpose, in order to facilitate comparison of 
premiums charged to insured versus uninsured patients. A few commenters 
wanted to allow disclosures to journalists if the individual's name and 
social security number have been removed and if, in the context of the 
record or file, the identity of the patient has not been revealed. A 
few commenters suggested that there was no need to restrict the purpose 
at all as long

[[Page 53238]]

as there is a data use agreement. A couple of commenters wanted to 
extend the purpose to include creation or maintenance of research 
databases and repositories.
    Response: If the comparison of premiums charged to different 
classes of patients is being performed as a health care operation of 
another entity, then a limited data set could be used for this purpose. 
It seems unlikely that this activity would occur in relation to a 
payment activity, so a change to include payment as a permissible 
purpose is not warranted. A ``payment'' activity must relate to payment 
for an individual and, thus, will need direct identifiers, and uses and 
disclosures of protected health information for such purposes is 
permitted under Sec. 164.506.
    With respect to disclosures to journalists, while recognizing the 
important role performed by newspapers and other media in reporting on 
public health issues and the health care system, we disagree that the 
purposes of the limited data set should be expanded to include 
journalists. A key element of the limited data set is that the 
recipient enter into a data use agreement that would limit access to 
the limited data set, prohibit any attempt to identify or contact any 
individual, and limit further use or disclosure of the limited data 
set. These limitations are inherently at odds with journalists' 
asserted need for access to patient information.
    The suggestion to allow disclosure of a limited data set for any 
purpose if there is a data use agreement would undermine the purpose of 
the Privacy Rule to protect individually identifiable health 
information from unauthorized disclosures and would conflict with the 
requirement in the data use agreement to restrict further use to 
research, public health, health care operations purposes. The 
Department clarifies that research encompasses the establishment of 
research databases and repositories. Therefore, no change to the 
proposal is necessary.
    Comment: One commenter said that HHS should not create a list of 
excluded direct identifiers; rather it should enunciate principles and 
leave it to researchers to apply the principles.
    Response: The statistical method of de-identification is based on 
scientific principles and methods and leaves the application to the 
researcher and the covered entity. Unfortunately, many have viewed this 
approach as too complex or imprecise for broad use. To allow broad 
discretion in selection of variables in the creation of a limited data 
set would trigger the same concerns as the statistical method, because 
some measure of reasonableness would have to be established. Commenters 
have consistently asked for precision so that they would not have to 
worry as to whether they were in compliance with the requirements of 
the Privacy Rule. The commenter's proposal runs counter to this desire 
for precision.
    Comment: One commenter wanted prescription numbers allowed in a 
limited data set because they do not include any ``facially 
identifiable information.''
    Response: Prescription numbers are medical record numbers in that 
they are used to track an individual's encounter with a health care 
provider and are uniquely associated with that individual. The fact 
that an individual receives a new prescription number for each 
prescription, even if it is randomly generated, is analogous to an 
individual receiving a separate medical record number for different 
hospital visits. Thus, a prescription number is an excluded direct 
identifier under the medical record number exclusion for the limited 
data set (and also must be excluded in the creation of de-identified 
data).
    Comment: One commenter wanted clarification that a sponsor of a 
multi-employer group health plan could utilize the limited data set 
approach for the purpose of resolving claim appeals. That commenter 
also suggested that if the only information that a plan sponsor 
received was the limited data set, the group health plan should be able 
to give that information to the plan sponsor without amending plan 
documents. In lieu of the limited data set, this commenter wanted 
clarification that redacted information, as delineated in their 
comment, is a reasonable way to meet the minimum necessary standard if 
the plan sponsor has certified that the plan documents have been 
amended pursuant to the requirements of the Privacy Rule.
    Response: Uses and disclosures of a limited data set is authorized 
only for public health, research, and health care operations purposes. 
A claims appeal is more likely to be a payment function, rather than a 
health care operation. It is also likely to require use of protected 
health information that includes direct identifiers. The Department 
disagrees with the commenter's suggestions that the Rule should allow 
group health plans to disclose a limited data set to a plan sponsor 
without amending the plan documents to describe such disclosures. 
Limited data sets are not de-identified information, and thus warrant 
this degree of protection. Therefore, only summary health information 
and the enrollment status of the individual can be disclosed by the 
group health plan to the plan sponsor without amending the plan 
documents. The Privacy Rule does not specify what particular data 
elements constitute the minimum necessary for any particular purpose.

H. Section 164.520--Notice of Privacy Practices for Protected Health 
Information

    December 2000 Privacy Rule. The Privacy Rule at Sec. 164.520 
requires most covered entities to provide individuals with adequate 
notice of the uses and disclosures of protected health information that 
may be made by the covered entity, and of the individual's rights and 
the covered entity's responsibilities with respect to protected health 
information. The Rule delineates specific requirements for the content 
of the notice, as well as for provision of the notice. The requirements 
for providing notice to individuals vary based on type of covered 
entity and method of service delivery. For example, a covered health 
care provider that has a direct treatment relationship with an 
individual must provide the notice no later than the date of first 
service delivery and, if the provider maintains a physical service 
delivery site, must post the notice in a clear and prominent location 
and have it available upon request for individuals to take with them. 
If the first service delivery to an individual is electronic, the 
covered provider must furnish electronic notice automatically and 
contemporaneously in response to the individual's first request for 
service. In addition, if a covered entity maintains a website, the 
notice must be available electronically through the web site.
    March 2002 NPRM. The Department proposed to modify the notice 
requirements at Sec. 164.520(c)(2) to require that a covered health 
care provider with a direct treatment relationship make a good faith 
effort to obtain an individual's written acknowledgment of receipt of 
the provider's notice of privacy practices. Other covered entities, 
such as health plans, would not be required to obtain this 
acknowledgment from individuals, but could do so if they chose.
    The Department proposed to strengthen the notice requirements in 
order to preserve a valuable aspect of the consent process. The notice 
acknowledgment proposal was intended to create the ``initial moment'' 
between a covered health care provider and an individual, formerly a 
result of the consent requirement, when individuals may focus on 
information practices and privacy rights and discuss with the

[[Page 53239]]

provider any concerns related to the privacy of their protected health 
information. This ``initial moment'' also would provide an opportunity 
for an individual to make a request for additional restrictions on the 
use or disclosure of his or her protected health information or for 
additional confidential treatment of communications, as permitted under 
Sec. 164.522.
    With one exception for emergency treatment situations, the proposal 
would require that the good faith effort to obtain the written 
acknowledgment be made no later than the date of first service 
delivery, including service delivered electronically. To address 
potential operational difficulties with implementing these notice 
requirements in emergency treatment situations, the Department proposed 
in Sec. 164.520(c)(2) to delay the requirement for provision of notice 
until reasonably practicable after the emergency treatment situation, 
and exempt health care providers with a direct treatment relationship 
with the individual from having to make a good faith effort to obtain 
the acknowledgment altogether in such situations.
    Other than requiring that the acknowledgment be in writing, the 
proposal would not prescribe other details of the form of the 
acknowledgment or limit the manner in which a covered health care 
provider could obtain the acknowledgment.
    The proposal also provided that, if the individual's acknowledgment 
of receipt of the notice could not be obtained, the covered health care 
provider would be required to document its good faith efforts to obtain 
the acknowledgment and the reason why the acknowledgment was not 
obtained. Failure by a covered entity to obtain an individual's 
acknowledgment, assuming it otherwise documented its good faith effort, 
would not be considered a violation of the Privacy Rule.
    Overview of Public Comments. The following discussion provides an 
overview of the public comment received on this proposal. Additional 
comments received on this issue are discussed below in the section 
entitled, ``Response to Other Public Comments.''
    In general, many commenters expressed support for the proposal to 
require that certain health care providers, as an alternative to 
obtaining prior consent, make a good faith effort to obtain a written 
acknowledgment from the individual of receipt of the notice. Commenters 
stated that even though the requirement would place some burden on 
certain health care providers, the proposed policy was a reasonable and 
workable alternative to the Rule's prior consent requirement. A number 
of these commenters conveyed support for the proposed flexibility of 
the requirement that would allow covered entities to implement the 
requirement in accordance with their own practices. Commenters urged 
that the Department not prescribe (other than that the acknowledgment 
be in writing) the form or content of the acknowledgment, or other 
requirements that would further burden the acknowledgment process. In 
addition, commenters viewed the proposed exception for emergency 
treatment situations as a practical policy.
    A number of other commenters, while supportive of the Department's 
proposal to make the obtaining of consent optional for all covered 
entities, expressed concern over the administrative burden the proposed 
notice acknowledgment requirements would impose on certain health care 
providers. Some of these commenters viewed the notice acknowledgment as 
an unnecessary burden on providers that would not afford individuals 
with any additional privacy rights or protections. Thus, some 
commenters urged that the good faith acknowledgment not be adopted in 
the final Rule. As an alternative, it was suggested by some that 
covered entities instead be required to make a good faith effort to 
make the notice available to consumers.
    Several commenters expressed concerns that the notice 
acknowledgment process would reestablish some of the same operational 
problems associated with the prior consent requirement. For example, 
commenters questioned how the requirement should be implemented when 
the provider's first contact with the patient is over the phone, 
electronically, or otherwise not face-to-face, such as with 
telemedecine. Accordingly, it was suggested that the good faith 
acknowledgment of the notice be required no later than the date of 
first face-to-face encounter with the patient rather than first service 
delivery to eliminate these perceived problems.
    A few others urged that the proposed notice acknowledgment 
requirement be modified to allow for an individual's oral 
acknowledgment of the notice, so long as the provider maintained a 
record that the individual's acknowledgment was obtained.
    Some commenters did not support the proposal's written notice 
acknowledgment as a suitable alternative to the consent requirement, 
stating that such a requirement would not provide individuals with 
comparable privacy protections or rights. It was stated that there are 
a number of fundamental differences between a consent and an 
acknowledgment of the notice. For example, one commenter argued that 
asking individuals to acknowledge receipt of the notice does not 
provide a comparable ``initial moment'' between the provider and the 
individual, especially when the individual is only asked to acknowledge 
receipt of the notice, and not whether they have read or understood it, 
or have questions. Further, commenters argued that the notice 
acknowledgment process would not be the same as seeking the 
individual's permission through a consent process. Some of these 
commenters urged that the Department retain the consent requirements 
and make appropriate modifications to fix the known operational 
problems associated with the requirement.
    A few commenters urged that the Department strengthen the notice 
acknowledgment process. Some commenters suggested that the Department 
do so by eliminating the ``good faith'' aspect of the standard and 
simply requiring certain health care providers to obtain the written 
acknowledgment, with appropriate exceptions for emergencies and other 
situations where it may not be practical to do so. It was also 
suggested that the Department require providers to ensure that the 
consumer has an understanding of the information provided in the 
notice. One commenter suggested that this may be achieved by having 
individuals not only indicate whether they have received the notice, 
but also be asked on separate lines after each section of the notice 
whether they have read that section. Another commenter argued that 
consumers should be asked to sign something more meaningful than a 
notice acknowledgment, such as a ``Summary of Consumer Rights,'' which 
clearly and briefly summarizes the ways in which their information may 
be used by covered entities, as well as the key rights consumers have 
under the Privacy Rule.
    Final Modifications. After consideration of the public comment, the 
Department adopts in this final Rule at Sec. 164.520(c)(2)(ii), the 
proposed requirement that a covered health care provider with a direct 
treatment relationship with an individual make a good faith effort to 
obtain the individual's written acknowledgment of receipt of the 
notice. Other covered entities, such as health plans, are not required 
to obtain this acknowledgment from individuals, but may do so if they 
choose. The Department agrees with

[[Page 53240]]

those commenters who stated that the notice acknowledgment process is a 
workable alternative to the prior consent process, retaining the 
beneficial aspects of the consent without impeding timely access to 
quality health care. The Department continues to believe strongly that 
promoting individuals' understanding of privacy practices is an 
essential component of providing notice to individuals. Through this 
requirement, the Department facilitates achieving this goal by 
retaining the opportunity for individuals to discuss privacy practices 
and concerns with their health care providers. Additionally, the 
requirement provides individuals with an opportunity to request any 
additional restrictions on uses and disclosures of their health 
information or confidential communications, as permitted by 
Sec. 164.522.
    As proposed in the NPRM, the final Rule requires, with one 
exception, that a covered direct treatment provider make a good faith 
effort to obtain the written acknowledgment no later than the date of 
first service delivery, including service delivered electronically, 
that is, at the time the notice is required to be provided. During 
emergency treatment situations, the final Rule at 
Sec. 164.520(c)(2)(i)(B) delays the requirement for provision of the 
notice until reasonably practicable after the emergency situation, and 
at Sec. 164.520(c)(2)(ii) exempts health care providers from having to 
make a good faith effort to obtain an individual's acknowledgment in 
such emergency situations. The Department agrees with commenters that 
such exceptions are practical and necessary to ensure that the notice 
and acknowledgment requirements do not impede an individual's timely 
access to quality health care.
    The Department also agrees with commenters that the notice 
acknowledgment process must be flexible and provide covered entities 
with discretion in order to be workable. Therefore, the final 
modification adopts the flexibility proposed in the NPRM for the 
acknowledgment requirement. The Rule requires only that the 
acknowledgment be in writing, and does not prescribe other details such 
as the form that the acknowledgment must take or the process for 
obtaining the acknowledgment. For example, the final Rule does not 
require an individual's signature to be on the notice. Instead, a 
covered health provider is permitted, for example, to have the 
individual sign a separate sheet or list, or to simply initial a cover 
sheet of the notice to be retained by the provider. Alternatively, a 
pharmacist is permitted to have the individual sign or initial an 
acknowledgment within the log book that patients already sign when they 
pick up prescriptions, so long as the individual is clearly informed on 
the log book of what they are acknowledging and the acknowledgment is 
not also used as a waiver or permission for something else (such as a 
waiver to consult with the pharmacist). For notice that is delivered 
electronically as part of first service delivery, the Department 
believes the provider's system should be capable of capturing the 
individual's acknowledgment of receipt electronically. In addition, 
those covered health care providers that choose to obtain consent from 
an individual may design one form that includes both a consent and the 
acknowledgment of receipt of the notice. Covered health care providers 
are provided discretion to design the acknowledgment process best 
suited to their practices.
    While the Department believes that the notice acknowledgment 
process must remain flexible, the Department does not consider oral 
acknowledgment by the individual to be either a meaningful or 
appropriate manner by which a covered health care provider may 
implement these provisions. The notice acknowledgment process is 
intended to provide a formal opportunity for the individual to engage 
in a discussion with a health care provider about privacy. At the very 
least, the process is intended to draw the individual's attention to 
the importance of the notice. The Department believes these goals are 
better accomplished by requiring a written acknowledgment and, 
therefore, adopts such provision in this final modification.
    Under the final modification, if an individual refuses to sign or 
otherwise fails to provide an acknowledgment, a covered health care 
provider is required to document its good faith efforts to obtain the 
acknowledgment and the reason why the acknowledgment was not obtained. 
Failure by a covered entity to obtain an individual's acknowledgment, 
assuming it otherwise documented its good faith effort, is not a 
violation of this Rule. Such reason for failure simply may be, for 
example, that the individual refused to sign the acknowledgment after 
being requested to do so. This provision also is intended to allow 
covered health care providers flexibility to deal with a variety of 
circumstances in which obtaining an acknowledgment is problematic. In 
response to commenters requests for examples of good faith efforts, the 
Department intends to provide future guidance on this and other 
modifications.
    A covered entity is required by Sec. 164.530(j) to document 
compliance with these provisions by retaining copies of any written 
acknowledgments of receipt of the notice or, if not obtained, 
documentation of its good faith efforts to obtain such written 
acknowledgment.
    The Department was not persuaded by those commenters who urged that 
the Department eliminate the proposed notice acknowledgment 
requirements because of concerns about burden. The Department believes 
that the final modification is simple and flexible enough so as not to 
impose a significant burden on covered health care providers. Covered 
entities are provided much discretion to design the notice 
acknowledgment process that works best for their business. Further, as 
described above, the Department believes that the notice acknowledgment 
requirements are important in that they retain the important aspects of 
the prior consent process that otherwise would be lost in the final 
modifications.
    In response to commenters' operational concerns about the proposed 
notice acknowledgment requirements, the Department clarifies that the 
modification as proposed and now adopted as final is intended to be 
flexible enough to address the various types of relationships that 
covered health care providers may have with the individuals to whom 
they provide treatment, including those treatment situations that are 
not face-to-face. For example, a health care provider whose first 
treatment encounter with a patient is over the phone satisfies the 
notice provision requirements of the Rule by mailing the notice to the 
individual no later than the day of that service delivery. To satisfy 
the requirement that the provider also make a good faith effort to 
obtain the individual's acknowledgment of the notice, the provider may 
include a tear-off sheet or other document with the notice that 
requests such acknowledgment be mailed back to the provider. The 
Department would not consider the health care provider in violation of 
the Rule if the individual chooses not to mail back an acknowledgment. 
The Department clarifies, however, that where a health care provider's 
initial contact with the patient is simply to schedule an appointment, 
the notice provision and acknowledgment requirements may be satisfied 
at the time the individual arrives at the provider's facility for his 
or her

[[Page 53241]]

appointment. For service provided electronically, the Department 
believes that, just as a notice may be delivered electronically, a 
provider should be capable of capturing the individual's acknowledgment 
of receipt electronically in response to that transmission.
    Finally, the Department does not agree with those commenters who 
argued that the proposed notice acknowledgment requirements are not an 
adequate alternative to the prior consent requirements, nor with those 
who argued that the proposed acknowledgment process should be 
strengthened if an individual's consent is no longer required. The 
Department believes that the notice acknowledgment process retains the 
important aspects of the consent process, such as creating an 
opportunity for a discussion between the individual and the provider of 
privacy issues, including the opportunity for the individual to request 
restrictions on how her information may be used and disclosed as 
permitted by Sec. 164.522.
    Additionally, the Department believes that requiring certain health 
care providers to obtain the individual's acknowledgment of receipt of 
the notice, rather than make a good faith effort to do so, would remove 
the flexibility of the standard and increase the burden substantially 
on covered entities. Such a modification, therefore, would have the 
potential to cause workability and operational problems similar to 
those caused by the prior consent requirements. Prescribing the form or 
content of the acknowledgment could have the same effect. The 
Department believes that the notice acknowledgment process must not 
negatively impact timely access to quality health care.
    Also, the Department agrees that it will not be easy for every 
individual to understand fully the information in the notice, and 
acknowledges that the onus of ensuring that individuals have an 
understanding of the notice should not be placed solely on health care 
providers. The Rule ensures that individuals are provided with a notice 
in plain language but leaves it to each individual's discretion to 
review the notice and to initiate a discussion with the covered entity 
about the use and disclosure of his or her health information or the 
individual's rights. However, the Department continues to believe 
strongly that promoting individuals' understanding of privacy practices 
is an essential component of providing notice to individuals. The 
Department anticipates that many stakeholders, including the 
Department, covered entities, consumer organizations, health educators, 
the mass media and journalists, and a host of other organizations and 
individuals, will be involved in educating individuals about privacy 
notices and practices.

Response to Other Public Comments

    Comment: Several commenters requested clarification as to whether a 
health care provider is required to obtain from individuals a new 
acknowledgment of receipt of the notice if the facility changes its 
privacy policy.
    Response: The Department clarifies that this is not required. To 
minimize burden on the covered direct treatment provider, the final 
modification intends the obtaining of the individual's acknowledgment 
to be consistent with the timing for provision of the notice to the 
individual, that is, no later than the date of first service delivery. 
Upon revision of the notice, the Privacy Rule requires only that the 
direct treatment provider make the notice available upon request on or 
after the effective date of the revision, and, if he maintains a 
physical service delivery site, to post the revised notice in a clear 
and prominent location in his facility. See Sec. 164.520(c)(2)(iii). As 
the Rule does not require a health care provider to provide the revised 
notice directly to the individual, unless requested by the individual, 
a new written acknowledgment is not required at the time of revision of 
the notice.
    Comment: A few commenters requested clarification as to how the 
Department intended the notice acknowledgment process to be implemented 
within an affiliated covered entity or an organized health care 
arrangement (OHCA).
    Response: The requirement for an individual's written 
acknowledgment of the notice corresponds with the requirement that the 
notice be provided to the individual by certain health care providers 
at first service delivery, regardless of whether the notice itself is 
the joint notice of an OHCA, the notice of an affiliated covered 
entity, or the notice of one entity. With respect to an OHCA, the 
Privacy Rule permits covered entities that participate in an OHCA to 
satisfy the notice requirements through the use of a joint notice, 
provided that the relevant conditions of Sec. 164.520(d) are met. 
Section 164.520(d)(3) further provides that provision of a joint notice 
to an individual by any one of the covered entities included in the 
joint notice satisfies the notice provision requirements at 
Sec. 164.520(c) with respect to all others covered by the joint notice. 
Thus, a health care provider with a direct treatment relationship with 
an individual that is participating in an OHCA only need make a good 
faith effort to obtain the individual's acknowledgment of the joint 
notice if that provider is the covered entity within the OHCA that is 
providing the joint notice to the individual. Where the joint notice is 
provided to the individual by a participating covered entity other than 
a provider with a direct treatment relationship with the individual, no 
acknowledgment need be obtained. However, covered entities that 
participate in an OHCA are not required to utilize a joint notice and 
may maintain separate notices. In such case, each covered health care 
provider with a direct treatment relationship within the OHCA must make 
a good faith effort to obtain the individual's acknowledgment of the 
notice he or she provides.
    Similarly, an affiliated covered entity may have one single notice 
that covers all of its affiliates. Thus, if the affiliated covered 
entity's notice is provided to the individual by a health care provider 
with which the individual has a direct treatment relationship, the 
health care provider must make a good faith effort to obtain the 
individual's acknowledgment of receipt of the notice. Alternatively, 
where the affiliated entity's notice is provided to the individual by a 
participating entity other than a provider with a direct treatment 
relationship with the individual, no acknowledgment need be obtained. 
However, as with the OHCA, the Department clarifies that covered 
entities that are part of an affiliated covered entity may maintain 
separate notices if they choose to do so; if they do so, each provider 
with a direct treatment relationship with the individual must make a 
good faith effort to obtain the individual's acknowledgment of the 
notice he or she provides.
    Comment: It was suggested that if a provider chooses to obtain 
consent, the provider should not also be required to obtain the 
individual's acknowledgment of the notice.
    Response: For those covered entities that choose to obtain consent, 
the Rule does not prescribe any details of the form or manner in which 
the consent must be obtained. Given this discretion, the Department 
does not believe that all consents will provide the same benefits to 
the individual as those afforded by the notice acknowledgment process. 
The Rule, therefore, does not relieve a covered health care provider of 
his obligations with respect to obtaining an individual's 
acknowledgment of the

[[Page 53242]]

notice if that provider also obtains the individual's consent. However, 
the Rule provides those covered health care providers that choose to 
obtain consent from an individual the discretion to design one form 
that includes both a consent and the acknowledgment of receipt of the 
notice.
    Comment: Some commenters asked that the Privacy Rule allow the 
written acknowledgment of the notice to be obtained electronically 
without regard to channel of delivery (electronically or on paper) of 
the notice.
    Response: Generally, the Privacy Rule allows for electronic 
documents to qualify as written documents for purposes of meeting the 
Rule's requirements. This also applies with respect to the notice 
acknowledgment. For notice delivered electronically, the Department 
intends a return receipt or other transmission from the individual to 
suffice as the notice acknowledgment.
    For notice delivered on paper in a face-to-face encounter with the 
provider, although it is unclear to the Department how exactly the 
provider may do so, the Rule does not preclude providers from obtaining 
the individual's written acknowledgment electronically. The Department 
cautions, however, that the notice acknowledgment process is intended 
to alert individuals to the importance of the notice and provide them 
the opportunity to discuss privacy issues with their providers. To 
ensure that individuals are aware of the importance of the notice, the 
Rule requires that the individual's acknowledgment be in writing. Thus, 
the Department would not consider a receptionist's notation in a 
computer system to be an individual's written acknowledgment.
    Comment: One commenter expressed concern that the Rule did not 
define ``emergency'' as it applies to ambulance services given the 
Rule's exceptions to the notice requirements for such situations. This 
commenter also urged that the Rule's notice provisions at 
Sec. 164.520(c)(2) with respect to emergency treatment situations be 
expanded also to apply to non-emergency trips of ambulance providers. 
The commenter explained that even in non-emergency circumstances, 
patients, especially the elderly, often suffer from incapacitating or 
stressful conditions when they need to be transferred by ambulance, at 
which time it may not be effective or appropriate to provide the notice 
and obtain the individual's acknowledgment of receipt of the notice.
    Response: During emergency treatment situations, the final Rule at 
Sec. 164.520(c)(2)(i)(B) delays the requirement for provision of the 
notice until reasonably practicable after the emergency situation, and 
exempts health care providers from having to make a good faith effort 
to obtain an individual's acknowledgment. As the provisions are not 
intended to apply only to ambulance providers, the Department does not 
believe that defining emergency with respect to such providers is 
appropriate or necessary. Nor does the Department believe that 
expanding these provisions to cover non-emergency trips of ambulance 
providers is appropriate. The provisions are intended to provide 
exceptions for those situations where providing the notice and 
obtaining an individual's acknowledgment may not be feasible or 
practicable. Where such extenuating circumstances do not exist, the 
Department expects that covered health care providers are able to 
provide individuals with a notice and make a good faith effort to 
obtain their acknowledgment of receipt. Where an individual does not 
provide an acknowledgment, the Rule requires only that the provider 
document his good faith effort to obtain the acknowledgment.
    Comment: A number of commenters requested clarification on how to 
implement the ``good faith'' standard and urged the Department to 
provide more specific guidance and examples. Some commenters expressed 
concern over the perceived liability that would arise from such a 
discretionary standard.
    Response: Covered entities are provided much discretion to 
implement the notice acknowledgment process as best suited to their 
specific business practices. The standard is designed as a ``good faith 
effort'' standard because the Department understands that obtaining an 
individual's acknowledgment of the notice may not always be feasible or 
practical, in spite of a covered entity's efforts. Thus, the standard 
is intended to account for those difficult situations, including where 
an individual simply refuses to provide the written acknowledgment. 
Given the discretion covered health care providers have in implementing 
these standards and the various ways such providers interact with their 
patients, it is difficult for the Department to provide specific 
guidance in this area that is generally applicable to many covered 
health care providers. However, the Department intends to provide 
future guidance through frequently asked questions or other materials 
in response to specific scenarios that are raised by industry.
    With respect to commenters' concerns regarding potential liability, 
the Department's position is that a failure by a covered entity to 
obtain an individual's acknowledgment, assuming it otherwise documented 
its good faith effort (as required by Sec. 164.520(c)(2)(ii)), will not 
be considered a violation of this Rule.
    Comment: Many commenters generally urged that the Department modify 
the Rule to allow for a simpler, shorter, and, therefore, more readable 
notice. Some of the commenters explained that a shorter notice would 
assure that more individuals would take the time to read and be able to 
understand the information. Others suggested that a shorter notice 
would help to alleviate burden on the covered entity. A number of these 
commenters suggested that the Department allow for a shorter summary or 
1-page notice to replace the prescriptive notice required by the 
Privacy Rule. It was recommended that such a notice could refer 
individuals to a more detailed notice, available on request, or to an 
HHS web site, for additional information about an individual's rights 
under the Privacy Rule. Others recommended that the Department allow 
for a layered notice that contains: (1) A short notice that briefly 
describes, for example, the entity's principal uses and disclosures of 
an individual's health information, as well as the individual's rights 
with respect to that information; and (2) a longer notice, layered 
beneath the short notice, that contains all the elements required by 
the Rule.
    Certain other commenters urged that one way to make the notice 
shorter, as well as to alleviate burden on the covered entity, would be 
to eliminate the requirement that the notice explain the more stringent 
State privacy laws. Commenters stated that companies that operate in 
multiple States will have to develop and print up to 50 different 
notices, and then update and reissue those notices whenever a material 
change is made to the State law. These commenters recommended instead 
that the notice simply state that State law may provide additional 
protections.
    A few commenters urged that the Department provide a model notice 
that covered entities could use in their implementation efforts.
    Response: The Department does not modify the notice content 
provisions at Sec. 164.520(b). The Department believes that the 
elements required by Sec. 164.520(b) are important to fully inform the 
individual of the covered entity's privacy practices, as well as his or 
her rights. However, the Department agrees that such information must 
be provided in a clear, concise, and easy to

[[Page 53243]]

understand manner. Therefore, the Department clarifies that covered 
entities may utilize a ``layered notice'' to implement the Rule's 
provisions, so long as the elements required by Sec. 164.520(b) are 
included in the document that is provided to the individual. For 
example, a covered entity may satisfy the notice provisions by 
providing the individual with both a short notice that briefly 
summarizes the individual's rights, as well as other information; and a 
longer notice, layered beneath the short notice, that contains all the 
elements required by the Privacy Rule. Covered entities, however, while 
encouraged to use a layered notice, are not required to do so. Nothing 
in the final modifications relieve a covered entity of its duty to 
provide the entire notice in plain language so the average reader can 
understand it. See Sec. 164.520(b)(1).
    In response to comments regarding a model notice, it would be 
difficult for the Department to develop a document that would be 
generally useful to many different types of covered entities. A covered 
entity's notice must reflect in sufficient detail the particular uses 
and disclosures that entity may make. Such uses and disclosures likely 
will be very different for each type of covered entity. Thus, a 
uniform, model notice could not capture the wide variation in 
information practices across covered entities. The Department intends, 
however, to issue further general guidance to help covered entities 
implement the notice provisions of the Rule.
    Comment: A number of commenters also requested that the Department 
lessen the burden associated with distributing the notice. For example, 
some commenters asked that covered entities be permitted to satisfy the 
notice provision requirements by posting the notice at the facility or 
on a web site and by providing a copy only to those consumers who 
request one, or by placing copies on display where an interested 
consumer may take one.
    Response: The Department's position that making the notice 
available to individuals, either on request, by posting it at a 
facility or on a web site, or by placing copies on display, does not 
substitute for physically providing the notice directly to individuals. 
Adequate notice of privacy practices is a fundamental right afforded 
individuals by the Rule. As such, the Department does not believe that 
the burden of obtaining such information should be placed on the 
individual. Covered entities are required to distribute the notice in 
the manner described under Sec. 164.520(c).
    Comment: A few commenters requested that the Department make clear 
that no special mailings are required to provide individuals with a 
covered entity's notice; rather, that the notice may be distributed as 
part of other mailings or distributions by the covered entity. For 
example, one commenter argued that the Rule should be flexible enough 
to allow for notices to be included in a health plan's Summary Plan 
Descriptions, Booklets, or an Enrollment Application. It was argued 
that the notice would receive greater attention, be more carefully 
reviewed and, thus, better understood if it were published in materials 
known to be widely read by members.
    Response: The Department clarifies that no special or separate 
mailings are required to satisfy the notice distribution requirements. 
The Privacy Rule provides covered entities with discretion in this 
area. A health plan distributing its notice through the mail, in 
accordance with Sec. 164.520(c)(1), may do so as part of another 
mailing to the individual. In addition, a covered entity that provides 
its notice to an individual by e-mail, in accordance with 
Sec. 164.520(c)(3), may include additional materials in the e-mail. No 
separate e-mail is required. However, the Privacy Rule at 
Sec. 164.508(b)(3) continues to prohibit a covered entity from 
combining the notice in a single document with an authorization.
    Comment: Commenters also urged that the Rule permit, for group 
products, a health plan to send its notice to the administrator of the 
group product or the plan sponsor, who would then be responsible for 
distributing the notice to each enrollee/employee. One commenter 
claimed this distribution method is especially appropriate where there 
is no regular communication with the covered individuals, as in an 
employer-pay-all group medical or dental plan. According to the 
commenter, providing the notice to the employer makes sense because the 
employer picks the plan and should be aware of the plan's privacy 
practices when doing so.
    Response: The Privacy Rule requires a health plan to distribute its 
notice to each individual covered by the plan. Health plans may arrange 
to have another entity, or person, for example, a group administrator 
or a plan sponsor, distribute the notice on their behalf. However, the 
Department cautions that if such other entity or person fails to 
distribute the notice to individuals, the health plan would be in 
violation of the Rule.
    Comment: Another commenter asked that the Department eliminate the 
requirement that a covered entity must provide the notice to every 
dependent, rather than just the head of the household. This commenter 
argued that while it makes sense to provide the notice to an 
emancipated minor or to a minor who pursuant to State law has consented 
to treatment, it does not make sense to send the notice to a 2-year old 
child.
    Response: The Privacy Rule provides that a health plan may satisfy 
the notice provision requirements by distributing the notice to the 
named insured of a policy under which coverage is provided to the named 
insured and one or more dependents. A health plan is not required to 
distribute the notice to each dependent. See Sec. 164.520(c)(1)(iii).
    Further, a covered health care provider with a direct treatment 
relationship with the individual is required only to provide the notice 
to the individual receiving treatment at first service delivery. Where 
a parent brings a 2-year old child in for treatment, the provider 
satisfies the notice distribution requirements by providing the notice 
only to the child's parent.

I. Section 164.528--Accounting of Disclosures of Protected Health 
Information

    December 2000 Privacy Rule. Under the Privacy Rule at Sec. 164.528, 
individuals have the right to receive an accounting of disclosures of 
protected health information made by the covered entity, with certain 
exceptions. These exceptions, or instances where a covered entity is 
not required to account for disclosures, include disclosures made by 
the covered entity to carry out treatment, payment, or health care 
operations, as well as disclosures to individuals of protected health 
information about them. The individual must request an accounting of 
disclosures.
    The accounting is required to include the following: (1) 
Disclosures of protected health information that occurred during the 
six years prior to the date of the request for an accounting; and (2) 
for each disclosure: the date of the disclosure; the name of the entity 
or person who received the protected health information, and, if known, 
the address of such entity or person; a brief description of the 
protected health information disclosed; and a brief statement of the 
purpose of the disclosure that reasonably informs the individual of the 
basis for the disclosure, or in lieu of such a statement, a copy of the 
individual's written authorization pursuant to Sec. 164.508 or a copy 
of a written request

[[Page 53244]]

for a disclosure under Secs. 164.502(a)(2)(ii) or 164.512. For multiple 
disclosures of protected health information to the same person, the 
Privacy Rule allows covered entities to provide individuals with an 
accounting that contains only the following information: (1) For the 
first disclosure, a full accounting, with the elements described above; 
(2) the frequency, periodicity, or number of disclosures made during 
the accounting period; and (3) the date of the last such disclosure 
made during the accounting period.
    March 2002 NPRM. In response to concerns about the high costs and 
administrative burdens associated with the requirement to account to 
individuals for the covered entity's disclosure of protected health 
information, the Department proposed to expand the exceptions to the 
standard at Sec. 164.528(a)(1) to include disclosures made pursuant to 
an authorization as provided in Sec. 164.508. Covered entities would no 
longer be required to account for any disclosures authorized by the 
individual in accordance with Sec. 164.508. The Department proposed to 
alleviate burden in this way because, like disclosures of protected 
health information made directly to the individual--which are already 
excluded from the accounting provisions in Sec. 164.528(a)(1)--
disclosures made pursuant to an authorization are also known by the 
individual, in as much as the individual was required to sign the forms 
authorizing the disclosures.
    In addition to the exception language at Sec. 164.528(a)(1), the 
Department proposed two conforming amendments at 
Secs. 164.528(b)(2)(iv) and (b)(3) to delete references in the 
accounting content requirements to disclosures made pursuant to an 
authorization.
    Overview of Public Comments. The following discussion provides an 
overview of the public comment received on this proposal. Additional 
comments received on this issue are discussed below in the section 
entitled, ``Response to Other Public Comments.''
    The majority of comments on the accounting proposal supported the 
elimination of the accounting for authorized disclosures. The 
commenters agreed that, on balance, since the individual had elected to 
authorize the disclosure in the first instance, and that election was 
fully informed and voluntary, subsequently accounting for the 
disclosure made pursuant to that authorization was not necessary.
    Many of the commenters went on to suggest other ways in which the 
accounting requirement could be made less burdensome. For example, 
several commenters wanted some or all of the disclosures which are 
permitted at Sec. 164.512 without individual consent or authorization 
to also be exempt from the accounting requirements. Others proposed 
alternative means of accounting for disclosures for research, 
particularly when such disclosures involve large numbers of records. 
These commenters argued that accounting for each individual record 
disclosed for a large research project would be burdensome and may 
deter covered entities from participating in such research. Rather than 
an individual accounting, the commenters suggested that the covered 
entity be required only to disclose a listing of all relevant protocols 
under which an individual's information may have been released during 
the accounting period, the timeframes during which disclosures were 
made under a protocol, and the name of the institution and researcher 
or investigator responsible for the protocol, together with contact 
information for the researcher. The National Committee on Vital Health 
Statistics, while not endorsing a protocol listing directly, 
recommended the Department consider alternatives to minimize the burden 
of the accounting requirements on research.
    Finally, several commenters objected to the elimination of the 
accounting requirement for authorized disclosures. Some of these 
commenters expressed concern that the proposal would eliminate the 
requirement to account for the authorized disclosure of psychotherapy 
notes. Others were primarily concerned that the proposal would weaken 
the accounting rights of individuals. According to these commenters, 
informing the individual of disclosures was only part of the purpose of 
an accounting. Even with regard to authorized disclosures, an 
accounting could be important to verify that disclosures were in accord 
with the scope and purpose as stated in the authorization and to detect 
potentially fraudulent, altered, or otherwise improperly accepted 
authorizations. Since authorizations had to be maintained in any event, 
accounting for these disclosures represented minimal work for the 
covered entity.
    Final Modifications. Based on the general support in the public 
comment, the Department adopts the modification to eliminate the 
accounting requirement for authorized disclosures. The authorization 
process itself adequately protects individual privacy by assuring that 
the individual's permission is given both knowingly and voluntarily. 
The Department agrees with the majority of commenters that felt 
accounting for authorized disclosures did not serve to add to the 
individual's knowledge about disclosures of protected health 
information. The Department does recognize the role of accounting 
requirements in the detection of altered or fraudulent authorizations. 
However, the Department considers the incidence of these types of 
abuses, and the likelihood of their detection through a request for an 
accounting, to be too remote to warrant the burden on all covered 
entities of including authorized disclosures in an accounting. As noted 
by some commenters, the covered entity must retain a copy of the 
authorization to document their disclosure of protected health 
information and that documentation would be available to help resolve 
an individual's complaint to either the covered entity or the 
Secretary.
    Specific concern about the elimination of the accounting 
requirement for authorized disclosures was expressed by mental health 
professionals, who believed their patients should always have the right 
to monitor access to their personal information. The Department 
appreciates theses commenters' concern about the need for heightened 
protections and accountability with regard to psychotherapy notes. It 
is because of these concerns that the Rule requires, with limited 
exceptions, individual authorization for even routine uses and 
disclosures of psychotherapy notes by anyone other than the originator 
of the notes. The Department clarifies that nothing in modifications 
adopted in this rulemaking prevents a mental health professional from 
including authorized disclosures of psychotherapy notes in an 
accounting requested by their patients. Indeed, any covered entity may 
account to the individual for disclosures based on the individual's 
authorization. The modification adopted by the Department simply no 
longer requires such an accounting.
    In response to comment on this proposal, as well as on the 
proposals to permit incidental disclosures and disclosures of protected 
health information, other than direct identifiers, as part of a limited 
data set, the Department has added two additional exclusions to the 
accounting requirements. Disclosures that are part of a limited data 
set and disclosures that are merely incidental to another permissible 
use or disclosure will not require an accounting. The limited data set 
does not contain any protected health information that directly 
identifies the individual and the individual is further protected from 
identification by the required data use

[[Page 53245]]

agreement. The Department believes that accounting for these 
disclosures would be too burdensome. Similarly, the Department believes 
that it is impracticable to account for incidental disclosures, which 
by their very nature, may be uncertain or unknown to the covered entity 
at the time they occur. Incidental disclosures are permitted as long as 
reasonable safeguards and minimum necessary standards have been 
observed for the underlying communication. Moreover, incidental 
disclosures may most often happen in the context of a communication 
that relates to treatment or health care operations. In that case, the 
underlying disclosure is not subject to an accounting and it would be 
arbitrary to require an accounting for a disclosure that was merely 
incidental to such a communication.
    The Department however disagrees with commenters who requested that 
other public purpose disclosures not be subject to the accounting 
requirement. Although the Rule permits disclosure for a variety of 
public purposes, they are not routine disclosures of the individual's 
information. The accounting requirement was designed as a means for the 
individual to find out the non-routine purposes for which his or her 
protected health information was disclosed by the covered entity, so as 
to increase the individual's awareness of persons or entities other 
than the individual's health care provider or health plan in possession 
of this information. To eliminate some or all of these public purposes 
would defeat the core purpose of the accounting requirement.
    The Department disagrees with commenters' proposal to exempt all 
research disclosures made pursuant to a waiver of authorization from 
the accounting requirement. Individuals have a right to know what 
information about them has been disclosed without their authorization, 
and for what purpose(s). However, the Department agrees that the Rule's 
accounting requirements could have the undesired effect of causing 
covered entities to halt disclosures of protected health information 
for research. Therefore, the Department adopts commenters' proposal to 
revise the accounting requirement at Sec. 164.528 to permit covered 
entities to meet the requirement for research disclosures if they 
provide individuals with a list of all protocols for which the 
patient's protected health information may have been disclosed for 
research pursuant to a waiver of authorization under Sec. 164.512(i), 
as well as the researcher's name and contact information. The 
Department agrees with commenters that this option struck the 
appropriate balance between affirming individuals' right to know how 
information about them is disclosed, and ensuring that important 
research is not halted.
    The Department considered and rejected a similar proposal by 
commenters when it adopted the Privacy Rule in December 2000. While 
recognizing the potential burden for research, the Department 
determined that the individual was entitled to the same level of 
specificity in an accounting for research disclosures as any other 
disclosure. At that time, however, the Department added the summary 
accounting procedures at Sec. 164.528(b)(3) to address the burden 
issues of researchers and others in accounting for multiple disclosures 
to the same entity. In response to the Department's most recent request 
for comments, researchers and others explained that the summary 
accounting procedures do not address the burden of having to account 
for disclosures for research permitted by Sec. 164.512(i). These 
research projects usually involve many records. It is the volume of 
records for each disclosure, not the repeated nature of the 
disclosures, that presents an administrative obstacle for research if 
each record must be individually tracked for the accounting. Similarly, 
the summary accounting procedures do not relieve the burden for covered 
entities that participate in many different studies on a routine basis. 
The Department, therefore, reconsidered the proposal to account for 
large research projects by providing a list of protocols in light of 
these comments.
    Specifically, the Department adds a paragraph (4) to 
Sec. 164.528(b) to provide for simplified accounting for research 
disclosures as follows:
    (1) The research disclosure must be pursuant to Sec. 164.512(i) and 
involve at least 50 records. Thus, the simplified accounting procedures 
may be used for research disclosures based on an IRB or Privacy Board 
waiver of individual authorization, the provision of access to the 
researcher to protected health information for purposes preparatory to 
research, or for research using only records of deceased individuals. 
The large number of records likely to be disclosed for these research 
purposes justifies the need for the simplified accounting procedures. 
The Department has determined that a research request for 50 or more 
records warrants use of these special procedures.
    (2) For research protocols for which the individual's protected 
health information may have been disclosed during the accounting 
period, the accounting must include the name of the study or protocol, 
a description of the purpose of the study and the type of protected 
health information sought, and the timeframe of disclosures in response 
to the request.
    (3) When requested by the individual, the covered entity must 
provide assistance in contacting those researchers to whom it is likely 
that the individual's protected health information was actually 
disclosed.
    Support for streamlining accounting for research disclosures came 
in comments and from NCVHS. The Department wants to encourage research 
and believes protections afforded information in hands of researcher, 
particularly research overseen by IRB or Privacy Board, provides 
assurance of continued confidentiality of information. The Department 
does not agree that the individual has no need to know that his or her 
information has been disclosed for a research purpose. Covered 
entities, of course, may account for research disclosures in the same 
manner as all other disclosures. Even when the covered entity elects to 
use the alternative of a protocol listing, the Department encourages 
covered entities to provide individuals with disclosure of the specific 
research study or protocol for which their protected health information 
was disclosed, and other specific information relating to such actual 
disclosures if they so choose. If the covered entity lists all 
protocols for which the individual's information may have been 
disclosed, the Department would further encourage that the covered 
entity list under separate headings, or on separate lists, all 
protocols relating to particular health issues or conditions, so that 
individuals may more readily identify the specific studies for which 
their protected health information is more likely to have been 
disclosed.
    The Department intends to monitor the simplified accounting 
procedures for certain research disclosures to determine if they are 
effective in providing meaningful information to individuals about how 
their protected health information is disclosed for research purposes, 
while still reducing the administrative burden on covered entities 
participating in such research efforts. The Department may make 
adjustments to the accounting procedures for research in the future as 
necessary to ensure both goals are fully met.

Response to Other Public Comments

    Comment: A few commenters opposed the proposal to eliminate the 
accounting requirement for all

[[Page 53246]]

authorized disclosures arguing that, absent a full accounting, the 
individual cannot meaningfully exercise the right to amend or to revoke 
the authorization. Others also felt that a comprehensive right to an 
accounting, with no exceptions, was better from an oversight and 
enforcement standpoint as it encouraged consistent documentation of 
disclosures. One commenter also pointed to an example of the potential 
for fraudulent authorizations by citing press accounts of a chain drug 
store that allegedly took customers signatures from a log that waived 
their right to consult with the pharmacist and attached those 
signatures to a form authorizing the receipt of marketing materials. 
Under the proposal, the commenter asserted, the chain drug store would 
not have to include such fraudulent authorizations as part of an 
accounting to the individual.
    Response: The Department does not agree that the individual's right 
to amendment is materially affected by the accounting requirements for 
authorized disclosures. The covered entity that created the protected 
health information contained in a designated record set has the primary 
obligation to the individual to amend any erroneous or incomplete 
information. The individual does not necessarily have a right to amend 
information that is maintained by other entities that the individual 
has authorized to have his or her protected health information. 
Furthermore, the covered entity that has amended its own designated 
record set at the request of the individual is obligated to make 
reasonable efforts to notify other persons, including business 
associates, that are known to have the protected health information 
that was the subject of the amendment and that may rely on such 
information to the detriment of the individual. This obligation would 
arise with regard to persons to whom protected health information was 
disclosed with the individual's authorization. Therefore, the 
individual's amendment rights are not adversely affected by the 
modifications to the accounting requirements. Furthermore, nothing in 
the modification adversely affects the individual's right to revoke the 
authorization.
    The Department agrees that oversight is facilitated by consistent 
documentation of disclosures. However, the Department must balance its 
oversight functions with the burden on entities to track all 
disclosures regardless of purpose. Based on this balancing, the 
Department has exempted routine disclosures, such as those for 
treatment, payment, and health care operations, and others for security 
reasons. The addition of authorized disclosures to the exemption from 
the accounting does not materially affect the Department's oversight 
function. Compliance with the Rule's authorization requirements can 
still be effectively monitored because covered entities are required to 
maintain signed authorizations as documentation of disclosures. 
Therefore, the Department believes that effective oversight, not the 
happenstance of discovery by an individual through the accounting 
requirement, is the best means to detect and prevent serious misdeeds 
such as those alleged in fraudulent authorizations.
    Comment: A number of commenters recommended other types of 
disclosures for exemption from the accounting requirement. Many 
recommended elimination of the accounting requirement for public health 
disclosures arguing that the burden of the requirement may deter 
entities from making such disclosures and that because many are made 
directly to public health authorities by doctors and nurses, rather 
than from a central records component of the entity, public health 
disclosures are particularly difficult to track and document. Others 
suggested exempting from an accounting requirement any disclosure 
required by another law on the grounds that neither the individual nor 
the entity has any choice about such required disclosures. Still others 
wanted all disclosures to a governmental entity exempted as many such 
disclosures are required and often reports are routine or require lots 
of data. Some wanted disclosures to law enforcement or to insurers for 
claims investigations exempted from the accounting requirement to 
prevent interference with such investigatory efforts. Finally, a few 
commenters suggested that all of the disclosures permitted or required 
by the Privacy Rule should be excluded from the accounting requirement.
    Response: Elimination of an accounting requirement for authorized 
disclosures is justified in large part by the individual's knowledge of 
and voluntary agreement to such disclosures. None of the above 
suggestions for exemption of other permitted disclosures can be 
similarly justified. The right to an accounting of disclosures serves 
an important function in informing the individual as to which 
information was sent to which recipients. While it is possible that 
informing individuals about the disclosures of their health information 
may on occasion discourage some worthwhile activity, the Department 
believes that the individual's right to know who is using their 
information and for what purposes takes precedence.
    Comment: One commenter sought an exemption from the accounting 
requirement for disclosures to adult protective services when referrals 
are made for abuse, neglect, or domestic violence victims. For the same 
reasons that the Rule permits waiver of notification to the victim at 
the time of the referral based on considerations of the victim's 
safety, the regulation should not make such disclosures known after the 
fact through the accounting requirement.
    Response: The Department appreciates the concerns expressed by the 
commenter for the safety and welfare of the victims of abuse, neglect, 
or domestic violence. In recognition of these concerns, the Department 
does give the covered entity discretion in notifying the victim and/or 
the individual's personal representative at the time of the disclosure. 
These concerns become more attenuated in the context of an accounting 
for disclosures, which must be requested by the individual and for 
which the covered entity has a longer timeframe to respond. Concern for 
the safety of victims of abuse or domestic violence should not result 
in stripping these individuals of the rights granted to others. If the 
individual is requesting the accounting, even after being warned of the 
potential dangers, the covered entity should honor that request. 
However, if the request is by the individual's personal representative 
and the covered entity has a reasonable belief that such person is the 
abuser or that providing the accounting to such person could endanger 
the individual, the covered entity continues to have the discretion in 
Sec. 164.502(g)(5) to decline such a request.
    Comment: One commenter suggested elimination of the accounting 
requirement in its entirety. The commenter argued that HIPAA does not 
require an accounting as the individual's right and the accounting does 
not provide any additional privacy protections to the individual's 
information.
    Response: The Department disagrees with the commenter. HIPAA 
authorized the Secretary to identify rights of the individual with 
respect to protected health information and how those rights should be 
exercised. In absence of regulation, HIPAA also authorized the 
Secretary to effectuate these rights by regulation. As stated in the 
preamble to the December 2000 Privacy Rule, the standard adopted by the 
Secretary that provides individuals with a right to an

[[Page 53247]]

accounting of disclosures, is consistent with well-established privacy 
principles in other law and with industry standards and ethical 
guidelines, such as the Federal Privacy Act (5 U.S.C. 552a), the July 
1977 Report of the Privacy Protection Study Commission, and NAIC Health 
Information Privacy Model Act. (See 65 FR 82739.)
    Comment: A few commenters requested that the accounting period be 
shortened from six years to two years or three years.
    Response: The Department selected six years as the time period for 
an accounting to be consistent with documentation retention 
requirements in the Rule. We note that the Rule exempts from the 
accounting disclosures made prior to the compliance date for Rule, or 
April 14, 2003. Therefore, it will not be until April 2009 that a full 
six year accounting period will occur. Also, the Rule permits 
individuals to request and the covered entity to provide for an 
accounting for less than full six year period. For example, an 
individual may be interested only in disclosures that occurred in the 
prior year or in a particular month. The Department will monitor the 
use of the accounting requirements after the compliance date and will 
evaluate the need for changes in the future if the six year period for 
the accounting proves to be unduly burdensome.
    Comment: Commenters requested clarification of the need to account 
for disclosures to business associates, noting that while the 
regulation states that disclosures to and by a business associate are 
subject to an accounting, most such disclosures are for health care 
operations for which no accounting is required.
    Response: The Department clarifies that the implementation 
specification in Sec. 164.528(b)(1), that expressly includes in the 
content of an accounting disclosures to or by a business associate, 
must be read in conjunction with the basic standard for an accounting 
for disclosures in Sec. 164.528(a). Indeed, the implementation 
specification expressly references the standard. Read together, the 
Rule does not require an accounting of any disclosure to or by a 
business associate that is for any exempt purpose, including 
disclosures for treatment, payment, and health care operations.
    Comment: One commenter wanted health care providers to be able to 
charge reasonable fees to cover the retrieval and preparation costs of 
an accounting for disclosures.
    Response: In granting individuals the right to an accounting, the 
Department had to balance the individual's right to know how and to 
whom protected health information is being disclosed and the financial 
and administrative burden on covered entities in responding to such 
requests. The balance struck by the Department with regard to cost was 
to grant the individual a right to an accounting once a year without 
charge. The covered entity may impose reasonable, cost-based fees for 
any subsequent requests during the one year period. The Department 
clarifies that the covered entity may recoup its reasonable retrieval 
and report preparation costs, as well as any mailing costs, incurred in 
responding to subsequent requests. The Rule requires that individuals 
be notified in advance of these fees and provided an opportunity to 
withdraw or amend its request for a subsequent accounting to avoid 
incurring excessive fees.
    Comment: One commenter wanted clarification of the covered entity's 
responsibility to account for the disclosures of others. For example, 
the commenter wanted to know if the covered entity was responsible only 
for its own disclosures or did it also need to account for disclosures 
by every person that may subsequently handle the information.
    Response: The Department clarifies in response to this comment that 
a covered entity is responsible to account to the individual for 
certain disclosures that it makes and for disclosures by its business 
associates. The covered entity is not responsible to account to the 
individual for any subsequent disclosures of the information by others 
that receive the information from the covered entity or its business 
associate.

J. Section 164.532--Transition Provisions

1. Research Transition
    December 2000 Privacy Rule. The December 2000 Privacy Rule at 
Sec. 164.532 contained different transition requirements for research 
being conducted with an individual's legal permission that included 
treatment, and for research being conducted with an individual's legal 
permission that did not include treatment. However, the Rule did not 
explicitly address transition provisions for research studies ongoing 
after the compliance date where the legal permission of the individual 
had not been sought.
    March 2002 NPRM. Several commenters found the transition provisions 
for research to be confusing, and further noted that December 2000 
Privacy Rule did not address research ongoing after the compliance date 
where the legal permission of the individual had not been sought. To 
address these concerns, the Department proposed several revisions to 
the Privacy Rule's transition provisions. In particular, the Department 
proposed that there be no distinction in the transition provisions 
between research that includes treatment and research that does not, 
and no distinction between the requirements for research conducted with 
a patient's legal permission and research conducted with an IRB-
approved waiver of a patient's informed consent. In sum, the NPRM 
proposed that covered entities be permitted to use or disclose 
protected health information created or received for a specific 
research study before the compliance date (if there was no agreed-to 
restriction in accordance with Sec. 164.522(a)), if the covered entity 
has obtained, prior to the compliance date, any one of the following: 
(1) An authorization or other express legal permission from an 
individual to use or disclose protected health information for the 
research study; (2) the informed consent of the individual to 
participate in the research study; or (3) a waiver, by an IRB of 
informed consent for the research study in accordance with the Common 
Rule or FDA's human subject protection regulations. However, even if 
the researcher obtained, from an IRB, a waiver of informed consent, an 
authorization would be required if informed consent is later obtained. 
This may occur if there is a temporary waiver of informed consent for 
emergency research under the Food and Drug Administration human subject 
protection regulations.
    Overview of Public Comments. The following discussion provides an 
overview of the public comment received on this proposal. Additional 
comments received on this issue are discussed below in the section 
entitled, ``Response to Other Public Comments.''
    Most commenters supported the proposed revisions to the Privacy 
Rule's transition provisions for research. However, a few commenters 
requested that the transition provisions be broadened to permit covered 
entities to rely on an express legal permission or informed consent 
approved by an IRB before the compliance date, even if the permission 
or consent had not been signed by the individual prior to the 
compliance date. Consequently, a researcher could use the same forms 
throughout their study, decreasing the chance of introducing error into 
the research through the use of multiple recruitment procedures, 
disruption to the research, and the burden for the IRBs and 
researchers. A few other

[[Page 53248]]

commenters suggested that covered entities be permitted to use and 
disclose protected health information with consent forms approved by an 
IRB prior to the compliance date until the next review by the IRB, as 
required by the Common Rule. They argued that this would result in all 
informed consent forms being in compliance with the Privacy Rule's 
authorization regulations within a one-year period, and it would avoid 
disruption to ongoing research, as well as a flood of consent form 
revision requests to the IRBs.
    Final Modifications. The Department agrees with the majority of 
comments that supported the modifications to the transition provisions, 
and has therefore adopted the research transition modifications as 
proposed in the NPRM. The Department disagrees with the comments that 
suggest broadening the transition provisions to permit covered entities 
to rely on an express legal permission or informed consent that had not 
been signed by the individual before the compliance date. The 
Department understands that this provision may disrupt some ongoing 
research; however, the recruitment periods for some studies may 
continue long after the compliance date, and it would be unreasonable 
to grandfather-in existing informed consent documents indefinitely. 
While the commenter's suggestion to only grandfather-in such informed 
consent documents until the next review by the IRB would address this 
concern, the Privacy Rule does not require initial or continuing IRB or 
Privacy Board review of authorization forms or informed consent 
documents. Therefore, the Department does not adopt this change to its 
proposal.
    However, the Department understands that some existing express 
legal permissions, informed consents, or IRB-approved waivers of 
informed consents are not study specific. Therefore, the final Rule 
permits covered entities to rely on an express legal permission, 
informed consent, or IRB-approved waiver of informed consent for future 
unspecified research, provided the legal permission, informed consent 
or IRB-approved waiver was obtained prior to the compliance date.

Response to Other Public Comments

    Comment: A commenter requested that the transition provision be 
narrowed by requiring research that received a waiver of informed 
consent from an IRB prior to the compliance date but that begins after 
the compliance date be re-evaluated under the Privacy Rule's waiver 
criteria.
    Response: The Department disagrees. Given that the Privacy Rule's 
waiver criteria for an individual's authorization generally are 
consistent with the same types of considerations currently applied to a 
waiver of an individual's informed consent, this suggestion would 
impose unnecessary burdens on researchers, IRBs, and Privacy Boards, 
with respect to the few research studies that would fall in this 
category.
2. Business Associates
    December 2000 Privacy Rule. The Privacy Rule at Sec. 164.502(e) 
permits a covered entity to disclose protected health information to a 
business associate who performs a function or activity on behalf of, or 
provides a service to, the covered entity that involves the creation, 
use, or disclosure of, protected health information, provided that the 
covered entity obtains satisfactory assurances that the business 
associate will appropriately safeguard the information. The Department 
recognizes that most covered entities do not perform or carry out all 
of their health care activities and functions by themselves, but rather 
use the services of, or receive assistance from, a variety of other 
persons or entities. Given this framework, the Department intended 
these provisions to allow such business relationships to continue while 
ensuring that identifiable health information created or shared in the 
course of the relationships was protected.
    The Privacy Rule requires that the satisfactory assurances obtained 
from the business associate be in the form of a written contract (or 
other written arrangement, as between governmental entities) between 
the covered entity and the business associate that contains the 
elements specified at Sec. 164.504(e). For example, the agreement must 
identify the uses and disclosures of protected health information the 
business associate is permitted or required to make, as well as require 
the business associate to put in place appropriate safeguards to 
protect against a use or disclosure not permitted by the contract or 
agreement.
    The Privacy Rule also provides that, where a covered entity knows 
of a material breach or violation by the business associate of the 
contract or agreement, the covered entity is required to take 
reasonable steps to cure the breach or end the violation, and if such 
steps are unsuccessful, to terminate the contract or arrangement. If 
termination of the contract or arrangement is not feasible, a covered 
entity is required to report the problem to the Secretary of HHS. A 
covered entity that violates the satisfactory assurances it provided as 
a business associate of another covered entity is in noncompliance with 
the Privacy Rule.
    The Privacy Rule's definition of ``business associate'' at 
Sec. 160.103 includes the types of functions or activities, and list of 
services, that make a person or entity who engages in them a business 
associate, if such activity or service involves protected health 
information. For example, a third party administrator (TPA) is a 
business associate of a health plan to the extent the TPA assists the 
health plan with claims processing or another covered function. 
Similarly, accounting services performed by an outside consultant give 
rise to a business associate relationship when provision of the service 
entails access to the protected health information held by a covered 
entity.
    The Privacy Rule excepts from the business associate standard 
certain uses or disclosures of protected health information. That is, 
in certain situations, a covered entity is not required to have a 
contract or other written agreement in place before disclosing 
protected health information to a business associate or allowing 
protected health information to be created by the business associate on 
its behalf. Specifically, the standard does not apply to: disclosures 
by a covered entity to a health care provider for treatment purposes; 
disclosures to the plan sponsor by a group health plan, or a health 
insurance issuer or HMO with respect to a group health plan, to the 
extent that the requirements of Sec. 164.504(f) apply and are met; or 
to the collection and sharing of protected health information by a 
health plan that is a public benefits program and an agency other than 
the agency administering the health plan, where the other agency 
collects protected health information for, or determines eligibility or 
enrollment with respect to, the government program, and where such 
activity is authorized by law. See Sec. 164.502(e)(1)(ii).
    March 2002 NPRM. The Department heard concerns from many covered 
entities and others about the business associate provisions of the 
Privacy Rule. The majority expressed some concern over the anticipated 
administrative burden and cost to implement the business associate 
provisions. Some stated that many covered entities have existing 
contracts that are not set to terminate or expire until after the 
compliance date of the Privacy Rule. Others expressed specific concern 
that the two-year compliance period does not provide enough time to 
reopen and renegotiate what could be hundreds or more contracts for 
large covered entities. These entities went on to urge the

[[Page 53249]]

Department to grandfather in existing contracts until such contracts 
come up for renewal instead of requiring that all contracts be in 
compliance with the business associate provisions by the compliance 
date of the Privacy Rule.
    In response to these concerns, the Department proposed to relieve 
some of the burden on covered entities in complying with the business 
associate provisions by both adding a transition provision to 
grandfather certain existing contracts for a specified period of time, 
as well as publishing sample contract language in the proposed Rule. 
The following discussion addresses the issue of the business associate 
transition provisions. A discussion of the business associate sample 
contract language is included in Part X of the preamble.
    The Department proposed new transition provisions at 
Sec. 164.532(d) and (e) to allow covered entities, other than small 
health plans, to continue to operate under certain existing contracts 
with business associates for up to one year beyond the April 14, 2003, 
compliance date of the Privacy Rule. The additional transition period 
would be available to a covered entity, other than a small health plan, 
if, prior to the effective date of the transition provision, the 
covered entity had an existing contract or other written arrangement 
with a business associate, and such contract or arrangement was not 
renewed or modified between the effective date of this provision and 
the Privacy Rule's compliance date of April 14, 2003. The proposed 
provisions were intended to allow those covered entities with contracts 
that qualified as described above to continue to disclose protected 
health information to the business associate, or allow the business 
associate to create or receive protected health information on its 
behalf, for up to one year beyond the Privacy Rule's compliance date, 
regardless of whether the contract meets the applicable contract 
requirements in the Privacy Rule. The Department proposed to deem such 
contracts to be compliant with the Privacy Rule until either the 
covered entity had renewed or modified the contract following the 
compliance date of the Privacy Rule (April 14, 2003), or April 14, 
2004, whichever was sooner. In cases where a contract simply renewed 
automatically without any change in terms or other action by the 
parties (also known as ``evergreen contracts''), the Department 
intended that such evergreen contracts would be eligible for the 
extension and that deemed compliance would not terminate when these 
contracts automatically rolled over.
    These transition provisions would apply to covered entities only 
with respect to written contracts or other written arrangements as 
specified above, and not to oral contracts or other arrangements. In 
addition, the proposed transition provisions would not apply to small 
health plans, as defined in the Privacy Rule. Small health plans would 
be required to have all business associate contracts be in compliance 
with the Privacy Rule's applicable provisions, by the compliance 
deadline of April 14, 2004, for such covered entities.
    In proposed Sec. 164.532(e)(2), the Department provided that the 
new transition provisions would not relieve a covered entity of its 
responsibilities with respect to making protected health information 
available to the Secretary, including information held by a business 
associate, as necessary for the Secretary to determine compliance. 
Similarly, these provisions would not relieve a covered entity of its 
responsibilities with respect to an individual's rights to access or 
amend his or her protected health information held by a business 
associate, or receive an accounting of disclosures by a business 
associate, as provided for by the Privacy Rule's requirements at 
Secs. 164.524, 164.526, and 164.528. Covered entities still would be 
required to fulfill individuals' rights with respect to their protected 
health information, including information held by a business associate 
of the covered entity. Covered entities would have to ensure, in 
whatever manner effective, the appropriate cooperation by their 
business associates in meeting these requirements.
    The Department did not propose modifications to the standards and 
implementation specifications that apply to business associate 
relationships as set forth at Secs. 164.502(e) and 164.504(e), 
respectively, of the Privacy Rule.
    Overview of Public Comments. The following discussion provides an 
overview of the public comment received on this proposal. Additional 
comments received on this issue are discussed below in the section 
entitled, ``Response to Other Public Comments.''
    Most commenters on this issue expressed general support for a 
transition period for business associate contracts. Of these 
commenters, however, many requested that the Department modify the 
proposal in a number of different ways. For example, a number of 
commenters urged the Department to modify which contracts qualify for 
the transition period, such as by making the transition period 
available to contracts existing as of the compliance date of the 
Privacy Rule, rather than as of the effective date of the transition 
modification. Others requested that the Department apply the transition 
period to all business associate arrangements, even those arrangements 
for which there was no existing written contract.
    Some commenters urged the Department to modify the end date of the 
transition period. A few of these commenters requested that the 
transition period apply to existing business associate contracts until 
they expired or were renewed, with no specified end date in the 
regulation. It was also suggested that the Department simply provide 
one extra year, until April 14, 2004, for compliance with the business 
associate contract provisions, without the provision that a renewal or 
modification of the contract would trigger an earlier transition period 
end date. A few commenters requested further guidance as to the types 
of actions the Department would or would not consider to be a ``renewal 
or modification'' of the contract.
    Additionally, numerous commenters requested that the Department 
further clarify a covered entity's responsibilities with regard to 
their business associates during the transition period. Commenters 
expressed concerns with the proposal's requirement that the transition 
provisions would not have relieved a covered entity of its 
responsibilities with respect to an individual's rights to access or 
amend his or her protected health information held by business 
associates, or receive an accounting of disclosures by a business 
associate. Similarly, commenters raised concerns that the transition 
provisions would not have relieved a covered entity of its 
responsibilities to make information available to the Secretary, 
including information held by a business associate, as necessary for 
the Secretary to determine compliance. Commenters also expressed 
concerns about the fact that it appeared that covered entities still 
would have been required to obtain satisfactory assurances from a 
business associate that protected health information not be used 
improperly by the business associate, or that the covered entity still 
would have been required to mitigate any known harmful effects of a 
business associate's improper use or disclosure of protected health 
information during the transition period. It was stated that 
cooperation by a business associate with respect to the covered 
entity's obligations under the Rule would be difficult, if not

[[Page 53250]]

impossible, to secure without a formal agreement.
    A few commenters opposed the proposal, one of whom raised concerns 
that the proposed transition period would encourage covered entities to 
enter into ``stop gap'' contracts instead of compliant business 
associate contracts. This commenter urged that the Department maintain 
the original compliance date for business associate contracts.
    Final Modifications. In the final Rule, the Department adopts the 
transition period for certain business associate contracts as proposed 
in the NPRM. The final Rule's transition provisions at Sec. 164.532(d) 
and (e) permit covered entities, other than small health plans, to 
continue to operate under certain existing contracts with business 
associates for up to one year beyond the April 14, 2003, compliance 
date of the Privacy Rule. The transition period is available to covered 
entities who have an existing contract (or other written arrangement) 
with a business associate prior to the effective date of this 
modification, provided that the contract is not renewed or modified 
prior to the April 14, 2003, compliance date of the Privacy Rule. (See 
the ``Dates'' section above for the effective date of this 
modification.) Covered entities with contracts that qualify are 
permitted to continue to operate under those contracts with their 
business associates until April 14, 2004, or until the contract is 
renewed or modified, whichever is sooner. During the transition period, 
such contracts are deemed to be compliant with the Privacy Rule 
regardless of whether the contract meets the Rule's applicable contract 
requirements at Secs. 164.502(e) and 164.504(e).
    The transition provisions are intended to address the concerns of 
covered entities that the two-year period between the effective date 
and compliance date of the Privacy Rule is insufficient to reopen and 
renegotiate all existing contracts for the purposes of bringing them 
into compliance with the Rule. These provisions also provide covered 
entities with added flexibility to incorporate the business associate 
contract requirements at the time they would otherwise modify or renew 
the existing contract.
    Given the intended purpose of these provisions, the Department is 
not persuaded by the comments that it is necessary to modify the 
provision to make the transition period available to those contracts 
existing prior to the Rule's compliance date of April 14, 2003, rather 
than the effective date of the modification, or, even less so, to any 
business associate arrangement regardless of whether a written contract 
currently exists.
    A covered entity that does not have a written contract with a 
business associate prior to the effective date of this modification 
does not encounter the same burdens described by other commenters 
associated with having to reopen and renegotiate many existing 
contracts at once. The Department believes that such a covered entity 
should be able to enter into a compliant business associate contract by 
the compliance date of the Rule. Further, those covered entities whose 
business associate contracts come up for renewal or modification prior 
to the compliance date have the opportunity to bring such contracts 
into compliance by April 14, 2003. Thus, a covered entity that enters 
into a business associate contract after the effective date of this 
modification, or that has a contract that is renewed or modified prior 
to the compliance date of the Rule, is not eligible for the transition 
period and is required to have a business associate contract in place 
that meets the applicable requirements of Secs. 164.502(e) and 
164.504(e) by the Privacy Rule's compliance date of April 14, 2003. 
Further, as in the proposed Rule, the transition provisions apply only 
to written contracts or other written arrangements. Oral contracts or 
other arrangements are not eligible for the transition period. The 
Department clarifies, however, that nothing in these provisions 
requires a covered entity to come into compliance with the business 
associate contract provisions prior to April 14, 2003.
    Similarly, in response to those commenters who requested that the 
Department permit existing contracts to be transitioned until April 14, 
2004, regardless of whether such contracts are renewed or modified 
prior to that date, the Department considers a renewal or modification 
of the contract to be an appropriate, less burdensome opportunity to 
bring such contracts into compliance with the Privacy Rule. The 
Department, therefore, does not modify the proposal in such a way. 
Further, in response to commenters who requested that the Rule 
grandfather in existing business associate contracts until they expire 
or are renewed, with no specified end date in the regulation, the 
Department believes that limiting the transition period to one year 
beyond the Rule's compliance date is the proper balance between 
individuals' privacy interests and alleviating burden on the covered 
entity. All existing business associate contracts must be compliant 
with the Rule's business associate contract provisions by April 14, 
2004.
    As in the proposal, evergreen or other contracts that renew 
automatically without any change in terms or other action by the 
parties and that exist by the effective date of this modification are 
eligible for the transition period. The automatic renewal of such 
contracts itself does not terminate qualification for, or deemed 
compliance during, the transition period. Renewal or modification for 
the purposes of these transition provisions requires action by the 
parties involved. For example, the Department does not consider an 
automatic inflation adjustment to the price of a contract to be a 
renewal or modification for purposes of these provisions. Such an 
adjustment will not trigger the end of the transition period, nor make 
the contract ineligible for the transition period if the adjustment 
occurs before the compliance date of the Rule.
    The transition provisions do not apply to ``small health plans,'' 
as defined at Sec. 160.103. Small health plans are required to have 
business associate contracts that are compliant with Secs. 164.502(e) 
and 164.504(e) by the April 14, 2004, compliance date for such 
entities. As explained in the proposal, the Department believes that 
the additional year provided by the statute for these entities to 
comply with the Privacy Rule provides sufficient time for compliance 
with the Rule's business associate provisions. In addition, the sample 
contract provisions provided in the Appendix to the preamble will 
assist small health plans and other covered entities in their 
implementation of the Privacy Rule's business associate provisions by 
April 14, 2004.
    Like the proposal, the final Rule at Sec. 164.532(e)(2) provides 
that, during the transition period, covered entities are not relieved 
of their responsibilities to make information available to the 
Secretary, including information held by a business associate, as 
necessary for the Secretary to determine compliance by the covered 
entity. Similarly, the transition period does not relieve a covered 
entity of its responsibilities with respect to an individual's rights 
to access or amend his or her protected health information held by a 
business associate, or receive an accounting of disclosures by a 
business associate, as provided for by the Privacy Rule's requirements 
at Secs. 164.524, 164.526, and 164.528. In addition, unlike the 
proposed Rule, the final Rule at Sec. 164.532(e)(3) explicitly provides 
that with respect to those business associate contracts that qualify 
for the transition period as described above, a covered entity is not 
relieved of its obligation

[[Page 53251]]

under Sec. 164.530(f) to mitigate, to the extent practicable, any 
harmful effect that is known to the covered entity of a use or 
disclosure of protected health information by its business associate in 
violation of the covered entity's policies and procedures or the 
requirements of this subpart, as required by Sec. 164.530(f).
    The Department does not believe that a covered entity should be 
relieved during the transition period of its responsibilities with 
respect to cooperating with the Secretary or fulfilling an individual's 
rights with respect to protected health information held by the 
business associate, or mitigating any harmful effects of an 
inappropriate use or disclosure by the business associate. The 
transition period is intended to alleviate some of the burden on 
covered entities, but not at the expense of individuals' privacy 
rights. Eliminating these privacy protections and rights would severely 
weaken the Rule with respect to those covered entities with contracts 
that qualify for the transition period.
    Further, the Rule provides covered entities some discretion in 
implementing these requirements with respect to their business 
associates. For example, a covered entity does not need to provide an 
individual with access to protected health information held by a 
business associate if the only information the business associate holds 
is a duplicate of what the covered entity maintains and to which it has 
provided the individual access. Covered entities are required to 
ensure, in whatever manner deemed effective by the covered entity, the 
appropriate cooperation by their business associates in meeting these 
requirements.
    In response to other concerns from commenters, the Department 
clarifies that a covered entity is not required to obtain satisfactory 
assurances (in any form), as required by Sec. 164.502(e)(1), from a 
business associate to which the transition period applies. The 
transition period effectively deems such qualified contracts to fulfill 
the requirement for satisfactory assurances from the business 
associate.
    The Department is aware that the transition provisions may 
encourage some covered entities to enter into contracts before the 
effective date of the modification solely to take advantage of the 
transition period, rather than encourage such entities to execute fully 
compliant business associate contracts. However, the Department 
believes that the provision appropriately limits the potential for such 
misuse by requiring that qualified contracts exist prior to the 
modification effective date rather than the Privacy Rule's compliance 
date. Further, the transition provisions do not relieve the covered 
entity of its obligations with respect to protected health information 
held by the business associate and, therefore, ensures that an 
individual's rights, as provided for by the Rule, remain intact during 
the transition period.

Response to Other Public Comments

    Comment: One commenter requested that the transition period also be 
applied to the requirement that a group health plan amend plan 
documents pursuant to Sec. 164.504(f) before protected health 
information may be disclosed to the plan sponsor.
    Response: The Department does not make such a modification. The 
intent of the business associate transition provisions is to alleviate 
burden on those covered entities with many existing contracts, where as 
a result, the two-year period between the effective date and compliance 
date of the Privacy Rule may be insufficient to reopen and renegotiate 
all such contracts for the purposes of bringing them into compliance 
with the Rule. The Privacy Rule does not require a business associate 
contract for disclosure of protected health information from a group 
health plan to a plan sponsor. Rather, the Rule permits a group health 
plan to disclose protected health information to a plan sponsor if, 
among other requirements, the plan documents are amended to 
appropriately reflect and restrict the plan sponsor's uses and 
disclosures of such information. As the group health plan should only 
have one set of plan documents that must be amended, the same burdens 
described above do not exist with respect to this activity. Thus, the 
Department expects that group health plans will be able to modify plan 
documents in accordance with the Rule by the Rule's compliance date.
    Comment: Many commenters continued to recommend various 
modifications to the business associate standard, unrelated to the 
proposed modifications. For example, some commenters urged that the 
Department eliminate the business associate requirements entirely. 
Several commenters urged that the Department exempt covered entities 
from having to enter into contracts with business associates who are 
also covered entities under the Privacy Rule. Alternatively, one 
commenter suggested that the Department simplify the requirements by 
requiring a covered entity that is a business associate to specify in 
writing the uses and disclosures the covered entity is permitted to 
make as a business associate.
    Other commenters requested that the Department allow business 
associates to self-certify or be certified by a third party or HHS as 
compliant with the Privacy Rule, as an alternative to the business 
associate contract requirement.
    Certain commenters urged the Department to modify the Rule to 
eliminate the need for a contract with accreditation organizations. 
Some commenters suggested that the Department do so by reclassifying 
private accreditation organizations acting under authority from a 
government agency as health oversight organizations, rather than as 
business associates.
    Response: The proposed modifications regarding business associates 
were intended to address the concerns of commenters with respect to 
having insufficient time to reopen and renegotiate what could be 
thousands of contracts for some covered entities by the compliance date 
of the Privacy Rule. The proposed modifications did not address changes 
to the definition of, or requirements for, business associates 
generally. The Department has, in previous guidance, as well as in the 
preamble to the December 2000 Privacy Rule, explained its position with 
respect to most of the above concerns. However, the Department 
summarizes its position in response to such comments briefly below.
    The Department recognizes that most covered entities acquire the 
services of a variety of other persons or entities to assist in 
carrying covered entities' health care activities. The business 
associate provisions are necessary to ensure that individually 
identifiable health information created or shared in the course of 
these relationships is protected. Further, without the business 
associate provisions, covered entities would be able to circumvent the 
requirements of the Privacy Rule simply by contracting out certain of 
its functions.
    With respect to a contract between a covered entity and a business 
associate who is also a covered entity, the Department restates its 
position that a covered entity that is a business associate should be 
restricted from using or disclosing the protected health information it 
creates or receives as a business associate for any purposes other than 
those explicitly provided for in its contract. Further, to modify the 
provisions to require or permit a type of written assurance, other than 
a contract, by a covered entity would add unnecessary complexity to the 
Rule.
    Additionally, the Department at this time does not believe that a 
business associate certification process would

[[Page 53252]]

provide the same kind of protections and guarantees with respect to a 
business associate's actions that are available to a covered entity 
through a contract under State law. With respect to certification by a 
third party, it is unclear whether such a process would allow for any 
meaningful enforcement (such as termination of a contract) for the 
actions of a business associate. Further, the Department could not 
require that a business associate be certified by a third party. Thus, 
the Privacy Rule still would have to allow for a contract between a 
covered entity and a business associate.
    The Privacy Rule explicitly defines organizations that accredit 
covered entities as business associates. See the definition of 
``business associate'' at Sec. 160.103. The Department defined such 
organizations as business associates because, like other business 
associates, they provide a service to the covered entity during which 
much protected health information is shared. The Privacy Rule treats 
all organizations that provide accreditation services to covered 
entities alike. The Department has not been persuaded by the comments 
that those accreditation organizations acting under grant of authority 
from a government agency should be treated differently under the Rule 
and relieved of the conditions placed on other such relationships. 
However, the Department understands concerns regarding the burdens 
associated with the business associate contract requirements. The 
Department clarifies that the business associate provisions may be 
satisfied by standard or model contract forms which could require 
little or no modification for each covered entity. As an alternative to 
the business associate contract, these final modifications permit a 
covered entity to disclose a limited data set of protected health 
information, not including direct identifiers, for accreditation and 
other health care operations purposes subject to a data use agreement. 
See Sec. 164.514(e).
    Comment: A number of commenters continued to express concern over a 
covered entity's perceived liability with respect to the actions of its 
business associate. Some commenters requested further clarification 
that a covered entity is not responsible for or required to monitor the 
actions of its business associates. It also was suggested that such 
language expressly be included in the Rule's regulatory text. One 
commenter recommended that the Rule provide that business associates 
are directly liable for their own failure to comply with the Privacy 
Rule. Another commenter urged that the Department eliminate a covered 
entity's obligation to mitigate any harmful effects caused by a 
business associate's improper use or disclosure of protected health 
information.
    Response: The Privacy Rule does not require a covered entity to 
actively monitor the actions of its business associates nor is the 
covered entity responsible or liable for the actions of its business 
associates. Rather, the Rule only requires that, where a covered entity 
knows of a pattern of activity or practice that constitutes a material 
breach or violation of the business associate's obligations under the 
contract, the covered entity take steps to cure the breach or end the 
violation. See Sec. 164.504(e)(1). The Department does not believe a 
regulatory modification is necessary in this area. The Department does 
not have the statutory authority to hold business associates, that are 
not also covered entities, liable under the Privacy Rule.
    With respect to mitigation, the Department does not accept the 
commenter's suggestion. When protected health information is used or 
disclosed inappropriately, the harm to the individual is the same, 
regardless of whether the violation was caused by the covered entity or 
a by business associate. Further, this provision is not an absolute 
standard intended to require active monitoring of the business 
associate or mitigation of all harm caused by the business associate. 
Rather, the provision applies only if the covered entity has actual 
knowledge of the harm, and requires mitigation only ``to the extent 
practicable'' by the covered entity. See Sec. 164.530(f).
    Comment: Several commenters asked the Department to provide 
additional clarification as to who is and is not a business associate 
for purposes of the Rule. For example, commenters questioned whether 
researchers were business associates. Other commenters requested 
further clarification as to when a health care provider would be the 
business associate of another health care provider. One commenter asked 
the Department to clarify whether covered entities that engage in joint 
activities under an organized health care arrangement (OHCA) are 
required to have a business associate contract. Several commenters 
asked the Department to clarify that a business associate agreement is 
not required with organizations or persons where contact with protected 
health information would result inadvertently (if at all), for example, 
janitorial services.
    Response: The Department provides the following guidance in 
response to commenters. Disclosures from a covered entity to a 
researcher for research purposes as permitted by the Rule do not 
require a business associate contract. This remains true even in those 
instances where the covered entity has hired the researcher to perform 
research on the covered entity's own behalf because research is not a 
covered function or activity. However, the Rule does not prohibit a 
covered entity from entering into a business associate contract with a 
researcher if the covered entity wishes to do so. Notwithstanding the 
above, a covered entity must enter into a data use agreement, as 
required by Sec. 164.514(e), prior to disclosing a limited data set for 
research purposes to a researcher.
    With respect to business associate contracts between health care 
providers, the Privacy Rule explicitly excepts from the business 
associate requirements disclosures by a covered entity to a health care 
provider for treatment purposes. See Sec. 164.502(e)(1). Therefore, any 
covered health care provider (or other covered entity) may share 
protected health information with a health care provider for treatment 
purposes without a business associate contract. The Department does not 
intend the Rule to interfere with the sharing of information among 
health care providers for treatment. However, this exception does not 
preclude one health care provider from establishing a business 
associate relationship with another health care provider for some other 
purpose. For example, a hospital may enlist the services of another 
health care provider to assist in the hospital's training of medical 
students. In this case, a business associate contract would be required 
before the hospital could allow the health care provider access to 
patient health information.
    As to disclosures among covered entities who participate in an 
organized health care arrangement, the Department clarifies that no 
business associate contract is needed to the extent the disclosure 
relates to the joint activities of the OHCA.
    The Department also clarifies that a business associate contract is 
not required with persons or organizations whose functions, activities, 
or services do not involve the use or disclosure of protected health 
information, and where any access to protected health information by 
such persons would be de minimus, if at all. For example, a health care 
provider is not required to enter into a business associate contract 
with its janitorial service because the performance of such service 
does not involve the use or disclosure of protected health information. 
In this case, where a janitor has contact with

[[Page 53253]]

protected health information incidentally, such disclosure is 
permissible under Sec. 164.502(a)(1)(iii) provided reasonable 
safeguards are in place.
    The Department is aware that similar questions still remain with 
respect to the business associate provisions of the Privacy Rule and 
intends to provide technical assistance and further clarifications as 
necessary to address these questions.
    Comment: A few commenters urged that the Department modify the 
Privacy Rule's requirement for a covered entity to take reasonable 
steps to cure a breach or end a violation of its business associate 
contract by a business associate. One commenter recommended that the 
requirement be modified instead to require a covered entity who has 
knowledge of a breach to ask its business associate to cure the breach 
or end the violation. Another commenter argued that a covered entity 
only should be required to take reasonable steps to cure a breach or 
end a violation if the business associate or a patient reports to the 
privacy officer or other responsible employee of the covered entity 
that a misuse of protected health information has occurred.
    Response: It is expected that a covered entity with evidence of a 
violation will ask its business associate, where appropriate, to cure 
the breach or end the violation. Further, the Department intends that 
whether a covered entity ``knew'' of a pattern or practice of the 
business associate in breach or violation of the contract will be 
consistent with common principles of law that dictate when knowledge 
can be attributed to a corporate entity. Regardless, a covered entity's 
training of its workforce, as required by Sec. 164.530(b), should 
address the recognition and reporting of violations to the appropriate 
responsible persons with the entity.
    Comment: Several commenters requested clarification as to whether a 
business associate is required to provide individuals with access to 
their protected health information as provided by Sec. 164.524 or an 
accounting of disclosures as provided by Sec. 164.528, or amend 
protected health information as required by Sec. 164.526. Some 
commenters wanted clarification that the access and amendment 
provisions apply to the business associate only if the business 
associate maintains the original designated record set of the protected 
health information.
    Response: Under the Rule, the covered entity is responsible for 
fulfilling all of an individual's rights, including the rights of 
access, amendment, and accounting, as provided for by Secs. 164.524, 
164.526, and 164.528. With limited exceptions, a covered entity is 
required to provide an individual access to his or her protected health 
information in a designated record set. This includes information in a 
designated record set of a business associate, unless the information 
held by the business associate merely duplicates the information 
maintained by the covered entity. However, the Privacy Rule does not 
prevent the parties from agreeing through the business associate 
contract that the business associate will provide access to 
individuals, as may be appropriate where the business associate is the 
only holder of the, or part of the, designated record set.
    As governed by Sec. 164.526, a covered entity must amend protected 
health information about an individual in a designated record set, 
including any designated record sets (or copies thereof) held by a 
business associate. Therefore, the Rule requires covered entities to 
specify in the business associate contract that the business associate 
will make protected health information available for amendment and will 
incorporate amendments accordingly. The covered entity itself is 
responsible for addressing requests from individuals for amendment and 
coordinating such requests with its business associate. However, the 
Privacy Rule also does not prevent the parties from agreeing through 
the contract that the business associate will receive and address 
requests for amendment on behalf of the covered entity.
    With respect to accounting, Sec. 164.528 requires a covered entity 
to provide an accounting of certain disclosures, including certain 
disclosures by its business associate, to the individual upon request. 
The business associate contract must provide that the business 
associate will make such information available to the covered entity in 
order for the covered entity to fulfill its obligation to the 
individual. As with access and amendment, the parties can agree through 
the business associate contract that the business associate will 
provide the accounting to individuals, as may be appropriate given the 
protected health information held by, and the functions of, the 
business associate.
    Comment: One commenter asked whether a business associate agreement 
in electronic form, with an electronic signature, would satisfy the 
Privacy Rule's business associate requirements.
    Response: The Privacy Rule generally allows for electronic 
documents to qualify as written documents for purposes of meeting the 
Rule's requirements. This also applies with respect to business 
associate agreements. However, currently, no standards exist under 
HIPAA for electronic signatures. Thus, in the absence of specific 
standards, covered entities should ensure any electronic signature used 
will result in a legally binding contract under applicable State or 
other law.
    Comment: Certain commenters raised concerns with the Rule's 
classification of attorneys as business associates. A few of these 
commenters urged the Department to clarify that the Rule's requirement 
at Sec. 164.504(e)(2)(ii)(H), which requires a contract to state the 
business associate must make information relating to the use or 
disclosure of protected health information available to the Secretary 
for purposes of determining the covered entity's compliance with the 
Rule, not apply to protected health information in possession of a 
covered entity's lawyer. Commenters argued that such a requirement 
threatens to impact attorney-client privilege. Others expressed concern 
over the requirement that the attorney, as a business associate, must 
return or destroy protected health information at termination of the 
contract. It was argued that such a requirement is inconsistent with 
many current obligations of legal counsel and is neither warranted nor 
useful.
    Response: The Department does not modify the Rule in this regard. 
The Privacy Rule is not intended to interfere with attorney-client 
privilege. Nor does the Department anticipate that it will be necessary 
for the Secretary to have access to privileged material in order to 
resolve a complaint or investigate a violation of the Privacy Rule. 
However, the Department does not believe that it is appropriate to 
exempt attorneys from the business associate requirements.
    With respect to the requirement for the return or destruction of 
protected health information, the Rule requires the return or 
destruction of all protected health information at termination of the 
contract only where feasible or permitted by law. Where such action is 
not feasible, the contract must state that the information will remain 
protected after the contract ends for as long as the information is 
maintained by the business associate, and that further uses and 
disclosures of the information will be limited to those purposes that 
make the return or destruction infeasible.
    Comment: One commenter was concerned that the business associate 
provisions regarding the return or

[[Page 53254]]

destruction of protected health information upon termination of the 
business associate agreement conflict with various provisions of the 
Bank Secrecy Act, which require financial institutions to retain 
certain records for up to five years. The commenter further noted that 
there are many State banking regulations that require financial 
institutions to retain certain records for up to ten years. The 
commenter recommended that the Department clarify, in instances of 
conflict with the Privacy Rule, that financial institutions comply with 
Federal and State banking regulations.
    Response: The Department does not believe there is a conflict 
between the Privacy Rule and the Bank Secrecy Act retention 
requirements or that the Privacy Rule would prevent a financial 
institution that is a business associate of a covered entity from 
complying with the Bank Secrecy Act. The Privacy Rule generally 
requires a business associate contract to provide that the business 
associate will return or destroy protected health information upon the 
termination of the contract; however, it does not require this if the 
return or destruction of protected health information is infeasible. 
Return or destruction would be considered ``infeasible'' if other law, 
such as the Bank Secrecy Act, requires the business associate to retain 
protected health information for a period of time beyond the 
termination of the business associate contract. The Privacy Rule would 
require that the business associate contract extend the protections of 
the contract and limit further uses and disclosures to those purposes 
that make the return or destruction of the information infeasible. In 
this case, the business associate would have to limit the use or 
disclosure of the protected health information to purposes of the Bank 
Secrecy Act or State banking regulations.
    Comment: A commenter requested clarification concerning the 
economic impact on business associates of the cost-based copying fees 
allowed to be charged to individuals who request a copy of their 
medical record under the right of access provided by the Privacy Rule. 
See Sec. 164.524. According to the commenter, many hospitals and other 
covered entities currently outsource their records reproduction 
function for fees that often include administrative costs over and 
above the costs of copying. In some cases, the fees may be set in 
accordance with State law. The Privacy Rule, at Sec. 164.524(c)(4), 
however, permits only reasonable, cost-based copying fees to be charged 
to individuals seeking to obtain a copy of their medical record under 
their right of access. The commenter was concerned that others seeking 
copies of all or part of the medical record, such as payers, attorneys, 
or entities that have the individual's authorization, would try to 
claim the limited copying fees provided in Sec. 164.524(c)(4). The 
commenter asserted that such a result would drastically alter the 
economics of the outsourcing industry, driving outsourcing companies 
out of business, and raising costs for the health industry as a whole. 
A clarification that the fee structure in Sec. 164.524(c)(4) applies 
only to individuals exercising their right of access was sought.
    Response: The Department clarifies that the Rule, at 
Sec. 164.524(c)(4), limits only the fees that may be charged to 
individuals, or to their personal representatives in accordance with 
Sec. 164.502(g), when the request is to obtain a copy of protected 
health information about the individual in accordance with the right of 
access. The fee limitations in Sec. 164.524(c)(4) do not apply to any 
other permissible disclosures by the covered entity, including 
disclosures that are permitted for treatment, payment or health care 
operations, disclosures that are based on an individual's authorization 
that is valid under Sec. 164.508, or other disclosures permitted 
without the individual's authorization as specified in Sec. 164.512.
    The fee limitation in Sec. 164.524(c)(4) is intended to assure that 
the right of access provided by the Privacy Rule is available to all 
individuals, and not just to those who can afford to do so. Based on 
the clarification provided, the Department does not anticipate that 
this provision will cause any significant disruption in the way that 
covered entities do business today. To the extent hospitals and other 
entities outsource this function because it is less expensive than 
doing it themselves, the fee limitation for individuals seeking access 
under Sec. 164.524 will affect only a portion of this business; and, in 
these cases, hospitals should still find it economical to outsource 
these activities, even if they can only pass on a portion of the costs 
to the individual.

K. Technical Corrections and Other Clarifications

1. Definition of ``Individually Identifiable Health Information''
    Part 160 contains the definitions that are relevant to all of the 
Administrative Simplification provisions at Parts 160 through 164. 
Although the term ``individually identifiable health information'' is 
relevant to Parts 160 through 164, it is defined in Sec. 164.501 of the 
Privacy Rule. To correct this technical error, the Department proposed 
to move the definition of individually identifiable health information 
from Sec. 164.501 to Sec. 160.103.
    The limited comment on this proposal supported moving the 
definition into Sec. 160.103, for the same reasons cited by the 
Department. Therefore, the Department in this final Rule deletes the 
definition of ``individually identifiable health information'' from 
Sec. 164.501 of the Privacy Rule, and adds the definition to 
Sec. 160.103.
2. Technical Corrections
    The Privacy Rule contained some technical and typographical errors. 
Therefore, the Department is making the following corrections:
    a. In Sec. 160.102(b), beginning in the second line, ``section 
201(a)(5) of the Health Insurance Portability Act of 1996, (Pub. L. 
104-191),'' is replaced with ``42 U.S.C. 1320a-7c(a)(5).''
    b. In Sec. 160.203(b), in the second line, ``health information'' 
is replaced with ``individually identifiable health information.''
    c. In Sec. 164.102, ``implementation standards'' is corrected to 
read ``implementation specifications.''
    d. In Sec. 164.501, in the definition of ``protected health 
information'', ``Family Educational Right and Privacy Act'' is 
corrected to read ``Family Educational Rights and Privacy Act.''
    e. In Sec. 164.508(b)(1)(ii), in the fifth line, the word ``be'' is 
deleted.
    f. In Sec. 164.508(b)(3)(iii), a comma is added after the words 
``psychotherapy notes.''
    g. In Sec. 164.510(b)(3), in the third line, the word ``for'' is 
deleted.
    h. In Sec. 164.512(b)(1)(v)(A), in the fourth line, the word ``a'' 
is deleted.
    i. In Sec. 164.512(b)(1)(v)(C), in the eighth line, the word 
``and'' is added after the semicolon.
    j. In Sec. 164.512(f)(3), paragraphs (ii) and (iii) are 
redesignated as (i) and (ii), respectively.
    k. In Sec. 164.512(g)(2), in the seventh line, the word ``to'' is 
added after the word ``directors.''
    l. In Sec. 164.512(i)(1)(iii)(A), in the second line, the word 
``is'' after the word ``sought'' is deleted.
    m. In Sec. 164.514(d)(5), the word ``discloses'' is corrected to 
read ``disclose.''
    n. In Sec. 164.520(c), in the introductory text, ``(c)(4)'' is 
corrected to read ``(c)(3).''
    o. In Sec. 164.522(a)(1)(v), in the sixth line, 
``Secs. 164.502(a)(2)(i)'' is corrected to read 
``Secs. 164.502(a)(2)(ii).''
    p. In Sec. 164.530(i)(4)(ii)(A), in the second line, ``the 
requirements'' is

[[Page 53255]]

replaced with the word ``specifications.''

IV. Final Regulatory Impact Analysis

    Federal law (5 U.S.C. 804(2), as added by section 251 of Pub. L. 
No. 104-21), specifies that a ``major rule'' is any rule that the 
Office of Management and Budget finds is likely to result in:
     An annual effect on the economy of $100 million or more;
     A major increase in costs or prices for consumers, 
individual industries, Federal, State, or local government agencies, or 
geographic regions; or
     Significant adverse effects in competition, employment, 
investment productivity, innovation, or on the ability of United States 
based enterprises to compete with foreign-based enterprises in domestic 
and export markets.
    The impact of the modifications adopted in this rulemaking will 
have an annual effect on the economy of at least $100 million. 
Therefore, this Rule is a major rule as defined in 5 U.S.C. 804(2).
    Executive Order 12866 directs agencies to assess all costs and 
benefits of available regulatory alternatives and, when regulation is 
necessary, to select regulatory approaches that maximize net benefits 
(including potential economic, environmental, public health and safety 
effects; distributive impacts; and equity). According to Executive 
Order 12866, a regulatory action is ``significant'' if it meets any one 
of a number of specified conditions, including having an annual effect 
on the economy of $100 million or more, adversely affecting in a 
material way a sector of the economy, competition, or jobs, or if it 
raises novel legal or policy issues. The purpose of the regulatory 
impact analysis is to assist decision-makers in understanding the 
potential ramifications of a regulation as it is being developed. The 
analysis is also intended to assist the public in understanding the 
general economic ramifications of the regulatory changes.
    The December 2000 preamble to the Privacy Rule included a 
regulatory impact analysis (RIA), which estimated the cost of the 
Privacy Rule at $17.6 billion over ten years. 65 FR 82462, 82758. The 
modifications to the Privacy Rule adopted by this rulemaking are a 
result of comment by the industry and the public at large identifying a 
number of unintended consequences of the Privacy Rule that could 
adversely affect access to, or the quality of, health care delivery. 
These modifications should facilitate implementation and compliance 
with the Privacy Rule, and lower the costs and burdens associated with 
the Privacy Rule while maintaining the confidentiality of protected 
health information. The Department estimates the impact of the 
modifications adopted in this rulemaking will be a net reduction of 
costs associated with the Privacy Rule of at least $100 million over 
ten years.
    The modifications affect five areas of the Privacy Rule that will 
have an economic impact: (1) consent; (2) notice; (3) marketing; (4) 
research; and (5) business associates. In addition, this rulemaking 
contains a number of changes that, though important, can be categorized 
as clarifications of intended policy. For example, the modifications 
permit certain uses and disclosures of protected health information 
that are incidental to an otherwise permitted use or disclosure. This 
change recognizes such practices as the need for physicians to talk to 
patients in semi-private hospital rooms or nurses to communicate with 
others in public areas, and avoids the costs covered entities might 
have incurred to reconfigure facilities as necessary to ensure absolute 
privacy for these common treatment-related communications. This and 
other modifications adopted in this rulemaking (other than those 
described below) clarify the intent of the standards in the Privacy 
Rule and, as such, do not change or alter the associated costs that 
were estimated for the Privacy Rule. Public comments have indicated 
that these provisions would be interpreted in a way that could 
significantly increase costs. However, because that was not the intent 
of the December 2000 Privacy Rule, the Department is not ascribing cost 
savings to the clarification of these provisions.

A. Summary of Costs and Benefits in the December 2000 Regulatory Impact 
Statement

    The Privacy Rule was estimated to produce net costs of $17.6 
billion, with net present value costs of $11.8 billion (2003 dollars) 
over ten years (2003-2012). The Department estimates the modifications 
in this proposal would lower the net cost of the Privacy Rule by 
approximately $100 million over ten years.
    Measuring both the economic costs and benefits of health 
information privacy was recognized as a difficult task. The paucity of 
data and incomplete information on current industry privacy and 
information system practices made cost estimation a challenge. Benefits 
were difficult to measure because they are, for the most part, 
inherently intangible. Therefore, the regulatory impact analysis in the 
Privacy Rule focused on the key policy areas addressed by the privacy 
standards, some of which are affected by the modifications adopted in 
this rulemaking.

B. Proposed Modifications To Prevent Barriers to Access to or Quality 
of Health Care

    The modifications adopted in this rulemaking are intended to 
address the possible adverse effects of the final privacy standards on 
an individual's access to, or the quality of, health care. The 
modifications touch on five of the key policy areas addressed by the 
final regulatory impact analysis, including consent, research, 
marketing, notice, and business associates.
    The Department received few comments on this section of the March 
2002 proposal. Most of the comments on the cost implications of the 
modifications indicated a general belief that the costs would be higher 
than the Department estimated. None of commenters, however, provided 
sufficient specific information concerning costs to permit the 
Department to adjust its estimates. The public comment on each of the 
key policy areas is summarized in the following sections. However, the 
estimated cost impact of each area has not changed.
1. Consent
    Under the December 2000 Privacy Rule, a covered health care 
provider with a direct treatment relationship with an individual must 
have obtained the individual's prior written consent for use or 
disclosure of protected health information for treatment, payment, or 
health care operations, subject to a limited number of exceptions. 
Other covered health care providers and health plans may have obtained 
such a consent if they so chose. The initial cost of the consent 
requirement was estimated in December 2000 to be $42 million. Based on 
assumptions for growth in the number of patients, the total costs for 
ten years was estimated to be $103 million. See 65 FR 82771 (December 
28, 2000).\2\
---------------------------------------------------------------------------

    \2\ The total cost for consent in the regulatory impact analysis 
showed an initial cost of $166 million and $227 million over ten 
years. Included in these total numbers is the cost of tracking 
patient requests to restrict the disclosure of their health 
information. This right is not changed in these modifications. The 
numbers here represent the costs associated with the consent 
functions that are proposed to be repealed.
---------------------------------------------------------------------------

    The modifications eliminate the consent requirement. The consent 
requirement posed many difficulties for an individual's access to 
health care, and was problematic for operations essential for the 
quality of the health

[[Page 53256]]

care delivery system. However, any health care provider or health plan 
may choose to obtain an individual's consent for treatment, payment, 
and health care operations. The elimination of the consent requirement 
reduces the initial cost of the privacy standards by $42 million in the 
first year and by $103 million over ten years.
    As explained in detail in section III.D.1. above, the Department 
received many comments supporting the proposed elimination of the 
consent requirement on the ground that it created unintended barriers 
to timely provision of care, particularly with respect to use and 
disclosure of health information prior to a health care provider's 
first face-to-face contact with the individual. These and other 
barriers discussed above would have entailed costs not anticipated in 
the economic analyses in the Privacy Rule. These comments also revealed 
that the consent requirements create administrative burdens, for 
example, with respect to tracking the status and revocation of 
consents, that were not foreseen and thus not included in that economic 
analysis. Therefore, while the estimated costs of the consent 
provisions over a ten-year period were $103 million, the comments 
suggest that the costs would likely be much higher. If these comments 
are accurate, the cost savings associated with retracting the consent 
provisions would, therefore, also be significantly higher than $103 
million over a ten-year period.

Response to Public Comments

    Comment: As discussed in section III.H. above, many commenters 
expressed support for the proposed requirement that certain health care 
providers make a good faith effort to obtain a written acknowledgment 
of receipt of the notice, as a workable alternative to the Rule's prior 
consent requirement. Many of these commenters conveyed support for the 
flexibility of the requirement, and most commenters agreed that 
eliminating the consent requirement would mean considerable savings.
    Response: The Department received no public comment containing 
empirical, direct evidence on the estimates of financial impact that 
either supported or contradicted the Department's calculations. 
Therefore, our estimates remain unchanged.
    Comment: Many other commenters confused the net savings associated 
with the Administrative Simplification provisions with cost savings 
associated with the Privacy Rule, and relied on this misinformation to 
argue in favor of retaining the consent provisions for treatment, 
payment, and health care operations.
    Response: These commenters were essentially propounding a policy 
choice and not making a comment on the validity of the estimates for 
cost savings associated with the elimination of the consent 
requirement. The comments did not include any reliable estimation that 
would cause the Department to reevaluate its savings estimate.
2. Notice
    In eliminating the consent requirement, the Department preserves 
the opportunity for a covered health care provider with a direct 
treatment relationship with an individual to engage in a meaningful 
communication about the provider's privacy practices and the 
individual's rights by strengthening the notice requirements. Under the 
Privacy Rule, these health care providers are required to distribute to 
individuals their notice of privacy practices no later than the date of 
the first service delivery after the compliance date. The modifications 
do not change this distribution requirement, but add a new 
documentation requirement. A covered health care provider with a direct 
treatment relationship is required to make a good faith effort to 
obtain the individual's acknowledgment of receipt of the notice 
provided at the first service delivery. The form of the acknowledgment 
is not prescribed and can be as unintrusive as retaining a copy of the 
notice initialed by the individual. If the provider's good faith effort 
fails, documentation of the attempt is all that is required. Since the 
modification does not require any change in the form of the notice or 
its distribution, the ten-year cost estimate of $391 million for these 
areas in the Privacy Rule's impact analysis remains the same. See 65 FR 
82770.
    However, the additional effort by direct treatment providers in 
obtaining and documenting the individual's acknowledgment of receipt of 
the notice adds costs. This new requirement attaches only to the 
initial provision of notice by a direct treatment provider to an 
individual after the compliance date. Under the modification, providers 
have considerable flexibility on how to achieve this. Some providers 
could choose to obtain the required written acknowledgment on a 
separate piece of paper, while others could take different approaches, 
such as an initialed check-off sheet or a signature line on the notice 
itself with the provider keeping a copy.
    In its December 2000 analysis, the Department estimated that the 
consent cost would be $0.05 per page based on the fact that the consent 
had to be a stand alone document requiring a signature. This 
modification to the notice requirement provides greater flexibility 
and, therefore, greater opportunity to reduce costs compared to the 
consent requirement. Without knowing exactly how direct treatment 
providers will decide to exercise the flexibility provided, the 
Department cannot, with any precision, estimate the cost to implement 
this provision. In the NPRM, the Department estimated that the 
flexibility of the notice acknowledgment requirement would mean that 
the cost of the notice acknowledgment would be 20 percent less than the 
cost of the signed consent. The Department did not receive any comments 
on this estimate and, therefore, does not change it's estimate that the 
additional cost of the signature requirement, on average, is $0.03 per 
notice. Based on data obtained from the Medical Expenditure Panel 
Survey (MEPS), which estimate the number of patient visits in a year, 
the Department estimates that in the first year there would be 816 
million notices distributed to which the new good faith acknowledgment 
requirement will attach. Over the next nine years, the Department 
estimates, again based on MEPS data, that there would be 5.3 billion 
visits to health care providers by new patients (established patients 
will not need to receive another copy of the notice). At $0.03 per 
document, the first year cost will be $24 million and the total cost 
over ten years will be $184 million.

Response to Public Comments

    Comment: As discussed in section III.H. above, a number of other 
commenters expressed concern over the administrative and financial 
burden the requirement to obtain a good faith acknowledgment of the 
notice would impose.
    Response: The Department received no public comment containing 
empirical, direct evidence on the estimates of financial impact that 
either supported or contradicted the Department's calculations. 
Therefore, our estimates remain unchanged.
    Comment: One commenter requested that model language for the notice 
be developed as a means of reducing the costs associated with Privacy 
Rule compliance.
    Response: As stated in section III.H. above, in the final Rule, the 
Department sought to retain the maximum flexibility by requiring only 
that the acknowledgment be in writing and does not prescribe other 
details of the form

[[Page 53257]]

that the acknowledgment must take or the process for obtaining the 
acknowledgment. This permits covered health care providers the 
discretion to design the acknowledgment process as best suited to their 
practices, including the option of obtaining an electronic 
acknowledgment regardless of whether the notice is provided 
electronically or on paper. Furthermore, there is no change to the 
substance of the notice and the commenter provided no empirical, direct 
benefit/cost data in support of their proposal.
    Comment: The Department received comments expressing opposition to 
obtaining written acknowledgment of the receipt of the notice because 
it is too costly. Others commented that the acknowledgment increases 
the administrative burden as it would not replace a signed consent for 
uses and disclosures of health information when State law requires 
providers to obtain consent.
    Response: The Department received no public comment containing 
empirical, direct evidence on the estimates of financial impact that 
either supported or contradicted the Department's calculations. 
Therefore, our estimates remain unchanged.
    Comment: A number of commenters expressed concern over the 
perceived increase in liability that would arise from the discretionary 
standard of ``good faith'' efforts (i.e., risk of tort-based litigation 
for private right of action under State laws).
    Response: The Department received no estimate of the impact of this 
perceived risk of liability. As no empirical, direct evidence on the 
estimates of financial impact that either supported or contradicted the 
Department's calculations was supplied, our estimates remain unchanged.
3. Business Associates
    The Privacy Rule requires a covered entity to have a written 
contract, or other arrangement, that documents satisfactory assurances 
that a business associates will appropriately safeguard protected 
health information in order to disclose protected health information to 
the business associate. The regulatory impact analysis for the Privacy 
Rule provided cost estimates for two aspects of this requirement. In 
the Privacy Rule, $103 million in first-year costs was estimated for 
development of a standard business associate contract language. (There 
were additional costs associated with these requirements related to the 
technical implementation of new data transfer protocols, but these are 
not affected by the modification adopted here.) In addition, $197 
million in first-year costs and $697 million in total costs over ten 
years were estimated in the Privacy Rule for the review and oversight 
of existing business associate contracts.
    The modifications do not change the standards for business 
associate contracts or the implementation specifications with respect 
to the covered entity's responsibilities for managing the contracts. 
However, the Department includes sample business associate contract 
language as part of the preamble to this rulemaking. This sample 
language is only suggested language and is not a complete contract. The 
sample language is designed to be adapted to the business arrangement 
between the covered entity and the business associate and to be 
incorporated into a contract drafted by the parties. Certain provisions 
of the sample language have been revised, as described in more detail 
below, based on the public comment received on the proposal. The 
December 2000 regulatory impact analysis assumed the development of 
such standard language by trade and professional associations. While 
this has occurred to some degree, the Department received strong public 
comment supporting the for sample contract language. The Department 
expects that trade and professional associations will continue to 
provide assistance to their members. However, the sample contract 
language in this rulemaking will simplify their efforts by providing a 
base from which they can develop language. The Department had estimated 
$103 million in initial year costs for this activity based on the 
assumption it would require one hour per non-hospital provider and two 
hours for hospitals and health plans to develop contract language and 
to tailor the language to the particular needs of the covered entity. 
The additional time for hospitals and health plans reflected the 
likelihood that these covered entities would have a more extensive 
number of business associate relationships. Because there will be less 
effort expended than originally estimated in the Privacy Rule, the 
Department estimates a reduction in contract development time by one-
third because of the availability of the model language. Thus, the 
Department now estimates that this activity will take 40 minutes for 
non-hospital providers and 80 minutes for hospitals and health plans. 
The Department estimates that the savings from the proposed business 
associate contract language would be approximately $35 million in the 
first year. The changes being adopted to the sample contract language 
do not affect these cost estimates.
    The Department, in this rulemaking, also gives most covered 
entities additional time to conform written contracts to the privacy 
standards. Under the modification, a covered entity's written business 
associate contracts, existing at the time the modifications become 
effective, are deemed to comply with the privacy standards until such 
time as the contracts are renewed or modified, or until April 14, 2004, 
whichever is earlier. The effect of this proposal is to spread first-
year costs over an additional year, with a corresponding postponement 
of the costs estimated for the out years. However, the Department has 
no reliable information as to the number of contracts potentially 
affected by the modification or the average delay that will occur. 
Therefore, the Department is uncertain about the extent of the cost 
savings attributable to this modification.

Response to Public Comments

    Comment: While many commenters supported the business associate 
transition provisions as helpful to reducing the administrative burden 
and cost of compliance, commenters argued that the business associate 
provisions would still be very burdensome and costly to implement, 
especially for small and solo businesses.
    Response: The Department acknowledges that there are compliance 
costs associated with the business associate standards. However, no 
commenters supplied empirical, direct evidence in support of or 
contradictory to the Department's estimates of the cost savings 
associated with the business associate transition provisions. 
Therefore, our estimates remain unchanged.
    Comment: Some commenters disputed the estimated costs of complying 
with the business associate requirements based on the quantity of 
contracts (with suppliers, physicians, local agencies and national 
concerns), and the number of hours necessary to individually tailor and 
renegotiate all of these contracts.
    Response: These comments address the underlying costs of the 
business associate requirements and do not address the reduction in 
costs afforded through the sample business associate agreement 
language. Moreover, no empirical, direct evidence, based on 
accomplished workload rather than extrapolations of singular events, 
were provided to contradict the Department's calculations. Therefore, 
our estimates remain unchanged.

[[Page 53258]]

4. Marketing
    Under Sec. 164.514(e) of the December 2000 Privacy Rule, certain 
health-related communications were subject to special conditions on 
marketing communications, if they also served to promote the use or 
sale of a product or service. These marketing conditions required that 
particular disclosures be made as part of the marketing materials sent 
to individuals. Absent these disclosures, protected health information 
could only be used or disclosed in connection with such marketing 
communications with the individual's authorization. The Department is 
aware that the Privacy Rule's Sec. 164.514(e) conditions for health-
related communications created a potential burden on covered entities 
to make difficult assessments regarding many of their communications. 
The modifications to the marketing provisions relieve the burden on 
covered entities by making most marketing subject to an authorization 
requirement (see Sec. 164.508(a)(3)), making clear that necessary 
treatment and health care operations activities were not marketing, and 
eliminating the Sec. 164.514(e) conditions on marketing communications.
    In developing the December 2000 impact analysis for the Privacy 
Rule, the Department was unable to estimate the cost of the marketing 
provisions. There was too little data and too much variation in current 
practice to estimate how the Privacy Rule might affect marketing. The 
same remains true today. However, the modifications relieve burden on 
the covered entities in making communications for treatment and certain 
health care operations relative to the requirements in the Privacy 
Rule. Although the Department cannot provide a quantifiable estimate, 
the effect of these modifications is to lower the costs associated with 
the Privacy Rule.

Response to Public Comment

    Comment: Many providers, especially mental health providers, 
opposed the changes to marketing and consent as they fear increased 
access to individually identifiable health information would cause 
patients to refrain from seeking treatment. By not seeking timely 
treatment, the medical conditions could worsen, and result in increased 
or additional costs to society.
    Response: The commenters did not attempt to segment out the cost 
attributed to marketing alone. In fact, no empirical, direct evidence 
on the estimates of financial impact that either supported or 
contradicted the Department's calculations was provided. Therefore, our 
estimates remain unchanged.
5. Research
    In the final impact analysis of the December 2000 Privacy Rule, the 
Department estimated the total cost of the provisions requiring 
documentation of an Institutional Review Board (IRB) or Privacy Board 
waiver of individual authorization for the use or disclosure of 
protected health information for a research purpose as $40 million for 
the first year and $585 million for the ten-year period. The costs were 
estimated based on the time that an IRB or Privacy Board would need to 
consider a request for a waiver under the criteria provided in the 
Privacy Rule. See 65 FR 82770-82771 (December 28, 2000).
    The modifications simplify and reduce the number of criteria 
required for an IRB or Privacy Board to approve a waiver of 
authorization to better conform to the Common Rule's waiver criteria 
for informed consent to participate in the research study. The 
Department estimates that the net effect of these modifications is to 
reduce the time necessary to assemble the waivers and for an IRB or 
Privacy Board to consider and act on waiver requests by one quarter. 
The Department estimates these simplifications would reduce the 
expected costs first year costs by $10 million and the ten year costs 
by $146 million, relative to the December 2000 Privacy Rule. Although 
the Department requested information to better assess this cost 
savings, the public comment period failed to produce any sound data. 
Therefore, the Department's estimates have not changed.
    The Department adopts three other modifications to simplify the 
Privacy Rule requirements to relieve the potential administrative 
burden on research. First, the modifications permit a covered entity to 
use and disclose protected health information in the form of a limited 
data set for research, public health, and health care operations. A 
limited data set does not contain any direct identifiers of 
individuals, but may contain any other demographic or health 
information needed for research, public health or health care 
operations purposes. The covered entity must obtain a data use 
agreement from the recipient of a limited data set pursuant to which 
the recipient agrees to restrict use and disclosure of the limited data 
set and not to identify or contact any individual. With a data use 
agreement, a researcher may access a limited data set without obtaining 
individual authorization or having to go through an IRB or a Privacy 
Board for a waiver of the authorization. (See discussion at III.G.2.) 
Second, the modifications simplify the accounting procedures for 
research disclosures by the covered entity by eliminating the need to 
account for disclosures which the individual has authorized or which 
are part of a limited data set, and by providing a simplified basis to 
account for a research disclosure involving 50 or more records. (See 
discussion at III.F.2.) Third, the modifications simplify the 
authorization process for research to facilitate the combining of the 
informed consent for participation in the research itself with an 
authorization required under the Privacy Rule. (See discussion at 
III.E.2.) Any cost savings attributed to the later two modifications 
would accrue primarily to the covered entity disclosing protected 
health information for research purposes and, therefore, would not 
affect the costs estimated here for the impact of the Privacy Rule on 
IRBs.
    With regard to limited data sets, the Department anticipates that 
the modification will avoid IRBs having to review and approve 
researchers' requests for waiver of authorization for numerous studies 
that are undertaken today without IRB review and approval. For example, 
a researcher may not need IRB approval or waiver of informed consent to 
collect health information that is linked to the individual only by 
inclusion of the individual's zip code as this may not be personally 
identifying information under the Common Rule. However, this 
information would not be considered de-identified information under the 
Privacy Rule and it could not be disclosed to the researcher without 
the individual's authorization or an IRB waiver of that authorization. 
With the limited data set, research that does not require direct 
identifiers can continue to go on expeditiously without adding burden 
to IRBs and Privacy Boards. Similarly, limited data sets, similar to 
the Hospital Discharge Abstract data, will permit much useful 
information to be available for research, public health, and health 
care operations purposes.
    Although there was broad support for limited data sets in the 
comments received by the Department, we do not have sufficient 
information to estimate the amount of research that currently occurs 
without IRB review or approval and which, but for the provision on 
limited data sets, would have had to involved the IRB to meet the use 
and disclosure requirements of the Privacy Rule. Nor did the comments 
supply information upon which the Department could reasonably rely in 
making a estimate of the cost savings. Therefore, the Department does 
not increase its

[[Page 53259]]

estimated savings for research to reflect this modification, although 
we are confident that the overall impact of the Privacy Rule on 
research will be much lower based on the modifications adopted in this 
rulemaking.

Response to Public Comments

    Comment: The Department received a number of comments that argued 
that the Privacy Rule would increase costs and workloads for 
researchers and research institutions. One commenter delineated these 
issues as: (1) An increased difficulty in recruiting research 
participants; (2) the need for increased IRB scrutiny (and the 
associated resource costs); and (3) the additional paperwork and 
documentation required.
    Response: The Department recognized the impact of the final Privacy 
Rule on researchers and research institutions and provided a cost 
estimate for this impact as part of the Final Rule. Likewise, the NPRM 
offered modifications, such as more closely aligning the Privacy and 
Common Rule criteria, to ease the burden and, correspondingly, 
estimated cost savings of these proposed modifications. The specific 
comments appear to dispute the research cost estimates in the final 
Rule, as their delineated issues are not reflective of the 
modifications and cost savings specified in the NPRM. In any event, no 
reliable empirical, direct information on the estimates of financial 
impact that either supported or contradicted the Department's 
calculations was provided. Therefore, our estimates remain unchanged.

                               Privacy Rule Modifications--Ten-Year Cost Estimates
----------------------------------------------------------------------------------------------------------------
                                                                                              Change due to
              Policy                     Original cost              Modification              modification
----------------------------------------------------------------------------------------------------------------
Consent..........................  $103 million.............  Provision removed.......  -$103 million.\1\
Notice...........................  $391 million.............  Good faith effort to      +$184 million.
                                                               obtain acknowledgment
                                                               of receipt.
Marketing........................  Not scored due to lack of  Fewer activities          Reduction in cost but
                                    data.                      constitute marketing.     magnitude cannot be
                                                                                         estimated.
Business Associates..............  $103 million for contract  Model language provided.  -$35 million.
                                    modifications.
Research.........................  $585 million.............  Waiver requirements       -$146 million.
                                                               simplified.
Net Change.......................  .........................  ........................  -$100 million.
----------------------------------------------------------------------------------------------------------------
\1\ As noted above in the discussion on consent, while the estimated costs of the consent provisions were $103
  million, comments have suggested that the costs were likely to be much higher. If these comments are accurate,
  the cost savings associated with retracting the consent provisions would, therefore, also be significantly
  higher than $103 million.

C. Costs to the Federal Government

    The modifications adopted in this Rule will result in small savings 
to the Federal government relative to the costs that would have 
occurred under the Privacy Rule. Although there will be some increase 
in costs for the new requirements for obtaining acknowledgment for 
receipt of the notice, these costs are at least partially offset by the 
savings in the elimination of the consent. As discussed above, to the 
extent concerns are accurate that the costs for the consent provisions 
are much higher than estimated, the cost savings associated with the 
retraction of these provisions would, therefore, be significantly 
higher. The Department does not believe the Federal government engages 
in significant marketing as defined in the Privacy Rule. The Federal 
government will have business associates under the Privacy Rule, and, 
therefore, the sample language proposed in this rulemaking will be of 
benefit to Federal departments and agencies. The Department has not 
estimated the Federal government's portion of the $35 million savings 
it estimated for this change. Similarly, the Federal government, which 
conducts and sponsors a significant amount of research that is subject 
to IRBs, will realize some savings as a result of the research 
modifications in this rulemaking. The Department does not have 
sufficient information, however, to estimate the Federal government's 
portion of the total $146 million savings with respect to research 
modifications.

D. Costs to State and Local Government

    The modifications also may affect the costs to State and local 
governments. However, these effects likely will be small. As with the 
Federal government, State and local governments will have any costs of 
the additional notice requirement offset by the savings realized by the 
elimination of the consent requirement. As discussed above, to the 
extent concerns are accurate that the costs for the consent provisions 
are much higher than estimated, the cost savings associated with the 
retraction of these provisions would, therefore, be significantly 
higher. State and local governments could realize savings from the 
sample language for business associates and the changes in research, 
but the savings are likely to be small. The Department does not have 
sufficient information to estimate the State and local government's 
share of the net savings from the modifications.

E. Benefits

    The benefits of various provisions of these modifications will be 
strong privacy protections for individuals coupled with increased 
access to quality health care, and ease of compliance with privacy 
protections by covered entities. The changes will have the benefit of 
eliminating obstacles that could interfere with patient access to 
timely and high quality health care. The modifications will also 
improve quality health care by removing obstacles that may have 
interfered with research activities that form the basis of advancements 
in medical technology and provide greater understanding of disease. It 
is extremely difficult to quantify the benefits of enhanced privacy of 
medical records and elimination of obstacles to research and quality 
activities. This section provides examples of the qualitative benefits 
of these Privacy Rule modifications.
1. Strengthened Notice, Flexible Consent
    The new requirement that a covered entity make a good faith attempt 
to obtain written acknowledgment of the notice of privacy practices 
will increase privacy protections to patients. The strengthened notice 
requirement will focus individuals on uses and disclosures of their 
health information, and assure that individuals have the opportunity to 
discuss privacy concerns with the health care providers with whom they 
have direct treatment relationships. Awareness of privacy practices 
should provide patients with a greater degree of comfort in discussing 
sensitive personal information with

[[Page 53260]]

their doctors. The strengthened notice standard was adopted in tandem 
with changes to make consent more flexible. The changes to the consent 
requirement have the benefit of removing significant barriers to health 
care. In many circumstances, the consent requirement would have 
resulted in delayed treatment and, in other circumstances, would have 
required patients to be greatly inconvenienced at a time when they 
needed care, by forcing additional trips simply to sign consent forms. 
These modifications have the benefit of removing barriers to access to 
health care that would have resulted from the consent requirement while 
preserving important privacy protections in the notice standard.
2. Research
    Research is key to the continued availability of high quality 
health care. The modifications remove potential barriers to research. 
For example, the modifications streamline the criteria to be used by 
IRBs or Privacy Boards in approving a waiver of individual 
authorization for research that could not otherwise be done and ensure 
the criteria are compatible with similar waiver determinations under 
the Common Rule. Thus, administrative burdens on IRBs and Privacy 
Boards are eased, without diminishing the health information privacy 
and confidentiality standards for research. In addition, the research 
transition provisions have been modified to ensure that the Privacy 
Rule does not interfere with ongoing or future research for which an 
individual has granted permission to use his information. By permitting 
this research to continue, these modifications make sure that vast 
research resources continue to be usable for important research that 
result in development of new medical technology and increased quality 
of health care.
3. Sharing Information for Quality Activities and Public Health
    Health plans and health care providers play a valuable role in 
assessing the quality of health care and improving health care 
outcomes. The modifications ensure access to health information needed 
by covered entities and others involved in quality activities. The 
increased sharing of information will help to limit medical error rates 
and to determine appropriate, high quality treatment for specific 
conditions by encouraging these issues to be studied and allowing 
benchmarking against similar entities. The modifications, in creating a 
limited data set, also encourages private entities to continue studies 
and research in support of public health activities. These activities 
help reduce the spread and occurrence of diseases.
4. Availability of Information About Treatment Alternatives
    Understanding treatment alternatives is an important factor in 
increasing an individual's involvement in his or her own treatment and 
making informed health care decisions. By streamlining the marketing 
requirements, the modifications make it easier for a covered entity to 
understand that they may share valuable information about treatment 
alternatives with their patients or enrollees, and the conditions for 
doing so. These modifications make sure that covered entities will be 
permitted to continue to share important treatment alternative 
information that gives patients knowledge about newer, less expensive, 
and/or more appropriate health care options.

F. Alternatives

    In July 2001, the Department clarified the Privacy Rule in 
guidance, where feasible, to resolve some of the issues raised by 
commenters. Issues that could not adequately be addressed through 
guidance because of the need for a regulatory change are addressed in 
this rulemaking. The Department examined a number of alternatives to 
these modifications. One alternative was to not make any changes to the 
Privacy Rule, but this option was rejected for the reasons explained 
throughout the preamble. The Department also considered various 
alternatives to specific provisions in the development of this final 
Rule. These alternatives are generally discussed above, where 
appropriate.

V. Preliminary Regulatory Flexibility Analysis

    The Department also examined the impact of this proposed Rule as 
required by the Small Business Regulatory Enforcement and Fairness Act 
(SBREFA) (5 U.S.C. 601, et seq.). SBREFA requires agencies to determine 
whether a rule will have a significant economic impact on a substantial 
number of small entities.
    The law does not define the thresholds to use in implementing the 
law and the Small Business Administration discourages establishing 
quantitative criteria. However, the Department has long used two 
criteria--the number of entities affected and the impact on revenue and 
costs--for assessing whether a regulatory flexibility analysis is 
necessary. Department guidelines state that an impact of three to five 
percent should be considered a significant economic impact. Based on 
these criteria, the Department has determined that a regulatory 
flexibility analysis is not required.
    As described in the December 2000 Regulatory Flexibility Analysis 
for the Privacy Rule, most covered entities are small businesses--
approximately 465,000. See Table A, 65 FR 82780 (December 28, 2000). 
Lessening the burden for small entities, consistent with the intent of 
protecting privacy, was an important consideration in developing these 
modifications. However, as discussed in the Final Regulatory Impact 
Analysis, above, the net affect of the modifications is an overall 
savings of approximately $100 million over ten years. Even if all of 
this savings were to accrue to small entities (an over estimation), the 
impact per small entity would be de minimis.

VI. Collection of Information Requirements

    Under the Paperwork Reduction Act (PRA) of 1995, the Department is 
required to provide 30-day notice in the Federal Register and solicit 
public comment before a collection of information requirement is 
submitted to the Office of Management and Budget (OMB) for review and 
approval. In order to fairly evaluate whether an information collection 
should be approved by OMB, section 3506(c)(2)(A) of the PRA requires 
that the Department solicit comment on the following issues:
     The need for the information collection and its usefulness 
in carrying out the proper functions of the agency;
     The accuracy of the estimate of the information collection 
burden;
     The quality, utility, and clarity of the information to be 
collected; and
     Recommendations to minimize the information collection 
burden on the affected public, including automated collection 
techniques.
    Section A below summarizes the proposed information collection 
requirements on which we explicitly seek, and will consider, public 
comment for 30 days. Due to the complexity of this regulation, and to 
avoid redundancy of effort, we are referring readers to Section V 
(Final Regulatory Impact Analysis published in the Federal Register on 
December 28, 2000), to review the detailed cost assumptions associated 
with these PRA requirements.
    Section B below references the HIPAA Privacy Rule regulation 
sections published for 60-day public comment on November 3, 1999, and 
for 30-day public comment on December 28, 2000,

[[Page 53261]]

in compliance with the PRA public comment process. These earlier 
publications contained the information collection requirements for 
these sections as required by the PRA. The portions of the Privacy 
Rule, included by reference only in Section B, have not changed 
subsequent to the two public comment periods. Thus, the Department has 
fulfilled its statutory obligation to solicit public comment on the 
information collection requirements for these provisions. The 
information in Section B is pending OMB PRA approval, but is not 
reopened for comment. However, for clarity purposes, we will upon this 
publication submit to OMB for PRA review and approval the entire set of 
information collection requirements required referenced in 
Secs. 160.204, 160.306, 160.310, 164.502, 164.504, 164.506, 164.508, 
164.510, 164.512, 164.514, 164.520, 164.522, 164.524, 164.526, 164.528, 
and 164.530.

Section A

1. Section 164.506--Consent for Treatment, Payment, and Health Care 
Operations
    Under the Privacy Rule, as issued in December 2000, a covered 
health care provider that has a direct treatment relationship with 
individuals would have had, except in certain circumstances, to obtain 
an individual's consent to use or disclose protected health information 
to carry out treatment, payment, and health care operations. The 
amended final Rule eliminates this requirement.
2. Section 164.520--Notice of Privacy Practices for Protected Health 
Information
    The amended final Privacy Rule imposes a good faith effort on 
direct treatment providers to obtain an individual's acknowledgment of 
receipt of the entity's notice of privacy practices for protected 
health information, and to document such acknowledgment or, in the 
absence of such acknowledgment, the entity's good faith efforts to 
obtain it.
    The underlying requirements for notice of privacy practices for 
protected health information are not changed. These requirements 
provide that, except in certain circumstances set forth in this section 
of the Rule, individuals have a right to adequate notice of the uses 
and disclosures of protected health information that may be made by the 
covered entity, and of the individual's rights and the covered entity's 
legal duties with respect to protected health information. To comply 
with this requirement a covered entity must provide a notice, written 
in plain language, that includes the elements set forth at 
Sec. 164.520(b). For health plans, there will be an average of 160.2 
million notices each year. We assume that the most efficient means of 
distribution for health plans will be to send them out annually as part 
of the materials they send to current and potential enrollees, even 
though it is not required by the regulation. The number of notices per 
health plan per year would be about 10,570. We further estimate that it 
will require each health plan, on average, only 10 seconds to 
disseminate each notice. The total annual burden associated with this 
requirement is calculated to be 267,000 hours.
    Health care providers with direct treatment relationships would:
     Provide a copy of the notice to an individual at the time 
of first service delivery to the individual;
     Make the notice available at the service delivery site for 
individuals to request and take with them;
     Whenever the content of the notice is revised, make it 
available upon request and post it, if required by this section, in a 
location where it is reasonable to expect individuals seeking services 
from the provider to be able to read the notice.
    The annual number of notices disseminated by all providers is 613 
million. We further estimate that it will require each health care 
provider, on average, 10 seconds to disseminate each notice. This 
estimate is based upon the assumption that the required notice will be 
incorporated into and disseminated with other patient materials. The 
total annual burden associated with this requirement is calculated to 
be 1 million hours. However, the amended final Privacy Rule also 
imposes a good faith effort on direct treatment providers to obtain an 
individual's acknowledgment of receipt of the provider's notice, and to 
document such acknowledgment or, in the absence of such acknowledgment, 
the provider's good faith efforts to obtain it. The estimated burden 
for the acknowledgment of receipt of the notice is 10 seconds for each 
notice. This is based on the fact that the provider does not need to 
take elaborate steps to receive acknowledgment. Initialing a box on an 
existing form or some other simple means will suffice. With the annual 
estimate of 613,000,000 acknowledgment forms it is estimated that the 
acknowledgment burden is 1,000,000 hours.
    A covered entity is also required to document compliance with the 
notice requirements by retaining copies of the versions of the notice 
issued by the covered entity, and a direct treatment provider is 
required to retain a copy of each individual's acknowledgment or 
documentation of the good faith effort as required by Sec. 164.530(j).
3. Appendix to Preamble--Sample Business Associate Contract Provisions
    The Department also solicits public comments on the collection of 
information requirements associated with the model business associate 
contract language displayed in the Appendix to this preamble Rule. The 
language displayed has been changed in response to comments on the 
language that was published with the Notice of Proposed Rulemaking on 
March 27, 2002. The Department provided the model business associate 
contract provisions in response to numerous requests for guidance. 
These provisions were designed to help covered entities more easily 
comply with the business associate contract requirements of the Privacy 
Rule. However, use of these model provisions is not required for 
compliance with the Privacy Rule. Nor is the model language a complete 
contract. Rather, the model language is designed to be adapted to the 
business arrangement between the covered entity and the business 
associate and to be incorporated into a contract drafted by the 
parties.

Section B

    As referenced above, the Department has complied with the public 
comment process as it relates to the information collection 
requirements contained in the sections of regulation referenced below. 
The Department is referencing this information solely for the purposes 
of providing an overview of the regulation sections containing 
information collection requirements established by the final Privacy 
Rule.


Section 160.204--Process for Requesting Exception Determinations
Section 160.306--Complaints to the Secretary
Section 160.310--Responsibilities of Covered Entities
Section 164.502--Uses and Disclosures of Protected Health 
Information: General Rules
Section 164.504--Uses and Disclosures--Organizational Requirements
Section 164.508--Uses and Disclosures for Which Individual 
Authorization Is Required
Section 164.510--Uses and Disclosures Requiring an Opportunity for 
the Individual to Agree or to Object
Section 164.512--Uses and Disclosures for Which Consent, an 
Authorization, or Opportunity to Agree or Object is Not Required
Section 164.514--Other Procedural Requirements Relating to Uses and

[[Page 53262]]

Disclosures of Protected Health Information
Section 164.522--Rights to Request Privacy Protection for Protected 
Health Information
Section 164.524--Access of Individuals to Protected Health 
Information
Section 164.526--Amendment of Protected Health Information
Section 164.528--Accounting for Disclosures of Protected Health 
Information
Section 164.530--Administrative Requirements

C. Comments on Information Collection Requirements in Section A

    The Department has submitted a copy of these modifications to the 
Privacy Rule to OMB for its review and approval of the information 
collection requirements summarized in Section A above. If you comment 
on any of the modifications to the information collection and record 
keeping requirements in Secs. 164.506, 164.520, and/or the model 
business associate contract language please mail copies directly to the 
following:

Center for Medicaid and Medicare Services, Information Technology 
Investment Management Group, Division of CMS Enterprise Standards, Room 
C2-26-17, 7500 Security Boulevard, Baltimore, MD 21244-1850, ATTN: John 
Burke, HIPAA Privacy,
      and
Office of Information and Regulatory Affairs, Office of Management and 
Budget, Room 10235, New Executive Office Building, Washington, DC 
20503, ATTN: Brenda Aguilar, CMS Desk Officer.

VII. Unfunded Mandates

    Section 202 of the Unfunded Mandates Reform Act of 1995 also 
requires that agencies assess anticipated costs and benefits before 
issuing any rule that may result in an expenditure by State, local, or 
tribal governments, in the aggregate, or by the private sector, of $110 
million in a single year. A final cost-benefit analysis was published 
in the Privacy Rule of December 28, 2000 (65 FR 82462, 82794). In 
developing the final Privacy Rule, the Department adopted the least 
burdensome alternatives, consistent with achieving the Rule's goals. 
The Department does not believe that the amendments to the Privacy Rule 
would qualify as an unfunded mandate under the statute.

VIII. Environmental Impact

    The Department has determined under 21 CFR 25.30(k) that this 
action is of a type that does not individually or cumulatively have a 
significant effect on the human environment. Therefore, neither an 
environmental assessment nor an environmental impact statement is 
required.

IX. Executive Order 13132: Federalism

    Executive Order 13132 establishes certain requirements that an 
agency must meet when it promulgates a rule that imposes substantial 
direct requirement costs on State and local governments, preempts State 
law, or otherwise has Federalism implications. The Federalism 
implications of the Privacy Rule were assessed as required by Executive 
Order 13132 and published in the Privacy Rule of December 28, 2000 (65 
FR 82462, 82797). The amendments with the most direct effect on 
Federalism principles concerns the clarifications regarding the rights 
of parents and minors under State law.
    The amendments make clear the intent of the Department to defer to 
State law with respect to such rights. Therefore, the Department 
believes that the amended Privacy Rule would not significantly affect 
the rights, roles and responsibilities of States.

X. Sample Business Associate Contract Provisions--Appendix

    March 2002 NPRM. In response to requests for guidance, the 
Department provided sample language for business associate contracts. 
The provisions were provided as an appendix to the preamble and were 
intended to serve as guidance for covered entities to assist in 
compliance with the business associate provisions of the Privacy Rule. 
The proposal was not a model contract, but rather was sample language 
that could be included in a contract.
    Overview of Public Comment. The Department received a small number 
of comments addressing the sample business associate contract 
provisions. The comments fell into four general categories. Most 
commenters were pleased with the Department's guidance for business 
associate contracts and expressed appreciation for such guidance. There 
were some commenters that thought the language was insufficient and 
requested the Department create a complete model contract not just 
sample provisions. The third category of commenters thought the 
provisions went further than the requirements in the regulation and 
requested specific changes to the sample language. In addition, a few 
commenters requested that the Department withdraw the sample provisions 
asserting that they will eliminate the potential of negotiating or 
establishing a business associate contract that is tailored to the 
precise requirements of the particular relationship.
    Final Modifications. This Rule continues to include sample business 
associate contract provisions as an appendix to the preamble, because 
the majority of commenters that addressed this subject found these 
provisions to be helpful guidance in their compliance efforts with the 
business associate contract requirements in the Privacy Rule.
    The Department has made several changes to the language originally 
proposed in response to comment. Although these are only sample 
provisions, the changes, which are described below, should help to 
clear up some confusion.
    First, the Department has changed the name from ``model language'' 
to ``sample language'' to clarify that the provisions are merely sample 
clauses, and that none are required to be in a business associate 
contract so long as the contract meets the requirements of the 
regulation. The sample language continues to indicate, using square 
brackets, those instances in which a provision or phrase in a provision 
applies only in certain circumstances or is optional.
    The Department has made three modifications in the Obligations and 
Activities of the Business Associate provisions. First, there are 
modifications to clarify that the parties can negotiate appropriate 
terms regarding the time and manner of providing access to protected 
health information in a designated record set, providing information to 
account for disclosures of protected health information, and for making 
amendments to protected health information in a designated record set. 
Although the language clarifies that the terms are to be negotiated by 
the Parties, the agreement must permit the covered entity to comply 
with its obligations under the Privacy Rule.
    Second, the Department has amended the sample language regarding 
review of business associate practices, books, and records to clarify 
that the contract must permit the Secretary, not the covered entity, to 
have access to such records, including protected health information, 
for purposes of determining the covered entity's compliance with the 
Privacy Rule. The sample language continues to include the option that 
parties additionally agree that the business associate shall disclose 
this information to the covered entity for compliance purposes to 
indicate that this is still an appropriate approach for this purpose. 
The modifications also clarify that parties can negotiate the time and 
manner of providing the covered entity with access to the business 
associate's internal practices, books, and records.

[[Page 53263]]

    Finally, the Department has modified the sample language to clarify 
that business associates are only required to notify the covered entity 
of uses and disclosures of protected health information not provided 
for by the agreement of which it becomes aware in order to more closely 
align the sample contract provisions with the regulation text. The 
Department did not intend to imply a different standard than that 
included in the regulation.
    The Department has modified the General Use and Disclosure sample 
language to clarify that there are two possible approaches, and that in 
each approach the use or disclosure of protected health information by 
a business associate shall be consistent with the minimum necessary 
policies and procedures of the covered entity.
    The Department has adopted one change to the sample language under 
Specific Use and Disclosure that clarifies that a permitted specific 
use of protected health information by the business associate includes 
reporting violations of law to appropriate Federal and State 
authorities. This would permit a business associate to use or disclose 
protected health information in accordance with the standards in 
Sec. 164.502(j)(1). We indicate that this is optional text, not 
required by the Privacy Rule. Because we have included this language as 
sample language, we have deleted discussion of this issue in the 
statement preceding the sample business associate contract provisions.
    Under Obligations of Covered Entity, the Department has clarified 
that covered entities need only notify business associates of a 
restriction to the use or disclosure of protected health information in 
its notice of privacy practices to the extent that such restriction may 
affect the business associates' use or disclosure of protected health 
information. The other provisions requiring the covered entity to 
notify the business associate of restrictions to the use or disclosure 
of protected health information remain and have been modified to 
include similar limiting language.
    In the Term and Termination provisions, the Department has added 
clarifying language that indicates that if neither termination nor cure 
are feasible, the covered entity shall report the violation to the 
Secretary. We have also clarified that the parties should negotiate how 
they will determine whether the return or destruction of protected 
health information is infeasible.
    Finally, the Department has clarified the miscellaneous provision 
regarding interpretation to clarify that ambiguities shall be resolved 
to permit the covered entity's compliance with the Privacy Rule.
    Each entity should carefully analyze each of the sample provisions 
to ensure that it is appropriate given the specific business associate 
relationship. Some of the modifications are intended to address some 
commenters concerns that the sample language is weighted too heavily in 
favor of the covered entity. Individual parties are reminded that all 
contract provisions are subject to negotiation, provided that they are 
consistent with the requirements in the Privacy Rule. The sample 
language is not intended to, and cannot, substitute for responsible 
legal advice.

Response to Other Public Comments

    Comment: Several commenters noted that the sample language was 
missing certain required contractual elements, such as an effective 
date, insurance and indemnification clauses, procedures for amending 
the contract, as well as other provisions that may be implicated by the 
Privacy Rule, such as the Electronic Transactions Standards. Some of 
these commenters requested that the guidance be a complete model 
contract rather than sample contract provisions so that the covered 
entity would not need legal assistance.
    Response: The Department intentionally did not make this guidance a 
complete model contract, but rather provided only those provisions 
specifically tied to requirements of the Privacy Rule. As stated above, 
this guidance does not substitute for legal advice. Other contract 
provisions may be dictated by State or other law or by the relationship 
between the parties. It is not feasible to provide sample contracts 
that would accommodate each situation. Parties are free to negotiate 
additional terms, including those that may be required by other laws or 
regulations.
    Comment: Some commenters requested that use of the sample business 
associate contract language create a safe harbor for an entity that 
adopts them.
    Response: The sample business associate contract provisions are not 
a safe harbor. Rather, the sample language is intended to provide 
guidance and assist covered entities in the effort required to enter 
into a business associate agreement. Use of the sample provisions or 
similar provisions, where appropriate, would be considered strong 
evidence of compliance with the business associate contract provisions 
of the Privacy Rule. However, contracts will necessarily vary based on 
State law and the relationship between the covered entity and the 
business associate.
    Comment: Some commenters were concerned that the sample provision 
permitting a covered entity to have access to the practices, books, and 
records of the business associate would impose an audit requirement on 
the covered entity.
    Response: The sample business associate contract provisions do not 
impose any additional requirements on covered entities. Only the 
regulation imposes requirements. Therefore, the inclusion of the 
provision that the business associate shall allow the covered entity 
access to the business associate practices, books, and records does not 
indicate that the Privacy Rule imposes an audit requirement on the 
covered entity. We have stated numerous times that the Privacy Rule 
does not require covered entities to monitor the activities of their 
business associates.
    Comment: One commenter noted that the business associate should not 
be required, under the contract, to mitigate damages resulting from a 
violation.
    Response: We disagree. In order for a covered entity to be able to 
act as it is required to under the Privacy Rule when a business 
associate is holding protected health information, the covered entity 
must require the same activities of the business associate through the 
contract.
    Comment: One commenter noted that the Privacy Rule does not 
explicitly direct that a covered entity provide its notice of privacy 
practices to its business associates.
    Response: We agree and have modified the language in the sample 
provision accordingly. However, in order for the business associate to 
act consistently with the privacy practices of the covered entity, 
which is required by the Privacy Rule, the parties may find it 
necessary to require disclosure of these policies. To the extent that 
parties can craft an alternate approach, they are free to do so.
    Comment: One commenter indicated that traditional contract terms 
such as ``term'' and ``termination'' should not be included in the 
sample language if the Department's intention is to address only those 
terms required by the Rule.
    Response: Because termination of the business associate agreement 
is specifically addressed in the Privacy Rule, we have retained these 
provisions in the sample language. As with all other provisions, 
parties are free to negotiate alternative Term and Termination 
provisions that meet their unique situations and concerns,

[[Page 53264]]

provided that they meet the requirements of the Privacy Rule.
    Comment: Another commenter indicated that the sample language 
should not require the return or destruction of protected health 
information in the possession of subcontractors or agents of the 
business associate.
    Response: We have retained this language as this is consistent with 
the Privacy Rule. Section 164.504(e)(2)(ii)(D) requires that the 
business associate contract include a provision that the business 
associate ensures that any agents, including subcontractors, agree to 
the same restrictions and conditions as the business associate. 
Generally, the contract must require the business associate to return 
or destroy protected health information; therefore, the contract also 
must require the business associate to have agents and subcontractors 
to do the same. This is reflected in the sample contract language.
    Comment: One commenter requested that the sample language include a 
provision that the covered entity may impose monetary damages on a 
business associate for violation of its privacy policies.
    Response: We have not included such a provision because the Privacy 
Rule does not address this issue. The Privacy Rule would not prohibit a 
monetary damages provision from being included in the contract. This, 
again, is a matter to be negotiated between covered entities and their 
business associates.
    Comment: One commenter suggested that specific references to 
sections in the Rule be deleted and either replaced by a general 
statement that the contract shall be interpreted in a manner consistent 
with the Rule or supplemented with clarifying language with examples.
    Response: We believe that using section reference is a valid and 
expeditious approach as it incorporates changes as modifications are 
made to the Privacy Rule. A business associate contract may take a 
different approach than using section references to the Privacy Rule.
    Comment: One commenter asked that the sample business associate 
contract provisions be included in the Rule rather than published as an 
appendix to the preamble so that it will be in the Code of Federal 
Regulations.
    Response: We have published the sample business associate contract 
provisions as an appendix to the preamble because they are meant as 
guidance. The sample language shall be available on the Office for 
Civil Rights web site at www.hhs.gov/ocr/hipaa; and may be updated or 
revised as necessary.

Appendix to the Preamble--Sample Business Associate Contract 
Provisions

Statement of Intent

    The Department provides these sample business associate contract 
provisions in response to numerous requests for guidance. This is only 
sample language. These provisions are designed to help covered entities 
more easily comply with the business associate contract requirements of 
the Privacy Rule. However, use of these sample provisions is not 
required for compliance with the Privacy Rule. The language may be 
amended to more accurately reflect business arrangements between the 
covered entity and the business associate.
    These or similar provisions may be incorporated into an agreement 
for the provision of services between the entities or they may be 
incorporated into a separate business associate agreement. These 
provisions only address concepts and requirements set forth in the 
Privacy Rule and alone are not sufficient to result in a binding 
contract under State law. They do not include many formalities and 
substantive provisions that are required or typically included in a 
valid contract. Reliance on this sample is not sufficient for 
compliance with State law and does not replace consultation with a 
lawyer or negotiations between the parties to the contract.
    Furthermore, a covered entity may want to include other provisions 
that are related to the Privacy Rule but that are not required by the 
Privacy Rule. For example, a covered entity may want to add provisions 
in a business associate contract in order for the covered entity to be 
able to rely on the business associate to help the covered entity meet 
its obligations under the Privacy Rule. In addition, there may be 
permissible uses or disclosures by a business associate that are not 
specifically addressed in these sample provisions, for example having a 
business associate create a limited data set. These and other types of 
issues will need to be worked out between the parties.

Sample Business Associate Contract Provisions \3\
---------------------------------------------------------------------------

    \3\ Words or phrases contained in brackets are intended as 
either optional language or as instructions to the users of these 
sample provisions and are not intended to be included in the 
contractual provisions.
---------------------------------------------------------------------------

Definitions (Alternative Approaches)
    Catch-all definition:
    Terms used, but not otherwise defined, in this Agreement shall have 
the same meaning as those terms in the Privacy Rule.
    Examples of specific definitions:
    (a) Business Associate. ``Business Associate'' shall mean [Insert 
Name of Business Associate].
    (b) Covered Entity. ``Covered Entity'' shall mean [Insert Name of 
Covered Entity].
    (c) Individual. ``Individual'' shall have the same meaning as the 
term ``individual'' in 45 CFR 164.501 and shall include a person who 
qualifies as a personal representative in accordance with 45 CFR 
164.502(g).
    (d) Privacy Rule. ``Privacy Rule'' shall mean the Standards for 
Privacy of Individually Identifiable Health Information at 45 CFR part 
160 and part 164, subparts A and E.
    (e) Protected Health Information. ``Protected Health Information'' 
shall have the same meaning as the term ``protected health 
information'' in 45 CFR 164.501, limited to the information created or 
received by Business Associate from or on behalf of Covered Entity.
    (f) Required By Law. ``Required By Law'' shall have the same 
meaning as the term ``required by law'' in 45 CFR 164.501.
    (g) Secretary. ``Secretary'' shall mean the Secretary of the 
Department of Health and Human Services or his designee.
Obligations and Activities of Business Associate
    (a) Business Associate agrees to not use or disclose Protected 
Health Information other than as permitted or required by the Agreement 
or as Required By Law.
    (b) Business Associate agrees to use appropriate safeguards to 
prevent use or disclosure of the Protected Health Information other 
than as provided for by this Agreement.
    (c) Business Associate agrees to mitigate, to the extent 
practicable, any harmful effect that is known to Business Associate of 
a use or disclosure of Protected Health Information by Business 
Associate in violation of the requirements of this Agreement. [This 
provision may be included if it is appropriate for the Covered Entity 
to pass on its duty to mitigate damages to a Business Associate.]
    (d) Business Associate agrees to report to Covered Entity any use 
or disclosure of the Protected Health Information not provided for by 
this Agreement of which it becomes aware.
    (e) Business Associate agrees to ensure that any agent, including a

[[Page 53265]]

subcontractor, to whom it provides Protected Health Information 
received from, or created or received by Business Associate on behalf 
of Covered Entity agrees to the same restrictions and conditions that 
apply through this Agreement to Business Associate with respect to such 
information.
    (f) Business Associate agrees to provide access, at the request of 
Covered Entity, and in the time and manner [Insert negotiated terms], 
to Protected Health Information in a Designated Record Set, to Covered 
Entity or, as directed by Covered Entity, to an Individual in order to 
meet the requirements under 45 CFR 164.524. [Not necessary if business 
associate does not have protected health information in a designated 
record set.]
    (g) Business Associate agrees to make any amendment(s) to Protected 
Health Information in a Designated Record Set that the Covered Entity 
directs or agrees to pursuant to 45 CFR 164.526 at the request of 
Covered Entity or an Individual, and in the time and manner [Insert 
negotiated terms]. [Not necessary if business associate does not have 
protected health information in a designated record set.]
    (h) Business Associate agrees to make internal practices, books, 
and records, including policies and procedures and Protected Health 
Information, relating to the use and disclosure of Protected Health 
Information received from, or created or received by Business Associate 
on behalf of, Covered Entity available [to the Covered Entity, or] to 
the Secretary, in a time and manner [Insert negotiated terms] or 
designated by the Secretary, for purposes of the Secretary determining 
Covered Entity's compliance with the Privacy Rule.
    (i) Business Associate agrees to document such disclosures of 
Protected Health Information and information related to such 
disclosures as would be required for Covered Entity to respond to a 
request by an Individual for an accounting of disclosures of Protected 
Health Information in accordance with 45 CFR 164.528.
    (j) Business Associate agrees to provide to Covered Entity or an 
Individual, in time and manner [Insert negotiated terms], information 
collected in accordance with Section [Insert Section Number in Contract 
Where Provision (i) Appears] of this Agreement, to permit Covered 
Entity to respond to a request by an Individual for an accounting of 
disclosures of Protected Health Information in accordance with 45 CFR 
164.528.

Permitted Uses and Disclosures by Business Associate

General Use and Disclosure Provisions [(a) and (b) are alternative 
approaches]
    (a) Specify purposes:
    Except as otherwise limited in this Agreement, Business Associate 
may use or disclose Protected Health Information on behalf of, or to 
provide services to, Covered Entity for the following purposes, if such 
use or disclosure of Protected Health Information would not violate the 
Privacy Rule if done by Covered Entity or the minimum necessary 
policies and procedures of the Covered Entity: [List Purposes].
    (b) Refer to underlying services agreement:
    Except as otherwise limited in this Agreement, Business Associate 
may use or disclose Protected Health Information to perform functions, 
activities, or services for, or on behalf of, Covered Entity as 
specified in [Insert Name of Services Agreement], provided that such 
use or disclosure would not violate the Privacy Rule if done by Covered 
Entity or the minimum necessary policies and procedures of the Covered 
Entity. Specific Use and Disclosure Provisions [only necessary if 
parties wish to allow Business Associate to engage in such activities]
    (a) Except as otherwise limited in this Agreement, Business 
Associate may use Protected Health Information for the proper 
management and administration of the Business Associate or to carry out 
the legal responsibilities of the Business Associate.
    (b) Except as otherwise limited in this Agreement, Business 
Associate may disclose Protected Health Information for the proper 
management and administration of the Business Associate, provided that 
disclosures are Required By Law, or Business Associate obtains 
reasonable assurances from the person to whom the information is 
disclosed that it will remain confidential and used or further 
disclosed only as Required By Law or for the purpose for which it was 
disclosed to the person, and the person notifies the Business Associate 
of any instances of which it is aware in which the confidentiality of 
the information has been breached.
    (c) Except as otherwise limited in this Agreement, Business 
Associate may use Protected Health Information to provide Data 
Aggregation services to Covered Entity as permitted by 42 CFR 
164.504(e)(2)(i)(B).
    (d) Business Associate may use Protected Health Information to 
report violations of law to appropriate Federal and State authorities, 
consistent with Sec. 164.502(j)(1).

Obligations of Covered Entity

Provisions for Covered Entity To Inform Business Associate of Privacy 
Practices and Restrictions [provisions dependent on business 
arrangement]
    (a) Covered Entity shall notify Business Associate of any 
limitation(s) in its notice of privacy practices of Covered Entity in 
accordance with 45 CFR 164.520, to the extent that such limitation may 
affect Business Associate's use or disclosure of Protected Health 
Information.
    (b) Covered Entity shall notify Business Associate of any changes 
in, or revocation of, permission by Individual to use or disclose 
Protected Health Information, to the extent that such changes may 
affect Business Associate's use or disclosure of Protected Health 
Information.
    (c) Covered Entity shall notify Business Associate of any 
restriction to the use or disclosure of Protected Health Information 
that Covered Entity has agreed to in accordance with 45 CFR 164.522, to 
the extent that such restriction may affect Business Associate's use or 
disclosure of Protected Health Information.
Permissible Requests by Covered Entity
    Covered Entity shall not request Business Associate to use or 
disclose Protected Health Information in any manner that would not be 
permissible under the Privacy Rule if done by Covered Entity. [Include 
an exception if the Business Associate will use or disclose protected 
health information for, and the contract includes provisions for, data 
aggregation or management and administrative activities of Business 
Associate].
Term and Termination
    (a) Term. The Term of this Agreement shall be effective as of 
[Insert Effective Date], and shall terminate when all of the Protected 
Health Information provided by Covered Entity to Business Associate, or 
created or received by Business Associate on behalf of Covered Entity, 
is destroyed or returned to Covered Entity, or, if it is infeasible to 
return or destroy Protected Health Information, protections are 
extended to such information, in accordance with the termination 
provisions in this Section. [Term may differ.]
    (b) Termination for Cause. Upon Covered Entity's knowledge of a 
material breach by Business Associate, Covered Entity shall either:
    (1) Provide an opportunity for Business Associate to cure the 
breach or

[[Page 53266]]

end the violation and terminate this Agreement [and the ___ Agreement/
sections __ of the ___ Agreement] if Business Associate does not cure 
the breach or end the violation within the time specified by Covered 
Entity;
    (2) Immediately terminate this Agreement [and the ___ Agreement/
sections __ of the ___ Agreement] if Business Associate has breached a 
material term of this Agreement and cure is not possible; or
    (3) If neither termination nor cure are feasible, Covered Entity 
shall report the violation to the Secretary. [Bracketed language in 
this provision may be necessary if there is an underlying services 
agreement. Also, opportunity to cure is permitted, but not required by 
the Privacy Rule.]
    (c) Effect of Termination.
    (1) Except as provided in paragraph (2) of this section, upon 
termination of this Agreement, for any reason, Business Associate shall 
return or destroy all Protected Health Information received from 
Covered Entity, or created or received by Business Associate on behalf 
of Covered Entity. This provision shall apply to Protected Health 
Information that is in the possession of subcontractors or agents of 
Business Associate. Business Associate shall retain no copies of the 
Protected Health Information.
    (2) In the event that Business Associate determines that returning 
or destroying the Protected Health Information is infeasible, Business 
Associate shall provide to Covered Entity notification of the 
conditions that make return or destruction infeasible. Upon [Insert 
negotiated terms] that return or destruction of Protected Health 
Information is infeasible, Business Associate shall extend the 
protections of this Agreement to such Protected Health Information and 
limit further uses and disclosures of such Protected Health Information 
to those purposes that make the return or destruction infeasible, for 
so long as Business Associate maintains such Protected Health 
Information.

Miscellaneous

    (a) Regulatory References. A reference in this Agreement to a 
section in the Privacy Rule means the section as in effect or as 
amended.
    (b) Amendment. The Parties agree to take such action as is 
necessary to amend this Agreement from time to time as is necessary for 
Covered Entity to comply with the requirements of the Privacy Rule and 
the Health Insurance Portability and Accountability Act of 1996, Pub. 
L. No. 104-191.
    (c) Survival. The respective rights and obligations of Business 
Associate under Section [Insert Section Number Related to ``Effect of 
Termination''] of this Agreement shall survive the termination of this 
Agreement.
    (d) Interpretation. Any ambiguity in this Agreement shall be 
resolved to permit Covered Entity to comply with the Privacy Rule.

List of Subjects

45 CFR Part 160

    Electronic transactions, Employer benefit plan, Health, Health 
care, Health facilities, Health insurance, Health records, Medicaid, 
Medical research, Medicare, Privacy, Reporting and record keeping 
requirements.

45 CFR Part 164

    Electronic transactions, Employer benefit plan, Health, Health 
care, Health facilities, Health insurance, Health records, Medicaid, 
Medical research, Medicare, Privacy, Reporting and record keeping 
requirements.

    Dated: August 6, 2002.
Tommy G. Thompson,
Secretary.

    For the reasons set forth in the preamble, the Department amends 45 
CFR subtitle A, subchapter C, as follows:

PART 160--GENERAL ADMINISTRATIVE REQUIREMENTS

    1. The authority citation for part 160 continues to read as 
follows:

    Authority: Sec. 1171 through 1179 of the Social Security Act (42 
U.S.C. 1320d-1329d-8), as added by sec. 262 of Pub. L. No. 104-191, 
110 Stat. 2021-2031 and sec. 264 of Pub. L. No. 104-191 (42 U.S.C. 
1320d-2(note)).


    2. Amend Sec. 160.102(b), by removing the phrase ``section 
201(a)(5) of the Health Insurance Portability Act of 1996, (Pub. L. No. 
104-191)'' and adding in its place the phrase ``the Social Security 
Act, 42 U.S.C. 1320a-7c(a)(5)''.


    3. In Sec. 160.103 add the definition of ``individually 
identifiable health information'' in alphabetical order to read as 
follows:


Sec. 160.103  Definitions.

* * * * *
    Individually identifiable health information is information that is 
a subset of health information, including demographic information 
collected from an individual, and:
    (1) Is created or received by a health care provider, health plan, 
employer, or health care clearinghouse; and
    (2) Relates to the past, present, or future physical or mental 
health or condition of an individual; the provision of health care to 
an individual; or the past, present, or future payment for the 
provision of health care to an individual; and
    (i) That identifies the individual; or
    (ii) With respect to which there is a reasonable basis to believe 
the information can be used to identify the individual.
* * * * *

    4. In Sec. 160.202 revise paragraphs (2) and (4) of the definition 
of ``more stringent'' to read as follows:


Sec. 160.202  Definitions.

* * * * *
    More stringent means * * *
    (2) With respect to the rights of an individual, who is the subject 
of the individually identifiable health information, regarding access 
to or amendment of individually identifiable health information, 
permits greater rights of access or amendment, as applicable.
* * * * *
    (4) With respect to the form, substance, or the need for express 
legal permission from an individual, who is the subject of the 
individually identifiable health information, for use or disclosure of 
individually identifiable health information, provides requirements 
that narrow the scope or duration, increase the privacy protections 
afforded (such as by expanding the criteria for), or reduce the 
coercive effect of the circumstances surrounding the express legal 
permission, as applicable.
* * * * *

    5. Amend Sec. 160.203(b) by adding the words ``individually 
identifiable'' before the word ``health''.

PART 164--SECURITY AND PRIVACY

Subpart E--Privacy of Individually Identifiable Health Information

    1. The authority citation for part 164 continues to read as 
follows:

    Authority: 42 U.S.C. 1320d-2 and 1320d-4, sec. 264 of Pub. L. 
No. 104-191, 110 Stat. 2033-2034 (42 U.S.C. 1320d-2(note)).


    2. Amend Sec. 164.102 by removing the words ``implementation 
standards'' and adding in its place the words ``implementation 
specifications.''


    3. In Sec. 164.500, remove ``consent,'' from paragraph (b)(1)(v).


    4. Amend Sec. 164.501 as follows:
    a. In the definition of ``health care operations'' remove from the 
introductory text of the definition ``, and any of the following 
activities of an

[[Page 53267]]

organized health care arrangement in which the covered entity 
participates'' and revise paragraphs (6)(iv) and (v).
    b. Remove the definition of ``individually identifiable health 
information''.
    c. Revise the definition of ``marketing''.
    d. In paragraph (1)(ii) of the definition of ``payment,'' remove 
the word ``covered''.
    e. Revise paragraph (2) of the definition of ``protected health 
information''.
    f. Remove the words ``a covered'' and replace them with ``an'' in 
the definition of ``required by law''.
    The revisions read as follows:


Sec. 164.501  Definitions.

* * * * *
    Health care operations means * * *
    (6) * * *
    (iv) The sale, transfer, merger, or consolidation of all or part of 
the covered entity with another covered entity, or an entity that 
following such activity will become a covered entity and due diligence 
related to such activity; and
    (v) Consistent with the applicable requirements of Sec. 164.514, 
creating de-identified health information or a limited data set, and 
fundraising for the benefit of the covered entity.
* * * * *
    Marketing means:
    (1) To make a communication about a product or service that 
encourages recipients of the communication to purchase or use the 
product or service, unless the communication is made:
    (i) To describe a health-related product or service (or payment for 
such product or service) that is provided by, or included in a plan of 
benefits of, the covered entity making the communication, including 
communications about: the entities participating in a health care 
provider network or health plan network; replacement of, or 
enhancements to, a health plan; and health-related products or services 
available only to a health plan enrollee that add value to, but are not 
part of, a plan of benefits.
    (ii) For treatment of the individual; or
    (iii) For case management or care coordination for the individual, 
or to direct or recommend alternative treatments, therapies, health 
care providers, or settings of care to the individual.
    (2) An arrangement between a covered entity and any other entity 
whereby the covered entity discloses protected health information to 
the other entity, in exchange for direct or indirect remuneration, for 
the other entity or its affiliate to make a communication about its own 
product or service that encourages recipients of the communication to 
purchase or use that product or service.
* * * * *
    Protected health information means * * *
    (2) Protected health information excludes individually identifiable 
health information in:
    (i) Education records covered by the Family Educational Rights and 
Privacy Act, as amended, 20 U.S.C. 1232g;
    (ii) Records described at 20 U.S.C. 1232g(a)(4)(B)(iv); and
    (iii) Employment records held by a covered entity in its role as 
employer.
* * * * *

    5. Amend Sec. 164.502 as follows:
    a. Revise paragraphs (a)(1)(ii), (iii), and (vi).
    b. Revise paragraph (b)(2)(ii).
    c. Redesignate paragraphs (b)(2)(iii) through (v) as paragraphs 
(b)(2)(iv) through (vi).
    d. Add a new paragraph (b)(2)(iii).
    e. Redesignate paragraphs (g)(3)(i) through (iii) as (g)(3)(i)(A) 
through (C) and redesignate paragraph (g)(3) as (g)(3)(i).
    f. Add a new paragraph (g)(3)(ii).
    The revisions and additions read as follows:


Sec. 164.502  Uses and disclosures of protected health information: 
general rules.

    (a) Standard. * * *
    (1) Permitted uses and disclosures. * * *
    (ii) For treatment, payment, or health care operations, as 
permitted by and in compliance with Sec. 164.506;
    (iii) Incident to a use or disclosure otherwise permitted or 
required by this subpart, provided that the covered entity has complied 
with the applicable requirements of Sec. 164.502(b), Sec. 164.514(d), 
and Sec. 164.530(c) with respect to such otherwise permitted or 
required use or disclosure;
* * * * *
    (vi) As permitted by and in compliance with this section, 
Sec. 164.512, or Sec. 164.514(e), (f), or (g).
* * * * *
    (b) Standard: Minimum necessary. * * *
    (2) Minimum necessary does not apply. * * *
    (ii) Uses or disclosures made to the individual, as permitted under 
paragraph (a)(1)(i) of this section or as required by paragraph 
(a)(2)(i) of this section;
    (iii) Uses or disclosures made pursuant to an authorization under 
Sec. 164.508;
* * * * *
    (g)(1) Standard: Personal representatives. * * *
    (3) Implementation specification: unemancipated minors. * * *
    (i) * * *
    (ii) Notwithstanding the provisions of paragraph (g)(3)(i) of this 
section:
    (A) If, and to the extent, permitted or required by an applicable 
provision of State or other law, including applicable case law, a 
covered entity may disclose, or provide access in accordance with 
Sec. 164.524 to, protected health information about an unemancipated 
minor to a parent, guardian, or other person acting in loco parentis;
    (B) If, and to the extent, prohibited by an applicable provision of 
State or other law, including applicable case law, a covered entity may 
not disclose, or provide access in accordance with Sec. 164.524 to, 
protected health information about an unemancipated minor to a parent, 
guardian, or other person acting in loco parentis; and
    (C) Where the parent, guardian, or other person acting in loco 
parentis, is not the personal representative under paragraphs 
(g)(3)(i)(A), (B), or (C) of this section and where there is no 
applicable access provision under State or other law, including case 
law, a covered entity may provide or deny access under Sec. 164.524 to 
a parent, guardian, or other person acting in loco parentis, if such 
action is consistent with State or other applicable law, provided that 
such decision must be made by a licensed health care professional, in 
the exercise of professional judgment.
* * * * *

    6. Amend Sec. 164.504 as follows:
    a. In paragraph (a), revise the definitions of ``health care 
component'' and ``hybrid entity''.
    b. Revise paragraph (c)(1)(ii).
    c. Revise paragraph (c)(2)(ii).
    d. Revise paragraph (c)(3)(iii).
    e. Revise paragraph (f)(1)(i).
    f. Add paragraph (f)(1)(iii).
    The revisions and addition read as follows:


Sec. 164.504  Uses and disclosures: Organizational requirements.

    (a) Definitions. * * *
    Health care component means a component or combination of 
components of a hybrid entity designated by the hybrid entity in 
accordance with paragraph (c)(3)(iii) of this section.
    Hybrid entity means a single legal entity:
    (1) That is a covered entity;
    (2) Whose business activities include both covered and non-covered 
functions; and

[[Page 53268]]

    (3) That designates health care components in accordance with 
paragraph (c)(3)(iii) of this section.
* * * * *
    (c)(1) Implementation specification: Application of other 
provisions. * * *
    (ii) A reference in such provision to a ``health plan,'' ``covered 
health care provider,'' or ``health care clearinghouse'' refers to a 
health care component of the covered entity if such health care 
component performs the functions of a health plan, health care 
provider, or health care clearinghouse, as applicable; and
* * * * *
    (2) Implementation specifications: Safeguard requirements. * * *
    (ii) A component that is described by paragraph (c)(3)(iii)(B) of 
this section does not use or disclose protected health information that 
it creates or receives from or on behalf of the health care component 
in a way prohibited by this subpart; and
* * * * *
    (3) Implementation specifications: Responsibilities of the covered 
entity. * * *
    (iii) The covered entity is responsible for designating the 
components that are part of one or more health care components of the 
covered entity and documenting the designation as required by 
Sec. 164.530(j), provided that, if the covered entity designates a 
health care component or components, it must include any component that 
would meet the definition of covered entity if it were a separate legal 
entity. Health care component(s) also may include a component only to 
the extent that it performs:
    (A) Covered functions; or
    (B) Activities that would make such component a business associate 
of a component that performs covered functions if the two components 
were separate legal entities.
* * * * *
    (f)(1) Standard: Requirements for group health plans. (i) Except as 
provided under paragraph (f)(1)(ii) or (iii) of this section or as 
otherwise authorized under Sec. 164.508, a group health plan, in order 
to disclose protected health information to the plan sponsor or to 
provide for or permit the disclosure of protected health information to 
the plan sponsor by a health insurance issuer or HMO with respect to 
the group health plan, must ensure that the plan documents restrict 
uses and disclosures of such information by the plan sponsor consistent 
with the requirements of this subpart.
* * * * *
    (iii) The group health plan, or a health insurance issuer or HMO 
with respect to the group health plan, may disclose to the plan sponsor 
information on whether the individual is participating in the group 
health plan, or is enrolled in or has disenrolled from a health 
insurance issuer or HMO offered by the plan.
* * * * *

    7. Revise Sec. 164.506 to read as follows:


Sec. 164.506  Uses and disclosures to carry out treatment, payment, or 
health care operations.

    (a) Standard: Permitted uses and disclosures. Except with respect 
to uses or disclosures that require an authorization under 
Sec. 164.508(a)(2) and (3), a covered entity may use or disclose 
protected health information for treatment, payment, or health care 
operations as set forth in paragraph (c) of this section, provided that 
such use or disclosure is consistent with other applicable requirements 
of this subpart.
    (b) Standard: Consent for uses and disclosures permitted. (1) A 
covered entity may obtain consent of the individual to use or disclose 
protected health information to carry out treatment, payment, or health 
care operations.
    (2) Consent, under paragraph (b) of this section, shall not be 
effective to permit a use or disclosure of protected health information 
when an authorization, under Sec. 164.508, is required or when another 
condition must be met for such use or disclosure to be permissible 
under this subpart.
    (c) Implementation specifications: Treatment, payment, or health 
care operations.
    (1) A covered entity may use or disclose protected health 
information for its own treatment, payment, or health care operations.
    (2) A covered entity may disclose protected health information for 
treatment activities of a health care provider.
    (3) A covered entity may disclose protected health information to 
another covered entity or a health care provider for the payment 
activities of the entity that receives the information.
    (4) A covered entity may disclose protected health information to 
another covered entity for health care operations activities of the 
entity that receives the information, if each entity either has or had 
a relationship with the individual who is the subject of the protected 
health information being requested, the protected health information 
pertains to such relationship, and the disclosure is:
    (i) For a purpose listed in paragraph (1) or (2) of the definition 
of health care operations; or
    (ii) For the purpose of health care fraud and abuse detection or 
compliance.
    (5) A covered entity that participates in an organized health care 
arrangement may disclose protected health information about an 
individual to another covered entity that participates in the organized 
health care arrangement for any health care operations activities of 
the organized health care arrangement.
    8. Revise Sec. 164.508 to read as follows:


Sec. 164.508  Uses and disclosures for which an authorization is 
required.

    (a) Standard: authorizations for uses and disclosures.--(1) 
Authorization required: general rule. Except as otherwise permitted or 
required by this subchapter, a covered entity may not use or disclose 
protected health information without an authorization that is valid 
under this section. When a covered entity obtains or receives a valid 
authorization for its use or disclosure of protected health 
information, such use or disclosure must be consistent with such 
authorization.
    (2) Authorization required: psychotherapy notes. Notwithstanding 
any provision of this subpart, other than the transition provisions in 
Sec. 164.532, a covered entity must obtain an authorization for any use 
or disclosure of psychotherapy notes, except:
    (i) To carry out the following treatment, payment, or health care 
operations:
    (A) Use by the originator of the psychotherapy notes for treatment;
    (B) Use or disclosure by the covered entity for its own training 
programs in which students, trainees, or practitioners in mental health 
learn under supervision to practice or improve their skills in group, 
joint, family, or individual counseling; or
    (C) Use or disclosure by the covered entity to defend itself in a 
legal action or other proceeding brought by the individual; and
    (ii) A use or disclosure that is required by Sec. 164.502(a)(2)(ii) 
or permitted by Sec. 164.512(a); Sec. 164.512(d) with respect to the 
oversight of the originator of the psychotherapy notes; 
Sec. 164.512(g)(1); or Sec. 164.512(j)(1)(i).
    (3) Authorization required: Marketing. (i) Notwithstanding any 
provision of this subpart, other than the transition provisions in 
Sec. 164.532, a covered entity must obtain an authorization for any use 
or disclosure of protected health

[[Page 53269]]

information for marketing, except if the communication is in the form 
of:
    (A) A face-to-face communication made by a covered entity to an 
individual; or
    (B) A promotional gift of nominal value provided by the covered 
entity.
    (ii) If the marketing involves direct or indirect remuneration to 
the covered entity from a third party, the authorization must state 
that such remuneration is involved.
    (b) Implementation specifications: general requirements.--(1) Valid 
authorizations. (i) A valid authorization is a document that meets the 
requirements in paragraphs (a)(3)(ii), (c)(1), and (c)(2) of this 
section, as applicable.
    (ii) A valid authorization may contain elements or information in 
addition to the elements required by this section, provided that such 
additional elements or information are not inconsistent with the 
elements required by this section.
    (2) Defective authorizations. An authorization is not valid, if the 
document submitted has any of the following defects:
    (i) The expiration date has passed or the expiration event is known 
by the covered entity to have occurred;
    (ii) The authorization has not been filled out completely, with 
respect to an element described by paragraph (c) of this section, if 
applicable;
    (iii) The authorization is known by the covered entity to have been 
revoked;
    (iv) The authorization violates paragraph (b)(3) or (4) of this 
section, if applicable;
    (v) Any material information in the authorization is known by the 
covered entity to be false.
    (3) Compound authorizations. An authorization for use or disclosure 
of protected health information may not be combined with any other 
document to create a compound authorization, except as follows:
    (i) An authorization for the use or disclosure of protected health 
information for a research study may be combined with any other type of 
written permission for the same research study, including another 
authorization for the use or disclosure of protected health information 
for such research or a consent to participate in such research;
    (ii) An authorization for a use or disclosure of psychotherapy 
notes may only be combined with another authorization for a use or 
disclosure of psychotherapy notes;
    (iii) An authorization under this section, other than an 
authorization for a use or disclosure of psychotherapy notes, may be 
combined with any other such authorization under this section, except 
when a covered entity has conditioned the provision of treatment, 
payment, enrollment in the health plan, or eligibility for benefits 
under paragraph (b)(4) of this section on the provision of one of the 
authorizations.
    (4) Prohibition on conditioning of authorizations. A covered entity 
may not condition the provision to an individual of treatment, payment, 
enrollment in the health plan, or eligibility for benefits on the 
provision of an authorization, except:
    (i) A covered health care provider may condition the provision of 
research-related treatment on provision of an authorization for the use 
or disclosure of protected health information for such research under 
this section;
    (ii) A health plan may condition enrollment in the health plan or 
eligibility for benefits on provision of an authorization requested by 
the health plan prior to an individual's enrollment in the health plan, 
if:
    (A) The authorization sought is for the health plan's eligibility 
or enrollment determinations relating to the individual or for its 
underwriting or risk rating determinations; and
    (B) The authorization is not for a use or disclosure of 
psychotherapy notes under paragraph (a)(2) of this section; and
    (iii) A covered entity may condition the provision of health care 
that is solely for the purpose of creating protected health information 
for disclosure to a third party on provision of an authorization for 
the disclosure of the protected health information to such third party.
    (5) Revocation of authorizations. An individual may revoke an 
authorization provided under this section at any time, provided that 
the revocation is in writing, except to the extent that:
    (i) The covered entity has taken action in reliance thereon; or
    (ii) If the authorization was obtained as a condition of obtaining 
insurance coverage, other law provides the insurer with the right to 
contest a claim under the policy or the policy itself.
    (6) Documentation. A covered entity must document and retain any 
signed authorization under this section as required by Sec. 164.530(j).
    (c) Implementation specifications: Core elements and 
requirements.--(1) Core elements. A valid authorization under this 
section must contain at least the following elements:
    (i) A description of the information to be used or disclosed that 
identifies the information in a specific and meaningful fashion.
    (ii) The name or other specific identification of the person(s), or 
class of persons, authorized to make the requested use or disclosure.
    (iii) The name or other specific identification of the person(s), 
or class of persons, to whom the covered entity may make the requested 
use or disclosure.
    (iv) A description of each purpose of the requested use or 
disclosure. The statement ``at the request of the individual'' is a 
sufficient description of the purpose when an individual initiates the 
authorization and does not, or elects not to, provide a statement of 
the purpose.
    (v) An expiration date or an expiration event that relates to the 
individual or the purpose of the use or disclosure. The statement ``end 
of the research study,'' ``none,'' or similar language is sufficient if 
the authorization is for a use or disclosure of protected health 
information for research, including for the creation and maintenance of 
a research database or research repository.
    (vi) Signature of the individual and date. If the authorization is 
signed by a personal representative of the individual, a description of 
such representative's authority to act for the individual must also be 
provided.
    (2) Required statements. In addition to the core elements, the 
authorization must contain statements adequate to place the individual 
on notice of all of the following:
    (i) The individual's right to revoke the authorization in writing, 
and either:
    (A) The exceptions to the right to revoke and a description of how 
the individual may revoke the authorization; or
    (B) To the extent that the information in paragraph (c)(2)(i)(A) of 
this section is included in the notice required by Sec. 164.520, a 
reference to the covered entity's notice.
    (ii) The ability or inability to condition treatment, payment, 
enrollment or eligibility for benefits on the authorization, by stating 
either:
    (A) The covered entity may not condition treatment, payment, 
enrollment or eligibility for benefits on whether the individual signs 
the authorization when the prohibition on conditioning of 
authorizations in paragraph (b)(4) of this section applies; or
    (B) The consequences to the individual of a refusal to sign the 
authorization when, in accordance with paragraph (b)(4) of this 
section, the covered entity can condition treatment, enrollment in the 
health plan, or eligibility for benefits on failure to obtain such 
authorization.

[[Page 53270]]

    (iii) The potential for information disclosed pursuant to the 
authorization to be subject to redisclosure by the recipient and no 
longer be protected by this subpart.
    (3) Plain language requirement. The authorization must be written 
in plain language.
    (4) Copy to the individual. If a covered entity seeks an 
authorization from an individual for a use or disclosure of protected 
health information, the covered entity must provide the individual with 
a copy of the signed authorization.

    9. Amend Sec. 164.510 as follows:
    a. Revise the first sentence of the introductory text.
    b. Remove the word ``for'' from paragraph (b)(3).
    The revision reads as follows:


Sec. 164.510  Uses and disclosures requiring an opportunity for the 
individual to agree or to object.

    A covered entity may use or disclose protected health information, 
provided that the individual is informed in advance of the use or 
disclosure and has the opportunity to agree to or prohibit or restrict 
the use or disclosure, in accordance with the applicable requirements 
of this section. * * *
* * * * *

    10. Amend Sec. 164.512 as follows:
    a. Revise the section heading and the first sentence of the 
introductory text.
    b. Revise paragraph (b)(1)(iii).
    c. In paragraph (b)(1)(v)(A) remove the word ``a'' before the word 
``health.''
    d. Add the word ``and'' after the semicolon at the end of paragraph 
(b)(1)(v)(C).
    e. Redesignate paragraphs (f)(3)(ii) and (iii) as (f)(3)(i) and 
(ii).
    f. In the second sentence of paragraph (g)(2) add the word ``to'' 
after the word ``directors.''
    g. In paragraph (i)(1)(iii)(A) remove the word ``is'' after the 
word ``disclosure.''
    h. Revise paragraph (i)(2)(ii).
    i. In paragraph (i)(2)(iii) remove ``(i)(2)(ii)(D)'' and add in its 
place ``(i)(2)(ii)(C)''.
    The revisions read as follows:


Sec. 164.512  Uses and disclosures for which an authorization or 
opportunity to agree or object is not required.

    A covered entity may use or disclose protected health information 
without the written authorization of the individual, as described in 
Sec. 164.508, or the opportunity for the individual to agree or object 
as described in Sec. 164.510, in the situations covered by this 
section, subject to the applicable requirements of this section. * * *
* * * * *
    (b) Standard: uses and disclosures for public health activities.
    (1) Permitted disclosures. * * *
    (iii) A person subject to the jurisdiction of the Food and Drug 
Administration (FDA) with respect to an FDA-regulated product or 
activity for which that person has responsibility, for the purpose of 
activities related to the quality, safety or effectiveness of such FDA-
regulated product or activity. Such purposes include:
    (A) To collect or report adverse events (or similar activities with 
respect to food or dietary supplements), product defects or problems 
(including problems with the use or labeling of a product), or 
biological product deviations;
    (B) To track FDA-regulated products;
    (C) To enable product recalls, repairs, or replacement, or lookback 
(including locating and notifying individuals who have received 
products that have been recalled, withdrawn, or are the subject of 
lookback); or
    (D) To conduct post marketing surveillance;
* * * * *
    (i) Standard: Uses and disclosures for research purposes. * * *
    (2) Documentation of waiver approval. * * *
    (ii) Waiver criteria. A statement that the IRB or privacy board has 
determined that the alteration or waiver, in whole or in part, of 
authorization satisfies the following criteria:
    (A) The use or disclosure of protected health information involves 
no more than a minimal risk to the privacy of individuals, based on, at 
least, the presence of the following elements;
    (1) An adequate plan to protect the identifiers from improper use 
and disclosure;
    (2) An adequate plan to destroy the identifiers at the earliest 
opportunity consistent with conduct of the research, unless there is a 
health or research justification for retaining the identifiers or such 
retention is otherwise required by law; and
    (3) Adequate written assurances that the protected health 
information will not be reused or disclosed to any other person or 
entity, except as required by law, for authorized oversight of the 
research study, or for other research for which the use or disclosure 
of protected health information would be permitted by this subpart;
    (B) The research could not practicably be conducted without the 
waiver or alteration; and
    (C) The research could not practicably be conducted without access 
to and use of the protected health information.
* * * * *

    11. Amend Sec. 164.514 as follows:
    a. Revise paragraph (b)(2)(i)(R).
    b. Revise paragraph (d)(1).
    c. Revise paragraph (d)(4)(iii).
    d. In paragraph (d)(5), remove the word ``discloses'' and add in 
its place the word ``disclose''.
    e. Revise paragraph (e).
    The revisions read as follows:


Sec. 164.514  Other requirements relating to uses and disclosures of 
protected health information.

* * * * *
    (b) Implementation specifications: Requirements for de-
identification of protected health information. * * *
    (2)(i) * * *
    (R) Any other unique identifying number, characteristic, or code, 
except as permitted by paragraph (c) of this section; and
* * * * *
    (d)(1) Standard: minimum necessary requirements. In order to comply 
with Sec. 164.502(b) and this section, a covered entity must meet the 
requirements of paragraphs (d)(2) through (d)(5) of this section with 
respect to a request for, or the use and disclosure of, protected 
health information.
* * * * *
    (4) Implementation specifications: Minimum necessary requests for 
protected health information. * * *
    (iii) For all other requests, a covered entity must:
    (A) Develop criteria designed to limit the request for protected 
health information to the information reasonably necessary to 
accomplish the purpose for which the request is made; and
    (B) Review requests for disclosure on an individual basis in 
accordance with such criteria.
* * * * *
    (e) (1) Standard: Limited data set. A covered entity may use or 
disclose a limited data set that meets the requirements of paragraphs 
(e)(2) and (e)(3) of this section, if the covered entity enters into a 
data use agreement with the limited data set recipient, in accordance 
with paragraph (e)(4) of this section.
    (2) Implementation specification: Limited data set: A limited data 
set is protected health information that excludes the following direct 
identifiers of the individual or of relatives, employers, or household 
members of the individual:
    (i) Names;
    (ii) Postal address information, other than town or city, State, 
and zip code;
    (iii) Telephone numbers;
    (iv) Fax numbers;

[[Page 53271]]

    (v) Electronic mail addresses;
    (vi) Social security numbers;
    (vii) Medical record numbers;
    (viii) Health plan beneficiary numbers;
    (ix) Account numbers;
    (x) Certificate/license numbers;
    (xi) Vehicle identifiers and serial numbers, including license 
plate numbers;
    (xii) Device identifiers and serial numbers;
    (xiii) Web Universal Resource Locators (URLs);
    (xiv) Internet Protocol (IP) address numbers;
    (xv) Biometric identifiers, including finger and voice prints; and
    (xvi) Full face photographic images and any comparable images.
    (3) Implementation specification: Permitted purposes for uses and 
disclosures. (i) A covered entity may use or disclose a limited data 
set under paragraph (e)(1) of this section only for the purposes of 
research, public health, or health care operations.
    (ii) A covered entity may use protected health information to 
create a limited data set that meets the requirements of paragraph 
(e)(2) of this section, or disclose protected health information only 
to a business associate for such purpose, whether or not the limited 
data set is to be used by the covered entity.
    (4) Implementation specifications: Data use agreement.--(i) 
Agreement required. A covered entity may use or disclose a limited data 
set under paragraph (e)(1) of this section only if the covered entity 
obtains satisfactory assurance, in the form of a data use agreement 
that meets the requirements of this section, that the limited data set 
recipient will only use or disclose the protected health information 
for limited purposes.
    (ii) Contents. A data use agreement between the covered entity and 
the limited data set recipient must:
    (A) Establish the permitted uses and disclosures of such 
information by the limited data set recipient, consistent with 
paragraph (e)(3) of this section. The data use agreement may not 
authorize the limited data set recipient to use or further disclose the 
information in a manner that would violate the requirements of this 
subpart, if done by the covered entity;
    (B) Establish who is permitted to use or receive the limited data 
set; and
    (C) Provide that the limited data set recipient will:
    (1) Not use or further disclose the information other than as 
permitted by the data use agreement or as otherwise required by law;
    (2) Use appropriate safeguards to prevent use or disclosure of the 
information other than as provided for by the data use agreement;
    (3) Report to the covered entity any use or disclosure of the 
information not provided for by its data use agreement of which it 
becomes aware;
    (4) Ensure that any agents, including a subcontractor, to whom it 
provides the limited data set agrees to the same restrictions and 
conditions that apply to the limited data set recipient with respect to 
such information; and
    (5) Not identify the information or contact the individuals.
    (iii) Compliance. (A) A covered entity is not in compliance with 
the standards in paragraph (e) of this section if the covered entity 
knew of a pattern of activity or practice of the limited data set 
recipient that constituted a material breach or violation of the data 
use agreement, unless the covered entity took reasonable steps to cure 
the breach or end the violation, as applicable, and, if such steps were 
unsuccessful:
    (1) Discontinued disclosure of protected health information to the 
recipient; and
    (2) Reported the problem to the Secretary.
    (B) A covered entity that is a limited data set recipient and 
violates a data use agreement will be in noncompliance with the 
standards, implementation specifications, and requirements of paragraph 
(e) of this section.
* * * * *

    12. Amend Sec. 164.520 as follows:
    a. Remove the words ``consent or'' from paragraph (b)(1)(ii)(B).
    b. In paragraph (c), introductory text, remove ``(c)(4)'' and add 
in its place ``(c)(3)''.
    c. Revise paragraph (c)(2)(i).
    d. Redesignate paragraphs (c)(2)(ii) and (iii) as (c)(2)(iii) and 
(iv).
    e. Add new paragraph (c)(2)(ii).
    f. Amend redesignated paragraph (c)(2)(iv) by removing 
``(c)(2)(ii)'' and adding in its place ``(c)(2)(iii)''.
    g. Amend paragraph (c)(3)(iii) by adding a sentence at the end.
    h. Revise paragraph (e).
    The revisions and addition read as follows:


Sec. 164.520  Notice of privacy practices for protected health 
information.

* * * * *
    (c) Implementation specifications: provision of notice. * * *
    (2) Specific requirements for certain covered health care 
providers. * * *
    (i) Provide the notice:
    (A) No later than the date of the first service delivery, including 
service delivered electronically, to such individual after the 
compliance date for the covered health care provider; or
    (B) In an emergency treatment situation, as soon as reasonably 
practicable after the emergency treatment situation.
    (ii) Except in an emergency treatment situation, make a good faith 
effort to obtain a written acknowledgment of receipt of the notice 
provided in accordance with paragraph (c)(2)(i) of this section, and if 
not obtained, document its good faith efforts to obtain such 
acknowledgment and the reason why the acknowledgment was not obtained;
* * * * *
    (3) Specific requirements for electronic notice. * * *
    (iii) * * * The requirements in paragraph (c)(2)(ii) of this 
section apply to electronic notice.
* * * * *
    (e) Implementation specifications: Documentation. A covered entity 
must document compliance with the notice requirements, as required by 
Sec. 164.530(j), by retaining copies of the notices issued by the 
covered entity and, if applicable, any written acknowledgments of 
receipt of the notice or documentation of good faith efforts to obtain 
such written acknowledgment, in accordance with paragraph (c)(2)(ii) of 
this section.

    13. Amend Sec. 164.522 by removing the reference to 
``164.502(a)(2)(i)'' in paragraph (a)(1)(v), and adding in its place 
``164.502(a)(2)(ii)''.

    14. Amend Sec. 164.528 as follows:
    a. In paragraph (a)(1)(i), remove ``Sec. 164.502'' and add in its 
place ``Sec. 164.506''.
    b. Remove the word ``or'' from paragraph (a)(1)(v).
    c. Redesignate paragraph (a)(1)(vi) as (a)(1)(ix) and redesignate 
paragraphs (a)(1)(iii) through (v) as (a)(1)(v) through (vii).
    d. Add paragraphs (a)(1)(iii), (iv), and (a)(1)(viii).
    e. Revise paragraph (b)(2), introductory text.
    f. Revise paragraph (b)(2)(iv).
    g. Remove ``or pursuant to a single authorization under 
Sec. 164.508,'' from paragraph (b)(3), introductory text.
    h. Add paragraph (b)(4).
    The additions and revisions read as follows:


Sec. 164.528  Accounting of disclosures of protected health 
information.

    (a) Standard: Right to an accounting of disclosures of protected 
health information.
    (1) * * *

[[Page 53272]]

    (iii) Incident to a use or disclosure otherwise permitted or 
required by this subpart, as provided in Sec. 164.502;
    (iv) Pursuant to an authorization as provided in Sec. 164.508;
* * * * *
    (viii) As part of a limited data set in accordance with 
Sec. 164.514(e); or
* * * * *
    (b) Implementation specifications: Content of the accounting. * * *
    (2) Except as otherwise provided by paragraphs (b)(3) or (b)(4) of 
this section, the accounting must include for each disclosure:
* * * * *
    (iv) A brief statement of the purpose of the disclosure that 
reasonably informs the individual of the basis for the disclosure or, 
in lieu of such statement, a copy of a written request for a disclosure 
under Secs. 164.502(a)(2)(ii) or 164.512, if any.
* * * * *
    (4)(i) If, during the period covered by the accounting, the covered 
entity has made disclosures of protected health information for a 
particular research purpose in accordance with Sec. 164.512(i) for 50 
or more individuals, the accounting may, with respect to such 
disclosures for which the protected health information about the 
individual may have been included, provide:
    (A) The name of the protocol or other research activity;
    (B) A description, in plain language, of the research protocol or 
other research activity, including the purpose of the research and the 
criteria for selecting particular records;
    (C) A brief description of the type of protected health information 
that was disclosed;
    (D) The date or period of time during which such disclosures 
occurred, or may have occurred, including the date of the last such 
disclosure during the accounting period;
    (E) The name, address, and telephone number of the entity that 
sponsored the research and of the researcher to whom the information 
was disclosed; and
    (F) A statement that the protected health information of the 
individual may or may not have been disclosed for a particular protocol 
or other research activity.
    (ii) If the covered entity provides an accounting for research 
disclosures, in accordance with paragraph (b)(4) of this section, and 
if it is reasonably likely that the protected health information of the 
individual was disclosed for such research protocol or activity, the 
covered entity shall, at the request of the individual, assist in 
contacting the entity that sponsored the research and the researcher.
* * * * *

    15. Amend Sec. 164.530 as follows:
    a. Redesignate paragraph (c)(2) as (c)(2)(i).
    b. Add paragraph (c)(2)(ii).
    c. Remove the words ``the requirements'' from paragraph 
(i)(4)(ii)(A) and add in their place the word ``specifications.''
    The addition reads as follows:


Sec. 164.530  Administrative requirements.

* * * * *
    (c) Standard: Safeguards. * * *
    (2) Implementation specifications: Safeguards. (i) * * *
    (ii) A covered entity must reasonably safeguard protected health 
information to limit incidental uses or disclosures made pursuant to an 
otherwise permitted or required use or disclosure.
* * * * *

    16. Revise Sec. 164.532 to read as follows:


Sec. 164.532  Transition provisions.

    (a) Standard: Effect of prior authorizations. Notwithstanding 
Secs. 164.508 and 164.512(i), a covered entity may use or disclose 
protected health information, consistent with paragraphs (b) and (c) of 
this section, pursuant to an authorization or other express legal 
permission obtained from an individual permitting the use or disclosure 
of protected health information, informed consent of the individual to 
participate in research, or a waiver of informed consent by an IRB.
    (b) Implementation specification: Effect of prior authorization for 
purposes other than research. Notwithstanding any provisions in 
Sec. 164.508, a covered entity may use or disclose protected health 
information that it created or received prior to the applicable 
compliance date of this subpart pursuant to an authorization or other 
express legal permission obtained from an individual prior to the 
applicable compliance date of this subpart, provided that the 
authorization or other express legal permission specifically permits 
such use or disclosure and there is no agreed-to restriction in 
accordance with Sec. 164.522(a).
    (c) Implementation specification: Effect of prior permission for 
research. Notwithstanding any provisions in Secs. 164.508 and 
164.512(i), a covered entity may, to the extent allowed by one of the 
following permissions, use or disclose, for research, protected health 
information that it created or received either before or after the 
applicable compliance date of this subpart, provided that there is no 
agreed-to restriction in accordance with Sec. 164.522(a), and the 
covered entity has obtained, prior to the applicable compliance date, 
either:
    (1) An authorization or other express legal permission from an 
individual to use or disclose protected health information for the 
research;
    (2) The informed consent of the individual to participate in the 
research; or
    (3) A waiver, by an IRB, of informed consent for the research, in 
accordance with 7 CFR 1c.116(d), 10 CFR 745.116(d), 14 CFR 1230.116(d), 
15 CFR 27.116(d), 16 CFR 1028.116(d), 21 CFR 50.24, 22 CFR 225.116(d), 
24 CFR 60.116(d), 28 CFR 46.116(d), 32 CFR 219.116(d), 34 CFR 
97.116(d), 38 CFR 16.116(d), 40 CFR 26.116(d), 45 CFR 46.116(d), 45 CFR 
690.116(d), or 49 CFR 11.116(d), provided that a covered entity must 
obtain authorization in accordance with Sec. 164.508 if, after the 
compliance date, informed consent is sought from an individual 
participating in the research.
    (d) Standard: Effect of prior contracts or other arrangements with 
business associates. Notwithstanding any other provisions of this 
subpart, a covered entity, other than a small health plan, may disclose 
protected health information to a business associate and may allow a 
business associate to create, receive, or use protected health 
information on its behalf pursuant to a written contract or other 
written arrangement with such business associate that does not comply 
with Secs. 164.502(e) and 164.504(e) consistent with the requirements, 
and only for such time, set forth in paragraph (e) of this section.
    (e) Implementation specification: Deemed compliance.-- (1) 
Qualification. Notwithstanding other sections of this subpart, a 
covered entity, other than a small health plan, is deemed to be in 
compliance with the documentation and contract requirements of 
Secs. 164.502(e) and 164.504(e), with respect to a particular business 
associate relationship, for the time period set forth in paragraph 
(e)(2) of this section, if:
    (i) Prior to October 15, 2002, such covered entity has entered into 
and is operating pursuant to a written contract or other written 
arrangement with a business associate for such business associate to 
perform functions or activities or provide services that make the 
entity a business associate; and
    (ii) The contract or other arrangement is not renewed or modified 
from

[[Page 53273]]

October 15, 2002, until the compliance date set forth in Sec. 164.534.
    (2) Limited deemed compliance period. A prior contract or other 
arrangement that meets the qualification requirements in paragraph (e) 
of this section, shall be deemed compliant until the earlier of:
    (i) The date such contract or other arrangement is renewed or 
modified on or after the compliance date set forth in Sec. 164.534; or
    (ii) April 14, 2004.
    (3) Covered entity responsibilities. Nothing in this section shall 
alter the requirements of a covered entity to comply with part 160, 
subpart C of this subchapter and Secs. 164.524, 164.526, 164.528, and 
164.530(f) with respect to protected health information held by a 
business associate.

[FR Doc. 02-20554 Filed 8-9-02; 2:00 pm]
BILLING CODE 4153-01-P